Info Security

Subscribe to Info Security  feed
Updated: 1 hour 14 min ago

Security Should Be Business Focused, Says ISF

Wed, 06/19/2019 - 17:18
Security Should Be Business Focused, Says ISF

A security assurance program that focuses on business needs can help organizations meet the needs of business stakeholders, according to a new report released by Information Security Forum (ISF).

The report, Establishing a Business-Focused Security Assurance Program, offers organizations ways to establish a security assurance program that takes a business-focused approach by “identifying how to move from current to future approaches, introducing three fundamental elements that underpin successful business-focused security assurance and describing a repeatable process to provide security assurance.”

Given that implementation of security assurance programs vary significantly among businesses, the report is an effort to formalize the structure through four strategic objectives:

  • Identifying the specific needs of different business stakeholders

  • Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place

  • Reporting on security in a business context

  • Leveraging skills, expertise and technology from within and outside the organization

“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected by focusing on how effective controls are,” said Steve Durbin, managing director, ISF, in today’s press release.

“A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”

“In today’s fast-moving business environment, filled with constantly evolving cyber-threats, business leaders want confidence that their processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences,” continued Durbin.

“Establishing a business-focused security assurance program is a long-term and ongoing investment. The ISF approach presented in this report will help organizations to review current approaches and determine how to turn aspirations into reality.”

Categories: Cyber Risk News

Security Should Be Business Focused, Says ISF

Wed, 06/19/2019 - 17:18
Security Should Be Business Focused, Says ISF

A security assurance program that focuses on business needs can help organizations meet the needs of business stakeholders, according to a new report released by Information Security Forum (ISF).

The report, Establishing a Business-Focused Security Assurance Program, offers organizations ways to establish a security assurance program that takes a business-focused approach by “identifying how to move from current to future approaches, introducing three fundamental elements that underpin successful business-focused security assurance and describing a repeatable process to provide security assurance.”

Given that implementation of security assurance programs vary significantly among businesses, the report is an effort to formalize the structure through four strategic objectives:

  • Identifying the specific needs of different business stakeholders

  • Testing and verifying the effectiveness of controls, rather than focusing purely on whether the right ones are in place

  • Reporting on security in a business context

  • Leveraging skills, expertise and technology from within and outside the organization

“Taking a business-focused approach to security assurance is an evolution. It means going a step further and demonstrating how well business processes, projects and supporting assets are really protected by focusing on how effective controls are,” said Steve Durbin, managing director, ISF, in today’s press release.

“A business-focused approach requires a broader view, considering the needs of multiple stakeholders within the organization: what do they need to know, when and why? Answering these questions will enable adoption of testing, measurement and reporting techniques that provide appropriate evidence.”

“In today’s fast-moving business environment, filled with constantly evolving cyber-threats, business leaders want confidence that their processes, projects and supporting assets are well protected. An independent and objective security assurance function should provide business stakeholders with the right level of confidence in controls – complacency can have disastrous consequences,” continued Durbin.

“Establishing a business-focused security assurance program is a long-term and ongoing investment. The ISF approach presented in this report will help organizations to review current approaches and determine how to turn aspirations into reality.”

Categories: Cyber Risk News

SACK Panic Vulnerability in Linux

Wed, 06/19/2019 - 17:01
SACK Panic Vulnerability in Linux

Researchers at Netflix have discovered new denial-of-service (DoS) vulnerabilities in Linux and FreeBSD kernels, including a severe vulnerability called SACK Panic that could allow malicious actors to remotely crash servers and disrupt communications, according to an advisory published at its Github repository.

“The vulnerabilities specifically relate to the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels,” the advisory stated.

Netflix researchers added that there are patches for most of these vulnerabilities and additional mitigation strategies to consider if patching is not possible.

“The issues have been assigned multiple CVEs: CVE-2019-11477 is considered an Important severity, whereas CVE-2019-11478 and CVE-2019-11479 are considered a Moderate severity,” a Red Hat advisory stated.

These flaws can reportedly impact any organization running large fleets of production Linux computers and, if left unpatched, allow remote attackers to take control and crash the machines.

“The Linux TCP SACK vulnerability is a truly serious threat. First, this is a threat to man Internet-facing servers of the big giants of the internet (Google, Amazon, etc.) – and right now the focus is on upgrading the endless servers that are used as the infrastructure for the internet and the countless applications that rely on them,” said Armis’ VP of research, Ben Seri.

“Once the dust settles and the majority of this infrastructure has received the proper patch, many organizations will then need to deal with the long tail of the patching cycle. At the very end of this tail are the devices that don't receive automatic updates and might not receive any update at all – the [internet of things] and unmanaged devices that in many cases are built on top of Linux. This vulnerability also goes back a long time (since Linux v2.6.29, that was released 10 years ago), so the amount of legacy devices that use the vulnerable code will be very significant in this case, and these types of devices are unlikely to receive patches at all.”

Categories: Cyber Risk News

Hackers Gobble Up Data From EatStreet Diners and Partners

Wed, 06/19/2019 - 11:01
Hackers Gobble Up Data From EatStreet Diners and Partners

Online food ordering service EatStreet has revealed a major data breach affecting customers and restaurant partners.

Although the number of companies and individuals affected isn’t known, the firm claims to partner with over 15,000 restaurants in hundreds of US cities, so the figure could theoretically surge into the millions.

The two-week incident happened in May, when an “unauthorized third party was able to acquire information in our database,” according to letters sent to EatStreet’s customers, delivery partners and restaurants.

For the latter two, the information stolen may have included names, phone numbers and email addresses, plus bank account information.

However, for customers of the service, things look even worse, with the hacker potentially making off with credit card number, expiry date, CV2 number, billing and email address, name and phone number. That’s more than enough information to commit a serious range of identity fraud and to launch follow-on phishing attacks.

EatStreet claimed to have responded quickly to the incident, and said it has “reinforced” multi-factor authentication, rotated credential keys and reviewed and updated its coding practices to improve security going forward.

Interestingly, the firm’s website was also down at the time of writing.

“The case of the Eatstreet breach is a doomsday scenario for the average consumer where a service was used for convenience or necessity, and ended up causing a major threat to the consumer's interests,” argued Colin Little, senior threat analyst at Centripetal Networks.

“With the number of mobile or cloud-based consumer services a person leverages day-to-day, and the two-week time-to-detect for complete access to a database that contains some of the most sensitive PII, this event shows that consumers deserve organizations who will proactively hunt for threats to minimize the risk to consumer data.” 

Categories: Cyber Risk News

AMCA Files for Bankruptcy Protection After Breach

Wed, 06/19/2019 - 09:50
AMCA Files for Bankruptcy Protection After Breach

The parent company of healthcare debt collection firm American Medical Collection Agency (AMCA) has filed for bankruptcy protection following a major breach which is thought to have affected as many as 20 million patients.

Its Chapter 11 filing in the Southern District of New York reveals the action was taken due to a “cascade of events” and “enormous expenses that were beyond the ability of the debtor to bear.”

These were precipitated by that eight-month breach, discovered in March this year, which affected millions of patients of clients including Quest Diagnostics, LabCorp and BioReference. These were customers of the medical testing firms who owed them money.

Data stolen by the hackers included payment card details, bank account information, personally identifiable information (PII) and lab test details, according to reports.

Russell Fuchs, CEO of parent company Retrieval-Masters Creditors Bureau, lent AMCA $2.5m to help pay for a mass mailing effort of breach notifications for users which is said to have cost $3.8m. Some $400,000 was apparently spent on IT services to help with the remediation and investigation of the incident.

The news of a debt collection business being short of cash will fill few neutral observers with sadness.

However, the breach itself threatens to plunge those debtors whose details were stolen into a nightmare of phishing attempts, identity theft and possible damage to their credit ratings.

That’s probably why lawmakers have stepped in. Democrat Senators Bob Menendez, Cory Booker, and Mark Warner wrote to Quest Diagnostics asking about the incident, which affected nearly 12 million of its patients.

“While I am heartened to learn that no evidence currently suggests Quest Diagnostic’s systems were breached, I am concerned about your supply chain management, and your third-party selection and monitoring process,” said Warner in his letter.

Categories: Cyber Risk News

Only Quarter of IaaS Users Can Audit Config Settings

Wed, 06/19/2019 - 09:05
Only Quarter of IaaS Users Can Audit Config Settings

Most global organizations benefit from better security in the cloud than on-premise, with some key exceptions, including data loss prevention and configuration settings, according to McAfee.

The security giant polled 1000 enterprises around the world and combined its findings with threat data gleaned from its products to compile the Cloud Adoption and Risk Report.

The vast majority (87%) said they “experience business acceleration” through their use of cloud services.

However, while 52% benefit from improved security versus on-premise, and just 10% of data is hidden in shadow IT environments, there were caveats.

Only 36% of respondents said they could enforce DLP in the cloud, and just a third said they could control collaboration settings to determine how data is shared. Perhaps even more worryingly, only a quarter (26%) of IaaS users said they could audit configuration settings.

Misconfigured cloud infrastructure is an increasing problem: previous McAfee figures suggested 5.5% of Amazon S3 buckets in use are misconfigured to be publicly readable. They also revealed that enterprises are under-estimating the number of services they use by more than 6000% – believing they only use 30 but in reality using as many as 1935 unique services.

John Noakes, cloud specialist at IT solutions firm Insight UK, argued that this cloud sprawl should be cause for “major alarm.

“To have any hope of controlling risk, organizations need to understand the risks they face, and take firm control of their cloud environments. This means having rigorous controls in place to govern how cloud services are purchased and managed, so that IT is not left unaware of the potential scale of any problem,” he added.

“It means following best practice with commissioning and configuring cloud infrastructure, so that data is not left wide open to the public. Part of the problem is that legacy tools, skills and processes aren’t fit for the cloud era, yet many organizations haven’t adapted. As a result, they continue to leave themselves wide open to unnecessary risk.”

Categories: Cyber Risk News

Only Quarter of IaaS Users Can Audit Config Settings

Wed, 06/19/2019 - 09:05
Only Quarter of IaaS Users Can Audit Config Settings

Most global organizations benefit from better security in the cloud than on-premise, with some key exceptions, including data loss prevention and configuration settings, according to McAfee.

The security giant polled 1000 enterprises around the world and combined its findings with threat data gleaned from its products to compile the Cloud Adoption and Risk Report.

The vast majority (87%) said they “experience business acceleration” through their use of cloud services.

However, while 52% benefit from improved security versus on-premise, and just 10% of data is hidden in shadow IT environments, there were caveats.

Only 36% of respondents said they could enforce DLP in the cloud, and just a third said they could control collaboration settings to determine how data is shared. Perhaps even more worryingly, only a quarter (26%) of IaaS users said they could audit configuration settings.

Misconfigured cloud infrastructure is an increasing problem: according to the report, over 1/20 of Amazon S3 buckets in use are misconfigured to be publicly readable. In fact, it found that enterprises are under-estimating the number of services they use by more than 6000%.

John Noakes, cloud specialist at IT solutions firm Insight UK, argued that this cloud sprawl should be cause for “major alarm.

“To have any hope of controlling risk, organizations need to understand the risks they face, and take firm control of their cloud environments. This means having rigorous controls in place to govern how cloud services are purchased and managed, so that IT is not left unaware of the potential scale of any problem,” he added.

“It means following best practice with commissioning and configuring cloud infrastructure, so that data is not left wide open to the public. Part of the problem is that legacy tools, skills and processes aren’t fit for the cloud era, yet many organizations haven’t adapted. As a result, they continue to leave themselves wide open to unnecessary risk.”

Categories: Cyber Risk News

Facebook Announces Digital Wallet and Coin, Libra

Tue, 06/18/2019 - 18:00
Facebook Announces Digital Wallet and Coin, Libra

Because it possibly stands to faces billions of dollars in fines from the US Federal Trade Commission (FTC), Facebook, today announced its plans for Calibra, a Facebook subsidiary that will provide financial services and enable users to have access to and participate in the Libra network.

“Calibra will let you send Libra to almost anyone with a smartphone, as easily and instantly as you might send a text message and at low to no cost. And, in time, we hope to offer additional services for people and businesses, like paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit without needing to carry cash or a metro pass,” the news release stated.

Intended to be officially released in 2020, the digital currency is powered by blockchain technology. However, not all responses to the news have been positive. The cryptocurrency is “a glorified exchange traded fund which uses blockchain buzzwords to neutralize the regulatory impact of coming to market without a licence as well as to veil the disproportionate influence of Facebook in what it hopes will eventually become a global digital reserve system,” according to the Financial Times.

While some remain weary, given Facebook’s recent track record of failing to protect consumer data, the company added that “Calibra will have strong protections in place to keep your money and your information safe. We’ll be using all the same verification and anti-fraud processes that banks and credit cards use, and we’ll have automated systems that will proactively monitor activity to detect and prevent fraudulent behavior.”

The idea that social and financial data could be combined is worrying, said Ray Walsh, digital privacy expert at ProPrivacy.

“Although Facebook claims that it will keep the distinct data sets at arm's length – it is hard to believe that consumer habits will not be tracked in order to allow Facebook to better serve ads. After all, that is how the firm produces the majority of its revenue streams.

“Facebook has proven, time and time again, that it is not to be trusted with consumer data, and it seems unlikely that it does not plan to exploit as much consumer data as it is legally permitted to do so. Facebook's whitepaper claims that it will not source transaction data from the Libra Blockchain without consumer consent. For the time being, no privacy policies or Terms of Service are available for Libra coin.”

Categories: Cyber Risk News

Accenture Acquires Deja vu Security

Tue, 06/18/2019 - 16:55
Accenture Acquires Deja vu Security

Deja vu Security has become a part of Accenture’s cyber-defense offerings through an acquisition announced on June 17.

The Seattle-based Deja vu Security was founded in 2011 and has been providing a range of business application security solutions with a focus on integrating security into the product development lifecycle. Accenture continues to invest in next-generation cybersecurity solutions that will deliver end-to-end security for clients’ business. Financial terms of the agreement were not disclosed.

No financial details of the deal have been disclosed. “Deja vu Security brings to Accenture a deep expertise in the techniques, tools and methods for securing connected devices and IoT networks,” the press release said. The transaction heightens Accenture’s ability to improve the “security of things.”

“For technology companies, third-party suppliers and consumers alike, IoT security controls often remain an afterthought which is why it’s critical that security is built in from the start for any new products, processes or services,” said Kelly Bissell, senior managing director of Accenture Security. “Deja vu Security’s team of innovative specialists brings considerable technical cybersecurity skills, making them a strong strategic fit and [helping] our clients reduce the risk of their connected solutions. We are very excited to welcome the Deja vu Security team to Accenture.”

Deja vu Security and its employees are reportedly excited about the transaction, according to the press release. “Accenture’s people-focused culture and innovative mindset are core values that both companies share, and our unique capabilities complement each other perfectly. We are thrilled to be joining such a high-caliber global organization,” said Adam Cecchetti, Deja vu Security’s chief executive officer.

Categories: Cyber Risk News

DNS Attacks Grow More Frequent and Costly

Tue, 06/18/2019 - 16:39
DNS Attacks Grow More Frequent and Costly

Domain name server (DNS) attacks have grown in frequency and cost, according to multiple research reports published this week.

The Domain Fraud Threats Report from Proofpoint found that Chengdu West Dimension Digital, NameSilo, Public Domain Registry and GoDaddy are the top fraudulent domains. Of the millions of fraudulent domains registered, 1 in 4 have security certificates and more than 90% remain active on a live server. In addition, more than 15% have mail exchanger records.

“Fraudulent domains 'hide in plain sight' by using many of the same top-level domains (TLDs), registrars, and web servers as legitimate domains. For example, 52% of all new domain registrations in 2018 used the .com TLD. The TLD was similarly popular with fraudsters: nearly 40% of new fraudulent domain registrations used .com,” Proofpoint’s Ali Mesdaq wrote in a June 17 blog post.

In related news, IDC’s 2019 Global DNS Threat Report, commissioned by Efficient IP, found that DNS attacks cost an average of $1.07 million for organizations, a jump of 49% from last year.

While many organizations have faced a 34% increase in DNS attacks since 2018, more than 85% of top retail brands found domains selling counterfeit versions of their products and 63% of organizations suffered application downtime. The report also found that 45% of organizations had their websites compromised, and 27% experienced business downtime.

“One in five businesses lost over $1 million per attack and causing app downtime for 63% of those attacked,” a June 18 press release said. The study also highlighted the changing popularity of attack types, which reflect a shift from volumetric to low signal, including phishing, malware-based attacks and old-school distributed denial of service (DDoS).

“With an average cost of $1m per attack and a constant rise in frequency, organizations just cannot afford to ignore DNS security and need to implement it as an integral part of the strategic functional area of their security posture to protect their data and services,” said Romain Fouchereau, research manager European security at IDC.

Categories: Cyber Risk News

#OktaForum: Biometrics Are Authentication Preference, Privacy Concerns Remain

Tue, 06/18/2019 - 13:01
#OktaForum: Biometrics Are Authentication Preference, Privacy Concerns Remain

Biometrics are seen as a positive step forward in authentication, but employees maintain privacy concerns.

According to a survey of 4013 workers across the UK, France and the Netherlands, the Okta Passwordless Future Report found that 78% of respondents use an insecure method to help them remember their password, including: using the same passwords for multiple accounts (34%), writing passwords down (26%),  17% typing passwords on a phone or computer (17%) and using well-known passwords (6%).

Dr Maria Bada, research associate at Cambridge University, said: “Passwords are often quite revealing. They are created on the spot, so users might choose something that is readily to mind or something with emotional significance.

“Passwords tap into things that are just below the surface of consciousness. Criminals take advantage of this and with a little research they can easily guess a password.”

The research also found that 70% of respondents believe biometrics would benefit the workplace, but 86% have some reservations about sharing biometrics with employers. 

Todd McKinnon, CEO and co-founder of Okta, said: “Passwords have failed us as an authentication factor, and enterprises need to move beyond our reliance on this ineffective method.”

Speaking to Infosecurity, McKinnon said that Okta sees the role of biometrics is the “last mile” and the value it provides is for the policy layer, and you need to determine what your policy is.

“There is still a bunch of work that has to happen to map that, and to have access to a certain server or application, so I envisage that there will be different levels that are high or low risk,” he added.

McKinnon pointed to the need for a central policy to link all of the biometric access data together for the appropriate scenario. He said that Okta provides the technology to enable access, but it is up to the customer to determine how they enable access, whether it is via a personal phone or a corporate device, “based on the resources you are trying to access.”

On the issue of trusting employees, McKinnon said that there are too many bad user experience cases where a person cannot get a text on a personal phone, or too much data is collected due to privacy issues “because the policy is not flexible and the company does not have the right resource to check, so they over-collect information.”

Dr Bada said: “Biometric technology can be promising in creating a passwordless future, but it's essential to create an environment of trust, while ensuring privacy and personal data protection.’’

Categories: Cyber Risk News

#OktaForum: Trust is Key to Identity and Security

Tue, 06/18/2019 - 12:01
#OktaForum: Trust is Key to Identity and Security

Trust remains the most important factor in enabling security and identity management.

Speaking at the Okta Forum in London, Okta CEO Todd McKinnon said that every company is a technology company now, and if you are not a technology company “your replacement will be a technology company.”

McKinnon explained that technology comes with risks, such as the “war on talent” which is making finding the right people hard, while “unprecedented regulations” like GDPR are bringing frameworks to companies who preceded the technology revolution, while social networking has led people to be concerned about trust and privacy.

“There is a tremendous potential of technology, but it is not without issues and risks and can lead to the erosion of trust,” he said. “At Okta, we believe that the potential of technology is amazing, but a lack of trust won’t enable us to reach its potential, so we need to trust the new frontier as we’re all technology companies.”

McKinnon said that there is a “burden to be secure” and for Okta the solution is that identity is key. “Connect people to technology and get identity right and solve the trust problem,” he advised.

He went on to say that the use of any technology is not about identity or security, “but to push for you to be successful” and to enable that, Okta built the Okta Identity Cloud

McKinnon said that the company was focused on building the best products, having a comprehensive set of integrations, supporting use cases and building up data “to help you do the right actions in your environment.”

Speaking to Infosecurity, McKinnon explained that after the revolution of technology companies, the “backlash against technology” and the impact on privacy had “evened up the ante as companies need to get identity right.”

Categories: Cyber Risk News

White Hats Update GandCrab Decryptor to Hasten its End

Tue, 06/18/2019 - 10:55
White Hats Update GandCrab Decryptor to Hasten its End

Infamous ransomware GandCrab could finally be on the way out, after white hats released yet another updated decryptor tool designed to help victims to get their data back.

In partnership with various law enforcement agencies including Europol, the Metropolitan Police, the FBI and NCA, Bitdefender has released the latest in a string of tools which it claimed has saved tens of thousands of organizations $50m in unpaid ransom money.

This effectively neutralizes every version of the ransomware-as-a-service offering up to and including the latest, v5.2. It can be downloaded from the No More Ransom project.

Although the ransomware rose to claim a 50% market share in August 2018, these efforts have done much to limit its appeal on the cybercrime underground.

“The three decryptors released in collaboration with partner law enforcement agencies – and particularly the GandCrab decryptor for version 5.1 – compelled GandCrab affiliates to shrink their business to avoid unnecessary costs,” claimed Bitdefender senior threat analyst, Bogdan Botezatu.

“For instance, in February 2019, after the release of the decryptor for version 5.1, affiliates kept pushing decryptable versions of the malware for more than a week, allowing fresh victims to decrypt their data for free. As of March 2019, GandCrab’s market share has shrunk back to 30%, with almost one in three infections tied to the group.”

GandCrab differs from many of its counterparts in that it’s offered via an affiliate model: distributors effectively purchase a license to spread the malware, keeping most of the profits themselves but sharing 40% with the original developers.

It’s a model that has served those ransomware authors well: a few weeks ago they published a statement claiming to have generated $2bn from their endeavors over the past year, personally netting $150m.

In the same note they claimed to be retiring, and stopped distribution partners from accessing the latest version of the ransomware.

This could spell the end for GandCrab, but it won’t be the end of the ransomware threat for businesses.

Botezatu claimed his firm sees 12 new ransomware strains each month, of which only around 10% are decryptable.

Categories: Cyber Risk News

Oregon State Uni Attack Exposes Data on Hundreds

Tue, 06/18/2019 - 09:32
Oregon State Uni Attack Exposes Data on Hundreds

Another US university has been hit by a successful cyber-attack, this time potentially compromising personal information (PII) on hundreds of students and family members.

Oregon State University (OSU) issued a public notice on Friday after one of its employee’s email accounts was hacked last month and used to spam others with phishing emails.

Forensic investigators found several documents in the breached inbox which contained the PII of 636 students and their relatives, a statement from the university noted.

“OSU is continuing to investigate this matter and determine whether the cyber-attacker viewed or copied these documents with personal information,” said Steve Clark, the university’s vice-president for university relations and marketing.

“While we have no indication at this time that the personal information was seen or used, OSU has notified these students and family members of this incident. And we have offered information about support services that are available, including 12 months of credit monitoring services that the university will enable at no cost.”

Andrew Clarke, EMEA director at One Identity, argued the incident shows that people remain the “first and last line of cyber-defense.

“Creating a framework for identifying, authenticating, and authorizing correct access for sensitive information and ensuring that it is implemented across the entire organization can help protect information pertaining to individuals, which is the most critical type of data held by many institutions,” he added.

“PII such as social security numbers, names and physical addresses, and usernames and passwords are a key target, and just one major breach of such data and there is a loss of faith in the organization and knock-on impact on the business."

Universities are an increasingly popular target for both financially-motivated cyber-criminals and even state-sponsored hackers – who are looking for large troves of personal data on students and staff to monetize sensitive IP in ground-breaking research.

Earlier this year, Georgia Tech suffered a breach of 1.3 million staff and student records after a web app vulnerability was exploited by attackers.

Categories: Cyber Risk News

Trans Charity Mermaids Apologizes Over Leaked Emails

Tue, 06/18/2019 - 09:00
Trans Charity Mermaids Apologizes Over Leaked Emails

A transgender charity has apologised after journalists were able to find sensitive internal emails via a public internet search.

Mermaids UK, which supports trans children and young people, said the emails came from 2016 and 2017, when it was a smaller organization without the internal processes and access to technical support which would now prevent such incidents.

Although the original Sunday Times report which uncovered the leak said the emails included “intimate details of vulnerable youngsters” which could be found simply by typing the organization’s name and charity number in, Mermaids sought to downplay the seriousness of the incident.

“Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found,” it said in a statement.

“The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users. Mermaids has contacted these people. The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids.”

The emails in question, which the BBC claims number around 1100, were apparently stored in a ‘private’ user group exposed online.

As well as contacting those whose details appeared in the leaked emails, the charity has contacted privacy regulator the Information Commissioner’s Office (ICO) and the Charity Commission and said it immediately remediated the incident.

“So the overall position is that there was an inadvertent breach, which has been rapidly remedied and promptly reported to the ICO, and there is no evidence that any of this information was retrieved by anybody other than the Sunday Times and those service users contacted by the journalist in pursuit of their story,” it concluded.

The scope of the incident falls well before the GDPR was introduced, although if the ICO judges there to have been a serious risk to vulnerable individuals, it may decide to take action under the old data protection regime.

Categories: Cyber Risk News

NYT: US Targets Russian Power Grid

Mon, 06/17/2019 - 15:50
NYT: US Targets Russian Power Grid

After news broke that the US has ramped up its digital attacks on Russia, according to a New York Times article, President Trump tweeted that the story was a "virtual act of treason by a once great paper...ALSO, NOT TRUE.”

Though there are no details of the malware that was reportedly placed inside Russia’s power grid system, the NYT reported that National Security Presidential Memoranda 13, a classified document, grants the Department of Defense (DoD) the power to conduct offensive online operations without receiving presidential approval.

Specifically, General Paul Nakasone, commander of the US Cyber Command, holds that authority to make these decisions about offensive strategies. Without confirming that the DoD is taking more aggressive measures, House minority whip Steve Scalise told Meet the Press on June 16, “I'm glad the administration has been taking aggressive actions."

"Meet the Press" exclusive interview with House minority whip Steve Scalise

“An offensive cyber-strategy is a necessary component of a larger military and diplomatic strategy against a determined US adversary like Russia. After all, let’s not forget that Russia has been targeting US utilities for several years, at least,” said Carlos Perez, R&D practice lead at TrustedSec.

“US-CERT warned just last year about Russia’s cyber-operations against multiple US utilities. We’ve also seen Russia put these capabilities to real-world effect, as in the case of the two cyber-induced power outages that affected Ukraine. We have to take this threat seriously, and having a cyber-response ready to go is of paramount importance."

Perez clarified that the operations described by the New York Times also do not constitute cyber-war, nor do they exceed the legal restrictions set by our own government.  

"The Department of Defense Law of War Manual has codified cyber operations, which this current action falls within. As you’ll notice, these guidelines include such operational objectives as reconnaissance, acquiring and securing access to key systems, and implanting access tools into infrastructure for the purpose of acquiring foreign intelligence, gaining information about an adversary’s capabilities and gathering information to determine intent, just to name a few.”

While trying to avoid the risk of escalating the situation with Russia, Perez said that this action and others taken by US cyber-ops teams are aimed at preparing the battle space with Russia, so that the US will be ready at some future point, should direct action need to be taken.

“This is also about deterrence, as we are signaling to Russia that we have the technical means and capabilities and the will to use them if we have to. As for the risk of ending up in a full-scale cyber-war, the reality is that we have been close to it with several events that have happened but remained in an economic, intelligence and influence conflict with Russia, as well as other countries, like China, Iran and, to a lesser extent, North Korea. These are low-intensity conflicts but they could escalate at any point, even without us engaging in our own offensive cyber-ops.”

Categories: Cyber Risk News

Seven Million Venmo Transactions Published on GitHub

Mon, 06/17/2019 - 13:22
Seven Million Venmo Transactions Published on GitHub

Venmo users are being advised to set their accounts to private after a computer science student scraped seven million Venmo transactions, proving that users’ public activity can be easily accessed, according to The Next Web (TNW).

Over a six-month period, Minnesota State University computer science student Dan Salmon, collected a data set, which Salmon exported from MongoDB, of more than seven million Venmo transactions, which he published on GitHub.

“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research,” Salmon wrote.

“I would highly encourage all users to switch their Venmo account to private by going to Settings > Privacy and selecting "Private" as well as Past Transactions > Change All to Private. Screenshot instructions are available here.”

"Transparency may often be used against the legitimate interests of end users. Probably very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide. Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

“[The] developer’s API should be provided only to vetoed, properly verified third parties within a scope of a binding legal agreement capable of protecting users’ privacy regardless of technical flaws one may discover now or in the future,” Kolochenko said.

“Anti-scraping functionality probably requires holistic testing via an open bug bounty program, for example, to spot and remediate as many anti-automation bypasses as possible. This will not provide absolute protection but at least will considerably reduce the efficiency of data-scraping campaigns. Without all these common-sense measures, Venmo may face serious legal ramification and severe monetary penalties in many jurisdictions, let alone disgruntled users and loss of revenue."

In an email to Infosecurity, a Venmo spokesperson said, "Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this. The safety and privacy of Venmo users and their information is always a top priority. 

"Venmo does a number of things to keep our users informed and help them protect and control their privacy, including:

  • "The social newsfeed: When people open the app, the first thing they see is the newsfeed. This is the first step in educating users that Venmo is a social forum and the newsfeed allows you to see what others have chosen to share on Venmo and the experiences that are happening on Venmo.
  • "Users choose what to share: Like on other social apps, Venmo users can choose what they want to share and which audience they share it with. It is very clear in each payment what audience it is being shared with and we have made this even more prominent in recent years."

Categories: Cyber Risk News

Eliminate Outdated Identity Proofing, Says GAO

Mon, 06/17/2019 - 13:12
Eliminate Outdated Identity Proofing, Says GAO

The remote identity proofing used by four large government agencies has been deemed outdated by a new report released by the U.S. Government Accountability Office (GAO).

According to the report, the Postal Service, Department of Veteran Affairs, Social Security Administration and the Centers for Medicare and Medicaid Services use outdated tactics to verify citizens’ data over the phone.

Of the six agencies GAO interviewed, only two have eliminated the use of knowledge-based verification methods. The remaining four government agencies rely on “consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification,” the report said. That is, individuals are asked questions based on information available in their credit reports.

As a result, any fraudster could potentially use information available from the 2017 Equifax breach or the latest hack of the week to answer security questions and start collecting social security checks of vulnerable Americans or embezzle veterans’ healthcare benefits.

“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” the report said.

In addition to cost, agencies noted additional challenges to implementation, which include “mobile device verification[, which] may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the report stated.

Beyond recommending that the agencies discontinue the practice of knowledge-based verification, the GAO also recommended that the NIST augment its technical guidance to include implementation guidance and assist agencies in adopting more security authentication processes.

“It’s unfortunate that data breaches have become a part of our modern lives. But this report shows most of the damage isn’t done in the initial breach. In fact, most of the real damage comes from account takeovers by social engineering contact center agents long after the breach. Here’s the reality – hackers aren’t going away. The solution is to de-weaponize personal information. Stop relying on it for authentication,” said Pat Cox, VP and GM at Neustar.

“Identity interrogation and knowledge-based authentication, where citizens verify their identity by demonstrating knowledge of personal information, as basic as address or date of birth – information which could have been gleaned from dozens of recent data breaches – isn’t stopping identity theft."

Categories: Cyber Risk News

Microsoft Urges Azure Customers to Patch Exim Worm

Mon, 06/17/2019 - 11:05
Microsoft Urges Azure Customers to Patch Exim Worm

Microsoft has urged Azure users to update their systems following the discovery of a major new attack campaign targeting popular email server software.

The worm, which Infosecurity reported on last week, targets mail transfer agent product Exim running on Linux-based email servers. It’s claimed that Exim is running on over half (57%) of the world’s email servers, with as many as 3.5 million vulnerable to the new attack.

In a security update on Friday, Microsoft confirmed that the attack imperils servers running Exim version 4.87 to 4.91. It said that although Azure has “controls” in place to prevent the spread of the worm, customers could still be vulnerable to infection and should update their systems as soon as possible.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” Microsoft explained.

“There is a partial mitigation for affected systems that can filter or block network traffic via?Network Security Groups (NSGs). The affected systems can mitigate Internet-based ‘wormable’?malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution?(RCE)?exploitation if the attacker’s IP Address is permitted through Network Security Groups?”

Two waves of attack have been spotted in the wild, downloading a cryptocurrency mining payload to monetize the threat. The more sophisticated of the two uses Tor services and creates “deceiving windows icon files” to throw security teams off the scent.

As well as downloading the payload, the malware searches for additional vulnerable servers on the internet, connects to them, and infects them with the initial script, according to Cybereason.

Categories: Cyber Risk News

Twitter Shuts Down 5000 State-Sponsored Accounts

Mon, 06/17/2019 - 09:37
Twitter Shuts Down 5000 State-Sponsored Accounts

Twitter has taken down nearly 5000 fake accounts, most of them apparently backed by the Iranian state, in a bid to clean the platform of government-sponsored attempts to spread propaganda.

The social network claimed in a post last week that it had closed 4779 accounts linked to Tehran, 1666 of which tweeted nearly two million times, with content “that benefited the diplomatic and geostrategic views of the Iranian state.”

Another subset of 248 accounts were engaged with discussions related to Israel, while 2865 “employed a range of false personas to target conversations about political and social issues in Iran and globally.”

Four accounts were lined to the infamous Internet Research Agency (IRA), the Kremlin-linked organization responsible for a mass disinformation campaign on social media ahead of the 2016 US Presidential election.

Also removed by Twitter during this cull were 130 fake accounts linked to organizations including Esquerra Republicana de Catalunya, which spread content designed to “inorganically influence the conversation” about Catalan independence.

Twitter closed down a further 33 accounts run by a “commercial entity” operating in Venezuela “that were engaging in platform manipulation targeted outside of the country.”

“Our Site Integrity team is dedicated to identifying and investigating suspected platform manipulation on Twitter, including potential state-backed activity. In partnership with teams across the company, we employ a range of open-source and proprietary signals and tools to identify when attempted coordinated manipulation may be taking place, as well as the actors responsible for it,” wrote Twitter head of site integrity, Yoel Roth.

“We also partner closely with governments, law enforcement, and our peer companies to improve our understanding of the actors involved in information operations and develop a holistic strategy for addressing them.”

Categories: Cyber Risk News

Pages