US lawmakers have been warned of the growing risk to national and corporate security posed by Chinese efforts to dominate 5G infrastructure and the IoT supply chain.
The US-China Economic and Security Review Commission’s 2018 report to Congress claimed that significant state support for these technologies, along with alleged cyber-espionage, IP theft and other measures, have helped China to achieve dominance in the manufacturing of “global network equipment, information technology, and IoT devices.”
However, without the right tools to conduct rigorous supply chain assessments, the US government is left exposed to mounting cyber-related risk.
“China’s central role in manufacturing global information technology, IoT devices, and network equipment may allow the Chinese government — which exerts strong influence over its firms — opportunities to force Chinese suppliers or manufacturers to modify products to perform below expectations or fail, facilitate state or corporate espionage, or otherwise compromise the confidentiality, integrity, or availability of IoT devices or 5G network equipment,” the report warned.
These risks are compounded by the “lax security protections and universal connectivity of IoT devices” — creating multiple weaknesses which hackers could exploit to target critical infrastructure, private enterprises and individuals, it continued.
“These types of risks will grow as IoT devices become more complex, more numerous, and embedded within existing physical structures,” the commission claimed. “The size, speed, and impact of malicious cyber-attacks against and using IoT devices will intensify with the deployment of 5G.”
The report listed a series of recommendations which could signal a major new focus from Washington on supply chain security.
These included: an annual Office of Management and Budget report to ensure Chinese supply chain vulnerabilities are adequately addressed, an investigation into “trade-distorting practices” from Chinese state-owned enterprises, an assessment of any US-China “collaborative initiatives in technical cooperation” and an NTIA/FCC investigation into Chinese supply chain threats to 5G.
The US Office of Personnel Management (OPM) has still not implemented over a third of the recommendations made by government auditors after a devastating 2015 breach.
Some 29 recommendations remain “open” out of the 80 that were made by the Government Accountability Office (GAO). These include key best practice security steps which many would consider basic, such as installing the latest OS versions on networks supporting “high-impact” systems.
Also missing were plans to avoid multiple staff using the same admin accounts, password encryption at rest and in transit, and “procedures governing the use of special privileges on a key computer.”
Amazingly, the OPM has still not been able to demonstrate to the GAO that it has reset all passwords after the breach, or that it installs critical patches in a timely manner. Nor has it shown that it periodically evaluates accounts to ensure privileged access is warranted, or assesses controls on certain systems as part of continuous monitoring.
“Implementing all of the remaining open recommendations expeditiously is essential to OPM ensuring that appropriate security controls are in place and operating as intended,” a congressional briefing document noted.
“Until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption.”
These concerns are pertinent given that the OPM was breached, it is thought by Chinese hackers, after they obtained credentials from a contractor.
This access was then used to install backdoors and subsequent info-stealing malware on the department’s network.
The incident exposed 21.5 million sensitive records relating to current and former federal employees including security clearance investigations which could prove useful for intelligence operatives looking to blackmail individuals.
The good news is that the OPM said it plans to implement 25 of the 29 open recommendations by the end of 2018 and three more by the end of fiscal year 2019.
Card details stolen from British Airways and Newegg customers by Magecart operators went up for sale on the dark web in just over a week after the raids, potentially generating millions in revenue, according to new insight.
In the report, “Group 6” is pegged for the BA and Newegg attacks, described as “extremely selective” and only choosing victim organizations where a high volume of traffic and transactions is guaranteed.
In the report, the researchers show screenshots from one of the most popular “dump shops” on the dark web.
Dated September 13, the BA-linked advertiser claims to have “CVV2 DUMPS UPDATE (HIGH VALID)” with a huge range of countries listed including the UK, US, Germany, France, Spain, Italy, Canada etc.
The Newegg ad is listed for the 27th of the same month and offers a “BIG CVV2 UPDATE” of around 500,000 cards.
Reports suggest the details were on sale for between $9 and $50, which means those behind the digital skimming campaigns may have been able to net tens of millions of dollars.
However, BA is still insisting that there’s not been any verified instance of fraud as a result of the incident.
Customers should not wait around to find out, according to ESET UK cybersecurity expert, Jake Moore.
“If your data was included in this breach and if you haven’t already, you’ll need to take action to protect yourself. Call your bank or card issuer, cancel the card and request a new card. No bank will ever mind being contacted for you being cautious,” he advised.
“You’ll also want to check your card statements for suspicious activity or purchases online — in particular small amounts just in case they are testing your card before a larger transaction is placed online. It also might be worth adding extra fraud alert security on your account. And it goes without saying, make sure all your passwords are unique online.”
Whether it’s a question of to whom the CISO reports or quantifying what the CISO is actually responsible for, the role has changed over time, leaving many wondering how to balance the competing demands of IT, security, innovation and compliance.
In the final panel that closed out the second annual Infosecurity North America conference in New York, Martin Gomberg, the author of CISO Redefined, moderated a discussion, “The Changing Role of the CISO: Balancing the Competing Requirements of IT, Security, Innovation and Compliance to Optimize Business Performance and Shareholder Value,” that aimed to answer the ambiguous question of where the CISO should sit.
Participating in the conversation were Bernadette Gleason, VP BISO at Citi; Randle Henry, former CISO at Hewlett-Packard and consultant at Tevora; Ben Harris, VP of policy/compliance and CISO at Rakuten Marketing; and Derek Vadala, global head of cyber risk group at Moody’s.
“It seems like we are facing these challenges newly now, but it’s been almost 15–16 years that the CIO role has been in transition,” Gomberg said. With the CIO role now focusing more on innovation, what then happens to the role of the CISO?
The answer wasn’t quite clear. Across the panel, the answers differed when it came to what drives the panelists’ roles and responsibilities on a daily basis. When asked whether compliance, innovation or risk is their greatest driver, Henry said risk, while Harris noted the influence of GDPR and Vadala noted the adoption of innovation.
“I focus most of my time on policy, strategy and architecture and a lot less time on the operation piece. One of the biggest challenges is the amount of tasks that have to be done,” Harris said.
Vadala echoed that the accumulation of responsibilities contributes to the challenges of today’s CISO. “I think in some cases those roles have accumulated a lot of aspects that are in some cases misaligned and may be becoming a little inefficient because it doesn’t allow individuals and teams to focus in on problem areas.”
“So how does today’s CISO go about making sure they are getting the budget they need?” Gomberg asked.
“Something that I struggle with is that the budget is pushed down from the top still and set, which is unfortunate, but we try to go bottom-up across the different groups and identify the risks that need to be addressed,” Harris said.
Finding and keeping talent in the cybersecurity industry is a challenge for organizations of all sizes around the globe. As a result, the talent market is highly competitive, which is why a panel of experts came together at this year’s Infosecurity North America conference in New York to talk about building an effective cybersecurity team in a highly competitive market.
Led by moderator Alexander Abramov, president, ISACA New York Metro, three panel members discussed what they are looking for in new recruits and how to effectively close the growing skills gap.
“When I look for talent, I have a preference toward deep, technical talent. I have a blind spot for, so if you don’t have the social skills, come to me. I would much prefer to hire someone who doesn’t have the social skills but has the deep technical skills,” said Cindy Cullen, managing director, NDegrees, and a member of the (ISC)2 international board of directors 2019–2021.
On the flip side, Cullen said that recruiting, especially if trying to recruit someone with experience, is a real challenge. “My perspective is to work with universities. I worked with a local university on a capstone project, so I was able to see which ones were the good ones and decide whether to extend an offer or endear myself to other people.”
Not all hiring managers are looking for recruits with those deep technical skills, however. Roger Parsley, managing director, Robert Half International, said he looks for people who put the team success ahead of individual success. In return, the organization has to create a retention-focused culture in which people want to stay.
Once you get over the hurdle of finding the talent you need, you have to deal with the reality that they may choose to go elsewhere if they aren't happy. It’s what Matt McKeever, CISO, LexisNexis Legal & Professional, called the missionary versus mercenary conflict. Those who are driven by salary are likely not going to stay, so focus on keeping those employees that are driven by passion.
One way to effectively do that is to “promote a culture of creativity and innovation within the organization,” Parsley said. “If people feel that they are engaged and have the opportunity to think outside of the box and you expose them to cutting-edge technology and involve them in design, it’s a very powerful concept.”
At the second annual Infosecurity North America conference at the Jacob Javits Convention Center in New York, Tom Brennan, US chairman, CREST International, moderated a panel called Securing the Workforce: Building, Maintaining and Measuring an Effective Security Awareness Program to Drive a Company-Wide Responsibility for Security.
For some, security awareness is largely about compliance, but creating an effective program in which all members of the organization understand their role in protecting the organization is about more than checking a box. Commenting on whether security awareness is a matter of compliance or an investment in personnel, Chris Budd, VP, information security specialist CISO Americas, Deutsche Bank, said that it’s actually both. “More and more, regulators want to see that we are in compliance with regulations, and they want to see that this is happening in-house,” Budd said.
So what is an effective in-house program? Panelists agreed that if users are subjected to mandatory compliance training, they are not going to learn anything. Security awareness training, then, has to be an investment in personnel.
“There is no cyber perimeter in this world that will save you from social engineering,” Budd said.
The panel represented a range of sectors, one of which included Matt Nappi, the CISO at Stony Brook University, where getting buy-in from end users is a different beast. “We have a wide ranging audience made up of many different constituents with different needs and different goals, so we use marketing to reinforce training so that we can tailor the message to specific users,” Nappi said.
Because students are customers of the university, security has to appeal to them in a different way, which is why Nappi uses gamification to grab their interest. “We try and build credibility and use different forms of communication depending on the different audience,” he said.
Making security practical to the user is the key to success, and creatively finding ways to appeal to the wide range of users in a multicultural organization comprised of an array of customers with cultural and language differences has been a conundrum that Marina Spyrou, SVP, global cyber security and risk leader at Nielsen, has had to tackle.
“The threats vary by region, so we do global training and awareness. One thing that has been very successful is that we created a community of security champions at the grass roots,” Spyrou said.
What has proven largely successful and resulted in measurable metrics is the use of real-life examples of different types of phishing. “We take incidents that have happened and share them as examples, saying this email came through. Here is what it might look like translated in other languages and regions,” she said.
The success of a program relies, to a certain degree, on the ability to get funding. While some of the panelists do have to rely on metrics to justify their budgetary requests, John Whiting, CISO, DDB Worldwide, said that getting money wasn’t a problem. “The question is how are you going to make it effective. In advertising, people are autonomous by nature and don’t like controls, so it’s important to get the risk factor out there with middle and senior management to let them know about data classification and their roles.”
While that’s not the case at every organization, Budd did say, “Sometimes funding helps to improve your metrics, but sometimes the metrics help to improve your funding.”
Breaches get worse and attacks keep happening, as threat actors have all the capability they need thanks to users’ habits.
Speaking at Infosecurity North America in New York City, author, speaker and chief hacking officer of KnowBe4 Kevin Mitnick said that threat actors are able to collect information on their victims all too easily, and that when evaluating a company it is also straightforward to identify its suppliers, customers, partners, vendors and employees to enable a social engineering exercise.
In his opening keynote “How to fight back against hacker attacks”, Mitnick cited several examples of how to socially engineer a company and bypass traditionally strong security tools like anti-virus and two-factor authentication.
In one example, he said he had been hired by a Canadian retailer for an assessment. Having determined who the company’s HR provider was, he set up a cloned website on the Canadian .ca domain, called a member of the company and told them the provider was “standardizing top level domains” and to try .ca first, which gave him access to all payroll data and salary history.
He said: “The attack was not so interesting to me, but the longest part of it was waiting for the DNS to propagate on the .ca domain, which took about half an hour.”
Mitnick also demonstrated how to bypass two-factor authentication, noting that “most companies offer one type of authentication”: in his example, a PayPal invoice asked for credentials, and once these were intercepted, so were the victim’s session cookies. To prevent this, he recommended using U2F protocol tokens, but said that these can also be stolen.
Overall, Mitnick demonstrated how simple it is to hijack a victim with only a small amount of personal data. To defend against such attacks, he advised organizations to use the tactics “the threat actors use” when testing, and to create tools that employees actually want to use.
The CEO and finance director of film company Pathé’s Dutch operation were sacked after falling victim to a sophisticated BEC scam that netted the criminals €19m ($21m), it has emerged.
Finance boss Edwin Slutter and chief Dertje Meijer are now suing for unfair dismissal, according to reports based on newly released court documents.
The scam followed a tried-and-tested path, with fraudsters spoofing the email address of a higher-up: in this case the CEO of the French film company, back in March.
Emailing Meijer, they claimed the firm was in acquisition talks with a Dubai company and needed to send a confidential payment of €826,521 ($931,600) which would be repaid at the end of the month.
After consulting with Slutter, and receiving an invoice for said amount, Meijer authorized the payment, made to a bank account operated by “Towering Stars General Trading LLC” in Dubai.
Three more payments followed, until by March 27, Pathé Nederland had paid over a total of €19.2m, according to DutchNews.nl.
The Paris HQ eventually caught wind of what happened and the two were sacked by the month’s end.
In the end, the court decided that Slutter should not have been sacked on the spot. It reportedly ordered that he be paid his monthly salary of €13,500 ($15,200) from March until the end of the year, when his contract should be formally dissolved.
The case is yet another warning of the perils of BEC, also known as CEO fraud, which has netted cyber-criminals over $12.5bn since 2013.
Stephen Burke, CEO at Cyber Risk Aware, argued that senior executives should work on the assumption that they are being actively targeted.
“Details on C-Suite executives are often publicly available which makes it incredibly easy for cyber-criminals to customize social engineering attacks on a company. They could send believable phishing emails or call the company to establish an executive’s whereabouts to inform the type of messaging to use in their attack,” he explained.
“To overcome this, organizations must make security awareness a priority, so C-Level executives can learn how to follow best practice, as well as being empowered to report anything suspicious.”
A car repair company employee has been sentenced to six months in jail for data theft, in the first case prosecuted by the UK’s privacy watchdog.
Mustafa Kasim used his colleagues’ log-ins to access thousands of customer records without permission, while working for Nationwide Accident Repair Services (NARS), according to the Information Commissioner’s Office (ICO).
He continued to do so after moving to another firm which used the same software system, Audatex, to estimate the cost of vehicle repairs.
It’s not clear why Kasim accessed these details, which included customers’ names, phone numbers, vehicle and accident information. However, an investigation was begun after NARS noted an increase in customer complaints about nuisance calls — indicating their personal data had been sold on to a third party.
Although the ICO would normally prosecute such cases under the GDPR-based Data Protection Act 2018 or its antecedent, in this case it chose to do so under the Computer Misuse Act 1990.
Kasim pleaded guilty at London’s Wood Green Crown Court to a charge of “securing unauthorized access to personal data” between January 13, 2016 and October 19, 2016.
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behavior,” said Mike Shaw, group manager of the ICO’s Criminal Investigations Team.
“Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress. The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”
Questions have been raised about Cathay Pacific’s incident response after new details emerged about the world’s biggest airline data breach.
The Hong Kong carrier had originally claimed last month that it “discovered unauthorized access” to data on 9.4 million passengers and “took immediate action to investigate and contain the event.” Reports at the time suggested that the firm first found evidence of the activity in March and confirmed data had been accessed two months later.
That would have been bad enough, but in a new filing to the Hong Kong legislature (LegCo) this week the airline admitted that after discovering the initial suspicious activity it “was subject to further attacks which were at their most intense in March, April and May but continued thereafter.”
“These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” it continued. “[They] also expanded the scope of potentially accessed data, making the challenge of understanding it more lengthy and complex…”
Under local laws, Cathay wasn’t mandated to notify the authorities immediately of a breach, but the fact that it couldn’t work out until August which passenger data had been accessed or exfiltrated will raise some eyebrows.
The SAR’s privacy commissioner said last week that it was launching a compliance investigation into the firm’s handling of the breach, and new data protection laws may be rolled out in the city-state.
The airline is said to be working with 27 regulators in 15 jurisdictions following the incident, although it could escape GDPR investigation given the initial intrusion was discovered in March.
The airline’s assurance that there’s been no evidence of misuse of the stolen data is meaningless, according to High-Tech Bridge CEO, Ilia Kolochenko.
“Worse, it may mean that someone very smart is exploiting the data in a non-trivial way, and probably very detrimental for the victims. Moreover, the stolen data can appear for sale on the black market at any time,” he added.
“Taking into consideration the gravity of the breach, customers of Cathay will likely have no reliable recourse apart from promptly changing all their credit cards and IDs. Cathay may face numerous class actions and individual lawsuits from disgruntled customers, in parallel with severe monetary sanctions imposed by regulators from different countries.”
One UK law firm is already preparing a class action suit.
Seattle-based retailer Nordstrom suffered a data breach in which a wide range of personal information was exposed. In addition to employee names, their Social Security numbers and dates of birth, checking account and routing numbers, salaries and more were also revealed.
Co-president Blake Nordstrom reportedly apologized to employees in an email in which he had notified staff about the data breach. According to a statement from the company, the anomalous activity was detected on October 9, 2018, after a contract worker had inappropriately handled some Nordstrom employee data.
What followed was, according to Terry Ray, CTO at Imperva, a response worthy of a pat on the back. “Employee data was collected and given to a third party, most likely to manage direct deposits of wages, certainly not unusual in business and a necessary reason to gather such data.”
While the contract worker inadvertently exposed data, Nordstrom reportedly has taken appropriate action in responding to the incident, which is currently being investigated.
“Nordstrom’s own security team became aware of the exposure in a reasonable time. Many breaches and exposures aren’t identified for months or years and, often times, not disclosed in a reasonable amount of time,” said Ray.
“Additionally, most breaches are identified by external researchers or law enforcement before the company; however, this is not the case with Nordstrom. Nordstrom knows what was exposed – employee data (names, addresses, banking details) – not customers’ [data]. In more than half of breaches and exposures companies do not know what data was exposed or stolen. Nordstrom then took immediate steps to remediate, removing the contract worker and putting additional controls in place.”
Though no evidence of data theft has been discovered, the company has been proactive about notifying all employees of the incident.
“Taking that a step further, Nordstrom offered affected employees two years of identity theft protection, which companies often only offer post breach, for exposure. All in all, Nordstrom appears to be handling this exposure very responsibly. Kudos to them,” Ray said.
A security researcher at Imperva recently identified a vulnerability within Facebook that could have allowed other websites to extract private information about users and their contacts.
Discovered by Imperva security researcher Ron Masas, the vulnerability reportedly preyed on the unique cross-origin behavior of iframes, which embed another HTML page into the current page. By manipulating Facebook’s graph search, it was possible to craft search queries that reflected personal information about the user.
“A unique feature of the uncovered bug is the exploitation of the iframe element within Facebook’s search feature. This allowed information to cross over domains, essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.
“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company. Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”
Warning that the technique could increase in popularity throughout 2019, Masas added, “Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iframes to leak the user’s personal information. Interestingly, this technique leaves almost no trace unlike authentication bypasses.”
According to Imperva, the vulnerability was reported to Facebook under its responsible disclosure program in May 2018. Masas worked with the Facebook security team to mitigate regressions and ensure that the issue was thoroughly resolved.
In a statement shared with TechCrunch, Facebook spokesperson Margarita Zolotova wrote, “We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
In an attempt to develop a set of shared principles for securing cyberspace, France’s president, Emmanuel Macron, launched the Paris Call for Trust and Security in Cyberspace at yesterday’s UNESCO Internet Governance Forum (IGF).
The Paris Call has the backing of more than 50 countries. Notably missing from the list are Russia, China and the United States. In addition to the many countries that have signed the declaration, private and civil organizations have made a commitment to support the collective effort to work on several initiatives, which include increasing prevention against and resilience to malicious online activity, protecting the accessibility and integrity of the internet and cooperating in order to prevent interference in electoral processes, according to France Diplomatie.
“We condemn malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals and critical infrastructure and welcome calls for their improved protection. We also welcome efforts by States and non-state actors to provide support to victims of malicious use of ICTs on an impartial and independent basis, whenever it occurs, whether during or outside of armed conflict,” wrote the Paris Call.
The willingness of supporting states to work together to prevent and recover from malicious attacks is indeed an admirable promise, but Paul Bischoff, privacy advocate at Comparitech.com said, “To be clear, countries who signed the pact did not agree to any specific rules, goals, or penalties. Instead, they agreed to figure all that out together at a later date. So the pact is mostly symbolic.”
A realistic concern Bischoff noted is the strong likelihood that Russia and China will not sign. “Many of the pact's measures imply taking action against them. Russia and China are the source of most of the world's malware and cyber-attacks, many of which are state sponsored. Russia in particular is at the forefront of everyone's mind when it comes to election hacking. The pact says it will try to 'prevent malign interference by foreign actors.' Who does 'foreign actors' refer to if not the Russians? 'Prevent ICT-enabled theft of intellectual property' is a finger-wag at China.
“The US is also involved in a fair deal of cyber-espionage, and it has its own interests to worry about. The US is home to most of the world's largest and most profitable tech and internet giants, many of which served as a medium for previous election hacking campaigns. This pact could seek to regulate them. And after seeing Trump walk away from the Paris Climate Accord, I'm not sure why anyone would be surprised at this result.”
Though the intent of the call is to apply international humanitarian law to cyberspace, Colin Bastable, CEO of Lucy Security, said, “This is grandstanding by a politician, a nothingburger, made no more appetizing when juxtaposed with today’s other, more ominous, announcement that French civil servants will be embedded in Facebook. We can rest assured that personal cyber insecurity, the consumer issue of our times, will not be enhanced by either of these announcements from Paris.”
New research from SailPoint has revealed that poor staff cybersecurity behaviors within organizations are getting worse, despite a greater focus on security awareness in the workplace.
The firm quizzed 1600 global employees, discovering that 75% of respondents reuse passwords across both personal and professional accounts, a figure up from 56% in 2014. Interestingly, the percentage of 18-25-year-olds who admitted reusing passwords was even higher (87%), suggesting employees’ approaches to security are worsening as more millennials enter the workforce.
What’s more, almost a quarter (23%) of all those polled said they only change their work password two times or fewer a year and 15% would consider selling their workplace passwords to a third party.
In terms of frictions between the IT department and the rest of the workforce, more than half of respondents considered IT to be “a source of inconvenience,” whilst 13% would not immediately inform IT if they had been hacked.
Furthermore, SailPoint’s research suggested that new technologies are creating new areas of risk for organizations. Nearly half (48%) of respondents use or are planning to use AI chatbots/personal assistants at work, and 31% had deployed software without IT’s help.
Speaking to Infosecurity, Bruce Hallas, security awareness, behavior and culture expert, and owner and principal consultant at Marmalade Box, said that password management is probably one of the security policies on which employees receive the most consistent training, so when 75% of employees reuse passwords across personal and professional accounts it raises questions about the effectiveness of current awareness raising and behavior improvement methods.
“Where organizations rely on employees to remember and then change their password periodically in line with policy, without a system prompt, you’re statistically likely to [see] a high level of non-compliance,” he added.
“If 23% of respondents change their passwords twice or fewer times a year, but this is in line with their organizational policy, then that’s fine, but probably not ideal. If the 23% are in breach of their organization’s password policy then you’ve got to focus on why those behaviors prevail. A simple starting point might be [to ask] ‘do they even remember the policy’ after they’ve had their training.”
Juliette Rizkallah, CMO, SailPoint advised: “By taking an identity-centric approach to security, IT can gain full visibility and control into which applications and data that users, including both human and non-human bots, are accessing to do their jobs. This approach allows enterprises of all sizes to confidently address the tension between enablement and security exposed in our Market Pulse Survey.”
Security experts and trade unions have expressed doubts and concerns over some firms’ reported plans to microchip their employees.
Swedish firm Biohax is said to be in talks with several legal and financial firms in the UK to fit the rice grain-sized chips, which are implanted into the flesh between the thumb and forefinger.
They could then be used as an authentication device to enable or restrict access to certain parts of a building or facility.
“These companies have sensitive documents they are dealing with,” Biohax founder, Jowan Österlund is reported as saying. “[The chips] would allow them to set restrictions for whoever.”
The firm has already partnered with US firm Three Square Market in a voluntary scheme to chip its employees.
Another firm, UK-based BioTeq, has already chipped 150 users, although most are individuals, according to the Guardian.
However, both the CBI and TUC reportedly expressed concerns over the practice: the former arguing that “firms should be concentrating on rather more immediate priorities,” while the latter claimed it could be abused by employers to give them “even more power and control over their workers.”
In a longer article, the TUC went further, arguing: “we’d like to hear what security concerns could possibly justify the use of such technology on staff.”
It added that with costs per chip potentially reaching £260, the economic case for microchipping employees is also pretty flimsy.
“Intrusive surveillance undermines trust in the workplace by making people feel they’re always being watched,” it concluded.
“So instead of microchipping their workforce, bosses need to start engaging with staff and unions to make new technology work for everyone.”
Security experts were also unconvinced.
Outpost24 CSO, Martin Jartelius, argued that the chips could drive a dangerous false sense of security.
“While there is no doubt that this may ease the problem of employee two-factor tokens, as the chip is implanted under their skin and cannot be easily stolen, the assumption that something is less likely to be hacked because it’s under your skin is flawed and dangerous,” he added.
“It’s reasonable to assume that when something is implanted into a person it is less likely to be forgotten and to be stolen, but it doesn’t mean ‘because the microchip is in my thumb it’s less likely to get hacked.’ The very location of a microchip in your hand may actually lead to increased exposure, as the hands form the basis of our physical interaction with our surroundings.”
Some 60% of European retailers have seen an increase in fraud over the past year, despite the vast majority having prevention systems in place, according to Adyen.
The payments platform provider polled 5000 consumers and 500 retailers in the UK, Spain, France, Germany and the Nordics to compile its 2018 European retail report.
Over three-quarters said they “are prepared” for fraud or have active fraud prevention systems in place, with a majority looking to biometrics like fingerprint scanners (57%) and voice authentication (56%) to improve resilience.
However, current solutions appear to be failing given the rise in fraud across a majority of retailers surveyed. That’s bad news as consumer expectations around security grow higher.
Some 69% of European shoppers polled said they would avoid any brands hit by a data breach, for example.
The research also highlighted potential regulatory concerns in the market.
The EU’s Second Payment Service Directive (PSD2) mandates strict new authentication standards to help minimize fraud as well as implementation of 3D Secure 2.0 by 2019. However, while over 20% of retailers said they already comply and 27% are planning to in the next 12 months, nearly a quarter (24%) said they don’t have plans to do so.
“As technology makes the shopping experience more engaging and convenient, it also powers the sophisticated fraudsters. Retailers need to walk a very fine line of doing everything in their power to help prevent fraudulent transactions and protect their customers, but they also don’t want to be overly cautious and decline legitimate transactions,” explained Adyen’s UK MD, Myles Dawson.
“Payments technology is key in this regard. Machine learning and advanced data analysis plays a vital role in accurately identifying the shopper behind each transaction to reduce chargebacks and false positives.”
UK identity fraud fell in the first half of 2018 for the first time in five years, but fraud against online retail accounts rose by 24% year-on-year, alongside fraudulent applications for credit and debit cards (12%), according to Cifas.
Cyber-attacks are the number one business risk in the regions of Europe, North America and East Asia and the Pacific, according to a major new study from the World Economic Forum (WEF).
Its Regional Risks for Doing Business report highlights the opinions of 12,000 executives from across the globe.
While “unemployment or underemployment” and “failure of national governance” take first and second place respectively, cyber threats have moved from eighth in last year’s report to fifth this year.
It tended to be viewed as a greater risk in more advanced economies: 19 countries from Europe and North America plus India, Indonesia, Japan, Singapore and the United Arab Emirates ranked it as number one.
In Europe, the UK and Germany both placed cyber-attacks as the number one risk.
“When looking at the causes of breaches, it’s evident that email attachments, links and downloads are the most common methods used by hackers. Be it HR professionals opening infected CVs from unknown sources, or employees clicking links on malware-riddled social media sites on their lunch break, users provide hackers with an easy route to bypass security,” he added.
“These simple attack methods are still effective because the architecture cybersecurity is built on is fundamentally flawed, as it overwhelmingly relies on detecting these threats. We’re increasingly seeing zero-day and other polymorphic malware being used to evade detection. Even the more sophisticated detection-based tools that utilize machine learning, AI and behavioral analytics to identify anomalies and patterns can potentially struggle to determine what is good and what is bad – and are certainly never able to be 100% accurate.”
Mimecast cyber-resilience expert, Pete Banham, argued that attacks represent a clear risk to productivity and growth.
“New cyber-threats will continue to adapt to take advantage of weaknesses in systems and procedures, especially as global cloud computing vendors aggregate IT risks,” he said.
“Business continuity and cybersecurity are together now major boardroom issues. The only way to mitigate these new risks is to adopt a strategy of cyber-resilience that brings together threat protection, durability and recoverability.”
WannaCry ransomware is still the most widespread cryptor family and has hit almost 75,000 users as of Q3 2018, according to new research from Kaspersky Lab.
The firm discovered that since the WannaCry outbreak in May 2017, which cost the NHS £92m, the ransomware has affected 74,621 users across the globe and is still active a year and a half on, accounting for 28% of all cryptor attacks in Q3 2018, a growth of more than two-thirds compared to Q3 2017.
“It is concerning to see that WannaCry attacks have grown by almost two-thirds compared to the third quarter of last year,” said David Emm, principal security researcher at Kaspersky Lab. “This is yet another reminder that epidemics don’t cease as rapidly as they begin – the consequences of these attacks are unavoidably long-lasting.”
Despite the WannaCry attacks highlighting the importance of patching to resist the EternalBlue exploit that the ransomware leverages, Kaspersky Lab’s findings show that there are still plenty of unpatched computers worldwide and that criminals continue to target them.
“Cyber-attacks of this type can be so severe that it’s necessary for companies to take adequate preventive measures before a cyber-criminal acts – rather than focus on recovery,” added Emm.
Kaspersky Lab’s advice for effective ransomware defense included:
- Updating your operating system to eliminate recent vulnerabilities and using a robust security solution with updated databases. It is also important to use a security solution that has specialized technologies to protect your data from ransomware
- If you have bad luck and all your files are encrypted with cryptomalware, it is not recommended to pay cyber-criminals, as it encourages them to continue their dirty business and infect more people’s devices. It is better to find a decryptor on the internet
- It is also important to always have fresh backup copies of your files to be able to replace them in case they are lost, and store them not only on the physical object but also in cloud storage for greater reliability
- To protect the corporate environment, educate your employees and IT teams, keep sensitive data separate, restrict access and always back up everything
- Last, but not least, remember that ransomware is a criminal offence. You shouldn’t pay. If you become a victim, report it to your local law enforcement agency
The implementation of major EU-wide security legislation took a major leap forward on Friday as the government officially identified the organizations that will be required to comply with the NIS Directive.
Known in full as the directive on the security of network and information systems, the law will be applied slightly differently by each member state.
A key driver for the directive is to improve baseline security among providers of critical infrastructure, known as “operators of essential services” (OES). It will help to do this with GDPR-like maximum fines of £17m or 4% of global annual turnover, and mandatory 72-hour notifications of serious incidents.
Although the directive came into force on May 10, Friday was the deadline for governments to identify these OES organizations, which cover several sectors: energy, transport, healthcare, water and digital infrastructure.
“The number of targeted intrusions into the UK’s critical infrastructure is increasing. Employing preventative cybersecurity solutions that seamlessly integrate security into control systems is therefore essential,” argued Palo Alto Networks CSO, Greg Day.
“The NCSC has made effective implementation of NIS a priority since it came into effect in May, issuing detailed guidance for both businesses and implementing agencies. Today’s step, whereby the UK government informs those entities considered operators of essential services, is another important milestone in the UK’s efforts on the hugely important issue of cybersecurity.”
Matt Walmsley, EMEA director at Vectra, welcomed the latest deadline as helping to force operators in key sectors to focus on improved security.
“Bad actors, and particularly those of nation states, are well-resourced, innovative and highly motivated, and organizations have limited time, finite human and technical resources and capabilities with which to protect their rapidly expanding attack surface,” he added.
“Nation states, or their sponsored proxies, have broad motivations, and expecting the unexpected is a difficult task. All organizations therefore need to realize that breaches are a case of if not when and so equip themselves to identify and respond to attacks to remediate them in their early stages before damage is done. It’s a tough and never-ending task for the defenders, and one increasingly requiring levels of automation and empowerment from artificial intelligence.”
A Chinese headmaster has been fired after secretly mining cryptocurrency using his school’s electricity supply, according to reports.
Hunan man Lei Hua had dismissed reports from teachers of excessive power consumption in the building as the fault of air conditioning units and heaters, according to the BBC.
However, when they found the eight cryptocurrency mining machines he had hooked up to the power supply, the game was up.
They reportedly ran up an electricity bill of 14,700 yuan (£1600) mining Ethereum 24 hours a day.
After laying out 10,000 yuan on just one mining machine and seeing the exorbitant electricity costs that resulted, Hua apparently decided to minimize his overheads by moving the operation to the school in summer 2017.
However, it not only ended up costing the school a fortune in energy bills but also reportedly overloaded the network, interfering with teaching.
Hua was fired last month, while his deputy, who tried to get in on the scheme by buying and plugging his own machine into the school computer room, was given an official warning.
The case highlights the impact of cryptocurrency mining on organizations, especially those whose servers may have been hijacked in cryptojacking attacks.
A Canadian university was forced to shut down its entire IT network recently after discovering the malware on its systems.
Those attacks are on the rise. McAfee revealed that coin mining malware detections rose 629% in the first quarter to more than 2.9 million samples, while Trend Micro reported a massive 956% increase between the first half of 2017 and the same period this year.
“Just like in this school, cryptomining operations could be running within your organization’s network — draining vast amounts of energy without your knowledge. IT teams need to be vigilant,” argued Barry Shteiman, VP of research and innovation at Exabeam.
“The best thing to do is look for anomalies in your electricity bill. You should also measure changes in your HVAC usage for heat dissipation, although this will be more difficult. Beyond that, look for sudden changes in capacity or usage, as well as significant deviations in pattern and velocity.”
He added that “entity analytics” tools could also be used to help spot the irregular network behavior indicative of a cryptomining attack.
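The two signals Shteiman names, a sudden change in consumption and a deviation from the usual pattern, can be checked against per-host telemetry rather than waiting for the electricity bill. The Python below is an added illustration for this digest, not code from Exabeam or from the article; the host names, the hourly power-draw readings and the two thresholds are all constructed for the example. It flags a host whose load never drops at night (the "24 hours a day" pattern described above) and a host whose daily consumption jumps relative to the previous day.

```python
"""Flag hosts whose power draw looks like round-the-clock mining.

Constructed example: the readings are synthetic hourly power samples
(host, hour_index, watts) over 48 hours. 'ws-01' behaves like an office
workstation, busy by day and idle at night. 'ws-02' is normal on day 0,
then a miner is attached and it runs flat out around the clock.
"""
from statistics import mean

NIGHT_HOURS = range(0, 6)   # 00:00-05:59, when an office host should idle
DAY_HOURS = range(9, 17)    # 09:00-16:59, normal working load


def office_load(hour_of_day):
    """Constructed baseline: ~130 W during the working day, ~28 W otherwise."""
    return 130 if 8 <= hour_of_day < 18 else 28


def sample_readings():
    """Constructed 48-hour sample for two hosts."""
    rows = []
    for hour in range(48):
        h = hour % 24
        rows.append(("ws-01", hour, office_load(h)))
        # ws-02: ordinary on day 0, then 315 W every hour from day 1 onward
        rows.append(("ws-02", hour, office_load(h) if hour < 24 else 315))
    return rows


def daily_profiles(rows):
    """Group readings into {host: {day_index: {hour_of_day: watts}}}."""
    profiles = {}
    for host, hour, watts in rows:
        profiles.setdefault(host, {}).setdefault(hour // 24, {})[hour % 24] = watts
    return profiles


def night_day_ratio(day):
    """Mean night load divided by mean daytime load for one host-day.

    An idle-at-night host scores well below 1; a miner scores close to 1.
    """
    night = mean(day[h] for h in NIGHT_HOURS if h in day)
    daytime = mean(day[h] for h in DAY_HOURS if h in day)
    return night / daytime if daytime else float("inf")


def analyze(rows, ratio_threshold=0.7, velocity_threshold=1.5):
    """Return {host: [finding, ...]} for hosts that trip either check.

    Pattern check: night/day ratio at or above ratio_threshold (no idle period).
    Velocity check: a day's total consumption at least velocity_threshold times
    the previous day's. Thresholds are constructed values, not tuned guidance.
    """
    findings = {}
    for host, days in daily_profiles(rows).items():
        host_findings = []
        prev_total = None
        for day_idx in sorted(days):
            day = days[day_idx]
            ratio = night_day_ratio(day)
            if ratio >= ratio_threshold:
                host_findings.append(
                    f"day {day_idx}: night/day load ratio {ratio:.2f} (no idle period)")
            total = sum(day.values())
            if prev_total and total / prev_total >= velocity_threshold:
                host_findings.append(
                    f"day {day_idx}: daily consumption up {total / prev_total:.1f}x vs previous day")
            prev_total = total
        if host_findings:
            findings[host] = host_findings
    return findings


if __name__ == "__main__":
    for host, notes in analyze(sample_readings()).items():
        print(host)
        for note in notes:
            print("  -", note)
```

In real use the readings would come from smart PDUs, IPMI/BMC power sensors or simply CPU utilisation from the endpoint agent; the night/day ratio is the cheaper signal because it needs no history beyond one day, while the velocity check needs at least one prior day of baseline per host.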