Info Security

Subscribe to Info Security  feed
Updated: 2 hours 44 min ago

City of London Police Begins Cryptocurrency Training

Tue, 07/24/2018 - 10:01
City of London Police Begins Cryptocurrency Training

The City of London Police force has established a new training program to school officers in all things cryptocurrency.

The force confirmed to reporters that its Economic Crime Academy is running the new “first of its kind” course to help train officers in how to manage digital currencies in investigations.

The hope is that the program will be taken nationwide to improve the cyber-skills of officers across the UK.

“It is designed to provide delegates with the skills and knowledge required to recognize and manage cryptocurrencies in an investigation,” a City of London police spokesperson told City AM. “On successful completion of this course, participants will understand how to detect, seize, and investigate the use of cryptocurrencies in an investigative context. It will be the first of its kind, and has been developed in response to feedback from police officers nationally who felt there wasn’t enough training in the area.”

One pilot has apparently already been completed, with a second due to run next month.

McAfee chief scientist, Raj Samani, argued that cyber gangs are increasingly targeting cryptocurrencies to reap what they see as easy profits.

“The McAfee Labs count of total coin-miner malware rose by 629% in Q1 of this year – to more than 2.9 million samples. What we’re seeing is that bad actors are demonstrating a remarkable level of technical agility and innovation,” he added.

“While the City of London Police’s initiative is a good step towards the enforcement of accountability, we must always strive to do our due diligence when it comes to security and actively seek to mitigate risks in order to make life more difficult for cyber-criminals.”

An Ernst & Young report from January claimed that 10% of all Initial Coin Offering funds are lost to hackers, with $400m stolen in the past.

It’s not just cryptocurrency theft that police need to get smarter about preventing though. Digital coins are also increasingly being used to launder funds and anonymize attacks such as those involving ransomware.

Europol boss Rob Wainwright claimed earlier this year that cyber-criminals are laundering £3bn to 4bn in Europe alone.

Categories: Cyber Risk News

Endpoint Concerns Blight IIoT Security

Tue, 07/24/2018 - 09:30
Endpoint Concerns Blight IIoT Security

Securing the endpoint is the biggest concern for respondents to a new SANS Institute paper on the Industrial Internet of Things (IIoT), with patching a persistent challenge.

The 2018 SANS Industrial IoT Security Survey includes responses from over 200 security, IT and OT professionals in organizations ranging in size from less than 1000 to over 50,000 employees.

A majority (56%) cited patching problems as one of their biggest security challenges, with only 40% claiming to apply and maintain security updates to protect IIoT systems.

In fact, there appeared to be confusion over what constituted an endpoint in the IIoT sphere, leading the report authors to call for a “cultural change” in how industrial organizations approach security risk.

“The discrepancy in defining IIoT endpoints is the basis for some of the confusion surrounding responsibility for IIoT security. Many practitioners likely are not adequately identifying and managing the numerous assets that in some way connect to networks — and present a danger to their organizations,” argued co-author Doug Wylie.

“For this reason, it is important for company IT and OT groups to agree to a common definition to help ensure they adequately identify security risks as they evolve their systems to adapt to new architectural models.”

The findings are concerning given the growth of IIoT, presenting hackers with an ever-expanding attack surface.

SANS found that most organizations globally are forecasting a 10%-25% growth in the volume of connected devices, which will lead to a doubling in size of systems connected to these devices every three to seven years, the report claimed.

Worryingly, a third (32%) of respondents said that IIoT devices connect directly to the internet, and are therefore not protected by current security controls. Nearly 40% revealed that identifying, tracking and managing devices was a significant security challenge.

Categories: Cyber Risk News

Surrey Police Seize £1m+ in Digital Currency for Government Coffers

Tue, 07/24/2018 - 08:49
Surrey Police Seize £1m+ in Digital Currency for Government Coffers

Surrey Police has become the first force in the UK to convert Bitcoin to cash after seizing over £1.2m worth of the cryptocurrency from the member of an organized crime gang.

Latvian national Sergejs Teresko was apparently kidnapped from his home in Virginia Water in April last year, with neighbors and his girlfriend raising the alarm. However, when police arrived at the rented house they found it had been turned into a cannabis growing operation.

Also in the property were £263,000 in cash, various designer watches including a £12,000 Rolex, and a Keepkey digital wallet device.

This was found to contain 295 Bitcoin, worth nearly £1.8m in today’s prices but around £1.2m back then. Surrey Police then sold the currency on a Bitcoin exchange

“The CPS secured an order permitting the restrained Bitcoin to be converted into pounds, before a confiscation order was made — the first time the Proceeds of Crime Act has been used in this way,” said Nick Price, head of the proceeds of crime team at the Crown Prosecution Service (CPS).

“Our dedicated proceeds of crime team restrained the criminal proceeds at an early stage for the purposes of this confiscation order to ensure that Teresko’s crimes do not pay.”

Teresko was found to have made over £2m from his crimes and ordered to pay back over £1.4m of it within three months or be forced to spend another decade in prison. He was convicted of money laundering and drug offences at Kingston Crown Court recently and sentenced to nine years and three months.

“Cryptocurrency is used legitimately by a lot of people but it’s also used by criminals. We know that in dark marketplaces bitcoin is the chosen medium of exchange,” said detective inspector Matt Durkin.

“We were not going to accept that bitcoin was out of the reach of law enforcement, it’s not and nor are other types of cryptocurrency.”

Categories: Cyber Risk News

US Adults Don't Know Cybersecurity Career Options

Mon, 07/23/2018 - 17:23
US Adults Don't Know Cybersecurity Career Options

When it comes to cybersecurity careers, adults in the US reportedly don’t know the various job opportunities available in the field, despite the growing demand for professionals to fill the enormous skills gap.

According to a new survey from the University of Phoenix, US adults are not familiar with certain cybersecurity jobs, and the majority have never considered a career in the field. Most are unfamiliar with what cybersecurity professionals do and the education it takes to work in the field.

Conducted online between 26 April and 10 May 2018 by the Harris Poll, the survey included 2,000 US adults over the age of 18. Of the total participants in the survey, 859 said that they have been hacked in the past three years. The survey examined US adults’ perceptions of different aspects of cybersecurity, including career familiarity, gender disparity and workplace readiness.

Only about one in 10 respondents was very familiar with the 11 different cybersecurity job titles presented in the survey, and at least 20% had never heard of them. More than half ( 52%) had never heard of a penetration tester, while just under half (46%) had no knowledge of the “white hat” ethical hacker job title. Only 13% of respondents had heard of a security software developer, and as little as 8% of participants were familiar with the roles of security engineer and computer security incident responder.

“More than a quarter of survey respondents said that they possess some of the IT skills taught in the university’s cybersecurity-focused programs, such as programming (33%), data analytics (26%) and coding and web development (both 31%),” said Dennis Bonilla, executive dean for the college of information systems and technology, school of business and college of criminal justice at University of Phoenix.

While the report found that 44% of women had experienced a personal security breach in the past three years, it also found that 89% of female respondents said that they had never considered a career in cybersecurity. Of the women who participated in the survey, 54% said they would need improved education to consider a career in cybersecurity.

Categories: Cyber Risk News

Surge in Software Supply Chain Attacks

Mon, 07/23/2018 - 16:12
Surge in Software Supply Chain Attacks

The results of a newly released global supply chain survey showed that companies lack both visibility and awareness when it comes to identifying and combating software supply chain attacks.

CrowdStrike, in conjunction with research firm Vanson Bourne, surveyed 1,300 senior IT decision makers and professionals across industry sectors from organizations around the globe. They found that nearly 80% of respondents believe software supply chain attacks have the potential to become one of the biggest cyber-threats over the next three years.

Despite that belief, few organizations have the ability to mitigate the risks from downline vendors. According to the report, 71% of respondents believe their organization does not always hold external suppliers to the same security standards even though 66% of the organizations surveyed said they had experienced a software supply chain attack in the past 12 months.

“Once a supplier is compromised, the attackers can modify trusted products to perform malicious actions or provide a backdoor to the target environment. Unaware of these malicious changes to their applications, suppliers unwittingly deliver them to their trusting clients as legitimate software updates,” CrowdStrike’s Dan Larson wrote in today’s blog post.

Survey results also found that of those organizations that suffered a supply chain attack, 90% had suffered a financial loss as a result of the attack, the average cost of which was over $1.1m. The vast majority (87%) were prepared with some level of a response plan, yet only 37% of respondents in the US, UK and Singapore had done their due diligence and vetted their suppliers.

On average, it took companies nearly 63 hours to detect and remediate software supply chain attacks.

“Fast-moving, advanced threats like supply chain attacks require organizations to adopt new best practices in proactive security and incident response,” Shawn Henry, president of CrowdStrike Services and chief security officer said in a press release. “The new attack methods we see today call for coordinated, efficient and agile defenses.”

Categories: Cyber Risk News

Attackers Go After GPON Routers, Again

Mon, 07/23/2018 - 16:05
Attackers Go After GPON Routers, Again

Using automated analysis via a Python script, researchers at eSentire observed an increase in exploitation attempts on gigabit passive optical network (GPON) routers. Though the router attacks had declined since the surge reported back in June, the researchers identified a new, coordinated weaponization campaign targeting D-Link routers on 20 July.

The company reported a botnet recruitment campaign being launched and saw a surge of exploit attempts from over 3,000 different source IPs, introducing a variation of the OS command injection attack against the 2750B D-Link router.

“A sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet. Variants of Mirai code have been spotted in the Satori botnet,” researchers wrote.

While none of these exploits appeared to be successful in corporate environments, likely because they lack consumer-grade routers, “it is unknown whether this attack had any success on home networks where these devices are more likely to be deployed. A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” researchers wrote in a blog post.  

The mass number of attacks is indicative of a potential botnet and researchers suggested that the botnets built using the compromised routers could be offered as a service, adding “It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.”

In addition, the company also released an advisory on the topic and noted that only Dasan routers using ZIND-GPON-25xx firmware and some H650 series GPON are vulnerable, and that there are no official patches at this time. Researchers are continuing to monitor the associated signatures.

Categories: Cyber Risk News

Foreign Secretaries Illegally Handed GCHQ Data Request Powers

Mon, 07/23/2018 - 10:12
Foreign Secretaries Illegally Handed GCHQ Data Request Powers

A new Investigatory Powers Tribunal (IPT) ruling has exposed the inadequacy of current oversight mechanisms meant to keep the surveillance state in check, and the willingness of telecoms firms to hand over customers’ data to GCHQ, according to a leading rights group.

Privacy International (PI) claimed victory today after a tenacious legal investigation which had forced GCHQ to make “substantial corrections” to evidence it originally gave to the court mid-case.

Its job was made harder by the fact that the IPT relies heavily on closed hearings where claimants like PI can’t see or challenge evidence presented by the government, and only progressed after the “extraordinary” decision was taken to allow the group to cross-examine a GCHQ witness.

The IPT’s decision held that successive foreign secretaries unlawfully delegated to GCHQ decisions about what data to acquire from telecommunication companies — effectively rendering 10 years’ worth of secretly collected data illegal.

"In theory the agency [GCHQ] could have used the general form of such directions to impose on the CSP a requirement to produce communications data which extended beyond the scope of any data requirement which had been sanctioned by the Foreign Secretary,” the IPT apparently ruled.

The judgement also casts an unforgiving light on the telcos themselves, which appeared to have handed over highly sensitive data on their customers without question in response to verbal requests.

“The foreign secretary was supposed to protect access to our data by personally authorizing what is necessary and proportionate for telecommunications companies to provide to the agencies. The way that these directions were drafted risked nullifying that safeguard, by delegating that power to GCHQ — a violation that went undetected by the system of commissioners for years and was seemingly consented to by all of the telecommunications companies affected,” argued PI solicitor, Mille Graham Wood. 

“It is proof positive of the inadequacy of the historic oversight system; the complicity of telecommunications companies who instead of checking if requests were lawful, just handed over customers' personal data as long as their cooperation was kept secret; and the scale of the task facing the new investigatory powers commissioner, Sir Adrian Fulford.”

Categories: Cyber Risk News

Supplier Error Leaks Decade of Data from Carmakers

Mon, 07/23/2018 - 09:01
Supplier Error Leaks Decade of Data from Carmakers

A security error by a third-party supplier has left over 100 manufacturing firms including several big-name carmakers red-faced after sensitive documents were exposed.

Over 150GB of data was left on a publicly accessible server by Level One Robotics, a supplier to Tier 1 automotive firms including VW, Chrysler, Ford, Toyota, GM and Tesla, and German manufacturing giant ThyssenKrupp.

The infrastructure found to be responsible was an exposed rsync server unrestricted by IP or user, with the data located therein downloadable to any rsync client that connected to the rsync port, according to Upguard.

“The 157GBs of exposed data include over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements, detailing the sensitivity of the exposed information,” the security vendor explained.

“Not all types of information were discovered for all customers, but each customer contained some data of these kinds. Also included are personal details of some Level One employees, including scans of driver’s licenses and passports, and Level One business data, including invoices, contracts, and bank account details.”

Even worse, the rsync server was publicly writable at the time the privacy snafu was discovered, meaning a malicious outsider could have altered the documents stored there or even uploaded malware.

Level One was praised for reacting quickly to the incident once notified by Upguard. However, organizations were urged to do more to secure their supply chains.

“Organizations and their vendors must have standardized deployment processes that create and maintain assets securely, reducing the likelihood of a data incident,” said Upguard.

“If this security is not built into the processes themselves, there will always be misconfigurations that slip through and lead to data exposure. They must also have an exposure response plan, so that when they are affected, they can act quickly to remediate, as Level One did in this case.”

Categories: Cyber Risk News

SingHealth Scammers Try to Cash in on Major Breach

Mon, 07/23/2018 - 08:41
SingHealth Scammers Try to Cash in on Major Breach

Singaporean healthcare giant (HCO) SingHealth is warning patients not to fall for follow-on vishing and smishing attempts after the country suffered its most serious breach to date last week.

The Ministry of Health explained in a statement on Friday that 1.5 million patients who visited outpatient clinics and polyclinics between May 2015 and July 2018 had non-medical data stolen. This included names, NRIC numbers, addresses, gender, race and dates of birth. Even the Prime Minister Lee Hsien Loong is said to have been affected.

Information on dispensed medicines for around 160,000 of these patients was also exfiltrated.

“CSA [Cyber Security Agency of Singapore] has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database,” the government explained.

“Forensic investigations have confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.”

SingHealth is in the process of contacting those affected by text, but has been forced to warn patients of attempts to hijack the process by scammers.

A Facebook update provided information on what an official SMS from the HCO looks like, to help individuals avoid being duped by phishing texts. A separate “phone scam alert” confirmed that SingHealth will not contact patients by phone unless they’ve been specifically asked to, and will not ask for personal and financial information.

Darktrace APAC managing director, Sanjay Aurora, argued that the authorities had done quite well to detect, investigate and report in under a month, following the July 4 discovery of suspicious activity.

“Like other kinds of personal data, medical information can be easily monetized via criminal forums. But beyond making a quick buck, a more sinister reason to attack would be to cause widespread disruption and systemic damage to the healthcare service — as a fundamental part of critical infrastructure — or to undermine trust in a nation’s competency to keep personal data safe,” he said.

“Networks in the healthcare sector are now ‘digital jungles’ and well-resourced attackers take the time and effort to conduct low and slow attacks to discover vulnerabilities, often silently exploiting them over long periods of time. Once their work is done, they are expert in covering their tracks, making attribution extremely difficult.”

Categories: Cyber Risk News

Has GDPR Impacted Insider Threats?

Fri, 07/20/2018 - 15:10
Has GDPR Impacted Insider Threats?

According to new research from Clearswift, the introduction of GDPR has led to a slight drop in insider threats in both the UK and Germany. Survey respondents said that insider threats make up 65% of reported incidents in 2018, compared to 73% last year. German companies reported similar declines, with insider error incidents at 75% this year, down from 80% last year.

The research surveyed 400 senior IT decision makers from global organizations with more than 1,000 employees and found that 38% of IT security incidents occur as a direct result of their employees’ actions, with 75% of all incidents originating from their extended enterprise, which includes employees, customers and suppliers. Former employees represent 13% of cybersecurity incidents for the participating organizations.

According to this year’s survey, despite the reality that internal threats are the greatest risk to most organizations, employees believe that the majority of incidents (62%) are accidental, which is only a slight decrease from 65% in 2017.

“Although there’s a slight decrease in numbers in the EMEA region, the results once again highlight the insider threat as being the chief source of cybersecurity incidents,” Dr. Guy Bunker, SVP of products at Clearswift, said in a press release. “Three-quarters of incidents are still coming from within the business and its extended enterprise, far greater than the threat from external hackers. Businesses need to shift the focus inwards."

“Organizations need to have a process for tracking the flow of information in the business and have a clear view on who is accessing it and when," Bunker continued. "Businesses need to also ensure that employees ‘buy into’ the idea that data security is now a critical issue for the business. Educating them on the value of data, on different forms of data, what is shareable and what's not, is crucial to a successful cybersecurity strategy."

Given that the percentage changes are so slight, Ben Herzberg, director of threat research at Imperva, said that the minimal decline reinforces the notion that companies should not assume that their internal network is safe from threats.

“I’m not sure if GDPR is the cause of the change in the statistics gathered, but with or without GDPR, it’s important for organizations to know exactly where they store their data, and be accountable for it.”

Categories: Cyber Risk News

Who Are ComplyRight's Security Employees?

Fri, 07/20/2018 - 14:38
Who Are ComplyRight's Security Employees?

The website of human resources firm ComplyRight was reportedly breached and sensitive data compromised, according to KrebsonSecurity. In addition to tax forms from thousands of the company’s clients, other sensitive information accessed in the breach included names, addresses, phone numbers, email addresses and Social Security numbers.

As part of his investigation, Krebs reported that he searched ComplyRight employee profiles on LinkedIn in an effort to reach members of the security department, yet he was unable to find anyone whose job title was related to security. He also noted that the company had no current listing for security job openings.

“The fact that the company touts its security prowess, yet Brian Krebs couldn’t identify a single employee with a security title, is deeply concerning – and just another reason for consumers to question their trust in digital businesses,” said Jeannie Warner, security manager at WhiteHat Security.

“Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern. And any company offering software as a service should have an obligation to perform the strictest security tests against vulnerable avenues into client networks: APIs, network connections, mobile apps, websites, databases," Warner said. "Interestingly, in a check on its website, it is still not advertising anyone in IT security, nor is security mentioned in the requirements for digital product hires.”

According to WhiteHat Security research, a number of web applications remain "always vulnerable" and susceptible to attack on a daily basis. “Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures – making them an easy target for hackers, who can exploit them and gain access to back-end corporate databases,” she said.

As a human resources firm, ComplyRight handles forms overflowing with personally identifiable information, such as 1099s and W-2s. While the size of the hack isn’t known yet, the company disclosed that it first learned of the incident in late May 2018, at which point it disabled the platform and remediated the issue on the website.

“In consultation with third-party forensic cybersecurity experts, we took swift action to secure the data of our partners, business customers and the individuals potentially impacted,” ComplyRight wrote in its incident notice. The company also reported that it initiated a through communication plan to alert those individuals potentially affected by the breach, which the company said is less than 10% of those who have prepared tax forms on the web platform.

Categories: Cyber Risk News

Rosenstein Warns Russia Is Only One Tree in Forest

Fri, 07/20/2018 - 14:13
Rosenstein Warns Russia Is Only One Tree in Forest

In the closing session of the first full day of the 2018 Aspen Security Forum, Deputy Attorney General Rod Rosenstein warned not only of increased threats from Russian influence operations but also of the additional global cyber-threats from other nation-states.

Sharing key points from the Justice Department’s new cyber-digital task force report, Rosenstein said that Russian interference in the 2016 presidential election was “just one tree in a growing forest,” according to The Hill.

Affirming that Russia is not the only foreign adversary targeting the US with cyber-threats, Rosenstein’s comments come only days after The New York Times reported that a "besieged Trump" appeared to be ad-libbing when he said that foreign meddling “could be other people also...a lot of people out there.”

During his presentation, Confronting Global Cyber Threats, which followed earlier sessions Defending Democratic Institutions: Election 2018 and Beyond and Securing the Homeland, Rosenstein reportedly warned, “These actions are persistent, they’re pervasive, they are meant to undermine democracy on a daily basis – regardless of whether it is election time or not.”

Combating the advanced, persistent threats from different nation-state actors, including North Korea, China and Iran, is at the root of the report Rosenstein referenced in yesterday’s talk.

“Computer intrusions, cybercrime schemes and the covert misuse of digital infrastructure have bankrupted firms, destroyed billions of dollars in investments and helped hostile foreign governments launch influence operations designed to undermine fundamental American institutions,” the report said.

Technology’s rapid advancement has empowered malicious foreign actors to reach “unprecedented numbers of Americans covertly and without setting foot on U.S. soil. Fabricated news stories and sensational headlines like those sometimes found on social media platforms are just the latest iteration of a practice foreign adversaries have long employed in an effort to discredit and undermine individuals and organizations in the United States,” according to the report.

Rosenstein’s remarks were part of a panel moderated by David Sanger, chief Washington correspondent at The New York Times. Panel members included Thomas Bossert, former assistant to the president for Homeland Security and Counterterrorism; Greg Clark, Symantec’s CEO; and Lisa Monaco, former assistant to the president for Homeland Security and Counterterrorism.

Categories: Cyber Risk News

MoneyTaker Grabs $1m from PIR Bank

Fri, 07/20/2018 - 11:11
MoneyTaker Grabs $1m from PIR Bank

Hacker group, MoneyTaker, stole $1m from Russian bank PIR, transferring the money to 17 accounts at other major Russian banks and before cashing out. Group-IB were hired to respond to the incident and limit the damage, and it is thought that the withdrawal of the stolen funds means most of the money is lost to PIR Bank.

Group-IB confirmed that the attack on PIR Bank started in late May 2018, with the hackers gaining access to the bank by compromising a router used by one of the bank's regional branches. In a press release, the company said: "The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.

“Moreover, the criminals left some so-called ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain the access to the network. During incident response, this was detected by Group-IB employees and removed by the bank’s sysadmins.” 

Back in 2017, Group-IB confirmed that 20 companies across the globe had already fallen victim to the hacking group. Conducting successful attacks on financial institutions and legal firms in the USA, UK, and Russia, the group had been primarily targetting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT (US). 

The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a US bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers did not conduct attacks for almost four months and only attacked banks in Russia in September 2016. In these instances, its target was AWS CBR, the Russian interbank transfer system. In general, in 2016, Group-IB recorded 10 MoneyTaker attacks against organisations in the U.S., UK and Russia. Since 2017, the geography of their attacks has shrunk to Russia and the US. In 2018, Group-IB tracked two MoneyTaker attacks in Russia.

According to a blog on the company's website, MoneyTaker constantly changes its tools and tactics to bypass anti-virus and traditional security solutions. Most importantly, they carefully eliminate their traces after completing their operations, resulting in the group going largely unnoticed. The group has been active since around spring 2016 when they stole money from a US bank after gaining access to the card processing system. 

“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible," Olga Kolosova, Chairperson of the Management Board, PIR Bank LLC. "At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents.”

Categories: Cyber Risk News

UK Puts Huawei on the Naughty Step for Security Issues

Fri, 07/20/2018 - 10:29
UK Puts Huawei on the Naughty Step for Security Issues

A report by Huawei's Cybersecurity Evaluation Centre (HCSEC) has found that the company's products, which are deployed or are contracted to be deployed in the UK, have underlying engineering issues.

Addressed to the UK National Security Advisor, HCSEC Oversight Board's fourth annual report explained that there were still concerns regarding the company broadband and mobile infrastructure products, referring to a security critical third party software used in a variety of products which was "not subject to sufficient control."

"There have been a number of detailed technical discussions between Huawei R&D and HCSEC, some including National Council Security Centre," said the report. "These discussions are working towards a full understanding of the problem, a short-term mitigation plan and a more strategic fix for the underlying cause of the problem.

"However, there is a significant risk in the UK telecoms infrastructure if Huawei and the operators are unable to support these boards long-term."

According to the BBC, the HCSEC was set up in 2010 in response to concerns that BT and others' use of Huawei's equipment could pose a threat. The body is overseen by UK security officials, including GCHQ.

Prior to this report, the previous three had concluded that any risks posed to the UK's national security "had been mitigated." However, in this latest report, the HCSEC had found two areas of concern; the building of consistent binary code and insufficient management of third-party software.

In other countries such as the US, Chinese companies such as Huawei and ZTE have been banned, most recently from retail stories on US military bases. In Australia, there is also talk of Huawei being banned from its new 5G network due to security concerns.

In April 2018, the Wall Street Journal reported that the company was under US criminal investigation for illegal Iran sales, violating export sanctions.

In a statement, Huawei said: "The oversight board has identified some areas for improvement in our engineering processes. We are grateful for this feedback and committed to addressing these issues.”

Categories: Cyber Risk News

UK Gov Launches Consultation to Speed-Up Cybersecurity Strategy

Fri, 07/20/2018 - 08:56
UK Gov Launches Consultation to Speed-Up Cybersecurity Strategy

The Department for Digital, Culture, Media and Sport (DCMS) has launched a consultation into developing the cybersecurity profession in the UK to support the National Cyber Security Strategy (NCSS). To support this effort, it has also proposed to create a UK cybersecurity council, which would sit independently of the government. 

The NCSS sets out the government's ambition to ensure there is a sustained supply of the best possible home-grown cybersecurity talent, which is to be achieved by 2021. This consultation, which closes on August 31, is for a broad range of interested parties including cybersecurity professionals, existing cybersecurity professional organizations in the UK, students and recent graduates, academia and law enforcement communities. 

Margot James, chair of the DCMS, wrote about why an intervention was needed to support the NCSS: "The cybersecurity profession is relatively new and has developed organically over recent years. It is broad and varied; those working in the cybersecurity ecosystem are found across multiple disciplines including engineering, technology, business, social science, compliance and law, with a wide range of different competencies.

"We heard strongly during our pre-consultation engagement that to build on the good work, more needs to be done to create the environment for the cybersecurity profession in the UK to develop at the pace required," she continued. "There was a strong sense from many we engaged with that there is no generally accepted, unifying narrative of what makes a cybersecurity professional. Misconceptions and stereotypes about cybersecurity professionals remain and we heard clearly that many still consider cybersecurity to be a complex subject area and a career which lacks clear routes into and through it."

The NCSS has specified goals to reach between now and 2021. By the end of 2019, there will be an early development and alignment of a coherent set of career specialism pathways into and through the cybersecurity profession and a draft Code of Ethics will be agreed between participating cybersecurity professional organizations. 

To support this, a number of established councils, chartered professional bodies, academics and industry groups have established a collaborative alliance to advance the development of the cybersecurity profession. With an overall aim to provide clarity around the skills, competencies and career pathways within this fast-moving area of professional practice, the initial objective for The Alliance is to support commitments expressed within the UK NCSS to provide a focal point for advising national policy, including the stated intent to recognize professionals through Chartered status. 

The Alliance brings together a range of expertise and disciplines, including BCS, The Chartered Institute for IT, Chartered Institute of Personnel & Development (CIPD), CREST, The Engineering Council, IAAC, The Institution of Analysts and Programmers (IAP), The IET, (ISC)2 and techUK. Talal Rajab, head of program - cyber and national security, techUK, commented on the coming together of these bodies: "techUK is pleased to be a founding member of the Alliance and contribute to the development of the cybersecurity profession. 

"Our digital economy is underpinned by the need for cybersecurity expertise and skills across a range of disciplines. Through bringing together these professional bodies and harnessing the full range of established cybersecurity professional expertise, the Alliance will go a long way to providing a focal point for the sector on the cybersecurity skills, competencies and standards needed to ensure that the UK has the skills needed to remain resilient to the growing cyber-threat.”

This announcement from the government follows the announcement from The Joint Committee for National Security Strategy which criticized the government for not acting urgently enough on critical national infrastructure cybersecurity. Kamila Hankiewicz, managing director, Girls in Tech, also feels strongly that not enough is being done to get people, especially women, into cybersecurity roles: "The current education model is flawed and results in a low number of women applying for technology roles. This means our nation misses out a huge group of talent in positions needed for the future workforce. 

"A shortage of female talent is predominantly down to a lack of awareness of the opportunities that exist and a flawed perception that you need to be strictly technical to work in industries such as cybersecurity, automation or crypto-investing. It is our responsibility, as the future leaders of the UK, to ensure that our governments are investing in children at an early age - preventing them from developing an unconscious bias towards STEM and getting them excited about the opportunities that the future digital economy presents."

Categories: Cyber Risk News

Vulnerable IoT Vacuums, DVRs Put Homes at Risk

Thu, 07/19/2018 - 13:51
Vulnerable IoT Vacuums, DVRs Put Homes at Risk

The internet of things (IoT) has seen a string of vulnerabilities across multiple devices, the latest of which are new vulnerabilities in Dongguan Diqee 360 robotic vacuum cleaners, which could allow cybercriminals to eavesdrop, perform video surveillance and steal private data, according Positive Technologies.

Researchers Leonid Krolle and Georgy Zaytsev uncovered the Dongguan Diqee 360 security issues found on vacuums, which most likely affect not only those made by the company but those sold under other brand names as well. The devices affected by vulnerability CVE-2018-10987 are at risk of an authenticated remote code execution, potentially allowing an attacker to send a User Datagram Protocol (UDP) packet enabling them to execute commands on the vacuum cleaner as root.

A second vulnerability, CVE-2018-10988, involves a microSD card that reportedly could be used to exploit weaknesses in the vacuum's update mechanism. The researchers said that these vulnerabilities may also affect other IoT devices using the same video modules as Dongguan Diqee 360 vacuum cleaners. Such devices include outdoor surveillance cameras, DVRs, and smart doorbells.

That an authenticated attacker can gain access to the device in itself isn’t a major issue. “The difference is that this vacuum cleaner does not simply wander around the house, cleaning,” said Yotam Guzman, VP of marketing, SecuriThings. “It also serves as a mobile surveillance bot, with both day and night capabilities. Imagine that someone can get access to the device and watch the video feed, without the owners even realizing it. Even worse – someone can program the route of the device to drive around the house, filming the inside, which is very similar to what reconnaissance drones do in 'Star Wars' or other sci-fi movies."

"This is another incident/vulnerability that demonstrates just how hackable cheap connected devices are. Buyers of vacuum robots should really think if they want their nice little R2-D2-like helper to have reconnaissance capabilities.”

In related news, another vulnerability (CVE-2013-6117) has resurfaced despite being nearly five years old. Login passwords for tens of thousands of Dahua DVR devices were reportedly cached and indexed inside search results returned by IoT search engine ZoomEye.

Commenting on Twitter about the vulnerability, Ankit Anubhav, principal researcher at NewSky Security, wrote, “The attackers do not even need to write code to connect to the port as they can login to public scanner like ZoomEye which store the output of requests in their website and dump it.

“A new low has been achieved in the ease of hacking IoT devices. One does not even need to connect to the Dahua devices to get the credentials.”

Categories: Cyber Risk News

Attention Airline Passengers, Your Data Is at Risk

Thu, 07/19/2018 - 13:02
Attention Airline Passengers, Your Data Is at Risk

A new report, Attention All Passengers: Airport Networks Are Putting Your Devices & Cloud Apps at Severe Risk, released by Coronet found that some of America’s airports are cyber-insecure.

The data collected identified San Diego International Airport, John Wayne Airport-Orange County (CA) International Airport and Houston’s William P. Hobby International Airport as lagging in cybersecurity.

Over the course of five months, vast amounts of data on device vulnerabilities and Wi-Fi network risks were collected from more than 250,000 consumer and corporate endpoints that traveled through America’s 45 busiest airports.

After extensive analysis, the data was compile into an Airport Threat Score, which identified not only the most cyber-insecure airports but also the least vulnerable. Chicago-Midway International, Raleigh-Durham International and Nashville International ranked top of the list for low vulnerability.

According to the report, business travelers are at heightened risk of unintentionally facilitating unauthorized device access, data theft and malware/ransomware spread across their endpoints. Once devices are infected, the integrity and confidentiality of the employers’ essential cloud-based work apps, such as G Suite, Dropbox and Office 365, are jeopardized.

The data suggested that all flyers are at an elevated risk of connecting to unencrypted, unsecured or improperly configured networks, which can prompt identity theft, financial fraud, and personal files and picture theft.

“Far too many U.S. airports have sacrificed the security of their Wi-Fi networks for consumer convenience,” said Dror Liwer, Coronet’s founder and CISO.

“As a result, business travelers in particular put not just their devices, but their company’s entire digital infrastructure at risk every time they connect to Wi-Fi that is unencrypted, unsecured or improperly configured," said Liwer. "Until such time when airports take responsibility and improve their cybersecurity posture, the accountability is on each individual flyer to be aware of the risks and take the appropriate steps to minimize the danger.”

Categories: Cyber Risk News

IBM Can't Contain Itself, Launches Nabla

Thu, 07/19/2018 - 11:34
IBM Can't Contain Itself, Launches Nabla

IBM researchers have created a new approach to container isolation with the launch of Nabla containers, designed for strong isolation on a host. The containers achieve isolation by adopting a strategy of attack surface reduction to the host and using only nine system calls.

According to the Nabla website, IBM researchers have "measured exactly how much access to the kernel common applications exhibit with Nabla containers and standard containers by measuring the number of system calls containerized applications make and correspondingly how much kernel functions they access.

"A containerized application can avoid making a Linux system call if it links to a library OS component that implements the system call functionality. Nabla containers use library OS - aka unikernel - techniques, specifically those from the Solo5 project, to avoid system calls and thereby reduce the attack surface. Nabla containers only use 9 system calls, all others are blocked via a Linux seccomp policy."

There has been a fierce debate within the industry regarding whether isolated containers or virtual machines (VMs) are more secure. James Bottomley, IBM research engineer and Linux kernel developer, wrote a blog regarding 'one of the biggest problems about container vs Hypervisor security': "No-one has actually developed a way of measuring security, so the debate is all in qualitative terms, but no-one actually has done a quantitative comparison."

The researchers then tested Nabla through the metric of performance, and showed that it is "far and away the best containment technology for secure workloads given that it sacrifices the least performance over docker to achieve the containment." The blog also noted that Nabla was two-times more secure than using hypervisor-based containment. 

There are some limitations to Nabla, however, in that Nabla runtime only supports images built for nabla as well as missing features, which the team is currently working on. 

Categories: Cyber Risk News

Campaign's Election Data Exposed in Virginia

Thu, 07/19/2018 - 10:07
Campaign's Election Data Exposed in Virginia

A Virginia-based political campaign and robocalling company Robocent left hundreds of thousands of voter records on a public, exposed and unprotected Amazon S3 bucket. This year has already seen a lineup of attempted attacks on local elections and campaigns, but this news comes less than a week after the indictment of 12 Russian officials for meddling in the 2016 US presidential election.

According to an 18 July blog post by Bob Diachenko, head of communications at Kromtech Security, Robocent’s self-titled bucket was reportedly "indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found. Repository contained both audio files, with pre-recorded political messages for robocalls dials (*.mp3, *.wav), and voter data (*.csv, *.xls files)."

Voter names, phone numbers, addresses, age, gender, jurisdiction breakdown and political affiliation were some of the information included in the data, which Robocent co-founder told ZDNet was publicly available information that the company was only "keeping track of."

“Voter data is extremely sensitive and leaks like this highlight the need for organizations to maintain visibility into where their data is located within their cloud infrastructure and whether the storage system is risk appropriate given the sensitivity of the information. It’s easy for a fast-growing or seasonal organization like this one to lose track of that risk over time,” said Sam Bisbee, CSO, Threat Stack.

“Many companies have critical AWS cloud security misconfigurations. It’s an easy mistake to make. AWS customer needs to take responsibility for their security by prioritizing infrastructure visibility. Find ways to proactively create transparency within the cloud to effectively manage the security of data and systems and you give your organization the best chance of defending itself against cybercriminals.”

The security of the 2018 midterm elections is a growing concern, which makes the lack of proper cybersecurity hygiene through virtually all job roles within the election ecosystem, private and public, problematic for security, said Ben Johnson, CTO and co-founder, Obsidian Security.

“Given this abysmal state of election security, one has to assume that any voter data that hasn’t already leaked soon will,” Johnson said. “Companies, campaigns and individuals are all racing to collect and utilize data without doing nearly enough to properly safeguard it. When you combine poor practices with lucrative data and motivated, sophisticated attackers, this picture will get worse before it gets better.”

Categories: Cyber Risk News

Gov Slow to Address Urgent CNI Security Needs

Thu, 07/19/2018 - 09:50
Gov Slow to Address Urgent CNI Security Needs

A committee of MPs and peers in the UK has criticised the government for its lack of urgency in addressing the cybersecurity skills gap in relation to critical national infrastructure (CNI).

According to a report released following the meeting with The Joint Committee on the National Security Strategy, the shortage in specialist skills and deep technical expertise is one of the greatest challenges faced by the UK's CNI operators and regulators in relation to cybersecurity. The report also calls for ministers to step forward and take the lead in developing a strategy to give drive and direction.

The committee references the May 2017 WannaCry attack on the National Health Service, believing it demonstrated a fundamental need to ensure the UK is able to keep CNI secure from cyber-threat. They go on to say that a lack of detailed analysis of which CNI sectors and specialisms are most acutely affected is impacting on the government’s ability to understand, and therefore address, the gap between skills supply and demand.

"Our Report reveals there is a real problem with the availability of people skilled in cybersecurity but a worrying lack of focus from the government to address it," said chair of The Joint Committee, Margaret Beckett MP. "We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us, but also the much larger number of posts which require moderately specialist skills.

"We acknowledge that the cybersecurity profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications. However, we are calling on government to work closely with industry and education to consider short-term demand as well as long-term planning. As a very first response, government must work in close partnership with the CNI sector and providers to create a cybersecurity skills strategy to give clarity and direction. It is a pressing matter of national security to do so."

In its recommendations, the committee proposed the government should address the need for continuing professional development for teachers and lectures, enabling their knowledge to keep pace with the rapidly changing cybersecurity landscape. It also references increasing the numbers of women in the cybersecurity workforce, saying that a version of the CyberFirst Girls Competition could be used to attract returning mothers to the cybersecurity profession.

"I sympathise with the NCSC and others who have been tasked with addressing the cyber-skills gap for a few years now," said Eerke Boiten, professor of cybersecurity, De Mortfort University. "They have pumped significant amounts of money out of the five year Cyber Security Strategy into various initiatives, not all of them looking likely to be productive. In particular, an initiative to introduce cyber security at secondary schools contained no thought on how to integrate this with the computing curriculum.

"I think that both for the medium term and the gender balance issue, secondary schools have to be the focal point. The drop in take up and the general perception of the Computer Science A level are serious concerns. Increasing the number of highly qualified teachers is indeed essential, but calling for more CPD is not going to be effective until there is resource for it at a time when most secondary schools are being cut financially. 

"The government would also do well to note the points made about recruiting from abroad," he continued. "Brexit makes any job in the UK unattractive for most EU applicants; the limits on Tier 2 visas also have an adverse effect. The NSS recommendations gloss over this only where they talk of the 'implications, risks and opportunities of Brexit'."

A standalone skills strategy, promised by government in November 2016 and which would frame and give impetus to its various efforts, will be published by December 2018.

Categories: Cyber Risk News

Pages