Info Security

Subscribe to Info Security  feed
Updated: 49 min 26 sec ago

BMW Fixes 14 Vulnerabilities in Connected Cars

Fri, 05/25/2018 - 13:00
BMW Fixes 14 Vulnerabilities in Connected Cars

Chinese security researchers have discovered 14 vulnerabilities in connected vehicles which could be used to remotely control a number of BMW models.

The team from Tencent’s Keen Security Lab tested several car models over a year, focusing on the Head Unit, Telematics Control Unit and Central Gateway Module.

“Through mainly focusing on the various external attack surfaces of these units, we discovered that a remote targeted attack on multiple internet-connected BMW vehicles in a wide range of areas is feasible, via a set of remote attack surfaces (including GSM Communication, BMW Remote Service, BMW ConnectedDrive Service, UDS Remote Diagnosis, NGTP protocol, and Bluetooth protocol),” the report noted.

“Therefore, it’s susceptible for an attacker to gain remote control to the CAN buses of a vulnerable BMW car by utilizing a complex chain of several vulnerabilities existing in different vehicle components. In addition, even without the capability of internet-connected, we are also able to compromise the Head Unit in physical access ways (e.g. USB, Ethernet and OBD-II). Based on our testing, we confirm that all the vulnerabilities would affect various modern BMW models.”

Attacks that lead to remote control of the CAN bus could enable third parties to interfere with steering, brakes, accelerator and other key physical functions of the vehicle.

Affected models including the BMW i Series, X1 sDrive, 5 Series, and 7 Series. The researchers reported their findings to BMW in February and the manufacturer has been rolling out mitigations remotely and via optional software updates from dealerships since then.

Natan Bandler, CEO of Cy-oT, argued the research shows that connected car vulnerabilities often arise in overlooked areas such as the info-tainment system.

“It’s always the innocent items, the ones that are invisible and the ones that we tend to neglect that are the easiest way in for a hacker,” he argued.

"We need to think from the point of view of the attacker. They’re looking for the path of least resistance; areas that are uncovered, neglected and that no one cares about, and entertainment systems are exactly this.”

Categories: Cyber Risk News

Privacy International Launches GDPR Probe into Data Companies

Fri, 05/25/2018 - 12:31
Privacy International Launches GDPR Probe into Data Companies

Privacy International has launched a new investigation into a swathe of shadowy data companies to see if they comply with the new EU General Data Protection Regulation (GDPR), which came into force today.

The GDPR has been several years in the making, and introduces strict new obligations for organizations on how they process and protect customer and employee data as well as how they seek consent for using that data.

The rights group claimed that the business model of many data companies raises significant question marks over compliance with the new law, which is EU-wide but also applies to any organization which processes data on EU citizens.

Non-consumer facing data companies such as Acxiom, Criteo and Quantcast “amass and exploit” large quantities of consumer data without directly interacting with the data subject, according to Privacy International.

If they collect this data without the user’s knowledge, use it to profile users, or share it with another company for a different purpose to that stated at the time of collection, they could be in breach of the GDPR, the group claimed.

To launch the campaign, Privacy International has sent letters to a selection of the companies involved to find out more on how they handle personal data.

The non-profit claimed that companies and governments are increasingly exploiting not just data that consumers willingly provide but information they can “observe, derive, and infer” in order to manipulate people’s lives without accountability.

Privacy International legal officer, Ailidh Callander, welcomed the GDPR.

“It's been a long time coming, and the GDPR is an important step in the right direction, providing essential safeguards to our human rights to privacy and data protection, by imposing more stringent obligations on companies, strengthening rights of individuals, and increasing enforcement powers,” she added.

“GDPR is a key tool to empower individuals, civil society, and journalists to fight against data exploitation."

The group has also joined the Center for Digital Democracy and Public Citizen in writing to almost 100 US companies asking that they implement GDPR for users globally, as Microsoft and other tech giants have promised.

Categories: Cyber Risk News

#Oktane18: Interview: Yassir Abousselham, CSO, Okta

Fri, 05/25/2018 - 08:10
#Oktane18: Interview: Yassir Abousselham, CSO, Okta

One year into his role as CSO, Yassir Abousselham sits down in Las Vegas with Eleanor Dallaway to talk about life as a chief security officer at enterprise identity provider, Okta  

Tell me about your career path before you joined Okta

Prior to my appointment at Okta, I worked as CISO for the fintech company SoFi. Before that, I spent five years at Google working on corporate DLS security and in the security for payments vertical. Previously I worked in security at EY.

For a technology professional, working at Google is the Holy Grail. How did you manage to tear yourself away to pursue a new role?

Working at Google gave me great access and visibility into doing technology and security at scale. Google attracts a lot of sharp engineers, so I was exposed to a lot of good interaction and visibility. It was a fantastic experience. At some point however, for anyone in security, you want to take the next step and manage security from A to Z at one company. That wasn’t something I could do at Google and I felt ready to make that move.

So, how is your role as CSO for a technology vendor different to being a CSO at an end-user?

The scale of the challenge makes it more interesting. It takes a special mindset to do security for a security company.

In addition to successful authentication attempts, we also see attack attempts against our customers and our platforms. We don’t stop at analyzing traffic – we have to be able to harden the platform in a way that protects both Okta and Okta customers. Businesses are trusting us with their applications and their data and that is a great responsibility. We have to be ahead of the attacker to block those attacks.

At some point, you want to take the next step and manage security from A to Z at one company. That wasn’t something I could do at Google and I felt ready to make that move.

You mentioned a ‘special mindset’ that is required – what does that entail?

You need the evil bit – to be able to think like an attacker. This should be the whole security team and indeed the whole company. We have to instill the culture that we (and our customers) are targets. You have to stay on the cutting edge of those attacks and harden the platform.

You have to also understand the business and your customers’ expectations. You need to understand the investment that customers are making in you as a vendor and become the customer advocate. We have to protect Okta, but also our customers.

Your CEO, Todd McKinnon, talked about security whilst never sacrificing usability or customer experience. How do you manage to balance the two?

Historically people thought that increasing security meant changing or hindering the customer experience.

We are gradually changing that by providing a much better user experience. We are talking about lessening password authentication, using multiple technical components to consume the contextual signals to maintain a higher level of assurance that you are who you say you are. Moving forward, we can rely more on context and behavior. We want to establish normal and react to abnormal.

As an industry, are we doing better at improving the security bar?

There is a concerted effort to raise the bar. There’s absolutely no question about the importance of information security. But how it is done depends on the company, the industry, the compliance requirements. The will to raise the bar and make the change is always there, but the speed it takes to make changes is different – we’re getting faster, but sometimes it’s not fast enough.

Attackers can move faster – they don’t have to comply and are agile and persistent. As an industry, we need to continue trying to make these changes faster and streamline the processes standing in the way of raising the bar – compliance, governance and finding talent.

How hard is it to find great talent to hire in your security team?

We have to stay steps ahead of the attacker and that cutting-edge talent is very hard to find. Once you hire, you then have to be able to retain. To retain these highly-qualified engineers you have to give them highly complex cutting-edge problems. That’s the number one motivation for these types of individuals. They have to buy into your vision as a company and see a culture aligned with their beliefs and vision.

What do you consider your one main ambition within your role at Okta?

For now, automation is at the top of my agenda. Trying to automate as much as possible. I want to help customers get better at doing security. That’s what I want to keep doing - understanding how they use Okta products and how to make them more secure. I also want to continue to improve usability without impacting security.

Categories: Cyber Risk News

Testing of Uber's Self-Driving Car Crashes to a Halt

Thu, 05/24/2018 - 14:15
Testing of Uber's Self-Driving Car Crashes to a Halt

In the aftermath of a fatal crash that killed a pedestrian, the state of Arizona barred Uber Technologies, Inc. from road-testing its self-driving car program. Now, the company announced on 23 May that it will close down the self-driving vehicle program in Arizona, a move that will affect more than 300 jobs, according to the Wall Street Journal.

A spokeswoman for Uber said that the company will not be eliminating all of their autonomous vehicle programs and will resume operations this summer with a limited focus, testing fewer cars with smaller routes in Pittsburgh and two cities in California. Uber will first have to nail down a testing permit in California, Reuters reported.

Uber has been waiting for the National Transportation Safety Board (NTSB) to release the preliminary report from its investigation of the crash. Released today, the report stated, "The inward-facing video shows the vehicle operator glancing down toward the center of the vehicle several times before the crash. In a postcrash interview with NTSB investigators, the vehicle operator stated that she had been monitoring the self-driving system interface. The operator further stated that although her personal and business phones were in the vehicle, neither was in use until after the crash, when she called 911."

While NTBS continues to collect information and Uber prepares to return self-driving cars to the road, the company hopes to soar to new heights with its announcement that it will invest $23.4 million into developing an all-electric vertical takeoff and landing aircraft in France over the next five years, according to CNN.

"France is a perfect home for our next step forward with its strong history of research and development, world class engineers and a unique role in aviation worldwide," Uber said in a statement to CNN.

As Uber calculates its best strategy to move forward, Apple races full speed ahead, veering away from BMW and straight toward Volkswagen. After waiting for BMW to take its foot off the brakes for several years now, Apple has decided to partner with a new company to get the wheels turning on its self-driving car design.

"Apple has signed a deal with Volkswagen to turn some of the carmaker's new T6 Transporter vans into Apple's self-driving shuttles for employees – a project that is behind schedule and consuming nearly all of the Apple car team's attention, said three people familiar with the project," CNBC reported.

Categories: Cyber Risk News

Collaboration Shows Trust Among EU Agencies

Thu, 05/24/2018 - 13:55
Collaboration Shows Trust Among EU Agencies

Multiple cybersecurity organizations have signed a memorandum of understanding (MoU) aimed at enhancing cooperation on cybersecurity and defense, according to a press release from Europol.

The European Union Agency for Network and Information Security (ENISA), the European Defense Agency (EDA), Europol and the Computer Emergency Response Team for the EU Institutions, Agencies and Bodies (CERT-EU) have come together to establish a framework by which the organizations can collaborate with each other.

The signed MoU serves as a symbol of strength that exists among the different EU agencies and will focus on deepening their cooperative efforts in the areas of exchanging information, education and training; cyber-exercises; technical cooperation and strategic matters, as well as any additional areas deemed important.

Collaborative efforts among the groups will improve the ways in which the organizations use existing resources while hopefully reducing redundancy and leveraging their widespread expertise to enrich the services provided by the parties.

Driven in part by the 2014 Cyber Defence Policy Framework, which called for increased cooperation among civil-military parties, academic institutions and the private sector, the collaboration has been in the making since 2016. The newly developed cooperation of agencies also aligns with the Joint Communication on Cyber issued in 2017.

"ENISA welcomes the opportunity to work closely with our partner organisations. Cybersecurity is a shared responsibility, and it is only by cooperating closely with all relevant stakeholders that the EU has a chance to address cybersecurity challenges," Dr. Udo Helmbrecht, executive director of ENISA, told Europol.

Steven Wilson, head of Europol’s European cybercrime centre (EC3), said, "This MoU illustrates how a safe and open cyberspace can only be achieved through enhanced cooperation and commitment. Through their participation, all parties involved demonstrate that they are willing to join forces and recognise that together we can provide the necessary response to cyber related threats. From EC3, we welcome the opportunity to enter a new era of working together with our MoU partners and are delighted to share our expertise and experience."

Categories: Cyber Risk News

New Bill to Reduce Synthetic Identity Fraud

Thu, 05/24/2018 - 12:50
New Bill to Reduce Synthetic Identity Fraud

Congress has passed an anti-fraud measure as part of the Economic Growth, Regulatory Relief, and Consumer Protection Act, with one of the bill's sections establishing guidelines to help prevent synthetic identity fraud. Synthetic identity fraud is a tactic where criminals fashion identities made up, in part, from credit-inactive Social Security numbers (SSN).

Cybercriminals will then use those identities to secure loans and commit other online crimes. When cybercriminals use parts of an individual's identity – particularly those of children – years can pass before the victim realizes their identity has been compromised. Often, said Robert Capps, VP of business development, NuData Security, these individuals are denied a school loan or other form of credit due to false indicators of their fraudulent behavior.

Section 215 of the act details the steps that will be taken to enhance consumer protections using fraud protection data, defined as an individual's name, SSN and date of birth. Currently the system for checking SSNs takes multiple days and requires the individual's handwritten signature.

Through the use of a database maintained by the Social Security Administration (SSA), financial institutions and service providers will be able to validate identities much more quickly. Permitted entities that have been issued certifications from SSA will be able to access an electronic identification validation system in order to compare fraud protection data for accuracy in real time, with batches of submissions not to exceed 24 hours.

Proactively trying to prevent a consumer or child from becoming a victim of fraud is an important step for Congress.

“Synthetic identity theft is one of the reasons many e-commerce companies and financial institutions are turning to multilayered solutions that incorporate passive biometrics and behavioral analytics," Capps said. "With these technologies, even when the consumer’s static information (such as social security numbers, date of birth and other data) is stolen, the breached credentials cannot be used to log into someone else’s account or to make a fraudulent transaction – making the stolen data useless."

“Stolen data is often used in automated attacks to create new accounts or try to find a user’s password," he continued. "With passive biometrics and behavioral analytics these attempts are thwarted, rendering the stolen data from fraudsters valueless.  The hundreds of data points analyzed by these technologies help identify a legitimate user or a fraudster, protecting consumers, merchants and institutions.”

The act also provides regulatory relief for small community banks and credit unions and now awaits the president’s review.

Categories: Cyber Risk News

Phishers Target Facebook to Harvest User Data

Thu, 05/24/2018 - 10:30
Phishers Target Facebook to Harvest User Data

Facebook dominated attempts to phish unsuspecting netizens in the first quarter of the year, accounting for 60% of all social network phishing attacks during the period, according to Kaspersky Lab.

The Russian AV vendor claimed in its Spam and phishing in Q1 2018 report to have blocked 3.6 million attempts to visit fraudulent social media pages.

Following Facebook, Russian social platform VK (21%), and LinkedIn (13%) were most commonly spoofed — with victims tricked into handing over names, log-ins, and even credit card numbers.

The reasons are pretty straightforward: cyber-criminals follow the money, and with over two billion active monthly users, there’s more opportunity to generate revenue by spoofing one the world’s most popular social networks.

Overall, the main targets for phishers remain internet portals, banks, online stores and payment services, with financial phishing the most popular (44%) type, according to the report.

Crypto-currency ICOs also represent a potentially lucrative event for cyber-criminals to leverage.

Around £26,000 was stolen through a phishing site claiming to offer investment opportunities for a rumored Telegram ICO, while £62,000 was stolen from victims via a single phishing email linked to the launch of “The Bee Token” ICO, Kaspersky Lab claimed.

The vendor also warned users of an increase in fake GDPR privacy notices, which require users to fill in their details in order to ‘access’ their accounts.

“We urge users to pay close attention to the new regulation and carefully study any notifications related to it,” it added. “Links should be checked before clicking: they should not contain redirects to third-party sites or domains unrelated to the service on whose behalf the message was sent.”

Germany was the number one target of malicious emails (15%) followed by Russia (6%) and the UK (5%).

However, the country with the largest percentage of users affected by phishing attacks in Q1 2018 was Brazil (19%).

Categories: Cyber Risk News

UK: We'll Return Fire Against Deadly State Cyber-Attacks

Thu, 05/24/2018 - 09:28
UK: We'll Return Fire Against Deadly State Cyber-Attacks

The UK’s attorney general has clarified the government’s position on state-sponsored cyber-attacks, saying the country will fight back against any nation seeking to cause it harm and continue to attribute serious online threats.

Speaking at the Chatham House Royal Institute for International Affairs on Wednesday morning, Jeremy Wright became the first minister to set out the UK’s opinion on how international law applies to cyberspace.

“The UK considers it is clear that cyber-operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self- defence, as recognised in Article 51 of the UN Charter,” he argued.

“If a hostile state interferes with the operation of one of our nuclear reactors, resulting in widespread loss of life, the fact that the act is carried out by way of a cyber-operation does not prevent it from being viewed as an unlawful use of force or an armed attack against us. If it would be a breach of international law to bomb an air traffic control tower with the effect of downing civilian aircraft, then it will be a breach of international law to use a hostile cyber-operation to disable air traffic control systems which results in the same, ultimately lethal, effects.”

Wright also claimed the UK would continue to work to name and shame the countries which launch such attacks, claiming that if more states get involved in such work the assessment will be more certain.

“It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community,” he added.

It’s unclear why the government chose this time to state its position but it can’t be a coincidence that state-sponsored attacks have increased over the past year. In November 2017, NCSC boss Ciaran Martin pointed to Kremlin attacks on the UK’s critical infrastructure, and in April this year the GCHQ body issued a joint alert with the US authorities of further Russian attack campaigns.

That’s in addition to the WannaCry ransomware attack that caused major outages at the NHS — subsequently blamed on North Korea.

However, Priscilla Moriuchi, director of strategic threat development at Recorded Future, argued that public naming and shaming is a double-edged sword.

“On one hand [it] allows companies, individuals, and governments to tailor their responses to and assess the risk involved in intrusions, intellectual property theft, and customer data loss. Public attribution puts a cyber-intrusion into context and assists governments in defining norms of behavior in cyber-space,” she said.

“On the other hand, there is scant evidence that public attribution deters nations from conducting cyber-enabled espionage. Naming and shaming may dissuade nations from executing destructive or disruptive cyber-attacks because of the real-world, life-and-death consequences, however public attribution as a deterrent for cyber-espionage or intellectual property theft remains unproven."

Categories: Cyber Risk News

Cisco: Destructive VPNFilter Malware Has Infected 500K Devices

Thu, 05/24/2018 - 08:44
Cisco: Destructive VPNFilter Malware Has Infected 500K Devices

Security experts are warning of a major new destructive malware campaign targeting half a million home routers around the world with a particular focus on Ukraine.

Cisco Talos announced the discovery of the sophisticated, state-sponsored VPNFilter malware system on Wednesday, claiming there are code overlaps with the notorious BlackEnergy malware linked to Kremlin hackers.

“While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country,” the firm warned.

The malware itself has already infected at least 500,000 SOHO routers from Linksys, MikroTik, NETGEAR and TP-Link in 54 countries, as well as some QNAP network-attached storage (NAS) devices.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Cisco continued.

“We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

The modular nature of the malware means it could be used for a number of reasons: there are capabilities to “kill” infected devices, covering the attackers’ tracks, and to steal website credentials and monitor Modbus SCADA protocols.

The group behind has created “an expansive, hard-to-attribute infrastructure that can be used to serve multiple operational needs,” such as obfuscating the source of a larger scale attack, stealing data, or launching a major destructive attack, Cisco claimed.

To help them, the attackers also created a private TOR network to improve data sharing and co-ordination of infected devices.

It’s unclear whether the campaign is linked to the joint technical alert issued by the UK and US governments last month which blamed the Kremlin, however a DoJ notice on Wednesday attributed VPNFilter to the notorious Russian APT28 group which has been implicated in the hacking of Democratic Party officials ahead of the US election.

The DoJ said it was actively looking to disrupt the threat.

In the meantime, Cisco urged owners of infected devices and ISPs to reset to factory default and reboot them, as well as to update patches immediately.

Categories: Cyber Risk News

#Oktane18: Solving Identity is the Challenge of Our Time says Okta CEO

Wed, 05/23/2018 - 16:48
#Oktane18: Solving Identity is the Challenge of Our Time says Okta CEO

Okta CEO and co-founder, Todd McKinnon, declared identity the “challenge of our time” as he opened Oktane 18 conference in Las Vegas.

“Everyone knows what happened in the latest elections,” he began, “it made us rethink democracy and the impact that technology has on it.” That, he declared, is an identity problem.

“Confidence in technology is being eroded. People are doubting technology, which is a real shame. There is a risk of missing out on technology and using it for good,” McKinnon continued.

The Okta CEO and co-founder was optimistic about being able to solve identity, and thus “the challenge of our time. We have the platform, the connections, the ecosystem and the expertise to solve this,” he said.

The Okta vision is to enable anyone and any business to use any technology, said McKinnon, “and the best way of doing that is to connect everything.”

Okta’s key, core objective is enablement and that, McKinnon advised, is how they think about – and measure – customer success. “With so much technology, potential is amazing, but complexity gets in the way. You need a center of gravity and that center needs to be identity,” he argued.

“We believe that privacy and data security are individual rights, and that every organization in the world should have the best technology available to protect their identities,” McKinnon added.

Categories: Cyber Risk News

More Unsecure Wi-Fi and Phishing? Not So Flashy

Wed, 05/23/2018 - 15:12
More Unsecure Wi-Fi and Phishing? Not So Flashy

As more companies embrace the productivity of a mobile workforce, the fact that work is being conducted from potentially unsecured Wi-Fi networks puts enterprise security at risk. According to The 2018 Duo Trusted Access Report, it's not clear that security is keeping pace with the rapid evolution of how and where employees work.

For the third consecutive year, Duo Security has looked at the security state of employees, contractors, devices, and applications. The 2018 report reflects the analysis of nearly 11 million computers, laptops and smartphones from which a half-a-billion user access requests to corporate applications and data were received per month. 

In an enterprise-sized organization, mobility and growth have driven a 24% increase in the average number of unique networks that customers and enterprise organizations are authenticating from and a nearly 50% jump in users accessing from two or more distinct IP addresses.

While the numbers reflect that enterprise access is growing more fluidly, the growth also "means more work is being conducted from potentially unsecured Wi-Fi networks, which could include homes, airports, coffee shops, or other public spaces. These external, untrusted networks may introduce potential risks to corporate applications and data," Duo Security wrote in a press release

Related to the mobile workforce is the problem of mobile updates. The report found that more than 90% of Android devices and nearly 60% of iOS devices are out of date. Additionally problematic is the boom in successful phishing, which reportedly takes only 12–13 minutes on average. In 62% of phishing campaigns, at least one set of credentials is being captured. 

Flash continues to inch toward its demise, with a nearly 200% jump in browsers with Flash uninstalled. Where 80% of Chrome users were loading at least one page of Flash content per day in 2014, the report said that number is down to only 4% in 2018, according to Google.

Categories: Cyber Risk News

Security Shifts Focus From Defense to Response

Wed, 05/23/2018 - 14:25
Security Shifts Focus From Defense to Response

Despite more organizations feeling that they are getting worse at preventing data breaches, the number of businesses that feel better prepared to respond to incidents is on the rise, according to the latest survey from the not-for-profit industry body the Institute of Information Security Professionals (IISP). 

In its third year, the IISP survey asked organizations two correlating questions about data breaches. Questions look to understand how protected from a breach companies feel, as well as how prepared they are to respond to and recover from a security incident.

The number of organizations that feel they are getting worse at preventing a security breach doubled this year, up to 18% from only 9%. According to the survey report, "The only figure that showed growth of any significance was in the percentage of people that thought we had got worse as an industry at defending systems."

In a press release, Piers Wilson, director at the IISP, said, "These results reflect the difficulty in defending against increasingly sophisticated attacks and the realization that breaches are inevitable."

The survey results indicate that both budget constraints and the skills shortage contribute to the challenges of breach prevention. As the threat landscape continues to evolve, budgets are not growing at scale. The 2017–2018 survey results showed "a drop in the number of businesses where budgets are rising from 70% to 64%, and an increase in businesses where budgets are falling from 7% up to 12% (the same level as 2015)."  

Additionally, the lack of highly skilled candidates continues to be a concern, with 18% of respondents identifying a deficit in resources, 18% reporting a shortage of skills and 14% reporting insufficient experience as key factors in the skills and people shortage. 

Part of the problem with the skills shortage is the impact and disruption caused by emerging technologies. Of the emerging technologies that respondents said were "very disruptive," the top two were the internet of things (66%) and artificial intelligence and machine learning technologies (49%). 

“We have seen AI and machine learning used in defensive security systems for some time, and this is now starting to become part of a wider automation approach,” said Wilson. “But like the IoT, AI can also be exploited by cybercriminals, so we need to have the people and technologies to respond and mitigate these emerging risks."

Categories: Cyber Risk News

GPON Home Routers Are Over TheMoon Botnet

Wed, 05/23/2018 - 13:39
GPON Home Routers Are Over TheMoon Botnet

Dasan's gigabit-capable passive optical network (GPON) home routers are again the target of zero-day exploits using a new botnet called TheMoon, according to researchers at Qihoo 360 Netlab.

While activity of TheMoon botnet emerged in 2014, it's only been seen adding internet of things (IoT) device exploits into its code since 2017, Qihoo 360 Netlab researchers wrote in a 21 May post. TheMoon is the latest to "join the party" of botnets attacking GPON home routers. 

Earlier this year, Qihoo 360 Netlab researchers analyzed TheMoon, identifying it as a code for a family of malicious code. Since April 2017, researchers have been monitoring TheMoon family and its evolution.

In the most recent attacks, the researchers noted that the attacking payload looks different on TheMoon, which is why they have classified it as a zero-day. "We tested this payload on two different versions of GPON home routers, all work. All these make TheMoon totally different," the researchers wrote.

In an effort to prevent future attacks, the researchers chose not to disclose the details of the payload attack; however, they did identify features of this new dark side of TheMoon, which include the scanner IP ( Brazil/BR São Paulo "AS28573 CLARO S.A."), the scanning ports (80, 8080, 81, 82, 8888, with the GPON scan only on port 80) and the download server  (

This latest report confirms what has frequently been observed about the cycle of zero-day and botnet attacks on connected devices in the IoT world: they are vulnerable targets. "They are no match for ingenious hackers with automated discovery tools and a well-stocked experimental laboratory of potential victims, namely the internet," said Ashley Stephenson, CEO, Corero Network Security

"The larger the population of any particular device or software stack, the greater the motivation and reward for hacking it," he said. "In this case, a reported population of one million Internet accessible GPON devices makes for a huge potential payback if you can develop an exploit to pwn them into bots. We should expect additional exploit vectors to be discovered in the future.”

Categories: Cyber Risk News

Mobile Fraud Soars as Social Sites Help Scammers

Wed, 05/23/2018 - 13:01
Mobile Fraud Soars as Social Sites Help Scammers

Phishing continues to dominate the fraud landscape, accounting for nearly half of all attacks, but mobile fraud has jumped 650% over the past three years, according to RSA Security.

The security vendor’s Q1 2018 Fraud Report found phishing to account for 48% of all attacks during the quarter, followed by Trojans (24%) and brand abuse 21%).

The report uncovered a decline in use of traditional web browsers to conduct fraud, 62% in 2015 to 35% today, whilst the mobile app’s share of fraudulent transactions has risen from 5% to 39% over the same period.

However, as an attack type, mobile attacks comprised just 6% of the whole, linked to over 8,000 rogue apps in Q1. Some 82% of fraudulent e-commerce transactions spotted by RSA originated from a new device in Q1 2018, indicating the lengths scammers are going to in order to avoid detection.

RSA also confirmed the increasing role of legitimate social networks in unwittingly helping fraudsters to sell their wares.

“Social media provides the perfect control station for cyber-criminals, who can easily create profiles using fake details to operate on the platforms before collaborating with other fraudsters in closed groups, or peddling stolen wares in online marketplaces,” explained RSA Fraud & Risk Intelligence Unit director, Daniel Cohen.

“Social media’s scalability, anonymity and reach is providing cyber-criminals with the perfect disguise; they can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming.”

The firm noted that Reddit has worked to ban a number of sub-reddits dedicated to fraud, where hackers were apparently exchanging contacts and advertising services and sharing info on which dark web fraud forums to use.

However, the problem appears to be rife on Facebook. Journalist Brian Krebs reported last month to have found over 100 private discussion groups dedicated to fraud and cybercrime, after just a couple of hours of searching

Categories: Cyber Risk News

#Oktane18: The Best Password is No Password says Okta CEO

Wed, 05/23/2018 - 13:01
#Oktane18: The Best Password is No Password says Okta CEO

At Oktane 18 in Las Vegas, Okta announced that organizations will be able to eliminate the login password as a primary factor of authentication by combining signals such as device, location, and network context, with threat intel from Okta’s new ThreatInsight functionality.

“The best password is no password at all”, said Todd McKinnon, CEO and co-founder, Okta.Today’s threat actors are targeting the weakest point of your company’s security – your people – and too many are successfully compromising employee accounts due to poor or stolen passwords.”

Okta’s incident response team sees and takes action against threats and suspicious activity across its ecosystem and making those insights available to customers through Okta ThreatInsight.

Elias Oxendine IV, Global Director of IT Security at the Brown-Forman Corporation, is using Okta ThreatInsight to get insight into authentication attempts. “Brown-Forman is one of the largest American-owned distilled beverage companies, responsibly building alcohol brands such as Jack Daniel’s, Woodford Reserve and Korbel. We’re committed to providing a safe, inclusive workplace and secure customer experience, and ensuring the right people have access to sensitive company resources is at the heart of making that happen.”

The National Bank of Canada is using the capability to give its customers a secure online experience according to Alain Goffi, vice president, IT Infrastructures at the National Bank of Canada. "National Bank of Canada services millions of clients in hundreds of branches across Canada. As an organization, we have clear objectives, one of which is to simplify the customer experience.”

Categories: Cyber Risk News

FBI Admits Overestimating Number of Encrypted Phones it Cannot Access

Wed, 05/23/2018 - 09:26
FBI Admits Overestimating Number of Encrypted Phones it Cannot Access

The FBI has admitted that “programming errors” led to it significantly over-estimating the number of locked devices which it can’t access for investigations because of strong encryption.

Director Christopher Wray claimed in January that the Bureau was unable to access the content of 7775 devices, using the example to argue as his predecessor had done for new laws or changes in policy at Apple and other tech firms enabling the FBI to access such phones with a court order.

He described the situation as an “urgent public safety issue” and has referred to the figure several times since when discussing in public the challenge facing law enforcers of “going dark.”

However, in a statement seen by the Washington Post, the FBI now claims that it made its calculations from three different databases, leading to some duplicates being counted.

“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,’’ it admitted.

A new audit could take weeks to complete but it is thought the real figure could be closer to 1000 devices.

The FBI has been locked in a stand-off with Apple and the tech community for years over access to encrypted devices. Whilst the Feds claim backdoor-ing phones isn’t required, its demands would amount to exactly that, say tech experts.

In February, a group of world-renowned cryptography experts signed an open letter backing a senator’s demands that the FBI explain the technical basis for its repeated claims encryption backdoors can be engineered without impacting user security.

These experts included Bruce Schneier, Paul Kocher, Steven Bellovin, and Martin Hellman — the latter winning the 2015 Turing Award for inventing public key cryptography.

The EFF claimed it was “not surprised” by the revelations.

“The scope of this problem is called into doubt by services offered by third-party vendors like Cellebrite and Grayshift, which can reportedly bypass encryption on even the newest phones,” it claimed.

“The Bureau’s credibility on this issue was also undercut by a recent DOJ Office of the Inspector General report, which found that internal failures of communication caused the government to make false statements about its need for Apple to assist in unlocking a seized iPhone as part of the San Bernardino case.”

Categories: Cyber Risk News

ICO Fines Soar to Over £4m in 2017 Ahead of GDPR

Wed, 05/23/2018 - 08:48
ICO Fines Soar to Over £4m in 2017 Ahead of GDPR

The Information Commissioner’s Office handed out monetary penalties of over £4m during 2017, nearly £1m more than the previous year as the GDPR approaches, according to PwC.

The global consulting giant analyzed the ICO’s enforcement actions over the past year, looking at monetary penalties, enforcement notices, prosecutions and undertakings.

In total, 54 fines were handed out in 2017 with 14 of these (26%) more than £100,000. However, although the ICO has the power to fine up to £500,000, it has never issued the maximum penalty.

The largest number of incidents for which penalties were issued were marketing offences, although security breaches and misuse of data for profiling purposes also loomed large.

When the GDPR comes into force on Friday, it will have new powers to fine up to £17m, or 4% of global annual turnover. However, PwC lead partner for GDPR and data protection, Stewart Room, claimed the ICO has made it clear maximum fines won’t be the norm.

“It’s really about putting consumer rights at the heart of today’s data-centered world. There’s an option for organizations here: simply see GDPR as a compliance exercise or embrace it and use it as an opportunity to get ahead of your competitors and win consumer trust,” he argued.

“Signs of progress are very encouraging. At board tables all over the world we are hearing a refreshing new regard for personal data and in that sense, the GDPR has already been a great success.”

Room claimed that PwC’s own global GDPR Readiness Assessments over the past two years show that highly regulated sectors such as healthcare and financial services tend to have a slight advantage in terms of preparedness as they are more used to dealing with regulatory change.

As recently as January, a UK government report claimed that just 38% of businesses had even heard of the regulation.

Categories: Cyber Risk News

New Variants Found in Spectre and Meltdown

Tue, 05/22/2018 - 13:28
New Variants Found in Spectre and Meltdown

Two new variants of the Meltdown and Spectre vulnerabilities that can allow an attacker to gain access to sensitive information have been disclosed, according to a 21 May US-CERT alert.

Google and Microsoft announced that the new variants, 3a and 4, known respectively as Meltdown and Spectre, affect the central processing unit (CPU) hardware implementations, making them vulnerable to side-channel attacks.

Security researcher for Google Project Zero, Jann Horn, reported the issue after finding a new way to attack microprocessors while testing speculative execution behavior on Intel and AMD processors.

US-CERT wrote, “Meltdown is a bug that 'melts' the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.”

Rob Tate, distinguished security researcher at WhiteHat Security, said, "Once they can get code to run locally on a victim’s computer, highly skilled hackers have many tools at their disposal to expand their control and take over the machine. What made Meltdown/Spectre special was its universal nature in both working on many machines and being useful in many different scenarios on a given machine."

The vulnerabilities were assigned Common Vulnerability Exposure numbers. Variant 3a, a rogue system register read, was assigned CVE-2018-3640 while Variant 4, known as Speculative Store Bypass (SBB), was assigned CVE-2018-3639. Tate said Variant 4 is being discussed in a fairly narrow scope of accessing specific unpatched browsers' private data.

"If an attacker has access to run code on a machine, there are already a number of simpler (and more universal) techniques to try before resorting to this, and it’s far from the wide-reaching implications of the original Spectre. So, while patches should be applied when possible, Intel is right to call this a Medium," said Tate. 

The more commonly useful a vulnerability, the more it helps attackers simplify their process; thus, the easier it becomes for non-skilled hackers to compromise more computers.

In an industry where people are trained to expect speed, it's not uncommon to see the vast majority of people choose speed over security, said Renaud Deraison, co-founder and CTO of Tenable. “The speed of the chips inside our personal computers, our tablets and our phones is critical to their performance – everybody knows that."

“In this case," continued Deraison, "the vulnerabilities take advantage of the very features that make them fast. Intel optimized for performance and later learned they were facing a trade-off between security and performance."

In their security advisory, Microsoft wrote, “At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”

Categories: Cyber Risk News

Georgia Votes in Primary amid Cybersecurity Suit

Tue, 05/22/2018 - 11:49
Georgia Votes in Primary amid Cybersecurity Suit

Despite the continued development of a federal lawsuit regarding the cybersecurity of Georgia's voting machines against Georgia's Secretary of State Brian Kemp and others, today's highly competitive primary race for governor puts a focus on paperless voting machines, according to the Augusta Chronicle

Georgia is one of just five states with an all-electronic voting machine system that has no independent paper backup, leaving it especially vulnerable to election interference through hacking. Across the nation, about 20% of registered voters use paperless machines. While election officials are on board with upgrading these systems, they do say that the machines are accurate, according to the Augusta Chronicle.

"In many jurisdictions, the multimillion-dollar cost is a hurdle," the Augusta Chronicle said, but since the confirmation that Russians did indeed meddle in the 2016 election, many states are taking steps to replace the machines that do not produce paper records.

"In Georgia, the cost to switch to paper-based machines in the state’s 159 counties ranges from $25 million to more than $100 million, depending on the technology adopted," the Augusta Chronicle reported. 

But issues with voting accuracy are not exclusive to statewide elections. On 15 May, the Atlanta Journal Constitution reported, "A Fulton County judge ordered local elections officials to make available documents linked to a state investigation into potential irregularities of the December runoff that yielded a narrow victory for Mayor Keisha Lance Bottoms."

WXIA 11Alive, reported that "under Kemp’s watch there was a massive breach in 2015, potentially exposing the personal data of more than six million Georgians, traceable to one employee," but Kemp said extensive security measures and cyber-defense upgrades make the state’s current system reliable.

Security concerns, combined with all of the reported irregularities, have culminated in the law firm Morrison & Foerster representing, pro bono, a group of Georgia voters in the lawsuit, Curling v. Kemp, with the aim of making Georgia’s voting machines more resistant to cyber-attacks.

Morrison & Foerster partners David Cross and John Carlin are leading the team of attorneys working on the Curling v. Kemp case, and have secured an agreement over the preservation issues of the direct-recording electronic (DRE) voting machines.

“The goal of the suit," said Cross, "is to get the state to switch to a system (before the November election) that includes voter-marked paper ballots so votes can be audited and verified. In the time remaining before the midterms, that could mean having everyone cast a paper absentee ballot as one means of achieving this goal in the short term."

There are also varying options for long term solutions based on examples from other states. "The primary vulnerability is the ability to alter votes cast via DREs without a paper record to audit or otherwise verify the electronic voting records. Other vulnerabilities include the manner in which [Georgia] has stored voter registration information and the ability to access and even alter that information in ways that could affect the election. For example, a hacker could change assigned polling locations for certain voters to create confusion when they go to vote and effectively prevent them from voting,” Cross said.

Categories: Cyber Risk News

3.2 Million Files Revealed on AWS S3 Bucket

Tue, 05/22/2018 - 11:27
3.2 Million Files Revealed on AWS S3 Bucket

A Los Angeles County nonprofit that provides health and human services accidentally exposed about 3.2 million files on an unsecured AWS S3 bucket, according to the UpGuard cyber risk team.

211 LA County, a nonprofit organization serving LA County, was reportedly left publicly exposed online. The content revealed in the downloadable files was widespread. In addition to access credentials for the 211 system operators and email addresses for contacts, "included in the more than 3 million rows of call logs are 200,000 rows of detailed notes," UpGuard wrote in a 17 May post. 

The call notes included personally identifiable information for people reporting the problem. Among those were “persons in need, and, where applicable, their reported abusers, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns,” according to UpGuard.

The information, stored in an Amazon AWS S3 bucket located at the subdomain “lacounty,” was inadvertently misconfigured to be publicly and anonymously accessible, according to UpGuard. “Though some of the files in the bucket were not publicly downloadable, those that were included Postgres database backups and CSV exports of that data, with hundreds of thousands of rows of sensitive personal information,” the UpGuard post stated.

While the leak itself is not remarkable in size, the exposed information is highly sensitive, and is possibly the ultimate example of how important it is to know if the service you're using is risk-appropriate for the information being stored, said Sam Bisbee, CSO, Threat Stack.

“When you see an organization expose such sensitive data, it should serve as a reminder that companies must maintain an understanding of whether the service they use is risk-appropriate for the type of data they store there,” Bisbee said.

While UpGuard made efforts to contact 211 LA County after their 14 March analysis that revealed the sensitive information was accessible, they were not able to connect with a member of the 211 LA County information security team until 24 April.

UpGuard confirmed that after only 24 hours, the bucket was no longer publicly accessible. “Amazon S3 access rules can be set for both the bucket as a whole and for the files within it. In the case of the “lacounty” bucket, permission settings allowed anyone to list the contents; some of the files inside, however, had additional rules preventing public users from downloading them,” the UpGuard post said.

Threat Stack research indicates that nearly three-quarters of companies have critical AWS cloud security misconfigurations. “So, every reported cloud data leak is a lesson to companies that they need to proactively find ways to create transparency within their cloud infrastructure so that they can effectively manage the security of their data and systems,” Bisbee said.

Categories: Cyber Risk News