Info Security


California Hospital Notifies 67k Patients of Data Breach

Tue, 12/15/2020 - 17:53

A hospital in California has notified 67,000 patients that their personal data may have been exposed in a cyber-attack.

In a letter dated December 8, Sonoma Valley Hospital told patients that it was one of several American healthcare providers victimized two months ago in a wide-sweeping ransomware campaign.

"SVH experienced a ransomware cyber-attack on October 11, 2020 by what is believed to be a Russian threat actor," wrote the hospital.

"This event was part of a broader attack on dozens of hospitals across the country."

The hospital said the attack was discovered on the day that it occurred and that systems were shut down immediately in an effort to minimize any damage. 

SVH said that it hired external information technology and forensics experts to help its own cybersecurity team mitigate the threats and followed their advice to not pay the ransom demanded by the attackers. 

"After discovering the attack, our cybersecurity team—in partnership with outside information technology and forensics experts—successfully prevented the cybercriminal from blocking our system access and ultimately expelled them from our system," said SVH.

The hospital said that before being booted out of their system, the cyber-criminal(s) behind the attack "may have removed a copy of a subset of data."

A forensic examination of what the criminals could have accessed indicates that patients' names, addresses, dates of birth, insurer group numbers, and subscriber numbers may have been exposed. 

Other details that could have been accessed by the criminals included diagnosis or procedure codes, date of service, place of service, amount of claim, and secondary payer information.

"Based on the reports of the forensics analysts, the hospital does not believe patient financial information (such as credit card or social security numbers) was accessed, nor was patient information in the hospital’s electronic health record system," stated SVH. 

The hospital said that it is not aware of any misuse or attempted misuse of patient health information, and hospital forensics experts have searched for any potential re-disclosures.

While surgeries, emergency care, and the hospital's "Follow My Health" patient portal have not been impacted by the attack, some diagnostic tests were disrupted.

Categories: Cyber Risk News

Twitter Fined Half a Million Dollars for Privacy Violation

Tue, 12/15/2020 - 17:35

Twitter has been fined over half a million dollars for violating European Union data protection laws in the first EU-wide privacy case. 

The EU's chief data watchdog today announced that it has issued an administrative fine of 450,000 euros ($547,000) to the social media titan for being too slow to notify Android phone users located across the EU of a data breach that threatened their privacy.

A further finding of the investigation into the breach by Ireland's Data Protection Commission (DPC) was that Twitter failed to adequately document the security incident. 

The DPC’s investigation into the incident commenced in January 2019 following receipt of a breach notification from Twitter. On Tuesday, the DPC stated that Twitter "infringed Article 33(1) and 33(5) of the General Data Protection Regulation (GDPR) in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach." 

Under EU data protection rules, it is a requirement to report a breach within 72 hours of discovery. 

The commission described the not insignificant financial penalty levied on the American company as "an effective, proportionate and dissuasive measure."

According to the Binding Decision of the Board, the data breach arose from a bug in Twitter's design that caused the protected tweets of Android device users to become unprotected without their consent if users changed the email address associated with their Twitter account. 

The bug, which affected 88,726 EU and EEA users between September 2017 and January 2019, was traced back to a code change made on November 4, 2014. It was discovered on December 26, 2018, by the external contractor managing Twitter's bug bounty program.

Referencing the significance of the Twitter inquiry, the DPC stated: "The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 ('dispute resolution') process since the introduction of the GDPR and was the first Draft Decision in a 'big tech' case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities."

Categories: Cyber Risk News

Businesses Often Do Not Inform Customers of Tracking

Tue, 12/15/2020 - 17:00

Almost three-quarters of businesses admit that tracking of customer data happens, but without consent.

According to research from Zoho Corp, a survey of 1400 business leaders about third party ad tracking found 100% of respondents said their companies allow it, and 57% are “comfortable” or “very comfortable” with the way third-parties use customer data. However, 72% admit they know that tracking happens but do not inform customers.

In the USA and Canada, 62% of companies don’t inform customers that they allow tracking code from third-party services on their websites, despite the majority claiming to have well-defined consumer data privacy policies that are strictly applied.

Raju Vegesna, Zoho’s chief evangelist, told Infosecurity that he believed businesses have a moral obligation to be transparent with customers about what data they collect and who they share this sensitive information with.

“Our survey findings show an alarming disconnect between how business leaders view the strength of their privacy policies and what information they keep secret from customers,” he said. “Right now, our remote workforce is reliant on software solutions to continue business operations; business leaders need to put themselves in the position of their customers and ask ‘as a user, do I want to be tracked?’ ”

However, he claimed many businesses are failing this ethical test, which shows they care more about profits than privacy. “We shouldn’t have to wait for regulation to spur businesses to take stronger stances on consumer data privacy protections,” he said. 

Asked if businesses should be more transparent on what is collected, and who they supply this data to, Niamh Muldoon, senior director of trust and security at OneLogin, said: “Leaders in trust and security have built their brand and reputation with their customers by being transparent with the use of data while providing assurance that appropriate controls are in place to protect the data as it is inputted, processed and stored.

“The survey results highlight the lack of awareness and understanding amongst business leaders on how to build trust and security into a brand and use it as a key business differentiator.”

Matthew Pahl, security researcher at DomainTools said businesses will continue to place profit over privacy. “As soon as it becomes unprofitable for businesses to allow widespread tracking of customer habits and data, we will see a change in corporate practices.”

Categories: Cyber Risk News

#BSEC: Staying Alert to the Growing Dangers of Cybercrime

Tue, 12/15/2020 - 15:44

Cybercrime is becoming increasingly dangerous to organizations and individuals alike, according to Chief Supt. Andrew Gould, national cybercrime programme lead at the National Police Chiefs' Council, speaking during the BankSec 2020 virtual conference.

One reason for this is that cybercrime is becoming easier to conduct, with tools more readily available from the internet and able to be deployed without much technical skill. “That barrier to entry to the criminal marketplace is lower than it’s ever been,” noted Gould.

The rise in cybercrime as a service, whereby nefarious actors from across the world can be employed relatively cheaply to help undertake attacks, has been another big factor in recent years.

The kinds of attacks being launched are also becoming more consequential. Ransomware remains the biggest attack vector, and Gould observed that the malware used is "more complex and damaging" while the behavior of cyber-villains is becoming "more confrontational."

Business fraud attacks, in particular phishing and business email compromise (BEC) attempts, have grown exponentially recently, according to Gould. "There are millions of pounds that organizations are losing to this every week which causes tremendous disruption," he outlined.

Another trend highlighted is that criminals are conducting far more research and planning ahead of attacks, largely as a result of improved security. Much of this involves discovering personal information on social media sites in order to craft more convincing phishing messages, with Gould stating that people should "consider the kind of information they're posting and how that can potentially be used against you or your organization by appearing to be more realistic."

For organizations to mitigate against these threats, Gould said it is vital that backups are in place, which unfortunately is often not the case. “You can recover from just about any security breach unless you don’t have effective backups – if you can’t restore from backups you can potentially lose everything,” he said.

His other main advice to organizations is to have strong password policies, ensuring the use of three random words and two-factor authentication is mandated across staff, as per National Cyber Security Centre (NCSC) recommendations. He commented: “If your organization is enforcing those standards for your staff and for your customers, you are going to mitigate a lot of current successful attacks.”

In terms of the police response to cybercrime in the UK, Gould explained that a much more proactive approach is now being taken. While there is a very strong and integrated national network, a greater focus on preventing these types of crime at a local level is crucial. Now, every police force in the country has a cybercrime unit which undertakes initiatives such as giving advice to victims, helping organizations improve their defences and incident response strategies, as well as identifying young people who are at risk of going down the path of cybercrime in order to “point them on a more meaningful path.”

Gould added: “Unlike other areas of crime, these are skills we want to encourage because there’s a huge skills shortage in the industry – so we want people to test their skills and improve, but in a safe way.”

He said this approach has taken the pressure off the regional teams, allowing them to focus on organized crime groups, "so there's a level of proactive, covert operations against the high end crime groups that's gone from strength to strength." This, he believes, will lead to increased numbers of cybercrime arrests and prosecutions in the months and years ahead.

Categories: Cyber Risk News

Millions of Medical Imaging Files Freely Accessible on Unprotected Servers

Tue, 12/15/2020 - 15:02

Over 45 million medical imaging files are freely accessible on unprotected servers, according to a new investigation by CybelAngel.

The researchers discovered that a huge range of sensitive medical images, including X-rays and CT scans, can be accessed without the requirement for a username and password. Instances were even found of login portals accepting blank usernames and passwords.

The team scanned around 4.3 billion IP addresses and found that more than 45 million of these images were left exposed on over 2,140 unprotected servers across 67 countries, including the US, UK and Germany.

CybelAngel also revealed that personal information was among the data left unencrypted and without password protection online. This includes personally identifiable information such as name, birth date, address and personal healthcare information including height, weight and diagnosis.

The easy availability of this kind of imagery and data leaves patients at risk of blackmail and ransomware as well as fraud, according to the study authors, who noted that medical data is in high demand on the dark web.

The investigators added that healthcare providers may be liable to sanctions for these breaches of sensitive patient information under data protection laws such as the GDPR in Europe.

Author of the report David Sygula, senior cybersecurity analyst at CybelAngel, commented: "The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files. This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach."

Todd Carroll, VP cyber operations at CybelAngel, added: "Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients' data.

"The health sector has faced unprecedented challenges this year, however the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.” 

Categories: Cyber Risk News

DHS, CISA and NCSC Issue Warnings After SolarWinds Attack

Tue, 12/15/2020 - 14:00

Government agencies have issued warnings about the fresh spate of attacks, apparently from nation-state actors against major security vendors.

Last week FireEye disclosed that it had spotted an attack from nation-state actors looking for data on government clients, in which attackers were able to access some internal systems and steal some of FireEye's red team tools. It was later disclosed that the attack was enabled by trojanized updates to SolarWinds' Orion IT monitoring and management software, although SolarWinds said that fewer than 18,000 of its global customers had been affected.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01 in response to the SolarWinds compromise which calls “on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

In a statement, CISA acting director Brandon Wales said “the compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks.”

He said: “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”  

Also, Alexei Woltornist, assistant secretary for public affairs at the Department of Homeland Security, said DHS is aware of cyber breaches across the federal government and working closely with its partners in the public and private sector on the federal response.

A spokesperson for the UK's National Cyber Security Centre (NCSC) said in a statement: "The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact. The NCSC recommends that organizations read FireEye's update on their investigation and follow the company's suggested security mitigations."

It recommended that organizations ensure any instances of SolarWinds Orion are configured according to the company's latest guidance, install those instances behind firewalls, disable internet access for them, and limit ports and connections to only those that are critically necessary.

Commenting, Sam Curry, chief security officer at Cybereason, said: “If 2020 has taught us anything, it is that the COVID-19 pandemic has improved the resiliency of security professionals and reinforced how determined defenders are to rid networks of cyber-espionage adversaries. In fact, all UK companies should respond with a cold, logical, rational response.

“In general, now is not the time for security experts to panic. A practical and measured response is advised.”

If SolarWinds is being used in your organization, Curry recommended strengthening your security posture as follows:

  • Isolate machines running SolarWinds until further information is available as the investigation unfolds
  • Reimage impacted machines
  • Reset credentials for accounts that have access to SolarWinds machines
  • Upgrade to Orion Platform version 2020.2.1 HF1 as soon as possible. SolarWinds has also provided further mitigation steps

"In addition, set up a task force to look through all data logs, check the hygiene of systems and make sure everyone is generally on high alert for future attacks," he said. "Ensure your company is always on the hunt for adversaries. The sooner you do these things the sooner you can assume no one is lurking in your network in silent mode."

Categories: Cyber Risk News

#BSEC: The Continuous Evolution of Cyber-Attacks

Tue, 12/15/2020 - 12:01

Current and likely future cyber-attack trends were highlighted by Sarah Armstrong-Smith, chief security advisor, Microsoft Cybersecurity Solutions Group (UK) during the BankSec 2020 virtual conference.

Through its analysis, Microsoft found that phishing and business email compromise (BEC) attacks remain the most common tactic employed, but are becoming increasingly sophisticated in nature. “The ultimate aim is credential theft,” noted Armstrong-Smith, revealing that in the last year, Microsoft have processed six trillion different messages, blocking 13 billion malicious emails.

One trend observed in regard to BEC attacks is the rise of CEO impersonation, while brands commonly spoofed include large tech companies like Microsoft and Amazon.

There has also been a substantial growth in high impact ransomware incidents in recent times, with a notable feature being that they are "driven by human ransomware and active reconnaissance," according to Armstrong-Smith. She added: "Cyber-criminals really do take their time to learn about your company and how and when they are going to launch an attack." This targeted approach means that attacks can be launched in as little as 45 minutes from accessing an organization's system.

Armstrong-Smith additionally highlighted how cyber-criminals are rapidly responding to the changing news cycle, which has been especially evident during the COVID-19 pandemic this year. This enables attacks to be timed to be most impactful. For instance, once a global pandemic was declared from the beginning of March, and governments began taking action to stop the spread of the virus, “there was a massive peak in COVID-related attacks,” including phishing lures and fake domains.

At the same point this year, Microsoft detected a huge rise in DDoS attacks, designed to exploit businesses while they were distracted in a number of areas, such as shifting to remote working. Another method employed by malicious actors is to combine DDoS attacks and ransomware. Armstrong-Smith noted: “Cyber-criminals are really evolving in terms of what they’re doing and how they do it.”

This means organizations must be ready for further changes in the methods used by cyber-criminals going forward. One of these could be in response to improved cybersecurity technologies, and in particular, the growing use of machine learning to detect threats. According to Armstrong-Smith, there are signs that threat actors are looking at disrupting and “poisoning” the algorithms of machine learning tools, skewing the results they give, and therefore security decisions made.

A further major security threat that is expected to surge in the coming years relates to the increasing use of IoT devices by employees and organizations. This issue has been exacerbated this year by the shift to home working, where staff have "multiple different devices that are potentially sat on the same network." Armstrong-Smith noted that we are likely to see moves to smart buildings and even smart cities in the future, which will mean "everything is actually interconnected in one way or another, across the internet."

In response to this evolving threat landscape, she said it is vital that organizations improve their resilience. This requires a mindset shift, moving “away from trying to stop everything to actually assuming compromise,” and the ability “to recover as quickly as possible.”

Categories: Cyber Risk News

Spotify Resets Passwords After Leaking User Data to Partners

Tue, 12/15/2020 - 11:39

Spotify has been forced to issue a password reset for users after admitting that their information was exposed to some of the firm’s third-party business partners.

The music streaming giant said in a customer data breach notification sent to the California attorney general that the privacy snafu was only discovered and fixed after seven months.

“On Thursday November 12, Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify,” it explained.

“Spotify did not make this information publicly accessible. We estimate that this vulnerability existed as of April 9, 2020 until we discovered it on November 12, 2020, when we took immediate steps to correct it.”

Spotify said it has contacted all of those partners to ensure they delete the exposed customer information, and has reset the passwords of affected users.

“We have no reason to believe that any unauthorized use of your information has or will occur, however, we urge you to change the passwords of all other online accounts for which you use the same email address and password,” it added.

This is the third security incident affecting the firm in recent months. A few days ago a hacktivist calling themselves ‘Daniel’ hijacked the Spotify for Artists page, posting messages in support of Taylor Swift and Donald Trump.

A few days before that, in late November, security researchers discovered a leaky cloud database containing logins for up to 350,000 Spotify users likely to have been part of a credential stuffing campaign.

Laurence Pitt, technical security lead at Juniper Networks, urged internet users to use a password manager to help them store strong, unique credentials for each online account.

“Many people pay for premium Spotify services and with access to a password, anyone would be able to redirect a subscription for their own use,” he added.

“Password re-use is dangerous because if any of the data from this exposure does fall into the wrong hands, then it will end up in brute-force attack databases providing valid username/password combinations for access to other services.”

Categories: Cyber Risk News

Government Threatens Tech Firms with Fines of 10% of Turnover

Tue, 12/15/2020 - 11:07

The UK government will introduce an Online Safety Bill next year which could result in fines higher than the GDPR for companies that allow illegal content to be posted on their platforms.

The plans are nominally aimed at protecting children online by banning things like terrorist content, child sexual abuse material, and anything promoting suicide. Misinformation is also included, if it is deemed to cause major physical or psychological harm.

Regulator Ofcom will be given the power to fine companies up to 10% of global annual turnover or £18 million, whichever is higher, for serious transgressions. It will also be empowered to block such services if they choose not to comply, although it’s unclear exactly how.

So-called Category One companies — like Facebook, Twitter, TikTok and others with a major online presence and “high-risk features” — will face the most stringent requirements, although the majority of firms online fall into lower categories.

However, the law nevertheless places new requirements not only on social media giants but a swathe of online services including messaging, cloud storage, search engines, video games and online forums.

As some of these platforms run end-to-end encryption there are concerns over whether they will be effectively penalized for not being able to monitor content being disseminated by users.

Stephen Kelly, CEO of entrepreneur’s network Tech Nation, welcomed the proposals.

"Given our leadership in the application of ethics and integrity in IT, it should be no surprise that the UK is moving decisively to tackle online harms, one of the biggest and most complex digital challenges of our time,” he argued.

“Equally, it offers the UK the opportunity to lead a new category of tech, such as ‘safetech,’ building on our heritage of regtech and compliance, which already assure global markets and economies."

However, others were less confident. Adam Hadley, director of the Online Harms Foundation, is reported as describing the plans as "at best ineffective and at worst counterproductive."

“Creating onerous financial penalties on tech companies only incentivises overzealous removal of content, leading to content that is not illegal being removed and pushing conspiracy theorists on to self-owned underground platforms, where their views cannot be challenged or easily monitored,” he argued.

Categories: Cyber Risk News

SolarWinds: Our Office 365 Emails Were Compromised

Tue, 12/15/2020 - 09:50

The company at the center of revelations over a widespread Russian information-stealing campaign has said that fewer than 18,000 of its global customers were affected.

SolarWinds produces popular software that helps organizations manage their IT networks and infrastructure. However, it was revealed by FireEye that attacks which compromised the security vendor and US government departments had used the software as a key attack vector.

In a way not dissimilar to the NotPetya attacks of 2017, which began by compromising legitimate Ukrainian accounting software to deliver malware via updates, the attackers appear to have trojanized SolarWinds' Orion product.

“FireEye has detected this activity at multiple entities worldwide,” the vendor said on Sunday.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals.”

Exactly how many organizations had been affected by the attacks was a point of speculation up until now. However, an SEC filing by SolarWinds provided some clarity.

Despite the company boasting 300,000 global customers, it claimed that only 33,000 used the Orion product during and after the period the malicious updates are thought to have been issued: March-June 2020.

“SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” it revealed.

“The communication to these customers contained mitigation steps, including making available a hotfix update to address this vulnerability in part and additional measures that customers could take to help secure their environments. SolarWinds is also preparing a second hotfix update to further address the vulnerability, which SolarWinds currently expects to release on or prior to December 15, 2020.”

Another question mark hanging over the firm is how it was compromised in the first place. Although it didn’t clarify whether the incidents were related, the same SEC filing revealed that SolarWinds had been notified by Microsoft that its Office 365 emails had been compromised by an unnamed “attack vector.”

“[They] may have provided access to other data contained in the company’s office productivity tools,” it noted.

Categories: Cyber Risk News

Pornhub Removes All Unverified Content

Mon, 12/14/2020 - 19:14

One of the internet's most popular purveyors of pornography has removed all unverified content from its website.

Pornhub said it took the step last week in an effort to combat the rising tide of Child Sexual Abuse Material (CSAM) flooding the internet. Unverified uploaders have been banned from posting new content, and downloads have been eliminated.

Currently, only content partners and people within the site's Model Program can upload content to Pornhub. However, the site plans to implement a verification process in the new year that will allow any user to upload content "upon successful completion of identification protocol."

Announcing the changes on their website, Pornhub compared their approach to verification with that of other companies with a huge online presence. 

"As part of our policy to ban unverified uploaders, we have now also suspended all previously uploaded content that was not created by content partners or members of the Model Program. This means every piece of Pornhub content is from verified uploaders, a requirement that platforms like Facebook, Instagram, TikTok, YouTube, Snapchat and Twitter have yet to institute," announced Pornhub.

The company said that its efforts to combat the appearance of illegal content on its site had "been effective."

"Over the last three years, Facebook self-reported 84 million instances of child sexual abuse material. During that same period, the independent, third-party Internet Watch Foundation reported 118 incidents on Pornhub," stated the site. 

"That is still 118 too many, which is why we are committed to taking every necessary action."

Pornhub closed their announcement by stating that "all social media platforms share the responsibility to combat illegal material."

The content purge follows the recent creation of Pornhub's Trusted Flagger Program, an initiative that empowers 40 non-profit organizations to alert the site of content they think may violate Pornhub's terms of service.

Partner organizations have a direct line to the site's moderation team, and any content flagged by a Trusted Flagger is disabled immediately. 

Pornhub voluntarily partnered with the National Center for Missing & Exploited Children (NCMEC) to report incidents of CSAM that appear on its site. In early 2021, NCMEC will release the total number of CSAM incidents reported on Pornhub.

Categories: Cyber Risk News

US Jails Journalists' Cyber-Stalker

Mon, 12/14/2020 - 18:43

A cyber-stalker from Arizona who joined up with a neo-Nazi group to harass and threaten journalists, advocates, and other targets has been sentenced to prison.

Johnny Roman Garza admitted to conspiring with other members of the Atomwaffen Division to deliver menacing messages to journalists online and in person, sometimes targeting their homes. The campaign was created to intimidate individuals who had exposed anti-Semitic behavior. 

The 21-year-old confessed to affixing a threatening poster to the bedroom window of a prominent Jewish journalist and editor on January 25, 2020. Along with the victim's name and address, the poster showed a man holding a Molotov cocktail and wearing a skull mask while standing in front of a burning house.

According to court documents, the act was part of a coordinated plot against multiple targets that Garza said was designed to "have them all wake up one morning and find themselves terrorized by targeted propaganda."

In September, Queen Creek resident Garza pleaded guilty to one count of interfering with federally protected activities because of religion, one count of conspiracy to mail threatening communications, and one count of cyberstalking. 

In his plea agreement, Garza admitted to conspiring with other defendants via an encrypted online chat group to identify journalists and advocates that the group could threaten. 

The group focused primarily on journalists and advocates who were people of color and/or of the Jewish faith. 

Appearing before US District Judge John Coughenour on December 9, Garza said he committed the crimes after falling in with a bad crowd.

According to the Omaha World Herald, Garza told Coughenour that when committing the crimes, he was “in a time of darkness and isolation” that allowed "rebellious and resentful" influences to impact his decisions.

“Very unfortunately, I fell in with the worst crowd you can probably fall in with, a very self-destructive crowd at the least,” said Garza.

Garza's defense attorney, Seth Apfel, said that since committing his crimes, his client had “not just disavowed the views that he had, but really embraced a new way of being.”

Coughenour sentenced Garza to 16 months in prison and three years of supervised release.

Categories: Cyber Risk News

Combat Online Predators Act Clears US House

Mon, 12/14/2020 - 17:53

Legislation to enhance federal criminal penalties for adults convicted of cyber-stalking children has been passed to America's President Donald Trump for signature. 

The Combat Online Predators Act seeks to amend the federal criminal code to increase the maximum prison term for a stalking offense by an additional five years if the victim is under 18 years of age. It also requires the attorney general to create a report detailing best practices for the enforcement of state, local, tribal, and federal stalking laws in the United States.

The bill was first introduced in November 2017. It was passed by the House of Representatives in 2018 with broad bipartisan support and unanimously passed in a modified form by the Senate. 

However, time ran out before the House could vote on the altered version of the bill and send it to the president for signature. 

The bill was subsequently reintroduced and passed by the Senate last October. Now it is finally with the president after winning the approval of the House of Representatives last week.

Under current law, it is a federal crime for an individual to harass or intimidate another individual, in person or online, in a way that causes them to fear that they may be physically harmed or places them in significant emotional distress. 

The maximum criminal penalty for stalking is five years in prison. A ten-year custodial sentence may be imposed if the defendant causes serious physical injury to the victim or uses a dangerous weapon. 

If signed into law, the bill would increase the maximum penalties for stalking to 10 years and 15 years, respectively. Adult defendants convicted of stalking a minor could be incarcerated for a total of 15 years.

The bill was inspired by the experience of the Zezzo family of Pennsylvania, whose teenaged daughter was cyber-stalked on social media by the 51-year-old father of one of her friends. 

"As families have navigated through the COVID-19 pandemic, children are spending more time online and in front of a web cam,” Tony Zezzo, father of the victim, told Times Leader.

“Individuals who stalk and cyber-stalk our children are taking advantage of these new tools and opportunities to exploit children. This legislation has never been more critical than it is today."

Categories: Cyber Risk News

Outpost24 Announces Completion of €19m Funding Round

Mon, 12/14/2020 - 15:30

Cybersecurity assessment provider Outpost24 has announced it has closed a new funding round worth SEK 200m (€19m).

The company said the funding, which was led by asset manager Swedbank Robur and Nordic equity investment firm Alcur Fonder, will enable it to expand its offering and services worldwide.

This comes amid a growth in demand for cloud-based security solutions in the past 12 months, with organizations forced to shift to a remote working model.

Outpost24 aims to help organizations identify, assess and prioritize IT vulnerabilities through risk-based insights. In recent years the Swedish firm, which is owned by Monterro, has grown its operations in Europe and the US with the acquisitions of SecludIT and Pwnie Express.

Peter Larsson, managing partner at Monterro and chairman of the board of Outpost24, commented: “This funding round, done during a global pandemic, is a vote of confidence in our full stack security assessment vision. Having seen what a great technology and team we’ve built, our investors are onboard with our mission to help enterprise companies automate cyber hygiene and reduce risks.”

Martin Henricson, CEO of Outpost24, said: “As malware and phishing attacks continue to make their way through corporate defense, there’s a real need for companies to level up cyber-hygiene through continuous assessment and unified security insights. I’m excited to embark on the next stage of growth for Outpost24 by helping our customers meet their risk reduction goals and achieve greater efficiency.”

Last week, cloud security provider Orca Security announced a $55m Series B fund round to expand its cloud security and compliance capabilities.

Categories: Cyber Risk News

Data Leak Exposes Details of Two Million Chinese Communist Party Members

Mon, 12/14/2020 - 14:20

Sensitive data of around two million members of the Communist Party of China (CPC) has been leaked, highlighting their positions in major organizations, including government agencies, throughout the world.

According to reports from The Australian newspaper, featured in the Economic Times, the information includes official records such as party position, birthdate, national ID number and ethnicity. It revealed that members of China’s ruling party hold prominent positions in some of the world’s biggest companies, including in pharmaceutical giants involved in the development of COVID-19 vaccines like Pfizer and financial institutions such as HSBC.

The investigation by The Australian centred around the data leak, which was extracted from a Shanghai server in 2016 by Chinese dissidents.

It noted that CPC members are employed as senior political and government affairs specialists in at least 10 consulates, including the US, UK and Australia, in the eastern Chinese metropolis Shanghai. The paper added that many other members hold positions inside universities and government agencies.

The report emphasized there is no evidence that spying for the Chinese government or other forms of cyber-espionage have taken place.

In her report, The Australian journalist and Sky News host Sharri Markson commented: "What's amazing about this database is not just that it exposes people who are members of the Communist Party, and who are now living and working all over the world, from Australia to the US to the UK, but it's amazing because it lifts the lid on how the party operates under President and Chairman Xi Jinping.

"It is also going to embarrass some global companies who appear to have no plan in place to protect their intellectual property from theft, from economic espionage."

In September, the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Justice issued a joint advisory warning US government agencies and private sector companies to be on high alert for cyber-attacks by threat actors affiliated with the Chinese Ministry of State Security (MSS).

Categories: Cyber Risk News

Google Cloud Hires Goldman Sachs Man as First CISO

Mon, 12/14/2020 - 11:20

Google has hired the first security boss for its cloud business in the form of British-born Phil Venables.

A 25+ year veteran of the industry with experience in CISO roles in some of the world’s biggest banks, Venables officially joined Google Cloud this month, according to his LinkedIn profile.

After graduating from the University of York with a BSc in Computer Science, Venables went on to gain a Masters in computation at Oxford University before starting his career at a range of petrochemical, defense and finance companies.

This led to a stint as information security manager at Barclays, before CISO roles at Standard Chartered, Deutsche Bank and eventually Goldman Sachs, where he remained for two decades, moving into the private equity part of the business recently.

His role as VP at Google will involve not only a focus on inward-facing security but also helping to solve customer challenges.

According to the latest figures from October, Google remains in third place in the global cloud infrastructure market with a share of 7%, some way behind Microsoft Azure (19%) and AWS (32%). It’s also coming under strong pressure from Alibaba Cloud (6%).

All four are battling to secure new business customers attracted to the cloud as they look for ways to streamline business processes, drive innovation and improve IT efficiency amidst a pandemic-fuelled recession.

At Google Cloud, Venables will continue to work on best practices for cloud migration and security standards, according to reports. The platform has a good reputation in security circles: although it is in some ways less mature than the likes of AWS, that has meant security could be baked into more services from the start.

“Cloud becomes almost like a digital immune system, in that it’s detecting issues and then rapidly providing support for all of their customers to help defend themselves,” Venables is quoted as saying.

Categories: Cyber Risk News

Former Cisco Engineer Gets Two Years for $2.4M WebEx Attack

Mon, 12/14/2020 - 10:31

A former Cisco engineer has been sentenced to 24 months behind bars after causing millions of dollars in damages and losses for his former employer.

Sudhish Kasaba Ramesh, 31, of San Jose, pleaded guilty back in August to one count of intentionally accessing a protected computer without authorization and recklessly causing damage to Cisco.

Ramesh resigned his job at the networking giant in April 2018 after working there for nearly two years.

However, for a reason not explained in the court documents, he unlawfully accessed Cisco cloud infrastructure in September 2018, deploying code which deleted 456 virtual machines supporting the WebEx Teams application for clients.

In fact, over 16,000 customer WebEx Teams accounts were shut down for two weeks as a result of his actions. Although no data was compromised in the operation, it is said to have resulted in Cisco spending $1.4 million on extra staff costs to remediate the issue and a further $1 million in compensation for customers.

Ramesh will also be forced to serve a one-year period of supervised release following his two-year stint in prison and to pay a $15,000 fine.

According to Verizon, 30% of the breaches it analyzed earlier this year were linked to insider actions. However, most of these are thought to be the result of human error rather than malicious intent.

While malicious insider threats are relatively rare, they can be difficult to detect and prevent.

Back in 2018, it emerged that a disgruntled Tesla employee passed over for promotion caused “quite extensive and damaging sabotage” to the company’s systems.

According to an Accenture report last year, the cost of malicious insider threats jumped 15% from 2017 to reach $1.6 million.

Categories: Cyber Risk News

Russian Hackers Steal Data for Months in Global Supply Chain Attacks

Mon, 12/14/2020 - 09:40

Russian hackers who stole red team tools from FireEye may have been in action on a much broader scale, operating a sophisticated supply chain campaign targeting multiple global organizations and governments.

FireEye revealed in an update on Sunday that nation state attackers inserted malicious code into legitimate software for SolarWinds’ popular Orion product to gain remote access into victim environments.

Although it didn’t name any victims or the identity of the group, a Reuters report on Sunday citing “people familiar with the matter” pointed the finger at Moscow and claimed that the US Treasury and Commerce departments were both hit.

It’s claimed the attackers may have had access to staff emails since spring.

SolarWinds also confirmed the attack in an advisory over the weekend, and urged users to upgrade as soon as possible. Its software was seeded with a malicious backdoor dubbed “Sunburst” by FireEye.

“The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” the security vendor explained in a technical blog.

“The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

The attackers conducted a carefully planned, patient and highly sophisticated campaign based around a light malware footprint, prioritization of stealth and advanced OpSec to cover their tracks and use difficult-to-attribute tools, it added.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” said FireEye. “We anticipate there are additional victims in other countries and verticals.”

It’s unclear what the end goal of the group was, although a New York Times story named it as APT29, or Cozy Bear, which has been associated with previous attacks on the Democratic National Committee in 2016 and COVID-19 vaccine data earlier this year.

The Commerce Department’s National Telecommunications and Information Administration (NTIA), which decides which tech imports and exports to block on national security grounds, was reportedly one of the targets.

Categories: Cyber Risk News

US Frees ISIL Cyber-Operative

Fri, 12/11/2020 - 18:59

A Kosovan hacker, imprisoned in the United States for stealing personal data belonging to US military and government personnel and sending it to the Islamic State of Iraq and the Levant (ISIL), has been granted compassionate release.

Ardit Ferizi was sentenced to 20 years in prison in September 2016 after he confessed to providing material support to a designated foreign terrorist organization and to accessing a protected computer without authorization.

Ferizi's case made headlines for being the first-ever hacking conviction in the United States' War on Terror. 

The 24-year-old hacker, known online as “Th3Dir3ctorY,” was arrested in Kuala Lumpur, Malaysia, in 2015 at the age of 19 and extradited to the United States in January 2016.

According to court documents, Ferizi admitted that in June 2015 he gained system administrator-level access to a server that hosted the website of an electronics company located in Arizona. The website contained databases with personally identifiable information (PII) belonging to tens of thousands of the company's customers.

Ferizi searched the databases for PII belonging to US military members and other government personnel, stealing information belonging to approximately 1,300 such individuals. He then passed it on to Junaid Hussain, a now-deceased ISIL recruiter and attack facilitator. 

The hacker admitted that he gave the data to Hussain with the understanding that ISIL would use it to "hit them [the United States] hard." 

A document containing the stolen data was published on Twitter on August 11, 2015, by Hussain. Inside the document was the statement, “We are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”

Last week, federal judge Leonie Brinkema of the Eastern District of Virginia ordered the release of convicted cyber-criminal Ferizi after he submitted a handwritten motion stating that his obesity and asthma made him vulnerable to COVID-19. 

Brinkema ordered Ferizi to spend two weeks in quarantine, after which time he will be deported to his native Kosovo, where he will remain on supervised release for 10 years.

Categories: Cyber Risk News

Norwegian Police Pin Parliament Attack on Fancy Bear

Fri, 12/11/2020 - 18:17

Norwegian police have blamed Russian advanced persistent threat (APT) group Fancy Bear for the summer cyber-attack on Norway's single-chamber parliament, the Storting.

In what was described as "a significant attack" by the parliament's director, Marianne Andreassen, unauthorized individuals managed to gain access to the email accounts of several elected members of parliament and to some accounts belonging to parliament employees on August 24. 

On September 1, the Storting confirmed that a limited number of accounts had been compromised and that varying amounts of data had been downloaded by the attackers. Some of the compromised accounts belonged to members of Norway's main opposition party, the Labour Party.

Two weeks later, Norway's foreign minister, Ine Eriksen Soereide, laid the blame for the attack squarely at Russia's door. 

Speaking on October 13, Soereide said: “This is a serious event that hit our most important democratic institution. Based on the information available to the government, it is our assessment that Russia stood behind this activity."

The Storting reported the attack to Norway's Police Security Service (PST) on September 1, and the PST subsequently launched an investigation.

On December 8, the PST announced that a brute-force attack had been executed to break into user accounts of the Storting's email system and that "sensitive content has been extracted from some of the affected email accounts."

Investigators found that the actor tried to "move further into the Storting's computer systems" but was not successful.

Police concluded that the hit on the Storting was part of a larger campaign nationally and internationally that has been going on since at least 2019. 

"The analyses show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear," stated the PST.

"This actor is linked to Russia's military intelligence service GRU, more specifically their 85th Special Services Center (GTsSS)."

The PST said that the attack confirmed that insecure passwords used for private and business email accounts expose both individuals and the Storting as a parliamentary institution, and that two-factor authentication and appropriate account security settings could prevent similar attacks from occurring.
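The pattern the PST describes, a run of failed logins against an email account followed by a successful one, is something mail-server authentication logs can surface. The following detector is an added example and not code from the PST, the Storting or Infosecurity Magazine; the log format, the account and source-address values and the five-failures-in-ten-minutes threshold are all constructed assumptions for illustration.

```python
# Added example (not from the PST report or the Storting): flag accounts that
# see a burst of failed logins, and mark those where a success from the same
# source followed the burst. Log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <result> user=<account> src=<ip>"
SAMPLE_LOG = """\
2020-08-24T02:00:01 FAIL user=mp.one@storting.example src=203.0.113.5
2020-08-24T02:00:03 FAIL user=mp.one@storting.example src=203.0.113.5
2020-08-24T02:00:05 FAIL user=mp.one@storting.example src=203.0.113.5
2020-08-24T02:00:08 FAIL user=mp.one@storting.example src=203.0.113.5
2020-08-24T02:00:11 FAIL user=mp.one@storting.example src=203.0.113.5
2020-08-24T02:00:14 OK   user=mp.one@storting.example src=203.0.113.5
2020-08-24T08:15:00 FAIL user=staff.two@storting.example src=198.51.100.7
2020-08-24T08:15:30 OK   user=staff.two@storting.example src=198.51.100.7
2020-08-24T09:00:00 OK   user=mp.three@storting.example src=192.0.2.9
"""

FAIL_THRESHOLD = 5            # assumed: failures per account inside the window
WINDOW = timedelta(minutes=10)  # assumed sliding window


def parse_line(line):
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {account: finding} for accounts with `threshold` or more failures
    inside `window`; finding["compromised"] is True when a successful login
    from a source that produced the burst followed it."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, result, user, src = parse_line(line)
        events[user].append((ts, result, src))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        recent_fails = []          # timestamps of failures still inside the window
        burst_sources = set()      # sources that pushed the account over threshold
        for ts, result, src in evs:
            if result == "FAIL":
                recent_fails.append(ts)
                recent_fails = [t for t in recent_fails if ts - t <= window]
                if len(recent_fails) >= threshold:
                    burst_sources.add(src)
                    f = findings.setdefault(
                        user, {"failures": 0, "compromised": False, "sources": set()})
                    f["failures"] = len(recent_fails)
                    f["sources"].add(src)
            elif result == "OK" and user in findings and src in burst_sources:
                # A success right after a burst from the same source is the
                # signal to act on: treat the account as likely compromised.
                findings[user]["compromised"] = True
    return findings


if __name__ == "__main__":
    for account, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(account, finding)
```

A single stray failure, as for the second account in the sample, never reaches the threshold and is ignored, so the output only lists accounts worth a forced password reset and a check for second-factor enrolment.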

Categories: Cyber Risk News