Info Security

Subscribe to Info Security  feed
Updated: 21 min 33 sec ago

Pakistan Banks Not Breached, but Probably Skimmed

Thu, 11/08/2018 - 10:00
Pakistan Banks Not Breached, but Probably Skimmed

Pakistan’s central bank has sought to quash reports that the country’s lenders have been hacked en masse, following an apparent coordinated skimming campaign.

Mohammad Shoaib, head of the Federal Investigation Agency’s cyber-crime unit, apparently told two TV stations that “almost all” banks had been hacked, with a “large amount of money” stolen.

However, the State Bank of Pakistan (SBP) tweeted yesterday that it “categorically rejects reports of banks' data being hacked.” It added later that “no #bank or law enforcement agency has provided any evidence/info about #databreach to #SBP as yet.”

It ‘clarified’ that just one bank had been hacked, although it's unclear which lender this was.

BankIslami temporarily shut down its international and online payments system on October 27 after noticing unusual transactions of 2.6 million rupees ($20,000), according to a PakCERT report seen by Reuters.

“Subsequently, several other banks issued security alerts and either completely blocked customers’ debit and credit cards or blocked their online and international use,” the report continued.

The activity was apparently related to a skimming operation which harvested the details of 20,000 debit and credit cards from 22 Pakistani banks, which were subsequently put on the dark web for sale.

It appears they were then used to carry out the fraudulent online transactions, which were eventually spotted by the lenders. A small number of foreign cards were also caught in the data dump, presumably those which had been used by visitors at the affected skimming ATMs or merchant terminals.

It’s not just banks in Pakistan that are being targeted with ever-greater frequency. US financial services firms suffered three-times more data breaches in the first six months of 2018 than during the same period in 2016, according to Bitglass.

Verizon’s latest Data Breach Investigations Report also warned of the growing threat from ATM skimming and jackpotting.

Categories: Cyber Risk News

Flaw Leads to RCE in WordPress Plugins, WooCommerce

Wed, 11/07/2018 - 16:05
Flaw Leads to RCE in WordPress Plugins, WooCommerce

A WordPress design flaw could grant an attacker remote code execution, leading to a privilege escalation in WooCommerce and other WordPress plugins, according to RIPS Technologies.

In a 6 November blog post, researchers said that if the vulnerability is exploited, it would give shop managers – employees of the store that can manage orders, products and customers – the ability to delete files on the server and take over any administrator account.

The file deletion vulnerability was first detected and reported in WooCommerce. Though not considered critical, the vulnerability was fixed in version 3.4.6. Researchers found that deleting certain plugin files in WordPress can actually lead to a full-site takeover. This can occur if security checks are disabled in an unpatched design flaw within the privilege system of WordPress.

“Affected were over 4 million WooCommerce shops. No other requirements other than an attacker being in control of an account with the user role shop manager were required,” researchers wrote. “Such access could be obtained via XSS vulnerabilities or phishing attacks. Once the vulnerability described here is exploited, the shop manager can take over any administrator account and then execute code on the server.”

To assign privileges, WordPress gives certain capabilities to different roles, such as the shop manager. When this role is defined, it is able to edit customer accounts, which happens during the installation process of the plugin, researchers said. That role is stored as a core setting of WordPress in the database, making it independent of the plugin.

Only privileged users can edit another user, and default settings and meta capabilities that can be added to plugins are only executed when the plugin is active, which researchers identified as a design flaw.

“The issue is that user roles get stored in the database and exist even if the plugin is disabled. This means that if WooCommerce was disabled for some reason, the meta privilege check which restricts shop managers from editing administrators would not execute and the default behavior of allowing users with 'edit_users' to edit any user, even administrators, would occur. This would allow shop managers to update the password of the admin account and then take over the entire site.”

Categories: Cyber Risk News

High Turnover Rate Expected for IT Pros in 2019

Wed, 11/07/2018 - 15:35
High Turnover Rate Expected for IT Pros in 2019

Many IT professionals will seek increased salaries and opportunities to advance their skills outside of their current organizations come 2019, according to the 2019 State of IT Careers published today by Spiceworks. While fewer than 10% of IT professionals plan to leave the industry altogether, more than a quarter say they will look for new roles within the sector.

The report found that 43% of IT pros in Europe have plans to find a new employer next year, in large part because they are seeking a pay raise, though more than half (51%) want to advance their skills and 37% would prefer an improved work/life balance.

“2019 will see significant turnover in IT teams across Europe, with many employees looking to move on and companies planning to step up hiring,” said Peter Tsai, senior technology analyst at Spiceworks in a press release.

“Acquiring the right skills will be pivotal for both employers and employees to make a success of this shift, but the signs are positive. IT professionals are prioritizing skills development as a central part of their career plans which can only bode well for the businesses that are in need of more specialists.”

According to the report, 32% of organizations intend to hire more IT staff in 2019, which will hopefully allow them to overcome their biggest challenge of keeping IT infrastructure up-to-date. While 45% of respondents said that refreshing aging infrastructure is expected to be their greatest obstacle, 43% of organizations in Europe noted that regulations will likely be a struggle for them.

When hiring new staff, participating organizations said that cybersecurity skills and AI expertise will be the top skill sets they look for in recruits.

“Companies looking to maximize efficiencies and grow profits understand the potential artificial intelligence has to automate tasks and reduce the cost of doing business. But to effectively deploy and manage AI-enabled tech, organizations need workers with relevant AI skill sets and experience. And large enterprises, which often have resources dedicated to R&D, are already ahead of the game when it comes to experimenting with and getting value out of AI," Tsai said in the report.

While larger enterprises are looking for cybersecurity and AI expertise, midsize companies intend to hire staff adept in DevOps, and smaller companies will likely seek out IT professionals well-versed in hardware and infrastructure, according to the report. Still, 59% of responding companies have no plans to make changes to their IT staff next year, while 5% will decrease their IT staff and 8% remain unsure of what will happen with IT staffing.

Categories: Cyber Risk News

National School for Cybersecurity Opens in Senegal

Wed, 11/07/2018 - 15:07
National School for Cybersecurity Opens in Senegal

The French minister for Europe and foreign affairs, Jean-Yves Le Drian, has taken a step toward fighting cybercrime in Senegal with the opening of a new cybersecurity school, according to France Diplomatie.

The school, set to begin training students in 2019, will serve as a best-practice hub in Africa. Reportedly the first of its kind in all of Africa, the National School of Cybersecurity is located in Dakar, where it is temporarily housed in Senegal’s National School of Public Administration. To provide security professionals of African states with enhanced capabilities to fight cybercrime and improve cooperation on security and defense between France and Africa, the school will train cybersecurity experts who currently hold high-level positions in the industry.

Offering primarily short trainings that will run over the course of days or weeks, the program will focus on legal and governance issues as well as information systems security and threat intelligence strategies. Specific to fighting cybercrime, the school has two tracks for diplomas in specialized digital investigations and digital tracing techniques.

The school is targeting executives and managers who already play an important role in digital security, and the trainings are designed to expose them to new skills. The academy also hopes to be able to expand the training programs to reach universities and civil society.

Alongside Senegal’s foreign minister, Sidiki Kaba, Le Drian participated in a ceremony celebrating the start of the school, which will play a significant role in helping other West African countries combat cybercrime for security services, judiciary and private enterprise, French officials told

The announcement coincided with the Dakar International Forum for Peace and Security, which took place on November 5 at the Centre International de Conference Abdou Dio, where Senegalese President Macky Sall said that African countries need to strengthen cybersecurity in the face of evolving threats, according to The Guardian.

“We’re all exposed, nobody is secure and each country is potentially under threat of terrorism,” President Sall reportedly said. “We’re ticklish when we talk of freedom online but the risks online are real. Cybercrime can become a weapon of mass destruction of communities and their values.”

Categories: Cyber Risk News

Enterprises Sinking Under 100+ Critical Flaws Per Day

Wed, 11/07/2018 - 11:45
Enterprises Sinking Under 100+ Critical Flaws Per Day

Enterprises are forced to deal with an estimated 100+ critical vulnerabilities each day, with Flash and Microsoft Office accounting for the majority of top app flaws, according to new research from Tenable.

The security vendor analyzed anonymized data from 900,000 vulnerability assessments across 2100 enterprises to compile its latest Vulnerability Intelligence Report.

It predicted that the industry is set to disclose 19,000 new vulnerabilities this year, up 27% from last year — although other estimates put the 2017 figure at nearly 20,000.

Other stats from the Tenable report highlighted the increasing challenge facing system administrators tasked with prioritizing patches.

It claimed that, on average, an enterprise finds 870 vulnerabilities per day across 960 assets, with 61% listed as high severity. Yet just 7% have public exploits available, making it difficult to know which of the remaining 93% to fix first, the firm argued.

That’s especially true when one considers that many hackers deliberately target older vulnerabilities that may have been forgotten about.

Out of the 20 application vulnerabilities affecting the largest number of enterprises, several came from 2015.

Half of that top 20 related to Adobe Flash bugs, followed by Microsoft Office at 20%, with the eight top web browser CVEs from Google and Microsoft impacting 20-30% of enterprises on a single day.

“When everything is urgent, triage fails. As an industry, we need to realize that effective reduction in cyber risk starts with effective prioritization of issues,” said Tom Parsons, senior director of product management, Tenable.

“To keep up with the current volume and velocity of new vulnerabilities, organizations need actionable insight into where their greatest exposures lie; otherwise, remediation is no more than a guessing game. This means organizations need to focus on vulnerabilities that are being actively exploited by threat actors rather than those that could only theoretically be used.”

Categories: Cyber Risk News

Elon Musk Bitcoin Scammers Hijack Verified Status Accounts

Wed, 11/07/2018 - 10:45
Elon Musk Bitcoin Scammers Hijack Verified Status Accounts

Scammers are back on Twitter impersonating their favorite celebrity, Elon Musk, in a bid to convince people to invest in their phony Bitcoin scheme.

This time, the scheme raises serious questions over how easy it is to hijack and alter verified accounts on the social network. In this case, two US lawmakers with verified status, Frank Pallone and Brenda Lawrence, reportedly had their accounts taken over, alongside corporate accounts such as those belonging to film production firm Pathe UK.

The scammers then changed the display name to ‘Elon Musk,’ using one non-standard character to avoid setting off any alarms at Twitter HQ.

The error-strewn tweet itself read: “I’m giving 10 000 Bitcoic (BTC) to all community! I left the post of director of Tesla, thank you all for your suppoot! I decided to make the biggest crypto-giveaway in the world, for all my readers who use Bitcoin. Participate in giveaway…”

A further message then asks users to send anywhere between 0.1 and 2 BTC to a payment address below to receive from 1 to 20 BTC in return.

One report suggested over 400 people had already sent virtual currency to the address, netting the scammers in the region of $180,000. However, others claimed that fraudsters in these situations typically fill their wallets with funds to make the ‘giveaway’ look more legitimate.

Either way, it raises more questions about Twitter’s ability to police fraud on its site.

While those who had their account hijacked could have largely prevented this by turning on two-factor authentication, the changing of verified status display names should have raised the alarm, according to experts.

"The nature of this scam brings to light some seemingly obvious issues with Twitter's verified account system. The thieves hacked verified accounts and switched the name to Elon Musk to get attention and credibility,” explained Comparitech privacy advocate, Paul Bischoff.

“If the purpose of the blue check mark is to assure a person's handle matches their real identity, then why is it possible to change a verified account's display name? Changing the name should immediately invalidate the verified status."

Reports in March claimed that Twitter was planning to ban most crypto-currency advertising in a bid to head off rising levels of fraud.

Categories: Cyber Risk News

HSBC Customer Accounts Breached in US

Wed, 11/07/2018 - 09:46
HSBC Customer Accounts Breached in US

HSBC has revealed that unauthorized third parties accessed some of its customers' accounts, in what appears to have been an incident confined to its US operations.

The UK lender explained in a customer message posted online by the California Attorney General's Office that the attacks lasted from October 4 to 14.

“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account. You may have received a call or email from us so we could help you change your online banking credentials and access your account,” it stated.

“The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.”

It’s believed that less than 1% of its US customers have been affected, but they’re not limited to Californians.

HSBC said it has “enhanced” its authentication process, presumably to include some form of multi-factor log-in.

Experts agreed the hackers most likely used credential stuffing techniques to force their way into user accounts with previously breached log-ins, rather than effecting a more sophisticated central breach of HSBC’s IT systems.

“Consumers need to increase their vigilance. Reused passwords lost in one breach then become a free ticket to your other accounts,” warned Arxan Technologies VP, Rusty Carter.

“Consumers should employ unique passwords for every site and service they use and change them at least once a year, unless there’s a breach then of course sooner. Secure, paid service or locally run password managers make this easier in many cases than using a password you’ll remember.”

Jarrod Overson, director of engineering at Shape Security, said his firm sees over 232 million account takeover attempts at global financial institutions each day.

“Credential stuffing attacks against banks typically result in about one account takeover per 2,000 attempts, which sounds small but adds up to thousands of accounts over the course of a multi-day or multi-week attack,” he continued. “The damage doesn't stop there — the impact can easily extend to many other services including online retailers, gaming providers, airlines, and other financial institutions."

Categories: Cyber Risk News

Symantec Acquires Appthority and Javelin Networks

Tue, 11/06/2018 - 14:07
Symantec Acquires Appthority and Javelin Networks

On November 5, Symantec announced that it acquired Appthority and Javelin Networks in an effort to enhance its endpoint security solutions, adding key technology integrations to Symantec’s Integrated Cyber Defense Platform.

Through its acquisition of Appthority, Symantec will enable its customers to analyze mobile apps and identify malicious behaviors and vulnerabilities. Building Appthority’s technology into Symantec endpoint protection mobile will augment its ability to deliver a broad spectrum of protections for modern endpoints and operating systems.

“Mobile apps are a critical threat vector that every company must address to protect their enterprise security,” said Adi Sharabani, SVP, modern OS security, in a press release. “The Appthority technology extends SEP Mobile’s capabilities in limiting unwanted app behaviors, supporting regulatory compliance and assessing vulnerabilities.”

“Mobile users increase the enterprise attack surface with each app they install. This acquisition unites Appthority with Symantec’s comprehensive endpoint security portfolio, which is the first solution on the market that can protect all traditional and modern endpoints and now apps,” said Domingo J. Guerra, Appthority co-founder.

“Armed with Symantec’s industry-leading security research and tools, SEP Mobile integrated with Appthority technology is expected to deliver the most comprehensive Mobile Threat Defense solution, with enhanced app analysis capabilities, both in real time and on-demand,” added Anne Bonaparte, Appthority CEO.

Javelin Networks, a privately held company founded by red team post-exploitation experts, protects enterprises against active directory-based attacks. Effective November 5, the Javelin Networks team became part of Symantec’s endpoint security business.

“In the cloud generation, identity management services, such as Active Directory, are a critical part of a user’s interaction with their organization’s applications and services. They are also a critical information repository that attackers regularly exploit,” said Javed Hasan, senior vice president of endpoint and data center products, Symantec.

“The addition of Javelin Networks technology to our industry-leading endpoint security portfolio gives Symantec customers a unique advantage in one of the most vulnerable and critical areas of IT infrastructure. Most importantly, it can help expose exploitable backdoors in AD and stop attacks at the point of breach while preventing lateral movement.”

Categories: Cyber Risk News

Side-Channel Vulnerability PortSmash Steals Keys

Tue, 11/06/2018 - 13:28
Side-Channel Vulnerability PortSmash Steals Keys

Researchers have found that Intel processors are being impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes.

The new side-channel vulnerability, called PortSmash, was discovered by researchers Billy Bob Brumley, Cesar Pereida García, Sohaib ul Hassan and Nicola Tuveri from the Tampere University of Technology in Finland and Alejandro Cabrera Aldaya from the Universidad Tecnológica de la Habana.

According to the proof of concept, the only prerequisite to exploit the vulnerability, identified as CVE-2018-5407, is a CPU featuring simultaneous multithreading (SMT), such as Intel’s hyper-threading. An attacker uses a timing attack to steal information from other processes running in the same CPU core with hyper-threading.

Because it is a local attack, in order to steal the private decryption keys, the attacker and victim must be running on the same physical core, such as an OpenSSL.

“News of a side-channel vulnerability should be very concerning for security and IT professionals alike,” said Justin Jett, director of audit and compliance for Plixer. “Malicious actors can take these newly generated keys and decrypt any conversation that would otherwise have been protected by the key.

“Additionally, because the malware writer is already on the machine, they have a better understanding of where these keys may be used (for example, were the keys then moved to a specific folder that is being used by an application installed on the machine).”

Similar to other processor vulnerabilities, like Meltdown and Spectre, PortSmash is a reminder that we have to rotate the keys and certificates that serve as machine identities, much more frequently than we do, according to Kevin Bocek, VP of security strategy and threat intelligence at Venafi.

“Our machine identities are kept around for years, and it’s crazy to think machine that they won’t be attacked. This is especially true a cloud and microservices environments, where these kinds of vulnerabilities are most dangerous.

“Security and IT teams know we have to change passwords regularly and why. But we haven’t applied the same logic to machine identities, even though they provide even higher levels of access than most passwords. The reality is that most keys and certificates aren’t changed often, and a surprising number are never changed. These are the machine identities that are most at risk from PortSmash.”

Categories: Cyber Risk News

SCOTUS Refuses to Hear Appeal of Net Neutrality

Tue, 11/06/2018 - 12:44
SCOTUS Refuses to Hear Appeal of Net Neutrality

With no explanation, the Supreme Court declined to hear an appeal of the net neutrality case, according to The Hill.  Justice Kavanaugh and Chief Justice John Roberts recused themselves from the vote. 

In opting not to hear the case, SCOTUS leaves in place the existing high court ruling that the FCC has the authority to regulate broadband like a public utility, which supporters of the 2015 Net Neutrality regulations, established by the Obama administration, saw as a win.

The appeal came from USTelecom, a trade group that represents internet service providers (ISPs). In conjunction with the Trump administration, USTelecom requested that the ruling from the US Court of Appeals for the District of Columbia Circuit be overturned on the basis that the Federal Communications Commission has no congressional authority to impose common-carrier obligations on broadband internet access service, The Hill said.

As a result of the existing high court ruling, ISPs cannot block or throttle web content, nor can they create fast lanes for pay.

"We’re grateful that a majority of the justices saw through the flimsy arguments made by AT&T and Comcast lobbyists," said Matt Wood, the policy director at Free Press, in a statement. "The ISPs went all out to push FCC Chairman Ajit Pai to repeal the agency’s net neutrality rules – and then ran to the Supreme Court looking for a do-over on earlier cases that rightly upheld those rules. There was absolutely no reason for the Supreme Court to take this case, and today’s denial puts to bed the chances of upending the correct appellate-court decisions."

Despite the Supreme Court decision to not hear the case, Republicans remain hopeful that the FCC’s vote last December to repeal net neutrality rules will be upheld, though that decision is being challenged before the DC Circuit.

At issue is which body has the power to determine broadband as an information service. Jonathan Spalter, CEO of USTelecom, and other supporters of the Restoring Internet Freedom order, which negated net neutrality, believe broadband is an information service.

"[The Restoring Internet Freedom order] remains the law of the land and is essential to an open internet that protects consumers and advances innovation," Spalter reported said in a statement.

Categories: Cyber Risk News

Fake Telegram Apps Used to Spy on Iranian Users

Tue, 11/06/2018 - 12:04
Fake Telegram Apps Used to Spy on Iranian Users

Security researchers have uncovered several Iranian state-sponsored campaigns which they suspect are used to spy on domestic users of the banned Telegram and Instagram apps.

Cisco Talos explained that the campaigns “vary in complexity, resource needs and methods” but use three main vectors: fake apps, phishing pages, and BGP hijacking.

The apps capitalize on a latent demand for Telegram and Instagram apps given they are banned in the Islamic Republic. Telegram is estimated to have as many as 40 million users in the country and has been used in the past to organize popular protests against the authoritarian government.

“Once installed, some of these Telegram ‘clones’ have access to mobile devices' full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to back-end servers, which allows the attacker to take full control of the account in use,” Cisco explained.

However, the apps are only classified as greyware or PUPs, because they do still carry out legitimate functions such as sending messages. This makes it more difficult for researchers to detect them.

“We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps,” said Cisco. “Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.”

Also discovered were classic phishing attacks spoofing Telegram log-in pages with domains which Cisco linked to the state-sponsored Charming Kitten group.

Finally, the researchers observed BGP hijacking activity involving an Iranian telco, which could have been used to compromise communications. Cisco branded it “a deliberate act targeting Telegram-based services in the region.”

The firm stopped short of providing a solid link between the three attack types aside from their focus on Telegram, and admitted they could be used by any malicious actor, state-sponsored or not.

However, given the history of how the app is used in the repressive state, and the link to Charming Kitten, it would be understandable to assume Tehran has a hand in them.

Categories: Cyber Risk News

UK Government Warns Telcos of 5G Security Review

Tue, 11/06/2018 - 11:02
UK Government Warns Telcos of 5G Security Review

The UK government has reminded 5G network providers to ensure their suppliers are heavily vetted for security, in what could signal a change of approach to a major Chinese telecoms player.

The 5G supply chain of several UK telecoms firms may be impacted by a review of the UK’s infrastructure launched in July, according to a letter penned to the firms by DCMS head of digital, Matthew Gould, and National Cyber Security Centre (NCSC) boss, Ciaran Martin.

Although Huawei was not named, the letter stated that the “outcome of the review may lead to changes in the current rules,” according to the FT.

That could be bad news for the Shenzhen giant, which has already been blocked from competition in 5G by the US and Australian governments on national security fears.

Those fears were further stoked by a report in The Australian over the weekend citing a national security source that claimed Huawei staff helped Chinese intelligence “get access codes to infiltrate a foreign network.” It’s a story the telecoms kit maker has strenuously denied.

Even before this, there were signs of a changing relationship with Huawei in the UK, which has historically been more friendly to the firm.

In July, the Huawei Cyber Security Evaluation Centre (HCSEC), overseen by GCHQ, highlighted significant shortcomings in the firm’s processes that “exposed new risks in UK telecoms networks.”

The report concluded that the HCSEC has “only limited assurance” that Huawei equipment poses no threat to national security.

BT and Three are both said to be working with Huawei on 5G networks.

The move comes as new data reveals the effect of growing US-China tensions on Huawei’s Shenzhen rival ZTE.

The number of ZTE smartphones on prepaid operator shelves fell 48% from June 2018 to September 2018 as carriers backed away from the firm following political pressure, according to GlobalData.

Washington banned US suppliers from selling to it, after it broke an agreement not to sell handsets to Iran and then lied about it.

ZTE has already been labelled a national security risk by GCHQ.

Categories: Cyber Risk News

National Guard on Standby for Midterm Election Day

Tue, 11/06/2018 - 10:28
National Guard on Standby for Midterm Election Day

Cyber units from the National Guard have been supporting several states in the run up to the mid-term elections and are standing by in the event of any incident today, according to reports.

Wisconsin, Washington and Illinois have been confirmed as using the reserves to help improve cyber resilience, but there are likely to be more states doing the same.

In the north-west, the Washington Air National Guard has been supporting the state's Office of the Secretary of State in what has been dubbed a “great partnership” of “outstanding cooperation” by Kenneth Borchers, commander of the 252nd Cyberspace Operation Group, according to Guard News.

The initiative began with a two-week assessment of the relevant IT networks, followed by a similar time frame devoted to making system improvements, and finally a search for any deeper problems.

"We call it the hunt mission. Now that we have situational awareness, we've secured terrain, we're going to do a deep dive and see what we can find,” said Thomas Pries, commander of the 262nd Cyberspace Operations Squadron.

On Friday it was revealed that Wisconsin National Guard cyber-response teams had been put on standby by the governor Scott Walker to assist if any serious incidents arise on election day.

As part-timers, National Guard troops have jobs outside of their role with the reserve military, which means cybersecurity skill levels can sometimes be higher than in parts of the regular forces.

In fact, lawmakers introduced a bipartisan bill last year designed to give the Department of Defense greater visibility into cybersecurity skills capabilities in the National Guard, in case it needs to draw upon this reserve in times of crisis.

“Our National Guard is uniquely positioned to recruit and retain some of our best cyber warriors, and this bill would help make sure that our military is taking advantage of this extraordinary talent,” said report co-sponsor, senator Kirsten Gillibrand, at the time.

Categories: Cyber Risk News

Veracode Acquired by Thoma Bravo and Splits from CA After Broadcom Deal

Mon, 11/05/2018 - 17:09
Veracode Acquired by Thoma Bravo and Splits from CA After Broadcom Deal

Private equity investment firm Thoma Bravo has agreed to acquire Veracode for $950 million, on the same day that its parent CA Technologies were acquired by Broadcom for a reported $18.9 billion.

Veracode were acquired by CA Technologies in March 2017 for $614m. Today’s Thoma Bravo announcement is expected to close in Q4 of 2018.

“In today’s digital economy practically every company is turning into a software company through their own digital transformation,” said Chip Virnig, a partner at Thoma Bravo.

“As these companies continue to build complex applications, many of which contain sensitive data, the applications themselves increasingly become the target of more sophisticated and omnipresent cyber-attacks. As such, applications need to be built with security in mind day one, and we see a significant, growing market opportunity for Veracode’s product offerings.”

Broadcom is a designer, developer and supplier of products based on analog and digital semi-conductor technologies. The acquisition will see CA Technologies operate as a wholly owned subsidiary of Broadcom.

Sam King, current senior vice president and general manager of Veracode, will become the CEO of Veracode following the close of the transaction. She said that partnering with Thoma Bravo, a proven security software investor, is expected to extend its market reach “and further fuel our innovation so that we can offer the broadest software security platform and empower us to accelerate growth — all to allow us to transform the way companies achieve their software security goals.”

The announcement follow’s last month’s announcement that Thoma Bravo had acquired Imperva for around $2.1 billion.

“As long-term investors in cybersecurity software, we are impressed with the speed and quality of innovation at Veracode,” said Seth Boro, a managing partner at Thoma Bravo.

Categories: Cyber Risk News

Magecart Strikes Again, and Kitronik Is Latest Victim

Mon, 11/05/2018 - 16:08
Magecart Strikes Again, and Kitronik Is Latest Victim

Magecart, the payment-card–skimming malware, has taken another victim, Kitronik, a leading supplier of electronic project kits in the UK. According to recent news from The Register, the company was the latest victim of Magecart’s global payment-card–skimming malware.

Kitronik suffered a data breach that may have exposed names, email addresses, card numbers, expiry dates, CVV security codes and postal addresses. The Register reported having seen an email written by Geoff Hampson, resident electronics expert for Kitronik, in which he told customers that the malware had been discovered.

"Anyone that has followed the news in recent months will be aware of the malicious software ‘Magecart’ that has been recording customer’s key presses on such high profile websites as British Airways and Ticketmaster. The malicious software records key presses at the checkout stage, to capture sensitive details. From some point early in August until mid-September the same malicious software has been present on the Kitronik website," Hampson wrote.

It is believed that the details were swiped at the checkout stage, and Hampson added that customer accounts established prior to August would not have been impacted, though he was not able to confirm how many customers might have been affected.  

“Payment-card–skimming malware continues to be a security challenge for retailers around the globe,” said Rich Campagna, CMO, Bitglass. “British Airways, Newegg, and now Kitronik have all been victims of Magecart’s malware, highlighting the need for security solutions which monitor for vulnerabilities and threats, across all devices and applications, in real time.

With these capabilities, retailers can be proactive in detecting and thwarting breaches before they happen, ensuring that their customers’ sensitive information is protected.”

Magecart is a known malware that has proven successful in attacking other major companies very recently, and Kitronik had protections in place to monitor fraud. In his email to customers, Hampson noted, “Although we have a mechanism in place to alert us if the code on the website changes, this attack was very sophisticated and bypassed that code by making changes to the website database.”

Categories: Cyber Risk News

Stolen Data Valued at Less Than $50 on Dark Web

Mon, 11/05/2018 - 15:43
Stolen Data Valued at Less Than $50 on Dark Web

Cyber-criminals could sell someone’s complete digital life – including social media accounts, banking details, app data, gaming accounts and even remote access to servers or desktops – for less than $50 on the dark web, according to a new study from Kaspersky Lab.

The research is based on an investigation of dark web markets, revealing that the price paid for a single breached account is even lower – at about $1 each. Many criminals sell accounts in bulk and some even offer a “lifetime warranty,” so if an account a buyer has purchased stops working, they receive a new one for free.

Although the resale value of stolen data is low, cyber-criminals can still use it in many ways, from stealing money to committing crimes under the disguise of someone else’s identity.

What started as an inquiry into how much our lives are worth, David Jacoby, senior security researcher at Kaspersky Lab, set out to understand the dollar value placed on our stolen data. Jacoby not only considered our personal possessions but also factored in the private information we share on social media, our medical history and even aspects of our childhood. The research found that our identities can be stolen for mere pittance.

In largely rudimentary but effective attacks, hackers are stealing data from popular services like Uber, Netflix and Spotify.

Credit: Kaspersky Lab

In one dark web forum, Jacoby found a Swedish passport for sale to the tune of $4000, and the vendor was reportedly offering up passports for almost every country in Europe. Even utility bills and fake invoices were up for grabs.

“It is clear that data hacking is a major threat to us all at both an individual and societal level, because stolen data can be used for many nefarious activities,” said Jacoby in a press release.

“Fortunately, there are steps that we can take to prevent this, such as using cybersecurity software and being aware of how much data we are giving away for free – particularly on publicly available social media profiles.”

Categories: Cyber Risk News

Kemp Investigates Dems, Not the Reported Vulnerability

Mon, 11/05/2018 - 14:58
Kemp Investigates Dems, Not the Reported Vulnerability

When a registered voter in the state of Georgia discovered a major vulnerability in the state’s My Voter Page, he brought it directly to the attention of lawyer David Cross, partner at Morrison & Foerster, who represented the Curling plaintiffs in the recent Georgia election security lawsuit. Cross said he alerted the FBI and Georgia Secretary of State Brian Kemp and his legal team.

What has ensued since then, according to Cross, is not an investigation into the vulnerabilities that threaten voter integrity or an effort to contact the reporting voter whose information was provided.

“From everything we’ve seen, instead of investigate, Kemp decided to politicize the issue and claim hacking by the Democratic Party,” Cross said, adding that the voter who brought the vulnerability to his attention is not affiliated with the Democratic Party.

The registered voter, whose name was not disclosed, went onto Georgia’s My Voter Page to look up his own information, said Cross. When he tried to update his information, he realized he was able to pull his information back but the system never confirmed that it was being pulled back.

“When he looked at the query, he noticed that he could potentially pull back any information just by changing the voter identification number. He didn’t confirm that,” said Cross, but brought the information to Morrison & Foerster, who brought it to the FBI and Kemp.

“We expected they would investigate, but as of this morning, the vulnerability is still there and they still had not contacted this voter. That’s the starting point for any investigation, but they are not doing that,” Cross said.

While Kemp has launched an investigation into the Democratic Party, alleging that it attempted to hack the voter system, the reported vulnerabilities remain unfixed, which Cross said is the real issue.

“Georgia voters need to check their voter registration information before tomorrow because right now there are potentially thousands of voters who could show up to vote tomorrow and not be able to because their information has been changed,” Cross said.

On Sunday’s State of the Union with Jake Tapper, Stacey Abrams, Democratic candidate for governor in Georgia, said of Kemp’s allegations, “This is a desperate attempt on the part of my opponent to distract people from the fact that two different federal judges found him derelict of his duties and have forced him to allow absentee ballots to be counted and those who are being held captive by the exact map system to be allowed to vote.

“He is desperate to turn the conversation away from his failures, from his refusal to honor his commitments and from the fact that he is part of a nationwide system of voter suppression that will not work in this election.”

Categories: Cyber Risk News

Equifax Set to Share More PII with Experian

Mon, 11/05/2018 - 11:52
Equifax Set to Share More PII with Experian

Under-fire credit agency Equifax has turned to competitor Experian to extend credit monitoring to customers affected by a major breach in 2017, although this will mean sharing even more information with the third-party unless they opt-out.

The news came in an email Equifax is sending those who enrolled on its TrustedID Premier service following the catastrophic breach of 148 million users last year.

The firm is now offering a further year of credit monitoring via Experian’s IDnotify service.

Experian is already using Equifax customers’ names, addresses, dates of birth and Social Security numbers in order to provide file monitoring as part of TrustedID Premier. However, the new deal will involve the company also getting hold of their phone numbers and email addresses, unless they opt-out.

“Experian will only use the information Equifax is sharing to confirm your identity and securely enroll you in the Experian product, and will not use it for marketing or solicitation,” the note reads, according to Krebs on Security.

However, some may feel uneasy about sharing yet more information with a third-party — especially one which itself has suffered a major data breach in the past. Around 15 million US consumers had their details exposed in a 2015 incident.

Paul Bischoff, privacy advocate with Comparitech, argued that the decision to share this contact info “mainly serves the credit bureaus and not breach victims.”

“Without consent, Equifax unilaterally made a decision to share contact info of people who signed up for its TrustedID program — many of whom registered out of fear of consequences from Equifax's own catastrophe,” he added. “If TrustedID users take no action, their personal information is shared with a third party and they receive no benefit. Users must either affirmatively opt-out of the data sharing or enroll in Experian's similar credit monitoring program, IDnotify.”

What’s more, credit monitoring will not help those affected by the Equifax breach prevent identity theft taking place. Instead, it only notifies once a fraudster has already stolen one’s identity, according to experts.

“A better solution would be to put a credit freeze on your credit report, but doing so cuts into the credit bureaus' bottom lines,” said Bischoff. “A credit freeze blocks creditors from viewing your credit report, a service that creditors pay credit bureaus for.”

Categories: Cyber Risk News

Dozens of Spies Killed Thanks to Flawed CIA Comms

Mon, 11/05/2018 - 10:52
Dozens of Spies Killed Thanks to Flawed CIA Comms

A flawed online communications system developed by the CIA was exposed to Google’s web crawlers, ultimately leading to the execution of dozens of spies, according to a new report.

The unnamed platform was cracked by Iranian intelligence after a tip-off by a double agent revealed the website they used to communicate with their CIA handlers. Google searches allowed them to locate other secret CIA websites and, from there, start to pick apart the entire spy network, according to Yahoo News.

This all started in 2009 after Tehran went looking for US moles following the announcement by the Obama administration of the discovery of a secret underground enrichment facility.

However, the impact was felt globally, most probably after Iran shared its intelligence with China, a move which ultimately led to an estimated 30 CIA spies being executed by Beijing and the collapse of its network there.

This “catastrophic” chain of events led to 70% of the CIA’s spy network potentially exposed to compromise at one point between 2009-13, according to the report.

The after-effects are apparently still being felt today.

The problem stemmed from over-confidence among US officials in the use of the platform in hostile states like Iran and China where rigorous state monitoring makes it difficult to communicate in secret.

“It was never meant to be used long term for people to talk to sources,” said one former official. “The issue was that it was working well for too long, with too many people. But it was an elementary system.”

Another issue highlighted by the report was the lack of accountability for the failure in the intelligence services, and the sacking of a whistleblower who first brought the problem out into the open back in 2011.

“Our biggest insider threat is our own institution,” remarked a former official.

Categories: Cyber Risk News

Over 80,000 Facebook User Accounts Compromised

Mon, 11/05/2018 - 10:11
Over 80,000 Facebook User Accounts Compromised

Malicious browser extensions could be behind a compromise of at least 81,000 Facebook accounts which were put up for sale on the dark web, according to reports.

Those behind the attack told the BBC Russian Service that they had access to 120 million accounts, although this has been branded “unlikely” by Digital Shadows, whose researchers were called in to investigate.

In fact, the seller, “FBSaler,” provided a total dataset to reporters of around 257,000 profiles. Just 81,000 are certain to have been compromised, as private messages were included. The remaining 176,000 may have simply had profile information like names, addresses, contact numbers, and interests taken because accounts were left wide open by users.

The accounts are not thought to be linked to the Cambridge Analytica scandal, or the more recent breach of 30 million accounts which occurred after attackers obtained access tokens.

“The method used to obtain the accounts remains unconfirmed, though Facebook believe malicious browser extensions could have been used. Facebook have still not been definitive about this, though it said it had contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores,” said Digital Shadows.

“A rogue survey application as used by Kogan is known to have worked in the past; however, account takeovers achieved through credential harvesters, for example, are also a possibility. While a variety of separate breaches may have been used to compile the dataset, it is more likely a single approach was used given the consistency of the data in the dump.”

The largest number of profiles (30%) are Ukrainian, followed by Russia (9%), although users from the US, UK and Brazil are also said to be represented.

“Regardless of attribution, motives and the method of collection, the exposure of private messages where people share information they would not usually post publicly on their Facebook feeds is a potentially worrying development,” the firm warned. “Sensitive information may be used for extortion of identity fraud, while it’s not unheard of for individuals to share financial information such as banking details over private messages.”

The accounts were originally for sale for around $0.10 each on the BlackHat SEO forum, although the report claimed the advert has since been taken down, according to the BBC.

Categories: Cyber Risk News