Info Security

Subscribe to Info Security  feed
Updated: 28 min 25 sec ago

(ISC)² Rolls Out On-Demand SSCP Training

Thu, 01/25/2018 - 18:13
(ISC)² Rolls Out On-Demand SSCP Training

(ISC)² and Coursera, an online platform for higher education, have partnered to offer on-demand training to cybersecurity and IT/ICT practitioners.

The two will deliver self-paced Systems Security Certified Practitioner (SSCP) training for aspiring cybersecurity practitioners, giving them the chance to sharpen skills through a new online curriculum that (ISC)² hopes will help narrow the ongoing skills gap in the cybersecurity workforce.

“Making security training easily attainable to those who might not otherwise have access allows them to proactively build their professional careers and master the expertise employers most need to conquer today’s cybersecurity challenges,” said (ISC)² CEO David Shearer. “By offering multiple learning options for cybersecurity practitioners, (ISC)² is helping to meet the demand for skilled cybersecurity personnel.” 

Coursera offers fully interactive courses in high-demand fields like data science, computer science, and business through partnerships with top universities and education institutions. In all, more than 30 million learners seek career-relevant education via the online learning platform, providing a wide audience for (ISC)²’s training content and those interested in beginning or continuing their professional cybersecurity education.

“These days, learning valuable career skills doesn’t need to happen in a classroom or an in-person training seminar; it can happen online with platforms like Coursera during your commute or after putting the kids to sleep,” said Jeff Maggioncalda, CEO of Coursera. “We see an increasing demand on Coursera for cybersecurity certifications and are excited to make the (ISC)² SSCP certificate available to anyone, anywhere in the world.”

The SSCP is a cybersecurity certification for IT professionals responsible for the hands-on operations of securing their organizations. The SSCP encompasses security operations and administration; risk identification, monitoring and analysis; incident response and recovery; network and communications security; system and application security; and cryptography – most often required by IT employers. 

Categories: Cyber Risk News

Over a Third of Global Firms Breached in 2017

Thu, 01/25/2018 - 11:21
Over a Third of Global Firms Breached in 2017

Over a third (36%) of global organizations were breached last year, a 10% increase from 2016, according to new figures from Thales.

The security and defense contractor polled 1200 senior IT executives in Germany, Japan, India, the Netherlands, Sweden, South Korea, the UK and the US to compile its 2018 Thales Data Threat Report.

It claimed that a staggering 67% of firms have now been breached, with more than two-fifths (44%) of IT leaders claiming to feel “very” or “extremely” vulnerable to data threats.

The report detailed a growing reliance on the cloud, with 42% of organizations using more than 50 SaaS applications, 57% using three or more IaaS vendors, and 53% using three or more PaaS environments.

In total, 94% store or use sensitive data in cloud, big data, IoT, container, blockchain and/or mobile environments — a trend seemingly exposing them to greater risk.

Encryption was cited as the top tool (44%) for protecting cloud data, while 77% of respondents claimed data-at-rest security solutions are the most effective at preventing breaches, just above network security (75%) and data-in-motion (75%) tools.

Encryption was also cited as the best tool (42%) to help meet new privacy requirements like the EU General Data Protection Regulation (GDPR) — understandable as it’s one of only two security technologies mentioned prescriptively in the new law.

Thales eSecurity CTO, Jon Geater, admitted that management of encryption keys can be challenging for organizations without strong security specialists, warning that “whoever controls the keys controls access to the data.”

“Everyone’s moving to the cloud today, and this challenge is compounded further in cloud environments or, as is the case for most organizations today, multi-cloud environments. To ease these operational challenges, organizations should should start with data and operations. How you work and how you value your data is most important: the tool should fit you, not the other way round,” he told Infosecurity.

“Select encryption and key management technologies that offer a smart, centralized approach. Once data is lost it’s lost, so no good building a fortress around your datacenter if your laptops are leaky. Next, ensure the tools fit your environment and work across clouds, on-premises and in datacenters. Finally, implement strong identity technologies: hardware-backed PKI for machines, multi-factor authentication for humans.”

Categories: Cyber Risk News

Crypto ICOs Lose 10% of Funds to Hackers

Thu, 01/25/2018 - 10:30
Crypto ICOs Lose 10% of Funds to Hackers

Almost $400m has been stolen from initial coin offerings (ICOs) in the past, with phishing the most commonly used technique for cyber-attackers, according to Ernst & Young.

The global consultancy’s latest research highlighted major risks in the capital raising process for new crypto-currency organizations.

Some 10% of all ICO funds are lost to hackers, who are “attracted by the rush, absence of a centralized authority and blockchain transaction irreversibility,” the report claimed.

Phishing nets attackers up to $1.5m per month either by tricking the recipient into making a fund transfer or handing over the private keys to their digital wallets.

“Criminals use DDoS attacks to disable the original site and publish phishing site addresses on web forums and social media that promote ICOs,” the report continued. “Investors, driven by FOMO, do not check the site, and transfer funds to the criminal’s address. The likelihood of crypto funds being returned is close to zero.”

Hackers also target the exchanges themselves: in fact, $2bn has already been lost globally via this route and the frequency of attacks is increasing, according to Ernst & Young.

“Most exchanges do not disclose policies and controls over personal data storage and use. This represents great value on the black market and chances of its misuse are high even without a breach,” the report claimed.

Arseny Reutov, blockchain security expert at, explained that ICOs could do several things to protect themselves, starting with ensuring that the underlying code of smart contracts is purged of any vulnerabilities.

“Secondly, organizations must ensure that the web applications their ICO use are being monitored and protected in real time – all the security of the blockchain means nothing if a hacker can misdirect funds from the web page,” he added.

"Finally, there is the human factor. A major risk here is that open source intelligence will be used to target members of the team – our own research suggests that every ICO has a team member whose password can be found online. ICOs must do everything within their power to stop investors being tricked by phishing attacks.”

Categories: Cyber Risk News

Trend Micro in New Hacktivist Warning

Thu, 01/25/2018 - 09:51
Trend Micro in New Hacktivist Warning

A new report has warned that traditional lines between hacktivists and cyber-criminals are blurring and could disappear altogether in some cases, fuelling more damaging ransomware and data theft attacks.

Trend Micro analyzed a staggering 13 million website defacements dating back 18 years to compile its latest report, A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks.

The data – collected from various third-party sources including Hack Mirror, Zone-H and MyDeface – revealed over 104,000 defacers responsible for more than 9.9 million compromised domains.

However, the techniques they use to achieve their goals of defacing websites for political or religious reasons could also be used for more malicious purposes.

SQL Injection attacks are among the top tactics used, for example.

However, despite 99.9% of the attacks analyzed by Trend Micro are said to be “harmless,” this could change, the firm warned:

“Hackers are now increasingly involved in developing web shells (backdoors to maintain access to compromised web servers), and also delving into doxing and leaking stolen data. After defacing websites, the next step would seem to be capitalizing on the available information on compromised sites.

“A troubling scenario is if these defacement groups decide to monetize their successful hacks by, for example, installing malicious redirections or exploit code in the defacement pages that would then install ransomware.”

This is no longer a theoretical threat. Trend Micro claimed there have already been reports of Indian ‘hacktivists’ targeting Pakistani servers and users to install ransomware for ‘patriotic’ purposes.

“The reason why it’s only a small step to take to switch from simple defacement of a website to digital cybercrime or extortion is that the time, energy and motivation of breaching or compromising the digital has already been done,” principal security strategist, Bharat Mistry, told Infosecurity.

“Once you have gained unauthorized access and created a point of presence it’s simply then using the asset as a lever to explore data either locally stored or remotely connected to the machine. More often than not even public facing machines have trusted access to application and database servers.”

Categories: Cyber Risk News

Charity and Business GDPR Awareness Remains Low

Wed, 01/24/2018 - 16:56
Charity and Business GDPR Awareness Remains Low

With only five months to go, new government sponsored research on the General Data Protection Regulation has revealed worrying levels of preparation and awareness.

According to the new research from the Department for Digital, Culture, Media and Sport (DCMS), 80% of large businesses have heard of GDPR, and 27% have made changes to how they operate in response.

The DCMS surveyed 1519 businesses, finding that 80% of large businesses (more than 250 people) were aware of the regulation, whilst that figure was 66% for medium businesses, 49% for small businesses (10-49 people) and 31% for two to nine person businesses.

Of those that were aware, just over a quarter of businesses (27%) had made any changes to how they operate, directly as a response to the forthcoming changes to the data protection regulation.

The research found that 36% had created or changed policies and procedures, 21% had deployed additional staff training and 12% had added new technology.

Jon Baines, chair of the National Association of Data Protection Officers (NADPO), told Infosecurity that from looking at the research, he was concerned that DCMS appears to be promulgating an idea that compliance with GDPR is solely or mainly about cybersecurity.

“I would have expected more than 27% of businesses to be making changes,” he said. “As much as GDPR is an evolution not a revolution, I would still expect to see policy review and the introduction/improvement of data protection by design and default into businesses' systems and processes. I think it would have been really helpful for DCMS to have actually published the research questions and methodology.”

The research also surveyed 569 charities, and found 44% were aware of GDPR in total, and also discovered that 36% had created or changed policies and procedures. Further, 12% had installed, changed or updated their anti-virus, and 10% had encrypted data – compared with 5% of businesses.

Baines said: “I'm astounded that there are still some charities who appear not to be aware of GDPR. From my experience there has been so much worry, and consequent publicity, in the sector, that I would have expected awareness to be very close to 100% across the field.”

Darren Anstee, chief technology officer of NETSCOUT Arbor, said that gaining a good understanding of GDPR is still a work-in-progress for many organizations – and it’s important to consider the impact mishandled data might have on the organization itself, customers and employees. It is concerning that at this late stage only 80% of large businesses are aware of the regulation.

“The fact that creating and changing policies in order to comply with the new GDPR legislation is the most common change made by business and charities alike is both good and bad. On the one hand, organizations have obviously taken on board the process and policy changes they need to comply, however, the low percentage shown around other types of change may indicate that the focus has been purely around compliance, rather than looking at the aim of the legislation – to improve the way people’s data is acquired, processed, stored and secured.”

Categories: Cyber Risk News

Bell Canada Suffers Customer Data Breach

Wed, 01/24/2018 - 15:30
Bell Canada Suffers Customer Data Breach

A data breach at Bell Canada appears to have compromised customer names and email addresses, with the RCMP launching an investigation into the incident, according to reports.

The firm has confirmed that hackers were able to illegally obtain the data, but there is currently “no indication that any credit card, banking or other information” was accessed. Bell Canada spokesman Nathan Gibson told Canadian press that “fewer than 100,000 customers were affected.”

Bell Canada has emailed impacted customers to alert them of the situation and with John Watson, customer experience, stating that “additional security authentication and identification requirements have been implemented” to accounts.

“The protection of customer and corporate information is of primary importance to Bell,” the email continued. “We work closely with the RCMP and other law enforcement agencies, government bodies and the broader technology industry to combat the growth of cybercrimes.”

Stephanie Dumoulin, RCMP spokesperson at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner, advised that she was unable to discuss details.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.

Categories: Cyber Risk News

High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign

Wed, 01/24/2018 - 10:44
High-Profile Twitter Accounts Hit by Turkish Propaganda Campaign

A Twitter campaign purportedly carried out by Turkish hacker group ‘Ayyildiz Tim’ has targeted the accounts of several high-profile individuals to spread political propaganda, according to McAfee.

In a blog post on the firm’s website Christiaan Beek, lead scientist & principal engineer, and Raj Samani, chief scientist and McAfee fellow, explained that upon investigating the recent events McAfee Advanced Threat Research discovered the Twitter account of the Indian ambassador to the United Nations was taken over on January 13 and used to spread pro-Pakistan and pro-Turkey postings.

“What seemed to be a single event soon became a targeted campaign that we discovered in cooperation with our partner SocialSafeGuard,” the pair wrote, with the accounts of Borge Brende, president of the World Economic Forum, Eric Bolling and Greta Van Susteren, both of Fox News, also targeted.

“Once the accounts were compromised, the attackers direct-messaged the account contacts with propaganda for their cause or with a link to convince them to click on a phishing site that would harvest the Twitter credentials of the victim.”

When looking at the source code of the malicious pages, McAfee found several Turkish-language segments, with ‘Ayyildiz Tim’ claiming responsibility for the attacks.

“There is also evidence that private messaging history has been accessed from certain compromised accounts of prominent figures, along with other sensitive or confidential information such as private phone numbers and emails,” McAfee added.

“These tactics demonstrate the use of authority and social validation as subconscious levers to invoke victim interaction,” Samani told Infosecurity. “Whilst these methods are typical for email, Twitter is a relatively new channel for such activities.

“Twitter users – or anyone using social media – should always be wary of the potential for criminals to take control of their account. This news proves the importance of double checking that the appropriate security controls are in place. Using Twitter’s log in verification is an essential extra layer of security that could well prevent many successful attacks.”

Categories: Cyber Risk News

Quality of Password Strength and MFA Adoption Improves

Wed, 01/24/2018 - 09:52
Quality of Password Strength and MFA Adoption Improves

Only 4% of common passwords would meet with official requirements on strength, new research from Okta has revealed.

According to Okta’s global Businesses @ Work report, its requirement of a minimum of eight characters, at least one lowercase letter, one uppercase letter and a number, would only fit with the small percentage of passwords it surveyed from a list of publicly-exposed details. That list also showed that 49.5% used at least eight characters.

Password security specialist Per Thorsheim told Infosecurity that the majority of password breaches analyzed out there are from online services with password policies which are ‘below average’, or at least worse than common corporate best practices during the past 15 years or so.

The research also showed that 70% of Okta’s users are now using three or four factors of authentication – but this includes SMS and ‘security questions’. Thorsheim said: “Security questions are generally not recommended in online scenarios, as the answers are mostly available online or through simple social engineering.”
Asked if MFA is an answer, or whether all solutions ultimately end up with users looking for the simple solution and writing their passwords down, Thorsheim said that he felt the message on password security and strength was getting through: “but it will easily take five to 10 years before we eventually align with NIST SP800-63B - no mandatory/regular password change, no complexity requirements, password length is key to good security, no SMS for sending secrets”.

Security Culture speaker and expert Kai Roer, added: “In my opinion, (lack of) security often revolves about user friendliness. It is considered by some nice to add ‘factors’ of authentication, especially from a marketing perspective. If, however, those factors add to the complexity of using the application, many users will find themselves trying to solve these factors by other means, for example by simplifying the password, or abandoning the service.

“Their reasoning for simplifying the password may be that they feel like X-factors of authentication should be enough to protect them even with a simple password, as well as their need to remember it.”

Categories: Cyber Risk News

Sonic the Hedgehog Apps Leak Data

Tue, 01/23/2018 - 23:25
Sonic the Hedgehog Apps Leak Data

Popular Sonic the Hedgehog official game apps are accessing and leaking users’ geolocation and device data.

Pradeo Lab discovered that the affected apps – Sonic Dash, Sonic the Hedgehog Classic and Sonic Dash 2: Sonic Boom – feature an average of 15 OWASP vulnerabilities each and send data to about 11 distant servers, including suspicious ones.

“Lately, the Pradeo Lab noticed an increase in the amount of official apps fooling their users into giving them access to data they don’t actually need,” the company explained in a blog. “In most of the cases, when installing an app from Google Play, users accept permissions without giving a second thought. As a result, publishers collect private information about their clients, such as geolocation, device data, user data (gallery, contact lists, browser history, SMS…), etc.”

Among the vulnerabilities detected, Pradeo identified two critical bugs that make the apps highly vulnerable to man-in-the-middle (MITM) attacks. The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses.

For instance, an unsafe implementation of the interface X509TrustManager ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making the app vulnerable to MITM attacks.

“An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection,” the firm said. It added, “An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.”

The flaws overall give permission for a range of tasks, including permission for other applications to bypass some security access to give direct access to potentially sensitive data, permission for other applications to start or bind the application's service (which can lead to sensitive information leaking to malicious apps or to a denial of service) and another application being given access application data.

As for the distant servers reached by the affected SEGA apps, most have a tracking and marketing purpose. However, three of them are uncertified servers, and two are hosting a variant of the Android/Inmobi.D malware.

Users should be wary of the apps from game giant SEGA until updates are issued.

Categories: Cyber Risk News

Espionage Campaign Sets Sites on Turkish Defense Contractors

Tue, 01/23/2018 - 20:54
Espionage Campaign Sets Sites on Turkish Defense Contractors

An unknown actor purporting to be from the tax collection arm of the Turkish government has been carrying out spear-phishing campaigns against Turkish defense contractors.

According to RiskIQ, the perpetrators have been targeting multiple people inside a given organization since November 2017 with weaponized documents that download a remote access Trojan (RAT) named Remcos. Remcos can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs, and manage files. Interestingly, it also has SOCKS5 proxy capabilities: An operator can turn the victims of the crime into proxies for its own network, hiding the real C2 server.

“Regions of the world in geopolitical turmoil, like Turkey, are prime targets for cyber-espionage campaigns,” said RiskIQ researcher Yonathan Klijnsma in a blog. “The group used tactics that have become extremely useful for cyber-spies – spear-phishing emails that social engineer the victim to download an attached or embedded file and then enable macros.”

The email supposedly comes from the Turkish government entity responsible for taxes. The email states that there is a possible tax exemption in place for the receiver if they fill out the attached documents. Although the sender domain,, is valid, the actual email Sender Policy Framework (SPF) verification failed in analysis.

“We would also like to point out that this campaign wasn’t run on its own — far before this campaign, the actors used these domains in other attacks,” Klijnsma said. “Pivoting through the related IP addresses can give some additional insights into the vast infrastructure of this attacker, which seems to be relying on using its victims as the SOCKS5 tunnels’ proxies.”

Categories: Cyber Risk News

Tinder Flaws Let Stalkers Watch Your Every Move

Tue, 01/23/2018 - 20:36
Tinder Flaws Let Stalkers Watch Your Every Move

The Tinder hookup and dating app has two major vulnerabilities, which if exploited could allow bad actors to monitor a user’s every move on the app.

According to the Checkmarx Security Research Team, the stalker-friendly vulns also allow an attacker to control the profile pictures that the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content.

“As Rockwell described in his famous song, if you always feel like someone’s watching you, and you have no privacy – chances are, you might be right,” said Checkmarx researcher Dafna Zahger in an analysis.

Tinder allows users to swipe through dating profiles of people in their immediate vicinity: They swipe right for a profile they like, left if they lack interest and up if they “Super Like” someone. If someone likes them back, the next step is chat-messaging to set up a rendezvous. So far, the app has created more than 20 billion matches in 196 countries.

Aside from the potential ad fraud and malware delivery issues, the vulnerabilities, found in both the Android and iOS versions of the app, allow an attacker to stalk and blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.

The situation brings up the question of how complacent have we become when it comes to online privacy.

“Knowing an ill-disposed attacker can view and document your every move on Tinder, who you like, or who you decide to chat with is definitely disturbing,” said Zahger. “But is it enough to have you abandon the app altogether? Most apps nowadays seem to be vulnerable, so what’s the alternative? Where do we, as users, draw the line? Is it at the smallest compromise of our privacy, or do we shrug it off until sensitive data is stolen?”

Until all app developers implement comprehensive application security testing solutions, “we should probably still be cautious and mindful,” she added. “This means avoiding public networks as much as possible, using HTTPS over HTTP and generally being aware of what might be happening over our virtual shoulder.”

Checkmarx said that it has disclosed the vulnerabilities to Tinder.

Categories: Cyber Risk News

NCSC: UK Facing Category One Cyber-Attack

Tue, 01/23/2018 - 11:48
NCSC: UK Facing Category One Cyber-Attack

The UK is likely to be hit by a “category one” (C1) cyber-attack in the next couple of years, crippling key parts of its critical infrastructure, according to the National Cyber Security Centre (NCSC).

NCSC boss Ciaran Martin claimed the UK has been fortunate to escape the kind of attacks seen in the US and France in recent years, but warned that it was a case of “when, not if.”

Interference in the US presidential elections and the cyber-attack that took out French TV network TV5Monde — both attributed to Russia — were C1 attacks.

“I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack,” martin told the Guardian.

“Some attacks will get through. What you need to do is cauterize the damage.”

In October, the NCSC claimed it tackled 1131 incident reports in its first year of operation, with 590 classed as “significant.”

A month later, both Martin and Prime Minister Theresa May warned about increasing Russian attempts to target UK media, telecoms and energy sectors as part of its bid to “undermine the international system.”

Much of the Kremlin’s work so far has been on reconnaissance, scouting for vulnerabilities which could be exploited at a later date, according to Martin.

This is in contrast to the more reckless activities of other nations like North Korea, which is increasingly focused on generating revenue through attacks on banks and spreading ransomware, he said.

Venafi chief cybersecurity strategist, Kevin Bocek, agreed with Martin’s assessment, claiming “escalation of hostilities … is one of the most basic rules of human history.”

“Much of the reason the UK is so vulnerable is that many organizations — both in the public and private sectors — are simply bad at doing the basics right,” he added. “With security teams being pulled from pillar to post by constant attacks, they don’t have the time to take care of a number of key precautions. It’s precisely these oversights which can let attackers in.”

Steve Malone, director of security product management at Mimecast, claimed the new NIS Directive could help CNI firms lead the way on cybersecurity.

“This EU-wide legislation needs to be harnessed quickly to foster a new culture of security for citizens,” he added.

“The defense of democracy requires ongoing scrutiny. We should be concerned that many of the UK political parties appear to be trusting their email security to Microsoft Office 365, essentially a homogeneous security environment. Security best practice on-premises dictated multiple layers of protection, and this remains when moving email to cloud.”

Categories: Cyber Risk News

The $6bn Crime: 17 Million UK Consumers Hit Last Year

Tue, 01/23/2018 - 11:01
The $6bn Crime: 17 Million UK Consumers Hit Last Year

Cybercrime cost 17 million UK consumers an estimated £4.6bn ($6bn) last year, according to Symantec.

The vendor polled over 21,000 adults across 21 markets, including 1000 in the UK, to compile its 2017 Norton Cyber Security Insights Report.

Globally, cyber-criminals stole £130bn ($172bn) from 978 million consumers in those countries.

The UK’s mature online economy contributed a hefty chunk of the £20.7bn taken from 98.2 million European consumers during the period. Even more telling, each victim of cybercrime is said to have lost nearly two working days (14.8 hrs) dealing with the aftermath of the incident.

Just one in 12 UK consumers suffered a ransomware file lock-down, with over a fifth (22%) failing to regain access to their data despite paying the ransom.

The 44% of total British netizens that claimed never to back-up could be playing a risky game.

“Handing the hackers money simply continues to fund their efforts with no guarantee that you’ll personally be able to regain access to your digital life,” warned Nick Shaw, general manager of Norton EMEA. “In the case of ransomware, crime pays, and we can all take some simple steps to thwart their efforts.”

Tellingly, cybercrime victims were more likely to use the same online password across all their accounts: 20% versus 12% of non-victims.

Cybercrime is becoming more frequent: 60% of those who have suffered an attack in the past were hit in the past year, including 37% who handed over info after being phished, 40% who had their home Wi-Fi cracked, a third who were conned into fraudulent purchases and more than a quarter who fell for tech support scams.

Yet 28% of UK victims think they’re able to protect their data from future attacks and 26% think they’re at low risk of being hit again, according to the report.

“Consumers’ actions revealed a dangerous disconnect: despite a steady stream of cybercrime sprees reported by media, too many people appear to feel invincible and skip taking even basic precautions to protect themselves,” said Shaw. “This disconnect highlights the need for consumer digital safety and the urgency for consumers to get back to basics when it comes to doing their part to prevent cybercrime.”

Categories: Cyber Risk News

UK’s Top Law Firms at Risk After 1m+ Credentials Found on Dark Web

Tue, 01/23/2018 - 10:15
UK’s Top Law Firms at Risk After 1m+ Credentials Found on Dark Web

The UK’s top law firms are at serious risk of unauthorized network intrusions after new research revealed over one million breached credentials on the dark web.

RepKnight studied 620 domains belonging to 500 of the UK’s law firms and found 1.16 million corporate email addresses on various sites which collect previously stolen or leaked credentials.

What’s more, more than half of these had been posted in the past six months, and 80% had an associated password – often available in clear text or hashed values which can be easily cracked, the vendor claimed.

“This puts those staff – and the law firm’s network – at significant risk from ‘credential stuffing’ attacks, where bots are used to repeatedly try the same username and password on multiple sites,” the report continued. “Perhaps more serious are ‘spear phishing’ attacks or identity fraud, where those credentials are used as part of a targeted cyber-attack on that individual.”

The vast majority of these credentials were taken from third-party breaches such as the one at LinkedIn, where law firm employees had signed up with their work credentials.

However, their appearance on dark web sites with associated passwords plunges their employers into a potentially alarming situation, if those credentials are used to access the corporate network, craft spear-phishing emails loaded with malware, or even attempt CEO fraud.

Any leaks of highly sensitive client or employee data could result in heavy fines under the GDPR.

The legal sector is coming under increasing scrutiny from cyber-criminals looking to tap the wealth of lucrative information such firms hold.

A quarter (24%) of SME-sized firms in the sector suffered a cyber-attack last year, with the figure rising to 36% for London-based companies, according to NatWest.

Meanwhile, two major US law firms were hacked in 2016 for information subsequently used in a $4m insider trading scam.

Both the Panama Papers and Paradise Papers leaks also came about after offshore law firms were targeted.

Categories: Cyber Risk News

14 Flaws in Popular Software Are Putting ICS at Risk

Mon, 01/22/2018 - 19:19
14 Flaws in Popular Software Are Putting ICS at Risk

A variety of serious vulnerabilities have been identified in popular license management software used in corporate and industrial control system (ICS) environments to activate software on PCs and servers.

According to Kaspersky Lab ICS CERT researchers, 14 vulnerabilities in the Hardware Against Software Piracy (HASP) license management system mean that license management USB tokens can be used to open a hidden remote-access channel for cyber-attackers.

The flaws include multiple denial-of-service (DoS) vulnerabilities and several remote code execution issues. These are automatically exploited not with user rights but with the most privileged system rights, providing attackers with an opportunity to execute any arbitrary code they wish.

“The USB-tokens in question are widely used in different organizations to serve the purpose of convenient software license activation,” researchers explained in their analysis. “In normal use case scenarios, a company’s system administrator would need to approach the computer with the software that needs to be activated and insert the token. It will then confirm that the software of interest is legitimate (not pirated) and would activate it.”

The problem is, upon installation, the software adds port 1947 of the computer to the list of exclusions of the Windows Firewall with no proper user notification, which makes it vulnerable to a remote attack.

“An attacker would only need to scan the targeted network for open port 1947 in order to identify any remotely available computers,” the researchers said. “More importantly, the port remains open after the token has been detached, which is why even in a patched and protected corporate environment, an attacker would only need to install software using the HASP solution or attach the token to a PC once (even a locked one) in order to make it available for remote attacks.”

The number of systems affected by the vulnerability is uncertain, but given the popularity of the software, it could affect hundreds of thousands of users worldwide.

“Given how popular this license management system is, the possible scale of the consequences of these vulnerabilities going unpatched is very large,” said Vladimir Dashchenko, head of vulnerability research group, Kaspersky Lab ICS CERT. “Since these tokens are not only used in regular corporate environments but also in critical facilities with strict remote access rules, the vulnerabilities we discovered could be putting thousands of critical networks in danger.”

Upon discovery, Kaspersky Lab reported these vulnerabilities to the affected software vendors, which subsequently released security patches. Organizations should install the latest (secure) version of the driver as soon as possible or contact the vendor for instructions on updating the driver.

Additionally, as long as it does not interfere with business processes, administrators should close port 1947, at least on the external firewall on the network perimeter.

Categories: Cyber Risk News

Global Levels of Fraud Reached an All-Time High in 2017

Mon, 01/22/2018 - 19:16
Global Levels of Fraud Reached an All-Time High in 2017

Businesses reported all-time high levels of fraud, cyber- and security incidents during 2017, according to a survey of businesses worldwide.

About 84% of companies surveyed worldwide experienced a fraud incident in 2017, according to the Kroll Annual Global Fraud & Risk Report.

The proportion of executives reporting that their companies fell victim to at least one instance of fraud over the past 12 months increased from 82% in last year’s survey. Levels of reported fraud have steadily risen every year since 2012, when the reported occurrence was just 61%.

An even greater percentage of executives surveyed (86%) said their companies had experienced a cyber-incident or information theft, loss or attack over the past 12 months, slightly up from 85% in 2016.  Seven in 10 respondents (70%) reported the occurrence of at least one security incident during the past year, compared to 68% in the previous survey.

The Kroll Report also revealed that respondents are experiencing a heightened sense of vulnerability to fraud, cyber- and security risks, with information-related risks now the current area of greatest concern. As criminals and other threat actors continue to find new ways to monetize confidential data, including personal data, data assets are becoming increasingly valuable and attractive targets. 

For the first time in the Kroll Report’s 10-year history, information theft, loss, or attack was the most prevalent type of fraud experienced, cited by 29% of respondents, up five percentage points from the previous year. This edged out theft of physical assets or stock, long the most common type of organizational loss, which this year was the second most frequently cited incident (27%).

Cyber-attacks represent one of the most persistent threats to confidential information. In fact, the reported level of occurrence for every type of cyber-incident included in the survey increased in the last 12 months.

“In a digitized world with growing levels of data creation, collection, and reliance for businesses, information assets have become increasingly valuable and exposed to threats,” said Jason Smolanoff, senior managing director and global cybersecurity practice leader for Kroll. “Exacerbating the challenge of safeguarding data is that criminals and other threat actors are continually developing new ways to monetize confidential information, including personal data.”

He added, “People instinctively think about data being targeted by cyber-attacks, but not all threats to information are confined to the digital realm. There is a convergence between physical and digital threats, with issues arising from equipment with sensitive data being stolen or lost, for example, or employees with access to highly sensitive information accidentally or intentionally causing a breach.”

Categories: Cyber Risk News

Fictional SpriteCoin Cryptocurrency Packs a Ransomware Punch

Mon, 01/22/2018 - 19:05
Fictional SpriteCoin Cryptocurrency Packs a Ransomware Punch

A new ransomware that only accepts Monero for payment has emerged, attempting to trick victims by masquerading as a password-protected storage mechanism for SpriteCoin. SpriteCoin doesn’t exist, however – it’s a fictional cryptocurrency.

According to Fortinet FortiGuard Labs, the malware claims to be a wallet and asks the user to create their desired password. It doesn’t actually download blockchain, however; rather, it secretly encrypts the victim’s data files and then demands a ransom in Monero cryptocurrency.

Adding insult to injury, if the ransom is paid, during the decryption phase another piece of malware is deployed with capabilities including certificate harvesting, image parsing and web camera activation.

Fortinet researchers said that the initial file is a packed executable for simple evasion. It displays the typical ransom note telling targets that “your files are encrypted” and asks for a sum of 0.3 Monero – which is equivalent to about $105 at the time of writing.

“During our analysis, we have seen indicators that the sample appears to have an embedded SQLite engine,” explained Fortinet researchers in an analysis. “This leads us to believe it is using SQLite to store harvested credentials. The ransomware first looks to harvest Chrome credentials, and if it finds nothing it then moves on and tries to access the Firefox credential store. It then looks for specific files to encrypt. These files are then encrypted with an encrypted file extension (e.g.: resume.doc.encrypted).”

The use of Monero, an open source cryptocurrency created in 2014, signals a shift away from the widely used and accepted standard Bitcoin in the ransomware space, they added.

“Ransomware authors are aware of current trends and events, and appear to be taking advantage of all the hype surrounding the cryptocurrency craze,” they said.

To minimize damage, best practices require being vigilant about backing up files and performing the backups on a regular basis. Users should store the backup offline on a separate device, and even in multiple places, to ensure redundancy.

Also, since user interaction is needed for the malware to work, Fortinet recommends the companies establish a formal security training program and delivering it at least once a quarter to personnel.

Categories: Cyber Risk News

UK 'Most Well-Prepared' European Nation for GDPR

Mon, 01/22/2018 - 13:08
UK 'Most Well-Prepared' European Nation for GDPR

The UK is the most well-prepared European country for the General Data Protection Regulation (GDPR), coming into force in May this year.

That’s according to findings from a new study by W8 Data, which was carried out amongst the top 10 European countries by GDP.

The firm discovered that confidence levels in the UK are well ahead of other European nations when it comes to GDPR compliance, with only 29% of UK organizations either not knowing or feeling totally unprepared for the new regs. That’s in contrast to almost half of Germans with Spanish and Swedish companies the least prepared, 73% and 71% respectively.

W8 Data compiled their findings into the below GDPR League table:



% of Organizations Unprepared































Findings also pointed towards a shift in perceptions surrounding GDPR in the UK in the last six months, from predominately negative to predominately positive. Increasing numbers of data controllers felt compliance is not the monumental challenge they feared and that there is more leeway than they expected.

“It is fantastic news that the UK is leading the march when it comes to compliance,” said Will Anthes, managing director, W8 Data. “It is easy to be despondent given all the negativity surrounding GDPR but ultimately it will enable more responsible marketing that will lead to stronger relationships with customers.”

However, speaking to Infosecurity André Bywater, partner at Cordery, was of the view that although there are some companies that are well-prepared for GDPR in the UK he does not feel that, on-the-hole, businesses are that well-prepared across the nation – especially smaller and medium-sized ones.

“For a number of our clients there has been a shift in attitude as they do see that plenty of aspects of GDPR are more manageable than they had thought e.g. regards marketing (although this is mainly about the PECR rules, but which will eventually be brought in line with GDPR), but I can’t say that I have seen an overall shift in the UK from negative to positive as regards certain aspects such as data breaches. Few businesses seem to understand what is going to come with mandatory notification of data breaches, despite continuing ICO enforcement such as the recent £400k Carphone Warehouse fine.”

Categories: Cyber Risk News

Army Boss Warns UK Falling Behind Russia on Cyber

Mon, 01/22/2018 - 11:53
Army Boss Warns UK Falling Behind Russia on Cyber

The head of the British army is to make a public plea for more cash today, warning that the cyber-capabilities of hostile nations like Russia and China are pulling ahead.

General Sir Nick Carter will make the speech at the Royal United Services Institute, highlighting Russian advances in cyber-warfare.

He’ll claim that Britain’s ability to defend itself "will be eroded if we don't keep up with our adversaries,” according to the BBC.

Threats to the UK “are now on Europe’s doorstep,” he will add.

The speech has the backing of new defense secretary Gavin Williamson, who is also thought to be pushing the chancellor hard for more funds.

While Europe may be more fractured from a security and defense perspective following Brexit, the UK is still a key member of Nato, which has a collective defense clause where an attack on one member is regarded as an attack on all.

The military alliance has also repeatedly claimed it now regards “cyber” as a legitimate domain alongside land, sea and air, although attribution is still a major blind spot online.

Huntsman Security head of product management, Piers Wilson, claimed the army needs to spend in the right areas.

“Our defenses could spend every penny available on people and tools and it still wouldn’t be enough to keep us secure. After all, we are still in the midst of a crippling security skills shortage that is expected to result in over 1.5m open jobs by 2020,” he argued.

“Intelligent automation, leveraging AI and analytics, can help defense analysts avoid running down endless rabbit holes and be smarter about defending all areas of the nation from attack. Cyber-defense isn’t just a matter of deploying people where they are needed, but giving them the right tools and technology to do the job - and this carries over into the commercial world too.”

Both Prime Minister Theresa May and NCSC boss Ciaran Martin called out Russia last year for increasing attacks on the UK’s media, telecoms and energy sectors.

Categories: Cyber Risk News

Russian Bots Call for Release of FISA Memo

Mon, 01/22/2018 - 11:09
Russian Bots Call for Release of FISA Memo

Republican lawmakers appear to be doing the bidding of Russian bots in calling to be made public an allegedly incendiary memo detailing secret FISA spying on the Trump campaign.

The #releasethememo campaign on Twitter has been heavily promoted by Kremlin-linked influence networks, according to transparency site Hamilton 68. At one point, bot activity for the hashtag soared by over 260,000%, according to reports.

The House Intelligence Committee memo reportedly details how the FISA surveillance law was used by the FBI under the Obama administration to spy on members of the Trump campaign team, who are suspected of collusion with Putin aides in the run up to the last presidential election.

If that’s true, the FBI would likely have been within its right to use the law, which governs intelligence gathering on foreign suspects and, by extension, any Americans they’re in communication with.

However, certain GOP lawmakers may be hoping the revelations will derail the ongoing investigation into the Trump campaign by special counsel Robert Mueller.

"The House must immediately make public the memo prepared by the Intelligence Committee regarding the FBI and the Department of Justice," said Representative Matt Gaetz, in a typical statement. "The facts contained in this memo are jaw-dropping and demand full transparency."

Several Republicans said if they had known of the ‘abuses’ of power outlined in the memo they would not have voted to reauthorize the controversial section 702 of FISA, which has now been signed by President Trump.

It will not escape the attention of many that these remarks were made in some cases just hours after the law was reauthorized — while little effort was made by many of these lawmakers to question the legislation in the months of debate preceding the vote.

Despite revelations by Edward Snowden that FISA is used by the NSA and FBI to snoop on countless innocent Americans, despite being intended to target foreign operatives, it was passed 256-164 by the lower house.

The controversial Section 702 now has another six years before it is re-examined.

In fact, the new version also gives the government the opportunity to restart “about” searches, whereby even if two Americans simply mention keywords monitored by the authorities, their conversation can be logged and their details swept up in a dragnet surveillance database.

This database can then be searched by the FBI at a later date for unrelated crimes, all without a warrant.

Californian Democrat and member of the House Intelligence Committee, Adam Schiff, has described the memo as a "profoundly misleading set of talking points drafted by Republican staff attacking the FBI and its handling of the investigation."

Categories: Cyber Risk News