Info Security

Subscribe to Info Security  feed
Updated: 1 hour 10 min ago

Over 90% of US Retailers Fail PCI DSS

Fri, 09/21/2018 - 08:48
Over 90% of US Retailers Fail PCI DSS

Security in the retail industry has significantly worsened over the past year, to the point that over 90% of domains analyzed recently were found to be non-compliant with PCI DSS.

SecurityScorecard analyzed 1444 domains in the US retail industry from October 2017 to March 2018, discovering that although cyber-criminals had become increasingly sophisticated, IT security departments had largely failed to keep pace.

Application security was a particular challenge, with retail second only to the entertainment sector in its poor performance.

When it came to social engineering, often the first stage of an attack or data breach in the form of phishing emails, the sector performed worst out of the 18 appraised.

In 91% of retail domains analyzed, the business failed four or more requirements of the key PCI DSS standard, with requirement six — dealing with maintaining secure systems and applications — particularly troublesome for 98%.

This includes requirement 6.2, which mandates organizations keep up-to-date with security patches: applying critical ones within one month and others within three. Some 91% failed this requirement.

“A reason many retailers lack compliance with Requirement 6.2 is that the increased number of vendors makes mapping updates more time-consuming,” the report claimed. “A retailer that uses different vendors for cloud storage, operating systems, data backup, mPOS, and POS may have a hard time following every update for each of these. In addition, some updates may be critical security updates while others focus on better usability.”

As part of the PCI DSS requirement, organizations must also understand data flows and the systems, servers, and networks that need to be protected: another area of weakness for retailers, according to the report.

“As part of the process, organizations need to build firewall and router rules that restrict inbound and outbound traffic,” it explained. “These restrictions need to specify all ‘untrusted’ networks and hosts, especially wireless ones. As part of this restriction, no public access can occur between the internet and system components in the Cardholder Data Environment (CDE).”

The challenge is ensuring retailers move from “point-in-time” compliance to continuous efforts, SecurityScorecard argued.

Categories: Cyber Risk News

Magecart Skimmed Newegg Cards for a Month

Thu, 09/20/2018 - 10:45
Magecart Skimmed Newegg Cards for a Month

The infamous Magecart code has struck again, with an attack group this time using it to skim card details from customers of online retailer Newegg for a full month, according to researchers.

The US-based, tech-focused e-tailer has yet to release a statement on the news, but RiskIQ, which has been following Magecart closely over the past couple of years, posted an analysis of the attack yesterday.

Threat researcher Yonathan Klijnsma explained that, just like in the recently disclosed BA breach, the attackers made a concerted effort to blend in to the background to avoid detection.

They did this by first registering a domain similar to the primary domain, certifying it with a Comodo certificate for authenticity. The linked IP address hosted a back-end server where skimmed card info was apparently stored.

The attackers then struck on around August 14, inserting the Magecart code on the retailer’s payment processing page, where it remained hidden for a month.

“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways, explained Klijnsma.

“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script.”

The code worked on both mobile and desktop versions of the site, and with estimated visitors to Newegg regularly numbering over 50 million per month, this could point to another significant breach of card data, according to RiskIQ.

“The attack on Newegg shows that while third parties have been a problem for websites — as in the case of the Ticketmaster breach — self-hosted scripts help attackers move and evolve, in this case changing the actual payment processing pages to place their skimmer,” concluded Klijnsma.

“We urge banks to issue new cards or added protection through OTP on cards they can correlate belonging to transactions that occurred on Newegg between August 14 and September 18.”

Newegg claims it is still determining which customer accounts have been affected.

Craig Young, security researcher at Tripwire, argued that organizations should be monitoring certificate transparency logs more closely to spot the early warning signs of an attack.

“In this case, the attack campaign started with the attackers setting up an HTTPS server at,” he explained. “For Newegg, seeing this domain come online wouldn’t immediately indicate a breach, but it should be enough for a security team to investigate further and likely reveal the newly added references to this domain in their checkout code.”


Newegg later posted a tweet to its timeline, saying it had learned that one of its servers had been injected with malware which was identified and removed from our site. "We’re conducting extensive research to determine exactly what info was obtained and are sending emails to customers potentially impacted."

Categories: Cyber Risk News

Mirai Masterminds Escape Jail Time

Thu, 09/20/2018 - 09:33
Mirai Masterminds Escape Jail Time

Three men responsible for creating and operating the infamous Mirai botnet have escaped jail time after agreeing to provide “substantial assistance” to the FBI in ongoing cases.

Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were charged with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. Jha and Normal also pleaded guilty to charges related to operating a click fraud botnet.

However, the three will not serve time behind bars. Instead, they have each been sentenced to five years of probation, 2,500 hours of community service, and restitution of $127,000 as well as giving up “significant amounts” of cryptocurrency seized by the Feds during their investigation.

Their involvement in Mirai is said to have ended in autumn 2016, when Jha posted the source code on a criminal forum.

It was used to launch some of the biggest DDoS attacks ever seen, against the website Krebs on Security and DNS provider Dyn, the latter taking down some of the biggest names on the web including Twitter, Spotify and Reddit.

The trio’s work did not end with Mirai, however: from December 2016 until February 2017 they apparently built a click fraud botnet comprising 100,000 mainly US-based devices including home routers.

The three have already co-operated extensively with the FBI, providing help which “substantially contributed” to complex investigations and broader defensive efforts by law enforcers and researchers, according to the DoJ.

But as part of their plea agreement they must continue to “cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”

Jake Moore, security specialist at ESET, argued that injecting hacker knowledge into the government may not be a bad thing, and could even save law enforcement money in the long-run.

“Although law enforcement lacks money and young blood, it does need updating with ethical hacking techniques that could be time consuming to train the older generations, not to mention it is a far more inviting and romanticized option than jail time for the criminals,” he added.

Categories: Cyber Risk News

ICO Fines Equifax £500K After 2017 Breach

Thu, 09/20/2018 - 08:34
ICO Fines Equifax £500K After 2017 Breach

The Information Commissioner’s Office (ICO) has issued the maximum fine possible to Equifax in response to failings which led to a major 2017 breach.

The £500,000 penalty is only the second time the UK privacy watchdog has used the full extent of its powers and comes after a major incident at the credit agency exposed data on 15 million UK customers.

The breach itself affected nearly 146m customers around the world, mainly in the US, and involved highly sensitive data including Social Security numbers, driver’s license numbers, tax IDs and much more.

Equifax was widely criticized at the time for failing to patch a know Apache Struts vulnerability for several months. It was this flaw that hackers ultimately exploited to attack the firm.

The ICO’s investigation, carried out with the Financial Conduct Authority, found that Equifax contravened five out of eight data protection principles of the Data Protection Act 1998. These included: failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.

Data management systems were “inadequate and ineffective” and there were issues with data retention, IT system patching, and audit procedures, the ICO claimed.

Information commissioner, Elizabeth Denham, said the incident would have caused many UK consumers particular distress because they would not have been aware that the firm even held their personal data.

“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data,” she added.

“We are determined to look after UK citizens’ information wherever it is held. Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law.”

It’s certain that the fine would have been many times greater had Equifax been investigated under the new GDPR regime.

Categories: Cyber Risk News

AsTech Consulting Combines with Moss Adams

Thu, 09/20/2018 - 08:00
AsTech Consulting Combines with Moss Adams

Because the need for application security continues to grow with the rise of cloud technology, Moss Adams, an accounting, consulting and wealth management firm, announced today that it has combined with cyber-risk management firm AsTech Consulting to augment its application security capabilities.

Moss Adams will essentially acquire AsTech Consulting as of November 1, 2018, though the terms of what the company prefers to call a "combination" are not yet being disclosed. The deal, however, will give AsTech Consulting access to the existing Moss Adams infrastructure, resources and client relationships.

In an interview with Infosecurity Magazine, Eric Miles, partner in charge of the Moss Adams Advisory Services Practice, said, “When we add services or capabilities, it’s because our customers ask about them, and the need for application security is starting to skyrocket. Whether its with our technology clients or those who are not using self-developed software, they are beginning to recognize that their risks don’t sit within the perimeter any longer but within the app itself.”

AsTech Consulting has been in the application security business for 21 years, which is part of what made them such an appealing partner for Moss Adams. “We have a great reputation, but we are small,” said Greg Reber, CEO and founder of AsTech Consulting.

“For us, we wanted to expand our reputation to be able to reach a bigger audience and help more companies be secure. It was both the culture and the reputation of Moss Adams that made the company the best fit for us.”

Sixteen members of the AsTech Consulting team will join Moss Adams, including Reber, who will become a partner.

In preparing for the combining of the companies, AsTech Consulting has worked with the existing cybersecurity team at Moss Adams. “There is some overlap, but working together helped us understand each other. We found we have a common language through working on projects together,” Reber said.

“We are reaching an inflection point in public awareness in the need for this kind of security. Many mid-market companies are becoming more aware of the need for both perimeter and application security – or source code security, especially if they are developing their own apps, and we understand the source code issues.”

Categories: Cyber Risk News

Account Takeover Attacks Result in Phishing Scams

Thu, 09/20/2018 - 05:00
Account Takeover Attacks Result in Phishing Scams

Attackers are successfully stealing the credentials of employees and using them in account takeover (ATO) incidents more frequently, which makes business email compromise (BEC) one of the most prevalent types of cyber fraud, according to Barracuda Networks.

The latest Threat Spotlight, looked at the motives behind ATOs and found that while hackers have myriad objectives, many will commonly use ATOs to launch phishing campaigns.

“Some attackers try to use the hacked email account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them in the black market, and others use the account to conduct reconnaissance to launch personalized attacks,” researchers wrote.

“The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a business email compromise (BEC) attack from the real employee's email address.”

From April to June 2018, 60 incidents occurred among the 50 randomly selected organizations. Of the 50 organizations, four to eight reported having at least one account takeover incident. The result for those companies that were compromised was that accounts were used for nefarious purposes.

A large majority (78%) of the total incidents resulted in a phishing email where the attacker usually impersonated the employee and requested that the recipients click on malicious links or open infected attachments.

Analysis of the incidents revealed that 17% were platforms for spam campaigns that appeared to come from reputable domains, while 5% of incidents involved internal email traffic in which the attacker asked the recipient to download an attachment.

Over the course of the three-month study, 50 different email accounts were compromised. Through examining the roles of the compromised employees, some of whom were compromised multiple times, researchers found that the total number of compromised employees was 60, with 6% of those identified as executives and 22% reportedly in sensitive departments.

Barracuda recommends that any request involving money made via email, particularly something like a wire transfer request coming from the CEO, not be honored without first having an in-person conversation or, at the very least, a phone call where the sender's identity has been verified. 

Categories: Cyber Risk News

Malicious Login Attempts Spike in Finance, Retail

Thu, 09/20/2018 - 05:00
Malicious Login Attempts Spike in Finance, Retail

The new 2018 State of the Internet/Security Credential Stuffing Attacks report is out, and according to the report publisher, Akamai, worldwide malicious login attempts are on the rise.

Analyzing data gathered from its Intelligent Platform and attack data from across the company's global infrastructure, researchers found approximately 3.2 billion malicious logins per month from January through April 2018. In addition, 2018 has seen 1.4 million compromised usernames and passwords.

Botnets caused a monthly average increase of 30% between May and June 2018. During those two months, researchers detected over 8.3 billion malicious login attempts from bots.

The report clarifies that not all bots are bad, but credential-stuffing botnets are particularly malicious as the goals of credential-stuffing bots are to assume identity, collect information and steal money or goods.

Reviewing an eight-month period, from November 2017 through June 2018, researchers discovered more than 30 billion malicious login attempts. Using botnets to steal login information across the web, also known as credential stuffing, results in malicious login attempts. Given the likelihood that users repeat passwords across multiple sites, financially motivated hackers are known to target login pages for banks and retailers, which is why the report focused on the financial and retail sectors.

In examining one attack in which three botnets simultaneously targeted a credit union, researchers found that one of the botnets was not triggering a spike in malicious login attempts. The stealthiest of the three turned out to be the most concerning.

“Our research shows that the people carrying out credential-stuffing attacks are continuously evolving their arsenal. They vary their methodologies from noisier, volume-based attacks through stealth-like ‘low and slow’ style attacks,” said Martin McKeay, senior security advocate at Akamai and lead author of the State of the Internet/Security report, in a press release.

“It’s especially alarming when we see multiple attacks simultaneously affecting a single target. Without specific expertise and tools needed to defend against these blended, multi-headed campaigns, organizations can easily miss some of the most dangerous credential attacks.”

Categories: Cyber Risk News

Tech Giants Charged with Tracking Children

Wed, 09/19/2018 - 15:51
Tech Giants Charged with Tracking Children

New Mexico’s attorney general, Hector Balderas, announced a lawsuit, filed against Google, Twitter, Tiny Lab Productions, MoPub, AerServ, InModi PTE, AppLovin and IronSource, on allegations that nearly 100 gaming apps targeting children contain illegal tracking software.

The apps, designed by Tiny Lab Productions, are marketed in the Google Play Store and are reported to collect personal data from children under 13 without first acquiring parent consent. Collecting the data give not only the defendants but also whoever they sell the data to the ability to track and profile children who can then be targeted for marketing purposes.

“These apps can track where children live, play, and go to school with incredible precision,” said Balderas. “These multi-million-dollar tech companies partnering with app developers are taking advantage of New Mexican children, and the unacceptable risk of data breach and access from third parties who seek to exploit and harm our children will not be tolerated in New Mexico.”

In total, 91 gaming apps are developed by Tiny Lab. Of all the apps, only five have not been a part of Google’s Designed for Families (DFF) program. Some of the apps include Angry Bunny Race: Jungle Road, Arctic Roads: Car Racing Game, DexLand, Dragon Fight: Boss Shooting Game, Dragon Panda Racing, Fun Kid Racing, Magic Elf Fantasy Forest Run and Pet Friends Park Racing.

As children gain more access to the internet both at home and in school, the games they download can pose unique risks to them, which has long been a concern for Balderas.  

“Parents should be aware of these risks and should know how to protect their children before purchasing an internet connected device for their children. Parents should be extremely selective of the apps they choose for their children,” Balderas’s office wrote in a press release.  

In addition to listing all 91 apps, the AG’s office included six pages with instructions on how to limit ad tracking across multiple devices.

Categories: Cyber Risk News

SMBs Fear Phishing, Fall Short on Cyber Training

Wed, 09/19/2018 - 15:21
SMBs Fear Phishing, Fall Short on Cyber Training

In surveying 500 small to medium-sized businesses (SMBs) across the US, Webroot discovered that many businesses fail to recognize the many cybersecurity threats their businesses face, in large part because they lack in-house security expertise. According to The 2018 Webroot SMB Pulse Report, phishing scams ranked the number-one threat to SMBs.

The report also found that while 24% of respondents viewed phishing as the number-one threat to their organization, 20% of smaller businesses – those with up to 19 employees – believed they should be focused on defending against ransomware.

Overall, 24% of SMBs were unable to identify their top threat, with the smallest organizations being the least likely to state their greatest risk. Of those companies classified as medium-sized (20-99 employees), 28% fear human error as their greatest threat. However, SMBs do realize that implementing awareness training programs would potentially help mitigate risks from cyber threats.

“Phishing is a tried-and-true tactic for bad actors. Employees are likely to click on things they shouldn’t, despite what businesses try to do to prevent it,” said Gary Hayslip, chief information security officer, Webroot, in a press release.  

“But humans get taken in by phishing scams out of simple curiosity or lack of security awareness, which underscores the need for continuous awareness training. For SMBs who feel overwhelmed by all the new cybersecurity challenges they face, partnering with an MSP is a great option to provide security expertise and management.”

Despite their fears of falling victim to a phishing scam or a ransomware attack, SMBs aren’t providing comprehensive, ongoing security awareness training for their employees, according to the report. The majority (66%) of participating businesses with up to 19 employees offer no cybersecurity training to employees.

As businesses grow in size, the numbers tend to get a little bit better, with only 29% of companies in the medium-sized and 13% of large companies (those with 100 to 500 employees) failing to provide a cybersecurity training in the workplace.

“Phishing attacks are one of the most common security challenges companies face in keeping their information secure. It’s easy and it’s effective. Cybercriminals set the bait and people click. Security awareness training with phishing simulations improve user behavior and get people to think before they click,” said Aaron Sherrill, senior analyst at 451 Research.

“Yet 451 Research Voice of the Enterprise surveys reveal that a large majority of businesses are cobbling together homegrown (and often ineffective) awareness solutions, wasting a lot of time and resources in the process. Small to medium-sized businesses need a solution that is cost effective, quick to deploy and easy to manage. Effective training programs do not need to be time consuming, cumbersome or costly.”

Categories: Cyber Risk News

IoT Malware Detections Soar 273% Since 2017

Wed, 09/19/2018 - 10:20
IoT Malware Detections Soar 273% Since 2017

New IoT malware detections have soared over 200% since 2017 to reach over 120,000, according to new stats from Kaspersky Lab.

The Russian AV vendor claimed to have spotted 121,588 modifications of malware targeted at smart devices in the first half of 2018, a 273% increase on the 32,614 detected for the whole of last year.

The most popular way to spread malware is brute-forcing of passwords: used in 93% of detected attacks. Most of the remaining cases used well-known exploits to access the devices, according to the vendor.

The most commonly compromised devices were routers, accounting for 60% of the total, followed by a long tail of other connected devices including DVRs, printers and even smart washing machines.

IoT endpoints represent an attractive target for hackers as they’re always on, connected to the internet and often not secured adequately with strong passwords and updated firmware.

The threat is such that the FBI was forced to issue a public service announcement recently warning home users of the dangers of unsecured devices: most notably that they could be conscripted into botnets to launch DDoS attacks, crypto-mining, click fraud and more.

“For those people who think that IoT devices don’t seem powerful enough to attract the attention of cyber-criminals, and that won’t become targets for malicious activities, this research should serve as a wake-up call. Some smart gadget manufacturers are still not paying enough attention to the security of their products, and it’s vital that this changes — and that security is implemented at the design stage, rather than considered as an afterthought,” argued Kaspersky Lab principal security researcher, David Emm.

“At this point, even if vendors improve the security of devices currently on the market, it will be a while before old, vulnerable devices have been phased out of our homes. In addition, IoT malware families are rapidly being customized and developed, and while previously exploited breaches have not been fixed, criminals are constantly discovering new ones.”

Earlier this year the British Standards Institution launched a kitemark scheme designed to improve baseline security in the IoT space by making it easier for buyers to spot reliable kit.

Categories: Cyber Risk News

Europol: Ransomware Will be Top Threat for Years

Wed, 09/19/2018 - 09:20
Europol: Ransomware Will be Top Threat for Years

Ransomware continues to be the biggest malware threat to businesses around the world, but mobile threats and crypto-jacking are emerging as serious challenges, according to Europol.

The law enforcement organization’s annual Internet Organised Crime Threat Assessment (IOCTA) provides a good snapshot of current industry trends. It reflects the findings of many security vendors: that ransomware is slowing but still the most widespread financially motivate threat out there, ahead of banking Trojans — and will be so for several years.

DDoS attacks were second only to malware in terms of volume in 2017, as infrastructure becomes more “accessible, low-cost and low-risk.”

On the wane as a means of infection are exploit kits, with “spam, social engineering and newer methods such as RDP brute-forcing coming to the fore.”

Europol also highlighted the emerging threat of crypto-jacking as one to watch, as it offers cyber-criminals a “regular, low risk revenue stream.” Mobile malware was also flagged.

“Mobile malware has not been extensively reported in 2017, but this has been identified as an anticipated future threat for private and public entities alike,” said the report.

As for the underground economy fueling these threats, Europol claimed success in shutting down three major marketplaces in 2017 and said that nine others closed or “exit scammed." However, new sites have unsurprisingly emerged to take their place.

“The almost inevitable closure of large, global darknet marketplaces has led to an increase in the number of smaller vendor shops and secondary markets catering to specific language groups or nationalities,” the report explained.

Javvad Malik, security advocate at AlienVault, said the report is a good validation of many of the trends security experts in the vendor and research community are seeing.

“Collaboration appears to be one of the biggest and most prominent takeaways. Being able to establish trustworthy channels to collaborate and share information and intelligence is vital,” he continued.

“Notable by its omission, there is no mention of the role of bots by organized crime and state to push agendas and misinformation, even though there are increasing industry studies that points to these as being tools in the arsenal of attackers.”

Categories: Cyber Risk News

State Department Email Breach Hit Hundreds of Staff

Wed, 09/19/2018 - 08:44
State Department Email Breach Hit Hundreds of Staff

The US State Department has confirmed an email security breach which may have affected hundreds of employees, exposing their personal information to attackers.

Reports emerged on Monday that the incident earlier this year affected “less than 1% of employee inboxes.”

“We have determined that certain employees’ personally identifiable information (PII) may have been exposed,” it reportedly noted. “We have notified those employees.”

According to State Department figures, it employees nearly 70,000 staff, meaning in the region of 700 could be affected by the breach.

It’s not known how the attack occurred, although it affected the department’s cloud-hosted email service and not a nominally more secure classified system.

Government auditors have criticized the department in the past for failing to meet cybersecurity best practice standards.

As a result, several senators wrote to secretary of state Mike Pompeo last week demanding an update on its efforts to comply.

“According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law — the Federal Cybersecurity Enhancement Act — requiring all executive branch agencies to enable MFA for all accounts with ‘elevated privileges’,” they noted.

“Similarly, the Department of State’s Inspector General (IG) found last year that 33% of Diplomatic Missions failed to conduct even the most basic cyber threat management best practices, like regular reviews and audits. The IG also noted that experts who tested these systems ‘successfully exploited vulnerabilities in email accounts of department personnel as well as department applications and operating systems'.”

Gary McGraw, vice president of security technology at Synopsys, argued that the department is not alone in lagging on cybersecurity.

“If the State Department has trouble rolling out two-factor authentication to protect the majority of its users, something that many corporations have had in place for years, how can we expect other aspects of its operations to be secure?  This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector,” he added.

Sam Curry, chief security officer at Cybereason, claimed that the US government procurement process is holding it back.

“It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do," he argued. "Fundamentally this is likely a hack that led to a breach and not some type of insider issue."

Categories: Cyber Risk News

In the Battle Against IoT Threats, AI Is a Key Weapon

Wed, 09/19/2018 - 01:49
In the Battle Against IoT Threats, AI Is a Key Weapon

The concept of defending a perimeter to thwart off cyber-attacks has long been disappearing. Since the advent of the internet of things (IoT), connected devices have created gaps in security by opening up new attack vectors. According to a new study, How AI and Automation Can Close the IT Security Gap in the Era of IoT, IT security teams are increasingly relying on artificial intelligence to close IoT-era cybersecurity gaps.

The global research study, conducted by the Ponemon Institute on behalf of Aruba, a Hewlett Packard Enterprise company, surveyed 4,000 security and IT professionals across the globe and found that when security systems incorporate machine learning and other AI technologies, they are better able to detect and stop IoT-targeted attacks.

According to the study, more than three-quarters of respondents believe their IoT devices are not secure. More than half (60%) said that IoT devices – even seemingly superfluous ones – pose a threat, yet two-thirds of respondents lack the ability to protect their devices.

“AI comes in because changes are not something that standard security techniques are well versed in. It’s hard to create visibility, but enabling technology like AI or ML [machine learning] is going to be so important for organizations attempting to achieve a strong security posture,” said Larry Lunetta, vice president of security solutions marketing, at Aruba.

The majority (68%) of respondents said AI-based products help reduce false alerts, while 63% said the technologies increase the overall effectiveness of the security team. For 60% of survey participants, AI-based technologies augment their investigation efficiencies, and 56% reported that implementing machine learning tools has afforded faster discovery of and response to attacks in which malicious actors have evaded perimeter defense systems.

Of the respondents, 25% are currently using some form of AI-based security solution, and an additional 26% have plans to deploy the tools within a year.

“Despite massive investments in cybersecurity programs, our research found most businesses are still unable to stop advanced, targeted attacks, with 45% believing they are not realizing the full value of their defense arsenal,” said Larry Ponemon, Ponemon Institute founder and primary researcher, in a press release.

“It’s become a perfect storm, with nearly half of respondents saying it’s very difficult to protect complex and dynamically changing attack surfaces, compounded by a lack of security staff with the necessary expertise to battle today’s attackers who are persistent, sophisticated, well trained and financed. Against this backdrop, AI-based security tools were viewed as a key weapon to help businesses keep up with increasing threat levels.”

Categories: Cyber Risk News

Injunction to Secure Georgia Elections Denied

Tue, 09/18/2018 - 14:32
Injunction to Secure Georgia Elections Denied

A request for a preliminary injunction in the Georgia election security lawsuit was denied by a federal judge late last night. The plaintiffs, who have long been battling to have the state switch to using paper ballots, had their request denied by US District Judge Amy Totenberg.

In a 46-page order, Totenberg ruled against switching to paper ballots for the November election, but the court wrote frankly about the flaws of state officials and Georgia’s election systems.

“While Plaintiff’s motions for preliminary injunction...are DENIED, the Court advises the Defendants that further delay is not tolerable in their confronting and tackling the challenges before the State’s election balloting system,” Totenberg wrote in the order. She added that testimony and evidence “indicated that the Defendants and State election officials had buried their heads in the sand.”

“A wound or reasonably threatened wound to the integrity of a state’s election system carries grave consequences beyond the results in any specific election, as it pierces citizens’ confidence in the electoral system and the value of voting.”

While the preliminary injunction to secure the midterm elections in Georgia was denied, the judge’s recognition that the current system is critically unsecured is a partial win for the plaintiffs.  

“The court takes election officials to task for their 'head in the sand' approach to the extraordinary threat facing Georgia voters this fall and the little understanding they exhibited about election security. The court emphasizes that our case will move forward expeditiously with discovery in pursuit of a permanent injunction,” said the attorney for the Curling plaintiffs, David Cross, partner at Morrison & Foerster.

“Unfortunately, the court concluded that it’s too late to implement paper ballots this fall (the court noted that the timing of our motion for preliminary injunction was delayed by forces beyond our clients’ control). Ironically, the ineptitude demonstrated by certain state election officials in this case likely played a significant part in the decision that those officials could not manage a change now. We will continue the fight for all Georgia voters – and the Court makes clear that while we lost this initial battle, we are on track to win the war for safe, secure, transparent, honest elections in Georgia.”

Categories: Cyber Risk News

Former Anonymous Hacker Raises $2.5m for Startup

Tue, 09/18/2018 - 13:52
Former Anonymous Hacker Raises $2.5m for Startup

After being convicted of hacking-related crimes related to the Guy Fawkes Night campaign in 2012, Adam Bennett, a former Anonymous hacker, received a two-year suspended prison sentence and 200 hours of community service, according to the Australian Financial Review. Fast-forward to 2018, and Bennett has successfully raised $2.5 million dollars from investors for his cyber startup, Red Piranha.

“I’ve always been a privacy advocate and passionate about keeping Australian businesses secure,” Bennett said in an email interview. “I wanted to build a company that helped those struggling to afford the right cybersecurity controls or didn’t have the knowledge or resources to implement them.”

According to Bennett, small and midsized business (SMBs) are largely overlooked when it comes to the development of cybersecurity products, particularly with regard to affordability and ease of use. Red Piranha was founded with the goal of giving SMBs a slight advantage in fighting off cyber-criminals in mind.

“After the conviction, I was approached directly by a number of people asking for help. It was clear that the SMBs that I was speaking to needed something affordable. That’s what led me to found Red Piranha and develop Crystal Eye, our main cybersecurity product and the first Australian-made unified threat management (UTM) platform designed specifically for SMBs,” said Bennett.

The company was born out of the frustration that SMBs are left open to attack because they lack the money and resources to protect themselves. Since Bennett founded the company, it has grown from a startup of just two people to a company with over 55 employees in just a few years.

“Investors and all our new clients are eager to work with us. Given that we’re the only company in Australia doing what we do, we don’t expect to be slowing down anytime soon,” he said.

Working to cement its position in Australia's cybersecurity landscape, the company has also found ways to help increase Australia’s national intelligence ecosystem. To that end, the company is working in partnership with organizations set up by a federal government initiative, such as AustCyber, the growth center for Australia’s cybersecurity industry.

Categories: Cyber Risk News

Hackers Say Windows 8 and 10 Easiest Entry Points

Tue, 09/18/2018 - 13:43
Hackers Say Windows 8 and 10 Easiest Entry Points

According to a newly released survey conducted at Black Hat 2018, 50 percent of hackers said that Windows 8 and Windows 10 have been the easiest attack vectors to exploit this year.

Thycotic surveyed more than 300 hackers – nearly 70 percent of whom identified as white hats – to understand the hacker perspective with regard to vulnerabilities and attack vectors.  

In 2018 Black Hat Hacker ReportThycotic reveals that hackers often leverage the reality that operating systems are only as secure as the people using them. 

“The 2018 Black Hat Hacker Report indicates that our operating systems and endpoints remain woefully vulnerable to hackers and threats from cyber-criminals,” said Joseph Carson, chief security scientist at Thycotic, in today’s press release.

While the two Windows operating systems provided easy access, the survey found that 26 percent of hackers infiltrated Windows 10 most often, while 22 percent hacked Windows 8 the most. Linux lagged behind in popularity, with hackers exploiting vulnerabilities in the OS only 18 percent of the time. Less than 5 percent of respondents said that Mac was their easiest or most often-used attack vector.

To take control of privileged accounts, 56 percent of hackers said that social engineering is the fastest account seizing technique. Most often hackers are able to elevate privilege by either using default vendor passwords or exploiting application and OS vulnerabilities, the survey stated.

In addition, survey participants reported that nearly two-thirds (74 percent) of companies are lagging when it comes to implementing the principle of least privilege. In an email interview, Carson said, “Most companies are failing at applying the principle of least privilege as they are trying to solve this challenge with a technology-only approach, which tends to focus more on security without considering employee usability.”

The problem with such an approach is that the focus is most often on security rather than employee usability. “This typically creates a conflict between employee productivity and the need for better cybersecurity, resulting in a poor security experience and employees look for ways around it.”  

Because lagging behind in privileged access policies could result in more data breaches, Carson said a failure to implement least privilege will mean a higher cost for companies when they experience a data breach.

Thycotic recommends using a combination approach between people and technology, as it provides the chance to create an experience in which productivity and security work together. “Least privilege can only be successful when employee productivity is not impacted, allowing them to continue doing their job without the need to call the IT help desk continuously,"  he said.

Categories: Cyber Risk News

Think Tank: Urgent Oversight Needed for Police AI

Tue, 09/18/2018 - 10:24
Think Tank: Urgent Oversight Needed for Police AI

A leading think tank has called for urgent regulatory and oversight mechanisms to be introduced to govern the use of machine learning technology by UK law enforcers.

The Royal United Services Institute for Defence and Security Studies (RUSI), is the world’s oldest independent defense and security think tank. Its latest report, Machine Learning Algorithms and Police Decision-Making: Legal, Ethical and Regulatory Challenges was published with the Centre for Information Rights, University of Winchester.

It argued that although machine learning is currently being used in limited scenarios such as supporting custody decisions, there’s potential for a much wider expansion of its role in policing, with forces currently trialing its use in a variety of decision-making processes.

It described the lack of a regulatory and governance framework for its use as “concerning.”

“A new regulatory framework is needed, one which establishes minimum standards around issues such as transparency and intelligibility, the potential effects of the incorporation of an algorithm into a decision-making process, and relative ethical issues,” it continued. “A formalized system of scrutiny and oversight, including an inspection role for Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services is necessary to ensure adherence to this new framework.”

The report also warned that machine learning algorithms require “constant attention and vigilance” to make sure any predictions they provide are as unbiased and accurate as possible. To help in this, RUSI recommended the setting up of local ethics boards to assess each new implementation for police.

The use of emerging technologies in policing has been controversial over the years, as regulatory oversight often struggles to catch-up with day-to-day operations.

In May this year, rights groups called on the police to stop using facial recognition technology, claiming that FOI responses from forces proved it was “dangerous and inaccurate.”

False positives at the Metropolitan Police stood at 98%.

Categories: Cyber Risk News

Government Payment Service Exposes 14m Records

Tue, 09/18/2018 - 09:47
Government Payment Service Exposes 14m Records

A popular platform for making payments to US government entities leaked over 14 million customer records through a website error before being notified, it has emerged.

Government Payment Service runs the GovPayNet portal which many Americans use to pay bills, fines, license fees and more to over 2000 government agencies in 35 states.

However, the online receipts it issued on payment were apparently sequentially numbered and by typing new digits into the address bar individuals could view other records, according to journalist Brian Krebs.

The site was notified on Friday that it had been exposing over 14m records in this way dating back to 2012.

It moved relatively quickly to address the issue over the weekend, admitting in a statement that it “did not adequately restrict access only to authorized recipients.”

“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction,” it continued.

In fact, the exposed data included names, addresses, phone numbers and the last four digits of card numbers: more than enough to theoretically use in realistic-looking follow-on phishing attacks.

The firm continued to play down the potential impact of the security snafu.

“Additionally, most information in the receipts is a matter of public record that may be accessed through other means,” it claimed. “Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, said the leak was relatively minor but that extra should be taken by businesses interacting with the government.

“Online payment providers … should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them,” he added. “To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories."

The parent company of GovPayNet, Securus, is no stranger to security incidents, having been successfully hacked in 2015, exposing the records of 70m prisoner phone calls. Another of its services was misused by law enforcers to track real-time location of suspects through their phones.

Categories: Cyber Risk News

FBI Warns Parents of Edtech Security Risk

Tue, 09/18/2018 - 09:05
FBI Warns Parents of Edtech Security Risk

The FBI has warned US parents that school use of educational technology could be putting their children at risk from identity theft, cyber bullying and more.

Edtech platforms are an increasingly popular way to improve student collaboration and personalize learning experiences, but they also harvest highly sensitive data on students, according to the Feds.

This includes PII, biometrics, medical information, geolocation and classroom activities.

“In late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information,” noted the FBI alert.

“The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets.”

Edtech companies themselves can also be targeted: one vendor last year was found to have exposed internal data on a publicly accessible server, while another was breached, with student data ending up for sale on the dark web, according to the FBI.

The Bureau also warned of hackers targeting mobile devices used alongside edtech to get at sensitive data or monitor students via cameras and mics.

The public service announcement encouraged parents and families to discuss with local districts how edtech is used in their schools, consider identity theft monitoring for their kids, research previous school breaches for more contextual information, and more.

Categories: Cyber Risk News

Altaba Announces Class Action Settlement of $47m

Mon, 09/17/2018 - 17:21
Altaba Announces Class Action Settlement of $47m

In a letter addressed to its shareholders, Altaba Inc. (formerly Yahoo!) announced that it has sold the remaining shares of Yahoo Japan and that it has reached a settlement agreement in the class action lawsuit related to the 2014 Yahoo data breach.

In March of this year, as a result of the massive breaches that occurred between 2013 and 2016 at Yahoo, US District Judge Lucy Koh in San Jose, California, denied Verizon's attempts to dismiss claims of Yahoo's negligence and breach of contract, according to Reuters.

The legal woes resulting from the class action suit have today come to a close. “We are also pleased to announce today that we have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach,” Thomas J. McInerney, CEO at Altaba Inc., wrote.

“We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the Company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases. Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach.”

The settlement announcement comes 10 days after the plaintiffs and defendants engaged in a second day of mediation with Honorable Daniel Weinstein. As part of the agreement, the court has 45 days to approve the terms of the settlement.

“In the meantime, the parties to this action jointly and respectfully request the Court stay this litigation in its entirety to allow the parties to focus their efforts entirely on finalizing the settlement and to avoid any unnecessary waste of judicial resources,” John Yanchunis of Morgan & Morgan, lead counsel for the plaintiffs, and Ann Marie Mortimer of Hunton Andrews Kurth, LLP, attorney for the defendants wrote in a September 14 filing.

Shareholders were also informed that company proceeds will be used to repurchase stock, according to McInerney. He wrote, “Today we are announcing a new share repurchase authorization of $5.75 billion.”

Categories: Cyber Risk News