Info Security


Only Half of UK Firms Have Cloud Security Policy

Wed, 01/17/2018 - 10:17

Less than a third (32%) of global organizations believe cloud security is a shared responsibility, with a similar number (34%) claiming it’s up to the cloud provider, according to new research from Gemalto.

The security firm’s 2018 Global Cloud Data Security Study revealed a worrying lack of awareness and security controls when it comes to protecting sensitive data in public cloud environments.

UK IT practitioners do not fare well: just 35% said they’re careful about sharing sensitive info with third parties via the cloud, while only half have security policies for cloud data — versus 61% and 65% of German respondents.

Most organizations globally believe payment information (54%) is at risk in the cloud, with 49% claiming the same for customer data, but half (49%) said cloud services actually make it more difficult to protect sensitive data.

Part of the problem lies with visibility: just 43% of IT practitioners globally said they were confident they know all the cloud services running in their organization, rising to 56% in the UK. Gemalto claimed over half (53%) of corporate cloud data on average is not managed or controlled by IT.

This could spell problems, with over half (57%) of respondents claiming the cloud increases compliance risks.

That’s especially concerning given that the forthcoming GDPR lands in May. The regulation is clear that any breaches in the cloud are the responsibility of both the data controller and the processor (CSP).

Joe Pindar, Gemalto director of product strategy, told Infosecurity that organizations must take responsibility for the data they collect and store, because “it only takes one hacker to get through to cause a major issue.”

"If GDPR doesn't compel organizations to have a mindset change towards data security in the cloud and across their entire network, then I don't know what will,” he added.

“The fear of being exposed, the cost, and the reputational damage should be enough to increase business implementation of techniques such as encryption and data pseudonymisation to protect consumers.”

However, less than half of IT professionals claimed to have a policy requiring safeguards like encryption.

Of those that do use it, just 52% claimed their organization is in control of the encryption keys.

Categories: Cyber Risk News

Meltdown, Spectre Patching Lags Thanks to AV Incompatibility

Tue, 01/16/2018 - 19:09

The race is on to patch machines against the Meltdown and Spectre CPU vulnerabilities, which affect nearly all operating systems and devices – but many organizations are lagging because Microsoft will not deliver a Windows update unless a certain registry key exists, in order to avoid serious incompatibility issues with antivirus software.

“Microsoft has acknowledged the update has incompatibility issues with third-party AV software and AMD processors, and has restricted delivery of the update accordingly,” explained Barkly researcher Jonathan Crowe, in a blog on the subject. “Specifically, it has made delivery of the Windows security updates contingent on the presence of a special registry key, which it has instructed all AV vendors to add to customer devices only after they've confirmed their products are compatible and won't cause system crashes.”

This is having real consequences: A Barkly survey of IT and security pros responsible for managing security updates at their organizations found that at half of the organizations, less than 25% of machines have received the update.

Further, 26% of respondents say they don't have any machines that have received the update, a week after it was first made available.

However, the onus to communicate the issue has been placed on the AV providers, which have done varying degrees of outreach on the issue: Only 42% of respondents in the survey said their AV vendor notified them regarding their product's compatibility with the patch.

Further, a third of IT pros that Barkly surveyed weren't fully aware of AV incompatibility issues, and nearly half (46%) weren't fully aware that Microsoft is requiring them or their AV vendor to create a registry key.

“This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it themselves, manually,” Crowe said. “The situation only gets more complicated considering many organizations have more than one AV solution installed.”

Nevertheless, 64% say they were able to determine their AV was compatible – and just 6% reported experiencing system crashes due to the update.

In terms of setting the registry key, 25% of respondents say their AV vendor added it for them, while 20% say their AV vendor recommended that they add it themselves, manually. Of those respondents who were advised to add the registry key manually, roughly 50% say they have already done so, though 59% expressed at least some concern the action might cause issues.

“In addition to creating confusion, these issues have made it frustratingly difficult for organizations to confirm whether or not their machines are in fact up to date with the latest protection from Meltdown and Spectre,” Crowe said. “Eighty percent of respondents say the update process hasn't been entirely clear, overall, and that lack of clarity is leaving many with questions and concerns. Two-thirds have expressed concern that this issue isn't fully under control.”

Categories: Cyber Risk News

Man Running 'Product Testing' Service for Malware Made Thousands

Tue, 01/16/2018 - 18:56

A UK man has confessed to running a 'product-testing' service that let hackers determine whether their malicious tools could beat antivirus scanners. In the process, he made thousands off the enterprise.

Following a joint investigation by the UK’s National Crime Agency (NCA) and cybersecurity firm Trend Micro, Goncalo Esteves, 24, of Cape Close, Colchester, Essex, admitted that he ran the website reFUD.me, which offered the testing service. Additionally, under the pseudonym KillaMuvz he also sold custom-made malware-disguising products (dubbed Cryptex Reborn and Cryptex Lite) for those that failed the test.

A month of Cryptex Lite cost $7.99, while a lifetime license for Cryptex Reborn cost $90. For that, Esteves threw in customer support via a dedicated Skype account.

Like any entrepreneur, Esteves advertised his wares. On the hackforums.net website, a well-known message board for cybercriminals, he described his offer as “a service that offers fast and reliable file-scanning to ensure that your files remain fully undetectable to anti-malware software.”

He accepted payment in conventional currency, Bitcoin or Amazon vouchers, and the NCA was able to determine that he made $44,100 from more than 800 PayPal transactions between 2011 and 2015. But the Bitcoin and Amazon voucher payments are untraceable, so it’s likely that he made much, much more.

In all, the NCA assessed that Esteves knew exactly what the criminal aims of his customers were and that he had profited from his criminality in selling them tools to carry those aims out.

“Esteves’s crimes weren’t victimless,” said Mike Hulett, head of operations at the NCA’s National Cyber Crime Unit, in an announcement. “His clients were most likely preparing to target businesses and ordinary people with fraud and extortion attempts. While offenders like Esteves try hard to stay hidden from law enforcement, NCA officers have the training and technical capability to detect them and put them before the courts. This is bolstered by strong partnerships with the private sector. We’re grateful to Trend Micro for their ongoing support in tackling cybercrime.”

Esteves pleaded guilty to two computer misuse offenses and a count of money laundering at Blackfriars Crown Court.

Categories: Cyber Risk News

Spurred by Bitcoin Appreciation, Financially Motivated Attacks Surge

Tue, 01/16/2018 - 18:22

The percentage of companies reporting financially motivated cyber-attacks has doubled over the past two years.

According to Radware’s 2017-2018 Global Application and Network Security Report, 50% of surveyed companies have experienced a cyber-attack motivated by ransom in the past year. As the value of Bitcoin and other cryptocurrencies – often the preferred form of payment among hackers – has appreciated, ransom attacks provide an opportunity for hackers to cash out for lucrative gains months later.

“The rapid adoption of cryptocurrencies and their subsequent rise in price has presented hackers with a clear upside that goes beyond cryptocurrencies’ anonymity,” said Carl Herberger, vice president of security solutions at Radware. “Paying a hacker in these situations not only incentivizes further attacks, but it provides criminals with the vital funds they need to continue their operations.”

The number of companies that reported ransomware attacks surged in the past year, increasing 40% from the 2016 survey. Companies don’t expect this threat to go away in 2018 either: One in four executives (26%) sees ransom as the largest threat to their business sector in the coming year.

“Criminals used various exploits and hacks this year to encrypt vital systems, steal intellectual property and shut down business operations, all with ransom demands attached to these actions,” Herberger said. “Between service disruptions, outages or IP theft, hackers are leaving businesses reeling, searching for solutions after a hack occurs. As hackers and their methods become increasingly automated, it is now more important than ever for organizations to be proactive in protecting their business.”

The report, which compiled vendor-neutral survey data from 605 IT executives spanning several industries around the globe, also found that businesses are most concerned with their data when hit with a cyber-attack. Respondents noted that data leakage was their top business concern, followed by reputation loss and service outages.

Despite one in four (24%) businesses reporting cyber-attacks daily or weekly, nearly 80% of surveyed organizations have not come up with a calculation for the cost of attacks, and one in three lack a cybersecurity emergency response plan.

Interestingly, a separate finding in the survey is that respondents are not quite sure who is responsible for internet of things (IoT) security. When asked who needs to take responsibility for IoT security, there was no clear consensus among security executives. Responses pinned responsibility on the organization managing the network (35% of responses), the manufacturer (34%) and the consumers using these devices (21%).

Categories: Cyber Risk News

New Mirai Variant Targets Billions of ARC-Based Endpoints

Tue, 01/16/2018 - 10:46

Security experts are warning of a new Mirai variant targeting ARC processors, which could have an even bigger impact than the notorious malware on which it is based.

RISC-based ARC processors are widely used in IoT and embedded systems and are said to ship in over 1.5 billion products each year.

The new threat — named Okiru, which is Japanese for “wake up” — was first spotted by MalwareMustDie researcher @unixfreaxjp and touted as the first ever malware developed for ARC systems.

At the time of writing, 20/59 AV tools on VirusTotal detected the ELF malware threat.

Another researcher, Odisseus, tweeted the findings:

“This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet.”

However, it’s important to note that this Okiru is not the same one as that also linked to the Satori IoT botnet used to attack Huawei routers last month.

A Reddit thread explains the differences.

“Okiru variant's config is encrypted in two parts w/ telnet bombardment password encrypted, Satori does not split it in 2parts and doesn't encrypt brute default passwords,” it explains. “Also Okiru's telnet attack login information is a bit longer (can be up to 114 credentials, max counted), while Satori is having different and shorter database.”

Mirai caused huge damage when it was made open source in 2016, compromising IoT devices protected only by default credentials and conscripting them into a botnet.

Despite comprising little more than 100,000 endpoints, it managed to take some of the internet’s biggest names offline after hitting service provider Dyn.

There’s the potential to wreak even more havoc for businesses around the world if it can do the same to ARC-based endpoints.

Categories: Cyber Risk News

Ransomware Forces Indiana Doctors to Use Pen and Paper

Tue, 01/16/2018 - 09:57

An Indiana healthcare organization (HCO) has the dubious honor of becoming the first in 2018 to be forced offline by ransomware.

Hancock Health suffered the attack at around 9.30 pm last Thursday, local time, the HCO revealed in a statement yesterday.

The amount of Bitcoin demanded and the type of ransomware used are at present unknown. However, local reports at the time claimed that the entire network was affected – including 20 physician offices, wellness centers, hospitals and other facilities – forcing doctors, nurses and admin staff back to using pen and paper.

The HCO appears to have recovered remarkably quickly from the incident, presumably restoring from back-ups.

Its statement continued:

“Through the effective teamwork of the Hancock technology team, an expert technology consulting group, and our clinical team, Hancock was able to recover the use of its computers, and at this time, there is no evidence that any patient information was adversely affected. Hancock is continuing to work with national law enforcement to learn more about the incident. We plan to provide additional information to our community regarding this act soon.”

HCOs are thought to be particularly vulnerable to ransomware, given their large number of diverse endpoints and users, sometimes poor levels of cybersecurity, and the criticality of IT systems.

The NHS was famously hit hard by WannaCry in May 2017, with an estimated 19,000 operations and appointments cancelled as a result.

“As all good healthcare professionals know, prevention is better than treatment,” argued Infoblox technology director, Gary Cox.

“All organizations must ensure that their security measures are up to scratch: from having all software patched and up-to-date and making sure users observe best practice, to deploying DNS effectively as an enforcement point to block ransomware.”

McAfee chief scientist, Raj Samani, added that the cybersecurity industry needs to improve its response to attacks on public services through better threat intelligence sharing.

“Traditionally many companies see their intelligence as a way of gaining a competitive advantage. However, as the amount of disruption continues to increase, 2018 needs to be the year where intelligence sharing after a successful attack becomes the norm,” he argued.

Categories: Cyber Risk News

Fraud Doubles in Two Years to Hit 700m Attempts

Tue, 01/16/2018 - 09:17

The volume of global fraud attacks has surged 100% over the past two years to reach 700 million in 2017 alone, according to ThreatMetrix.

The fraud prevention firm protects 1.4 billion users around the world and analyzes 100 million transactions each day, so its insight into the current landscape is invaluable.

In its ThreatMetrix Cybercrime Report 2017: A Year in Review, it claims that fraudsters are moving away from using stolen credit and debit cards, as these have a relatively short shelf life. Account creation attacks, carried out using a collection of stolen identity data, are now becoming more popular, with more than one in nine of all new accounts opened last year being fraudulent.

Automated bots are also becoming an increasingly popular way for fraudsters to test stolen identities, in order to increase their value on the dark web, or else to hijack existing accounts or open new ones.

They are frequently used in “low and slow” attacks designed to evade Web App Firewalls (WAFs), ThreatMetrix claimed.

The firm blocked 1.5 billion bot attacks in 2017, with some retailers experiencing daily traffic which is 90% comprised of bots.
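The "low and slow" point above is worth seeing in code: a rate rule tuned for bursts never fires on one signup every ten minutes, while the same sliding-window counter over a day-long window does. The following is an added example, not ThreatMetrix's code or data; the log lines are constructed, the IP addresses are documentation ranges, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_log() -> str:
    """Constructed account-creation log ("timestamp ip event" per line).

    - 198.51.100.7 opens one account every 10 minutes for four hours (low and slow)
    - 192.0.2.44 opens eight accounts inside one minute (a burst)
    - 203.0.113.5 is an ordinary user with one signup and one login
    """
    base = datetime(2018, 1, 16, 9, 0, 0)
    rows = []
    for i in range(24):
        rows.append((base + timedelta(minutes=10 * i), "198.51.100.7", "signup"))
    for i in range(8):
        rows.append((base + timedelta(seconds=5 * i), "192.0.2.44", "signup"))
    rows.append((base + timedelta(hours=1), "203.0.113.5", "signup"))
    rows.append((base + timedelta(hours=2), "203.0.113.5", "login"))
    rows.sort()
    return "\n".join(f"{ts.strftime('%Y-%m-%dT%H:%M:%S')} {ip} {ev}" for ts, ip, ev in rows)


def parse(log: str):
    """Yield (timestamp, ip, event) tuples from the text log."""
    for line in log.splitlines():
        ts, ip, event = line.split()
        yield datetime.fromisoformat(ts), ip, event


def flag_ips(events, window: timedelta, threshold: int) -> set:
    """Return the IPs that made at least `threshold` signups within any span
    of length `window`, using a two-pointer sliding window per IP."""
    by_ip = defaultdict(list)
    for ts, ip, event in events:
        if event == "signup":
            by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Drop timestamps that fell out of the window ending at t.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


# A burst rule (5 signups in 60 s) and a long-window rule (20 signups in 24 h):
# each catches what the other misses, so a WAF with only the first is blind to
# the slow account-creation pattern.
def burst_rule(log: str) -> set:
    return flag_ips(parse(log), timedelta(seconds=60), 5)


def slow_rule(log: str) -> set:
    return flag_ips(parse(log), timedelta(hours=24), 20)


if __name__ == "__main__":
    log = build_log()
    print("burst rule flags:", burst_rule(log))
    print("slow rule flags: ", slow_rule(log))
```

The design choice is that the same counter serves both rules; only the window and threshold differ. In practice the long window has to be kept as state across requests (a rolling store keyed by IP or, better, by device or identity signals), which is exactly the part a per-request WAF rule does not have.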

EMEA continues to be a hotbed for fraud, accounting for around 50% of all attacks spotted by ThreatMetrix last year. It also experienced an 80% increase in automated bot attacks.

As always, the continued deluge of data breach incidents is fueling the rise in global fraud, with spikes in fraud levels clearly linked to major incidents. ThreatMetrix claimed to have spotted “unprecedented spikes in irregular behavior” immediately after the Equifax breach.

With data breach incidents now becoming commonplace, the focus should be on protecting against downstream fraud so that leaked data can’t be used by online scammers, ThreatMetrix argued.

“With the volume and complexity of attacks increasing daily, businesses need to accurately differentiate customers from criminals in real time, without impacting transaction speeds or introducing unnecessary friction,” said ThreatMetrix VP, Vanita Pandey.

“By looking beyond static data – and drilling down to the dynamic intricacies of how people transact online – companies can continue to grow their digital businesses with confidence.”

Categories: Cyber Risk News

Kremlin-Linked Hackers Target Senate Ahead of Mid-Terms

Mon, 01/15/2018 - 11:40

Russian state-linked hackers accused of targeting Democratic Party officials ahead of the 2016 US presidential election have turned their focus on the Senate, according to Trend Micro.

The group known as Pawn Storm, Fancy Bear, Sednit and APT 28 set up phishing sites designed to ape the ADFS (Active Directory Federation Services) of the upper chamber, the security vendor claimed.

“By looking at the digital fingerprints of these phishing sites and comparing them with a large data set that spans almost five years, we can uniquely relate them to a couple of Pawn Storm incidents in 2016 and 2017,” explained senior threat researcher, Feike Hacquebord.

“The real ADFS server of the US Senate is not reachable on the open internet, however phishing of users’ credentials on an ADFS server that is behind a firewall still makes sense. In case an actor already has a foothold in an organization after compromising one user account, credential phishing could help him get closer to high profile users of interest.”

These tactics were used to devastating effect on the Democratic National Committee (DNC) ahead of the presidential election, with highly sensitive emails subsequently leaked under the online moniker Guccifer 2.0.

Hillary Clinton has claimed the revelations exposed in those leaks helped to turn the electorate against her during the race for the White House.

The timing of the latest phishing attempts is key, given the mid-term elections later this year.

The US is not the only country Russian-linked hackers are looking to destabilize: they’ve also targeted political organizations in Iran, France, Germany, Montenegro, Turkey, and Ukraine, according to Trend Micro.

It forms a key part of the Putin administration’s information warfare campaign against the West, alongside fake news and propaganda spread via bots and shills on social media.

There’s evidence to suggest fake Russian accounts on Twitter and Facebook also looked to sow discord ahead of the Brexit vote in 2016.

Categories: Cyber Risk News

Phishers Push Malware Disguised as Meltdown Fix

Mon, 01/15/2018 - 10:44

Cyber-criminals are using interest in the recent Meltdown and Spectre chip vulnerabilities to trick users into downloading malware disguised as security patches, according to Malwarebytes.

The SSL-enabled phishing site is spoofed to look like one managed by the German Federal Office for Information Security (BSI), explained the vendor’s lead malware intelligence analyst, Jérôme Segura.

This fake domain links to a ZIP archive which appears to contain a patch for the recently disclosed chip flaws (Intel-AMD-SecurityPatch-10-1-v1.exe) but is in fact malware.

“Upon running it, users will infect themselves with Smoke Loader, a piece of malware that can retrieve additional payloads. Post-infection traffic shows the malicious file attempting to connect to various domains and sending encrypted information,” Segura explained.

“The Subject Alternative Name field within the abused SSL certificate shows other properties associated with the .bid domain, including one that is a German template for a fake Adobe Flash Player update.”

Thanks to a speedy response to Malwarebytes from CloudFlare, the site was effectively taken out of action.

“There are very few legitimate cases when vendors will directly contact you to apply updates. If that is the case, it’s always good to verify this information via other online resources or friends first,” Segura warned.

He added that users should not trust sites just because they are protected with HTTPS.

“The presence of a certificate simply implies that the data that transits between your computer and the site is secure, but that has nothing to do with the intentions or content offered, which could be a total scam,” he explained.

The issue spotted by Malwarebytes has been flagged by the German authorities, but similar tactics could be used to trick users in other countries.

This all comes amid existing challenges for IT administrators surrounding the legitimate patches that have been released so far to mitigate Meltdown and Spectre.

Microsoft warned that an emergency fix it issued in the first week of January was incompatible with some AV tools and may even cause Blue Screen of Death errors on affected machines.

Categories: Cyber Risk News

Let's Encrypt Flaw Allowed Hackers to Hijack Certificates

Mon, 01/15/2018 - 10:07

The organization behind Let’s Encrypt has moved quickly to fix a vulnerability which could have allowed attackers to obtain certificates for domains they did not own.

The Certificate Authority (CA), which hands out free SSL and TLS certificates to make the internet a safer place, was notified of the bug last week by Detectify researcher Frans Rosén.

The problem was identified in the ACME protocol’s TLS-SNI-01 challenge process.

During that process, the ACME server validates a domain name by generating a random token and communicating it to the ACME client. That client then creates a self-signed certificate with a specific, invalid hostname and configures the web server on the domain to be validated to serve that certificate.

“The ACME server then looks up the domain name’s IP address, initiates a TLS connection, and sends the specific .acme.invalid hostname in the SNI extension,” explained ISRG executive director, Josh Aas. “If the response is a self-signed certificate containing that hostname, the ACME client is considered to be in control of the domain name, and will be allowed to issue certificates for it.”

However, Rosén noticed that in at least two large hosting firms, multiple users were hosted on the same address, and some users had the ability to upload certificates for arbitrary names without proving domain control.

These two properties violate the assumptions behind TLS-SNI and together could enable an attack.
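The two assumptions named above are easy to see in a small model of the challenge: the validator binds proof of control to an IP address, so on a shared address the check passes for whichever tenant answers the .acme.invalid SNI, and only the provider's upload policy stands in the way. The following is an added, simplified simulation, not Let's Encrypt (Boulder) code; the host names, IP address and tenant names are constructed, and the "strict" provider policy is an illustrative assumption about what a hosting provider can enforce.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def tls_sni_01_name(token: str) -> str:
    """Hostname the ACME client must serve a self-signed certificate for:
    the SHA-256 hex digest of the token, split in two labels under .acme.invalid."""
    z = hashlib.sha256(token.encode()).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


@dataclass
class SharedHost:
    """One IP address serving several customers (the setting Rosén found).
    strict=True models a provider that lets a customer install a certificate
    only for a hostname that customer owns; strict=False accepts any name."""
    ip: str
    strict: bool
    owner_of: dict = field(default_factory=dict)   # domain -> customer
    sni_table: dict = field(default_factory=dict)  # SNI name -> (installer, cert SAN)

    def install_cert(self, customer: str, hostname: str) -> bool:
        # Nobody owns a .acme.invalid name, so a strict provider refuses it
        # regardless of which tenant asks.
        if self.strict and self.owner_of.get(hostname) != customer:
            return False
        self.sni_table[hostname] = (customer, hostname)
        return True

    def handshake(self, sni: str):
        """Simulated TLS server: pick the certificate by the SNI name sent."""
        return self.sni_table.get(sni)


def validate_tls_sni_01(dns: dict, hosts: dict, domain: str, token: str):
    """ACME server side as Aas describes it: resolve the domain, connect to the
    IP, send the .acme.invalid name in SNI, accept if the returned self-signed
    certificate carries that name. The second value (who installed the cert)
    is only visible to this simulation; the real validator cannot see it."""
    expected = tls_sni_01_name(token)
    host = hosts[dns[domain]]
    result = host.handshake(expected)
    if result is None:
        return False, None
    installer, san = result
    return san == expected, installer


def scenario(strict: bool) -> dict:
    """Tenant 'alice' owns example.com; tenant 'mallory' merely shares the IP
    and tries to answer alice's challenge. Constructed, not real infrastructure."""
    host = SharedHost(ip="192.0.2.10", strict=strict)
    host.owner_of["example.com"] = "alice"
    dns = {"example.com": host.ip}
    hosts = {host.ip: host}
    token = secrets.token_urlsafe(16)
    installed = host.install_cert("mallory", tls_sni_01_name(token))
    passed, installer = validate_tls_sni_01(dns, hosts, "example.com", token)
    return {"installed": installed, "passed": passed, "installer": installer}


if __name__ == "__main__":
    print("lenient provider:", scenario(strict=False))
    print("strict provider: ", scenario(strict=True))
```

On the lenient host the validation passes even though the certificate was installed by a tenant who owns nothing, which is the mis-issuance path the article describes; on the strict host the upload is refused and the challenge simply fails. The validator itself has no way to tell the two cases apart, which is why ISRG disabled the challenge rather than patching the check.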

For its part, the Internet Security Research Group (ISRG) disabled TLS-SNI-01 as soon as it was informed of the vulnerability.

The most recent update from Aas had the following:

“We have decided to re-enable the TLS-SNI-01 challenge for certain major providers who are known not to have issues while we investigate re-enabling TLS-SNI-01 in general. We’re doing this as a safe way to restore service faster for a large number of sites.”

Hari Nair, director of cryptographic research at Venafi, argued that the issue stems from weak security practices at some hosting providers.

“Let’s Encrypt has mitigated the damage to a certain extent, but ultimately, how effective those steps will be depends on how well hosting providers implement certificate security on their end,” he added.

“It’s possible that there could be a spate of revocations in response to this event. The reality is that detection of mis-issued certificates is extremely hard and checking for revocation status is not something that the industry has traditionally done well, so it’s not clear how much impact revocations will have.”

In the meantime, organizations must stay vigilant to the possibility of mis-issued or maliciously issued certificates, although Google’s move to require Certificate Transparency for all certificates, including DV certs, will help surface these kinds of issues sooner, he concluded.

Categories: Cyber Risk News

South Korea Considers a Bitcoin Ban, Sparking Outrage

Fri, 01/12/2018 - 21:14

South Korean regulators are mulling a ban on cryptocurrency trading, sparking outrage across the nation.

The justice minister, Park Sang-ki, said this week that the government was preparing legislation to halt the trading of Bitcoin, Monero and other virtual money.

Trading is a popular pastime in South Korea, the world’s most wired country. Its young, tech-savvy populace has seized on virtual currency as a way to earn cash amid an economy that offers dwindling job prospects for millennials, despite its relative wealth as a nation. With Bitcoin pricing exploding over the last few months, many people have earned quite a bit. About a third of the 941 office workers surveyed in December by Saramin, a South Korea-based job portal, have traded virtual currency; out of those, more than 80% made money from it, and about 20% made a whopping average return of 425% on their investment, according to the survey.

The average Korean investor owns around 5.66 million won ($5,260) in virtual currencies.

“Tax it as much as you want but don’t shut it down. My life depends on it,” one petitioner wrote on the president’s website, according to Reuters. The petition there has drawn more than 120,000 signatures against a ban, as of Friday.

Regulators are concerned that the casino-like, speculative nature of the virtual marketplace has resulted in a bubble that is destined to burst, and they worry that economic catastrophe for whole swaths of the population could follow.

“On one hand, there is a growing part of their population who has adopted cryptocurrencies and are using them to great success both for investment purposes and for direct business uses as well,” Nathan Wenzler, chief security strategist at AsTech, told Infosecurity. “These advocates are becoming more reliant on cryptocurrencies and typically support their use as being an inevitable trend that will only become more heavily adopted as time goes on. However, there are those that claim it's too risky and too volatile, and should the cryptocurrency market collapse, the government of South Korea would have to pick up the slack for the economic damage that would cause.”

There’s another dimension as well, according to Joseph Carson, chief security scientist at Thycotic, a Washington, D.C.-based provider of privileged account management (PAM) solutions, having to do with cryptocurrency mining and taxation.

“China announcing they are going to clamp down on bitcoin mining…impacts China’s energy consumption and we could see a ripple effect around the world,” he said via email. “With the end of many countries’ tax years looming, the expectation is that many will dump Bitcoin to ensure they do not get hit with a huge capital gains tax bill. This could be seen as the wall at the end of the tunnel.”

He added, “I’m sure South Korea does not want to see their economy crash and significant GDP wiped overnight in value. The world is watching with huge anticipation.”

Then there are the cybersecurity concerns: For one thing, illicit mining of cryptocurrency by cybercriminals is skyrocketing and is responsible in many ways for the exploding value of currencies like Monero. Also, hacks on exchanges are not infrequent. In July, personal details on 30,000 people were stolen from South Korea-based crypto-currency exchange Bithumb, leading to the theft of funds from their Bitcoin and Ethereum accounts. The company, one of the largest exchanges for virtual currencies in the world, said the data theft happened after an employee's PC was hacked. From there, the hackers used the information to text and call users to con them out of their authentication codes, which were then used to steal funds from the accounts.

Another South Korean Bitcoin exchange, YoBit, was forced to close in December after suffering two major cyber-attacks in one year. It claimed it was “very sorry” but filed for bankruptcy after it suffered the December attack, less than eight months after the first.

In any event, South Korea has much to consider.

“By entertaining the notion of a ban on cryptocurrency trading, South Korea is evaluating whether or not the government can successfully manage the risk of what would happen if those cryptocurrencies collapsed while also promoting what they state is less immoral behaviors due to their view that cryptocurrency trading is akin to gambling and may lead to even worse offenses,” said Wenzler. “This ban, though, would impact a growing number of citizens and could cause a huge backlash against the government, both immediately and in any voting situation. At this point, it may be too early to guess at what a ban on cryptocurrency trading would do to South Korea, either economically or politically, but as the number of South Koreans who use cryptocurrencies increases, this issue will become more challenging to address at a national level.”

Categories: Cyber Risk News

Malware Serves Up Porn Ads in Kids' Apps

Fri, 01/12/2018 - 20:50

A malware built to display porn ads within mobile apps, including a large number of children’s games, has been uncovered in Google Play.

Check Point researchers have found the new and nasty malicious code, dubbed AdultSwine, hiding in around 60 game apps. So far, they’ve been downloaded between 3 million and 7 million times.

AdultSwine does a range of things, starting with displaying ads from the web that are often highly inappropriate and pornographic. However, it also attempts to trick users into installing fake security apps and tries to dupe users into registering and paying for premium services. It’s also built to be flexible, so its authors could in future set their sights on other malicious activities, such as credential theft.

The inappropriate ads being displayed come from two main sources, Check Point said: mainstream ad providers and the malicious code’s own ad library (where the porn ads stem from). All of these are displayed to children on a rotating basis while they play the infected games.

On the scareware front, AdultSwine displays an ad that claims the user’s device is infected by a virus.

“Should the user press the notification of ‘Remove Virus Now’ he is redirected to an app in the Google Play Store with a somewhat questionable connection to virus removal,” said the researchers in an analysis. “An experienced eye could easily foresee this tactic, though a child playing a game app is easy prey for such nefarious apps.”

When it comes to the fraudulent premium services, AdultSwine initially displays a pop-up ad saying that the user is entitled to win an iPhone by simply answering four short questions. If the user clicks through, the malicious code eventually asks him to enter his phone number to receive the “prize,” which, of course, is a ploy. The malware then uses the number to register for premium services.

“Although for now this malicious app seems to be a nasty nuisance, and most certainly damaging on both an emotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept,” Check Point warned. “Indeed, these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.”

To avoid victimization, parents should examine the apps that their kids download and educate their children on fraud and how to spot it. 

Categories: Cyber Risk News

Researchers: How to Detect Drones That Spy

Fri, 01/12/2018 - 20:12
Researchers: How to Detect Drones That Spy

Researchers have pioneered a technique to detect whether a drone camera is illicitly capturing video.

Amid increasing concerns about the proliferation of drone use for personal and business applications and how it is impinging on privacy and safety, researchers at Ben-Gurion University of the Negev (BGU) and Weizmann Institute of Science have figured out how to tell if a targeted subject or house is being recorded by a drone camera.

"The beauty of this research is that someone using only a laptop and an object that flickers can detect if someone is using a drone to spy on them," said Ben Nassi, a Ph.D. student in the BGU department of software and information systems engineering and a researcher at the BGU Cyber Security Research Center (CSRC). "While it has been possible to detect a drone, now someone can also tell if it is recording a video of your location or [doing] something else."

By placing smart film on a window and entering a few software commands on a laptop to access the encrypted video stream (the camera’s “first-person view” (FPV) channel) that the drone operator sees, the researchers were able to detect whether a DJI Mavic drone was capturing images of the location. In a second outdoor test, they demonstrated that an LED strip attached to a person wearing a white shirt can be used to detect targeted drone activity: when the researchers flickered the LEDs on the “cyber-shirt”, the flicker modulated the amount of data sent on the FPV channel, in effect causing the channel to send an “SOS” that reveals the wearer is in frame.

"This research shatters the commonly held belief that using encryption to secure the FPV channel prevents someone from knowing they are being tracked," Nassi said. "The secret behind our method is to force controlled physical changes to the captured target that influence the bit rate (data) transmitted on the FPV channel."

The method can be used on any laptop that runs Linux and does not require any sophisticated hacking or cryptographic skills, he added.
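To make the principle concrete, here is an added toy simulation that is not the BGU/Weizmann researchers’ code: a constructed flicker schedule is compared against constructed per-second bitrate samples of an FPV stream, and a simple correlation test decides whether the (still encrypted) stream is tracking the flicker. The bitrate model, the flicker pattern and the decision threshold are all assumptions made for illustration.

```python
"""Toy model of flicker-vs-bitrate detection. All data here is constructed;
nothing is captured from a real drone or taken from the researchers' tooling."""
import random
from statistics import mean, pstdev

# Constructed flicker schedule, one sample per second, 1 = LED strip on.
# A long, non-periodic pattern is harder to confuse with ordinary bitrate drift.
FLICKER_PATTERN = [1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0,
                   0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1]


def simulate_bitrate(pattern, filming, base_kbps=2000.0, delta_kbps=300.0,
                     noise_kbps=120.0, seed=1):
    """Constructed per-second bitrate samples (kbps) for an FPV video stream.

    Simplified assumption: when the camera is framing the flickering target,
    the bright LEDs add scene change that the video encoder must spend bits
    on, so the bitrate rises by about delta_kbps while the LED is on. When
    the drone films something else, the trace is just background noise.
    The noise comes from a seeded generator so the demo is reproducible.
    """
    rng = random.Random(seed)
    trace = []
    for on in pattern:
        kbps = base_kbps + rng.gauss(0.0, noise_kbps)
        if filming:
            kbps += delta_kbps * on
        trace.append(kbps)
    return trace


def pearson(xs, ys):
    """Pearson correlation coefficient between two equal-length sequences.

    Returns 0.0 when either sequence is constant, since no correlation can
    be measured against a flat line (e.g. an LED that never toggled).
    """
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equal-length sequences of at least 2 samples")
    mx, my = mean(xs), mean(ys)
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / len(xs)
    return cov / (sx * sy)


def is_being_filmed(pattern, bitrate_trace, threshold=0.5):
    """True when the observed bitrate tracks the flicker schedule closely.

    The threshold is an assumption; a real deployment would calibrate it
    against the bitrate variance of the specific camera and encoder.
    """
    return pearson(pattern, bitrate_trace) > threshold


if __name__ == "__main__":
    for filming in (True, False):
        trace = simulate_bitrate(FLICKER_PATTERN, filming)
        r = pearson(FLICKER_PATTERN, trace)
        print(f"camera framing target={filming}: r={r:.2f}, "
              f"detected={is_being_filmed(FLICKER_PATTERN, trace)}")
```

The detector never needs to decrypt the stream; it only needs the per-second size of the encrypted traffic, which is exactly why encrypting the FPV channel does not hide this side channel.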

"Our findings may help thwart privacy invasion attacks that are becoming more common with increasing drone use,” Nassi said. “This could have significant impact for the military and for consumers, because a victim can now legally prove that a neighbor was invading their privacy."

Categories: Cyber Risk News

House Votes to Renew Mass Surveillance Law FISA

Fri, 01/12/2018 - 11:50
House Votes to Renew Mass Surveillance Law FISA

Privacy experts are up in arms after the House of Representatives voted to renew a controversial surveillance law which could expand the government’s powers to snoop on Americans.

Section 702 of the Foreign Intelligence Surveillance Act was reauthorized by 256-164, the first time lawmakers have done so since Edward Snowden’s revelations blew the lid on mass snooping by the NSA five years ago.

The legislation is supposed to govern US intelligence agencies’ ability to gather data on foreign terror and other suspects by allowing them to lift it at entry points into the country.

However, as revealed by Snowden, the government circumvents constitutional protections from warrantless surveillance by allowing the NSA to conduct so-called “backdoor searches.”

The Electronic Frontier Foundation explained these as follows:

“The NSA uses Section 702 to target non-US persons not living in the United States, collecting emails both ‘to’ and ‘from’ an individual. Predictably, those emails include messages sent by US persons. The government stores those messages in several databases that — because of a loophole — can then be searched and read by government agents who do not first obtain a warrant, even when those communications are written by Americans.”

The reauthorized legislation will require a warrant, but only in the narrowest of circumstances.

“The bill’s narrow warrant requirement runs the Fourth Amendment through a fun-house mirror, flipping its intentions and providing protections only after a search has been made,” the EFF argued.

The new version of Section 702 voted for in the House yesterday would also allow a restart of controversial “about” data collection, which was ended last year after criticism from the FISA court.

This allows the NSA to tap the internet for communications data which is merely “about” a suspect — that person doesn’t even need to feature as sender or receiver of these messages.

Proposed amendments in the form of a USA Rights Act — which would have closed the backdoor search loophole, ended “about” searches for good and reauthorized Section 702 for only four years — have been voted down 183-233, with 55 Democrats voting against.

The FISA Amendments Reauthorization Act of 2017, to give it its full title, will now pass to the Senate, where Republican senator Rand Paul has threatened to filibuster in an attempt to stop it. The Kentucky lawmaker has a history of standing up against mass surveillance.

The FISA vote was briefly cast into doubt this week after President Trump tweeted that he opposed the legislation, as he claimed it had been used by the FBI to spy on his campaign.

After a call with House speaker Paul Ryan he hastily reversed his view, claiming support.

Categories: Cyber Risk News

Nuke Weapon Systems at Risk From Cyber-Attacks

Fri, 01/12/2018 - 10:36
Nuke Weapon Systems at Risk From Cyber-Attacks

Nuclear weapons systems are vulnerable to cyber-attacks which could at worst lead to compromise and inadvertent launches, a leading thinktank has warned.

These risks have been outlined in the new Chatham House report, Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequences.

It claimed that nuclear weapons systems were designed in a pre-digital age with little consideration given to the possible impact of cyber-threats.

It added:

“There are a number of vulnerabilities and pathways through which a malicious actor may infiltrate a nuclear weapons system without a state’s knowledge. Human error, system failures, design vulnerabilities, and susceptibilities within the supply chain all represent common security issues in nuclear weapons systems. Cyber-attack methods such as data manipulation, digital jamming [DoS] and cyber spoofing could jeopardize the integrity of communication, leading to increased uncertainty in decision-making.”

This uncertainty could even cause an escalation resulting in the use of nukes.

“Inadvertent nuclear launches could stem from an unwitting reliance on false information and data,” the report warned.

US Minuteman silos were highlighted as particularly susceptible to cyber-attack, while it has been reported in the past that the US has been able to infiltrate the supply chain of North Korean systems to scupper test launches.

Chatham House identified 13 key areas in such systems vulnerable to cyber-attack.

These included: communications between C&C centers and from command stations to missile platforms, missile telemetry data, technology in transport, labs and assembly facilities, real-time targeting, weather and positioning data and autonomous robotic systems.

As with many other areas of critical national infrastructure (CNI), the private sector is heavily involved, but under constant attack.

“Presently, this is a relatively ungoverned space and these vulnerabilities could serve to undermine the overall integrity of national nuclear weapons systems,” the report continued. “For example, the backdoors in software that companies often maintain to fix bugs and patch systems are targets for cyber-attacks once they are discovered and become known.”

The report argued that defense contractors should be forced to disclose and share any info about cyber-attacks with their governments.

The authors recommended governments incorporate rigorous cyber-risk reduction into their nuclear command, control and comms systems.

AlienVault security advocate, Javvad Malik, argued that legacy systems in particular represent a major weakness in CNI.

“Going after connected weaponry is the next step, be it for espionage purposes, or something more sinister,” he added.

“Owing to the legacy infrastructure, rapid patches, or constant monitoring is not always feasible, therefore, it is in the best interests to keep such systems as segregated as possible to minimize the risk of external actors being able to access.”

Categories: Cyber Risk News

SCADA Apps Riddled With Major Flaws

Fri, 01/12/2018 - 09:49
SCADA Apps Riddled With Major Flaws

Mobile applications used in industrial control system (ICS) environments are shot through with vulnerabilities, exposing mission critical processes and infrastructure to attack, according to new research.

IOActive teamed up with IoT specialist Embedi to study 34 mobile applications used in Supervisory Control and Data Acquisition (SCADA) systems — selected at random from the Google Play store.

The number of these apps is growing all the time, so the researchers wanted to see if they’re unduly exposing organizations to the risk of external attack or accidental insider threats.

They found a staggering 147 vulnerabilities altogether — an increase of 1.6 per app from 2015, when the team found 50 issues in 20 such apps.

The top five security weaknesses were: code tampering (94% of the apps studied), insecure authorization (59%), reverse engineering (53%), insecure data storage (47%) and insecure communication (38%).

IOActive explained that the problem comes down to developers rushing apps to market without incorporating security by design.

“There’s not much an end-user can do to fix bugs in a mobile application themselves. The fixes will need to be done by the vendors,” IOActive principal security consultant, Jason Larsen, told Infosecurity.

“A good start would be transparency. If an application is built using secure programming practices and has gone through a review, documenting that would go a long way.”

In fact, attackers don’t even need physical access to the victim’s smartphone. If a user downloads a fake malicious app by mistake then that malware could attack the vulnerable application, the firm claimed.

IOActive recommended that SCADA app developers think carefully about security, noting that the OWASP Top 10, the OWASP Mobile Top 10 2016 and the 24 Deadly Sins of Software Security could help guide them through best practices.

“This is simply a continuation of the current Industrial Internet of Things (IIoT) trend,” warned IOActive security consultant, Alexander Bolshev. “Over the past two years, the number of applications on Google Play Store has doubled, and some of these applications have been installed 1000-10,000 times.”

Categories: Cyber Risk News

North Korean Defectors Targeted in Mobile Espionage Campaign

Thu, 01/11/2018 - 21:15
North Korean Defectors Targeted in Mobile Espionage Campaign

Malicious APK files are being used to attack North Korean defectors and journalists via KakaoTalk, a chat app that is a popular mobile communication method in South Korea.

According to the McAfee Mobile Research team, threat actors are sending malicious links via KakaoTalk and other social network services, such as Facebook, in a targeted campaign. The links claim to connect to either something called Pray for North Korea or BloodAssistant, which is a fake health care app. In both cases, they redirect to a dropper mechanism.

The dropper tricks the victim into turning on accessibility permissions, and then installs an espionage Trojan with a range of malicious functions, including saving SMS messages, contact information, GPS location, phone call logs, installed apps and contacts; it can also record phone calls. Further, the attackers can easily extend the Trojan’s malicious functionality without needing to update the whole malware.

As for who’s behind the attacks, the targets themselves indicate that the bad actors are sympathetic to North Korea. But there are other indications that the group is homegrown in the Korean peninsula.

“The group behind this campaign is certainly familiar with South Korean culture, TV shows, drama and the language because the account names associated with the cloud services are from Korean drama and TV shows,” including Korean drama character names, and competition and reality series participants, said researcher Jaewon Min, in a blog.

Narrowing it down further, McAfee found the use of the North Korean word for "blood type," which is not used in South Korea (South Korea uses a different word). There were also North Korean IP addresses in the test log files of some Android devices that are connected to the accounts used to spread the malware.

One folder is listed as the “Sun Team Folder,” possibly indicating the name of the threat actor group. If so, it has been active since 2016, according to the cloud storage creation date.

“This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware,” said Min. “We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors and on groups and individuals who help defectors.”

Categories: Cyber Risk News

In Wake of Russia Ban, Fancy Bear Tries to Discredit the Olympics...Again

Thu, 01/11/2018 - 20:40
In Wake of Russia Ban, Fancy Bear Tries to Discredit the Olympics...Again

The Fancy Bear state-sponsored Russian hacking group is attempting to discredit the Olympics again, releasing dozens of emails purported to be stolen from antidoping officials at the International Olympic Committee (IOC), the United States Olympic Committee and various third-party groups.

Separately, ThreatConnect has identified spoofed domains imitating the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia (OCASIA).

“These suspicious domains have consistencies with other previously identified Fancy Bear infrastructures and raise the question of a broader campaign against the upcoming 2018 Winter Games,” the firm said.

The supposed email leak comes just weeks after Russia's official ban from the 2018 Winter Olympics in Pyeongchang, South Korea, for widespread, systematic doping. The emails are from the end of 2016 to the spring of 2017, and they concern the investigation into said doping on the part of Russian athletes, with the apparent purpose of discrediting the IOC’s efforts as purely politically motivated and meant to marginalize the Russian state.

For instance, in one message published by the New York Times purporting to be from IOC lawyer Howard Stupp, Stupp complains that lead investigator Richard McLaren issued his damning reports without discussing the findings with sports officials.

“It seems that RM’s first report was intended to lead to the complete expulsion of the Russian team from the Rio Games,” the email reads. “And the second report? To expulse the Russian team from the Pyeongchang Games? This put the IOC...in a very difficult position.”

The group, sometimes known in a pluralized form as Fancy Bears, issued the mails with the declaration that “the Europeans and the Anglo-Saxons are fighting for power and cash in the sports world.”

The claims of injustice are thus far falling on deaf ears among Olympics officials, who also seem unconcerned about the content of the emails. It’s unclear if the emails are legitimate – Russian hackers have a history of inserting false material into what they claim is original.

"The Fancy Bears are a criminal organization which seeks to undermine the work of WADA and its partners," World Anti-Doping Agency (WADA) spokesperson Maggie Durand told WIRED. "Everything that they have posted today is dated."

This is not the first time that the group has retaliated over doping charges. In 2016, it hacked the WADA database after the IOC’s decision to recommend a ban on all Russian athletes at the Rio Games and subsequently leaked confidential medical information for US Olympic gymnastics star Simone Biles, tennis champions Serena Williams and Rafael Nadal, golfer Justin Rose and Britain’s Olympic gold medalist in track and field, Mo Farah.

The records did not show the use of any performance-enhancing drugs; rather, they detailed "Therapeutic Use Exemptions” (TUEs), which allow the use of banned substances due to athletes' verified medical needs. For instance, they suggested Biles has ADHD and takes medication for that and that Williams was treated with corticosteroids for injuries.

As the USADA explains on its website: “The TUE application process is thorough and designed to balance the need to provide athletes access to critical medication while protecting the rights of clean athletes to compete on a level playing field.” 

Categories: Cyber Risk News
