Info Security

Subscribe to Info Security  feed
Updated: 1 hour 28 min ago

Half of Norway’s Population May Have Been Breached

Mon, 01/22/2018 - 10:12
Half of Norway’s Population May Have Been Breached

A Norwegian healthcare provider is investigating an unauthorized intrusion into its IT systems which may have breached the personal data of over half the country’s population.

Helse Sør-Øst RHF (Health South-East RHF) delivers healthcare for the most populous part of the Scandinavian nation, including the capital, via 15 health trusts and a network of 19 pharmacies. This area is said to cover nearly three million of a population of a little over five million people.

The country’s healthcare IT security center, HelseCert, notified IT delivery partner Sykehuspartner HF (Hospital Partner HF) of “abnormal activity” at the beginning of the month, Health South East said in a statement last week.

The breach was perpetrated by an “advanced and professional” player, with police having been notified.

Measures have been taken to mitigate and remediate the threat, with HelseCert and national security authority NorCert leading the efforts.

The health authority claimed that there’s no evidence the data theft has put patient treatment or safety at risk, although it added that it is still too early to make a definitive assessment.

Either way, the incident isn’t on the same kind of scale as a government beach in neighboring Sweden revealed last year which is thought to have exposed highly sensitive information on infrastructure and the military — potentially to hostile states.

Infoblox director of Western Europe, Gary Cox, said the attack highlighted the increasing value placed on healthcare records by cyber-criminals. That’s why 85% of providers polled by the vendor in the UK and US said they’ve increased spending over the past year.

“It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organization and respond to active threats to ensure the security and safety of patients and their data,” he added.

McAfee chief scientist, Raj Samani, warned that the affected patients may now be at risk from follow-on fraud attempts.

“The cybersecurity industry needs to work together to combat the growing rate of cybercrime targeting public services by making threat intelligence sharing compulsory so that they are best equipped to defend against this threat,” he urged.

“Once this is in place every attack will lead us a step closer to finding those responsible.”

Categories: Cyber Risk News

Smartphone Maker OnePlus Hit with Credit Card Breach Affecting Tens of Thousands

Fri, 01/19/2018 - 17:41
Smartphone Maker OnePlus Hit with Credit Card Breach Affecting Tens of Thousands

OnePlus, maker of smartphones geared to challenge the Apple–Samsung smartphone duopoly, has become the latest victim of a data breach; the incident affects around 40,000 users.

The company said that the issue affects some of its customers that have shopped online at oneplus.net may be affected by the incident.

“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” the company said, in a website notice. “The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”

The malware was live between mid-November 2017 and January 11, capturing card numbers, expiry dates and security codes. However, it didn’t affect everyone: Users who paid via a saved credit card, PayPal or with the “Credit Card via PayPal" method should not be affected. OnePlus has sent out an email to all possibly affected users.

“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” the company said. “We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.”

Those buying a OnePlus smartphone from the e-commerce site during the danger period should take obvious steps to check their card statements and report any charges they don’t recognize to their banks. 

“I’m impressed with the meticulousness and expediency OnePlus is taking in providing customers with notification of the breach. Based on recent events, this is not how major companies tend to act," said Chris Morales, head of security analytics at Vectra, a San Jose, California, based provider of automated threat management solutions, via email. "It’s certainly unfortunate that the breach happened, but not at all surprising. It appears on first take to be similar to how many other retailers have been compromised. A piece of code is designed to monitor and collect credit card information. This is what happened at Target, except that it was local on the point-of-sale terminal. This breach should be a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction, as attackers can compromise the systems at both ends of any encrypted conversation.”

Categories: Cyber Risk News

In a Twist, Dridex Campaign Uses FTP Sites

Fri, 01/19/2018 - 17:26
In a Twist, Dridex Campaign Uses FTP Sites

A peculiar email campaign is going around, distributing a variant of the Dridex banking Trojan. The peculiarity lies in the fact that the attack uses compromised FTP sites – instead of the more usual malicious web links – as download locations for malicious documents.

According to Forcepoint Security Labs, this has exposed the credentials of the compromised FTP sites in the process.

“The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way,” explained Forcepoint researchers Roland Dela Paz and Ran Mosessco, in a blog. They added that a compromised account may be abused multiple times by different actors as long as the credentials remain the same, widening the potential for damage.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already compromised sites to further abuse by other groups,” they said. “This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable.”

The use of FTP sites may be an attempt to fly under the radar of cybersecurity defenses. Also, if a compromised site is used by multiple actors, it makes attribution harder for security professionals and law enforcement.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates,” Paz and Mosessco said. “In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations.”

The researchers also believe the Necurs botnet is behind the campaign. Various attributes point to this. For instance, the domains used for distribution were already in Forcepoint’s records as compromised domains used in previous Necurs campaigns, and the document downloaders are similar to those used by Necurs in the past. The download locations of the XLS file also follow the traditional Necurs format; and, not to be ignored, Necurs is historically known to spread Dridex.

What argues against Necurs being involved is the smaller size of the campaign. In this week's attack, about 95,000 emails were sent, compared to Necur’s average of millions of messages.

“The size of the campaign is more or less 'average,’” said Paz and Mosessco. “Given Necurs' typical association with very large campaigns, the reason for this remains something of a mystery. [Also] Necurs has recently been recorded using malicious links (as opposed to malicious attachments) to distribute Dridex, but the switch to FTP-based download URLs is an unexpected change.”

The researchers observed malicious emails being distributed earlier this week for a period of around seven hours. The emails were sent primarily to .com top-level domains (TLDs), as well as TLDs that point to major regional targets being France (.fr) , the UK (.uk.co) and Australia (.com.au).

Categories: Cyber Risk News

Most IT Execs Have Zero Control Over Password Hygiene

Fri, 01/19/2018 - 15:39
Most IT Execs Have Zero Control Over Password Hygiene

Despite the clear danger that passwords pose to organizations, more than half of IT executives in a recent survey said they rely solely on employees to monitor their own password behavior.

Despite this, employees are struggling with the task: The survey from LastPass and Ovum, which queried a few hundred IT executives and corporate employees in EMEA, revealed that 76% of employees regularly have problems with password usage or management,and nearly a third of users need help desk support at least once every month.

This onus on personal responsibility translates into companies wrestling with a lack of visibility and control. Yet the majority are not doing enough, if anything at all, to address the situation.

For instance, in terms of what organizations are doing to enforce strong passwords, 62% of IT executives rely exclusively on employee education. Employees are essentially on their own, with no technology in place to enforce any password strength requirement.

Also, outdated manual processes still prevail: IT executives at 4 in 10 companies still rely on entirely manual processes to manage user passwords for cloud applications. In fact, 75% of IT executives lack control over the cloud-based applications used by their employees, subsequently leaving the company at risk, shining a light on the disconnect between IT policy and human behavior.

Defense against password sharing is far too weak as well. When asked how they guard against unnecessary password sharing, 63% of IT execs had no technology in place and only 14% have the automated control facilities in place to know when it is happening.

“This research has clearly identified [that] there is an urgent need to close the password security gap,” said Andrew Kellett, principal analyst for Infrastructure Solutions at Ovum. “Far too many organizations are leaving the responsibility for password management to their employees and don’t have the automated password management technology in place to identify when things are going wrong.”

Matt Kaplan, GM of LastPass, added: “In many cases, an organization’s password management practices are overly reliant on manual processes and far too often place an excessive level of trust in employees to use safe password practices. The threat posed by human behavior, coupled with the absence of technology to underpin policy, is leaving companies unnecessarily at risk from weak or shared passwords. Organizations need to focus on solving for both obstacles in order to significantly improve their overall security.”

Categories: Cyber Risk News

One Identity Acquires Balabit to Merge IAM and PAM

Fri, 01/19/2018 - 11:46
One Identity Acquires Balabit to Merge IAM and PAM

Identity and access management (IAM) provider One Identity has acquired privileged access management vendor Balabit.

It is a deal that will see Balabit’s privileged account analytics and log management capabilities enhance its overall identity and access management portfolio. Financial terms of the deal were not disclosed.

Currently, Balabit’s session management technology is embedded into the recently announced One Identity Safeguard solution through an OEM partnership. With this acquisition, One Identity can further expand its PAM solutions with machine learning-driven, privileged account analytics, which it said are critical to building a complete PAM and IAM stack. 
 
John Milburn, president and general manager of One Identity, said: “With the addition of Balabit, we ensure that we can continue to deliver best-of-breed privileged session management and privileged account analytics capabilities to our customers and partners, and do so within the context of a modern, PAM solution that combines the best of One Identity and Balabit technology.

“We’re thrilled to welcome the Balabit team to One Identity, and we look forward to continue delivering the innovative technology and world-class support Balabit’s customers and partners have to come expect.”

“The addition of privileged account analytics is a perfect complement to the identity analytics capabilities in our recently released One Identity Starling IARI solution,” said Jackson Shaw, senior director of product management at One Identity. “The pairing of our technologies will enable our customers to know what entitlements their employees and privileged users have, and what they are doing with those entitlements. Identity and privileged account analytics – it’s a powerful combination that we’re excited to bring to market.”

Martin Kuppinger, founder and principal analyst at KuppingerCole, said in a blog that he expected One Identity to progress fast on creating a fully integrated solution, and this strengthens the position of One Identity in both the privilege management market and the overall identity management market.

He said: “For privilege management, the combined portfolio and the expected close integration moves One Identity into the group of the market leaders, with respect to both the number of customers and technical capabilities.

“When looking at the overall identity management market, One Identity improves its position as one of the vendors that cover all major areas of that market, with particular strengths in IGA (Identity Governance and Administration, i.e. Identity Provisioning and Access Governance) and privilege management, but also in identity federation and cloud SSO, plus other capabilities such as cloud-based MFA (multi-factor authentication). For companies that focus on single sourcing for identity management or at least one core supplier, One Identity becomes an even more interesting choice now.”

Categories: Cyber Risk News

Report Details 100+ Domains at Risk from IDN-Related Spoofing

Fri, 01/19/2018 - 11:18
Report Details 100+ Domains at Risk from IDN-Related Spoofing

Researchers have warned of a major phishing threat posed by domain names spoofed using International Domain Name (IDN) homographs.

Attackers can use IDN characters to mimic Latin script, and thus lure unsuspecting users into visiting phishing sites that are “pixel-perfect renditions of the brands they’re impersonating,” according to Farsight Security.

While the security challenges around IDNs are well known, the firm conducted its own research into the area, revealing several real-world examples to underline the scale of the problem.

From October 17 2017 to January 10 2018 the firm observed 125 top domains being subverted by over 116,000 homographs.

“We observed IDN homographs mimicking 125 top ‘phish-worthy’ domains including large content providers, social networking giants, financial websites, luxury brands, cryptocurrency exchanges, and other popular websites,” explained the vendor’s Mike Schiffman.

One example is a phishing site using the IDN characters “????????” to spoof the social network.

Other big name brands affected included Apple (àpple, appl?, ???le); Adobe (a?obe, adobe.com); Amazon (ämäzön, amazon); Bank of America (ba?kofamerica); Cisco; Coinbase; Credit Suisse; eBay; Bittrex; Google; Microsoft; Netflix; New York Times; Twitter; Walmart; Yahoo; Wikipedia; YouTube and Yandex.

From an end-user perspective the best form of defense is to be suspicious of any unsolicited email regardless of sender — especially ones featuring enticing statements or account log-in links.

Enabling phishing filters, safe browsing and 2FA for log-ins will also help to combat the risk of phishing and account hijacking.

“If you operate a popular website that allows users to interact with one another, log in, purchase and/or download things, chances are your brand (and therefore your users) will be on some target list for phishers and other internet criminals,” continued Schiffman.

“You will want to pay attention to the IDN space, and either try to register IDN domain names proactively that could be used to impersonate your brand, or subscribe to a service that allows you to monitor recent IDN homograph registration and use in an attempt to impersonate your brand.”

Categories: Cyber Risk News

Serial DDoS-er Pleads Guilty to Two Year Spree

Fri, 01/19/2018 - 10:39
Serial DDoS-er Pleads Guilty to Two Year Spree

A New Mexico man has pleaded guilty to launching DDoS attacks against a slew of websites operated by former employers, business competitors, law enforcers and courts over a two-year-period.

John Kelsey Gammell pleaded guilty at a District Court in St. Paul, Minnesota on Wednesday to one count of conspiracy to commit intentional damage to a protected computer and two counts of being a felon-in-possession of a firearm.

His campaign lasted from around July 2015 to March 2017, and revolved around the use of multiple “DDoS-for-hire” services including VDoS, CStress, Inboot, Booter.xyz and IPStresser.

One notable attack launched against a former employer was to prove his undoing.

According to court documents, Gammell had a dispute with his former employer, Washburn Computer Group, in July 2014 and proceeded to DDoS the firm.

Although he used various techniques for anonymizing his identity — such as IP address masking services and paying for the DDoS services with crypto-currency — and encryption and drive-cleaning tools to conceal digital evidence on his computers, he came unstuck by emailing his former employer.

Grand jury subpoenas were served to Google and Yahoo to hand over the account details of the registrant for those emails, which led police directly to Gammell.

Those attacks are said to have caused a minimum $15,000 loss for the electronics company.

However, it was discovered that he had also fired DDoS attacks at companies that declined to hire him in the past and competitors of his soldering business.

Those listed by the Department of Justice include: the Minnesota State Courts, Dakota County Technical College, Minneapolis Community and Technical College and the Hennepin County Sheriff’s Office.

Gammell, who is banned from possessing firearms or ammunition based on prior convictions, also admitted possessing parts to build AR-15 assault rifles, as well as several handguns and ammo.

Organizations experienced an average of 237 DDoS attack attempts per month during Q3: a 35% increase in monthly attempts compared to the previous quarter, and a 91% increase in monthly attack attempts compared to Q1, according to Corero Network Security.

Categories: Cyber Risk News

Kent Man Sentenced for Tweeting Personal Data

Fri, 01/19/2018 - 10:01
Kent Man Sentenced for Tweeting Personal Data

A UK man has been prosecuted after tweeting highly sensitive details about a vulnerable adult and threatening to publish even more personal data he acquired on a USB stick.

It’s unclear how William Godfrey, 30, of Bull Lane, Bethersden, came into possession of the USB stick but he had previously been in a relationship with a probation officer, according to the Information Commissioner’s Office (ICO).

In July 2016 he tweeted the name and address of a “vulnerable adult,” together with info on their health and sexual life, to the accounts of the ICO, Independent Police Complaints Commission and Surrey Police.

On the same day he emailed the ICO threatening to publish yet more personal info from a 40-page document which included details of a victim of a sexual offence.

It then emerged that a separate Twitter account run by the same man had tweeted Surrey Police two days earlier, naming an individual and the fact that they had been searched by police in relation to an offence.

After failing to attend a meeting to hand over the USB stick, Godfrey was eventually forced to do so by an injunction taken out by Surrey Police, the ICO revealed.

He admitted two offences of unlawfully disclosing personal data in breach of s55 of the Data Protection Act and received a 12-month conditional discharge on tight bail conditions.

“People should always be careful about what they share on social media, both about themselves and others. But when it’s sensitive and confidential personal information that they have no right to see or possess in the first place, then we will not hesitate to take action to protect people’s rights,” said ICO head of enforcement, Steve Eckersley.

”Surrey Police has also signed an undertaking to improve its procedures as a result of this case, and we are satisfied that many of our recommendations have already been taken on board.”

Categories: Cyber Risk News

Russia, China's Cyber-Capabilities Are 'Catastrophic'

Thu, 01/18/2018 - 20:31
Russia, China's Cyber-Capabilities Are 'Catastrophic'

Economic pressures and sanctions, jihadist activity and rising tensions around the world will spur cyber-activity in 2018 – with Russia and China leading the way in capabilities, which could cause potentially catastrophic attacks.

Flashpoint’s latest Business Risk Intelligence (BRI) Decision Report found that the top trends and indicators for cyber-risk decision makers to watch in 2018 include tensions in East Asia over the North Korean nuclear program, the impact of official US policy changes on the Iranian nuclear accord, US- and European Union-led economic sanctions on Russia, US recognition of Jerusalem as the capital of Israel and other nation-states’ adoption of the Russian model of engaging in cyber-influence operations. Meanwhile, the power struggle between Saudi Arabia and Iran for influence in the Middle East fuels ongoing conflict within the region, as does the continued instability and violence in Syria.  

“Few would say that 2017 was an uneventful year in the realm of global geopolitics, and this year is already shaping up to be fraught with similar volatility,” said Jon Condra, director of Asia Pacific Research at Flashpoint, in a blog. “As such, organizations seeking to proactively combat relevant threats and address enterprise-wide risk must regard geopolitical context as a core component of their intelligence programs.”

Russia and China are the two nation-states with the most concerning capabilities, the report said. Both are considered to possess the highest levels of technical sophistication, reserved for only a select set of countries. The actors can engage in full-spectrum operations, utilizing the breadth of capabilities available in cyber-operations in concert with other elements of state power, including conventional military force and foreign intelligence services with global reach. The capabilities they have are thus alarmingly advanced, according to Flashpoint: "Kinetic and cyber-attacks conducted by the threat actor(s) have the potential to cause complete paralysis and/or destruction of critical systems and infrastructure. Such attacks have the capacity to result in significant destruction of property and/or loss of life. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability are completely compromised for extended periods," the report noted.

For Russia’s part, its state-sponsored hacking arms (such as Fancy Bear) remain highly active, capable and influential, the report said, with retaliatory and cyber-influence activity expecting to ramp up as it is increasingly isolated from the West following election interference and information operations against Western democracies.

“Moreover, Moscow continues to crack down on digital dissent and segregate itself from the global internet,” the report found. “The result is a country moving quickly toward a unique model of domestic information control via technical control of internet infrastructure, services and data, a lack of online anonymity, and censorship.”

As for China, it too remains an active and highly capable actor in cyberspace on multiple levels, although state-sponsored activity against Western targets has dropped off a bit. The report cautions decision makers not to grow complacent.

“In 2017, Chinese actors were linked to some notable attacks, however, and Beijing forged ahead with the implementation of the National Cybersecurity Law and subsequent regulatory changes with respect to the internet, and continued its crackdown on cybercrime and illicit content online,” said the report. “Chinese policymakers and military planners have long recognized the utility of cyber-espionage and cyber-weapons as a means of fueling economic growth and diminishing the US’ advantage in the event of a conventional military conflict.”

The top risks are not all political, however: The report also noted that financially motivated cybercriminals are an active, and dangerous, presence on the Dark Web.

“Cybercrime remained a persistent problem in 2017, with several mega breaches affecting millions of individuals, a resurgence of payment-card system breaches, and a series of high-profile ransomware attacks,” Condra said. “Cybercriminals have demonstrated resilience in their ability to continuously develop new ways to circumvent security protections, resulting in billions of dollars in damages for organizations around the world. From efforts to circumvent EMV chip technology to the popularization of ransomware, noteworthy trends observed in the cybercriminal underground in 2017 will have a profound impact on the 2018 threat landscape.”

Categories: Cyber Risk News

MailChimp Found Leaking Email Addresses

Thu, 01/18/2018 - 20:11
MailChimp Found Leaking Email Addresses

MailChimp, the bulk email company responsible for sending millions of newsletters, promotional mail and other mass communiques every day, has been leaking respondents’ email addresses.

Security researcher Terence Eden found what he termed “an annoying privacy violation,” adding that the issue can expose personal information. The issue is this: When a respondent clicks a link in a MailChimp email, the browser opens the link and sends the newly visited webpage what is known as a “Referer Header” (the misspelling is intentional).

“This says, ‘Hello new site, I was referred here by this previous website,’” said Eden, in a blog. “This has some privacy implications – the administrator of a website can see which website you were on. Usually this is fairly benign, but it can leak sensitive information.”

As part of generating these Referer Headers, when users receive an email from a MailChip mailing list, it generates a unique link that points to the newsletter or other piece of mail that was sent out, he explained, which are collated in logs that can be accessed by the site administrator. The link goes to the web version of a specific user's copy of the email, which means, at the bottom, there are links to change the email address as well as unsubscribe.

The unsubscribe link, when clicked, shows the user’s full email address.

It may sound relatively harmless, but the implication is that the site administrator has a copy of not only what the person may be interested in but also a list of valid emails – which is enough to craft spear phishing or watering hole attacks. Or nefarious sorts could simply brute-force the account and set about stealing information.

“If you visit a link from a MailChimp newsletter, you risk having your email address and your reading habits broadcast to a site owner,” Eden said.

The issue is however limited in its impact to one's security posture, and researchers pointed out the mass insecurity of email addresses in general. 

“At the risk of angering the privacy gods, so what!" Chris Roberts, chief security architect at Acalvio, told Infosecurity. "Yes, it’s not good that it’s possible to reverse into the email address from a link. It never is. [However], Ancestry lost 300,000 email accounts. That’s 300,000 that I DON’T have to reverse into each and every one. I don’t have to play 'hunt the unsubscribe link'. I just get a nice, big file of 300,000 of them dropped into my lap."

Joseph Carson, chief security scientist at Thycotic, had a similar take. "Given that in recent years more than 4.5 billion credentials and identities have been leaked as a result of several major data breaches, including high-profile data breaches such as Yahoo and Equifax, as well as security researchers finding almost 2 billion compromised passwords on the Dark Net for sale, it is very likely that your email address has already been leaked, or, worse, your previously used passwords," he said, via email.

This is, however, a good reminder to improve one's basic security habits.

"With spam and phishing emails at an all-time high, it is important to be cautious about suspicious emails that contain attachments or hyperlinks, as you could be just one click away from infecting your system with ransomware or unknowingly giving your password to a cybercriminal," Carson said.

Eden responsibly disclosed the issue, and MailChimp has fixed the flaw. 

Categories: Cyber Risk News

Zyklon Spreads Using Just-Patched Microsoft Vulns

Thu, 01/18/2018 - 20:08
Zyklon Spreads Using Just-Patched Microsoft Vulns

Zyklon, a fully featured backdoor, is making the rounds using recently patched vulnerabilities in Microsoft Office.

The dismally named code has been around since early 2016; it’s an HTTP malware with a wide range of capabilities, including keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks and self-updating and self-removing. FireEye researchers, who uncovered this latest wave of attacks, said that it also can download several plugins from browsers and email software, some of which include features such as cryptocurrency mining and password recovery. Additionally, Zyklon has a mechanism to monitor the spread and impact of its activities and uses the Tor anonymity network to communicate with its command-and-control  (C2) server.

In an analysis, FireEye found that Zyklon is being delivered primarily through spam emails with an attached malicious Word document, targeting telecommunications, insurance and financial services. It’s using two Microsoft vulnerabilities: CVE-2017-8759, which was discovered by FireEye in September 2017, and CVE-2017-11882, a remote code execution bug.

CVE-2017-8759 is a .NET framework issue patched by Microsoft in October. An exploit allows attackers to install programs, manipulate data and create new privileged accounts. The second vulnerability was patched in November – though it was found to have existed for 17 years.

The threat actors are banking on administrators taking their time patching – a common tactic. Users should, of course, update their systems as soon as possible, given Zyklon’s virulent abilities.

“Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections,” FireEye researchers said in their analysis. “These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.”

This becomes even more critical given that the aforementioned plugins up the ante significantly in terms of potential damage. When enabled, Zyklon can, for instance, recover passwords from popular web browsers, including Google Chrome, Mozilla Firefox, Internet Explorer, Opera Browser, Apple Safari and many others. It also can support FTP password recovery from FileZilla, Dreamweaver and others and can collect email passwords from Microsoft Outlook, Mozilla Thunderbird, Windows Live Mail and Windows Live Messenger, MSN Messenger, Google Talk, GMail Notifier and so on.

Interestingly, one of the plugins allows Zyklon to recover PC gaming software keys from a range of popular games, including "Battlefield," "Call of Duty," "FIFA," "Age of Empires," "The Sims," "Half-Life" and "Star Wars."

Further, the malware can automatically detect and decrypt the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe and Nero; can establish a reverse SOCKS5 proxy server on infected host machines; and has the ability to hijack Bitcoin clipboards.

Suffice it to say, Zyklon can wreak havoc – and for not that much money. Researchers said that a normal build goes for $75, while a Tor-enabled build costs just $125.

“Clearly this is an infection that supports the urgency to keep systems patched with automated updates,” said Michael Patterson, CEO of Plixer, via email. “Although a system might be protected against Zyklon, variants of malware are constantly being released in a zero-day fashion. These infections can lead to costly clean-ups. As a proactive measure, companies with Microsoft products deployed should be collecting network traffic flows from all routers and virtual servers to perform network traffic analysis in the event of a breach.  Detecting and locating the source of the breach event quickly is of paramount importance. For example, Tor traffic, which is unusual on a network, can easily be found and stopped by looking at the traffic flow. Leveraging traffic analytics and adding context can lead to faster remediation and go a long way towards helping keep a company safe.”

Categories: Cyber Risk News

G-Suite Security Center Aims to Improve SMB Security

Thu, 01/18/2018 - 12:14
G-Suite Security Center Aims to Improve SMB Security

Google has added a new security center to its popular G-Suite office productivity tools designed to make it easier for administrators to manage data security and take action when things go wrong.

The internet giant claims 3.5 million businesses use G-Suite today, with most tending to be small and mid-sized firms with fewer resources to spend on IT security.

The enhancements will offer admins a dashboard view of suspicious device activity, and insight into how spam and malware are targeting employees, as well as metrics to demonstrate security effectiveness.

They can also drill down into potential threats to help take a more proactive approach to security — perhaps by offering extra end user education to employees targeted by phishing. DLP alerts could also help managers prevent data exfiltration following a breach.

A security health feature provides bespoke advice for smaller businesses on how to improve security.

“These recommendations cover issues ranging from how your data is stored, to how your files are shared, as well as recommendations on mobility and communications settings,” the firm’s product managers, Chad Tyler and Reena Nadkarni explained.

G-Suite may not have nearly as many global users as Office 365, but any attempt to improve security for smaller firms should be seen as a positive.

Just under half (46%) of all UK businesses identified at least one security breach or attack in the 12 months preceding the government’s Cyber Security Breaches Survey 2017. This figure rose to two-thirds (66%) of medium-sized firms.

Research in December from the Federation of Small Businesses (FSB) revealed that a fifth of small business owners think a lack of cybersecurity skills is preventing digital growth.

The FSB estimated that such companies in the UK suffer as many as seven million cyber-crimes every year, at a cost of £5.26bn annually.

Categories: Cyber Risk News

New Attack Group Fires RATs and Disc Wipers at Targets

Thu, 01/18/2018 - 11:33
New Attack Group Fires RATs and Disc Wipers at Targets

Researchers have detailed the activity of a sophisticated new threat group targeting mainly South Korean victims in several intelligence gathering and destructive malware campaigns.

According to Cisco Talos, “Group 123” is responsible for six campaigns throughout 2017 and into the New Year: Golden Time, Evil New Year, Are You Happy?, Free Milk, North Korean Human Rights and Evil New Year 2018.

“The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns,” the vendor explained.

Four of the campaigns targeted South Korean with spear phishing emails containing malicious documents in the local Hancom Hangul Office Suite format. These documents installed the ROKRAT remote administration tool (RAT), sometimes directly and sometimes via a multi-staged attack.

The Free Milk campaign targeted non-Korean organizations with malicious Office documents exploiting CVE-2017-0199 less than a month after its public exposure.

“During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki,” explained Cisco. “PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.”

The most recent campaign included a more sinister edge: a disc wiper designed to erase “the first sectors” of the targeted device.

Cisco Talos was cagey on attribution, but North Korean agents will come high up the suspect list, not least because the local documents were written in “very specific language suggesting that they were crafted by native Korean speakers rather than through the use of translation services.”

The vendor warned that this group could be around for years to come and continues to evolve, with new fileless capabilities the latest added in a bid to help attacks fly under the radar of security filters.

Categories: Cyber Risk News

ICO Hands Out £350K Fine to Nuisance Call Company

Thu, 01/18/2018 - 10:10
ICO Hands Out £350K Fine to Nuisance Call Company

The Information Commissioner’s Office (ICO) has slapped a £350,000 fine on a marketing company which made 75 million nuisance calls in just four months.

Miss-sold Products UK Ltd made the staggering number of automated calls between November 2015 and March 2016.

The calls mainly included recorded messages promoting PPI compensation claims, but did so without the recipient’s prior consent, breaking the Privacy and Electronic Communications Regulations 2003 (PECR) legislation.

The ICO explained further:

“It also broke the law by failing to identify the organisation making the calls, while it used so-called ‘added value’ numbers that generate revenue when an individual calls the number, which is then apportioned and passed to associated companies and the network carrier.”

The ICO received 146 complaints in total, with some users claiming there was no opt-out option, while others revealed they were worried the late-night calls could have been from family members or those they provided care for.

“This company blatantly ignored the laws on telephone marketing, making a huge volume of intrusive calls over a short period of time and without any apparent attempt to ensure they had the consent of the people they were harassing,” said ICO enforcement group manager, Andy Curry.

“The ICO will come down hard on rogue operators who want to treat the law and the UK public with contempt. We hope the government will bring forward plans to introduce personal liability for directors as a matter of urgency, to stop them from escaping punishment after profiting from nuisance calls and texts.”

The ICO has been frustrated in the past trying to recover fines from directors of such companies.

In this case, the director of Miss-sold had applied to strike it off the Companies House Register but the ICO has blocked the move in a bid to help it recover the financial penalty, and for the actions of the director to be fully scrutinized.

Categories: Cyber Risk News

Bug-Hunting Hackers Earn Top Dollar for Efforts

Wed, 01/17/2018 - 21:05
Bug-Hunting Hackers Earn Top Dollar for Efforts

Bug bounties can be highly lucrative for top hackers; for instance, those based in India earn 16 times the median salary of a software engineer. And on average, top-earning researchers make 2.7 times the median salary of a software engineer in their home country.

That’s according to HackerOne, the bug-bounty platform, which surveyed nearly 1,700 hackers to get a pulse on this community of internet protectors − what their motives are, how much they’re making and what they’re doing with the bounties they earn (a staggering 24% have donated bounties to charity).

The results show that while 37% of hackers say they hack as a hobby in their spare time, it garners much more for their pocketbooks than most hobbies would: About 12% of hackers on HackerOne make $20,000 or more annually from bug bounties, and the top 3% make more than $100,000 per year. The top 1.1% are making over $350,000 annually. A quarter of hackers rely on bounties for at least 50% of their annual income, and 13.7% say their bounties earned represents 90-100% of their annual income.

Perhaps it’s no surprise then that money remains a top reason for why bug hunters do what they do; however, financial gain has fallen from first place to fourth place in terms of drivers compared to 2016. Above all, hackers are motivated by the opportunity to learn tips and techniques, with “to be challenged” and “to have fun” tied for second place.

In terms of demographics, India (23%) and the United States (20%) are the top two countries represented by the HackerOne hacker community, followed by Russia (6%), Pakistan (4%) and United Kingdom (4%). Nearly 58% of them are self-taught hackers. Despite 50% of hackers having studied computer science at an undergraduate or graduate level, and 26.4% studied computer science in high school or before, less than 5% have learned hacking skills in a classroom.

Further, more than 90% of bug-bounty hackers on HackerOne are under the age of 35, with over 50% under 25 and just under 8% under the age of 18. The majority (45.3%) are between 18 and 24 years old, and 37.3% of hackers are between 25 and 35 years old.

While ethical hacking is becoming increasingly mainstream, there are still hurdles to overcome. Namely, 94% of the Forbes Global 2000 do not have a published vulnerability disclosure policy. As a result, nearly 25% of hackers have not reported a vulnerability that they found because the company didn’t have a channel to disclose it. However, 72% of hackers combined reported that companies are becoming more open to receiving vulnerabilities than they were before.

“Every day, hackers demonstrate the power of the community by reporting thousands of vulnerabilities to companies and government agencies to make the internet safer for us all,” said Marten Mickos, CEO, HackerOne. “We are blown away by the skills, the passion and integrity of these individuals showcased in this report. The work of the ethical hacker community is significantly reducing the risk of security breaches.”

Bug hunting is a rising tide: More than 1,000 organizations including Google, General Motors, GitHub, Lufthansa, Nintendo, Spotify, Starbucks, the US Department of Defense and others have established bug-bounty programs. HackerOne itself supported 1,000 customer programs and saw more than $23 million in bounties awarded to the ethical hacker community in 2017. The company plans to pay over $100 million in rewards to hackers by 2020.

Categories: Cyber Risk News

Three-Quarters of Businesses Saw Phishing Attacks in 2017

Wed, 01/17/2018 - 19:45
Three-Quarters of Businesses Saw Phishing Attacks in 2017

The war against phishing is still on, with 76% of organizations experiencing phishing attacks in 2017. Further, nearly half of information security professionals surveyed said that the rate of attacks increased from 2016.

That’s according to the Wombat Security Technologies' annual State of the Phish research report, which also found that the impacts of phishing were more broadly felt last year than in 2016, with an 80 % increase in reports of malware infections, account compromise and data loss related to phishing attacks.

The data shows that smishing (SMS/text message phishing) as an emerging threat: 45% of infosec professionals reported experiencing phishing via phone calls (vishing) and smishing.

The report is based on the analysis of tens of millions of simulated phishing attacks sent through Wombat's Security Education Platform over a 12-month period, 10,000 responses collected from quarterly surveys of Wombat's database of infosec professionals (customers and non-customers) from more than 16 industries and insights from a third-party survey of 1,000 adults each in the US, UK and Germany.

It found that while Wombat customers show positive trends and progress within their programs, with declining click rates and an increasing number of suspicious emails identified and reported, awareness of phishing and ransomware has not trickled down to the average technology user.

Globally, the majority (67%) of technology users surveyed were not able to garner a guess as to what smishing is. Across all populations, adults aged 55 and older significantly outpace millennials in their recognition of what phishing is. Meanwhile, German users struggle to define ransomware: Nearly 70% of surveyed technology users in Germany were unable to identify what ransomware is.

A silver lining is continued momentum for anti-phishing education. For the fourth consecutive year, Wombat saw an increase in the number of organizations that assess and train their users on phishing avoidance. There has also been an increased use of computer-based training: The number of organizations using computer-based training jumped from 62% in 2016 to 79% in 2017.

"The State of the Phish Report shows that simulated phishing attacks are certainly valuable tools in the battle against social engineering attacks, but it also reinforces the need for CSOs, CISOs and their teams to take a broader view of cybersecurity education," said Joe Ferrara, president and CEO of Wombat Security. "A cyclical approach to security awareness and training is the most effective. Organizations should employ a methodology that both raises awareness of cybersecurity best practices and teaches users how to employ these practices when they inevitably face a security threat."

Categories: Cyber Risk News

(ISC)² Names Board Chairperson, New Board Members

Wed, 01/17/2018 - 18:06
(ISC)² Names Board Chairperson, New Board Members

(ISC)² has announced four newly elected officers for its board of directors.

The 13-member board provides governance and oversight for the organization, grants certifications to qualifying candidates and enforces adherence to the (ISC)² Code of Ethics.

Kevin Charest, CISO for Health Care Service Corp. (HCSC) and the 2017 (ISC)² board of directors secretary, has been named chairperson. He is responsible for all facets of IT security for the largest member-owned healthcare company in the United States. Prior to joining HCSC, Charest led global cyber-defense operations for UnitedHealth Group and has also served as the CISO for the US Department of Health and Human Services.

Jennifer Minella, vice president of engineering and consulting CISO with Carolina Advanced Digital, was elected vice chairperson. With more than 15 years of experience working in the technology industry, Minella's most recent focus is in specialized areas of infrastructure security, including network access control (NAC) and 802.1X, wireless security technologies, industrial security and SCADA. She was a contributing author of the (ISC)² Official CISSP Courseware v9 and a co-author of Low Tech Hacking. She is also a consulting faculty member of IANS Research, contributing author of technology publications and a trusted technical adviser to editors and journalists across the US. She served a prior term on the (ISC)² board of directors from 2014 to 2016 and was an (ISC)²  board of directors secretary in 2015 and 2016 and (ISC)² vice chairperson in 2017 and 2018.

New treasurer Greg Thompson is a security and risk executive with extensive experience in industries ranging from telecommunications to financial services. He is vice president of global operational risk for Scotiabank. Prior to that post, he was head of global IS security and CISO for Manulife Financial.

He has been actively involved as a volunteer with (ISC)² for more than 10 years, first serving as a member of the North American Advisory Board and as a contributing member of the Executive Writer’s Bureau. This is Thompson’s second term on the (ISC)² Board of Directors. He previously served between 2012 and 2014. Thompson also served as (ISC)² board of directors treasurer in 2014 and is a trustee for the Center for Cyber Safety and Education (formerly the (ISC)² Foundation).

Secretary Wim Remes is the founder of and principal consultant at NRJ Security, based in Belgium. It advises clients on reducing their risk posture by solving complex security problems and by building resiliency into their organizations. Before starting NRJ Security, Remes was active as manager for global services EMEA at Rapid7. Previously, he worked as managing consultant at IOActive, as manager of information security for Ernst and Young and as a security consultant for Bull.

“I express my sincere gratitude to the outgoing board officers for all of their efforts to strengthen (ISC)²,” said (ISC)² CEO David Shearer. “I also thank Flemming Faber, Allison Miller, Dr. Meng-Chow Kang and Steven Hernandez, whose board terms ended in December, for their many contributions. I look forward to working with the new officers over the next year as they help us to advance the organization’s vision of inspiring a safe and secure cyber-world.”

Members of the (ISC)² board of directors are elected each year from among the organization’s global membership. The board is comprised of (ISC)²-certified volunteers who are industry leaders from around the globe representing business, government and academia. 

Categories: Cyber Risk News

World Economic Forum: Cyber-Attacks Third Most Likely Global Risk in 2018

Wed, 01/17/2018 - 13:01
World Economic Forum: Cyber-Attacks Third Most Likely Global Risk in 2018

Cyber-attacks are the third most likely global risk for 2018, behind extreme weather conditions and natural disasters.

That’s according to findings from the World Economic Forum’s Global Risk Report 2018, launched at a press conference today in central London. 

It is the first time that cyber-attacks per se have made the Forum’s top five global risks in terms of likelihood since 2014, with data fraud or theft also listed in fourth place this year.

What that shows, as outlined in the latest report, is just how much cyber-risks have intensified, particularly in 2017, both in their prevalence and disruptive potential. Notable examples were the WannaCry attack, which affected 300,000 computers across 150 countries, and NotPetya, which caused quarterly losses of $300m for a number of impacted businesses.

Speaking at the press conference Margareta Drzeniek-Hanouz, head of economic progress, World Economic Forum, said that cyber-risks are affecting society and the economy in “new, broader ways,” impacting not just the corporate sector but also government infrastructures, the geopolitical sphere and society in general.

John Drzik, president, Global Risk and Digital at Marsh, added that, looking forward, the “scale and sophistication of attacks is going to grow” as the cyber-exposure of businesses increases with the proliferation of interconnected devices, widening the attack surface. 

Therefore, there is a need for greater investment in cyber-risk management, he added, suggesting “we are still under resourced in the amount of effort put into trying to mitigate this risk.

“Cyber is at or above the scale of natural catastrophes [in terms of financial damage caused] and yet the comparative infrastructure is much smaller in scale.

“This is [also] an environment in which businesses could find a wide number of shocks,” and building resilience needs to be involved in any plans when exploring business opportunities.

In terms of how the Forum will respond to growing cyber-threats Richard Samans, member of the managing board, World Economic Forum, explained that at the World Economic Forum Annual Meeting in Davos, Switzerland next week, the Forum will be launching a new public-private platform in the form of a Global Centre for Cybersecurity.

“Cyber-risk is rapidly emerging as a major headache in boardrooms of all sorts of institutions around the world,” he said. The new center for cybersecurity will, in co-operation with Interpol, be a “framework in which there will be a better opportunity for leaders of institutions across the public and private sectors to pool information on their intelligence and response capabilities to get ahead of the curve on a number of these risks.”

Lastly, the Forum has also issued a cyber-tool ‘best practice guidebook’ for boards of directors to ensure cyber-risks are on the agenda of boards going forward.

Categories: Cyber Risk News

Alleged Leakedsource Admin Arrested in Canada

Wed, 01/17/2018 - 11:59
Alleged Leakedsource Admin Arrested in Canada

Canadian police have charged a man in connection with selling stolen identity information through the infamous Leakedsource website.

Jordan Evan Bloom, 27, from Thornhill Ontario, was arrested by the Royal Canadian Mounted Police (RCMP) back in December — the culmination of an operation begun in 2016.

Project Adoration began after intelligence revealed that Leakedsource was being hosted in Quebec.

The now-defunct site had a database of around three billion passwords and “identity records” available to purchase, with Bloom making an estimated C$247,000 ($200,000) from the business.

The FBI and Dutch police are also credited with providing crucial information that helped the RCMP’s Cybercrime Investigative Team.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” said officer in charge, inspector Rafael Alvarado. “The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality."

Bloom made his first appearance in court on Monday charged with several offenses including “trafficking in identity information,” unauthorized use of a computer and possession of property obtained by crime.

It’s unclear whether he was acting alone or if police are currently tracking accomplices.

The database contained information breached from MySpace, LinkedIn and other major companies.

It calls to mind a more recent discovery of 1.4bn clear text credentials searchable via a single database found on the dark web in December.

Such activity should be another reminder that static log-ins are an ongoing security risk to both consumers and organizations — providing ample information to hijack accounts and craft convincing phishing emails to elicit even more sensitive information.

Categories: Cyber Risk News

Oracle Patches Spectre Flaw in x86 Servers

Wed, 01/17/2018 - 10:51
Oracle Patches Spectre Flaw in x86 Servers

Oracle has released its first update round of the year, which includes fixes for products affected by one of the recently disclosed Spectre CPU vulnerabilities.

The database giant had the following:

“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note.”

However, in reality, the update round only appears to patch one of the two Spectre vulnerabilities revealed in the first week of January: CVE-2017-5715.

It applies to Oracle x86 servers, with the following caveat:

“This includes Intel microcode that enables OS and VM level mitigations for CVE-2017-5715. Application of firmware patches to pick up the Intel microcode is required only for Oracle x86 servers using non-Oracle OS and Virtualization software. Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode.”

The firm is also thought to be prepping Spectre patches for Solaris on SPARCv9 systems.

Oracle will be hoping its Spectre fix doesn’t slow down systems as other patches have seemed to.

Research released by Barkly this week claimed that at half of the organizations the vendor spoke to, less than a quarter of machines had been patched — partly because of incompatibility problems between Windows and AV tools.

Oracle released a total of 237 fixes in this update round, slightly fewer than last quarter’s 252.

Some 153 vulnerabilities have been fixed by the vendor in business-critical applications, but the overall highest CVSS score (10.0) is in Sun ZFS Storage Appliance Kit, according to analysis from ERPScan.

“The most vulnerable application is Oracle Financials totalling 34. However, not only the number but the criticality of issues is alarming,” the firm continued. “Thirteen of them can be exploited over the network without entering user credentials. The most critical vulnerability [has a score of] CVSS 8.8.”

Categories: Cyber Risk News

Pages