Info Security


Virtual Reality Could Help Close Workforce Gap

Mon, 10/30/2017 - 18:10

About three-quarters of respondents in a recent survey said that virtual reality (VR) tools could be a critical next-gen approach to addressing the cybersecurity workforce gap.

By 2020, a projected 1.8 million cybersecurity jobs will be unfilled, leaving organizations scrambling to think outside of the box when it comes to attracting talent. In a survey from ESG and ProtectWise based on the opinions of 1,000 US-based millennials/post-millennials (the workforce’s newest generation and the next one poised to enter it), 74% said that the presence of VR tools increases their likelihood of pursuing a career in cybersecurity.

Meanwhile, 65% admitted that they haven’t been exposed to cybersecurity in school, and only 9% of 16-24-year-olds said they are interested in pursuing the cybersecurity field at some point in their career. The top reason for this is a general lack of awareness—39% cited a general lack of knowledge about cybersecurity as a career path—both pointing to a massive opportunity for education on cybersecurity as a viable profession.

“Employers are seeking candidates for tier-one analyst roles who have prior security experience, when in reality 87% of cybersecurity workers don’t start in the field,” the report noted. “Employers also want cybersecurity candidates with highly technical skills to which the average student is not exposed, including intrusion detection, attack mitigation and secure software development. Advanced certifications are required for roles that aren’t necessarily advanced, which deters workers who can earn an attractive salary and develop innovative technology in other fields without the burden of earning more credentials.”

The survey also revealed that this younger group is very aware of next-gen technology, and that gamification of the enterprise is something they would welcome. The survey found that 76% play games regularly and have a high affinity for VR tech. About 58% have used/regularly use VR technologies and expect to do so in the future—and are attracted to jobs that incorporate them. Meanwhile, 72% agreed that access to VR/AR in cybersecurity would make them more effective.

“One solution [to the workforce gap] may be to use technologies that capitalize on humans’ natural ability to reason visually and spatially in order to solve critical problems,” the report said. “Immersive technologies incorporating virtual reality (VR), augmented reality (AR) and collaborative gaming principles accomplish this and are being used to problem-solve in other industries—in healthcare to combat obesity, in automobile manufacturing to reduce waste and inefficiency and in the US Army to train recruits. The cybersecurity industry could similarly build solutions that enable fast, effective anomaly detection and remediation based on technologies that do not require highly specialized certifications and education. Doing so could open up the cybersecurity talent pool, particularly among millennials and post-millennials who are avid gamers and have a strong affinity for VR.”

Categories: Cyber Risk News

T-Mobile USA Calls Customers to Warn on SIM Hijacking

Mon, 10/30/2017 - 17:45

T-Mobile USA is warning some customers that they could be targeted by hackers looking to hijack their SIM cards.

According to reports, the company has contacted “a few hundred” customers in the last two weeks, in the wake of a website flaw that was initially reported by Vice’s Motherboard. The bug, which was patched October 10, allowed hackers to access customers' email addresses, account numbers and phone IMSIs. Armed with this information, bad actors could impersonate the user to gain access to an account and duplicate the SIM card, gaining control over the phone number. In turn, with access to the phone, they could intercept SMS codes for two-factor authentication and gain access to bank accounts and the like.

One of the affected T-Mobile customers, Lorenzo Franceschi-Bicchierai, wrote that he got a call from customer service to warn him "of a detected alert" about his personal information.

The bug was reported in early October by Karan Saini, founder of startup Secure7. But it had been exploited since at least August 6, when a black-hat uploaded an exploitation tutorial on YouTube.

Initially, T-Mobile said that there was no indication that customer accounts were affected in any broad way—though clearly that is not the case. However, the carrier now has said the number of affected users is quite low, representing a tiny fraction of its 70 million customers.

"We found that there were a few hundred customers targeted," a spokesperson told Franceschi-Bicchierai. "We take our customers' privacy very seriously and called all of those customers to inform them that some of their personal data appeared to have been accessed by an unknown third party. We also offered to work with them to ensure their account remains secure."

Categories: Cyber Risk News

'unCAPTCHA' Defeats Google CAPTCHA with 85% Accuracy

Mon, 10/30/2017 - 17:40

unCAPTCHA, an artificial intelligence-based automated system designed at the University of Maryland, can break Google's audio-based reCAPTCHA challenges with an accuracy of 85%.

Google has spent years refining and strengthening reCAPTCHA, a Turing test-based methodology for proving that website users aren’t robots, and recently extended it to mobile websites for Android users.

unCAPTCHA, to be fair, doesn’t address what most of us are familiar with: Challenges asking us to read distorted text and type it into a box. Instead, the AI is trained to crack audio challenges, which are offered as an option for people with disabilities.

unCAPTCHA combines free, public, online speech-to-text engines with a phonetic mapping technique. The system downloads the audio challenge, breaks it into several digital audio clips, then runs them through several speech-to-text systems to determine exact and near-homophones, weights the aggregated results by confidence level, and then sends the most probable answer back to Google.

The results of the trial showed that the AI could solve 450 reCAPTCHA challenges with an 85.15% accuracy in 5.42 seconds: That’s less time than it takes to listen to the challenge in the first place.

The research work proves that bad actors don’t need significant resources to mount a large-scale successful attack on the reCAPTCHA system.

“Prior work has generally assumed that attackers against CAPTCHA systems are well-resourced,” the researchers said in a paper. “In particular, the standard threat model involves an attacker who can attack the CAPTCHA tens or hundreds of thousands of times for a relatively small number of successes, and can scale this attack to abuse services.”

They added, “An attacker with many resources can afford a lower success rate, and thus some have argued that even a success rate of 1/10,000 is sufficient to threaten the integrity of services. In our work, we will assume an attacker with limited resources; unlike previous works attacking captchas, our threat model limits the attacker to one computer, one IP address, a small amount of RAM and limited training data (less than 100MB). Therefore, we aim for accuracy benchmarks above 50%, as a low-resource attacker cannot afford a lower percentage of success.”

Categories: Cyber Risk News

McAfee Says "No" to Foreign Govt Code Reviews

Mon, 10/30/2017 - 11:20

Security giant McAfee has decided to discontinue a policy of allowing foreign governments to analyze its source code for hidden backdoors.

The policy is seen as an essential step for US and other Western tech firms looking to sell into Russia and other regions, ostensibly intended to allay any security concerns foreign governments may have.

However, it’s increasingly seen as a risk which could actually expose the provider’s software, despite the possibility for such tests to be conducted so that no code is allowed to leave the premises.

McAfee is said to have made the decision after it was spun off from Intel.

“The new McAfee has defined all its own new processes, reflecting business, competitive and threat landscapes unique to our space,” a spokeswoman told Reuters. “This decision is a result of this transition effort.”

McAfee now joins Symantec, which adopted the policy in 2016 amid security fears.

It’s not just the Russian government involved here; a recent Cybersecurity Law passed in China could lead to Beijing demanding code reviews from any “critical information infrastructure” provider wanting to operate in the country.

Again, the government claims such measures are necessary to protect national security, but critics have suggested it could also give agents an opportunity to research their own backdoors.

The value of AV tools as a means for intelligence operatives to monitor targets has been brought to light by the recent showdown between the US government and Russian security firm Kaspersky Lab.

It is claimed Russian intelligence may have used backdoors in its products to spy on and steal info from an NSA contractor.

Kaspersky Lab therefore seems to be going in a different direction to McAfee and Symantec, forced to open up its source code to the US government in a bid to regain trust after Washington banned its products for federal use.

Cesare Garlati, chief security strategist at the non-profit prpl Foundation, argued that all software should be open source, available for scrutiny by all.

“There is consensus in the security community that the so-called ‘security through obscurity’ never worked: just look at Windows Microsoft or Adobe Flash if you need proof,” he added.

“Closed source software does not make any software more secure. In fact, it is the exact opposite. All recent high-profile incidents involve reverse engineering of closed source software, identification of vulnerabilities and their systematic exploit.”

Categories: Cyber Risk News

UK Government Blames WannaCry on North Korea

Mon, 10/30/2017 - 10:43

The British government has joined the likes of Microsoft and others in blaming North Korea for the devastating WannaCry ransomware attack that hit hundreds of thousands of victims in May, including over a third of NHS trusts in England.

Security minister, Ben Wallace, told BBC Radio 4’s Today program on Friday that the hermit nation “was the state that we believe was involved in this worldwide attack on our systems.

“We can be as sure as possible. I can’t obviously go into the detailed intelligence but it is widely believed in the community and across a number of countries that North Korea had taken this role,” he claimed.

Wallace also claimed North Korea had launched other attacks aimed at stealing foreign currency; potentially a reference to its attacks on Bitcoin exchanges in recent months.

Earlier this month, Microsoft president, Brad Smith, made similar remarks.

“I think at this point that all observers in the know have concluded that WannaCry was caused by North Korea using cyber tools or weapons that were stolen from the National Security Agency in the United States,” he told ITV News.

WannaCry caused chaos around the globe when it landed in mid-May. It could have affected many more victims than the 300,000 it hit if it hadn’t been for a “kill switch” discovered by researcher Marcus Hutchins.

In the end, the ransomware managed to compromise many organizations that had failed to patch a known SMB vulnerability for which Microsoft had issued a fix in March.

Scores of them were NHS trusts: 81 to be precise.

WannaCry caused the cancellation of an estimated 19,000 operations and appointments and infected hundreds of primary care and GP practices.

A National Audit Office (NAO) report released last week revealed that systemic failures in the NHS and Department of Health left the health service woefully exposed to the threat.

Categories: Cyber Risk News

Twitter Bans RT and Sputnik Ads Following Election Meddling

Mon, 10/30/2017 - 10:12

Twitter has decided to ban Russian-linked media companies Russia Today (RT) and Sputnik from buying ads on its platform, blaming their alleged interference in the US election.

The social media giant said it would “off-board” advertising from all accounts owned by the two companies, heavily linked to the Russian government.

It explained:

“This decision was based on the retrospective work we've been doing around the 2016 US election and the US intelligence community’s conclusion that both RT and Sputnik attempted to interfere with the election on behalf of the Russian government. We did not come to this decision lightly, and are taking this step now as part of our ongoing commitment to help protect the integrity of the user experience on Twitter.”

Twitter references a US government report from January which claims both outlets are part of “Russia’s state-run propaganda machine”.

“State-owned Russian media made increasingly favorable comments about President-elect Trump as the 2016 US general and primary election campaigns progressed while consistently offering negative coverage of Secretary Clinton,” it notes.

Twitter says it will take the $1.9m projected to have been earned from RT advertising since 2011 and donate it “to support external research into the use of Twitter in civic engagement and elections, including use of malicious automation and misinformation, with an initial focus on elections and automation.”

The news has been welcomed by Senators Mark Warner and Amy Klobuchar, who have proposed an Honest Ads Bill designed to force greater transparency in political advertising.

That comes following a closed door briefing to the Senate earlier this month described as “deeply disappointing” and “inadequate” by Warner.

However, the Russian outlets will still be free to use their influence to tweet organically. An arguably bigger problem is that of bot-driven profiles which can elevate specific stories or fake news to trending topics, and then be dismantled before an investigation can begin.

Google, Facebook and Twitter have all been asked to appear before a public Senate Intelligence Committee hearing on November 1.

The news comes as the World Economic Forum called on Silicon Valley social media firms to do more to halt the spread of extremism and state-backed propaganda.

Categories: Cyber Risk News

HomeHack Flaw Allows Spying Via the Robot Vacuum

Fri, 10/27/2017 - 17:03

Beware your vacuum robot: A vulnerability in LG Electronics’ smart-home line of appliances allows remote access and control of anything in the ecosystem—including refrigerators, ovens, dishwashers, washing machines and dryers, air conditioners and, yes, the vacuum cleaner.

Check Point Software uncovered a flaw that it helpfully dubbed HomeHack, which exposed millions of users of LG SmartThinQ devices to the risk of unauthorized remote control. The issue exists in the LG SmartThinQ mobile app and cloud application, allowing hackers to remotely log in, take over the user’s legitimate LG account, and gain control of, say, the vacuum cleaner and its integrated video camera. Once in control of a specific user’s LG account, any LG device or appliance associated with that account could be controlled by the attacker.

Clearly, bad actors can spy on users’ home activities via the video camera, which sends live video to the associated LG SmartThinQ app as part of its HomeGuard Security feature. Attackers could also switch things like dishwashers or washing machines on and off.

“As more and more smart devices are being used in the home, hackers will shift their focus from targeting individual devices, to hacking the apps that control networks of devices,” said Oded Vanunu, head of products vulnerability research at Check Point. “This provides cyber-criminals with even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data. Users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufacturers focus on protecting smart devices against attacks by implementing robust security during the design of software and devices.”

LG has patched the reported issues, so users should update their apps immediately.

“As part of LG Electronics’ mission to enhance the lives of consumers worldwide, we are expanding our next-generation smart-home appliance lineup, while also prioritizing the development of safe and reliable software programs,” said Koonseok Lee, manager of Smart Development Team, Smart Solution BD, LG. “Effective September 29th, the security system has been running the updated 1.9.20 version smoothly and issue-free. LG Electronics plans to continue strengthening its software security systems as well as work with cybersecurity solution providers like Check Point to provide safer and more convenient appliances.”

Categories: Cyber Risk News

Gozi Trojan Banks on Element of Surprise in Japan

Fri, 10/27/2017 - 16:48

The Gozi banking trojan has set its sights on a new land: Japan, which is a country with a low rate of financial malware activity.

According to IBM X-Force data, Gozi (aka Ursnif) has lately moved on from its traditional targets in North America, Europe and Australia to hit banks and payment providers in Japan.

“In most cases of malware migration, cyber-criminal groups with adequate resources are looking for easier money, less security and an element of surprise for users who are less accustomed to their spam ploys and social engineering during the banking session,” IBM X-Force researchers explained, in an alert. “[Also], the history of organized cybercrime in Japan is not very long. The past five years featured more generic malware and local attackers using proxy changers more than anything else.”

Many other organized groups, such as those behind Dridex and TrickBot, target banks in as many as 40 countries but have largely stayed away from Japan. This is likely because of the “connections other gangs have with local cybercrime and money-laundering groups. Even on the internet, gangs often stick to their own turf,” IBM X-Force researchers noted.

Banking, as it were, on user unfamiliarity with these types of campaigns, starting in September, Gozi operators began spreading emails with fake attachments and malicious links purporting to come from financial services and payment-card providers, according to IBM X-Force, with campaign email spikes taking place in cyclical weekly rounds, usually peaking on Tuesday evenings. Attempted infections peak on Thursdays and Fridays and are relatively low during the weekend and early weekdays.

The group is using secure sessions, web injection attacks and, in some cases, page redirections, to grab data. This Gozi variant also targets user credentials for local webmail, cloud storage, cryptocurrency exchange platforms and e-commerce sites.

“In terms of its development cycles, Ursnif was the most active malware project in 2016, topping other banking Trojans with the largest number of updates made to its loader and binary to evade security research and detection,” IBM X-Force said. “It has kept its position so far in 2017.”

Categories: Cyber Risk News

2 Million Tarte Cosmetics Users Exposed in Latest Misconfig

Fri, 10/27/2017 - 16:43

Popular cruelty-free brand Tarte Cosmetics, found online and at major retailers like Sephora and Ulta, has become the latest company to misconfigure a database (actually two), exposing personal information for nearly two million customers to ransom specialists CRU3LTY.

The CRU3LTY cyber-criminal group specializes in finding unsecured databases, lifting info, wiping files then demanding a ransom for the data’s return. According to Kromtech Security Center, which found the open databases, there was a warning folder left by CRU3LTY demanding 0.2 bitcoins.

Interestingly though, the data appeared to be still there, although the group is likely in possession of a copy. The compromised data links to customers who shopped on Tarte’s website between 2008 and 2017, and includes names, email addresses, mailing addresses and the last four digits of credit-card numbers. The information offers an opportunity for follow-on phishing attacks or scams.

“In this instance they would already have the last 4 digits of the credit card on file and with 2 million customers they would have all of the personal information needed to trick them into believing they are confirming their credit card with a company they trust,” said Kromtech chief security communications officer Bob Diachenko, in a post. “It appears that criminals have already accessed the customer data. With all of the other data leaks online it is possible that criminals could even cross reference this data against other breaches and get the customer’s full card number or more information. Ransomware alone could be devastating to a company large or small if they do not have their data backed up or a security plan in place.”

The administrators at Tarte selected “public” for the MongoDB databases’ security setting instead of “private”, according to Diachenko, and both have been indexed by the Shodan IoT search engine, popular with cyber-criminals looking for vulnerable things to exploit. The oversight is one that should have been caught in a basic security check.

“Weak security practices can be the difference between putting your customers and their data at risk, and utilizing the immense benefits of the public cloud without any ramifications,” said Zohar Alon, co-founder and CEO, Dome9, via email.

He added, “As we’ve seen recently, any size security gap in the public cloud is a big one. IT must perform regular checks and balances of cloud environments so malicious attackers cannot take advantage of simple misconfigurations. There are a number of native and third-party tools available that can solve these rampant misconfiguration errors. As companies continue to expand and leverage the agility and ease of use of the public cloud, they must put basic but crucial security practices first and be held accountable for lapses.”

For its part, Tarte issued a boilerplate statement: “At Tarte, keeping customer information fully secure is our No. 1 priority. We are aware of this potential issue, which we are actively investigating. At the same time, we are taking every measure available to ensure the highest level of protection for all corporate data, and we will keep our customers and partners informed as necessary.”

Categories: Cyber Risk News

Regional Internet Registry Spills WHOIS Database

Fri, 10/27/2017 - 10:48

Regional internet registry APNIC has suffered an embarrassing privacy incident after being alerted by a third party that it accidentally leaked details from its WHOIS database, including hashed passwords.

On October 12, Chris Barcellos from eBay’s Red Team reported to the APAC regional registry that the downloadable data was being republished on a third-party website.

That data included passwords for Maintainer and IRT objects: the former governs who can make changes to domain records while the latter contains contact info on admins responsible for receiving reports of network abuse activities.

Although passwords were hashed, APNIC admitted that there was a “possibility” that hackers with the right tools could crack the credentials.

“If that occurred, whois data could potentially be corrupted or falsified for misuse. Our investigations to date have found no evidence of this occurring,” the registry said.

“It is important to note, however, that any public misrepresentation of registry contents on whois would not result in a permanent transfer of IP resources, as the authoritative registry data is held internally by APNIC.”

As a precaution, the registry reset all Maintainer and IRT passwords.

“APNIC is continuing to analyse its logs to search for any signs of misuse as a result of this error. So far, we have found no evidence of irregularities. However, we would recommend that resource holders check the WHOIS details of their holdings to make sure that all is correct,” it added.

The incident is more of an embarrassment to APNIC than a serious risk this time around. But considering it came from a technical error which was not picked up, question marks will be raised about its internal security processes.

However, there could be a minor risk to any admins who reused passwords across multiple accounts.

“The … risk is the same with any other password breach, and the go-forward remediation is always the same – don't use the same password for multiple logins,” advised Bruce Roberts, CTO of DNS security company DomainTools.

Categories: Cyber Risk News

Anonymous Attacks Spanish Government Sites

Fri, 10/27/2017 - 10:24

Hacktivist group Anonymous has been firing up its DDoS cannon again, this time aiming it at Spanish government websites, in support of Catalan independence.

The group claimed to have taken offline the website of the constitutional court, which ruled the Catalonian referendum illegal last week.

It also defaced the website of the Spanish Ministry of Public Works and Transport with a “Free Catalonia” message.

A statement from the group had the following:

“In the name of all the Catalan independence and democracy, Anonymous Catalonia asks all the Anons of the world who are in favour of the freedom of expression [...] and peaceful dialogue to persist in the #FreeCatalonia operation until 29 October 2017.”

Various accounts associated with the disparate group have been tweeting messages with #opCatalunya and #FreeCatalonia, claiming “big attacks are coming”, although the government sites in question appear to be back to normal now.

“We wish to state that the Catalan people's desire to express their will via a referendum is the majority view and cuts across all strata of society and is in keeping with the civic, peaceful and democratic determination expressed in the multitudinous demonstrations held by organised society in favour of its right to decide,” noted another Anonymous branded video.

Stephanie Weagle, VP at Corero Network Security, argued that DDoS attacks continue to function as an effective disrupter of businesses and in some cases help to distract IT teams while information is stolen.

“In order to effectively protect their networks, prevent disruptions to customer operations, and better protect against service outages, downtime and potential data theft, companies need real-time visibility and mitigation of all DDoS attack traffic targeting their networks, regardless of size or duration,” she added.

“Traditional security infrastructure will not stand up to these service interrupting attacks—a dedicated layer of DDoS mitigation is required to eliminate the DDoS threat.”

Categories: Cyber Risk News

NHS and Government to Blame for WannaCry, Says NAO

Fri, 10/27/2017 - 09:11

A series of systemic failures at the NHS and Department of Health exposed the service to serious levels of cyber-risk, allowing WannaCry to disrupt over a third of trusts in England with thousands of appointments and operations cancelled earlier this year, an official report has found.

In the damning new report, independent body the National Audit Office focused specifically on the health service and its patients.

It found that the DoH and Cabinet Office had written to trusts in 2014 saying it was essential they had “robust plans” in place to migrate from legacy platforms like XP. NHS Digital also issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry.

However, the department had “no formal mechanism” for assessing whether trusts had complied with the advice, the NAO discovered.

The DoH is also culpable in that although it had developed an incident response plan – including delineating roles and responsibilities of national and local organisations for responding to an attack – it hadn’t been tested at a local level.

That meant that when the ransomware hit, local organizations couldn’t communicate via email with national NHS bodies and staff had to resort to sharing info by phone and WhatsApp.

The whole mess led to disruption at 81 out of 236 trusts in England (34%) and infections at a further 603 primary care and other NHS organisations, including 595 GP practices.

The NHS isn’t even sure how many appointments and operations were cancelled. There are 6,912 that have been recorded, but the figure is estimated to be much higher, at around 19,000. In five areas, patients had to travel further to A&E departments.

This lack of transparency also means that neither the department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five A&E departments that were unable to treat some patients.

There’s also no figure on how much the disruption cost the NHS.

The NAO warned the impact could have been far worse had Marcus Hutchins’ “kill switch” not been released to prevent WannaCry locking devices. It was also fortunate the attack happened on a Friday as primary care services usually close over the weekend, the report added.

“The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients,” argued NAO boss Amyas Morse.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

NHS England has apparently written to all major health boards to ensure they have now applied patches and secured “local firewalls”.

However, there’s no word on whether the service, or the Department of Health, has taken concrete steps such as testing incident response plans and migrating to newer platforms, which would help mitigate risk in future.

The report also made no mention of the GDPR or NIS Directive, but after May next year regulators will take a dim view of such incidents – if patient data is made unavailable and systems are breached as a result of poor planning.

The NAO’s findings chime with a VMware survey of NHS IT managers in which 70% claim more needs to be spent on IT security.

Things could get even worse, with nearly a third of respondents claiming hackers have already infiltrated electronic patient data, 62% saying cyber-attacks could result in patients coming to harm, and 38% admitting their team lacks the skills to improve cybersecurity infrastructure and strategy.

Categories: Cyber Risk News

Sage: Innovative Ransomware with Style

Thu, 10/26/2017 - 20:18

A revised version of the Sage ransomware has hit the scene, earning style points with a bright user interface and interactive ransom note.

“In stark contrast to the drab payment sites used by many ransomware varieties, Sage presents users with a colorful, accessible and descriptive site,” said PhishMe researchers, in a blog. “The site explains the victim’s situation and provides instructions to regain access to their encrypted data.”

One interesting similarity between this edition and older ransomware is the reuse of a technique distinctive to the Cerber encryption ransomware: A Microsoft HTML application is presented to the victim as an interactive means of navigating to the payment site.

“This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generation of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note,” the researchers said.

They added that the new Sage is designed to make paying the Bitcoin ransom easier by presenting the victims with a QR code that contains the Bitcoin wallet address used to collect the ransom. In addition, Sage v.2.2 incorporates a simplistic analysis evasion tactic by detecting the presence of commonly used malware research tools.

Interestingly, Sage asks for a $499 ransom—in sharp contrast to the leading Locky ransomware, which asks for about $1600.

“The overarching ransomware trend is clearly one that will not subside anytime soon,” PhishMe researchers said. “The criminal business model for ransomware has proven itself viable and profitable in both high-profile crises as well as in everyday attacks. The newest iteration of development upon the Sage ransomware demonstrates another example of the viability and willingness for malware writers to produce new and innovative ransomware tools.”

Categories: Cyber Risk News

Dark Web Marketplace Extorted by Cyber-criminals

Thu, 10/26/2017 - 18:47

Cyber-extortion has a new racket: Extorting fellow criminals.

A Digital Shadows investigation saw a twist in the classic gambit of acquiring a company’s valuable data, threatening to release the data if a ransom is not paid, and then putting pressure on the victim through sharing the data with journalists. The target was a criminal marketplace, widely advertised in underground Russian forums:

“On October 24th, a user posted on Pastebin claiming to have accessed customer details and administrator accounts of Basetools, an online criminal marketplace. The user also claimed to have obtained personal details of the administrator and demanded $50,000 in ransom, or he would release further information and the dox of the administrator. The post threatened to inform law enforcement should the payment not be made. At the time of writing, the Basetools market was ‘under update’ and claimed it would be back in ‘a few days’.”

Digital Shadows researchers noted that while the motivation behind the threat is clearly financial, the situation also gives wings to a trend they have seen in criminals moving away from centralized markets—whether on the dark or deep web. While these historically have allowed bad actors to easily advertise and sell their illicit goods, there has been a significant shift in the past four months with the demise of the AlphaBay and Hansa marketplaces.

In this situation, there could be a payback element to the proceedings: The actor claims that the administrator of the site has been manipulating the vendors, creating false personae and falsely elevating those vendor profiles to the top of listings.

“We have previously forecasted the potential shift from centralized marketplaces to more decentralized models, and the conditions that would have to exist for this to become a reality,” the researchers noted. “The attempted extortion of Basetools, and in particular the allegations of an admin manipulating vendor ratings is yet another reason for cyber-criminals to reconsider the idea of a centralized market. In a decentralized model, the risk of this occurring would be reduced. While the conditions for a decentralized model taking the lead may not yet be there, this may take us one step further.”

Categories: Cyber Risk News

Amazon Key Raises Security Fears Across the Spectrum

Thu, 10/26/2017 - 18:40

Amazon has raised eyebrows with the launch of a service called Amazon Key: A delivery kit that gives couriers the ability to unlock people’s homes to deliver packages inside.

The $249 kit consists of a smart-lock and a just-launched Amazon security camera called the Cloud Cam (which comes with a subscription). The camera must be mounted inside a consumer’s home, within 25 feet of the door. Once everything’s installed, Amazon Prime members can choose the “in-home” delivery option. When a delivery arrives, Amazon will authorize the delivery and unlock the door via the cloud—and turn on the camera. Users can watch the delivery live in the Amazon Key App or see a video of it later.

Users can also schedule permanent access for family members or give temporary access to recurring visitors like dog walkers, house cleaners or out-of-town guests—and be notified any time a guest locks or unlocks the door. Eventually, Amazon Key will offer integrated unattended access options for professional service providers including the Merry Maids and pet sitters and dog walkers from, as well as over 1,200 services from Amazon Home Services.

Whether warranted or not, security fears were quick to surface among consumers and infosecurity pros alike.

While smart locks that are controlled remotely via an app are not new—and neither of course are smart surveillance cameras—what’s different about this is the fact that Amazon controls these devices, locking and unlocking the door at will and having the ability to turn on and off a camera installed inside a person’s home. This has a certain Big Brother, corporate overlord aspect that perturbs some.

Also, while individually owned smart locks require hacking one-by-one, Amazon will hold the keys—literally of course—for thousands if not millions of homes, meaning that one successful hack could deliver a big payoff.  

“Amazon’s latest service—which looks set to revolutionize the delivery market—feels like a huge test of consumer trust,” said Adam Maskatiya, UK and Eire GM at Kaspersky Lab, in an emailed comment. “What makes the issue particularly dangerous is its potential reach: If a hacker can access the database of door codes, they can gain entry to a whole street’s worth of homes. That is what users need to be aware of; not how Amazon will use their information, but how hackers could potentially exploit it.”

Amazon hasn’t detailed the specific IoT security measures that may have been built into the scheme (beyond Amazon’s stated general approach), leaving the door open, as it were, to speculation. Much of that speculation has to do with the fact that IoT’s track record for security leaves something to be desired.

“Developers of smart devices do little to secure them, rarely release firmware updates and don’t explain to users that they should change their passwords,” Maskatiya said. “This makes IoT devices perfect targets for cyber-criminals. By successfully hacking IoT devices, criminals are able to spy on people, blackmail them and even discreetly make them their partners in crime.”

Amazon Key is also drawing concern over physical security. For many consumers, using a smart lock to let people that one knows and trusts into one’s home is one thing—but delivery truck drivers usually aren’t considered part of that trusted group, even if they’re licensed and bonded with a background check. The socialverse weighed in on this aspect: In the last day, nearly 62,000 Twitter posts mention “Amazon Key” according to international social media analytics firm Talkwalker. The firm said that the overwhelming majority of the posts are negative—mainly reflecting fears about physical security. Presumably the Amazon-controlled camera would pick up any illicit activity, but there are of course ways around that.

“Amazon Key is a new service that allows strangers to enter your home, hide in your closet, and kill you in your sleep. Free with Prime!” tweeted @MikeH5856.

@kevinplantz had a similar take: “*Calls Customer Service* Hi. I used the Amazon Key service and now my Xbox is missing. Also, they let my cat out. I’d like to cancel.”

Iftach Ian Amit, senior manager of security engineering with Amazon's AWS cloud division, appeared to discount the concerns when he tweeted, “Only in InfoSec you see people commenting about a product/service without knowing anything about it. Keep it up. #AmazonKey.”

Official responses to the criticisms/fears have yet to be released. 

Categories: Cyber Risk News

Malicious URL Emails Soar 600% in Q3

Thu, 10/26/2017 - 11:19

The volume of malicious emails blocked in Q3 climbed by 85%, versus the previous three months, with ransomware by far the most common threat according to new data from Proofpoint.

The firm’s Quarterly Threat Report is the result of daily analysis of over one billion emails, hundreds of millions of social media posts, and over 150 million malware samples.

It found the volume of emails featuring malicious URLs, as opposed to attachments, has exploded over the past quarter, increasing 600% from Q2 and a staggering 2,200% from Q3 2016.

This represents the highest proportion of malicious URL emails in over two years, according to the vendor.

Ransomware remained the number one threat category, accounting for nearly two-thirds (64%) of all email attempts, with Locky alone comprising almost 55% of total message volumes and more than 86% of all ransomware.

Banking Trojans came next, with a 24% share. A strain dubbed “The Trick” accounted for 70% of the total, eclipsing Dridex.

Email fraud rose 12% in frequency per targeted organization from the previous quarter and 32% from last year.

The use of exploit kits continued to remain much lower than its 2016 peak, with the RIG EK accounting for 76% of all activity.

Proofpoint claimed attackers are layering social engineering into their exploit kit campaigns, suggesting they are looking beyond exploits as they get harder to find and obtain.

On the web front, suspicious domain registrations outnumbered defensive registrations by 20 to 1, while in social media, fraudulent “angler” accounts doubled from a year ago.

Angler phishing is a relatively new tactic which first came to light last year, in which cybercriminals register fake Twitter accounts masquerading as customer support accounts. They monitor the real support accounts for irate customers and then jump in to send messages back to those customers loaded with malicious links.

Categories: Cyber Risk News

PCI SSC Launches New 3DS Payment Standards

Thu, 10/26/2017 - 09:56

Payment card body PCI Security Standards Council has posted several updates designed to improve the security of authentication infrastructure, third party accountability and software design.

At its annual European community meeting in Barcelona this week, PCI SSC CTO Troy Leach claimed: “Dynamic authentication is becoming increasingly important to securing payments in an omni-channel world.”

As a result, the standards body has released enhanced requirements for multi-factor authentication (MFA) in PCI DSS v3.2, building on guidance published earlier this year on how to properly implement MFA to prevent ID fraud.

Some 81% of hacking-related breaches use weak, default or stolen passwords, according to Verizon’s latest DBIR.

When it comes to e-commerce fraud specifically, the 3-D Secure (3DS) protocol adds an extra authentication step to help boost payment security.

The PCI SSC said it has enhanced security further via two new standards.

First, the PCI 3DS Core Security Standard defines controls to protect the environments of organizations that manage, provide or assess 3DS Access Control Server (ACS), Directory Server (DS), and 3DS Server components. 

Second, the PCI 3DS SDK Security Standard has been unveiled to help improve security for organizations developing 3DS SDKs for use in mobile-based 3DS transactions.

Consumer and retail fraud including online shopping accounted for 700,000 incidents in the UK for the year ending June 2017, according to ONS figures.

PCI SSC said it’s working on additional standards to promote software lifecycle awareness, basically aimed at reducing potential bugs in code that could be exploited by hackers or introduce integrity issues.

This will address the growing dependence on software to manage various aspects of payment transactions and the relationship between cardholders, merchants and their financial partners, said the council.

Finally, it is seeking to drive greater accountability for third parties by introducing additional security testing for providers in PCI DSS 3.2; prioritizing software developer education; and through the Qualified Integrator Reseller (QIR) program, which seeks to bolster security in the installation and maintenance of payment systems.

“From the development to the installation of payment products to the ongoing monitoring for malicious attacks, security remains a shared responsibility,” Leach told attendees at the show.

“Whether it is a software developer, cloud administrator or someone installing a POS for a merchant down the street, there should be a recognition of the accountability each service provider to protect payment data to the best of their ability and be able to demonstrate that level of effort to their business partners.”

Categories: Cyber Risk News

#BadRabbit Actors Planned Attacks Since 2016

Thu, 10/26/2017 - 09:13

The threat actors behind the Bad Rabbit ransomware campaign compromised some of the websites used to spread the malware as far back as a year ago, according to new research.

RiskIQ revealed in an update that it has been analyzing records of the “injection servers” used to insert malicious content into the compromised websites.

These show some of the sites compromised to display the fake Adobe Flash updates were hit as far back as early September 2016.

The vendor admitted this isn’t an exhaustive list, so there could be compromises dating even further back.

It said:

“The operators of this campaign have been able to use this position to target unique visitors based on IP space they associate with their targets. The thing we do not understand at this point is why they decided to burn this information position to mass distribute the BadRabbit ransomware rather than save it for another type of malware.”

In fact, the infrastructure could have been originally intended to distribute malware other than Bad Rabbit, RiskIQ claimed.

The evidence backs up other pieces of information that are gradually seeping out from the vendor community.

Although the identity and motivations of the group behind the ransomware are unknown, Bad Rabbit is said to share 67% of the same code as NotPetya, the infamous ransomware which caused widespread damage in Ukraine and beyond back in June.

It appears as if most of the servers used to serve up Bad Rabbit have been swiftly shut down, following widespread media reports of infections this week.

In fact, most of the infections took place in Russia in the two hours after it first appeared on October 24, according to Symantec.

It’s unclear whether the gang behind Bad Rabbit shut down this infrastructure or if a hosting company spotted what was going on.

As for attribution, the vast majority (86%) of victims were located in Russia, which would make it unlikely that a Kremlin-affiliated group is behind it, unless these were not the intended targets.

Categories: Cyber Risk News

Apple Lowers Face ID Accuracy to Bump Shipments Up—Report

Wed, 10/25/2017 - 19:04

Bloomberg is reporting that Apple has allowed suppliers to reduce the accuracy of its facial recognition mechanism in order to speed up iPhone X production and meet holiday demand.

It’s a story that Apple has denied in comments to Axios, calling the claim “completely false.” It added, “we expect Face ID to be the new gold standard for facial authentication.”

The iPhone X relies on a Face ID feature for unlocking tasks previously managed by Touch ID, which the newer device lacks. Expected to hit the market Nov. 3, the supplies of the high-end gadget—which will go for around $1,000—may be constrained thanks to supply chain issues, including a bug in the 3D sensor system used for Face ID.

“It quietly told suppliers they could reduce the accuracy of the face-recognition technology to make it easier to manufacture, according to people familiar with the situation,” Bloomberg reported.

The tenth-anniversary phone is expected to generate much of the company’s revenue going forward, thanks to its high price tag—and with the company reportedly seeing lackluster sales of the just-launched iPhone 8, the sources said that Apple can’t afford to not meet demand during the busy holiday season.

The sensor is a serious technical challenge; as Bloomberg reported, Microsoft’s Kinect controller is to date the largest production run for the technology, coming in at 24 million units over two years. Apple on the other hand is expecting to ship closer to 40 million units just by the end of the year.

There’s also the size: The Kinect deployment is larger and less delicate when it comes to hardware; Apple’s version is mere centimeters across and only millimeters deep.

“It’s an aggressive design, and it’s a very aggressive schedule,” a source said.

Bloomberg also said that one of Apple’s suppliers for the facial recognition camera, LG Innotek, confirmed in a conference call with analysts that mass production for the iPhone X is just beginning, and that supply may be limited in the holiday season. The 3D sensor shortage should end, however, in early 2018.

For its part, Apple’s only comment on the matter has been its terse statement to Axios.

Categories: Cyber Risk News

The Dark Web Goes Mobile—and More Untrackable

Wed, 10/25/2017 - 19:02

The recent crackdown on popular dark web markets AlphaBay and Hansa is driving cyber-criminals to migrate to messaging apps to carry out their nefarious business.

An IntSights Cyber Intelligence threat report, Messaging Applications: The New Dark Web, suggests that apps like Discord, ICQ, Skype, Telegram and WhatsApp offer a convenient mobile platform for criminals, given the availability of group chat. IntSights analyzed thousands of black markets, text storage/paste sites, hacking forums, IRC channels, apps and social media pages, and discovered a steady increase in threat actors inviting cyber-crime forum users to join their messaging groups.

The company estimates that up to hundreds of thousands of users of prominent mobile messaging apps are using them to trade stolen credit cards, account credentials, malware and drugs, as well as exchanging hacking methods and ideas.

In some cases, the dark web marketplaces themselves are leveraging mobile messaging and mobile apps. For instance, in July an advertisement for a new Russian black market, dubbed Matanga, started making the rounds via Jabber, an XMPP-based messaging application. Matanga, which sells a variety of drugs, stolen credit cards, SIM cards and other illegal merchandise, created a dedicated Android app that connects to TOR utilizing Orbot, thus giving mobile-first clients easy access to the services of the dark web from their devices.

“The anonymity promised by dark web networks such as TOR and i2p was the key reason for their popularity among cyber criminals,” said Guy Nizan, IntSights CEO and co-founder. “Now that the dark web is no longer safe for hackers and threat actors, they are moving to messaging platforms and brazenly conducting their illicit activities on the same apps that millions use every day.”

The import of the research is that today’s black market is accessible to anybody with a cell phone, which could lead to a proliferation of low-level cybercrime conducted by amateurs. In the past, cyber-criminal communication required an individual to have somewhat specialized equipment and knowledge.

“While the traditional dark web proves to be less-dark than believed, hackers move to the surface web, using platforms such as social-media and mobile apps,” the report noted. “While more traditional forms of communication required an individual to have at least a basic level of knowledge of which sites to visit and how, in addition to the use of a dedicated browser over a desktop computer, today’s black market is accessible more than ever, with the tap of a finger over a portable pocket-held device. This could prove to cause a proliferation of low-level cybercrime, that is conducted by less qualified perpetrators.”

The report also concluded that the monitoring of online criminal activity will become much more challenging as threat actors move from large and centralized black markets and forums to small, closed and distributed networks based on social media groups and/or messaging apps.

Categories: Cyber Risk News