Info Security

Subscribe to Info Security  feed
Updated: 48 min 16 sec ago

Canadians Unsure What to Do Post-Identity Theft

Thu, 05/31/2018 - 13:58
Canadians Unsure What to Do Post-Identity Theft

An overwhelming majority of Canadians reported that they wouldn't know what actions to take if their identity were stolen in a data breach, according to new research from dragonfly id.

Partnering with ThinkHatch and Haven Insights, dragonfly id surveyed 425 Canadians over the course of four days in early March 2018. The goal of the survey was to understand how much Canadians know about the steps they should take to retrieve data in the aftermath of an identity breach. Results showed that 83% of respondents don't know what to do to restore their identities.   

Given the current state of the economy, the number of data breaches being reported daily and the impact identity theft has on both companies and consumers, younger respondents agreed that it's important to educate consumers on the need to have a restoration service in place for when a breach does happen.

"As age increased, concerns about online identity theft of personal data and records tended to decline," according to a 30 May press release issued by dragonfly id.

A majority (65%) of respondents also said that they really don't understand how criminals are able to compromise their identities online. Only 5% of respondents said they have a good understanding of the way thieves can steal personal information. 

Of the respondents, 46% believe it would take fewer than 50 hours to restore someone's identity after it was stolen. 

Karey Davidson, president of dragonfly id, said that a low-level identity theft breach could take between two to five weeks to resolve. However, if an attacker engages in a more sophisticated and comprehensive attack and gains access to more detailed identity information, recovering one's identity could take up to six months.

"Canadians are becoming increasingly more concerned with the impact of identity theft on their personal and financial lives. They are unsure about how to deal with the fraud that can result [in] and, in particular, the time and the steps that it takes to resolve a breach," Davidson said in the press release. 

Earlier this month, Peter Boys, Canadian Association of Farm Advisors wrote an opinion piece in The Stettler Independent. Boys noted that according to a recent annual fraud survey commissioned by the Chartered Professional Accountants of Canada (CPA Canada), Canadians are growing increasingly more concerned about identity theft.

Recognizing that citizens are fearful that businesses in Canada are more vulnerable to cyber-attacks, Boys warned, "Fraud comes in many different forms, from credit card theft, mail theft, mortgage fraud, [and] skimming to hacking. In today’s ever-evolving economy, change is rapid, and the threat of fraud is constant. Canadians are strongly encouraged to be aggressive in protecting themselves against fraud."

Categories: Cyber Risk News

Senators Urge Bolton to Reconsider Cyber-Tsar Role

Thu, 05/31/2018 - 10:20
Senators Urge Bolton to Reconsider Cyber-Tsar Role

A group of 19 senators have called on the Trump administration to reverse its decision to drop a key cybersecurity role from the upper echelons of government.

An open letter to national security adviser (NSA), John Bolton, expressed concern that the lack of a special assistant to the President and cybersecurity coordinator would hamper US efforts at precisely the wrong time.

It detailed concerns from US lawmakers and intelligence officials of Russia’s growing confidence in conducting audacious cyber-attacks against its geopolitical enemies.

“Our country’s cybersecurity should be a top priority; therefore, it is critically important that the US government present a unified front in defending against cyber-attacks. Eliminating the cybersecurity coordinator role keeps us from presenting that unified front and does nothing to deter our enemies from attacking us again,” the letter continued.

“Instead, it would represent a step in the wrong direction. Again, we urge you to send a strong signal to the rest of the world that cybersecurity is a top priority by reconsidering the elimination of the cybersecurity coordinator.”

News that the position had been dropped broke earlier this month, after the White House chose not to replace Trump’s first appointee to the role, Rob Joyce, whose departure was announced in April.

It’s believed controversial NSA Bolton was behind the decision, which came amidst a spate of departures from the National Security Council following his appointment.

The decision was justified on the basis of “streamlining management” reducing bureaucracy and increasing accountability by placing decision-making firmly in the National Security Council.

It’s unlikely that the letter will change policy, given that all 19 senators are Democrats, even though it features the signatures of heavyweights including Elizabeth Warren and Mark Warner, the latter vice-chairman of the powerful Senate Intelligence Committee.

Categories: Cyber Risk News

Icann Files Suit in Germany in Bid to Clarify GDPR

Thu, 05/31/2018 - 09:54
Icann Files Suit in Germany in Bid to Clarify GDPR

Internet oversight body Icann has filed a one-sided lawsuit in Germany in a bid to clarify its GDPR obligations, after clashes with European regulators.

Icann is taking action after EPAG, part of the Tucows group, decided to no longer collect “administrative and technical contact information” for the Whois database as it believes it would conflict with the new privacy legislation.

However, failing to do so breaks the terms of Icann’s recently created Temporary Specification.

Although the oversight body believes the new rules comply with the GDPR, Tucows disagrees, claiming it breaks the principle of data minimization if it means the registry is required “to store and process personal data belonging to people with whom we have no legal or contractual relationship.”

There are also issues with Icann’s requirement that registrars send all data collected to the relevant registry as it contravenes the principle of data use only when a legitimate legal basis applies, Tucows said.

“Icann has also required that we continue to publish the organization, state/province, and country fields in the public Whois. We disagree that the organization should be published because, although it is optional, many people do not realize this and put their own first and last names in the organization field,” Tucows added. “We do not want to expose the personal data of these registrants because of a misunderstanding, and it will take considerable time to educate registrants and cleanse this data from the field.”

For Icann and the US government, this is a serious matter as they believe Whois data is a critical resource for law enforcers and IP rights holders and one which should be kept intact.

That sets Washington yet again on a collision course with Brussels.

It should also be mentioned that Icann’s one-sided filing should help to stay any further GDPR-related legal action against the body until a decision is made.

Andy Kays, CTO of Redscan, argued that Whois can be an invaluable resource in helping to track down phishers and spammers.

“An accreditation scheme, that would vet access to personal data in Whois records for special interest groups such as the police, security researchers and journalists, would certainly be very welcome and help to address concerns,” he added. “Planning to implement such a vetting system should have started years ago but by only recently attempting to outline its proposals, Icann shows that it has been too slow to react to the global impact of the GDPR.”

Categories: Cyber Risk News

US Court Upholds Kaspersky Lab Government Ban

Thu, 05/31/2018 - 08:44
US Court Upholds Kaspersky Lab Government Ban

Kaspersky Lab has failed in its bid to have a ban on the sale of its products to government agencies overturned.

A US district court upheld the ban, despite the Moscow-based AV firm filing two lawsuits against the relevant documentation: the September 2017 Binding Operative Directive (BOD 17-01) and the Congressional National Defense Authorization Act (NDAA).

Kaspersky Lab’s founder Eugene Kaspersky had argued that the rulings violate the Fifth Amendment by interfering with due process.

However, judge Kollar-Kotelly dismissed both arguments, ruling that the NDAA “eliminates a perceived risk to the nation’s cybersecurity and, in so doing, has the secondary effect of foreclosing one small source of revenue for a large multinational corporation.”

As the NDAA is taking effect later this year, the BOD wouldn’t cause any further impact to Kaspersky Lab because government agencies would already be warned off buying its products, she added.

In a statement, the AV firm said it was “disappointed” with the ruling and will be appealing the verdict.

“Kaspersky Lab maintains that these actions were the product of unconstitutional agency and legislative processes and unfairly targeted the company without any meaningful fact finding,” it added.

“Given the lack of evidence of wrongdoing by the company and the imputation of malicious cyber activity by nation-states to a private company, these decisions have broad implications for the global technology community. Policy prohibiting the US government's use of Kaspersky Lab products and services actually undermines the government's expressed goal of protecting federal systems from the most serious cyber threats.”

Kaspersky Lab launched a Global Transparency Initiative last year in a bid to reassure Western governments of its integrity in the face of claims it allowed Russian intelligence to use its products to spy on targets.

The firm is opening a Swiss datacenter as part of this effort to handle all data for customers in key markets like Europe, North America and Australia.

Categories: Cyber Risk News

EU Agencies Join to Tackle Dark Web Crime

Wed, 05/30/2018 - 15:56
EU Agencies Join to Tackle Dark Web Crime

In an effort to strengthen their ability to fight cybercrime on the dark web, multiple law enforcement agencies have come together to establish a Dark Web Team. Europol announced yesterday that it will work with EU partners and global law enforcement agencies to reduce the size of the underground crime economy.

In a 29 May event that marked the official launch of the new Europol Dark Web Team, stakeholders from the European Commission, Interpol, and Eurojust joined with law enforcement agents from 28 countries in The Hague, the Netherlands, and expressed their enthusiasm over the expanded efforts to take down cybercriminals on the dark web.

Through its European Cybercrime Centre (C3), Europol has been actively monitoring the dark web for several years. Investigations in the underground marketplaces have yielded an array of tools, tactics and techniques used by cybercriminals. 

As a result, Europol, in partnership with other law enforcement agencies, has successfully shut down AlphaBay and Hansa, "two of the largest marketplaces responsible for the trading of over 350 000 illicit goods like drugs, firearms and cybercrime tools, such as malware," according to a Europol press release

The reported success of the crime-fighting partnerships has led to a reduced number of illicit transactions, with Europol reporting that some dark web traders have closed down their platforms for fear of getting caught. 

The dedicated Dark Web Team will share information through a coordinated approach, allowing the different agencies to provide operational support and varying degrees of expertise in the wide range of cybercrimes that they are fighting.  

Chief commissioner Ivaylo Spiridonov, director of the Bulgarian general directorate combatting organised crime, delivered the opening remarks on behalf of the current Presidency of the Council of the EU and highlighted that “today’s expert assembly will further enhance the law enforcement’s ability to find sustainable solutions and a common coordinated approach to respond to criminality on the dark web.”

Categories: Cyber Risk News

Tesla Car Crashes into Police SUV

Wed, 05/30/2018 - 15:34
Tesla Car Crashes into Police SUV

Police are investigating a 29 May crash in which the driver of a Tesla Model S car struck a parked police vehicle in Laguna Beach, California, at 11:07 a.m. local time. The police cruiser, though unoccupied, was damaged when the Tesla’s front end rammed into the rear driver’s side of the patrol car.

The driver of the 2015 Model S car, who suffered minor injuries, told investigators that the car was in autopilot. According to a Tesla spokesperson, “When using Autopilot, drivers are continuously reminded of their responsibility to keep their hands on the wheel and maintain control of the vehicle at all times.”

Tesla told Infosecurity Magazine the company has always been clear that Autopilot doesn’t make the car impervious to all accidents. “Before a driver can use Autopilot, they must accept a dialogue box which states that ‘Autopilot is designed for use on highways that have a center divider and clear lane markings,’” the spokesperson wrote in an email.

Many Twitter users have weighed in on the crash, expressing both defense of Tesla and concern over the expectations of what autopilot is actually capable of. In response to news of the crash, one person tweeted, “IMO, Tesla tech gives a driver an invaluable 2nd set of eyes that make the car way safer than most ... BUT it seems the pattern emerging is drivers believing they purchased a chauffeur ! - driver aid NOT driver replacement.”

In related news, another Tesla owner endured a crash in Seattle, Washington, yesterday. While the company continues crash tests for the Tesla Model 3, electrek reported that the owner of a Model 3 was rear-ended yesterday but said that the car “performed miraculously.”

In his story of the crash published on Tesla Motor Club, the car owner, known as Anatari, wrote that he was traveling along the I-90 tunnel at 65 mph when he was hit from behind by another vehicle. Anatari said he lost control of the car.

The car then spun out of control and hit the freeway divider wall, “all the way on the other side of the freeway 4 lanes across, and then bouncing back all the way back to the other side of the freeway and hitting that wall before coming to a stop.

“Thankfully the model 3 performed miraculously, crumple zones compressed, airbags deployed, no fire after the accident, and no one in my family seems to be seriously injured.”

Categories: Cyber Risk News

To Keep Them Safe Online, Teach Them to Phish

Wed, 05/30/2018 - 14:00
To Keep Them Safe Online, Teach Them to Phish

Security experts in Hamilton, Bermuda, yesterday hosted a live hacking demonstration showing event attendees the ease with which attackers are able to gain access to a corporate network through a phishing email campaign. 

The event, hosted by the (ISC)2 Bermuda Chartering Chapter, revealed the tricks that hackers use to get email recipients to click on malicious links and share their personal information. Dionach senior technical consultant Mark Phillips and business development manager Mathew Sofiyani simulated the phishing attacks.

According to the Royal Gazette, the demonstration warned that "having gained controlled of a compromised computer, an attacker is in a position to monitor everything that goes on, operate inbuilt microphones, webcams, and record key strokes to capture username and password details. If it is a company workstation that is compromised that could lead to serious and costly damage to an internal network, and the loss of valuable corporate data."

These events are an effort to raise awareness and share technical expertise, with good reason. Symantec's 2018 Internet Security Threat Report found that "spearphishing is the number one infection vector, employed by 71 percent of organized groups in 2017."

A classic example is the tech support scam, and since the GDPR has prompted many organizations to make customers aware of changes to their privacy policies, attackers have leveraged that communication as another avenue for scams.

Penetration testers and ethical hackers are increasing their efforts to help organizations educate their employees on not only the inherent dangers of phishing campaigns but also how to spot a malicious email.

On 29 May, The Wall Street Journal broke down the anatomy of a phishing attack as explained by Shawn Moyer, a founding partner at Atredis Partners

Attackers look for a way into the company and use social engineering tactics to hack the trust of unsuspecting users. Then comes the attack. Yet there are several ways to avoid falling victim to an attack.

Phillips showed yesterday's event attendees that hovering over links reveals the actual URL destination and pointed out the distinctions between "http" and "https". 

End users were also advised to read carefully in order to spot spelling errors. While phishing is far more problematic, brazen attackers also use "vishing" and engage with their targets over the phone. The goal is always to get the victim to reveal personal information, which Phillips said is very easy for attackers to do. 

Categories: Cyber Risk News

Spear-Phisher Gets Five Years for Helping FSB Yahoo Hackers

Wed, 05/30/2018 - 10:23
Spear-Phisher Gets Five Years for Helping FSB Yahoo Hackers

A Canadian man has been handed down a five-year prison sentence for his part in a Russian government conspiracy which resulted in the compromise of 500 million Yahoo accounts.

Kazakhstan-born Karim Baratov, 23, pleaded guilty in November 2017 to spear-phishing at least 80 webmail accounts belonging to “individuals of interest” for the Russian intelligence service the FSB. He’s then said to have sent the account passwords to a co-conspirator in exchange for money.

Baratov is also said to have hacked more than 11,000 webmail accounts in total from around 2010 until his March 2017 arrest in Canada.

Although he wasn’t directly responsible for the Yahoo breach, his co-conspirators in the FSB and fellow “hacker-for-hire” Alexsey Belan were, according to the Department of Justice. Baratov’s job was in fact to hack user accounts for non-Yahoo providers such as Gmail.

The persons of interest Baratov helped the FSB to monitor included Russian journalists, US and Russian government officials and private-sector employees of financial, transportation and other companies, the DoJ said in a detailed description of the case back in March 2017.

“It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts,” said FBI special agent in charge John Bennett.

“Today's sentencing demonstrates the FBI's unwavering commitment to disrupt and prosecute malicious cyber actors despite their attempts to conceal their identities and hide from justice.”

The judge also ordered Baratov to pay a fine of $250,000, apparently claiming the large sum would make up for the relatively lenient sentence, which prosecutors wanted doubled.

The compromise of 500 million user accounts at Yahoo is not thought to be linked to the other breaches affecting billions of customers.

Categories: Cyber Risk News

US Government Warns of North Korean APT Malware

Wed, 05/30/2018 - 09:24
US Government Warns of North Korean APT Malware

The US-CERT has released a new technical alert warning of two pieces of malware it says are being used by the North Korean government.

The joint alert comes from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) and refers to the prolific APT group known as Hidden Cobra.

The two pieces of malware it’s using are: remote access trojan (RAT) Joanap and SMB worm Brambul.

“According to reporting of trusted third parties, Hidden Cobra actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States — including the media, aerospace, financial, and critical infrastructure sectors,” US-CERT claimed.

The US government has found Joanap on 87 compromised network nodes in 17 countries including China, Spain, Sweden, India, Brazil and Iran.

“Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by Hidden Cobra actors remotely from a command and control server,” the alert continued. “Joanap typically infects a system as a file dropped by other Hidden Cobra malware, which users unknowingly downloaded either when they visit sites compromised by Hidden Cobra actors, or when they open malicious email attachments.”

Joanap operates covertly, moving laterally inside an infected network to any connected nodes, said US-CERT.

“Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network,” it added. “Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.”

The US-CERT urged organizations to mitigate the risk posed by these attacks by: keeping systems up-to-date with patches and the latest AV, applying least privilege policy to permissions, scanning and blocking suspicious email attachments, disabling Microsoft’s File and Printer Sharing service and configuring personal workstation firewalls to deny unsolicited connection requests.

Categories: Cyber Risk News

Two Canadian Banks Warn Customers of Possible Breach

Wed, 05/30/2018 - 08:56
Two Canadian Banks Warn Customers of Possible Breach

Two Canadian banks confirmed on Monday that they have been contacted by ‘fraudsters’ claiming to have in their possession personal and financial information on tens of thousands of customers.

The Bank of Montreal (BMO) said in a brief statement that the data related to a “limited” number of customers, which some reports put as high as 50,000.

“We believe they originated the attack from outside the country. We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off,” it added.

The lender is working with the authorities and contacting those who may have been affected, advising customers to keep a close eye on their accounts for any potentially suspicious activity.

Simplii Financial, a subsidiary of the Canadian Imperial Bank of Commerce, was more transparent, revealing that around 40,000 customers may have been affected after it was contacted by fraudsters on Sunday, the same day as BMO.

It’s also investigating the claims and has also reached out to customers, urging them to monitor their accounts and to always use a complex password and PIN on their accounts, although this in itself is indicative that 2FA is not used by the bank as standard for customer authentication.

“We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, senior vice president at Simplii Financial. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

It’s not clear whether the parties that contacted each bank were fraudsters or the hackers who initially breached the data.

James Lerud, head of the Verodin Behavioral Research Team, argued that if the data breach is genuine then the banks’ detection and prevention measures appear to have failed.

“Hats off to both banks for alerting the public, this was the right thing to do and takes a lot of power away from the hackers, but we shouldn't completely let them off the hook,” he added.

“Banks and other organizations we trust with sensitive information need to let the public know exactly how they are validating and improving defenses over time. Without a program to scientifically validate and improve controls, customers should find it hard to trust these entities with their valuable information.”

Categories: Cyber Risk News

No Smiles for Coca-Cola After Data Breach

Tue, 05/29/2018 - 14:38
No Smiles for Coca-Cola After Data Breach

The threat of malicious insiders is one that Coca-Cola knows all too well now that it has had to disclose a breach after a former employee was discovered to have stolen a hard drive. 

According to Cyware, Coca-Cola suffered a data breach in September 2017 in which the personal data of 8,000 employees was compromised after a former employer at one of its subsidiaries stole an external hard drive. Law enforcement officials notified the company and initially requested that Coca-Cola not disclose the incident, as they were still investigating the breach. 

The company has now notified affected employees with a letter that explains what happened, what information was involved and what the company is doing in response to the breach.

"Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee. We do not have any information to suggest that the misappropriated information was used to commit identity theft," the notification letter said.  

In an effort to restore confidence, Coca-Cola wrote that it has secured the services of Kroll to provide identity monitoring for one year at no cost, warning those affected by the breach that "it is important that you remain vigilant against possible identity theft by regularly reviewing your account statement and credit report." 

Insider threats remain the top source of security incidents, according to PwC's Global State of Information Security Survey 2018. While outsider threats have decreased, "those attributed to insiders, such as third parties–including suppliers, consultants and contractors–and employees, have stayed about the same or increased."

While Albawaba Business reported that a Kaspersky Lab study found data breaches are costing enterprises more money, Coca-Cola stock prices don't yet reflect financial losses. On 25 May, only days before the breach was announced, FinTelegraph reported, "The Coca-Cola Company has lost -3.91% in value over the last three months, and -7.56% over the last six-month period."

At the end of the 25 May trading session, the stock was worth $42.32. Today, it is trading up from that at $42.66.  

Categories: Cyber Risk News

Destroyed Keys Cost WIRED $100,000 in Bitcoin

Tue, 05/29/2018 - 13:31
Destroyed Keys Cost WIRED $100,000 in Bitcoin

Back in 2013, WIRED began mining for Bitcoin using a mining device sent to it by the now-defunct Butterfly Labs. It successfully mined 13 Bitcoins reportedly worth around $100,000 and apparently threw away the keys in its quest to remain ethical in its reporting on cryptocurrency. Years later, Louise Matsakis, staff writer at WIRED, said the magazine could have locked the coins down to be used at a future date.

Butterfly Labs had shared a 5-gigahash-per-second Bitcoin miner with WIRED so that it could review the miner. Paying customers would have had to invest $274 for the system that WIRED received. At the time, miners didn't need the powerful, specialized hardware required to mine crytocurrencies that is required today.

By essentially winning the Bitcoin lottery a couple times, WIRED earned itself over 13 coins, which left it confronting a moral dilemma. When former senior writer for WIRED Robert McMillian reported on the earnings, he set forth the poignant question of what they should do with the proceeds. After a lengthy conversation, staff members couldn't agree on what to do with the earnings, but, Matsakis said, "what was agreed upon was that the money shouldn't just sit there, because it could influence how the magazine reported on cryptocurrencies."

To settle the matter, WIRED decided to destroy the private keys that unlock the Bitcoin wallet so that the funds could never be spent. "Originally I was going to say that the closest metaphor I have is that we dropped a car key somewhere in the Atlantic, but I think it's closer for me to say we dropped the key somewhere between here and the Alpha Centauri," said Stefan Antonowicz, the then-head of engineering at WIRED who set up the miner.

Recovering lost or stolen Bitcoin is impossible, according to Cryptalker. That's bad news for anyone at WIRED who hoped to maybe someday recover the keys. Shredding the private keys to its 13 Bitcoin is a loss, but one that pales in comparison to the estimated 2.78 and 3.79 million lost coins in the worldwide abyss.

Categories: Cyber Risk News

More Data Leaked from AWS Bucket Misconfigurations

Tue, 05/29/2018 - 11:27
More Data Leaked from AWS Bucket Misconfigurations

Another Amazon S3 bucket misconfiguration breach, this time with AgentRun, has resulted in an insurance start-up exposing data for clients, including Cigna, Transamerica, SafeCo Insurance, Schneider Insurance, Manhattan Life, and Everest Re. Sensitive personal and medical information of thousands of insurance policyholders was exposed, leaving the data without password protection and publicly accessible to anyone while AgentRun was migrating to the bucket during an application upgrade, according to Cyware.

Mike McKee, CEO, ObserveIT, said that companies are moving faster than ever, so it no surprise that many security breaches occur due to human error. "This is another example of how damaging an insider with good intentions but poor execution or adherence to policy can be to an organization," McKee said.

Many organizations don't understand how to evaluate the security practices of all their downline parties. Fred Kneip, CEO, CyberGRX, said it is critical to know not only who has your data but also where it is and how well they are securing it. "Are they encrypting the data in an S3 bucket? These are critical factors that organizations need to understand about all third parties in their digital ecosystem in order to know which pose the most risk to their data. We’re going to continue to see these types of attacks until the industry takes this issue more seriously and adopts a more collaborative approach to reducing third-party risk.”

Some argue that cloud providers probably need to do more, and Mukul Kumar, CISO and VP of cyber practice at Cavirin, said that they are moving in this direction to protect the cloud assets of organizations that have little or no expertise. Still, Kumar said, "when spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."

Sanjay Kalra, co-founder and chief product officer at Lacework, said, "AWS provides an amazing services that helps any innovative business accelerate the deployment of new applications. That said, properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources. It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."

With AWS incidents happening on an almost weekly basis, McKee said that companies can better mitigate risks of human error by identifying high-risk users and third-party vendors with data and system access, ensuring that strict change control sets are in place, continuously monitoring user activity, implementing technology to help detect and respond to risky, out-of-policy actions quickly and implementing ongoing employee education programs.

Categories: Cyber Risk News

Apple Device Access Requests Decline

Tue, 05/29/2018 - 10:26
Apple Device Access Requests Decline

Apple received over 29,700 requests from law enforcers to access customer devices in the second half of 2017 and provided data in 79% of cases.

The findings are revealed in the tech giant’s latest Report on Government and Private Party Requests for Customer Information covering July 1 to December 31 last year.

The requests cover just over 309,000 devices, more than double the 151,000 it received over the same time period in 2016, and back then the number of requests was slightly higher (30,184).

Apple claimed that in the US, the high number of devices specified in requests was “predominantly due to device repair fraud investigations, fraudulent purchase investigations, and stolen device investigations.”

In China, it was due to “tax/device export investigations, device repair/warranty fraud investigations, and stolen device investigations.”

Apple added that device-based requests usually seek “details of customers associated with devices or device connections to Apple services.”

The firm famously prides itself on providing access only up to a point where it is technically possible, and will not – for example – accede to requests by law enforcers to unlock encrypted devices by re-engineering products. That has led to a well-publicized stand-off with the FBI in recent years.

The firm isn’t allowed to be as transparent with national security-related requests, although it claimed not to have any orders for bulk data “to date.” It said that during the second half of 2017 it received 16,000-16,249 national security orders affecting 8000-8249 accounts.

From the next report, Apple claimed it will reveal the number of apps removed from its app store.

The report comes as a new bill calling for even greater transparency on the part of Silicon Valley firms was approved by a Senate committee last week.

The new National Defense Authorization Act includes provisions which would force US tech firms that do business with the US military to disclose if their products have had source code examined by foreign governments.

A Reuters report last year revealed that HP allowed Russian operatives to scrutinize software used by the Pentagon.

Categories: Cyber Risk News

PGP Founder: Don’t Disable Encryption Service

Tue, 05/29/2018 - 09:21
PGP Founder: Don’t Disable Encryption Service

The man credited with inventing PGP has teamed up with other key developers to assure users that the popular encryption program is not insecure, despite some reports to the contrary earlier this month.

Some outlets and the Electronic Frontier Foundation (EFF) mis-reported the findings of new research detailing several new ‘vulnerabilities’ in PGP and recommended users disable the service, they said.

The post late last week added the following:

“These statements are highly misleading and potentially dangerous. PGP is not broken. The vulnerabilities identified by eFail are not flaws with the OpenPGP protocol itself but rather flaws in certain implementations of PGP, including in Apple Mail, Mozilla Thunderbird, and Microsoft Outlook. Many other commonly used software based upon PGP are not affected by the eFail vulnerability in any way, as the researchers themselves point out in their paper.”

The authors of the post – including Phil Zimmerman and the developers of Enigmail, Mailvelope and ProtonMail – recommended users switch to PGP implementations that are not impacted by eFail, or update their PGP software to the latest version.

“Ensure that everyone you communicate with is also using unaffected implementations or has updated their PGP software,” they added. “Be sure to get a verified confirmation from your contacts before sending sensitive information to them.”

The quartet are particularly scathing of the EFF, claiming its advice for users to disable PGP plugins or stop using PGP altogether “is akin to saying, ‘some locks can be broken; therefore we must remove all doors’,” and therefore could put individuals at risk if they rely on PGP for security.

Infosecurity reported at the time that security experts had criticized the EFF’s warnings as “pretty overblown” and that OpenPGP tools would continue to function without any issues.

The other signatories are ProtonMail founder, Andy Yen, Enigmail founder Patrick Brunschwig and Mailvelope founder Thomas Oberndörfer.

Categories: Cyber Risk News

Prolific Phisher ‘Courvoisier’ Gets 10 Years Behind Bars

Tue, 05/29/2018 - 08:53
Prolific Phisher ‘Courvoisier’ Gets 10 Years Behind Bars

A British man has been sentenced to a decade behind bars for a range of computer crime and drugs offenses.

Grant West, 26, was behind a string of phishing attacks against customers of big-name brands including Just Eat, Sainsbury’s, Ladbrokes and Argos.

Between July and December 2015 he’s said to have conspired with unknown parties to obtain data on Just Eat customers and use it “to facilitate fraudulent transactions whether directly or indirectly following transmission of the data to others.”

It’s believed he carried out these phishing attacks by spamming users with offers of a £10 gift voucher for answering questions about the service and filling in their personal details.

He’s also sentenced with conspiracy to defraud by “obtaining, using and supplying …  fullz” – i.e. lucrative packages of complete identity information.

Presumably in order to obtain these credentials, West was convicted of carrying out “brute force” attacks using popular off-the-shelf tool Sentry MBA to compromise the websites of Sainsbury’s, Nectar, Groupon,, Ladbrokes, Coral betting, Uber, Asda and many more.

He was also convicted of possessing and supplying cannabis and selling “how to” guides to other hackers and fraudsters.

West was caught in dramatic fashion after police finally tracked the IP address of his girlfriend’s laptop, and captured the unlocked device as he was travelling from Rhyl to London by train.

“This prosecution was able to prove that Grant West was the prolific cyber hacker known as Courvoisier. West was caught by police conducting attacks on company websites,” said Sarah Jennings, of the Crown Prosecution Service.

“He sold the lists of financial information to make money and even used stolen credit card details to pay for holidays, food and shopping. In the end, West had no alternative but to plead guilty due to the overwhelming evidence.”

West is said to have made over £180,000 by selling his wares on the now-defunct dark web marketplace Alpha Bay.

Categories: Cyber Risk News

Security of HTML5 May Not Live Up to Promise

Fri, 05/25/2018 - 16:09
Security of HTML5 May Not Live Up to Promise

Once believed to be bereft of the security risks inherent in plugins like Adobe Flash, HTML5 attributes enable malware attacks, and The Media Trust is reporting that it has discovered numerous malware incidents in the hypertext markup language. 

In a blog posted today, The Media Trust wrote, “The malware, which has produced at least 21 separate incidents affecting dozens of globally recognized digital media publishers and at least 15 ad networks, uses JavaScript commands in order to hide within HTML5 creative and avoid detection. The scale of the infection marks a turning point for HTML5’s presumed security and demonstrates the advances malware developers have made in exploiting the open standards’ basic functionality to launch their attack.”

Introduced as code that enabled an improved user experience when playing multimedia content on computers and mobile devices, HTML5 has served as a viable and more secure alternative to the Flash plugin. In 2015, when Flash was identified as the source of the greatest security risk facing companies and individuals, security was cited as the chief reason for HTML5 adoption.  

“In fact, over the past five years, developers, along with publishers and browser providers, have staged a mass exodus from Flash technology into HTML5, which seemed to promise greater security and more advanced web app features,” The Media Trust wrote.

However, the malware team at the Media Trust has discovered that the very attributes that allow HTML5 to deliver the content of popular formats without external plugins are also being used to cloak malware. By breaking it into smaller parts, the malware is harder to detect, but when certain conditions are met, those broken parts are pieced back together. 

While researchers have discovered HTML5 malware before, these instances are different because they require no victim interaction and are targeting devices that have trouble detecting malware. 

“The HTML5 malware was designed to entice victims to enter their information in response to a pop-up ad. This campaign is quickly spreading through the online world, waiting for individuals with the right devices to trigger the collection of personally identifiable information,” The Media Trust wrote. In addition, no antivirus solutions have been able to stop any previous versions of HTML5 malware.

Categories: Cyber Risk News

Xenotime Attack Group Expands Activity

Fri, 05/25/2018 - 15:30
Xenotime Attack Group Expands Activity

A known threat group targeting industrial safety systems in the Middle East is using similar attacks on industrial systems in the United States, according to new research from Dragos. The Xenotime group has been labeled the most dangerous threat activity group because it is the only group intentionally compromising and disrupting industrial safety instrumented systems.

Though Dragos has not identified the specific targets of the latest attack on industrial controls systems in the US, it has reported that the attacks resembles the Russian attack on US critical infrastructure reported by US-CERT earlier this year, noting that the malware shows similarities to Trisis, which was used in an attack last year in Saudi Arabia.

In a 24 May blog post, Dragos wrote, “Industrial safety systems are highly redundant and separate controls which override and manage industrial processes if they approach unsafe conditions such as over-pressurization, overspeed, or over-heating. They enable engineers and operators to safely control and possibly shutdown processes before a major incident occurs. They’re a critical component of many dangerous industrial environments such as electric power generation and oil and gas processing.”

In the December 2017 attack on Schneider Electric’s Triconex safety instrumented system, attackers moved between networks using credential capture and replay after it configured the malware based on the functions of the system within the industrial control (ICS) environment. The level of sophistication noted in the Trisis malware framework indicated that the group had a deep knowledge of the Triconex infrastructure and processes.

“This means it’s not easy to scale—however, the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes. Dragos’ data indicates XENOTIME remains active,” Dragos wrote.

“Both attacks started with social engineering to persuade employees to open phishing emails or visit watering hole websites. Attackers then gained administrative access to IT networks, from which they’ve identified IT/OT touch points to make their way into industrial control systems,” said Oren Aspir, CTO at Cyberbit.

Most ICS attacks leverage IT/OT convergence, which is why Oren said that companies managing industrial control networks should abandon the assumption that IT and OT can be fully segregated. “Start treating OT security at the same level of seriousness as they approach IT security. It starts with obtaining visibility in your OT network. Today organizations can deploy, within days, solutions for OT visibility and detect anomalies. These could have easily detected this attack.”

Categories: Cyber Risk News

EU Privacy Activist Targets US with GDPR Rules

Fri, 05/25/2018 - 14:08
EU Privacy Activist Targets US with GDPR Rules

With the General Data Protection Regulations (GDPR) now in effect, any company collecting and using data on consumers in the EU is required to give users the choice of whether they agree or disagree with a company's privacy policy. 

The GDPR regulations empower citizens by enabling them to file complaints against companies that are not in compliance, which is exactly what Reuters reported that Max Schrems, a privacy activist in Austria, has done. 

Schrems, who has reportedly filed legal cases against Facebook, Google, Instagram, and WhatsApp, told Reuters that US tech giants are trying to force users to consent to their new privacy policies without providing a "yes or no" option.

Schrems has long been awaiting today's deadline and is no stranger to relying on the law to protect personal data. The South China Morning Post reported that he won a landmark European court ruling in 2015 and recently established a charity called None of Your Business to prevent tech giants from harvesting consumer data.

The impact of the regulations is also notable with US companies that are not reportedly breaking the law. TwitterMoments wrote, "A number of high-profile websites, including the Chicago Times and LA Times, are temporarily unavailable in Europe after new European Union rules on data protection came into effect. The General Data Protection Regulation (GDPR) gives people in the area more rights over how their information is used. Companies that fail to comply with the new law are subject to fines of up to 4% of global revenue."

GDPR in full effect

Not everyone fears the immediate consequences of noncompliance, though. "The EU regulators aren’t going to be slapping you with a 4% fine anytime soon. As the ‘The Verge’ reported earlier this week, not even the regulators are ready (or funded) to do this. With that said, I think back to Douglas Adam’s advice, ‘Don’t panic.’ Even the Facebooks and Twitters of the world don’t have all the answers," said Anupam Sahai, vice president of product management at Cavirin

Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management said, "For companies that have been working diligently on preparations and are essentially compliant, this is the time to focus on the finer points of the regulation and to put policies and processes in place to ensure that the ecosystem of service providers, vendors, and partners can be managed in a comprehensive but streamlined manner. Larger companies should have a Data Protection Officer (DPO) in place, and SMBs [small to medium-sized businesses] should assign equivalent responsibilities to a senior employee, retaining outside expert help when needed.”

Categories: Cyber Risk News

One in Three HCOs Hit by Cyber-Attack

Fri, 05/25/2018 - 13:30
One in Three HCOs Hit by Cyber-Attack

More than one in three healthcare providers have suffered a cyber-attack over the past year, with 10% paying a ransom or other extortion-related fee, according to Imperva.

The vendor polled over 100 healthcare IT professionals at the recent 2018 Healthcare Information and Management Systems Society (HIMSS) Conference in the US.

Unsurprisingly given the sizeable number that had suffered an attack, 77% of respondents said they were very concerned about a cybersecurity event hitting the organization while 15% admitted they needed to do more to improve their cyber-defenses.

Ransomware (32%) was the biggest concern in terms of online threats. That’s understandable, given the WannaCry attack of May 2017 devastated large parts of the NHS, leading to an estimated 19,000 cancelled operations and appointments.

Worryingly, over a quarter (26%) of respondents claimed they don’t have an incident response plan in place — something required by the new GDPR.

In addition, 28% said their healthcare organization (HCO) doesn’t even have chief information security officer (CISO).

A recent report from Verizon revealed that healthcare was the number one sector affected by breaches, accounting for 24% of the total number analyzed over the preceding year. It was also revealed to be the only sector in which insider threats (56%) outweighed those from external attackers (43%).

Answering questions on the insider threat, respondents to the Imperva poll said they were most concerned about careless users (51%). While 27% claimed a lack of tools to monitor employees and other activities makes detecting insider threats difficult.

“Attackers understand the value of the data held by healthcare organizations, and as a result, they are quickly becoming a sweet spot for hackers looking to steal large amounts of patient records for profit,” argued Imperva CTO, Terry Ray.

“There have been a number of incidents recently where cybercrime has impacted hospitals and left them unable to access patient data, which demonstrates the consequences of a successful attack. It is crucial that healthcare organizations take steps to protect their data. To retain patient trust, organizations must provide an excellent defense at all times.”

Categories: Cyber Risk News