Info Security


Cisco Rushes Out 25 Patches for Wireless Vulnerabilities

Thu, 07/19/2018 - 09:44

Cisco has advised users of its Policy Suite that it has discovered vulnerabilities, which allow remote attackers to access different features of the solution.

The company's Policy Suite provides a framework for building rules that can be used to enforce business logic against policy enforcement points such as network routers and packet data gateways. It is mainly used by wireless and mobile organisations.

According to Cisco, the vulnerability is due to a lack of authentication, meaning an attacker could gain access to existing repositories, make changes to them and create new ones. Furthermore, a vulnerability in the Cluster Manager could allow a remote attacker to log into an affected system using the root account, which has default, static user credentials. An exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.

Cisco has also pushed out patches for its SD-WAN, with seven high-rated advisories, and its VPN subsystem. For the SD-WAN solution, there is a file overwrite and a denial-of-service vulnerability.

The vulnerability affects releases prior to Release 18.2.0, with no workarounds that can address it. The tech giant has released free software updates that address the vulnerability, with its security incident response team believing that there has not been any malicious use.

The previous week the company announced other vulnerabilities, including in the web-based user interface of the Cisco IP Phone 6800, 7800 and 8800 Series.

Categories: Cyber Risk News

US Retail Weak in Encryption, Security Practices

Wed, 07/18/2018 - 12:47

A large majority of US retailers have experienced a breach, a rate that, according to the 2018 Thales Data Threat Report, exceeds the global average. The report found that 75% of retailers have experienced a breach in the past year, compared to 52% in 2017.

US retail lags behind the global average when it comes to implementing encryption, with only 26% of retailers reporting that they have begun implementation. Still, retail is more inclined to store sensitive data in the cloud as widespread digital transformation is under way, with 95% of retail organizations expected to use sensitive data in an advanced technology environment, such as cloud, internet of things (IoT) and containers. More than half of respondents said they believe sensitive data is currently being used in these environments without the proper security protocols.

“This year’s significant increase in data breach rates should be a wake-up call for all retail organizations. Digital transformation is well under way and the business benefits of the cloud, big data, IoT and mobile payment technologies are compelling and fueling widespread adoption,” Peter Galvin, chief strategy officer, Thales eSecurity, said in a press release.

“However, with the flow of sensitive data through all of these disparate platforms and technologies, the attack surface increases exponentially and with it the risk of a data breach.”

The report found that in 2018, retail data breaches more than doubled, from 19% in 2017 to 50% this year, making retail the second-highest vertical to experience a data breach in the last year, ahead of healthcare and financial services and only slightly behind the U.S. federal government. 

“These increases come as no surprise to retailers. While nearly 95% of retailers acknowledge vulnerability to data breaches, now almost half recognize they are extremely vulnerable. This is an increase of 30% from the previous year,” said Garrett Bekker, principal analyst for information security at 451 Research.

Even though 84% of retailers plan to increase IT security spending, the report indicates that their spending plans don’t correlate with the most effective defenses.

“While this trend can be partially attributed to US retailers aggressively pursuing a multi-cloud strategy, these organizations continue, year after year, to spend on the same security solutions that worked for them previously. With increasingly porous networks and expanding use of external resources (SaaS, PaaS and IaaS most especially), traditional endpoint and network security are no longer sufficient to protect sensitive data,” said Bekker.

Federal Agencies Struggle with DMARC Compliance

Wed, 07/18/2018 - 12:17

According to new research from Proofpoint, the majority of federal agencies are behind schedule when it comes to complying with the Department of Homeland Security's (DHS) Binding Operational Directive (BOD) 18-01. With less than 90 days remaining for agencies to secure their email systems, some agencies have not started their Domain-based Message Authentication, Reporting & Conformance (DMARC) email authentication compliance journey for any of their domains, according to the research.

Email authentication, when deployed, can prevent spoofing for the trusted domains of federal agencies that are in compliance, but a lot of work goes into implementing and enforcing DMARC. Federal agencies run the risk of blocking legitimate email, and DHS’s aggressive timelines have created a lot of work for agencies that are trying to be compliant.

Proofpoint’s research found that 28% of agencies have not yet begun to move toward DMARC compliance. Based on this finding, it is unlikely that all agencies will reach DMARC compliance for each of their domains by the October 2018 deadline – given that this deadline is only a few short months away, the research concluded.

Of the agencies that have started DMARC compliance, about 72% are working on their implementation project themselves and gathering DMARC data, and only 19% of agencies have engaged a vendor to help them implement email authentication. Agencies are delayed in complying with the deadline, and, according to Rob Holmes, VP of email security, Proofpoint, what is going on behind the scenes is making compliance slower than anticipated.

“We anticipate there is a gap in compliance as BOD 18-01 was issued with little advance notice and without a reserved budget," said Holmes. "Without having previously budgeted to become compliant within the DHS’s deadlines, many agencies have tried to work within the internal resources they have available.”

Federal agencies have been charged with many different pieces in their overall security portfolios, and DMARC authentication, though critical, is only one of those.

“A small percentage of agencies have blind DMARC deployments and are not gathering any data at all,” Holmes said. “Of the total domains included in the directive, 36% have already achieved the one-year compliance standard of publishing a valid SPF record and a valid DMARC record with a 'reject' policy. A further 22% have satisfied the January 2018 standard of publishing a DMARC with a 'monitor' policy but have more work to do, while 42% are not even compliant with the January milestone, due to SPF and/or DMARC gaps.”
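As an added illustration of the two milestones quoted above (example code, not Proofpoint's or DHS's), the following Python classifies a domain's SPF and DMARC TXT records as meeting the January 2018 "monitor" standard, the one-year "reject" standard, or neither, and tallies a constructed domain inventory the way the report's percentages are quoted. The inventory, the domain names and the treatment of a pct= tag below 100 as not yet at full reject are assumptions made for this example.

```python
"""Classify SPF/DMARC TXT records against the BOD 18-01 milestones.

Added example (not Proofpoint's or DHS's code). Records are passed in as
strings so the script runs offline; in practice they come from DNS TXT
lookups of <domain> and _dmarc.<domain>.
"""
import re

# An explicit 'all' mechanism (e.g. -all, ~all) somewhere in the SPF record.
SPF_ALL = re.compile(r"(?:^|\s)[-~+?]?all(?:\s|$)")
DMARC_POLICIES = ("none", "quarantine", "reject")


def spf_is_valid(record):
    """Minimal SPF sanity check: must start with v=spf1 and carry an 'all'
    mechanism. A record with no 'all' is treated as a gap here (assumption
    for this example: unlisted senders are never explicitly failed).
    Real validation would also enforce the ten-DNS-lookup limit."""
    if record is None:
        return False
    text = record.strip().lower()
    return text.startswith("v=spf1") and SPF_ALL.search(text) is not None


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a dict of tags.
    Returns None unless the record is a DMARC1 record with a valid p= tag."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in DMARC_POLICIES:
        return None
    return tags


def bod_18_01_level(spf_record, dmarc_record):
    """Return the milestone a domain meets:
      'reject'       - valid SPF + DMARC p=reject (one-year standard)
      'monitor'      - valid SPF + any valid DMARC record (January 2018 standard)
      'noncompliant' - SPF and/or DMARC gap
    A p=reject record with pct below 100 only rejects a sample of failing
    mail, so it is counted as 'monitor' (assumption made for this example)."""
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None or not spf_is_valid(spf_record):
        return "noncompliant"
    try:
        pct = int(dmarc.get("pct", "100"))
    except ValueError:
        pct = 0
    if dmarc["p"].lower() == "reject" and pct >= 100:
        return "reject"
    return "monitor"


def summarize(inventory):
    """Percentage of domains at each milestone, rounded to whole numbers
    like the figures quoted in the report."""
    counts = {"reject": 0, "monitor": 0, "noncompliant": 0}
    for spf, dmarc in inventory.values():
        counts[bod_18_01_level(spf, dmarc)] += 1
    total = len(inventory) or 1
    return {level: round(100 * n / total) for level, n in counts.items()}


# Constructed inventory of (SPF record, DMARC record) per domain; None = no record.
SAMPLE_INVENTORY = {
    "a.example.gov": ("v=spf1 include:_spf.example.gov -all",
                      "v=DMARC1; p=reject; rua=mailto:dmarc@a.example.gov"),
    "b.example.gov": ("v=spf1 ip4:192.0.2.0/24 -all",
                      "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@b.example.gov"),
    "c.example.gov": ("v=spf1 -all",
                      "v=DMARC1; p=none; rua=mailto:dmarc@c.example.gov"),
    "d.example.gov": ("v=spf1 include:_spf.example.gov ~all",
                      "v=DMARC1; p=reject; pct=50"),
    "e.example.gov": (None, "v=DMARC1; p=reject"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_INVENTORY.items():
        print(f"{domain:16} {bod_18_01_level(spf, dmarc)}")
    print(summarize(SAMPLE_INVENTORY))
```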

Web Forums, Social Media Targets for Credentials

Wed, 07/18/2018 - 11:52

Web forums were the greatest targets for credential spills during 2017, which saw more than 2.3 billion credentials from 51 different organizations reportedly stolen, according to a new report from Shape Security. Of those 51 different organizations, companies providing online services contributed the largest number of compromised credentials, with over 2 billion credential spills. In total, the criminal enterprise is costing US businesses over $5bn a year.

The report, released today, studied the life cycle of stolen credentials, taking a holistic, behind-the-scenes look at the extent to which credentials can be monetized and weaponized long after a breach occurs. Because web forums serve as hyper-specialized communities of online users, they tend to have lower membership and thus a smaller collection of credentials. “However, they are easy targets for credential spills because many are volunteer-run and lack a corporate security or IT function," the report stated. While web forums were found to be the most frequently targeted, they are not actually the source of the greatest number of spills.

“Social media sites were typically responsible for the largest spills. This makes sense because those organizations rely on a network effect to succeed, so they are likely to have the largest user bases,” the report said.

While the report found the frequency of credential spills remained consistent for two years, the average size of spills in 2017 was lower than in 2016. “Additionally, over the course of two years, spills have been reported on a very regular basis; in 2017, the longest gap between reports was 31 days,” it said.

On average, there’s a 15-month window between credentials being compromised and the breach, during which time criminals carry out their most damaging credential stuffing attacks. Credential stuffing attacks make up from 58% to 90% of login traffic, depending on the industry. According to the report, the US consumer banking industry suffers almost $50m potential losses each day due to credential stuffing attacks.

In the banking industry alone, credential stuffing attacks cost an average of $1.7bn annually. In the e-commerce industry, the average cost jumped to $6bn annually. Over time, though, the value of the stolen credentials decreases. As more people have access to those credentials, they fall out of favor for criminals.

Millions of Health Records at Risk Following LabCorp Suspected Breach

Wed, 07/18/2018 - 11:12

LabCorp, a healthcare diagnostics company, has shut down its systems after a suspected network breach, which could have put millions of health records at risk. 

In a report to the United States Securities and Exchange Commission, the company announced that during the weekend of July 14 2018 it had detected suspicious activity on its IT network and immediately took specific systems offline. The company said that the suspicious activity had been detected only on LabCorp Diagnostics systems, and that "there was no indication that it affected systems used by Covance Drug Development."

LabCorp provides diagnostic, drug development and technology-enabled solutions for more than 115 million patients per year, according to its website. It typically processes tests on more than 2.5 million patient specimens per week and supports clinical trial activity in around 100 countries. It has over 1900 patient service centers in the US. 

The filing itself does not go into detail as to which systems might have been affected, but concerns over patient data are justified. In August 2017, the NHS suffered a data breach in which 1.2 million patient names were exposed, and another breach resulted in 655,000 patient records from three hacked healthcare providers being sold.

According to Healthcare IT News, in June 2018 LabCorp won a court battle over an alleged HIPAA violation, in which it was accused of not providing enough privacy protection at its Providence Hospital computer intake system. LabCorp argued that an individual can't bring a lawsuit under HIPAA and filed a motion to dismiss. The judge agreed.

HIPAA has also published that there have been 2181 healthcare data breaches since 2009, the largest being Anthem Inc. which had 78.8 million records stolen from a database hack.  

"We take it for granted that doctors and medical professionals will have complete access to our health profiles and background... however the very nature of this access, and the vast amount of information held within the healthcare industry, make it a prime and profitable target for criminals," wrote Suzanne Widup, senior analyst, Verizon Security, back in March 2018. "Knowing which security threats are out there, and what steps to take to proactively prevent security incidents is vital if personal healthcare information is to be kept safe."

While it has not been confirmed by LabCorp who is behind the suspected attack, Verizon's 2018 Protected Health Information Data Breach Report highlighted that healthcare was the only industry in which internal actors were the biggest threat to an organisation, driven by financial gain or looking up personal records of celebrities.

US Vote-Counting Computers Had Flaw, Allowed Hackers Access

Wed, 07/18/2018 - 10:18

In the US, vote-counting computers used in government elections contained a security vulnerability which could have been used to affect election results. The systems, which were sold by Elections Systems & Software (ES&S), contained remote-access software and were sold between 2000 and 2006, with some machines still being used as late as 2011. 

Election-management systems are not voting terminals - they are in county election offices and contain software that in some counties is used to program all the voting machines used in the county. The systems also tabulate final results from voting machines. 

According to a report by Motherboard, in a letter sent to Senator Ron Wyden (D-Oregon), which came to light on July 17 2018, the company admitted that it had "provided pcAnywhere remote connection software to a small number of customers between 2000 and 2006." The article goes on to say that in February 2018 ES&S had originally denied installing the software on any of the election systems it sold, stating: "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software." The company's machines were used in a number of states, and at least 60% of ballots cast in the US in 2006 were counted on the systems.

This news comes alongside the continuing investigations into suspected Russian meddling in the 2016 US presidential elections. On July 14 2018 deputy attorney general Rod Rosenstein announced that 12 individuals had been charged as part of the investigation.

During 2006, hackers stole the source code for the pcAnywhere software, which wasn't made public knowledge until 2012 when a hacker posted some of the code online. This forced Symantec, the distributor of the software, to admit it had been stolen. Security researchers also found a vulnerability in the software that would allow an attacker to seize control of a system, without the need to authenticate with a password. Researchers at Rapid7 also conducted research and found that 150,000 online computers were configured to allow direct access to hackers.  

Alarmingly, pcAnywhere was still being used in 2011 by Venango County, Pennsylvania, and it has not been clear whether the security flaws were patched or if there could have been more vulnerabilities. According to Motherboard, ES&S wrote in its letter to Wyden that it would be willing to meet privately in his office to discuss election security, but when the company was asked to attend a hearing on election security last week before the Senate Committee on Rules and Administration, ES&S declined to send anyone to answer Senate questions.

Wyden said he’s still waiting for ES&S to respond to the outstanding questions he sent the company in March. “ES&S needs to stop stonewalling and provide a full, honest accounting of equipment that could be vulnerable to remote attacks,” he told Motherboard. “When a corporation that makes half of America’s voting machines refuses to answer the most basic cybersecurity questions, you have to ask what it is hiding.”

GDPR Fueling Rise of PII Theft, Cryptomining Plateauing

Wed, 07/18/2018 - 09:33

Scammers are increasingly targeting Personally Identifiable Information (PII), turning away from bitcoin scams and putting resources behind traditional technology support scams.

According to Malwarebytes's Cybercrime tactics and techniques: Q2 2018 report, the new General Data Protection Regulation (GDPR) could be fueling this increase in PII theft, as the information could be more valuable on the black market. The company observed that a victim had allowed a phishing scammer entry into their computer, which resulted in stolen email credentials. 

The report also noted that public awareness of phone scams has risen, with potential victims being more vigilant. However, scammers still try to filter down to unsuspecting victims using tactics such as calling so as to route straight to voicemail and request a callback, hanging up on victims who aren't entirely convinced, and requiring a small upfront payment before the scam proceeds.

"Because of the new policies ushered in by the EU’s GDPR in late May, organizations will only have a limited time to hold onto PIIs of their customers, making it more valuable to criminals," said the report. "This means we may see an uptick in data-stealing threats, from spyware and info stealers to keyloggers and good old-fashioned phishing scams."

Interestingly, Malwarebytes found that cryptomining detections were declining, but were still dominating the threat landscape for both businesses and consumers. The report explains that many criminals are not getting the return on investment from cryptomining they were expecting, and cryptomining activity is expected to stabilise as it follows market trends in cryptocurrency.

Enterprise systems remain vulnerable to cryptomining, with detections every month fluctuating throughout 2018: "By Q3, we may be able to identify an ongoing trend and/or campaign trying to spread these tools," said the report. "More than likely, though, we'll see a decline in business detections as we head into Q3, which has already been observed on the consumer side." 

Android cryptominers also saw a decline from Q1, with May seeing a 16% drop from the previous month. There were 244% more miner detections than in Q1. 

GDPR Hurts Security but Publicity Might Help

Tue, 07/17/2018 - 13:15

A survey of 900 security professionals conducted by AlienVault at Infosecurity Europe found that spending on GDPR compliance efforts has hindered threat detection but cybersecurity publicity might actually benefit the industry. Additionally, the survey reflected the strong belief that cybersecurity is becoming entrenched in politics.

Of the professionals that participated in the survey, 51% said the additional resources their organization is spending on GDPR compliance take vital resources away from detecting threats.

In addition, the report noted that not all security publicity is bad. An overwhelming majority (84%) of respondents said that the increased cyber-threat publicity has been very useful. Without offering reasons as to how all of the press coverage is useful, the report stated, “It is likely that large public breaches raise awareness for the need of cybersecurity.”

A majority (56%) believe cybersecurity has become a political pawn, with only 17% disagreeing with that perception. “It’s easy to see why many professionals feel this way. Encryption, in particular, finds itself at the forefront of many discussions, polarizing opinion as to whether or not law enforcement should have ‘back doors’ or other means of accessing communication to crack down on crime,” the report stated.

Cloud security threats will be the most concerning external threat moving forward, followed by distributed denial-of-service (DDoS) attacks and the international threat landscape, including threats of nation-state attacks.

Phishing is the most concerning internal threat, with 55% of respondents expressing concern that their organization will fall victim to a phishing attack. Ransomware came in a close second, with 45% of participants ranking it as the most concerning internal threat.

Respondents were asked to select their top threat concerns. More than a quarter (29%) of respondents worry about a shortage of skilled staff, and 27% are concerned about nonmalicious insider mistakes. Less than a quarter (23%) of security professionals fear social media threats.

“The human element of phishing is what makes it attractive to attackers and [a] concern for security departments. No single control can defend against a phishing attack, and ultimately, humans make mistakes. In fact, human error can be traced back to the root cause of many breaches,” the report stated.

AlienVault said user awareness and education are important but don’t go far enough in preparing for these types of attacks. To fortify their overall security posture, companies should create a layered defense comprising people, technology and process, according to the report.

Government, Finance Will See Increased Attacks

Tue, 07/17/2018 - 11:50

The number of cyber incidents saw a 32% jump in the first quarter of 2018 compared to the same period in 2017, according to a new report from Positive Technologies. According to the report, hackers are motivated by data theft, and malware attacks have spiked 75% since Q1 2017.

“Attackers are planning to either use these credentials in future attacks or profit by selling this information on the black market,” Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said in today’s press release.

According to the report, individuals were the primary victims of malware, which was used in five out of six attacks, often in combination with social engineering and exploitation of web vulnerabilities. 

Next to individuals, at 28%, government is the second-highest sector targeted by attacks, accounting for 16% of total attacks. Healthcare was at 8%, finance at 7% and IT at 5%.

Spyware, which grants an attacker access to sensitive internal information and allows hackers to collect personal data and account credentials, was the most commonly used type of malware. The report also noted the factors that contribute to an attacker successfully accessing sensitive information with malware, which include a lack of antivirus protection and end user error, such as clicking on malicious links and downloading infected files.

In addition, cryptocurrency miners, such as WannaMine and RubyMiner, were used in nearly one quarter (23%) of malware attacks. “Our research shows that 63% of attacks included use of malware. Spyware, in particular, is used most often because it allows obtaining not only personal information and corporate secrets but credentials for the services and systems needed to attack internal corporate infrastructure,” Galloway said.

Positive Technologies predicts that the number of unique cyber-attacks will continue to escalate, with attackers homing in on existing attack vectors against government and finance targets. Phishing campaigns using SANNY spyware against government targets were often detected as the source of malware placed on government infrastructure.

Still, finance and banking are the most frequent victims of cyber-attacks.

Lost Devices on TfL Network Raise Data Breach Risk

Tue, 07/17/2018 - 11:04

Over 26,000 mobile devices and laptops were lost on the Transport for London (TfL) network between April 2017 and April 2018, raising serious questions about threats individual devices pose to company data security, says think tank Parliament Street.

Through a Freedom of Information (FOI) request, the think tank discovered that 26,272 devices were lost and handed in to TfL lost property, with Apple devices taking the top spot followed by Samsung and Lenovo. An independent study by Centrify suggests that in the UK, younger employees are the "main culprits" for data security breaches in the workplace.

Responding to the research, Robert Coleman, UKI CTO, CA Technologies said: "With businesses investing heavily in purchasing and developing growing volumes of applications to improve employee productivity, the security threat posed by lost and stolen devices has increased dramatically.

"Nobody can prevent mobiles and tablets from being misplaced, but companies can ensure that the applications which reside on these devices are only accessible by the correct privileged users so that fraudsters cannot exploit them as a backdoor into the business."

Mobile working and the security of data still continue to concern enterprises. In a report by Apricorn, nearly one in five organizations (18%) suggested their mobile workers didn't care about security, with a third of them experiencing a data loss as a direct result of mobile working.

Parliament Street's report recommends that businesses implement an identity verification strategy for every employee, increase training and "scrap trust" as a strategy: "With cyber-attacks rapidly on the rise, a healthy paranoia is a positive force for change within the organization."

Ojas Rege, chief strategy officer, MobileIron said that two new developments could help organizations in this area: “Biometrics, like fingerprint and facial recognition, provide an easy and more secure way for individuals to access their mobile devices and apps. Machine learning takes data inputs from devices, networks, and apps to constantly monitor and identify evolving threats of which the user is almost never aware.”

Telefonica Calls Authorities after Massive Breach

Tue, 07/17/2018 - 11:02

The Netherlands-based Telecompaper reported that Telefonica, a top-10 telecom vendor based in Spain that delivers telecom services across more than 20 countries, was hit by a major security breach. Personal customer data of millions of its clients was possibly exposed in the breach. The company reportedly said the flaw was fixed and that the breach was reported to the authorities.

Information exposed by the breach was reported to have included customers' fixed-line and mobile numbers, their full names, national ID numbers, home addresses, banks and call and data records.

Though the company does not yet know the full extent of the breach, the data exposed in the security breach reportedly could be downloaded by a hacker. “Surprisingly, the Telefonica customer data was easily downloadable as an unencrypted spreadsheet,” said Pravin Kothari, founder and CEO of CipherCloud.

“Moral of the story? Cyber-attackers will get into any network sooner or later. End-to-end encryption would have provided safe harbor for Telefonica if they used it to protect the data. With encryption there would be no breach to report under GDPR as stolen encrypted data would be unusable,” said Kothari.

With GDPR in effect, Telefonica must now comply with the notification and follow-up mandates. “This sort of data exposure is why so many organizations who transact with customers online – from the banking and finance sector to e-com and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioral analytics,” said Ryan Wilk, vice president of customer success, NuData Security, a Mastercard company.

“In doing so, they’re shifting from 'let's make our company a bunker for everyone' to 'let's leave the bunker for risky users only.' They do so by using technology that doesn't rely on data that could have been exposed in a breach, thus preventing post-breach damage. Passive biometrics technology cannot be mimicked by hackers and helps break the chain of perpetual fraud that grows whenever customer data is breached and stolen,” said Wilk.

Reprise Software Refuses to Patch RLM Issue

Tue, 07/17/2018 - 09:50

Reprise Software has refused to patch a vulnerability in its Reprise License Manager (RLM) which has been flagged by SpiderLabs at Trustwave.

Discovered by security consultant Adrian Pruteanu, the issue arises because RLM's web server, which runs on the non-standard port 5054, does not require authentication by default. Attackers can specify an arbitrary license file on the server to read and modify, which could result in information leakage or remote code execution via upload of malware.

Pruteanu said: "During a recent penetration engagement, I came across a particularly interesting web application called RLM, running on the non-standard port 5054. This naturally caught my eye. After a bit of poking around, I was able to identify a critical vulnerability which allowed me to execute code on the server, eventually leading to full domain compromise.

"Regrettably, despite my best efforts, the vendor has refused to issue patches as they do not believe these findings to be vulnerabilities," he continued.

In its response to Trustwave, Reprise wrote: "We tell end users not to run the RLM server - which implements the web server - in privileged mode. There is no reason it needs to run with elevated privileges. The license and options file editors in the web interface are no more dangerous than Notepad or Wordpad."

The vulnerability was flagged to Reprise on May 16 2018, with the vendor discontinuing communication on May 29.

"Security holes are rarely made up of isolated vulnerabilities," said Eerke Boiten, professor of cybersecurity, De Montfort University, Leicester. "In this case it appears to be an administrative web interface that doesn’t authenticate properly, combined with a server running with too high privileges, and one or more unnamed vulnerabilities that allow this to be exploited to the level of full code execution.

"Responsible behavior would be to fix each element of this, not to just change the user manual to ensure that anyone who has a recent copy of it will not make a dangerous mistake."

Russia Publishes Only 10% of CVEs

Tue, 07/17/2018 - 09:01

(Figure: Russian vulnerabilities published by year)

A report by Recorded Future has found that Russia's vulnerability database, while highly focused, is incomplete and slow, and only publishes 10% of known vulnerabilities.

Run by the Federal Service for Technical and Export Control of Russia (FSTEC), a military organization, the vulnerability database, also known as BDU, has published only 11,036 vulnerabilities of the 107,901 Common Vulnerabilities and Exposures (CVEs) reported by NVD (approximately 10%). FSTEC populates the BDU database with vulnerabilities that primarily present a threat to Russian state information systems. This gives researchers information on which technologies, hardware and software are used on Russian government networks.

The report highlights that FSTEC didn't start publishing vulnerability data until 2014, roughly 15 years after the US NVD was established, but still covered 25% of the CVEs from years before the database was started. Furthermore, among the vulnerabilities that FSTEC published the fastest, 75% were vulnerabilities for browsers or industrial control-related software.

(Figure: Percentage of vendor CVEs covered by FSTEC)

Interestingly, when it comes to monitoring vendors and technologies, Recorded Future found that Russia focused on Adobe more than any other vendor, covering nearly half of all its vulnerabilities. However, of the vulnerabilities that were not published, 386 had a CVSS score of 10, and 871 had a score greater than eight.

Over the course of the past year, Recorded Future also examined the publication speeds, missions and utility of the NVDs of two countries: China and the US. It found that Russia was on average 83 days slower than China to publish vulnerabilities, and 50 days slower than the US.

"As the research demonstrates, FSTEC broadly publishes only about 10% of known vulnerabilities," Priscilla Moriuchi and Dr Bill Ladd wrote. "The larger question is, 'Why?' Why waste resources on a vulnerability disclosure database that does not address 90% of vulnerabilities for its users?

"There are three likely hypotheses," they went on to say. "FSTEC is vastly under-resourced and can only focus on key technologies for Russian users; FSTEC is a military organization and is publishing 'just enough' content to be credible as a national vulnerability database, or the FSTEC has a dual offensive and information security mission and publishes based on the competing needs. This would be similar to how China’s NVD (CNNVD) functions."

Categories: Cyber Risk News

From National Security to Cybersecurity

Mon, 07/16/2018 - 11:54
From National Security to Cybersecurity

In an effort to address the growing skills gap in the cybersecurity industry, a team of former Royal Marines Commandos has launched a business providing free cybersecurity training, accredited qualifications and careers for ex-service members looking for a path back to civilian life while maintaining their roles as security defenders.

Crucial Academy offers accredited training courses covering both offensive and defensive cybersecurity, information assurance and threat intelligence. The courses, developed by former military personnel, include a module that gives students real-world experience, but unlike graduates of other training providers, Crucial Academy graduates will reportedly begin their new careers free of debt.

The course developers have themselves made successful transitions to notable cybersecurity and financial technology companies, and they bring that experience to Crucial Academy's offerings at what it describes as a state-of-the-art training facility in Brighton, England.

The first cohort began its courses at the end of June and completed its work last week, and the next cohort is slated to begin soon. In order to take the courses, candidates must first undergo a rigorous selection process that assures they are the proper match for the training.

“I was proud to serve my country and I wanted to give something back to the military for all the skills and experiences the Marines gave me, and I know my colleagues feel the same,” Crucial Group’s chief executive and former Royal Marine Commando Captain Neil Williams said in a press release.

“People who have spent time in the forces have an incredible work ethic, resilience and a security-driven mindset that makes many very well suited to a career in cybersecurity," Williams continued. "Following my experience of leaving the forces, I know that the transition can be very challenging. We’re pleased to be able to help give them a pathway into a successful career – and in a sector where they can make such a difference.”

After successful completion of the training, qualified Crucial Academy candidates are introduced to a cybersecurity career with one of the academy’s commercial partners, an additional offering that also benefits businesses by helping them to meet their growing demand for qualified cybersecurity personnel. According to a 2016 skills gap analysis from ISACA, there will be an estimated global shortage of 2 million cybersecurity professionals by 2019.

“The other benefit to our model of course is that it also helps businesses future-proof their recruitment and growth plans by providing a pipeline of trained cybersecurity professionals,” Williams said.

Categories: Cyber Risk News

Russia Fends Off 25 Million Cyber-Attacks During World Cup

Mon, 07/16/2018 - 11:35
Russia Fends Off 25 Million Cyber-Attacks During World Cup

Russia prevented nearly 25 million cyber-attacks and other criminal acts during the football World Cup, according to the Kremlin. The Moscow Times reported that Russian President Vladimir Putin praised the work of the country's security forces, along with international cooperation, for ensuring a safe tournament.

“I expect that your close and constructive interaction will continue and will contribute to ensuring the security of our states and our citizens in the future,” Putin was cited as saying.

Ahead of the World Cup, a cooperation center staffed by law enforcement officers from 34 countries was opened to monitor potential fan violence. Facilitating coordination between officers from 32 countries - those which qualified for the tournament - the center hosted at least six British police officers, and the hosts of the next World Cup 2022, Qatar.

A survey conducted by Lastline at Infosecurity Europe 2018 found that 72% of security professionals believed an attack was likely during the World Cup, given that attacking high-profile international events is a growing trend among cyber-criminals.

During the World Cup, many organisations have come forward warning of potential risks to attending and non-attending fans. Researchers from McAfee warned fans to be wary of malicious apps and phishing emails created to specifically target football supporters. According to the alert issued last week: "Some fans have looked to the “Golden Cup” app to stream data and records from past and present games, not knowing that cybercriminals have also used the app to install spyware on devices of unsuspecting fans.

"This threat campaign, called Android/FoulGoal.A, looks like a typical sporting app with general information and background around the games. However, in the background and without user consent, the app silently transfers information to cybercriminals, including victims’ phone numbers, installed apps, device model, and manufacturer, available internal storage capacity, and more."

It has also been reported that around 100 Israeli military individuals fell victim to a honeypot attack that came in the form of a malicious World Cup score tracking app and two fake online dating apps. They were available on Google Play.

David Grout, Southern Europe Technical Director, FireEye, said that while the numbers quoted by President Putin are high, they are not unexpected: "Vladimir Putin’s statement that government security services have thwarted 25 million cyber-attacks linked to the FIFA World Cup may seem like a surprisingly high number, but not necessarily for those who work in the field. Every major event, whether sporting, political or otherwise, is likely to attract cyber attacks. The 2018 World Cup is no exception. Before the competition had even started there was evidence of phishing attacks.

"This included phishing attacks that started several weeks before the tournament and carried on throughout," he explained. "These campaigns use several levers such as low-cost ticket offers, the chance to win a trip to Russia, promotions for items related to the World Cup (national team jerseys, mugs featuring players etc). The main goal in this type of attack is to recover your banking information and force you to go through with the transaction to get the card number information, expiration date and also CCV.

"There were also risks from state-sponsored groups attempting to destabilise the IT and EO infrastructure used during the World Cup. Historically we’ve seen an acceleration of attacks and leaks of information trying to discredit the actions of an organisation tied to an event, the most notorious example being the APT28 campaign against the world anti-doping agency (WADA)."

Categories: Cyber Risk News

Russia Indictments Reminder of Phishing Threats

Mon, 07/16/2018 - 11:24
Russia Indictments Reminder of Phishing Threats

In the aftermath of the 13 July announcement that the Mueller investigation indicted 12 Russian military officials, Americans have debated everything from the legitimacy of the investigation to the consequences of the election interference, but Sen. Rand Paul (Ky.) told CNN, “We should now spend our time protecting ourselves instead of having this sort of witch hunt on the president. I think we need to be done with this and start actually protecting our elections from foreign countries."

Experts in the cybersecurity industry agree, noting that the indictments serve as a reminder that US national and election security remain vulnerable to threats from phishing campaigns. As local, state and federal officials take another look at their election security infrastructure prior to the 2018 midterms, email security must sit atop the priority list, according to founder and CEO of IRONSCALES Eyal Benishti.

“Any forthcoming phishing mitigation strategy must prioritize humans and machines working together to not just identify threats, but to remediate them and share the attack intelligence with other government and elections organizations in real time," said Benishti. "The consequences of keeping the status quo intact with email security and phishing mitigation are too severe to ignore."

Despite President Trump’s tweet that the investigation is a “rigged witch hunt,” security commentators tend to agree with Sen. Paul. According to Jonathan Reiber, Illumio's head of cybersecurity strategy and former chief strategy officer for cyber policy in the Office of the Secretary of Defense, the new indictment does two main things. 

“First, with its detailed breakdown of the GRU’s hacking tactics and capabilities, it shows how dangerous the Russians are and how important it is for everyone to stay vigilant, verify information sources and invest in cybersecurity capabilities to prevent breaches from occurring and spreading," said Reiber.

“In play-by-play granular detail, the indictment shows how Russia hacked key US political personnel and amplified that stolen data to the Nth degree through DCLeaks (a Russian front organization), social media and contact with specific persons. The tactical take-away is clear: breaches will happen and organizations need to invest in capabilities to stop intruders in their tracks,” he said.

Spear-phishing attacks remain pervasive and have the potential to wreak havoc on local, state and national elections. “This attack vector can be weaponized to impact international affairs, take down critical infrastructure or steal important intelligence,” said Cofense CTO and co-founder Aaron Higbee.

“Additionally, recent news demonstrates that threat actors are continually using clever phishing techniques to bypass next-generation perimeter technologies, as seen this month with the ZeroFont technique used to breeze by AI-based email security controls," continued Higbee. "Friday's announcement reinforces the need to empower humans in our phishing defense practices worldwide, as relying on technology, AI and machine learning alone isn’t enough to stop these attacks before the damage is done.”

Categories: Cyber Risk News

Spread of 'Fake News' Could Affect Irish Elections, says Gov Report

Mon, 07/16/2018 - 10:52
Spread of 'Fake News' Could Affect Irish Elections, says Gov Report

A high-level government report has found that Irish elections are exposed to interference through cyber-attacks and the spread of "fake news". Reported by the Sunday Independent this weekend, the unpublished report found that social media and search engines were most at risk of being used to influence the outcome of the country's elections.

The report was compiled by the Interdepartmental Group on the Security of Ireland's Electoral Process and Disinformation. It consulted a wide range of officials and examined the experience of governments in other countries before drafting the report.

The report found a low level of risk of interference while votes are being counted, and a similarly low risk of the process being adversely affected through either broadcast or print media.

"Overall, the assessment finds that risks to the electoral process in Ireland are relatively low, taking into account factors already in place," the report states. "It is recognized, however, that the spread of disinformation and the risk of cyber-attacks on the electoral system pose more substantial risks."

However, a 2018 study conducted by MIT found that fake news reached more people, penetrated deeper into social networks and spread much faster than accurate stories. Statistically, a false story reaches 1500 people six times quicker, on average, than a true story does.

Speaking to The Atlantic in March 2018, Soroush Vosoughi, a data scientist who led the study, said: "It seems to be pretty clear that false information outperforms true information, and that is not just because of bots. It might have something to do with human nature."

The expert group, which is led by the Department of the Taoiseach, was established following the publication of Fianna Fáil TD for Kildare North James Lawless's Online Advertising and Social Media (Transparency) Bill in 2017. The bill aims to introduce laws which would prevent organizations in other countries from paying for online political advertising in Ireland, similar to what was seen in the 2016 US presidential elections.

The bill would also make it a criminal offence to knowingly spread fake news online; those found guilty could be fined up to €10,000 or imprisoned for five years.

Categories: Cyber Risk News

"Red Alert" Warning on US Cyber-Attacks, Now at "Critical Point"

Mon, 07/16/2018 - 10:17
"Red Alert" Warning on US Cyber-Attacks, Now at "Critical Point"

The United States' director of national intelligence issued a "red alert" warning on a dangerous new level of cyber-warfare during a Washington think tank conference. He also spoke of Russia as one of the "worst offenders" ahead of US President Trump's meeting with Russian President Vladimir Putin in Finland.

Dan Coats addressed the Hudson Institute last Friday, commenting: "Today, the digital infrastructure that serves this country is literally under attack." He compared the "warning signs" to the same ones "ignored" ahead of the September 11 terrorist attacks.

"It was in the months prior to September 2001 when, according to then-CIA Director George Tenet, the system is blinking red. And here we are nearly two decades later, and I'm here to say, the warning lights are blinking red again," Coats said.

His comments were backed up on Saturday by John Podesta, the former chairman of Hillary Clinton's presidential campaign, who said to CNN: "As the director of national intelligence said, the red lights are blinking, but I think the White House is essentially asleep at the switch."

As well as China, Iran, and North Korea, Coats talked about Russia as being the "most aggressive foreign actor" and that they "continue their efforts to undermine our democracy." Targets for these attacks include the federal government, the US military, state and local government and U.S. businesses. He also talked about the risks to the 2018 midterm elections, but was quick to point out that it shouldn't be the only focus: "Focusing on the potential impact of these actions, on our midterm election, misses the more important point: these actions are persistent, they're pervasive, and they are meant to undermine America's democracy on a daily basis, regardless of whether it is election time or not.

"What's serious about the Russians is their intent," he continued. "They have capabilities, but it's their intent to undermine our basic values, undermine democracy, create wedges between us and our allies."

The comments came the same day the Justice Department announced the indictment of 12 Russian military intelligence agents, accusing them of trying to hack Democrats' emails and computer networks during the 2016 election.

Back in February, Crowdstrike CTO, Dmitri Alperovitch, told CNBC that the US government was exceptionally vulnerable to cyber-attacks, and despite its "very good" intelligence operations, their "procurement process is so archaic that they are not actually able to buy the technologies they need to protect themselves fast enough."

Categories: Cyber Risk News

US Orgs Overly Optimistic About Cyber-Readiness

Mon, 07/16/2018 - 08:05
US Orgs Overly Optimistic About Cyber-Readiness

Senior executives at most US organizations believe the cybersecurity of their firms is above board, according to a new survey of 500 senior IT executives. The survey included responses from interviews conducted with executives across multiple sectors in the US and 10 other countries.

Results of the survey conducted by FICO revealed that 68% of US firms said they are better prepared for data breaches than their competitors, reflecting an 8% increase since last year. Of the executives interviewed from the US, UK, Canada, Brazil, Mexico, Germany, India, Finland, Norway, Sweden and South Africa, Canadians were the most likely to rate their firm a top performer for cybersecurity.

Within the US, the most confident sectors were power and industry providers, with 86% rating their firms above average or top performers. Respondents from the financial services sector were the least confident, with only 60% rating their firms as either above average or in the range of top performers. Telecommunications providers fell between those two industries, with 72% of respondents ranking their firm as having above-average cyber-readiness, yet only 44% of telecommunications providers believe their firm’s cybersecurity position will improve in a year’s time.

“Firms have a lot to lose when it comes to their privacy and security risk and must have an accurate picture of how protected they really are,” said Doug Clare, vice president for cybersecurity solutions at FICO. “These figures point to the fact that many firms don’t know how they compare against their competitors, which could lead to an under-investment in cybersecurity protection.”

Maxine Holt, research director at Ovum, which FICO commissioned to conduct the survey, said, “IT leaders have greater funding than ever to protect organizations from the continuously evolving threat landscape and meet complex compliance demands.”

“These same IT leaders are undoubtedly keen to believe that the money being spent provides their organization with a better security posture than any other – but the rapid pace of investment, often in point solutions, rarely takes an organization-wide view of security.”

Categories: Cyber Risk News

Spambot Targets WordPress with Spray and Pray

Fri, 07/13/2018 - 14:54
Spambot Targets WordPress with Spray and Pray

Researchers at Imperva published their discovery of a new comment spam campaign that is leveraging the popularity of the World Cup to trick people into clicking on links that take them to shady betting sites.

The campaign, which mainly targets WordPress sites, is launched by a botnet and implemented in the form of comment spam. Despite its being one of the oldest tricks in the hacker’s book, comment spam is still pretty popular.

The comments appear to be little more than meaningless, generic text generated from a template and posted in the comment sections of blogs and news articles. When researchers sifted through the comments, they discovered a pattern: The linked sites offered betting services on 2018 FIFA World Cup matches.

Using the spray-and-pray technique, the spambot attempts to post a comment to the same URI across multiple sites, even sites that might not be vulnerable or that don’t have a comments section. Researchers found that the top 10 links advertised by the botnet lead to World Cup betting sites, with eight of those top advertised sites containing links to the same betting site.

“In the weeks before the World Cup, the botnet had emphasized other, non-spam attacks, including unsuccessful attempts to invoke remote code execution (RCE) via PHP and to abuse unrestricted file upload to WordPress sites,” the researchers wrote.
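The traits described above (one URI hit across many sites, posts to sites with no comment form, templated text pointing at a handful of link targets) are what a hosting provider or site owner can look for in its own comment-submission records. The following detection logic is an added example, not Imperva's code or part of the article; the submission records, hostnames, addresses and link targets are constructed placeholders.

```python
"""Flag spray-and-pray comment spam across a fleet of WordPress sites."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed comment-submission records: (site, client_ip, uri, http_status, text).
# Sites, addresses and link targets are made-up placeholders, not real indicators.
SUBMISSIONS = [
    ("blog-a.example", "203.0.113.7", "/wp-comments-post.php", 302,
     "Great post! Check the best odds here http://bets-one.invalid/cup"),
    ("news-b.example", "203.0.113.7", "/wp-comments-post.php", 302,
     "Great post! Check the best odds here http://bets-one.invalid/final"),
    ("static-c.example", "203.0.113.7", "/wp-comments-post.php", 404, ""),  # no comment form
    ("shop-d.example", "203.0.113.7", "/wp-comments-post.php", 302,
     "Great post! Check the best odds here http://bets-two.invalid/"),
    ("blog-a.example", "198.51.100.4", "/wp-comments-post.php", 302,
     "Thanks, the section on caching helped me fix my site."),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_domains(text):
    """Hostnames of every URL embedded in a comment body."""
    return [urlparse(u).hostname for u in URL_RE.findall(text)]


def template_key(text):
    """Strip URLs and digits so comments generated from one template collapse to one key."""
    return re.sub(r"\d+", "#", URL_RE.sub("", text)).strip().lower()


def analyse(submissions, min_sites=3):
    """Return {client_ip: {"reasons": [...], "top_domains": [...]}} for suspicious clients."""
    per_client = defaultdict(lambda: {"sites": set(), "uris": set(), "not_found": 0,
                                      "templates": Counter(), "domains": Counter()})
    for site, ip, uri, status, text in submissions:
        rec = per_client[ip]
        rec["sites"].add(site)
        rec["uris"].add(uri)
        if status == 404:           # posting to a site that has no comment endpoint at all
            rec["not_found"] += 1
        if text:
            rec["templates"][template_key(text)] += 1
            rec["domains"].update(link_domains(text))

    flagged = {}
    for ip, rec in per_client.items():
        reasons = []
        if len(rec["sites"]) >= min_sites and len(rec["uris"]) == 1:
            reasons.append("same URI posted to %d sites" % len(rec["sites"]))
        if rec["not_found"]:
            reasons.append("%d posts to sites with no comment endpoint" % rec["not_found"])
        top_tpl = rec["templates"].most_common(1)
        if top_tpl and top_tpl[0][1] >= 2:
            reasons.append("templated text repeated %d times" % top_tpl[0][1])
        if reasons:
            flagged[ip] = {"reasons": reasons, "top_domains": rec["domains"].most_common(3)}
    return flagged


if __name__ == "__main__":
    for ip, info in analyse(SUBMISSIONS).items():
        print(ip, info["reasons"], "advertised:", info["top_domains"])
```

The ranked link targets give the same view the researchers used to connect the spam to a handful of betting sites; a real deployment would read the records from the sites' comment moderation queue or web server logs.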

Commenting on the discovery, Johnathan Azaria, security researcher at Imperva, said, “Our research once again highlights that attackers follow public trends and essentially go where the money is."

“In this campaign, attackers are taking advantage of the popularity of the World Cup. Anyone who visits the betting sites could easily be duped into handing over sensitive information to attackers,” Azaria said.

Researchers suspect that this is a botnet for hire, orchestrated by the betting sites in an attempt to increase their SEO. The campaign "reflects how malicious or unsolicited campaigns tend to intensify during events that draw large audiences who keep track of developments online, are enticed to purchase products online from sponsoring organizations or both," said Chris Olson, CEO of The Media Trust.

Categories: Cyber Risk News