Info Security


Global Fraud Hits £3.2 Trillion

Tue, 05/22/2018 - 10:22

Experts have urged organizations to focus more on fraud prevention after new figures were released revealing that doing so could add a staggering £44 billion to the UK economy.

Researchers at the University of Portsmouth’s Centre for Counter Fraud Studies teamed up once again with tax and advisory firm Crowe, Clark and Whitehill to produce The Financial Cost of Fraud 2018 report.

Once again, the findings are based on representative samples of items of expenditure in each organization and whether incorrect payments are the result of error or fraud. In total, it reviewed 600 loss measurement exercises related to £15.6 trillion of expenditure in 40 sectors globally.

Fraud is costing the global economy £3.2 trillion annually, and in the UK stands at £110bn.

Although this is a drop from last year’s estimate of £125bn, in some organizations losses can reach more than 10% of total expenditure, the report claimed.

Since 2008, there has been a massive rise of 49.5% in average losses, which now amount to 6.8% of total expenditure over the period.

Head of forensic and counter fraud at Crowe, Clark and Whitehill, Jim Gee, has told Infosecurity in the past that the cyber-element of fraud is “inextricably linked” to the overall picture, as digitization takes hold across the globe.

The findings come after other reports showed a continued uptick in cyber-driven fraud in the UK. Cifas claimed identity fraud jumped 1% last year, with cyber comprising 84% of the figure.

In addition, a PwC report from February revealed that almost half of UK organizations (49%) have suffered from cyber-related fraud in the past two years.

Crowe, Clark and Whitehill argued that visibility into the problem is a vital first step towards mitigating fraud risk.

“It is also the case that work to measure losses is highly cost-effective,” it said. “Efforts to reduce losses are helped by greater knowledge about the scale of the problem. The data shows that organizations which re-measure the same area of expenditure have consistently lower loss rates.”

Categories: Cyber Risk News

DrayTek to Issue New Firmware After Zero-Day Attacks

Tue, 05/22/2018 - 09:23

Taiwanese router-maker DrayTek is working to issue an emergency security update after reports emerged that customers had been hit by a zero-day attack.

The vulnerability in question allowed hackers to change the router's DNS settings, enabling them to redirect unsuspecting users to phishing or other malicious sites.

An urgent notice posted by the company read as follows:

“We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers. In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router. The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.”

DrayTek urged users in the meantime to check their DNS settings and correct them if altered or restore them from a config back-up.

“We also recommend only using secured (TLS1.2) connections for web admin (for local and remote admin) and disable remote admin unless needed, or until firmware is updated,” it added.

The affected models are: Vigor2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220; BX2000; 2830nv2; 2830; 2850; and 2920.

There are thought to be in the region of 800,000 DrayTek routers in the wild globally, although it’s not known how many are vulnerable to the bug.

Nominet researcher Sion Lloyd argued that because DNS is the underlying protocol that directs internet traffic, it is overlooked by admins and therefore seen as a prime target by hackers.

“In order to mitigate or prevent attacks prior to patching hardware, security teams should pay heed to their threat intel feeds, which will include blacklisted domains/IP addresses, and make sure this data is applied in a timely manner,” he added. “Blocking known bad identifiers is a game of cat and mouse, but it is an effective way of severing connections to servers which are out to abuse your users. Also monitoring for changes to configuration files or DNS traffic being sent to new or unexpected servers would give an alert that something might require remediation.”

Categories: Cyber Risk News

Greenwich Uni Hit by £120K ICO Fine

Tue, 05/22/2018 - 08:55

Greenwich University has had the dubious honor of becoming the first university in the UK to be fined by the Information Commissioner’s Office (ICO).

The privacy watchdog slapped the £120,000 fine down after a 2016 incident in which the personal details of nearly 20,000 staff, students and alumni were stolen in a breach.

The hackers managed to infiltrate the university’s network after targeting multiple vulnerabilities in a microsite from 2004 which was still up and running.

The stolen PII included the contact details of 19,500 people such as names, addresses and telephone numbers. For around 3,500 of these people, much more sensitive data including information on extenuating circumstances, details of learning difficulties and staff sickness records was also taken and subsequently posted online.

That will certainly have increased the size of the fine significantly, as the ICO takes a dim view of organizations that fail to protect data which, if leaked, could cause significant distress to the individual.

The ICO claimed Greenwich University didn’t have the technical and organizational measures in place to ensure a breach would not occur.

The university is just lucky the incident happened in 2016 rather than next week, when the GDPR will empower the ICO to levy even higher fines if it chooses.

“Whilst the microsite was developed in one of the university’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said ICO head of enforcement, Steve Eckersley.

“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data and the number of people affected have informed our decision to impose this level of fine.”

Proofpoint cybersecurity specialist, Adenike Cosgrove, argued that data breaches are the new normal.

“As in this case, human error can mean the difference between a normal day and a data protection disaster. In addition to technical controls, employees must also be trained on the working practices required of the GDPR,” she added. “What we’re seeing from a lot of organizations is a situation where technology solutions and processes are in place to a certain degree, but the equally important employee awareness aspect is still yet to be adequately addressed.”

Categories: Cyber Risk News

Bank Robbing? There's a Vulnerable Web App for That

Mon, 05/21/2018 - 17:29

Gone are the days when criminals masked their identities and busted into a bank declaring, "This is a stick up!" According to Bank Attacks 2018, published today by Positive Technologies, cybercriminals are reaping big financial gains with relatively low risk by going online to rob banks.

Analysis of information systems performed by the company for banks over the past three years found that attackers can obtain unauthorized access to financial applications at 58% of banks.

While banks are well armed against external attacks with strong perimeter protections, they remain susceptible to insider threats, according to the report. "Whether by puncturing the perimeter with social engineering, vulnerabilities in web applications, or the help of insiders, as soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries," Positive Technologies wrote in a press release.

Using techniques similar to those of the Cobalt gang, known for its attacks on financial institutions, penetration testers compromised the workstations used for ATM management at one-quarter (25%) of the banks tested.

The report also noted that during the reconnaissance stage of collecting information about the target, many criminals search for malicious insiders on web forums. These unscrupulous insiders are willing to share company information for a fee. Stolen credentials and phishing campaigns are the most common and effective techniques criminals use to access banks because "it is both difficult and risky to organize attacks on servers or web applications, since the attackers are very likely to get caught," the report said.

Vulnerabilities in web applications leave many banks at risk. Remote access is another dangerous feature that often leaves the door open to external users. "The most common types are the SSH and Telnet protocols, which are present on the network perimeter of over half of banks, as well as protocols for file server access, found at 42 percent of banks," the report said.

"The good news is that it's possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken," said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, in the press release.

"Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It's critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, SIEM solutions substantially simplify and improve the effectiveness of incident management."

Categories: Cyber Risk News

#IRMS18 Can Blockchain be Compliant with GDPR?

Mon, 05/21/2018 - 14:59

Speaking at the IRMS Conference in Brighton, Dyann Heward-Mills, CEO, HewardMills, focused on the emergence of Blockchain and the need for GDPR compliance.

She called the relationship between the regulation and distributed ledger “critical” as data protection officers need to understand its impact, how it sits with data subject rights and the Right to be Forgotten.

“Critical is the implementation of privacy by default and design with the technology,” she said. “When presented with a technology like Blockchain, what does a DPO do? Well you conduct your data protection impact assessment over the technology.”

She agreed that it is “very robust and secure and unlikely to be encountering challenges” regarding loss of personal data, but how does it sit with data retention?

From a regulatory perspective, Heward-Mills acknowledged that there is no central regulation required, but is it desired? In terms of how GDPR applies to Blockchain, she asked the audience whether encrypted data and metadata are still considered to be personal information.

“Where there are decentralized systems, how does the legislation actually apply? Is it still fit for purpose?”

Looking at the key principles, she rated Blockchain against the principles of Article Five of the GDPR, as follows:

  • “Processed lawfully, fairly and in transparent manner” – Not transparent due to encryption
  • “Collected for specified, explicit and legitimate purpose” – Arguably legitimate – for authentication purposes
  • “Adequate, relevant and limited to what is necessary” – Not necessary, ledger exists forever
  • “Accurate and where necessary, kept up to date” – May not be accurate, and no way to delete it
  • “Identification for no longer than necessary” – Not necessary, ledger exists forever
  • “Processed in a manner that ensures its security” – Secure, due to encryption

Heward-Mills said that with the GDPR, privacy by design is one of the central pillars, but Blockchain is decentralized, everyone has a ledger, and how is it possible to regulate such a decentralized way of operating?

She acknowledged that there is an “opportunity to shape the approach of supervisory authorities in this context” as the regulators were still figuring out how to work with such technology.

Following on with the role of the DPO in this, she said there will be a critical role in shaping how the regulators respond to this emerging technology, but what we can offer “is the voice of corporate reality and challenges that are presented in using this technology.”

She said: “This is a really exciting time. Given that the regulator wants to receive perspectives from practitioners, I think we have a real opportunity to shape the future of this technology.”

Concluding, Heward-Mills said that there is some uncertainty on how it is evolving and how it is being regulated, but it is growing in importance and there will be more discussion on how it is applied.

“It is not always anonymous and it is possible through different data sets to decode on use and individuals behind the ledger and either we need to find some exemption in terms of how Blockchain is perceived, and its application under data protection laws, but the law needs to be updated as there are certain principles that are so incompatible fundamentally.”

Categories: Cyber Risk News

Roaming Mantis Preys on Multilingual Victims

Mon, 05/21/2018 - 14:25

A new wave of Android malware originally seen targeting victims across Asia via DNS hijacking has evolved into multilingual malware, broadening its attack surface and evading detection as it spreads across Europe and the Middle East, according to new research from Kaspersky Lab.

Roaming Mantis, Android malware distributed through DNS hijacking, was discovered earlier this year but has since evolved beyond targeting smartphones in Asia. The malware now supports 27 languages and has extended into Europe and the Middle East, adding a phishing option for iOS devices and a PC crypto-mining capability.

Designed to steal user information, the malware also provides attackers with control over the compromised device. Researchers believe a financially motivated Korean- or Chinese-speaking cybercriminal group is behind the operation.

“The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese,” security researcher Suguru Ishimaru wrote in an 18 May SecureList blog post.

"But, of course, this multilingualism is not limited to the landing page," Ishimaru continued. "The most recent malicious apk (MD5: 'fbe10ce5631305ca8bf8cd17ba1a0a35') also was expanded to support 27 languages."

Researchers believe the attackers used an automatic translator to expand their initial set of languages into dozens of others and infect more users, but they have changed more than the languages.

Though the criminal group originally targeted Android devices, it is now targeting iOS devices as well, “using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘’,” Ishimaru wrote.

While an authentic DNS server would recognize that such a domain name doesn’t exist, Ishimaru said, “a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘’ in the address bar of the browser.”
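A defender-side check for the two symptoms described on this page, the altered router DNS settings DrayTek warns about and the DNS traffic to an unexpected resolver that Roaming Mantis relies on. This is an added example, not code from the original articles or from the vendors named; the approved resolver addresses, configuration keys and flow-log format are constructed assumptions.

```python
"""Detect two symptoms of router DNS hijacking: DNS settings that differ from
a known-good configuration export, and DNS traffic leaving for resolvers that
are not on the approved list. Every value below is constructed for the example."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sanctioned resolvers (constructed, RFC 5737 documentation ranges).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed snapshots of the settings a router's admin page exports. The
# baseline was taken after hardening; the current one after an unexplained change.
BASELINE_CONFIG = {"dns1": "192.0.2.53", "dns2": "192.0.2.54",
                   "remote_admin": "off", "admin_tls_min": "1.2"}
CURRENT_CONFIG = {"dns1": "203.0.113.9", "dns2": "192.0.2.54",
                  "remote_admin": "on", "admin_tls_min": "1.2"}

# Constructed flow records: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = """\
2018-05-21T10:00:01Z udp 10.0.0.12:51422 -> 192.0.2.53:53
2018-05-21T10:00:02Z udp 10.0.0.12:51423 -> 203.0.113.9:53
2018-05-21T10:00:03Z tcp 10.0.0.40:44112 -> 198.51.100.7:443
2018-05-21T10:00:04Z udp 10.0.0.15:50001 -> 203.0.113.9:53
2018-05-21T10:00:05Z tcp 10.0.0.15:50002 -> 203.0.113.9:53
this line is malformed and must be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    kind: str      # "config_changed" or "rogue_resolver"
    detail: str


def diff_config(baseline: dict, current: dict) -> list[Alert]:
    """One alert per setting that differs from the baseline; a DNS server that
    is not on the approved list is called out explicitly."""
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        note = f"{key}: {old!r} -> {new!r}"
        if key.startswith("dns") and new not in APPROVED_RESOLVERS:
            note += " (not an approved resolver)"
        alerts.append(Alert("config_changed", note))
    return alerts


def parse_flow(line: str) -> Optional[dict]:
    """Return the fields of one flow record, or None for malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields


def rogue_resolver_counts(flow_text: str, approved: set[str]) -> Counter:
    """Count DNS flows (port 53, udp or tcp) per destination that is not an
    approved resolver. Malformed lines are skipped rather than aborting the run."""
    counts: Counter = Counter()
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] != 53:
            continue
        if flow["dst"] not in approved:
            counts[flow["dst"]] += 1
    return counts


def audit(baseline: dict, current: dict, flow_text: str,
          approved: set[str] = APPROVED_RESOLVERS) -> list[Alert]:
    """Combine both checks into a single alert list, config changes first."""
    alerts = diff_config(baseline, current)
    for server, n in rogue_resolver_counts(flow_text, approved).most_common():
        alerts.append(Alert("rogue_resolver",
                            f"{n} DNS flow(s) to unapproved resolver {server}"))
    return alerts


if __name__ == "__main__":
    for alert in audit(BASELINE_CONFIG, CURRENT_CONFIG, SAMPLE_FLOWS):
        print(f"[{alert.kind}] {alert.detail}")
```

On the constructed input this reports the changed dns1 entry, the remote-admin toggle and three DNS flows to the unapproved 203.0.113.9, while the HTTPS flow on port 443 is ignored.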

An additional feature included in the extended translations of the malware is PC web mining for the most popular crypto-currency among cybercriminals, Coinhive, accomplished via a special script executed in the browser.

Categories: Cyber Risk News

Parent and Teen Data Leaked from Monitoring App

Mon, 05/21/2018 - 14:20

A security researcher discovered two leaky servers of a California-based company, TeenSafe, which left the email addresses and passwords of parents and teens unprotected. According to ZDNet at least one of the servers used by the TeenSafe app leaked data from tens of thousands of accounts.

TeenSafe is an app, available for both iOS and Android, for parents who wish to monitor the texts, calls, locations and even the social media exchanges of their teens. The parents enter their email addresses and those of their teenagers. The database stores not only the email and password information but also the child’s device name and the device’s unique identifier, as reported by ZDNet.

“Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data,” ZDNet wrote.

UK-based security researcher Robert Wiggins found the issue with one server containing production data – live customer information – while the second server stored test data. In a tweet to Infosecurity Magazine, Wiggins said, “It appeared to be intercepting the phone’s requests to iCloud for FindMyPhone and other bits related to iCloud.”

Wiggins said the problem was with the type of service running: its default was set for no password and no SSL. “They should’ve firewalled it off to IP’s only,” Wiggins said.

The TeenSafe website claims that it uses “industry-leading SSL and vormetric data encryption to secure your child’s data,” assuring parents that their “child’s data is encrypted – and remains encrypted – until delivered to you, the parent.” However, the leaked data discovered by Wiggins was in plaintext.

"It is sad to see a company charged with storing our kids' Apple ID passwords get this wrong, especially after Amazon introduced several new features to avoid this back in November. Both parents and data custodians should not assume that data is being properly stored. Just saying your website uses SSL is no longer enough," said James Lerud, head of the Verodin behavioral research team.

Companies charged with storing sensitive data should actively disclose what steps they are taking to perform continuous validation, added Lerud. "Parents/customers should start expecting assurances before trusting a company with their data."

Categories: Cyber Risk News

#IRMS18 ICO Begins Countdown to GDPR Compliance with Reassurances

Mon, 05/21/2018 - 12:23

As the final few days count down until the GDPR becomes law, the Information Commissioner’s Office (ICO) reassured conference delegates that the regulation is an opportunity rather than a barrier.

Speaking in the opening keynote at the IRMS conference in Brighton, Louise Byers, head of risk and governance at the ICO, who also acts as the regulator’s data protection officer, and is responsible for the ICO’s records and management team, opened by acknowledging that she is in a unique position but “faces some of the same challenges and some of the same conversations that you are facing today as well.”

She said that as “custodians of information and data, records management professionals have a unique role to play in safeguarding information rights,” and referencing a talk given in April by the Information Commissioner Elizabeth Denham, she said: “There’s never been a better time to be in data protection.”

In current times, she said that allegations surrounding Cambridge Analytica have provided an opportunity for the public to focus on privacy and how their data is handled.

“The GDPR rebalances the relationship between the public and organizations and it gives greater control over how their data is used, and it compels organizations to be transparent about their actions, but it doesn’t end there.”

Along with new regulations such as the NIS Directive and E-Privacy Directive, Byers said that “Friday is a beginning not an end,” and that “GDPR is not Y2K”, but an opportunity to revolutionize the way that businesses work and engage with those who are most important to you.

Byers said that those organizations that thrive under the rules will see an opportunity to commit to data protection and embed it in their policies, processes and culture, and that some organizations are “embracing it for the opportunity it presents rather than the perceived barriers it throws up.”

Regarding its position as the regulator of the GDPR, Byers said that “we’re expecting more of everything.” This includes: more breach reports as the law requires it; more complaints as people will be better informed of their rights; and greater engagement as businesses turn to the ICO for advice at the outset of projects.

This has allowed the ICO to “develop, to grow and reinvent ourselves.” This has seen a “fundamental” series of changes at the ICO, including its mission on transparency in the digital economy, recruitment, funding and its approach to technology under its new three-year strategy.

Byers went on to say that the ICO will “not be changing our approach to fines in four days time,” but its aim is to prevent harm, and put support and compliance at the heart of its regulatory action.

While voluntary compliance is the preferred route, she said that action will be taken where necessary and this will be backed up with “hefty fines” which can be levied on those organizations that persistently, deliberately or negligently flout the law.

In conclusion, Byers said that the ICO's 12 Steps to GDPR compliance has been downloaded six million times in two years, and it will be updating its guidance as things change in the future. In her position as data protection officer for the GDPR, Byers identified three key areas to achieve compliance:

  • The first regards information rights and records management, as this is “the starting point for everything as it enables you to know what you have got, and who knows what you have."
  • The second is collaboration, as securing senior buy-in is crucial, and working with all parts of the organization to identify key players.
  • The third is communications, both internal and external, and working with all areas of the business to deliver strong communications around the requirements and the importance of breach reporting and recording.

“If I had to sum up the impact of GDPR in one word, it would be people,” she said. “This is all about individuals, balancing the law and increasing the public’s trust and confidence in the way their data is handled.”

Categories: Cyber Risk News

#IRMS18: ICO Dismisses Brexit Impact on GDPR

Mon, 05/21/2018 - 11:21

Brexit should not affect the UK’s participation in enforcing GDPR.

Speaking in the opening keynote at the IRMS conference in Brighton, Louise Byers, head of risk and governance at the Information Commissioner’s Office (ICO), said that the response to “this uncertainty” has been to set two clear goals:

  • The first is to maintain a high value of data protection for UK citizens and consumers wherever their data resides. “It includes uninterrupted data flows to Europe and the rest of the world and legal certainty for business and law enforcement.”
  • The second is to continue to play a full role in EU institutions and maintain a strong working relationship with the European Data Protection Board, the EU body in charge of the GDPR.

“We’re making progress on both fronts,” she said. “The Government has made good on its promise to fully implement the GDPR and it is going further through the Data Protection Bill and other legislation. In two recent speeches, the Prime Minister made the case for an ongoing role for the ICO in the European landscape.”

Byers admitted that it was unclear what that future role will include, but the ICO remains deeply committed to being embedded in the EU data protection community.

Categories: Cyber Risk News

Man Gets 15 Years for DDoS Revenge Campaign

Mon, 05/21/2018 - 10:38

A New Mexico man has been handed a 15-year prison sentence for launching DDoS attacks against former employers, business competitors and public services.

John Kelsey Gammell pleaded guilty on January 17 to one count of conspiracy to cause intentional damage to a protected computer and two counts of being a felon in possession of a firearm.

He was sentenced late last week to 180 months behind bars, plus restitution to his victims to be decided at a later date.

Those victims include companies Gammell used to work for, companies that chose not to hire him, competitors of his business, law enforcement agencies and courts.

Washburn Computer Group, the Minnesota State Courts, Dakota County Technical College, Minneapolis Community and Technical College, and the Hennepin County Sheriff’s Office were just some of those whose websites he targeted.

Between July 2015 and March 2017 he’s said to have launched attacks from his own computer and via multiple DDoS-as-a-service offerings on roughly three dozen target websites.

Gammell also used IP address anonymization services, crypto-currency to pay for “DDoS-for-hire” services, and fake email accounts to hide his identity, as well as encryption and drive-cleaning tools to conceal digital evidence on his machines at home, according to the DoJ.

Despite being a convicted felon, Gammell possessed several handguns and AR-15 assault rifle parts, which helped to bump up his sentencing further still.

The case highlights the ease with which even lone attackers can launch damaging attacks on organizations.

DDoS-as-a-service sites offer a range of packages starting at as little as $5 per month, although attacks typically cost as little as $25 per hour, according to research by Kaspersky Lab last year.

Categories: Cyber Risk News

New Mirai Variant Adds Three Exploits

Mon, 05/21/2018 - 09:55

Security experts are warning of a new Mirai variant which features three exploits to target unpatched IoT endpoints.

The “Wicked” variant is named after some of the code strings found in it by researchers at Fortinet, they revealed late last week.

While the original version of Mirai used brute force techniques to compromise devices, Wicked relies on known exploits — used depending on the port the bot is connected to.

If connected to Port 8080, the malware will use a remote code execution (RCE) Netgear exploit which works on DGN1000 and DGN2200 v1 routers, and is the same tool used by the Reaper botnet to compromise target machines.

For Port 81, an RCE exploit is used that targets CCTV and DVR devices.

An old command injection vulnerability (CVE-2016-6277) is exploited via Port 8443 to compromise Netgear R7000 and R6400 devices.

For Port 80, the black hats have added a technique which hijacks compromised web servers with malicious web shells already installed.

“After a successful exploit, this bot then downloads its payload from a malicious website, in this case, hxxp://{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot,” explained Fortinet.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

In fact, it is believed that the same author, who used the pseudonym “Wicked” in an interview last April, is responsible for Owari, Sora, Omni and Wicked.

“This also leads us to the conclusion that while the Wicked bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” the researchers argued.

Categories: Cyber Risk News

Google Set to Remove Green Padlock from HTTPS Sites

Mon, 05/21/2018 - 09:04

Google has announced it is changing the way it marks up secure HTTPS pages, removing the green padlock.

The web giant explained in a blog post at the end of last week that “users should expect that the web is safe by default,” and so in future users will only be told if the site they’re visiting is not secure.

“Since we’ll soon start marking all HTTP pages as ‘not secure’, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure. Chrome will roll this out over time, starting by removing the ‘Secure’ wording and HTTPS scheme in September 2018 (Chrome 69),” wrote Chrome Security product manager, Emily Schechter.

“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red ‘not secure’ warning when users enter data on HTTP pages.”

The move could confuse consumers looking out for a padlock in the short term, but ultimately should be seen as a positive move in forcing businesses to improve the security of their sites, argued Venafi VP EMEA, Craig Stewart.

“However, as we’ve already seen from the deprecation of SHA-1 certificates, organizations are typically slow to react to warnings of this kind and can often underestimate the task at hand. Many organizations do not properly track which certificates they have applied where, and have thousands of certificates that they are unaware of,” he added.

“Just the task of discovering these and making sure they are upgraded to HTTPS will be a big task and, if done manually, there are likely to be gaps which cause disruption to customers and business processes. This is why businesses need to take control of their security and use automation to enable them to be agile in applying new changes such as switching from HTTP to HTTPS certificates.”

Categories: Cyber Risk News

Small-Business Owners Unaware of Looming GDPR

Fri, 05/18/2018 - 16:35

With only a week remaining before the General Data Protection Regulation (GDPR) goes into effect across the European Union, nearly a quarter of small-business owners are completely unaware of and unprepared for its impact, according to data released in Shred-it's eighth annual Security Tracker report, released 17 May.

The research, conducted by Ipsos, surveyed 1,000 small-business owners with fewer than 100 employees, as well as a second sample group that included more than 100 C-suite executives from businesses with over 250 employees.

"The research makes clear that there is a huge disparity in terms of preparedness and focus based on the size of businesses," Shred-it wrote in a press release. While 97% of C-suite executives at large companies have a basic understanding of GDPR, only 78% of small-business owners possess at least a basic awareness of the forthcoming regulations.

"Almost half (47%) of leadership at large firms report having detailed GDPR knowledge," but "that figure for small businesses is just 10%," Shred-it wrote.

Brian Vecci, technical evangelist at Varonis, said, "While some companies have prepared for the GDPR for months and even years, others have only recently realized they need to comply and have to scramble a bit to catch up."

Everyone is in the final countdown, but with only one week until the deadline, Vecci said, "Companies need to zero in on their sensitive data and, more importantly, discover the data at risk that could ultimately knock them out of the GDPR compliance ring. Companies need to make sure they know what sensitive data they have and where that data might be at risk and cause them problems after May 25."

Neil Percy, VP of market development and integration EMEA at Shred-it, agreed, stating, “Companies need to audit their current data flows and assess where confidential information may be at risk, either in digital or physical form, and take steps to restrict accessibility and delete or, if in physical format, securely destroy it when necessary.”

There are additional provisions within the regulation that small businesses need to be aware of. In a 16 May blog post, Shawn Ryan at Imperva wrote, “One of the more notable provisions of the GDPR is Article 33, the mandatory 72-hour breach reporting requirement. Article 33 dictates that, in the event of a personal data breach, data controllers notify the appropriate supervisory authority 'without undue delay and, where feasible, not later than 72 hours after having become aware of it.'”

Categories: Cyber Risk News

2018: Scariest Year of Evil Things on the Internet

Fri, 05/18/2018 - 15:28
2018: Scariest Year of Evil Things on the Internet

Acts of evil on the internet are on the rise, according to the 2018 Internet of Evil Things survey. Now in its fourth year, the survey, conducted by Pwnie Express, polled more than 500 security professionals and found their collective responses to be "the scariest survey results we've seen yet."

The report indicates that security professionals have a heightened concern for growing threats, with 85% of respondents believing their country will suffer a major critical infrastructure cyber-attack in the next five years.

"The attack on a Schneider Electric safety system was considered a watershed moment because it demonstrated how hackers 'might cause physical damage to a plant, or even kill people by sabotaging safety systems before attacking industrial plants,'" the report quotes Reuters as saying.

In addition to confronting malware and ransomware, nearly one-third of respondents reported having been hit by a distributed denial-of-service (DDoS) attack. Of those, more than 22% also discovered attacks on wireless communications or access points.

While many respondents (64%) admitted to being stressed and uneasy about the lack of security in the internet of things (IoT), "one in three respondents said that their organizations were unprepared to detect connected device threats." Despite nearly half (49%) of respondents admitting that they are concerned about consumer IoT devices, only 23% said they can monitor devices like smartwatches and other types of IoT devices.

Satya Gupta, CTO and co-founder, Virsec, echoed the concerns of survey respondents but noted that, while understandable, anxiety needs to be turned into actionable security.

"There is still a gap in understanding between IT and OT [operational technology]," Gupta said. "While most of the concern focuses on the devices (is my refrigerator spying on me?), most attacks come through IT channels. Especially in the ICS [industrial control system] space, the real dangers are from IT systems that automatically control myriad sensors, switches and other devices. Hacking a one-off device will cause limited damage, but hacking an ICS SCADA system can bring down an entire power plant or worse."

Despite the risks, security professionals continue to be left out of purchasing decisions. Only 60% of survey respondents said that they have a role in the purchasing approval process for IT devices, which includes computers, mobile devices, and servers. 

While 75% of security professionals said that they have a security policy in place for IT devices, only 35% have security policies for their building OT/IoT devices.

Categories: Cyber Risk News

Customer Consent Allows Leak of Location Data

Fri, 05/18/2018 - 14:34
Customer Consent Allows Leak of Location Data

Whether stolen or accidentally leaked, the location data of mobile phone customers has been making headlines for much of May. The latest announcement came yesterday from KrebsOnSecurity, with news that a bug in the website of US-based tracking firm LocationSmart was leaking real-time location information of mobile phone customers.

The vulnerability was discovered in a free demo tool available on LocationSmart’s website, which was revealing to virtually anyone who wanted it the general whereabouts of customers of AT&T, Sprint, T-Mobile and Verizon.

After KrebsOnSecurity verified the tool was leaking information "without the need for any password or other form of authentication or authorization," LocationSmart took the service offline.

However, in an email to Infosecurity Magazine, LocationSmart confirmed that Carnegie Mellon University security researcher Robert Xiao was only able to locate the subscribers by personally obtaining their consent.

With its enterprise mobility platform, LocationSmart said it strives to bring secure operational efficiencies to customers. "All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber."

Tim Erlin, VP of product management and strategy at Tripwire, said that the increased connectivity and access that we gain comes at a price. “Connections go both ways. Consent and comprehension aren’t the same thing. Consumers routinely consent to sharing data without understanding what that really means.”

“LocationSmart’s service was vulnerable to abuse, and those types of errors occur. The surprise isn’t about a vulnerable service but about the content of that service. No one wants to imagine that they can be tracked without cause.”

The email from LocationSmart also confirmed that it has disabled the vulnerability in the consent mechanism of its online demo identified by the researcher.

"We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission. On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability," LocationSmart wrote.

The company said it is continuing its efforts to verify that no subscriber’s location was accessed without their consent and that no other vulnerabilities exist. "LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process," the company wrote.

Categories: Cyber Risk News

BYOD Threats Exposed: 61% of UK SMEs Suffer Cyber-Attacks

Fri, 05/18/2018 - 10:30
BYOD Threats Exposed: 61% of UK SMEs Suffer Cyber-Attacks

Small UK businesses that operate a BYOD policy are more likely to suffer a cybersecurity-related incident, according to new figures from Paymentsense.

The merchant service provider polled over 500 small business owners nationwide and found that 61% have experienced an incident following their introduction of BYOD.

The findings seemed to suggest that the rate of security issues increases with greater penetration of BYOD.

Some 40% of microbusinesses with up to 10 staff have such a policy, and 14% reported a security incident. But 51% of businesses with 51-100 people and 69% of firms with 101-250 employees allowed BYOD, and their figures for security incidents stood at 70% and 94% respectively.

The most common incidents over the past 12 months were malware-related (65%), followed by viruses (42%), distributed denial of service (26%), data theft (24%) and phishing (23%).

The findings highlight the challenge facing firms with fewer resources to spend on IT security: how to enable more productive ways of working without exposing themselves to greater cyber-risk.

Paymentsense head of digital, Chafic Badr, argued that firms need to have guidelines in place which teach staff how to follow cybersecurity best practices, adding that “regular engagement and communication with staff at all levels is important.”

"As with all cybersecurity issues, the biggest factor is the human one — employees need to be aware of their responsibilities and the risks associated with a BYOD system. This is particularly important when you consider personal data responsibilities in the post-GDPR landscape,” he added.

“If mistakes are made, having an incident response plan clarifies responsibilities and ensures timely action is taken to contain and control the situation.”

The findings chime with a recent government report which found that 43% of UK businesses have suffered a cyber-attack or breach over the past 12 months. However, the figures rose to 49% for those that operated a BYOD policy.

Categories: Cyber Risk News

Court Convicts Scan4You Mastermind

Fri, 05/18/2018 - 09:39
Court Convicts Scan4You Mastermind

Trend Micro has released details on how a three-year collaborative investigation with the FBI resulted in the eventual conviction of the two men behind a prolific counter anti-virus (CAV) service.

Russian hacker Jurijs Martisevs pleaded guilty in March 2018 while Latvian resident and former Russian citizen Ruslans Bondars was convicted after a five-day jury trial this week of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage and aiding and abetting.

From at least 2009 to 2016 the two are said to have operated the Scan4You site, which helped cyber-criminals test their wares against over 30 AV engines, giving attacks a greater chance of success.

In 2012, Trend Micro noticed some unusual activity while researching a private exploit kit called g01pack. Minutes before the exploits were used in the wild, IP addresses in Latvia checked the security vendor’s web reputation system to see if it blocked the URLs hosting the exploits.

After investigating further, the vendor said it noticed that those IP addresses were not only checking g01pack’s exploit URLs but many others.
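The tell Trend Micro describes above, the same client IPs checking exploit URLs against a reputation service minutes before those URLs went live, can be turned into a simple correlation. The following is an added example, not Trend Micro's code: it runs over a constructed reputation-lookup log (assumed format "timestamp client_ip url") and a constructed first-seen-in-the-wild table, and ranks client IPs whose lookups repeatedly precede a URL's first appearance by only a short window.

```python
"""Spotting pre-launch reputation checks against a web reputation service.

Added example, not Trend Micro's code. The log format
("<ISO timestamp> <client_ip> <url>") and the FIRST_SEEN table are
constructed for this example and are assumptions, not a real product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reputation-lookup log: timestamp, querying client IP, URL queried.
LOOKUP_LOG = """\
2012-06-01T10:00:00Z 203.0.113.7 http://exploit-a.example/kit
2012-06-01T10:01:00Z 198.51.100.9 http://exploit-a.example/kit
2012-06-01T10:20:00Z 203.0.113.7 http://exploit-b.example/land
2012-06-01T11:05:00Z 203.0.113.7 http://exploit-c.example/x
2012-06-02T08:00:00Z 192.0.2.44 http://news.example/story
2012-06-02T09:00:00Z 198.51.100.9 http://exploit-b.example/land
"""

# Constructed: when each URL was first observed serving content in the wild
# (for instance from honeypot or customer telemetry feeds).
FIRST_SEEN = {
    "http://exploit-a.example/kit": "2012-06-01T10:04:00Z",
    "http://exploit-b.example/land": "2012-06-01T10:25:00Z",
    "http://exploit-c.example/x": "2012-06-01T11:07:00Z",
    "http://news.example/story": "2012-05-01T00:00:00Z",
}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def parse_lookups(log_text):
    """Parse log lines into (timestamp, client_ip, url) tuples, skipping malformed lines."""
    lookups = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore blank or malformed lines rather than crash
        ts, ip, url = parts
        lookups.append((parse_ts(ts), ip, url))
    return lookups


def pre_launch_lookups(lookups, first_seen, window=timedelta(minutes=15)):
    """Map client IP -> set of URLs it queried shortly *before* the URL went live.

    A lookup counts only if it happened before first-seen and within `window`
    of it. Lookups after first-seen (ordinary checks on an already-known URL)
    and lookups far in advance (crawlers, unrelated traffic) are excluded.
    """
    hits = defaultdict(set)
    for ts, ip, url in lookups:
        launched = first_seen.get(url)
        if launched is None:
            continue  # URL never observed in the wild; nothing to correlate
        lead = parse_ts(launched) - ts
        if timedelta(0) <= lead <= window:
            hits[ip].add(url)
    return dict(hits)


def rank_testers(lookups, first_seen, min_hits=2, window=timedelta(minutes=15)):
    """Return [(ip, hit_count)] for IPs that pre-checked at least `min_hits` URLs."""
    hits = pre_launch_lookups(lookups, first_seen, window)
    ranked = [(ip, len(urls)) for ip, urls in hits.items() if len(urls) >= min_hits]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, count in rank_testers(parse_lookups(LOOKUP_LOG), FIRST_SEEN):
        print(f"{ip} pre-checked {count} URLs shortly before they went live")
```

The `min_hits` threshold matters: a single pre-launch lookup is easily coincidence, but an IP that does it across several unrelated exploit URLs, as 203.0.113.7 does in the constructed data, is behaving like a counter-AV customer testing its wares.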

According to a new report, The Rise and Fall of Scan4You, Trend Micro handed over its findings to law enforcers in 2014 and the two were finally arrested after a painstaking three-year investigation.

“In this case our global threat intelligence network and team of researchers proved an invaluable resource for the FBI as it honed in on this notorious CAV service,” said chief cybersecurity officer, Ed Cabrera. “This is a big blow to cybercrime, helping to disrupt countless threat actors and prove there are consequences to their actions. We stand shoulder to shoulder with law enforcement in our efforts to secure the connected world.”

Scan4You had a huge impact on the cybercrime industry, according to the Department of Justice.

It claimed a single customer of the service tested malware subsequently used to steal 40 million credit and debit card numbers, 70 million addresses, phone numbers and other pieces of PII, costing one retailer over $290 million in losses. 

The convictions come after another Trend Micro collaboration, this time with the UK’s National Crime Agency (NCA), resulted in the guilty plea earlier this year of a man who ran a site that was, ironically, a de facto reseller of the Scan4You service.

Categories: Cyber Risk News

CPS Fined £325K for Losing Police Interview Videos

Fri, 05/18/2018 - 08:54
CPS Fined £325K for Losing Police Interview Videos

The Crown Prosecution Service (CPS) has been fined £325,000 by the UK’s privacy watchdog after losing DVDs containing recordings of police interviews with child sex abuse victims.

The DVDs contained recordings of interviews with 15 victims set to be used at trial, according to the Information Commissioner’s Office (ICO).

They contained intimate details of the case including information about the alleged perpetrator.

It is not known what happened to the DVDs in question. They were sent by tracked delivery between two CPS offices, the second of which was in a shared building. The entry doors were reportedly locked, but anyone in the building could still have accessed the DVDs, as they were not in tamper-proof packaging and were simply left in reception.

The CPS did not discover until a month later that the DVDs had been lost.

This is the second time the CPS has been fined by the ICO for losing sensitive video evidence, with the first incident occurring in November 2015 and resulting in a £200,000 penalty.

ICO head of enforcement, Steve Eckersley, said the CPS must take urgent action to prove it can be trusted with highly sensitive information like this.

“The victims of serious crimes entrusted the CPS to look after their highly sensitive personal data - a loss in trust could influence victims’ willingness to report serious crimes,” he added in a statement.

“The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.”

The incident highlights the fact that employee negligence and poor process is often to blame for data breaches, rather than malicious third-party cyber-attackers.

ICO stats released this week revealed that human error was by far the biggest factor in incidents reported in the financial year 2017-18.

The latest incident does not bode well for the CPS given the GDPR takes effect from next week. Any further losses of this kind could result in significantly higher fines.

Categories: Cyber Risk News

GDPR Could Bring Swathes of Spam Due to Whois Redundancy

Fri, 05/18/2018 - 08:50
GDPR Could Bring Swathes of Spam Due to Whois Redundancy

The introduction of GDPR next week could see a future increase in the amount of malicious spam, because defenders will lose the ability to block malicious domains based on who registered them.

Speaking to Infosecurity this week, Caleb Barlow, vice president of threat intelligence at IBM Security, said that the Whois database “is the fundamental ethos of how we protect the internet and we are seeing those services get shut down” as GDPR offers the ability to protect the identity of the domain owner.

Barlow called this an “unintended consequence of this privacy law” and said that the end of disclosure of who owns a domain will prevent tracking of the owners.

He said: “Millions of emails come in every day and we use Whois to see who sent it and block spammers, so the message doesn’t even make it in as it is blocked at the network layer. When a new domain gets registered we look at the Whois information and name and address.”

This issue was addressed by David Redl, the new head of the US National Telecommunications and Information Administration, earlier this year. He said: “The Whois service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all internet stakeholders that it does.”

In April, ICANN president and CEO Goran Marby said: “Without a moratorium on enforcement, Whois will become fragmented and we must take steps to mitigate this issue.”

The ICANN statement said that a moratorium on enforcement action by data protection authorities would potentially allow for the introduction of an agreed-upon accreditation model, and for the registries and registrars to implement that accreditation model in conjunction with the measures in the agreed final interim compliance model.

“A fragmented Whois would no longer employ a common framework for generic top-level domain (gTLD) registration directory services,” ICANN said. “Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.”

Barlow explained that while a malicious registrant will not use their real name, there will be some consistency if they register 1000 domains, so the phone number or email would be the same, “and when we detect one we can flag them all as bad, and this proliferates across the internet in minutes.”

Barlow said that losing the ability to know who registered a domain will hit the efficacy of malicious domain takedowns, and this could lead to two bad scenarios: one is where the amount of spam and attacks go up and companies block everything, including those who legitimately want to keep their details private; and the second issue will be more spam carrying malicious links or ransomware.

“This gives bad guys a free reign, as most domains are malicious,” Barlow said. “We need to filter them out, and the only way is with Whois.”

He concluded by saying that the cybersecurity industry can get in front of this, and monitor new domains and their activity “as bad guys register domains anonymously and wait a few months so test it, put legit traffic on it and then flip it to be malicious.”

However, he said, we can expect a lot of spam in a few months with no way to block it: “Ironically, the new privacy law could cause further loss through cyber-attack.”
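The two techniques Barlow describes, pivoting from one bad domain to every other domain sharing its registrant phone or email, and, once that data is redacted, falling back to watching newly registered domains, look like this in practice. The following is an added example, not IBM's tooling: the Whois records are constructed, the normalised field names (registrant_email, registrant_phone, created) and the redaction markers are assumptions rather than the raw WHOIS protocol format, and the last record shows what a GDPR-style redaction does to the pivot.

```python
"""Pivoting on Whois registrant attributes to expand a block-list verdict.

Added example, not IBM's tooling. Records and field names are constructed
assumptions for the example, not the raw WHOIS protocol output.
"""
from collections import defaultdict, deque
from datetime import date

# Constructed Whois records. The last one is what a GDPR-style redaction looks like.
WHOIS = [
    {"domain": "secure-login-update.example", "registrant_email": "a1b2@mail.example",
     "registrant_phone": "+1.5550100", "created": "2018-05-01"},
    {"domain": "account-verify-now.example", "registrant_email": "a1b2@mail.example",
     "registrant_phone": "+1.5550199", "created": "2018-05-03"},
    {"domain": "invoice-portal-pay.example", "registrant_email": "zz9@mail.example",
     "registrant_phone": "+1.5550199", "created": "2018-05-10"},
    {"domain": "city-library.example", "registrant_email": "admin@city-library.example",
     "registrant_phone": "+1.5550777", "created": "2009-02-14"},
    {"domain": "privacy-shop.example", "registrant_email": "REDACTED FOR PRIVACY",
     "registrant_phone": "REDACTED FOR PRIVACY", "created": "2018-05-12"},
]

PIVOT_FIELDS = ("registrant_email", "registrant_phone")
REDACTED = {"", "REDACTED FOR PRIVACY", "DATA REDACTED"}  # assumed redaction markers


def usable(value):
    """A pivot value is usable only if it is neither empty nor a redaction marker.

    Treating a redaction marker as a real value would link every
    privacy-protected domain together, producing exactly the over-blocking
    of legitimate private registrants that Barlow warns about.
    """
    return value is not None and value.strip().upper() not in REDACTED


def build_index(records, fields=PIVOT_FIELDS):
    """Map (field, value) -> set of domains sharing that registrant attribute."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            value = rec.get(field)
            if usable(value):
                index[(field, value.strip().lower())].add(rec["domain"])
    return index


def expand_block(seed_domains, records, fields=PIVOT_FIELDS):
    """Transitive closure: every domain reachable from the seeds via shared attributes.

    A registrant may reuse the email on one batch and the phone on another, so
    the walk continues until no new domain is linked.
    """
    index = build_index(records, fields)
    by_domain = {rec["domain"]: rec for rec in records}
    flagged = set(seed_domains)
    queue = deque(seed_domains)
    while queue:
        domain = queue.popleft()
        rec = by_domain.get(domain)
        if rec is None:
            continue  # seed not in our Whois snapshot; nothing to pivot on
        for field in fields:
            value = rec.get(field)
            if not usable(value):
                continue
            for linked in index[(field, value.strip().lower())]:
                if linked not in flagged:
                    flagged.add(linked)
                    queue.append(linked)
    return flagged


def newly_registered(records, today, max_age_days=90):
    """Domains created within max_age_days of `today` (an ISO date string).

    This is the fallback once registrant data is redacted: young domains get
    watched for the "park it, age it, then flip it malicious" pattern.
    """
    ref = date.fromisoformat(today)
    young = [rec["domain"] for rec in records
             if (ref - date.fromisoformat(rec["created"])).days <= max_age_days]
    return sorted(young)


if __name__ == "__main__":
    print("blocked via registrant pivot:",
          sorted(expand_block({"secure-login-update.example"}, WHOIS)))
    print("newly registered (watch list):", newly_registered(WHOIS, "2018-05-18"))
```

With full Whois data, one seed domain pulls in the two others that share its email or phone, while the unrelated library domain stays clean. Seed the redacted record instead and the pivot returns only the seed: that collapse is the loss of efficacy the article is about, and the age-based watch list is what remains.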

Categories: Cyber Risk News

US Lacks Policy to Address, Deter Cybercrime

Thu, 05/17/2018 - 15:10
US Lacks Policy to Address, Deter Cybercrime

Key stakeholders in government and private-industry experts gathered today in Washington D.C. to talk with Bloomberg News investigative reporter Michael Riley about The Future of Cybersecurity: Risk and Resilience Across Critical Infrastructure.

The discussion was also streamed live and included a panel of four cybersecurity experts who weighed in on the government's role in protecting private industry from cyber-attacks. Alarmingly, most of the discussion confirmed a high level of distrust for the government. Members of the private sector don't feel the government would protect them if they were attacked.

Scott Goodhart, VP and CISO, AES Corporation, said that much can be done to improve information sharing, particularly since most of the intelligence that is collected is information that people wouldn't understand. "I need indicators of compromise in order to take action," Goodhart said.

"In our sector, we are strong with sharing information with each other. There's a level of trust there," Goodhart said. However, in a regulated industry, sharing is less frequent because people don't want regulators on their backs.

The problem, said renowned cybersecurity expert, Niloofar Razi Howe, is that there is an authority and capability mismatch. "The Department of Homeland Security (DHS) has the authority, but the Department of Defense (DOD) and the National Security Agency (NSA) have the capability. That creates issues with communicating in real time."

Lack of a coordinator, clarity, policy and strategy contribute to this fissure between the public and private sectors, especially when it comes to things that only a government can do.

"Deterrence policy is unique to the government," said Razi Howe. Short of policies that deter any type of cyber malfeasance, organizations can't protect themselves. Not only is the US without deterrence policies, but panel members agreed there is no real comprehensive conversation about what the current administration is doing in its cybersecurity strategy.

Daniel Ennis, head of threat intelligence, BlueVoyant, though, does have trust that the government is doing something. "There is a great deal of planning and activity that occurs that is not transparent to people in the public. I don't want folks to think that the government is not trying to deter," Ennis said.

Still, there is confusion about who is in charge, and the elimination of the cybersecurity coordinator position did little to clarify that confusion. Ennis did say that the "divisiveness downtown is not helping. Now we have to come together and collaborate. We need to enjoin to form a centralized management and engage the public in a way that they understand the threat."

Categories: Cyber Risk News