Info Security


Americans Feel Fated to Fall Prey to Cybercrime

Tue, 01/22/2019 - 14:32

Only a few days after the Senate Committee on Aging released a new report in which it found that seniors lose an estimated $2.9 billion each year to financial scams, the insolvency services of Nyman Lisbon Paul and the UK’s Driver and Vehicle Licensing Agency (DVLA) have issued scam alerts warning consumers to beware of cyber scams.

Two weeks ago, Infosecurity reported that 60% of consumers in the UK were leaving themselves vulnerable to scams, and today, Nyman Lisbon Paul tweeted a warning that “pension scam victims lost an average of £91,000 to criminals in 2018, Financial Conduct Authority (FCA) research recently revealed. Criminals often use cold-calls and offers of free pension reviews to convince their victims to comply.”

As scams become more commonplace, government agencies, organizations and concerned citizens are taking to social media to caution consumers about the myriad scams to which they could fall victim. One Twitter user posted:

In an effort to prevent people from falling victim to this and other scams, “DVLA is reminding customers that the only official place to find our services and information is on GOV.UK. Cyber scams are common so we want to help our customers to spot fraudulent activity.”

However, these warnings might be ineffective. According to a recently released report from ERP Maestro that examined the relationship Americans have with cybercrime and identity theft, 76% of Americans believe it is inevitable that they will fall victim to either identity theft or some form of cybercrime. As a result, 48% confess that they are not concerned about becoming a victim. The report found that when it comes to consumer attitudes and behaviors, 57% of Americans believe that if something happens, the damage will be reversed.

In addition, 68% of Americans feel that there is little to nothing they can do to prevent falling victim to cybercrime. Those habits can be potentially dangerous for companies that employ people who don’t take cybersecurity seriously.

"While our mission is to protect companies from cybercrime on the inside, we wanted to examine how concerned people are about cybercrime in their personal life to see if cyber safety is practiced similarly professionally," said Jody Paterson, founder and CEO of ERP Maestro, in a press release.

"Good cybersecurity habits should be practiced at both work and home, but these responses may indicate that the same beliefs and behaviors on cybercrime are also brought into the workplace, and that is a huge risk for companies."

Categories: Cyber Risk News

Dark Web Drug Dealers Get 43 Years

Tue, 01/22/2019 - 11:24

Three dark web drug dealers have been sentenced to a total of over 43 years for supplying hundreds of customers worldwide with notorious opioid fentanyl.

Jake Levene, 22, Lee Childs, 45, and Mandy Christopher Lowther, 21, were sentenced last week at Leeds Crown Court after pleading guilty to exporting and supplying class A drugs.

The group mixed fentanyl and its analog carfentanyl with bulking agents at an industrial unit in Leeds before selling them on sites like Alpha Bay under the name “UKBargins,” according to the National Crime Agency (NCA).

It’s unclear how they were brought to justice, although the trio were arrested in April 2017, less than three months before the Alpha Bay and Hansa takedowns. When police raided the unit, a laptop was found displaying the UKBargins store on Alpha Bay.

Childs was apparently caught on CCTV in a Post Office mailing hundreds of packages of drugs to customers worldwide including as far afield as Australia, Argentina and Singapore.

Between December 2016 and April 2017 the three are said to have turned over £163,474 — selling 2853 items to 443 customers worldwide including 172 in the UK.

During the raid, 2.6kg of carfentanyl was recovered including a packet of 440g pure carfentanyl, the largest such seizure of its kind in Europe, according to the NCA.

The drug is said to be 10,000 times more potent than morphine, while fentanyl is up to 10 times stronger. Both have been linked to countless deaths over recent years.

“Fentanyl and carfentanyl are extremely potent, the latter having no medical uses for humans. Not only is it potentially lethal for those taking it, these drugs pose a serious danger to all those that come into contact with them, be that first responders like law enforcement and medical staff, or in this case, postal staff,” said NCA senior investigating officer, Graham Roberts.

“The lengthy jail terms handed down to them today are a reflection on their dangerous and careless actions.”


Active Cyber Defence Should Be Rolled Out UK-Wide: Report

Tue, 01/22/2019 - 10:48

The UK government’s highly successful Active Cyber Defence (ACD) program should be rolled out across other sectors to improve national cybersecurity, and could even be spurred by the government naming and shaming laggards, according to a new report.

The Cyber Security Research Group at King’s College London (KCL) argued that the ACD has done well in reducing low-level cybercrime against government services.

“There are no significant technical obstacles to extending these protections beyond the public sector and no fundamental reasons why ACD tools and techniques should not be tested and deployed as appropriate,” it claimed.

The report urged stakeholders to actively engage with the government via the National Cyber Security Centre (NCSC) to make this a reality.

It could also be a competitive differentiator for organizations in the future, the report claimed, adding that greater transparency in this area would help consumers decide which ones to trust, while incentivizing firms to improve.

“There will need to be careful calibration of ‘sticks and carrots’ to encourage industry and others to adopt ACD where possible but the existing buy-in of major companies and industry bodies will assist greatly in this process,” the report claimed.

“NCSC has no legal power to mandate ACD in any circumstance, nor does it seek it, so all progress in this area must be based on high standards of transparency, partnership and public reporting, particularly given NCSC’s status as part of GCHQ.”

ACD could even be exported abroad, helping to enhance the UK’s reputation and build out international partnerships, KCL claimed.

Launched in 2016, ACD includes several complementary elements: a takedown service designed to remove malicious content spoofing government domains; DMARC implementation to improve email security; Web Check to test government websites for vulnerabilities; and a Public Sector DNS service to prevent employees being directed to malicious sites.

After just a year of operation the program had enabled the removal of 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK, and 18,000 more sites internationally. Government domains supporting DMARC rose from just over a quarter to nearly 39%, while Web Check produced 4,108 advisories for customers, covering a total of 6,218 different issues.

During 2017, 3TB of DNS data was analysed for security threats, with over 134,000 unique queries blocked.

“The Active Cyber Defence program has been a huge success in protecting government agencies — and those who use them — from cyber threats. Our research finds that it could be legally, cheaply and efficiently rolled out beyond the public sector, to further protect people online,” said Tim Stevens, convenor of KCL’s Cyber Security Research Group.

“Greater transparency around the level of cybersecurity employed by businesses and other organisations will motivate them to adopt ACD measures that will keep users and their data safe.”


Google’s €50m GDPR Fine Heralds a New Era

Tue, 01/22/2019 - 10:25

In the first major regulatory action of the GDPR era, Google has been fined €50m ($57m, £44m) in France for failing to notify users about how their data is used.

French regulator CNIL issued the fine this week after complaints by two rights groups, noyb and La Quadrature du Net (LQDN), one of which was filed on the day the new legislation came into force.

CNIL claimed it observed two breaches of the GDPR.

First, Google violated the obligation of transparency because “essential information” on how users’ data is processed to personalize ads is spread out across multiple documents. In addition, some of the info “is not always clear nor comprehensive,” the regulator said.

Second, Google did not have a legal basis to process data for ad personalization because user consent was not validly obtained. The reason for this, again, is that user consent is not sufficiently informed, given the difficulty of locating the relevant info across numerous documents.

Also, when creating a Google account, the user must click through to modify options, with the ad personalization box pre-ticked: another no-no in the GDPR era.

The case relates specifically to the creation of a Google account on Android. Although Google’s European headquarters is in Ireland, it was decided that the local data protection authority there did not have decision-making power over the OS and services.

“This is the first time that the CNIL applies the new sanction limits provided by the GDPR,” the French regulator concluded. “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”

Google reportedly said it is “studying the decision” before deciding on what to do next.

AlienVault security advocate, Javvad Malik, argued that organizations dealing with customer data need to ask themselves two questions.

“First, what purpose the data is being used for and for how long? Secondly, have the users truly given informed consent? If the answer to either is unclear, then they should not go ahead with it,” he said.

Ron Moscona, a partner at the international law firm Dorsey & Whitney, said the fine was a warning shot across the bows of the digital industry as a whole.

“The data obtained from users can be hugely valuable. Consent can be a significant hurdle to harvesting that data. Business models are evolving, and companies are beginning to learn what regulators in the EU expect,” he added.

“This result is more proof that the GDPR presents a hurdle to the way companies collect and monetize data on the internet. We’ve seen these companies evolve before to deal with regulation, and penalties such as CNIL levelled here will undoubtedly inspire them to evolve even further.”


Plexal Announces New International LORCA Partnerships

Tue, 01/22/2019 - 09:46

Innovation center Plexal has announced new partnerships with the Global Cyber Alliance (GCA) and the New York Economic Development Corporation (NYCEDC) to boost international security cooperation at the London Office for Rapid Cybersecurity Advancement (LORCA), launched in June 2018 and hosted/delivered by Plexal.

LORCA was created with £13.5m of funding from the Department for Digital, Culture, Media & Sport to be the UK’s dedicated space for industry-led cybersecurity innovation, supporting the most promising cybersecurity innovators in scaling and growing solutions to meet the most pressing industry challenges.

The new partnerships will aim to help cybersecurity companies scale internationally while also expanding Plexal’s role as a major global cybersecurity cluster.

Andrew Roughan, managing director of Plexal, said: “Sharing knowledge and being open to cooperation between global cyber-innovators and industry is more important than ever. We’re looking forward to deepening our links with new global partners and acting as the UK landing pad and connector. These important partnerships with the New York Development Corporation and the Global Cyber Alliance will mean the emerging cyber stars we support can have even greater direct access to new markets and the networks they need to succeed.”

Andy Bates, GCA executive director for UK and EMEA, added that innovation and entrepreneurship are key to shoring up cyber-defenses. “GCA is pleased to partner with Plexal and LORCA and participate in their program to work with scaleups working on cybersecurity challenges,” he said.

James Patchett, president and CEO at the NYCEDC, outlined the company’s ambition of making “New York City a hotbed for cyber-innovation, to protect every New Yorker and every business – all while creating good-paying jobs. We’re proud to help launch this important challenge, which will benefit New York City and create game-changing technology for the world to share.”


Global Firms Face $5tr in Cybercrime Losses

Mon, 01/21/2019 - 11:00

Global firms could lose over $5tr to cybercrime over the next five years, a new Accenture study has warned.

The consulting giant interviewed over 1700 CEOs and other C-suite executives to compile its report, Securing the Digital Economy: Reinventing the Internet for Trust.

It claimed that as businesses become more dependent on complex web-based models, their ability to innovate and grow securely cannot keep up.

In fact, over three-quarters (79%) claimed that the growth of the digital economy will be held back unless internet security is dramatically improved, while 59% said they don’t know how to react to growing instability.

Most at risk over the next five years are hi-tech companies, which could face losses of $753bn, followed by those in life sciences ($642bn) and automotive ($505bn).

Nearly four-fifths (79%) claimed their organization is adopting new technologies faster than they can secure them, while 80% said third-party threats are increasingly difficult to mitigate.

Only 30% of those polled said they were very confident in their own cybersecurity.

“Strengthening internet security requires decisive — and, at times, unconventional — leadership by CEOs, not just CISOs,” argued Accenture CMT lead, Omar Abbosh. “To become a cyber-resilient enterprise, companies need to start by bringing CISOs’ expertise to the board, ensuring security is built-in from the initial design stage and that all business managers are held responsible for security and data privacy.”

Over half of respondents (56%) said they’d welcome stricter business regulations in the cybersecurity sphere, while three-quarters (75%) claimed that addressing security concerns will require a group effort.

That’s why Accenture is recommending business leaders focus on improved collaboration with their peers, government officials and regulators, as well as improving baseline security across the supply chain.

“No organization can tackle the challenges posed by cyber-threats on its own; it’s a global challenge that needs a global response, and collaboration is key,” explained Accenture Security senior managing director, Kelly Bissell.

“To shape a future that thrives on a strong and trustworthy digital economy, senior executives need to look beyond the bounds of their organization, team with an ecosystem of partners, and secure their entire value chains — across every partner, supplier and customer.”


DNC: Russian Hackers Targeted Staffers After Midterms

Mon, 01/21/2019 - 10:33

The Democratic National Committee (DNC) has claimed that one of the same Russian hacking groups blamed for leaking sensitive information in 2016 targeted its employees again just days after the 2018 midterm elections.

In court documents filed at the weekend, the DNC said that the group known as Cozy Bear (aka APT29/The Dukes) posed as a State Department official in spear-phishing emails sent to dozens of its employees.

The emails were booby-trapped with a malware-laden PDF designed to provide access to the victim’s machine.

“In November 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful,” the filing noted.

“The content of these emails and their timestamps were consistent with a spear-phishing campaign that leading cybersecurity experts have tied to Russian intelligence. Therefore, it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers in November 2018.”

The revelations are part of a civil suit filed by the DNC against the Kremlin, Julian Assange and WikiLeaks, the Trump campaign, and others. It details an alleged conspiracy to win Trump the presidency by stealing sensitive DNC documents and leaking them ahead of the 2016 election.

The Kremlin has already argued for it to be thrown out, claiming that even if it did hack the DNC, this activity would fall under military operations and therefore be immune from civil claims.

In July 2018, special counsel Robert Mueller indicted 12 alleged Russian intelligence officers for their part in this 2016 operation.

That followed a February charge against 13 Russian nationals and three Russian companies for the alleged role they played in online disinformation and influence campaigns ahead of the election.


Collection #1 Data Dump the “Tip of the Iceberg”

Mon, 01/21/2019 - 09:50

A recently discovered trove of breached data is just a small part of a major 871GB haul up for sale on the dark web which could contain billions of records, according to experts.

The 87GB Collection #1 dump was first publicized late last week when noted researcher Troy Hunt was alerted to the files hosted on a popular cloud site. After cleaning up the data he found it contained nearly 773 million unique email addresses and over 21 million “dehashed” passwords.

It has since emerged that this data is two to three years old, gathered from multiple sources, and that the same seller, dubbed ‘Sanixer’ on Telegram, has a great deal more recently obtained data to sell.

Authentication security vendor, Authlogics, claims to have the data from Collection #2, 3, 4, and 5 in its possession and is loading it into its breached password database.

It estimates the new trove of data comes to roughly 784GB, nine times the size of Collection #1, and could contain over seven billion records in its raw state.

In fact, Sanixer may have even more breached and leaked data to sell: the cyber-criminal told researcher Brian Krebs that taken together, all the other packages they have up for sale are less than a year old and total over 4TB in size.

These include one dubbed “ANTIPUBLIC #1” and another titled “AP MYR&ZABUGOR #2.”

The bottom line is that users need to invest in password managers to store and support long-and-strong unique credentials for all the main sites/accounts they have online, and to opt for multi-factor authentication where it’s available.

One security vendor warned in its 2019 predictions report at the end of last year that credential stuffing tools would become increasingly popular among the black hat community as they look to monetize troves of breached data.

“Because of the volume of data breaches in the past years and the likelihood that cyber-criminals will find a lot of users recycling passwords across several websites, we believe that we will see a surge in fraudulent transactions using credentials obtained by cyber-criminals from data breaches,” Trend Micro claimed.

“Cyber-criminals will use breached credentials to acquire real-world advantages such as registering in mileage and rewards programs to steal the benefits. They will also use these accounts to register trolls on social media for cyber-propaganda, manipulate consumer portals by posting fake reviews, or add fake votes to community-based polls — the applications are endless.”
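Trend Micro’s prediction concerns credential stuffing: replaying leaked email/password pairs from dumps like Collection #1 against many accounts in the hope that some were reused. The Python below is an added example and is not code from the article, Trend Micro or Authlogics. It groups authentication events by source address over a sliding window, separates a stuffing pattern (many distinct usernames, one or two attempts each) from a brute-force pattern (many attempts on one username), and then lists the accounts that logged in successfully during a stuffing burst so they can be pushed through a password reset and MFA enrolment, the mitigation the article recommends. The log format, the sample lines, and the window and thresholds are constructed assumptions for this example.

```python
"""Credential-stuffing vs brute-force triage over authentication events.

Added example; not from the Infosecurity article, Trend Micro or Authlogics.
The log format ("ISO-timestamp source-ip username OK|FAIL"), the sample
lines and the thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, bool]  # (timestamp, username, succeeded)


def parse_auth_line(line: str) -> Tuple[datetime, str, str, bool]:
    """Split one constructed 'ts ip user OK|FAIL' record."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def classify_sources(lines: List[str], window: timedelta = timedelta(minutes=5),
                     min_attempts: int = 8, min_users: int = 5) -> Dict[str, dict]:
    """Label each source IP by its busiest trailing window of login attempts.

    credential_stuffing: many attempts spread across many distinct usernames
    brute_force:         many attempts concentrated on one or two usernames
    normal:              below the attempt threshold
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_auth_line(line)
        by_ip[ip].append((ts, user, ok))

    verdicts: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        busiest = {"attempts": 0, "users": 0, "successes": []}
        current: List[Event] = []
        for ev in events:
            current.append(ev)
            # Drop events that have fallen out of the trailing window.
            while current[0][0] < ev[0] - window:
                current.pop(0)
            if len(current) > busiest["attempts"]:
                busiest = {
                    "attempts": len(current),
                    "users": len({u for _, u, _ in current}),
                    "successes": sorted({u for _, u, ok in current if ok}),
                }
        if busiest["attempts"] >= min_attempts and busiest["users"] >= min_users:
            label = "credential_stuffing"
        elif busiest["attempts"] >= min_attempts:
            label = "brute_force"
        else:
            label = "normal"
        verdicts[ip] = {"label": label, **busiest}
    return verdicts


def accounts_to_step_up(verdicts: Dict[str, dict]) -> List[str]:
    """Usernames that authenticated successfully inside a stuffing burst.

    A success in the middle of a spray of unrelated usernames is far more
    likely to be a reused breached password than a legitimate login, so
    these accounts get a forced reset and MFA enrolment.
    """
    hits = set()
    for v in verdicts.values():
        if v["label"] == "credential_stuffing":
            hits.update(v["successes"])
    return sorted(hits)


# Constructed sample log: a stuffing burst with one success, a brute-force
# run against a single account, and an ordinary user mistyping once.
SAMPLE_AUTH_LOG = [
    *(f"2019-01-21T09:00:{i:02d} 203.0.113.7 {u} {'OK' if u == 'dave' else 'FAIL'}"
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin",
                             "frank", "grace", "heidi", "ivan", "judy"])),
    *(f"2019-01-21T09:05:{i:02d} 198.51.100.4 alice FAIL" for i in range(10)),
    "2019-01-21T09:10:00 192.0.2.9 mallory FAIL",
    "2019-01-21T09:10:30 192.0.2.9 mallory OK",
]

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_AUTH_LOG)
    for ip, v in verdicts.items():
        print(f"{ip:14} {v['label']:20} attempts={v['attempts']} users={v['users']}")
    print("step up:", accounts_to_step_up(verdicts))
```

The distinguishing feature is the ratio of distinct usernames to attempts, not the raw failure count: a stuffing run typically tries each leaked pair once and moves on, so a per-account lockout threshold never trips, while a per-source window over distinct usernames does.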


New Year, New Features for Fallout EK

Fri, 01/18/2019 - 19:15

The new year is a time for resolutions and promises of change, so much so that even malware has returned from a bit of time off with some new features, including a new Flash exploit, according to Malwarebytes head of investigations, Jérôme Segura.

The Fallout exploit kit (EK) took a little respite over the first few weeks of 2019, but it has returned, this time using CVE-2018-15982, along with HTTPS support, a new landing page format, and PowerShell to run its payloads. In addition, Segura said the team has seen an increase in RIG EK campaigns, which he suspects might have been an effort to fill that temporary void.

As the malware has returned to business, it continues to spread using malvertising chains. In September 2018, FireEye wrote that the Fallout EK was discovered affecting mostly countries in the Asia Pacific region. Though it did distribute SmokeLoader in Japan, the malware then shifted to dropping GandCrab in the Middle East.

When the malware was detected again in October 2018, the EK was being used in the HookAds campaign, which delivered victims to a fraudulent dating page, according to, which also noted that the first payload was the Minotaur ransomware, followed by AZORult during the second and third runs.  

Since Fallout EK's return, Malwarebytes researchers have discovered the malware is delivering the GandCrab ransomware, though it delivers its payload via PowerShell, as opposed to iexplore.exe. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload,” Segura wrote.

"What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques," he continued. "In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proofs of concept. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer.”
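The behaviour Segura describes, a browser process handing its payload to PowerShell instead of dropping it from iexplore.exe, is also what makes the kit visible on an endpoint. The following Python is an added example, not code from the article or from Malwarebytes: a small process-creation rule that flags a browser parent spawning a script interpreter and raises the severity when the command line carries hidden-window, encoded-command or download switches. The pipe-delimited log layout and the sample lines are constructed for the example, and the browser, interpreter and switch sets are this example's assumptions rather than anything the article states.

```python
"""Process-creation rule for browser-spawned script interpreters.

Added example; not from the Infosecurity article or Malwarebytes. The
input layout (ts|host|parent_image|image|cmdline) and the sample lines
are constructed for this example and are not a real vendor log format.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Parents that should essentially never launch a script host (assumed set).
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Children whose appearance under a browser is the signal (assumed set).
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Switches and cmdlets that suggest hidden, encoded or download-and-run
# execution (assumed list; tune to the estate).
SUSPICIOUS_TOKENS = {"-enc", "-encodedcommand", "-ec", "-nop", "-noprofile",
                     "hidden", "iex", "invoke-expression"}
SUSPICIOUS_SUBSTRINGS = ("downloadstring", "net.webclient", "start-bitstransfer")


@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent_image: str  # basename, lower-cased
    image: str         # basename, lower-cased
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    """Split one constructed 'ts|host|parent|image|cmdline' record."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcessEvent(
        ts=ts.strip(),
        host=host.strip(),
        parent_image=ntpath.basename(parent.strip()).lower(),
        image=ntpath.basename(image.strip()).lower(),
        cmdline=cmdline.strip(),
    )


def has_evasion_args(cmdline: str) -> bool:
    """True when the command line carries hidden/encoded/download switches."""
    lowered = cmdline.lower()
    tokens = set(lowered.split())
    return bool(tokens & SUSPICIOUS_TOKENS) or any(s in lowered for s in SUSPICIOUS_SUBSTRINGS)


def score_event(ev: ProcessEvent) -> int:
    """0 = not a browser->script-host event, 1 = it is, 2 = and the args look evasive."""
    if ev.parent_image not in BROWSER_PARENTS or ev.image not in SCRIPT_CHILDREN:
        return 0
    return 2 if has_evasion_args(ev.cmdline) else 1


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule over raw log lines; one alert per hit, in log order."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        severity = score_event(ev)
        if severity:
            alerts.append({"ts": ev.ts, "host": ev.host, "parent": ev.parent_image,
                           "child": ev.image, "severity": severity, "cmdline": ev.cmdline})
    return alerts


# Constructed sample: a benign browser launch, a Fallout-style hop from
# iexplore.exe into hidden/encoded PowerShell, an admin script started from
# explorer.exe (not flagged), and a browser->PowerShell hop with plain args.
SAMPLE_LOG = [
    r"2019-01-18T10:01:02Z|WS01|C:\Windows\explorer.exe|C:\Program Files\Internet Explorer\iexplore.exe|iexplore.exe",
    r"2019-01-18T10:01:09Z|WS01|C:\Program Files\Internet Explorer\iexplore.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>",
    r"2019-01-18T10:02:00Z|WS02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1",
    r"2019-01-18T10:03:00Z|WS03|C:\Program Files\Internet Explorer\iexplore.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Date",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[sev {alert['severity']}] {alert['ts']} {alert['host']}: "
              f"{alert['parent']} -> {alert['child']} :: {alert['cmdline']}")
```

Keying on the parent/child pair rather than on a kit-specific artefact means the same rule fires for other drive-by chains that hop through a script host; the image basenames are compared rather than full paths so a renamed install directory does not dodge the match.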


Malware Evades Detection One Step at a Time

Fri, 01/18/2019 - 18:40

Malicious code was lurking about in two different apps within the Google Play store, according to researchers at Trend Micro who have disclosed that they discovered a banking Trojan in what seemed like legitimate apps.

Both the currency converter and the battery-saving app have been removed from Google Play, but not before they were downloaded thousands of times. The battery app, BatterySaverMobi, even had 73 reviews resulting in a 4.5 star rating, making it appear all the more legitimate.

“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. And we also saw that it connects to a command and control (C&C) server with the domain, which is linked to Anubis as well,” researchers wrote.

The apps were reportedly able to evade detection by using the device's motion sensor data.

The malware authors assume that a device scanning for malware is an emulator with no motion sensors, so the app monitors the user’s steps: it checks for motion-sensor data to determine whether it is running in a sandbox environment. If it is, the malicious code does not run.

If it does run, though, the user receives a fraudulent prompt, alerting them that a system update is available.

“Here’s more proof that criminals are following users to mobile devices and investing more time and effort in attempting to exploit them. As hard as organizations might work to secure their customers’ mobile experiences, attackers work just as hard to innovate and find ways to take advantage,” said Sam Bakken, senior product marketing manager, OneSpan.

“This is why it’s imperative to give app developers a leg up with one-stop mobile app security tools that allow them to build security into mobile apps from the start, which will save them time and effort and save financial institutions and other purveyors of high-value mobile services money in terms of reduced fraud and maintaining consumer trust in their brand. In addition, meeting attackers’ innovations with mobile app security innovations such as App Shielding – which proactively detects and defends against a variety of nefarious activities executed by mobile banking Trojans such as this one – is another step in the right direction for what will be an ongoing battle.”


Hackers Use PayPal to Phish with Ransomware

Fri, 01/18/2019 - 18:11

A new strain of yet another ransomware campaign has been discovered in which the malicious actors have expanded payment options beyond Bitcoin; they are instead offering alternatives (such as PayPal) that include a phishing link, according to MalwareHunterTeam.

Attackers are stealing a page from Daedalus and are killing two birds with one stone by including a link to make a payment. To obtain the decryption key, victims can follow the link to the PayPal phishing page, where their login credentials are stolen. The combination of two threat vectors makes this attack particularly dangerous for unsuspecting victims.

Credit: MalwareHunterTeam

The new attack method combines “a ransom note that directs victims to a PayPal phishing page...Clicking on the Buy Now button, it directs to the credit card part of the phish already (so the login part is skipped). After filling & clicking Agree comes the personal info part & then finished,” the team tweeted. Once that payment is processed, the victim receives a confirmation.

For victims who pay with Bitcoin, the threat actors also requested that victims send an email with a reference number, which is provided in the ransom note.

“Malicious actors are continually becoming more sophisticated. With this particular campaign involving phishing as an immediate follow-up threat vector to the ransomware, this attack has the potential to cause significant harm,” said DomainTools’ senior security adviser, Corin Imai.

“Not only will victims be dealing with the impact of ransomware, but many will also be directed to a carefully crafted phishing site that will attempt to steal their credentials. As seen in past attacks, ransomware campaigns have targeted individuals with the threat of releasing compromising content or rendering their computers useless, leaving victims feeling that they have no choice but to pay up. The best advice in this scenario is to be hyper-vigilant, double-check URLs, and when in doubt, don’t click.”


CyberFirst Girls 2019 Kicks Off Next Week

Fri, 01/18/2019 - 11:37

The third annual CyberFirst Girls competition will kick off on Monday as GCHQ looks to help address a chronic gender imbalance and skills shortage in the industry.

Over the past two years, the intelligence service’s National Cyber Security Centre (NCSC) has managed to attract 12,500 female pupils from schools across the UK to take part.

Teams of up to four plus a teacher or mentor can enter, with girls in Year 8 in England and Wales, S2 in Scotland and Year 9 in Northern Ireland (12 to 13 years old) able to participate.

They’ll face a week of online challenges in four key areas — cryptography, cybersecurity, logic and coding and networking — with the top 10 teams competing face-to-face at a grand final in Edinburgh in March.

Participants are also able to apply for a place on CyberFirst Girls Defenders: free four-day residential and non-residential courses taking place in April-May and designed to teach further skills in how to build and protect small networks and personal devices.

James Hadley, CEO of Immersive Labs, welcomed the initiatives as helping to encourage a new generation of cybersecurity talent.

"In my experience, men and women have distinctly different approaches to problem-solving in cyber. Women are typically more methodical — which allows them to take a long-term and determined approach to finding a resolution and complements men's slightly faster-moving approach,” he added.

“In the long term, this initiative will also set the groundwork for building a network of like-minded people to encourage and support one another when starting out in the space.”

Attracting more gender diversity into the information security industry has been a challenge for years. Today just 24% of the global workforce are women, yet the sector as a whole suffers from shortages reaching nearly three million professionals.

Government figures published in December last year claimed that over half (57%) of all UK firms and charities have a “basic technical cybersecurity skills gap.”

It’s a situation predicted to get worse if the UK leaves the European Union as it has signaled this year.

Last month, the government released a new skills strategy in an effort to reduce skills shortfalls and promised that the new UK Cyber Security Council will receive £2.5m of public funding to help in its mission to “lay the structural foundations” of the profession.

However, it has been criticized in the past by MPs for failing to address the immediate challenges facing businesses in the critical national infrastructure sector.


Facebook Disrupts New Russian Disinformation Campaign

Fri, 01/18/2019 - 10:53

Facebook has removed hundreds of fake Pages and accounts after spotting a coordinated effort by Russian state-linked actors to spread disinformation in Ukraine and other former Soviet countries.

There were two linked campaigns: the first targeting Romania, Latvia, Estonia, Lithuania, Armenia, Azerbaijan, Georgia, Tajikistan, Uzbekistan, Kazakhstan, Moldova, Russia and Kyrgyzstan.

Although purporting to be independent or general interest Pages on topics ranging from weather and travel to politics, they were actually run by employees of Kremlin news agency Sputnik, according to Facebook’s head of cybersecurity policy, Nathaniel Gleicher.

The 289 fake Pages and 75 spoof accounts posted disinformation on local corruption and protests, and anti-NATO sentiment, spending $135,000 on ads, hosting 190 events and attracting 790,000 followers.

Facebook also removed 107 Pages, Groups and accounts and 41 Instagram accounts for similar “coordinated inauthentic behavior” targeting Ukrainians. Account holders pretended to be regular Ukrainian netizens, attracting 180,000 followers and spending $25,000 on ads.

This campaign apparently shared similar characteristics to the disinformation blitz carried out by the Internet Research Agency (IRA) ahead of the US mid-terms last year and the 2016 presidential election.

“We’re taking down these Pages and accounts based on their behavior, not the content they post. In these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action,” said Gleicher.

“While we are making progress rooting out this abuse, as we’ve said before, it’s an ongoing challenge because the people responsible are determined and well-funded.”

The accounts effectively promoted Sputnik content and that of its parent company, state-run Rossiya Segodnya, whilst hiding its true source. The effect was to increase Sputnik’s reach in the countries covered by 170%, according to the Digital Forensic Research Lab.

“Most posts were apolitical, but some, especially in the Baltic States, were sharply political, anti-Western, and anti-NATO,” the body said.

Categories: Cyber Risk News

DoJ Prepping Criminal Probe of Huawei IP Theft: Report

Fri, 01/18/2019 - 10:15

Things could be about to get even worse for Huawei after a report claimed the US Department of Justice is readying an indictment against the firm for IP theft against global partner companies.

One of these is T-Mobile. That case has already been tried in a civil court in 2017, with a federal jury in Seattle siding with the US mobile carrier in finding Huawei liable for the theft of robotic technology it was developing.

The incident happened in 2014, when a Huawei engineer stole part of T-Mobile’s smartphone testing “Tappy” robot, whilst visiting its Bellevue lab as an industry partner.

Now the DoJ is reportedly flexing its muscles, with a criminal investigation into more widespread IP theft by the Shenzhen giant. An indictment could come soon, a person familiar with the matter told the WSJ.

It comes as Huawei CFO Meng Wanzhou, daughter of the firm’s founder, remains under house arrest in Vancouver awaiting extradition to the US.

This is said to be linked to another criminal investigation, into whether she conspired to trick US banks into unwittingly breaking sanctions on Iran by claiming Huawei subsidiary Skycom was a separate business.

All this comes as governments around the world continue to reassess whether Huawei represents a national security risk as a provider of 5G network equipment.

Although it has protested its innocence on numerous occasions, claiming it’s a victim of geopolitics, the US, New Zealand, Australia, Japan and others have banned or are restricting the firm.

In Poland, the government is mulling whether to change the law to do the same after a Huawei sales director in the country was arrested on suspicion of spying.

The German government this week became the latest to consider a ban on Huawei 5G products on national security grounds.

With 5G set to play a key role in critical infrastructure for years to come, the fear is that Huawei may be forced to do the bidding of the Chinese government in the future to provide it with a strategic advantage.

Categories: Cyber Risk News

Attackers Leverage Open Source in New BYOB Attack

Thu, 01/17/2019 - 15:37

An attack leveraging the open-source Build Your Own Botnet (BYOB) framework has reportedly been intercepted by Israeli cybersecurity firm Perception Point’s incident response team. According to the team, this appears to be the first time the BYOB framework has been found to be used for fraudulent activity in the wild.

While these tactics and techniques have historically been limited in use to financially backed advanced persistent threat (APT) groups, they are now more easily accessed by novice criminals, in part because of the growing popularity of plug-and-play hacking kits, researchers said.

In July, a BYOB framework that implements all the building blocks needed to build a botnet was developed to improve cybersecurity defenses; however, what is used by defense can also fall into the hands of those with more malicious intentions. The continued growth of these hacking kits allows any script kiddie or malicious attacker to leverage this framework and carry out attacks that otherwise wouldn’t be possible.

According to the team’s email analysis, victims received an email with an HTML attachment containing both a link to a phishing site impersonating the Office 365 login page and script code that automatically downloaded malware to the victim’s computer. After connecting to the attacker’s server, the payload then waits for commands.


“The attack we intercepted was a targeted email attack against one of our clients. It was distributed via the email channel so the extent of it is to whomever the attacker chose to send it to. The nature of the tool [BYOB] used in the attack is mass remote control; therefore, we presume that this wasn't a single email sent, and we expect that others might have been compromised by this attack as well,” said Shlomi Levin, co-founder and CTO, Perception Point.

“The attack was easily prepared using the BYOB framework; hence, it doesn't cost the attacker much investment, so I would expect to see more BYOB used in the future.”

Categories: Cyber Risk News

2018 Proved Highest Funding Year for Cybersecurity

Thu, 01/17/2019 - 15:17

Despite a 28% decrease in cybersecurity startups during 2017, global venture capital funding for cybersecurity rebounded with record high investments, according to Strategic Cyber Ventures.

Though last year saw $5.3 billion in cybersecurity global ventures, Strategic Cyber Ventures called this an unsustainable investment rate.  

Over half of cybersecurity founders of new startups have more than a decade of executive or entrepreneurial experience, as opposed to the past two years in which there was nearly an even split between experienced founders and less-seasoned founders, the report found.

In fact, 2018 was the fifth consecutive year in which Israel enjoyed increasing round sizes at the seed stage. Additionally, the amount of funding across all stages increased, keeping the recent trend of fewer companies raising larger amounts of capital moving forward.

Though there were emerging fields among new startups in 2018, including cybersecurity solutions for cryptocurrencies and software-defined perimeter (SDP), the most overwhelmingly funded field across all stages was internet of things (IoT) security. Though most startups were within the SCADA and medical devices sub-domains, other emerging fields included threat detection, security operations, data protection and cloud security.

Nevertheless, the report said, “In cybersecurity, there are likely many zombies out there. They’ve raised big rounds, growth has slowed, perhaps due to vendor fatigue or increased competition, and now these companies can’t raise at increased valuations from prior rounds, or at all, and are being propped up by existing investors that will eventually grow weary of keeping them alive. These companies will eventually float to the surface over the next few years with less than desirable outcomes for investors and founders.”

According to Chris Ahern, principal, Strategic Cyber Ventures, “We’ve seen massive funds formed over the past few years and some of that money is making its way to cybersecurity deals. Second, we’ve seen some strong exits in the space through IPOs and M&A over the last couple of years.

“The problems aren’t going away. 2018 had several massive, high-profile breaches and we’ll continue to see this into 2018 as well as a continued discussion around privacy. The real question is whether it’s a good thing that 2018 was a record year for cybersecurity investment.”

Categories: Cyber Risk News

VOIPo Left 7 Million Logs Unencrypted with No Passwords

Thu, 01/17/2019 - 14:38

Another California-based communications provider has announced a potential security incident, as VOIPo confessed that it left a database containing seven million call logs, six million text messages and other internal documents containing unencrypted passwords exposed without password protection.

After security researcher Justin Paine notified the company, he wrote, “This database was promptly secured after I notified the company. I would like to thank VOIPo for their quick assistance in securing this data.”

In the security notice shared with customers, VOIPo wrote: “We were made aware of a development server that was exposed for a small window of time. When it was discovered, it was taken offline within 15 minutes of being notified by Cloudflare that they had discovered it. It primarily had some data for database load testing made up of call logs (partial numbers only), SMS messages our system flagged as SPAM and some general server log data."

VOIPo said the dev server was isolated and no other network was at risk because additional production systems are firewalled so that any connection to those systems would not have been possible. However, these statements have been called "misleading" on Twitter.

The VOIPo database reportedly had been exposed since June 2018 and contains call and message logs dating back to May 2015. The news comes only two months after a database misconfiguration at San Diego–based Voxox leaked 26 million text messages. As was the case in the Voxox breach, if text messages containing two-factor authentication (2FA) codes or password reset links were intercepted, they could have allowed the attacker to hijack a user’s account.

“It does not take much for outsiders to find unsecured databases and access sensitive information,” said Stephan Chenette, CTO and co-founder, AttackIQ. “In fact, there are now tools designed to detect misconfigurations within cloud tools like Amazon's S3. Misconfigured security controls are an all-too-common problem. Organizations are increasingly struggling with limited and under-trained IT resources that lead to using default account passwords, unpatched systems and poorly configured network devices.”

Although VOIPo claims there is no evidence to indicate a breach occurred, “the company cannot guarantee that no unauthorized users accessed the data, especially since it was left unsecured and easily available for months,” said Ruchika Mishra, director of products and solutions, Balbix.

Categories: Cyber Risk News

WEF: Cyber-Attacks a Major Global Risk for Next Decade

Thu, 01/17/2019 - 11:26

The vast majority of senior decision makers across the globe expect data theft and cyber-disruption to increase in 2019, according to the latest report from the World Economic Forum (WEF).

The annual Global Risks Report for 2019 uses interviews with risk experts, business leaders, academics and others to better understand the challenges facing the world economy.

Rising dependency on technology ensured cyber-related risk remained front-of-mind for respondents, in both the near and long term.

Some 82% said they expect data and monetary theft attacks to increase in 2019, while 80% said the same for cyber-related disruption to operations and infrastructure.

A slightly smaller number anticipated an increase in fake news (69%), personal identity theft (64%) and loss of privacy to companies (63%).

Over the next decade, respondents placed data fraud/theft and cyber-attacks fourth and fifth in terms of most likely risks, while cyber-attacks and “critical information infrastructure breakdown” were placed seventh and eighth in terms of biggest potential impact.

“There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyber-attacks,” the report noted. “Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds.”

Veeam’s regional VP for UK & Ireland, Mark Adams, claimed the report highlights the continued need for investment in cyber-threat mitigation.

“Spending time and money on thorough cybersecurity and disaster recovery planning is no longer evidence of being overly paranoid,” he added. “When disaster strikes, whether from a data breach or service outage, having these kinds of measures in place to rely on is what will separate successful businesses from struggling ones.”

However, the findings show a slight change from last year’s report, which listed cyber-attacks as the third most likely global risk.

Categories: Cyber Risk News

Oklahoma Government Leaks 3TB of Sensitive Data

Thu, 01/17/2019 - 11:01

Millions of sensitive files dating back decades have been exposed after the Oklahoma Securities Commission left 3TB of data on a storage server publicly accessible.

Researchers at UpGuard made the discovery on December 7 last year, and it was fixed a day later by the commission, part of the state’s Department of Securities, which regulates and administers the securities trading sector.

It was first registered as publicly accessible by Shodan a week earlier.

“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” explained the security vendor.

“The website for the Securities Commission has an UpGuard Cyber Risk score of 171 out of 950, indicating severe risk of breach. Among the issues lowering the website’s score is the use of the web server IIS 6.0, which reached end of life in July 2015, meaning no updates to address any newly discovered vulnerabilities have been released in the last three and a half years.”

The data, which dated back to 1986 and included email back-ups and virtual images, covered a broad sweep of different areas.

These included personal information such as the Social Security numbers of 10,000 brokers, and highly sensitive life insurance information on terminally ill AIDS patients.

Also exposed were system credentials which could allow an attacker to hijack Department of Securities workstations, third-party security filings, and accounts with Thawte, Symantec Protection Suite, Tivoli and others.

The leaked data also included “spreadsheets documenting the timeline for investigations by the FBI and people they interviewed,” potentially putting witnesses at risk.

“We need to stop making it so easy for hackers and bad actors who are simply using tools that have been around for years,” argued Suzanne Spaulding, Nozomi Networks adviser and former DHS under secretary.

“Hackers use a tool called Shodan that allows anyone to scan the internet, looking for devices and computers connected to the internet but not protected.”

Categories: Cyber Risk News

Researchers Find 87GB Trove of Breached Log-Ins

Thu, 01/17/2019 - 10:12

A leading security researcher has warned of a major trove of breached data being shared on hacking sites, containing over 772 million unique email addresses and more than 21 million unique passwords.

Troy Hunt, owner of the Have I Been Pwned (HIBP) breached credentials site, explained that he was alerted to the collection of 12,000 files hosted on the MEGA cloud service last week.

Although the 87GB dump was subsequently removed, he was also notified of it being shared on a hacking forum under the moniker “Collection #1.”

The total collection amounted to nearly 2.7 billion rows comprised of credentials stolen from thousands of sources in multiple breaches, said Hunt.

After cleaning up the data, he reduced this figure to 772.9 million emails — the largest ever to be loaded into HIBP — and 21.2 million dehashed passwords.

“Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all,” Hunt explained.

“However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches … but have been cracked and converted back to plain text.”

Hunt encouraged users to check whether their emails and passwords are affected by visiting HIBP. However, they’ll have to search for each separately, as the site doesn’t store paired credentials together for security reasons.

The data is likely to be fed into credential-stuffing tools that automatically try the leaked email and password pairs against accounts on many other sites.

Hunt recommended users get a password manager to store long-and-strong unique credentials for each site.

“A password manager is also a rare exception to the rule that adding security means making your life harder,” he said.

Categories: Cyber Risk News