Info Security

Subscribe to Info Security  feed
Updated: 2 hours 41 min ago

TLS Certificates Now Have 398 Day Lifespans

Wed, 09/02/2020 - 10:02
TLS Certificates Now Have 398 Day Lifespans

As of September, all publicly trusted TLS certificates must have a lifespan of 398 days or fewer.

According to a statement from Apple from March, where it announced it was “reducing the maximum allowed lifetimes of TLS server certificates” as part of its ongoing efforts to improve web security.

The Apple statement claimed TLS server certificates issued on or after September 1, 2020 “must not have a validity period greater than 398 days.” Specifically, this change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.

Also, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change. “Connections to TLS servers violating these new requirements will fail,” the statement said. “This might cause network and app failures and prevent websites from loading.”

Apple recommended certificates be issued with a maximum validity of 397 days, and this change will not affect certificates issued from user-added or administrator-added Root CAs.

According to Venafi, the interval between changes in the length of certificate lifespans has been shrinking over the last decade. It found that before 2011, certificate lifespans were 8–10 years (96 months) and their lifespans were gradually reduced over the past decade, to five years and then to three years in 2015 and ultimately to 13 months, a reduction of 51% in 2020.

“Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“The interval between certificate lifecycle changes is shrinking, while at the same time, certificates lifecycles themselves are being reduced. In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing.”

He went on to claim that if the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to six months by early 2021, and perhaps become as short as three months by the end of next year.

“Actions by Apple, Google or Mozilla could accomplish this,” he said. “Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”

Categories: Cyber Risk News

CISA: No US Voter Registration Breaches This Year

Wed, 09/02/2020 - 09:15
CISA: No US Voter Registration Breaches This Year

The head of the US Cybersecurity and Infrastructure Security Agency (CISA) has been forced to deny Russian reports that US voter registration information has been circulating on the dark web.

Russian newspaper Kommersant claimed in a story yesterday that a database of 7.6 million Michigan voters was posted to the dark web, as well as millions more related to voters from Florida, Connecticut, North Carolina and Arkansas.

However, the Michigan Department of State responded swiftly to the story, reportedly confirming that the data in question was publicly available via Freedom of Information (FOI) requests.   

In a statement on Twitter a few hours ago, CISA director, Chris Krebs, joined the official debunking of the claims.

“My main takeaway: it’s going to be critical over the next few months to maintain our cool and not spin up over every claim. The last measure of resilience is the American voter,” he said.

An official statement from the CISA and FBI claimed the two “have not seen cyber-attacks this year on voter registration databases or on any systems involving voting.”

“Information on US elections is going to grab headlines, particularly if it is cast as foreign interference. Early, unverified claims should be viewed with a healthy dose of skepticism,” it continued.

“More importantly, we encourage voters to look to trusted sources of information, in this case state election officials who have correctly pointed out that a lot of voter registration data is publicly available or easily purchased.”

The incident came as Facebook and Twitter took action to remove the social media profiles associated with Russian ‘news’ site PeaceData, which has been linked to the notorious state-backed misinformation-peddler the Internet Research Agency (IRA).

In Facebook’s case it involved taking down 13 Facebook accounts and two pages.

“This activity focused primarily on the US, UK, Algeria and Egypt, in addition to other English-speaking countries and countries in the Middle East and North Africa,” it said. “We began this investigation based on information about this network’s off-platform activity from the FBI. Our internal investigation revealed the full scope of this network on Facebook.”

Categories: Cyber Risk News

CEOs Could Face Jail Time for IoT Attacks by 2024

Wed, 09/02/2020 - 08:23
CEOs Could Face Jail Time for IoT Attacks by 2024

Corporate CEOs could soon be personally liable if they fail to adequately secure IT systems connected to the physical world, Gartner has warned.

The analyst firm predicted that as many as 75% of business leaders could be held liable by 2024 due to increased regulations around so-called “cyber-physical systems” (CPSs) such as IoT and operational technology (OT).

Gartner defines CPSs as “engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.”

In this world, cyber-attacks can lead to human fatalities rather than mere data loss or service outages. For example, a medical device could be hijacked to prevent life-saving drugs from being dispensed, or a connected car could be remotely directed to crash.

Gartner argued that the financial impact of such attacks on CPSs resulting in fatalities could reach as much as $50 billion by 2023.

“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.

“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”

However, at present, many business leaders aren’t even aware of the scale of CPS investment in their organization, often because projects have happened outside of the control of IT, said Gartner.

This is where technology leaders in the organization must step up to help CEOs understand the risks that CPSs represent, and why more budget needs to be allocated to operational resilience management (ORM) in order to secure them, argued Thielemann.

“The more connected CPSs are, the higher the likelihood of an incident occurring,” she added.

Categories: Cyber Risk News

US Jails Racist Cyber-stalker

Tue, 09/01/2020 - 16:31
US Jails Racist Cyber-stalker

A white supremacist from Florida has been sentenced to 41 months in prison for threatening an African American who announced his candidacy for city council; he was also convicted of cyber-stalking another victim.

In April 2020, Daniel McMahon pleaded guilty to using social media platform Gab to threaten a man identified in court as D.G. after learning in January 2019 that D.G. planned to run for Charlottesville City Council in Virginia.

McMahon also admitted using Facebook messaging app Messenger to cyber-stalk a female political activist described in court documents as Victim 2. 

Using a Facebook account in which he called himself "Restore Silent Sam," McMahon threatened to sexually assault Victim 2's daughter, a minor who has been diagnosed with autism. 

The convicted cyber-stalker admitted that, at around the same time that he was sending these threats to Victim 2, he was searching online for content relating to sexual contact with girls who have autism.

McMahon masked his identity while online by using the pseudonyms “Jack Corbin,” “Pale Horse,” “Restore Silent Sam,” and “Dakota Stone." Under these names, the 32-year-old actively promoted white supremacy, posted racial slurs, and expressed support for racially motivated violence. 

“Americans have the right to run for office in this country without facing racially-bigoted threats of violence,” said Assistant Attorney General Eric Dreiband for the Civil Rights Division. 

“Furthermore, no American should have to live with hateful threats of sexual violence."

Following his term of incarceration, McMahon will be placed on three years of supervised release, during which time he will be prohibited from using internet-capable devices without prior court approval.

“The hallmark of our Nation’s democracy is the right to peacefully protest and engage in an effective exchange of ideas via the political process,” said US Attorney Maria Chapa Lopez for the Middle District of Florida. 

“When either of these rights are infringed [upon], and individuals are targeted, intimidated, or threatened because of their race/ethnicity or beliefs, the cornerstone of our system is put at risk. Today’s sentence demonstrates our intent to work together to preserve our Nation’s founding principles and ensure that all citizens are protected under the law."

Categories: Cyber Risk News

Cyber-Attack on Norwegian Parliament

Tue, 09/01/2020 - 16:09
Cyber-Attack on Norwegian Parliament

A number of ministers have had their email accounts hacked in a cyber-attack on Norway's parliament, the Storting. 

The Norwegian parliament's director, Marianne Andreassen, confirmed that threat actors had targeted the parliament last week.

"This has been a significant attack," Andreassen said. 

Unauthorized individuals managed to gain access to the email accounts of several elected members of parliament and also to some accounts belonging to parliament employees. 

Speaking at a press conference earlier today, Andreassen did not specify how many accounts had been hacked but said that a "limited number" of ministers and employees had been impacted by the incident. 

Individuals whose accounts were exposed in the attack have been informed, and a report has been filed with the Norwegian police.

A spokesman for Norway's main opposition party, the Labour Party, told public broadcaster NRK that the attack had impacted several Labour Party members and staff.

After the incident was discovered, the Norwegian National Security Authority (NSA) was brought in to counter the attack and get to the bottom of what had happened

"We have been involved for a few days," said NSA spokesman Trond Oevstedal. "We are assisting parliament with analysis and technical assistance."

Andreassen said that the parliament had discovered "anomalies a little more than a week ago."

"A number of risk-reducing immediate measures were implemented to stop the attack," said Andreassen. "These measures had an immediate effect."

In a statement issued earlier today, the Storting said that the attackers had made off with an unspecified amount of information.

It read: "Burglary has been registered in the email accounts of a small number of parliamentary representatives and employees. Our analyses show that different amounts of data have been downloaded."

No information has been released regarding what kind of cyber-attack was perpetrated against the Norwegian parliament or who was responsible for it. 

"We don't know who's behind it," Andreassen told reporters.

"We take the matter very seriously, and we have full attention to analyzing the situation to get an overall picture of the incident and the potential extent of damage."

The website of the Storting, Norway's single-chamber parliament, was functioning normally on Tuesday after news of the cyber-attack was released.

Categories: Cyber Risk News

BlueVoyant Increases Cybersecurity Expertise Through New Board Appointments

Tue, 09/01/2020 - 16:01
BlueVoyant Increases Cybersecurity Expertise Through New Board Appointments

Cybersecurity services company BlueVoyant has today announced a range of high profile appointments across its board of directors and advisory board.

With immediate effect, Deborah Plunkett and Ariel Litvin have joined the firm’s board of directors while Ronald Moultrie has been made vice president of its advisory board.

The appointments are designed to add substantial extra industry knowledge and experience to the business as it looks to continue its growth.

Plunkett is currently principle of the consultancy Plunkett Associates LLC, as well as senior fellow at Harvard and a professor at the University of Maryland. In more than 30 years as a cybersecurity leader, Plunkett has previously held the post of director of information assurance as the National Security Agency (NSA) and was on the National Security Council at the White House for two administrations.

Litvin, who is the CISO of a global multi-billion dollar private manufacturing company, has expertise in addressing complex business and compliance-related issues faced by modern organizations.

Moultrie, who is joining BlueVoyant’s advisory board, is currently on the boards of Altamira Technologies Corporation, iCapital Network, the National Intelligence University, Sequoia Inc. and The Better Angels Society in addition to being senior advisor to MITRE, Pallas, and Resolute Consulting. Previously, Moultrie was a senior national security official who spent over three decades serving the US government. He has also held a senior position at the Central Intelligence Navy (CIA) and was the NSA’s director of operations.

Jim Rosenthal, co-founder and CEO of BlueVoyant commented: “We are very excited to welcome Debora and Ariel to our Board and delighted that Ron has joined our Advisory Board.

“Breadth of skills, backgrounds and experiences make us a stronger company. Because of their extraordinary talent and accomplishments, the three people joining us have many cyber-related opportunities - we are really pleased that they have chosen to join BlueVoyant.”

Categories: Cyber Risk News

Skimming Attack Hits American Payroll Association

Tue, 09/01/2020 - 15:31
Skimming Attack Hits American Payroll Association

The American Payroll Association (APA) has issued a data breach notification after being hit by a skimming attack.

Threat actors installed skimming malware on both the login web page of the APA website and the checkout section of the association's online store by exploiting a vulnerability in the APA’s content management system.

The data security incident was discovered "on or around July 13, 2020." An investigation by the APA's IT team uncovered unusual activity on the APA site dating back to May 13, 2020.

As a result of the attack, unauthorized individuals gained access to login credentials, personal information, including names and dates of birth, and individual payment card information. 

A security incident notice sent to customers by the APA in August and signed by the association's senior director of government and public relations, Robert Wagner, states: "The unauthorized individuals gained access to login information (i.e., username and password) and individual payment card information (i.e., credit card information and associated data). 

"By way of account access, the electronic fields that may have been accessed include: First and Last Names; Email Address; Job Title and Job Role; Primary Job Function and to whom you 'Report'; Gender; Date of Birth; Address (either business or personal), including country, province or state, city, and postal code; Company name and size; Employee Industry; Payroll Software used at Workplace; Time and Attendance software used at work."

Cyber-attackers were also able to access profile photos and social media username information contained in some accounts.

Since the attack, the APA has installed additional antivirus software on its servers, installed "the latest security patches from our content management system," and increased the frequency of patch implementation. 

Victims of the data breach have been offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.

"The APA is an attractive target for Magecart attackers since their members have access to tools and systems that contain payroll data for millions of individuals. The attackers can brute force other payroll systems using the same stolen credentials to find other account takeover targets," commented Ameet Naik, security evangelist at PerimeterX.

Categories: Cyber Risk News

Cyber-Criminals Mimicking Global Brand Domain Names to Launch Scams

Tue, 09/01/2020 - 15:25
Cyber-Criminals Mimicking Global Brand Domain Names to Launch Scams

Cyber-criminals are regularly mimicking the domain names of mainstream global brands to scam consumers, a practice known as cyber-squatting, according to a new study by Palo Alto Networks.

It found that the types of domains most commonly impersonated for malicious purposes relate to the most profitable companies worldwide, such as mainstream search engines and social media, financial, shopping, and banking websites. The primary purpose is to launch phishing attacks and scams on users in order to steal credentials or money.

Companies mimicked in the top 20 most abused domains in December 2019 based on adjusted malicious rate included PayPal, Apple, Netflix and Amazon.

Cyber-squatting is when domain names are registered that try to trick users into believing they are related to existing brands, typically by intentionally misspelling variants of their names. Whilst not always done with malicious intent, many of these domains pose a cyber-risk to visitors, and the practice is illegal in the US.

According to Palo Alto Networks' analysis, 36.57% (5104) of squatted domain names registered in December 2019 had evidence of association malicious URLs within the domain or utilizing bulletproof hosting, while 18.59% (2595) were found to be malicious as they distributed malware or conducted phishing attacks. In total, 13,857 squatting domains were registered in December 2019, working out to an average of 450 per month.

The cybersecurity firm added that it observed “a variety of malicious domains with different objectives” in the period from December 2019 to date. Examples included a domain related to Amazon (amazon -india[.]online) specifically targeting mobile users in India to steal user credentials, a domain related to Samsung (samsung eblya iphone [.]com) that aimed to steal credit card information by hosting Azorult malware and domains related to Walmart (walrmart 44[.]com) and Samsung (samsung pr0mo[.]online) that distributed potentially unwanted programs such as spyware and adware.

Palo Alto Networks commented: “Domain squatting techniques leverage the fact that users rely on domain names to identify brands and services on the Internet. These squatting domains are often used for nefarious activities, including phishing, malware and PUP distribution, C2 and various scams.”

It advised: “We recommend that enterprises block and closely monitor their traffic, while consumers should make sure that they type domain names correctly and double-check that the domain owners are trusted before entering any site.”

Categories: Cyber Risk News

Chinese Researcher Arrested in Illegal Tech Theft Probe

Tue, 09/01/2020 - 10:25
Chinese Researcher Arrested in Illegal Tech Theft Probe

A researcher at the University of California with ties to the People’s Liberation Army (PLA) has been arrested and charged after allegedly destroying evidence.

Chinese national Guan Lei, 29, of Alhambra, faces a maximum sentence of 20 years in a federal prison after being charged with deliberately destroying a hard drive in order to obstruct an FBI investigation.

Guan, who was in the US on a J-1 non-immigrant visa, was suspected of transferring software or technical data to China’s National University of Defense Technology (NUDT), and was also being investigated for apparently lying about his military ties on a 2018 visa application, and in interviews with officers.

He apparently later admitted to receiving military training and wearing military uniforms whilst at NUDT. That same university was placed on a US entity list after being “suspected of procuring US-origin items to develop supercomputers with nuclear explosive applications,” according to an affidavit.

It is also claimed that one of Guan’s faculty advisors at NUDT was also a lieutenant general in the PLA who developed computers used by the Chinese army and Air Force, as well as military weather forecasts and nuclear technology.

Guan is said to have been observed throwing a hard drive into a dumpster outside his apartment on July 25, shortly before attempting to board a flight to China.

According to the affidavit, the hard drive “was irreparably damaged and that all previous data associated with the hard drive appears to have been removed deliberately and by force.”

Guan refused a request by FBI officers to examine his laptop and was subsequently denied permission to board the plane.

The news comes amidst a US crackdown on Chinese students fuelled by suspicions that Beijing forces legitimate students to spy for their country and sneaks military operatives into the US as students to do the same.

In January, an indictment was issued for another former NUDT ‘student’, Yanqing Ye, who was subsequently found to be a PLA lieutenant, and Zaosong Zheng, who tried to smuggle biological research out of the US. Both were students in Boston.

Categories: Cyber Risk News

Iranian Hackers Advertise on Dark Web

Tue, 09/01/2020 - 09:21
Iranian Hackers Advertise on Dark Web

A suspected Iranian state-backed group appears to have been moonlighting to drive additional income, according to a new report from CrowdStrike.

The security vendor claimed that the newly discovered Pioneer Kitten has been active since at least 2017 and is mainly focused on stealing intelligence which would be strategically useful to Tehran.

However, it is more likely to be a contractor than directly government employed, according to CrowdStrike senior intelligence analyst, Alex Orleans. This is because there’s evidence that the group has recently been advertising its wares on underground forums, in particular, access to compromised networks.

“That activity is suggestive of a potential attempt at revenue stream diversification on the part of Pioneer Kitten, alongside its targeted intrusions in support of the Iranian government,” Orleans argued. As such, it usually targets healthcare, government, technology and defense firms.

The group itself is said to favor exploits of remote, internet-connected external services and open source tooling.

“The adversary is particularly interested in exploits related to VPNs and network appliances, including CVE-2019-11510, CVE-2019-19781, and most recently CVE-2020-5902; reliance on exploits such as these lends to an opportunistic operational model,” Orleans continued.

“Pioneer Kitten’s namesake operational characteristic is its reliance on SSH tunnelling, through open-source tools such as Ngrok and the adversary’s custom tool SSHMinion, for communication with implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP).”

Some of the listed CVEs exploited by the group tie to bugs in products from Pulse Secure and Citrix which were widely exploited earlier this year, notably in ransomware attacks.

Pioneer Kitten’s targets so far have been located mainly in North America and Israeli, according to CrowdStrike. The group is also known by the monikers “Parasite,” "UNC757,” and “Fox Kitten."

Categories: Cyber Risk News

BEC Wire Transfer Losses Soar 48% in Q2 2020

Tue, 09/01/2020 - 08:27
BEC Wire Transfer Losses Soar 48% in Q2 2020

Wire transfer losses from Business Email Compromise (BEC) have soared by over 48% from the previous quarter to hit an average of more than $80,000, according to Agari.

The security vendor’s findings were revealed in the latest Phishing Activity Trends Report from the Anti Phishing Working Group (APWG).

Agari noted that BEC losses involved in bank transfer attacks jumped significantly from the $54,000 recorded in the first quarter, although these accounted for just 18% of total attacks.

Gift cards were the most popular way for scammers to monetize attacks, with BEC attackers requesting these in two-thirds (66%) of raids. Cards from eBay, Google Play, Apple iTunes, and Steam Wallet accounted for the vast majority (70%) of attacks.

However, gift card scams don’t net attackers much: the average amount requested by scammers dropped from $1,453 in the first quarter of 2020 to $1,213. Just 16% of BEC attacks were recorded as requesting “payroll diversions,” down from 25% in Q3 2019.

Despite the majority of attacks targeting users with fairly modest requests for money, some groups are continuing to push the boundaries.

One Russian cybercrime group known as Cosmic Lynx demands an average of nearly $1.3 million per BEC attack, according to Agari. As previously reported by Infosecurity, the group has been involved in over 200 BEC campaigns since July 2019, targeting executives in 46 countries.

Agari has in the past also warned of BEC gangs from West Africa operating highly sophisticated campaigns.

According to the FBI’s annual report, BEC continued to be the biggest money-maker for cyber-criminals last year, accounting for over half of all losses to cybercrime.

BEC scammers made almost $1.8 billion in 2019, over half the $3.5 billion total, according to the FBI’s 2019 Internet Crime Report. That’s up from around $1.3bn and a total of $2.7bn in 2018.

Categories: Cyber Risk News

Internet Outage Causes Chess Championship Draw

Mon, 08/31/2020 - 14:55
Internet Outage Causes Chess Championship Draw

The final game in yesterday's online Chess Olympiad was declared a draw after a widespread internet outage interrupted play. 

An issue at internet service provider CenturyLink has been blamed for global connectivity problems that disrupted the tournament and caused issues for Cloudflare, Hulu, Reddit, EA, Steam, the PlayStation Network, Xbox Live, Feedly, Discord, and dozens of other services on Sunday morning. 

Competing chess teams from India and Russia had been battling it out for victory after a 3–3 tie in the first round when the outage struck. Two of the Indian players, Nihal Sarin and Divya Deshmukh, lost connection toward the end of the game, subsequently losing on time.

A spokesperson for the Olympiad said: "It is very unfortunate that technical difficulties got in the way of the final. Until that moment, the match between India and Russia had been one of the most thrilling and balanced seen at the 2020 Online Chess Olympiad."

The Russians were initially declared the winner of the competition, but the Indian team lodged an appeal.

"The Appeals Committee examined all the evidence provided by, as well as information gathered from other sources about the Cloudflare crash that caused the outage. After being informed of their considerations and in absence of a unanimous verdict, the FIDE President made the decision to award Gold Medals to both teams," said the spokesperson.

The shared victory represents India's first ever win in a Chess Olympiad and Russia's first victory since 2002. 

The historic tournament, which nowadays is battled out every two years, has been running 1927.

In a message shared on Twitter on Sunday morning, Cloudflare said it was "aware of network related issues caused by a third-party transit provider incident" and was "working to mitigate the problem."

"Today we saw a widespread Internet outage online that impacted multiple providers," said John Graham-Cumming, Cloudflare CTO. "Cloudflare's automated systems detected the problem and routed around them, but the extent of the problem required manual intervention as well."

CenturyLink confirmed to CNN that an IP outage impacting content delivery networks (CDNs) had occurred on Sunday morning. The company said that all services had been restored by 11:12 am ET.

Categories: Cyber Risk News

Android Users Bugged by Fake Popups

Mon, 08/31/2020 - 14:24
Android Users Bugged by Fake Popups

Google Android users were pestered last week by a series of fake notifications popping up on their devices.

According to Paul Ducklin of Naked Security by Sophos', the string of phony popups first became an annoyance for users of the Google Hangouts app before bothering users of Microsoft Teams.

"Users all over the world, and therefore at all times of day (many users complained of being woken up unnecessarily), received spammy looking messages," wrote Ducklin in a blog post published on August 28.

"To be clear, it wasn’t Microsoft testing notifications in the Teams app for Android. The bogus alerts caught the software giant off guard, too."

From their content, the notifications don't appear to be malicious or criminal in intent. No dubious links or calls to action were included, with messages simply stating the header "FCM Messages" followed by the text "Test Notification!!!!" 

Pondering the identity of the sender and their motive, Ducklin commented: "The messages did indeed look like some sort of test—but by whom, and for what purpose?

"The four exclamation points suggested someone of a hackerish persuasion—perhaps some sort of overcooked 'proof of concept' (PoC) aimed at making a point, sent out by someone who lacked the social grace or the legalistic sensitivity of knowing when to stop."

Ducklin suggests that the spate of fake notifications may be connected to a recent discovery made by a cybersecurity researcher and bug bounty hunter calling themself “Abbs.” On August 17, Abbs claimed to have earned $30K for identifying a coding vulnerability in numerous Android apps that could enable someone to highjack the Firebase Cloud Messaging (FCM) service.

Describing the weakness, Abbs exclaimed: "A malicious attacker could control the content of push notifications to any application that runs the FCM SDK and has its FCM server key exposed, and at the same time send these notifications to every single user of the vulnerable application!

"These notifications could contain anything the attacker wants including graphic/disturbing images (via the 'image': 'url-to-image' attribute) accompanied with any demeaning or politically inclined message in the notification!"

The author of the notifications, which were promptly halted by Google and Microsoft, has yet to be identified.

Categories: Cyber Risk News

Fastly to Acquire Signal Sciences

Mon, 08/31/2020 - 13:40
Fastly to Acquire Signal Sciences

California edge cloud computing company Fastly has entered into a definitive agreement to acquire American cybersecurity company Signal Sciences.

Stock in Fastly rose by over 7% to $95.98 a share following the announcement of the impending $775m deal on Thursday morning. 

Under the terms of the agreement, Signal Sciences will be acquired for $200m in cash and Class A Common Stock worth roughly $575m. The transaction is due to be completed before the end of the year. 

Signal Sciences is a web application security company headquartered in Culver City, California. It was founded in 2014 by CEO Andrew Peterson, CTO Nick Galbreath, and CSO Zane Lackey following firsthand experience of the digital transformation and security challenges faced by Etsy. 

"We struggled with attempting to protect our key web applications and APIs as the legacy web application firewalls that were on the market caused more problems than they solved and slowed down our engineering and DevOps teams," said Peterson. 

"Out of necessity, we built our own solution to protect Etsy’s applications and recognized a new approach was badly needed not just by us, but by any company embracing DevOps and digital transformation."

Signal Sciences currently provides security to over 40,000 web applications, protecting trillions of web requests per month for household brands in every business vertical from finance to media to healthcare to manufacturing. 

The company has a Net Promoter Score of 83 and is described by Peterson as "one of the fastest-growing web application security companies in the world."

Fastly offers an edge cloud platform and is the creator of a software-defined network capable of handling an impressive 800+ billion requests per day. The company was founded in 2011 and is headquartered in San Francisco. 

“Now, as the digital transformation movement continues to accelerate, DevOps teams are struggling with inadequate and inflexible security tools,” said Joshua Bixby, chief executive officer of Fastly. 

“Together with Signal Sciences, we will give developers modern security tools designed for the way they work. This new solution will integrate with our Compute@Edge platform, accelerating the adoption of edge computing, while simultaneously solving for modern security challenges."

Categories: Cyber Risk News

Jakarta Cyber-attacks Touted as Political Plot

Fri, 08/28/2020 - 17:38
Jakarta Cyber-attacks Touted as Political Plot

A government ministry in Jakarta has suggested that a recent spate of cyber-attacks against its critics could be an attempt by a third party to turn public opinion against the government. 

This month, the Southeast Asia Freedom of Expression Network (SafeNet) recorded six cyber-attacks against high-risk groups such as journalists, academics, and activists. 

One attack was on Pandu Riono, an epidemiologist from the University of Indonesia, whose Twitter account was hacked. In other incidents, cyber-criminals targeted the websites of two major media outlets, and, defacing their websites. 

Speaking during a Ngobrol @Tempo online discussion on Thursday, August 2, SafeNet executive director Damar Juniarto said that the August cyber-attacks were directed at figures who had criticized the Jakarta government’s handling of the COVID-19 health crisis. 

Juniarto added that similar digital attacks had been carried out previously on people, usually activists or academics, who had criticized Papuan issues and the controversial revision of the Corruption Eradication Commission Law in 2019.

The Communications and Information Ministry has urged the public not to attribute the August cyber-attacks to the Jakarta government. A ministry spokesperson said that there is no evidence to suggest that the government is responsible for these crimes.

“Don't be too quick and premature in accusing someone of being behind it without any evidence, this could be a third party who wants to create a confrontation. Who can prove that without any data?" said Semuel Abrijani Pangerapan, director-general of application and informatics at the ministry.

He added, “Let’s work together because someone may do that to make a fight between us, between the government and civil group coalitions."

Speaking during the same Ngobrol @Tempo online discussion on Thursday, August 27, the minister said that the hacking of news media outlets and social media accounts was a global phenomenon and that such crimes could be committed by anyone, anywhere. 

"We have digital forensic experts if anyone needs our help to investigate," Semuel offered. 

Commenting after the hack on, Chief Editor Setri Yasra told The Jakarta Post, “We condemn anyone who tries to interfere with the work of the media. Press products are not always perfect, but we have a controlled mechanism, we have a press council to go to."

Categories: Cyber Risk News

US Moves to Forfeit 280 Crypto Accounts

Fri, 08/28/2020 - 16:53
US Moves to Forfeit 280 Crypto Accounts

The United States is trying to forfeit 280 cryptocurrency accounts tied to cyber-attacks on two virtual currency exchanges, which were allegedly perpetrated by North Korean threat actors.

According to a civil forfeiture complaint filed by the Justice Department yesterday, malicious actors stole millions of dollars’ worth of cryptocurrency and ultimately laundered the funds through Chinese over-the-counter (OTC) cryptocurrency traders. 

The complaint alleges that in July 2019, an actor tied to North Korea hacked a virtual currency exchange and stole over $272,000 worth of cryptocurrencies and tokens, including Proton Tokens, PlayGame tokens, and IHT Real Estate Protocol tokens.  

Stolen funds were converted into other forms of cryptocurrency in a process known as chain hopping to obfuscate the money trail. The currency was then laundered through several intermediary addresses and other virtual currency exchanges. 

It is further alleged that the hacker stole nearly $2.5m from a US company's virtual currency wallets in September 2019, then laundered it through over 100 accounts at another currency exchange.

The complaint follows related criminal and civil actions announced by the department in March this year regarding the theft of $250m in cryptocurrency through other exchange hacks by North Korean actors.

“Today’s action publicly exposes the ongoing connections between North Korea’s cyber-hacking program and a Chinese cryptocurrency money laundering network,” said Acting Assistant Attorney General Brian Rabbitt of the Justice Department’s Criminal Division. 

Assistant Attorney General John Demers of the Justice Department’s National Security Division said that while the forfeiture of the accounts could bring some relief to victims, it would do nothing to stop North Korea from committing cybercrimes against the financial industry. 

“Today, prosecutors and investigators have once again exemplified our commitment to attribute national security cyber-threats, to impose costs on these actors, and bring some measure of relief to victims of malicious cyber activities,” said Demers yesterday.

“Although North Korea is unlikely to stop trying to pillage the international financial sector to fund a failed economic and political regime, actions like those today send a powerful message to the private sector and foreign governments regarding the benefits of working with us to counter this threat.”

Categories: Cyber Risk News

DNC Warns Staffers of Romance Scam

Fri, 08/28/2020 - 16:17
DNC Warns Staffers of Romance Scam

The Democratic National Committee sent out a nationwide alert on Wednesday warning romance-seeking campaign staffers to be wary of what information they reveal to people they match with on dating apps.

Staffers were instructed to "swipe carefully" and to "trust but verify" any facts they were supplied with by prospective partners. They were also told to use the internet to carry out background searches on their potential mates. 

The DNC said it issued the warning after receiving reports that "opposition groups may be trying to 'sting' or infiltrate Democratic campaigns or organizations through dating sites."

To dissuade staffers from sharing content that could be potentially damaging to Biden's chances of becoming the 46th president of the United States, the emailed alert warned them not to "put anything out there that you wouldn’t mind the opposition seeing." 

Staffers were encouraged to imagine what would happen in the event that the "video calls, text messages, emails, photos, or DMs" they shared with a potential amor ended up on the front cover of left-leaning newspaper the New York Times.

In a move that appears to put the reputation of the Democratic party ahead of Americans' right to free speech, campaign staffers were ordered to "think twice about saying things that could be taken out of context to the detriment of our collective efforts."

According to the alert, signs that a dating match might be seeking for information rather than for a soulmate included the asking of questions geared toward the election, campaign, candidate, or opposition. 

“Any app including messaging, social media and email create opportunities for campaign staff to be targeted by phone spear phishing attacks,” commented Tim LeMaster, systems engineering director at Lookout

The timing of the socially engineered cyber-threat warning comes as the US general election campaigns approach the final furlong. With just under 70 days to go until voting begins, the DNC wrote: "We can expect our adversaries both foreign and domestic to dial up the heat."

A DNC official told The Hill that the alert was "nothing new and part of an ongoing effort to educate campaign staffers about where bad actors may exist online, how they may use social engineering tactics to gain access to information, and remind our campaign staffers to stay vigilant."

Categories: Cyber Risk News

Housemates Regularly Share Access to Online Accounts

Fri, 08/28/2020 - 14:00
Housemates Regularly Share Access to Online Accounts

Nearly half (46%) of people are comfortable sharing streaming services with members of their households, according to a new study by Kaspersky.

The analysis also showed that a third (33%) of those surveyed admitted to sharing access to their online retail services with housemates, such as eBay or Amazon Prime, while 30% allow access to their food delivery accounts and online gaming subscriptions.

Although practices such as sharing passwords can be more convenient, they also heighten the risk of account holders having their personal details accessed or stolen by cyber-criminals. Last month, a study by Akamai found that password sharing and recycling are the two largest contributing factors in credential stuffing attacks against the media industry.

Worryingly, just under a third (32%) revealed they are unsure of the safety of their online accounts because they don’t know about their housemates’ digital behaviors.

Additionally, 43% stated they are concerned about the effect of increased online activity through streaming services or gaming because of sharing accounts with other members of their households. Almost a quarter (24%) said they are worried that their housemates’ digital habits will affect the speed of their internet.

Andrew Winton, vice-president, marketing at Kaspersky, commented: “Living in shared accommodation is common in modern life and many households have to share their internet connection and access to various services. We often build friendships with our housemates, making it easy to share online services, so everyone can benefit without hassle.

“Unfortunately, if we don’t pay attention to how we share our personal details, even with our own housemates, the more likely it is for them to be discovered by people or groups we do not trust. To help make sure this does not happen, some services have specific policies in place to help multiple people use a single subscription without needing to share passwords. Whether you live with others or not, we would always recommend that you keep your devices and credentials protected with strong cybersecurity solutions to make sure your information remains safe.”

Categories: Cyber Risk News

Fake Login Page Detections Top 50,000 in 2020

Fri, 08/28/2020 - 12:30
Fake Login Page Detections Top 50,000 in 2020

Over 50,000 fake login pages were detected in the first half of 2020, with some able to be polymorphic and represent different brands.

According to research from Ironscales, fake login pages are commonly used to support hacks and spear-phishing campaigns, and its researchers found more than 200 of the world’s most prominent brands were spoofed with fake login pages.

It also found nearly 5% (2500) of the 50,000+ fake login pages were polymorphic, with one fake login able to represent more than 300 different login pages.

Ironscales’ Brendan Roddas explained polymorphism occurs when an attacker implements “slight but significant and often random change to an emails’ artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed.”

This allows attackers to quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats, ultimately allowing different versions of the same attack to land undetected in employee inboxes. In this research, Microsoft and Facebook led the list with 314 and 160 permutations, respectively.

The research also determined the brand with the largest number of fake login pages to be PayPal with 11,000, followed by Microsoft with 9500 and Facebook with 7000.

Ironscales said the most common recipients of fake login page emails work in the financial services, healthcare and technology industries as well as at government agencies.

Commenting, Chris Hauk, consumer privacy champion at Pixel Privacy, said: “We see fake login pages being used for one very good reason: they work. As long as users fall for this trick, the bad actors of the world will continue to use them.

“Perhaps the best way to fight these fake login pages is to better educate users as to the hazards of such pages and how to best identify when a fake login page is being visited. I also suggest using utilities that can identify such pages, such as Ironscales URL and link scanner.” 

Niamh Muldoon, senior director of trust and security at OneLogin, highlighted the main reasons why fake logins work: firstly there is still a huge lack of cybersecurity education, training and awareness amongst the internet end user community globally. “This gap in end user knowledge has grown significantly over the last six months with the pandemic,” she said. “While we have asked the public to upend their lives and transfer it online to help them maintain social distancing and keep them physically safe, many do not have the knowledge to keep themselves cyber-safe.”

Secondly, there is a lack of governance associated with website creation, domain registration and associated management. She said: “This includes verifying the integrity of sites and/or domains in a proactive fashion. While there are clear procedures and processes to have websites and domains taken down where they contain malware and/or are not legitimate, these processes are extremely time consuming, resulting in end users being exposed in the time between the fake pages appearing and the domains and IPs being blacklisted or taken down.”

However, she said “trust and security platform leaders in this field are making the threat landscape harder to traverse for malicious attackers, through clever security consciousness messaging on legitimate login pages.” She recommended partnering with a trusted identity partner that provides multi-factor authentication to reduce the risk of account compromise via these fake login pages/sites. “Ultimately, a global task force and international collaboration is needed to implement regulations associated with domain and website registration and management, to stop these sites appearing in the first place,” she added.

Hugo van der Toorn, manager offensive security at Outpost24, said this is not about attacks targeted against your company, but the names, trademarks and overall recognition of the brands which are used to achieve certain goals. “As organizations, we need to facilitate the swift reporting and follow-up on phishing attempts that infringe our brands and threaten our customers and ultimately our reputations. After receiving a positively identified phishing attempt, we need to be able to issue a notice and takedown and, within hours, shut down this one phishing campaign,” he said.

“It’s not about stopping all phishing and training employees until no one clicks. It is all about responding swiftly and adequality on behalf of the people that do recognize and report these phishing attempts.”

Categories: Cyber Risk News

30+ #COVID19 Spam Emails Analyzed Every Minute

Fri, 08/28/2020 - 11:30
30+ #COVID19 Spam Emails Analyzed Every Minute

A COVID-19 domain is blacklisted every 15 minutes, while 35 COVID-19 spam emails are analyzed per minute. 

That’s according to research by RiskIQ, which determined the top threats in 2020 and discovered that cybercrime costs organizations around $24.70 every minute, while the average cost of a malicious attack is $4.95 a minute. Therefore, cybercrime will have a per-minute global cost of $11.4m (£8.7m) by 2021, a 100% increase since 2015.

“These stats show threat activity is widespread, but also show the power of threat intelligence in defending the enterprise,” said RiskIQ CEO Lou Manousos. “More knowledge, greater awareness and an increased effort to implement necessary security controls make a huge difference in stopping these threat actors in their tracks.”

Statistics showed there are 375 new threats every minute, a new vulnerability disclosed every 24 minutes and 16,172 records compromised per minute. There is also a new Magecart attack, the credit card skimming attack vector RiskIQ initially discovered in 2018, every 16 minutes,

Asked how many COVID-19 domains they typically see in a day, Steve Ginty, director of threat intelligence at RiskIQ, said: “We see thousands of new COVID-19 domains stood up each day. Attackers always use current events in their campaigns, and something as ubiquitous and impactful has COVID-19 has proven to be particularly useful to them, which is why we see such a large-scale proliferation of threat infrastructure related to COVID-19.”

With regards to the Magecart attacks, Ginty said RiskIQ systems detect dozens of instances of Magecart activity every day. “We are unable to tell how many victims attackers claim in these attacks, but getting their code onto a website is their primary goal and a good indicator that malicious activity has taken place,” he said.

Categories: Cyber Risk News