Info Security


EU Parliament Approves Controversial Copyright Law

Wed, 03/27/2019 - 10:09

The European Parliament approved major new changes to EU-wide copyright laws which critics claim could lead to de facto mass censorship of online content.

Tech giants like Google and Amazon have been mobilizing their users for months to protest ahead of the vote, but in the end the Copyright in the Digital Single Market directive was voted in by 348 MEPs to 274.

Most controversial is Article 13, which requires sites and internet platforms to filter any user-generated content that is uploaded without permission, or else be held liable for infringement. Although platforms already scan for unlicensed content, the article places a greater liability on them for doing so.

While artists have claimed that the new law will help protect their content from infringement, advocates of internet freedom argue that it could amount to backdoor censorship of the web — although memes and use of copyrighted content for parody are excluded.

Also hotly contested was Article 11, which demands that news aggregators and search engines pay to feature links from news sites on their pages.

As it currently stands, the law will only cause more confusion, not least because — as a directive and not a regulation — member states will be given greater latitude to interpret it when transposing into local law.

This could cause a great deal of inconsistency across the EU, argued the Electronic Frontier Foundation’s international director, Danny O’Brien.

“It’s unclear who is supposed to impose consistency in the EU between, say, a harsh French regime and a potentially softer German solution, or interpret the Directive’s notoriously incoherent text,” he wrote.

This could mean it falls to the courts to decide, with rights holders on one side and internet companies on the other.

“But there’s also opportunities for the courts to rein in the directive — or even throw out its worst articles entirely,” O’Brien added.

“One key paradox at the heart of the directive will have to be resolved very soon. Article 13 is meant to be compatible with the older E-Commerce Directive, which explicitly forbids any requirement to proactively monitor for IP enforcement (a provision that was upheld and strengthened by the ECJ in 2011). Any law mandating filters could be challenged to settle this inconsistency.”

Google also pointed to potential “legal uncertainty” and claimed the law will “hurt Europe’s creative and digital economies.”

The directive is now likely to gain approval when the European Council meets later this month, unless any member states change their minds.

Categories: Cyber Risk News

So Long and Farewell: Dream Market Says Goodbye

Tue, 03/26/2019 - 18:28

Cyber-criminals have long relied on the Dark Web’s largest marketplace, Dream Market, to buy and sell illicit goods, but today threat researchers at IntSights and Flashpoint found that the notorious online store is scheduled to shut down on April 30, 2019.

On March 26, multiple threat actors posted on the DNM Avengers forum after purportedly receiving messages stating that Dream Market would shut down at the end of April, according to Evelyn French, senior analyst, Flashpoint.

“A threat actor operating under the alias nigafawefawg stated that they received the following message, allegedly on Dream Market: ‘This market is shutting down on 04/30/2019 and is transferring its services to a partner company, onion address: weroidj*********.onion (currently offline, opening soon),’” French said.

“Other threat actors commenting in the same thread reported receiving similar notification messages, while some threat actors denied receiving the notifications,” French continued. Flashpoint is also monitoring similar discussions on numerous other marketplaces and forums, including Empire Market Forum, Wall Street Market Forum, Pirate Ship, and Italian Deep Web.

Whether the closure is being driven by law enforcement, by fatigue on the market itself, or by founders simply trying to reinvent and start fresh, “the closure of Dream Market will be a big hit to the dark web economy, as Dream Market holds more than 65,000 listings of digital goods, including hacked databases, hacking tutorials, hacking tools, malicious software and almost 90,000 listings of different drugs,” said Ariel Ainhoren, head of the cyber threat research team, IntSights.

“A lot of dark web users started talking about drawing their balance from the site and vendors started talking about moving their business to other known markets, such as Wall Street and Berlusconi markets, but it is too early to tell what the effect of this announcement will be.”

As the message was released to all market users, it seems that the owner or owners of the forum want to cash out in an orderly fashion. Though there has been some speculation that law enforcement is a driving force in the shutdown, Ainhoren said it seems less probable that law enforcement would issue this type of announcement.

“A couple of weeks ago two very known forums named Kickass and Torum went down after a threat actor named the Thedarkoverlord (9/11 papers) posted that he can be contacted on these forums. His activity drew a lot of fire and attention from law enforcement to these forums, and they suffered repeated attacks by unknown attackers until they were taken down. It could be that the targeting of these forums rang the bell for Dream Market operators to take their gains from six years of operation and close shop,” Ainhoren said.

Categories: Cyber Risk News

Georgians Ask House for Study on Cyber-Bullying Law

Tue, 03/26/2019 - 16:19

Georgia residents today gave testimony before a House committee in support of HR 553, which would create a House study committee on cyber-bullying.

Meanwhile, a new cyber-bullying law will go into effect in the state of Michigan on March 27, 2019. In advance of the new law taking effect, Livingston County Sheriff's office deputy Bill Schuster spoke to parents about keeping kids safe online via a video shared on Detroit Free Press.

Ben Halpert, founder of Savvy Cyber Kids, told his state representatives, “Those wishing to cause our children harm now have more effective ways of doing so. The smartphone, any internet-enabled device, has taken the front door off our homes and invited in threats to our children.

“Thanks to iPhones, Android phones, and other technology, the bullied child is not only tormented at school, but also through their device, whether it is a school-issued Chromebook or their personal tablets, smartphones, computers or gaming systems.”

Halpert, who visits schools across the country to talk to students and staff about cybersecurity and online safety, said that before his presentations he issues students an anonymous poll asking what their biggest issue is with social media.

“It is always bullying,” Halpert wrote in his testimony.

“According to the Georgia Department of Education Georgia Student Health Survey, THOUSANDS of students are cyberbullied DAILY in our state through social media. But this is not just a student issue. Adults are targets of bullying and cyberbullying as well. We need to do more for the citizens of Georgia by studying the potential for legislation that addresses cyberbullying.”

Titania Jordan, chief parenting officer of Bark, also testified before the House committee. “Our technology has analyzed more than a billion messages, and our findings are harrowing. In 2018 alone, based on Bark data, over 60% of tweens and 70% of teens experienced cyberbullying, whether as a bully, a victim, or a witness,” Jordan's testimony read.

“And frankly, the term itself – cyberbullying – feels a little cutesy. What it really is? Online harassment, verbal abuse, threats, and even extortion.”

In support of her assertion that the House committee needs to take action, Jordan added, “The onus is on us as parents, communities, and governments, to address the proliferation of cyberbullying and its subsequent effects on our children. We ask that the House see the imperative need to start a subcommittee to confront cyberbullying.”

Categories: Cyber Risk News

Telecom Fraud Scams on the Rise

Tue, 03/26/2019 - 15:40

From the EU to Texas, law enforcement and security professionals are warning that the telecom threat landscape is evolving as fraudsters leverage telecom infrastructure to conduct network-based fraud attacks, according to multiple sources.

Infosecurity reported that, according to the Cyber-Telecom Crime Report 2019 published by Europol and Trend Micro, telecoms fraud costs the industry and end customers over €29bn ($33bn) each year. The report found that the evolution from switchboard operators to packet-switched networks and circuit-switched networks in telecommunications has broadened the telecom threat landscape. As a result, criminals are supplanting traditional financial crimes with telecom fraud.

While the report found that telecom fraud is increasingly originating from developing nations or failed economies, multiple media outlets across the US have warned of scam calls that are making their way around the country.

In both Ector County, Texas, and Middlesex County, Massachusetts, the sheriffs’ offices warned residents about a call scam that claims to be originating from the sheriff’s office. An audio clip tells the recipient that they failed to report to jury duty and must resolve this matter with urgency.

“Nationwide, these scammers are attempting to use the criminal justice system and the threat of arrest as a tool to frighten people into paying large sums of money,” Middlesex Sheriff Peter J. Koutoujian told 7 News. “We want residents to be aware of these scams and these tactics in order to better protect themselves.”

Likewise, the state of Washington has also seen a rise in these phone scams, and reporter David Rasbach of the Bellingham Herald warned: “Scammers often try to disguise their identities by spoofing the information that appears in your call identification display and trick you into answering. They use local area codes, numbers that may look familiar or even impersonate a legitimate business, utility or government agency.”

Categories: Cyber Risk News

Most Security Pros Are Impacted by Geopolitics

Tue, 03/26/2019 - 13:48

Two-thirds of cybersecurity professionals have been forced to change where and with whom they do business because of escalating concerns around nation-state attacks, according to Tripwire.

The security vendor polled 218 security professionals at the RSA Conference in San Francisco recently and found that geopolitical trends are exerting a surprisingly big influence on their roles.

It reflects an age in which technology providers like Huawei are being branded a security risk because of their links to hostile states, while state-sponsored attackers target both government and private sector organizations to steal sensitive information and cause disruption.

"It’s becoming clear that simply stating ‘we’re not a target’ isn’t a sufficient defense against these attacks. The interconnectedness of the modern economy means that our mental model of what constitutes critical infrastructure has become outdated," Tripwire VP of strategy, Tim Erlin, told Infosecurity.

"Most companies do better with predictability and stability, and this is true of physical as well as logical infrastructure. If you can’t count on the network within a specific country, your business will be adversely impacted. Additionally, if those business relationships are likely to make you a target for cyber-attacks, your business will be adversely impacted."

The impact of geopolitics on cybersecurity professionals is only set to increase: 87% claimed that nation-state attacks would increase ahead of geopolitical events in 2019, while over three-quarters (79%) said they are more concerned about state-sponsored cyber activity this year.

Nearly half (48%) of those polled said they believe cybersecurity implications are not taken into serious consideration when geopolitical decisions are made. A further 66% said governments are neglecting cyber versus other elements of national security.

It’s long been the UK government’s aim to make the nation the safest place in the world in which to do business online. That suggests at least that its leaders understand the importance of security at a national level.

However, its National Cyber Security Programme has been hamstrung by poor planning and management, according to the National Audit Office (NAO).

A report produced by the agency earlier this month claimed that the lack of an initial business case meant there was no way to assess whether the £1.9bn of funding was sufficient to meet its 12 strategic objectives.

What’s more, it failed to develop a “robust performance framework” soon enough, meaning that there’s still not enough evidence to prioritize funding on the objectives likely to deliver “the biggest impact, address the greatest needs and deliver best value for money.”

Categories: Cyber Risk News

#Infosec19: Skills Shortages Are Exposing Firms to Cyber Risk

Tue, 03/26/2019 - 11:01

Over half (52%) of IT and security professionals believe that cybersecurity skills shortages are putting their business at an increased risk of attack, according to a new poll from Infosecurity Europe.

Now in its 24th year, Europe's leading cybersecurity show asked over 9,700 of its Twitter followers, as well as its community of CISOs, a series of questions on skills challenges.

The biggest barrier to recruiting was seen as a lack of available talent, according to nearly a third (30%) of respondents. This was followed by lack of recruitment budget (27%) and lack of interest in careers within the sector (26%).

As a result, nearly half (46%) said they have found it difficult to encourage new talent into the sector.

This chimes with current estimates from (ISC)2 that claim the industry is experiencing a shortfall of 2.9 million professionals, including 142,000 in EMEA. A separate report claims the number could rise to 3.5 million by 2021.

“There are shortages of technical skills, particularly in SOC analysis, threat intelligence, research, incident response and forensic investigation,” said Paul McKay, senior analyst at Forrester Research, and a speaker at Infosecurity Europe 2019.

“This is a result of difficulty in filling entry level roles, and keeping people interested once they’re there. At the top end, boards want CISOs to improve how they articulate business risk and manage the dynamics of how security can enhance the business strategy and vision. This requires commercial acumen and the so-called ‘soft skills’ — actually the hardest to master.”

Lisa Hamilton, Deloitte’s cybersecurity associate director, claimed that encouraging greater diversity would help to tackle these challenges.

“To do this, we need to be open-minded when sourcing talent, focusing less on prerequisites and more on behaviors, characteristics and enthusiasm,” she argued.

Infosecurity Europe will take place at London Olympia from June 4-6. Also at the show, security expert and HaveIBeenPwned? founder Troy Hunt will be this year’s Hall of Fame inductee.

Categories: Cyber Risk News

Over One Million Asus Users Backdoored in Sophisticated APT

Tue, 03/26/2019 - 10:25

Security experts have uncovered a sophisticated new APT campaign which may have infected more than one million Asus users via a backdoored utility.

Kaspersky Lab revealed that the group behind Operation ShadowHammer focused their efforts on a supply chain attack of the sort seen in recent years affecting legitimate software from CCleaner and ShadowPad.

They targeted the Asus Live Update Utility, which is virtually ubiquitous among newer models from the Asian computer giant. Trojanized versions of the utility were signed with legitimate certificates and distributed from official Asus servers, allowing them to remain undetected.

However, while the initial backdoor may have been unwittingly installed over a million times, the hackers were actually after a much smaller group of targets. Only several hundred users received a second-stage malware download, and only after the backdoor had checked their MAC address against a hardcoded list.

In total, Kaspersky Lab said it was able to identify 600 MAC addresses targeted by over 230 unique backdoored samples with different shellcodes.

Three other computer vendors in Asia have been targeted in a similar manner, and subsequently notified by the Russian AV firm. It believes a China-related APT group behind the Winnti backdoor is the prime suspect.

“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base. It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack,” said Vitaly Kamluk, Kaspersky’s APAC director of the global research and analysis team.

“However, techniques used to achieve unauthorized code execution, as well as other discovered artifacts suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays."

Categories: Cyber Risk News

Privacy a Top Concern in 'Biometric Exit'

Mon, 03/25/2019 - 16:27

Despite bipartisan concerns over privacy, most airlines reportedly support the use of facial recognition, and the US Customs and Border Patrol (CBP) has implemented facial recognition in 17 international airports, including Atlanta, New York City, Boston, San Jose, Chicago, and two airports in Houston, according to American Military News.

Largely controversial because of privacy concerns, the facial recognition program will reportedly be in place across the country's top 20 airports by 2020, according to documents obtained earlier this month by BuzzFeed News.

Intended to supplant the long-existing, time-consuming process of paper checking, the use of a cloud-based facial biometric matching service is touted as more secure and efficient. "CBP is solving a security challenge by adding a convenience for travelers. By partnering with airports and airlines to provide a secure stand-alone system that works quickly and reliably, which they will integrate into their boarding process, CBP does not have to rebuild everything from the ground up as we drive innovation across the travel experience,” a CBP spokesperson told American Military News.

At the forefront of the opposition is the Electronic Privacy Information Center (EPIC), which said that under the Biometric Exit program "CBP would create exit records for passengers and retain them in CBP's Advance Passenger Information System ("APIS"). CBP officers would take a photo of the passenger and match it to a photo in the flight-specific galleries in the Automated Targeting System ("ATS") consisting of compilations of photos from the Automated Biometric Identification System ("IDENT"), the Department of State's Consolidated Consular Database, and U.S. Citizen and Immigration Service's Computer Linked Adjudication Information Management System ("CLAIM 3").

"Photos of U.S. citizens could be retained until their identities were confirmed, and the photos of non-U.S. citizens could be retained for up to fifteen years in the DVS system in ATS."

While supporters point to enhanced passenger convenience through the use of biometrics, it is not only EPIC that has raised some privacy concerns. "Convenience versus privacy will be one of the biggest issues that the US will grapple with over the next few years," said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

"For airports, sporting events and brick-and-mortar stores, facial recognition would be convenient and easy to move people through at a faster pace. Facial recognition combined with passive biometrics can provide a quick and easy way of identifying people. However, transparency of the process, how data is stored and removed and what it is being used for are all procedures that will have to be hammered out to protect people’s privacy.”

Categories: Cyber Risk News

Orgs Grapple with Pros and Cons of Remote Workers

Mon, 03/25/2019 - 15:28

Despite the growing number of employees that work remotely, security professionals fear that remote workers pose risks to the enterprise, according to a new study published by OpenVPN.

An overwhelming majority (90%) of survey respondents said that remote workers are a security risk to the organization, according to the report Remote Work Is the Future – But Is Your Organization Ready for It? The report’s findings are based on a survey of 250 IT leaders, from the manager level through the C-suite.

Still, 92% of respondents agreed that the benefits of remote work outweigh the security risks. “For employees, it provides greater efficiency and lower stress levels: 82% of telecommuters reported less stress and 30% said it allowed them to accomplish more work in less time,” the report said. In addition, companies reportedly save an average of $11,000 per year per remote employee.

Despite the fact that 93% of organizations have a remote work security policy in place and 90% of organizations offer security training for remote workers, more than a third (36%) of companies have experienced a security incident due to a remote worker. That more than one in three organizations have suffered a security incident because of a remote worker is somewhat alarming when considering that nearly 70% of employees globally now work remotely at least once a week, the report said.

Of those who have suffered a security incident, 68% experienced it within the last year, yet the survey shows that nearly a quarter of organizations (24%) haven’t updated their remote work security policy in the same time frame.

While less than half (49%) of IT leaders said they only somewhat agreed that remote employees adhere to the organization’s remote work policies, the results vary with the role of the respondent. “Executives are particularly concerned about the risk remote workers pose, as nearly three-quarters (73 percent) of VP and C-suite IT leaders believe remote workers pose a greater risk than onsite employees, compared to 48 percent of IT managers and 45 percent of IT directors,” the study found.

Categories: Cyber Risk News

Medtronic Flaws Could Let Hackers Control Devices

Mon, 03/25/2019 - 14:45

Life-saving medical devices are vulnerable to attacks that could leave them under the control of a hacker, according to security alerts from both the Department of Homeland Security (DHS) and the US Food & Drug Administration (FDA).

The FDA’s March 21 security alert warned caregivers and patients who use Medtronic cardiac implantable cardioverter defibrillators (ICDs) or cardiac resynchronization therapy defibrillators (CRT-Ds) to treat patients with heart failure or rhythm problems that a critical security vulnerability in the devices exists because they do not use encryption, authentication or authorization.

“The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.”

If the vulnerabilities were exploited, criminals could use radio communications to take control of the medical devices while the devices are inside a person. According to Medical Advisory ICSMA-19-080-01, an attacker would need to have an RF device, such as a monitor, programmer, or software-defined radio, that is “capable of transmitting or receiving Conexus telemetry communication…[and in] adjacent short-range access to the affected products.” Additionally, the RF functionality would need to be active.

“Medical device manufacturers who aren’t engaging in real security or, in this case, even basic security practices, should probably have their FDA approvals revoked,” said HackerOne's head of IT Aaron Zander.

“Unlike a kids' toy or a car where a recall is as simple as sending something back in the mail or driving it back to the dealership, an embedded device, one literally embedded in you, isn’t meant to come out and be replaced regularly. The surgery to replace this with a ‘better’ or ‘safer’ version in itself is dangerous and comes with life-threatening repercussions. On top of that, not everyone had a choice on which type of device they would receive. People didn’t spend months hunting for the ‘perfect pacemaker with all the features,’” Zander said.

“It’s what the hospital and their doctors thought was right at the moment the patient needed it. Not every piece of hardware can be upgraded to have its software handle more secure communications, and we’re seeing the side effects. The fact that there are more stringent controls on the software that doctors use to send each other instant messages than there are on the software that goes into a pacemaker shows that the medical device field needs to advance in terms of both regulation and security. The repercussions of not acting now are deadly.”

Categories: Cyber Risk News

US Government Leaks PII of 2m+ Disaster Survivors

Mon, 03/25/2019 - 11:10

A US government agency responsible for disaster relief has accidentally leaked the personal data of millions of disaster survivors to a third-party contractor, it has revealed.

The Federal Emergency Management Agency (FEMA) sits within the Department of Homeland Security to help US citizens before, during and after disasters.

It announced on Friday that the privacy leak affected the personally identifiable information (PII) of disaster survivors using the Transitional Sheltering Assistance program.

The agency admitted that it “provided more information than was necessary” to the contractor, potentially exposing those details to the risk of loss or theft by malicious third-parties and insiders.

It claimed not to have found any evidence so far of this data being compromised.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” the statement continued.

“FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”

According to reports, 2.3 million disaster survivors were affected, including victims of hurricanes Harvey, Irma and Maria and the 2017 California wildfires.

Personal details shared with the contractor apparently included home addresses and bank account information.

The news is particularly embarrassing for the DHS, given its lead role in coordinating cybersecurity efforts across federal government departments.

The department was slammed by government inspectors back in May 2018, after they found it did not practice what it preached in terms of risk management.

Specifically, 64 systems “lacked valid authority to operate, and components did not remediate security weaknesses” in a timely manner, according to the DHS Office of Inspector General (OIG).

Categories: Cyber Risk News

Most UK Retailers See Increase in Cyber-Attacks

Mon, 03/25/2019 - 10:38

The majority of UK retailers are seeing an increase in cyber-attacks, prompting them to spend more on security, according to the latest survey from the British Retail Consortium (BRC).

The industry body’s 2019 Retail Crime Survey covers the period of April 2017 to March 2018 and includes the responses of retailers which generate a third of the market’s total revenue.

It found that almost 80% of respondents had seen an increase in cyber-attacks, with spending on cybersecurity rising by 17% since the previous annual report to reach around £162m for the industry last year.

Phishing was viewed as a high-risk cybercrime by the largest share of respondents (80%), followed by data theft (50%). Denial of service, whaling and web-based attacks were each cited by between 40% and 50% of respondents.

Clare Gardiner, director of engagement at the National Cyber Security Centre (NCSC), lauded the GCHQ body’s outreach efforts, which have resulted in a jointly produced BRC Cyber Security Toolkit.

“Cyber-attacks can have a huge impact, but to help potential victims pro-actively defend themselves we have published a range of easy-to-implement guidance on our website,” she added.

“Organizations can also share threat intelligence in a confidential way through the NCSC’s online Cyber Information Sharing Partnership (CiSP), which increases awareness to dangers and reduces the impact on UK businesses.”

Retailers are a major target for cyber-criminals as they often store large volumes of customer PII and financial data, and customers can also be a lucrative target for follow-on fraud.

Some 60% of European retailers claimed to have seen an increase in fraud from 2017 to 2018, according to a report from Adyen last November.

Most recently, retailers have also had to combat another menace: digital skimming code injected into their payment pages, designed to covertly lift card details as customers enter them.

Groups using this Magecart code have compromised hundreds of e-commerce sites, possibly more.

In the US, point-of-sale (PoS) malware is still the biggest cyber-threat for retailers as EMV migration continues to lag, according to a 2018 Trustwave report.

Categories: Cyber Risk News

Europol: Telecoms Fraud Costs €29bn Annually

Mon, 03/25/2019 - 10:01

Telecoms fraud costs the industry and end customers over €29bn ($33bn) each year, according to a new report from Europol and Trend Micro.

In their detailed 57-page Cyber Telecom Crime Report 2019, the two organizations claimed that crime in the sector is increasingly seen as a low-risk alternative to traditional financial crime.

Crucially, the anti-money laundering controls that prevent bulk cybercrime in the finance sector are absent in telecoms, where SIM cards rather than traditional banking instruments are used to move value.

The report highlighted failed states as a growing perpetrator of this cross-border crime, using it to top-up government coffers.

“The drivers of this simultaneous awakening are the reduced cost and increased availability of telecom equipment capable of hacking inter-carrier trust, the availability of information on the topic, and the flattening (homogenization) of telecom deployments in 4G,” it continued.

“These drivers will continue in 5G, and be further multiplied by the effect of the nested tiers of automation (and attack effect amplification) contained in the core cost-reducing design drivers of 5G architecture.”

International Revenue Sharing Fraud (IRSF) is perhaps the best known and longest-running form of phone fraud. This often involves the use of premium rate phone numbers under the control of the fraudster, which victims are tricked into calling, thereby generating revenue for them.

One technique for doing so is the “wangiri” scam popular in Japan, where fraudsters call a victim and hang up after one ring, encouraging them to call the number back.

IRSF “chaining” can also be used to launder money across multiple jurisdictions and telecoms providers, the report claimed.

Vishing was highlighted as a popular tactic, but because it requires more skill and carrier knowledge to execute, it is reserved mainly for harvesting high-value resources such as card details and access to the victim’s phone and/or bank account.

The report’s authors encouraged telecoms providers to engage with Europol’s EC3 CyTel working group to share intelligence, resources and training in combating what is a major transnational form of cybercrime.

Categories: Cyber Risk News

Virtualized Calls a Top Threat for ATO Attacks

Fri, 03/22/2019 - 17:47

According to the 2019 State of the Call Center Authentication report from TRUSTID, a Neustar company, one of the most exploited areas in a company’s security chain is the call center.

Companies may be investing more in their cybersecurity defenses, but fraudsters are evolving their tactics. They have discovered that by targeting call centers they can easily obtain personally identifiable information (PII), which is likely one reason the report found that call center professionals are increasingly targeted by fraudsters using social engineering to take over (ATO) customer accounts.

In fact, 51% of respondents working in the financial services industry identified the phone channel as the top threat for ATOs. Within that channel, spoofed calls (32%) lagged behind criminal activity arriving through virtualized calls, which 40% of respondents said they had seen more of this year.

“Virtualization (e.g., web-based calling services (Skype), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX) is the biggest threat vector to call centers today. The calls are authentic, unique and legitimate. Their signaling data and call certificates are correct and will pass by technology designed to detect spoofing attempts,” the report said.

“Virtualization frees criminals from the need to imitate specific callers’ numbers. They just have to reach an agent from a number that is legitimate but unrelated to a customer’s record.”

An overwhelming majority (72%) of call center representatives believe that if calls were authenticated before being answered, the number of ATO attacks could be reduced without affecting the customer’s experience.

“Our data also suggest that they are eager for change. 46% of call center leaders were ‘very’ or ‘somewhat’ dissatisfied with their current caller authentication method(s), a 50% increase since 2018.”

When survey results were compared year-over-year, the number of companies planning to implement multi-factor authentication had doubled. “As more breached personal information enables more account takeover through the phone channel in the year ahead, we expect more call center leaders to advocate for a completely new multi-factor authentication strategy.”

Categories: Cyber Risk News

New Variant of AZORult Trojan Written in C++

Fri, 03/22/2019 - 17:18

After analyzing several previously unknown malicious files that were detected earlier this month, Kaspersky Lab determined the files were a new version of a data stealer known as the AZORult Trojan. Because the files are written in C++, and not Delphi, researchers have dubbed the variant AZORult++.

According to researchers, this latest version is potentially more dangerous than earlier variants. In addition to amassing data, including credentials, browser history and cookies, and sending it to command-and-control (C&C) servers, AZORult++ can also establish a remote desktop connection by creating a new user account and discreetly adding it to the Administrators group.

The data stealer is reportedly used most often to target victims in Russia and India, according to analysis. “AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing,” wrote Kaspersky Lab’s Alexander Eremin.

AZORult++ lacks loader functionality and cannot steal saved passwords. Although the C++ version is deficient compared with its predecessors, it shares some of the same signatures as the Delphi-based version.

“Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3,” Eremin wrote.

“Despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop,” Eremin said.

Because the variant has undergone several changes to functionality, researchers believe the data stealer is still in development and expect its functionality to expand, along with attempts to widen its distribution.
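A 3-byte repeating XOR of the kind described above is weak enough that an analyst can recover the key from a captured C2 upload alone, without the sample in hand. The Python below is an added example, not Kaspersky’s code or the malware’s: it scores each key position by how much the decoded column looks like text (stolen data of this kind is key=value text), recovers the key, and decodes the blob. `SAMPLE_KEY` and the victim report are constructed for the demo and are not the real AZORult key or real traffic.

```python
"""Recover a short repeating-key XOR key from a captured C2 upload.

Added example: the key and the 'stolen data' below are constructed for the
demo and are not the real AZORult key or real traffic.
"""
from typing import Tuple


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _byte_score(b: int) -> int:
    """How plausible a decoded byte is for text-based exfiltration data."""
    if b == 0x20:                                       # space: most common text byte
        return 3
    if 0x61 <= b <= 0x7A or 0x41 <= b <= 0x5A:          # letters
        return 2
    if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D):    # other printable
        return 1
    return -100                                         # control/high bytes: wrong key


def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """Solve each key position independently.

    Bytes at offsets pos, pos+key_len, pos+2*key_len, ... were all XORed with
    the same key byte, so the key byte whose decode of that column scores
    highest is almost certainly the right one.
    """
    key = bytearray()
    for pos in range(key_len):
        column = ciphertext[pos::key_len]
        best = max(range(256),
                   key=lambda k: sum(_byte_score(c ^ k) for c in column))
        key.append(best)
    return bytes(key)


def decode_beacon(ciphertext: bytes, key_len: int = 3) -> Tuple[bytes, bytes]:
    """Return (recovered key, decoded plaintext) for a captured upload."""
    key = recover_key(ciphertext, key_len)
    return key, xor_repeat(ciphertext, key)


# Constructed victim report in the key=value style stealers typically use.
PLAINTEXT = (
    b"id=9f3a azorult demo sample\n"
    b"os=windows 10 pro x64 user=analyst lang=en-us\n"
    b"browser=chrome cookies=184 history=3021 wallets=none\n"
    b"note=constructed victim report used to demonstrate the repeating xor decoder\n"
    b"note=nothing here came from a real infection\n"
)
SAMPLE_KEY = b"\x2f\x8a\xd1"                  # constructed; not the real key
CAPTURED = xor_repeat(PLAINTEXT, SAMPLE_KEY)  # stands in for a pcap-extracted POST body

if __name__ == "__main__":
    key, text = decode_beacon(CAPTURED)
    print("recovered key:", key.hex())
    print(text.decode())
```

The column-scoring approach is generic: it works for any short repeating key as long as the plaintext is mostly printable text, which is why a fixed 3-byte key that reappears across versions is a detection gift rather than protection. With a real capture, feed the raw POST body to `decode_beacon` and try `key_len` values of 1 to 8 if 3 does not yield readable output.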

Categories: Cyber Risk News

Zero-Day WordPress Plugin Exploited in the Wild

Fri, 03/22/2019 - 16:43

A WordPress zero-day in the Easy WP SMTP plugin is actively being exploited in the wild, according to NinTechNet.

The plugin allows WordPress site owners to configure and send outgoing email through an SMTP server, which helps keep messages out of recipients’ junk folders. By exploiting what is categorized as a critical vulnerability, attackers reportedly gained administrative access and were able to alter content on WordPress websites.

In the proof-of-concept (PoC), NinTechNet researcher Jerome Bruandet said he used “swpsmtp_import_settings to upload a file that will contain a malicious serialized payload that will enable users registration (users_can_register) and set the user default role (default_role) to 'administrator' in the database.”
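The PoC quoted above works because the settings import accepts an attacker-supplied PHP-serialized array and, as the quoted description implies, ends up writing the keys it contains into the WordPress options table. The Python below is an added example, not the plugin’s or NinTechNet’s code: a strict unserializer that refuses PHP objects (so no gadget chains ride along), an import audit that rejects any key that is a WordPress core option or falls outside the plugin’s own allowlist, and a post-compromise check for the state this payload leaves behind. `PLUGIN_KEYS` is a placeholder allowlist, not the plugin’s real option names, and the two blobs are constructed for the demo.

```python
"""Audit a PHP-serialized settings import before anything reaches update_option().

Added example; PLUGIN_KEYS is a placeholder, not Easy WP SMTP's real option
names, and the sample blobs are constructed for the demo.
"""
from typing import Any, FrozenSet, List, Tuple

# WordPress core options that no plugin settings import should ever write.
CORE_OPTIONS = frozenset({
    "users_can_register", "default_role", "admin_email",
    "siteurl", "home", "active_plugins",
})

# Placeholder allowlist of the keys the plugin legitimately owns (assumption).
PLUGIN_KEYS = frozenset({"swpsmtp_options"})


def _parse(buf: bytes, i: int) -> Tuple[Any, int]:
    """Parse one PHP-serialized value at offset i; return (value, next offset)."""
    t = buf[i:i + 1]
    if t == b"N":                                   # N;
        if buf[i + 1:i + 2] != b";":
            raise ValueError("malformed null")
        return None, i + 2
    if t in (b"i", b"b", b"d"):                     # i:123;  b:1;  d:1.5;
        end = buf.index(b";", i)
        raw = buf[i + 2:end]
        if t == b"i":
            return int(raw), end + 1
        if t == b"b":
            return raw == b"1", end + 1
        return float(raw), end + 1
    if t == b"s":                                   # s:5:"hello";
        colon = buf.index(b":", i + 2)
        n = int(buf[i + 2:colon])
        start = colon + 2                           # skip :"
        s = buf[start:start + n]
        if len(s) != n or buf[start + n:start + n + 2] != b'";':
            raise ValueError("malformed string")
        return s.decode("utf-8", "surrogateescape"), start + n + 2
    if t == b"a":                                   # a:2:{key;value;key;value;}
        colon = buf.index(b":", i + 2)
        n = int(buf[i + 2:colon])
        j = colon + 2                               # skip :{
        out = {}
        for _ in range(n):
            k, j = _parse(buf, j)
            v, j = _parse(buf, j)
            out[k] = v
        if buf[j:j + 1] != b"}":
            raise ValueError("malformed array")
        return out, j + 1
    if t in (b"O", b"C"):                           # objects: never accept from users
        raise ValueError("object payloads are refused")
    raise ValueError(f"unsupported type at offset {i}")


def php_unserialize(blob: bytes) -> Any:
    """Strict unserialize for the scalar/array subset; objects are rejected."""
    value, end = _parse(blob, 0)
    if end != len(blob):
        raise ValueError("trailing data after value")
    return value


def audit_import(blob: bytes, allowed: FrozenSet[str] = PLUGIN_KEYS) -> List[str]:
    """Return findings; an empty list means the import may be applied."""
    try:
        settings = php_unserialize(blob)
    except ValueError as exc:
        return [f"rejected: {exc}"]
    if not isinstance(settings, dict):
        return ["rejected: top-level value is not an array"]
    findings = []
    for key in settings:
        if not isinstance(key, str):
            findings.append(f"rejected: non-string key {key!r}")
        elif key in CORE_OPTIONS:
            findings.append(f"core option {key!r} must not be set by a plugin import")
        elif key not in allowed:
            findings.append(f"unknown key {key!r} outside the plugin allowlist")
    return findings


def open_admin_registration(options: dict) -> bool:
    """Post-compromise indicator: anyone who registers becomes an administrator."""
    return (options.get("users_can_register") in (1, "1")
            and options.get("default_role") == "administrator")


# Constructed sample blobs (not captured from a real attack).
BENIGN = b'a:1:{s:15:"swpsmtp_options";a:1:{s:9:"from_name";s:4:"Site";}}'
MALICIOUS = (b'a:2:{s:18:"users_can_register";s:1:"1";'
             b's:12:"default_role";s:13:"administrator";}')

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, audit_import(blob) or "ok")
```

The allowlist is the part that matters: an import routine that only ever writes keys it owns cannot be turned into a generic option-writer, whatever the serialized payload contains. `open_admin_registration` is the check to run against the live option values of a site that was exposed, since a patched plugin does not undo an earlier change to `default_role`.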

With the largest market share of any content management system (CMS), WordPress is used by one-third of all websites, according to Web Technology Surveys (W3Techs).

“Because of its sheer dominance in the CMS space along with the presence of many WordPress plugins, WordPress sites are a ripe target for cyber-criminals. In this case, the Easy WP SMTP plugin has over 300,000 active installations and despite the availability of a patch for it, there are reports that attackers continue to target sites running the vulnerable plugin,” said Satnam Narang, senior research engineer at Tenable.

“The vulnerability exists in version 1.3.9 of the plugin, so users running older versions of the plugin are not vulnerable. However, all users, especially those using 1.3.9, should update to the latest version of the plugin, 1.3.9.1, as soon as possible."

This latest exploit also underlines the importance of vetting plugins to ensure they are up to date and perform only authorized tasks, according to Brandon Chen, digital security and operations manager of The Media Trust.

“Removing them when they’re no longer needed [is] part of protecting users from identity and financial theft. Each plugin represents at least a few attack surfaces, because the code that enables the plugin to function is coming from at least one vendor, who is likely bringing in outsourced code. Every plugin you introduce into your digital environment introduces third parties you may or may not know – and chances are, you don’t know most of them.”

Categories: Cyber Risk News

UK E-commerce Fraud Soars 27% in 2018

Fri, 03/22/2019 - 12:05

UK e-commerce fraud hit nearly £400m in 2018, accounting for the vast majority (78%) of all card-not-present (CNP) fraud and fueled by an ongoing epidemic of data breaches and social engineering, according to UK Finance.

The banking industry group’s annual roundup, Fraud the Facts 2019, found that the £393m of e-commerce fraud amounted to 59% of total card fraud and represented a 27% increase on 2017.

“Data compromise, including through data hacks at third parties such as retailers, is a major driver of these fraud losses, with criminals using the stolen card details to make purchases online,” the report noted.

“There were several high-profile data breaches occurring in 2018, with significant brands affected, alongside a number of lower-level incidents. The data stolen from a breach can be used for months or even years after the incident. Criminals also use the publicity around data breaches as an opportunity to trick people into revealing financial information.”

UK Finance also attributed the increase to phishing emails and scam text messages, as well as social media scams advertising the sale of discounted ‘goods.’

“When a customer goes to buy the product, the criminal uses their card details to purchase the item from a legitimate source and then keeps the payment from the customer,” it claimed.

CNP fraud, which includes phone and mail order as well as internet-based scams, accounted for 76% of total card fraud losses last year, versus 61% in 2009. It rose 24% from 2017 to top £506m, with over two million cases recorded, a 47% increase on 2017.

Authorized push payment (APP) scams are also growing fast: they soared 90% in volume and 50% in value to reach £354m in losses last year, although this could be partly down to more UK Finance members reporting APP fraud.

“Criminals’ use of social engineering tactics through deception and impersonation scams is a key driver of authorized push payment scams,” the report claimed.

“Typically, this involves the criminal posing as a genuine individual or organization and contacting the victim using a range of methods including via the telephone, email and text message. Criminals also use social media to approach victims, using adverts for goods and investments which never materialize once the payment has been made.”

APP fraud also hit businesses, which accounted for nearly 36% of total losses.

Categories: Cyber Risk News

Researchers Raise Privacy Alarm Over Medicine Apps

Fri, 03/22/2019 - 11:09

Researchers have raised serious privacy concerns over medical apps in the Google Play store after finding that the majority share user data with third parties.

Published in The BMJ this week, the study, led by University of Toronto researchers, identified 24 top-rated “medicines related” apps on the Android marketplace in the UK, US, Canada and Australia.

They simulated real-world use of the apps in the lab via four dummy scripts.

“To identify privacy leaks, one source of user data was modified and deviations in the resulting traffic observed,” the research explained.

The paper found that 79% of the apps studied shared user data, with 55 unique entities receiving it. Nearly two-thirds of these entities (67%) “related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.”

A further third (33%) of these entities provided cloud and other IT infrastructure services.

The paper warned that the functionality gained from these apps may not be enough to compensate for the privacy lost by users.

“Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” it concluded.

“Privacy regulation should emphasize the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.”

Tripwire director of security research and development, Lamar Bailey, argued that data collected by health apps could also be at risk of theft by cyber-criminals.

“Although it is well known and documented that apps use customers’ data as a currency, it is particularly troubling when that data includes sensitive information such as medical records and health metrics,” he added.

“It is paramount that these apps clearly state in their registration process if they plan to divulge their customers’ information to third parties, so that subscribers are able to opt out. All too often these terms on usage are buried in the user agreement and the only way to opt out is to not use the app."

Categories: Cyber Risk News
