Info Security


US Police Unlock iPhones with Fingerprints of Deceased

Fri, 03/23/2018 - 12:14

According to a report by Forbes, separate sources close to local and federal police investigations in New York and Ohio said it is now relatively common for the fingerprints of the deceased to be pressed against the scanner of Apple iPhone devices, which have been wrapped in increasingly powerful encryption over recent years.

The article highlights that “once a person is deceased, they no longer have a privacy interest in their dead body.” This means that while some might consider it unethical, it is legal for the police to use this technique to gather evidence.

For instance, the technique has been used in overdose cases, said one source. In such instances, the victim's phone could contain information leading directly to the dealer.

Forbes also reported that the police are now looking at how they could use Apple’s Face ID facial recognition technology, which was introduced on the iPhone X.

Marc Rogers, researcher and head of information security at Cloudflare, told Forbes he'd been poking at Face ID in recent months and had discovered it didn't appear to require the visage of a living person to work. Whilst Face ID is supposed to use your attention in combination with natural eye movement, so fake or non-moving eyes can't unlock devices, Rogers found that the tech can be fooled simply using photos of open eyes. That was something also verified by Vietnamese researchers when they claimed to have bypassed Face ID with specially-created masks in November 2017, said Rogers.

Categories: Cyber Risk News

Breaches Missed, Companies Don't Know What They're Looking For

Fri, 03/23/2018 - 11:01

Less than half of IT professionals (48%) would be fully confident knowing a breach had even happened, meaning that more could have taken place without their knowledge.

That's according to the Unknown Network Survey, undertaken in the UK, France, Germany and the US by Balabit, which suggested this deficiency could result in over a quarter of companies being breached in the next six months. 

The research also demonstrates that businesses believe that technology struggles to keep up with security threats (73%), even though the majority think it’s effective. 

“Attacks are becoming more and more sophisticated and every organization is at risk," said Csaba Krasznay, security evangelist, Balabit. “Security is no longer about simply keeping the bad guys out. Security teams must continuously monitor what their own users are doing with their access rights, as part of a comprehensive and cohesive security strategy.

“What’s really alarming, though, is that the majority of businesses know very little about the nature of the security breaches that are happening to them. Many even admit that a security breach could quite feasibly go unnoticed. That’s how loose a grip we’ve got on them, or how little we really understand them. We know about breaches, sure – but we really don’t know enough.”

The report also confirms that senior IT professionals believe that insider data breaches are the biggest threat when it comes to network security, with 80% also stating that educating employees would be the key to securing the network. 

However, Mike Turner, COO of Capgemini's cybersecurity global service line, believed organizations are purely focusing on employee education and not looking at other security weaknesses in the business.

“Companies are relying on user behavior and that's not enough – they need to fall back on a multi-layered approach that focuses on the other elements of the defense.”

Categories: Cyber Risk News

Atlanta City Ransomware Puts Personal Data at Risk

Fri, 03/23/2018 - 10:26

The City of Atlanta’s computer network has suffered a ransomware attack, according to officials. Mayor Keisha Lance Bottoms urged city employees and the public to monitor their bank accounts and to take proactive steps to protect their personal data.

According to a report by Associated Press, City officials learned there was an outage affecting various internal and customer-facing applications at 5:40 am. The outage, which included the encryption of some city data, did not affect the public safety department, water department or Hartsfield-Jackson Atlanta International Airport. 

However, applications that people use to pay bills or access court information were affected. COO Richard Cox said: “that investigation will determine whether any personal information has been compromised.”

The city is working with federal agencies, including the FBI and the Department of Homeland Security, as well as private sector partners, to determine the cause of the outage and to fix the problem. When asked if the city would pay a ransom to resolve the issue, Bottoms said the city would seek guidance from federal authorities on the best course of action.

WXIA, the city’s NBC affiliate, reported that a screenshot indicated the ransomware was demanding $6,800 in bitcoin per computer or $51,000 to “unlock the entire system.”

Yesterday, Symantec’s Annual Threat Report showed that values in ransomware were decreasing.

However, Charles Radcliffe, former head of technology at Deutsche Bank Innovation Labs, said he believed it’s too soon to tell whether ransomware is on its way out: "While it's too early to say whether ransomware has had its day, what is clear is that 2017 was the high-water mark so far for such attacks, and high-profile and widespread vulnerabilities such as that caused by WannaCry on the NHS have led to infosec being top of the agenda for CIOs worldwide.”

According to the City of Atlanta’s Outage Alert, its team is working diligently with support from Microsoft to resolve the issue. An article by Microsoft details that “it provides the city with Azure and Azure Government cloud platforms, Power BI data analytics and other MS technologies.” 

Categories: Cyber Risk News

#CSE18: Combining PCI into a GDPR Program

Fri, 03/23/2018 - 09:46

Speaking at Cloud Security Expo 2018 this week, Rehan Zaidi, business information security officer at John Lewis, presented a session on how to draw synergies between existing payment card industry (PCI) standards and the forthcoming GDPR to deliver a more holistic information security and privacy framework.

Zaidi said that there are five ‘Ws’ that surround GDPR, which are: what, when, why, where and how – but the most challenging to approach is the last: the how.

“We decided early on that we would try to utilize synergies that we had developed in terms of delivering PCI and cybersecurity policies across John Lewis to put us on a strong footing for GDPR,” he added.

Zaidi said by applying the following synergies to its GDPR preparedness John Lewis was able to achieve several compliance benefits:

  • Payment card data is personal data
  • Combining the prioritized approach for personal data
  • Identifying payment card data in the privacy by design requirement of GDPR
  • Data recovery and gap analysis combining all data needs in a questionnaire, interviews or tools
  • Delivering the requirements through information security frameworks and policies
  • Building on and incorporating training and awareness programs
  • Logging and auditing system alignment
  • Maintaining information security policy

“Security and privacy is everybody’s responsibility within an organization,” Zaidi concluded, “and the aim is to achieve an overarching data security and privacy framework that subsumes your GDPR and PCI DSS programs within it.”

Categories: Cyber Risk News

DPO-as-a-Service Options Pop Up as GDPR Deadline Looms

Thu, 03/22/2018 - 16:58

The 25 May deadline for compliance with the EU General Data Protection Regulation (GDPR) is looming large, and many businesses aren’t yet prepared, including for the requirement of implementing a data protection officer (DPO). However, as-a-service options could be a new cottage industry springing up to fill the need.

To that end, ThinkMarble has launched its Virtual Data Protection Officer (VDPO) service, allowing UK businesses to tap an outsourced team of cybersecurity and risk mitigation lawyers that can act as their DPO under the GDPR. The lawyers will work alongside ThinkMarble’s multi-disciplinary team of security analysts, incident responders and penetration testers to provide a bespoke service to each business to help with compliance with UK and EU data protection laws. 

For public bodies and many private businesses, appointing a DPO is a mandatory requirement under the GDPR regardless of the size of the organization or the resources it has. DPO-as-a-service models can thus benefit smaller businesses that may balk at the need to recruit expensive, full-time, in-house compliance staff.

ThinkMarble’s VDPO service will offer companies access to a team of data protection legal and risk specialists who will act as trusted advisers, liaise with the Information Commissioner's Office (ICO) and make sure they comply with legal and contractual data security obligations. They will also act as the main contact point for data subjects, such as employees and customers, and help raise awareness and train staff on the importance of data protection. Another important function is to provide regular, comprehensive reports that advise on appropriate data security measures and risk mitigation at board and management level.

“The role of the DPO is at the heart of this new legal framework and will be an integral cog in any company’s ability to prove that they are not only compliant with the new regulation but also...demonstrating the highest level of accountability should a breach occur,” said Robert Wassall, data protection lawyer and head of legal services at ThinkMarble. “A DPO should be appointed based on their knowledge and expertise in the field of data protection. They must be independent, credible and show integrity – this is difficult for a current employee, whether they are the head of IT or at director level, as this will represent a conflict of interest. Equally, you cannot expect to send an employee on one of the many advertised EU GDPR short courses and expect them to come away as an expert in data protection and law.”

Categories: Cyber Risk News

Cyber-Terrorism Set to Be Top Threat by 2020

Thu, 03/22/2018 - 16:49

Nation-state–led cyber-terrorism will be a top threat by 2020 – and every organization should prepare.

That’s the word from the Information Security Forum (ISF)’s latest Threat Horizon 2020 report, which postulates that terrorist groups, organized criminals, hacktivists and hackers will work in various collaborations and configurations to increasingly weaponize the cyber-domain, launching attacks on critical national infrastructure that cause widespread destruction and chaos. Further, their activities will take no account of land borders or legislation.

With power, communications and logistics systems down, organisations will lose the basic building blocks needed for doing business; heating, air conditioning, lighting, transport, information, communication and a safe working environment will no longer be taken for granted.

“Over the next two years, business leaders will face regular and complex decisions about protecting their critical information and systems. Existing solutions that have been relied upon for years will be exposed as inadequate,” said Steve Durbin, managing director, ISF. “Only organizations that understand this rapidly changing and complex environment will remain firm and unshakable. Those that are unprepared and incapable of responding quickly will crumble as they defend against an onslaught of potent, day-to-day cyber-attacks.”

Aside from the doomsday-like prediction, the report also predicts that technology will outpace controls. Capabilities that seemed impossible only a short time ago will develop extremely quickly, aiding those who see them coming and hindering those who don’t. Developments in smart technology will create new possibilities for organizations of all kinds – but they will also create opportunities for attackers and adversaries by reducing the effectiveness of existing controls. Previously well-protected information will become vulnerable.

Also, according to the ISF, pressure will skew judgement. Existing controls and methods of managing information risk will be put under severe stress by an avalanche of new technologies, regulations and pressures on employees. Organizations that have a good record of securing information will be at risk of complacency, judging that the way they have always done things will continue to work in the future – a dangerous attitude to take.

“Over the coming years, the very foundations of today’s digital world will shake – violently,” Durbin said. “Innovative and determined attackers, along with seismic changes to the way organizations conduct their operations, will combine to threaten even the strongest establishments. Only those with robust preparations will stand tall.”

Categories: Cyber Risk News

IT Faces Challenges with Firewalls in the Cloud

Thu, 03/22/2018 - 16:24

The cloud is redefining the role of the firewall, and an overwhelming 83% of IT professionals in a recent survey have concerns about deploying traditional firewalls in nontraditional topographies.

According to Barracuda Networks’ Firewalls and the Cloud survey of 600 global IT professionals, challenges include pricing and licensing not being appropriate for the cloud (39%) and a lack of integration that prevents cloud automation (34%).

Still, respondents found value in cloud-specific security capabilities. Three-quarters (74%) of respondents cited integration with cloud management, monitoring and automation capabilities as the most beneficial aspect of firewalls, and 59% cited “easy to deploy and configure by cloud developers” as the second most beneficial capability.

Meanwhile, the report uncovered that DevOps teams also benefit from security automation. Of the organizations that have adopted DevOps, DevSecOps or continuous integration and continuous deployment, 93% have faced challenges integrating security into those practices.

“A few points really stand out based on the information presented from this survey,” said Tim Jefferson, VP of public cloud, Barracuda. “We’re continuing to see questions and concerns around how organizations should be approaching security with their cloud deployments, especially from larger companies. There are a number of reasons for this, but for organizations that are used to operating under traditional data center architecture, moving to the cloud will require a new way of thinking when they approach security. Using security tools specifically designed for the public cloud can actually make a business more secure than they were when they operated purely on-premises.” 

Categories: Cyber Risk News

Windows 10 "Almost Twice as Safe as Windows 7"

Thu, 03/22/2018 - 12:16

Consumers are adopting Windows 10 quicker than enterprises, who still rely on Windows 7.

According to Webroot's latest Annual Threat Report, almost all the devices that fell victim to the WannaCry ransomware attack were running Windows 7, and the attack alone is estimated to have caused $4 billion in losses to businesses. 

In January 2017, only 20% of observed business computers were running Windows 10; that figure climbed to 32% by the year-end. In contrast, Windows 7 was running on 62% of the systems in January, but had dropped to 54% share by the end of the year. Windows 8 was at 4% in December 2017, down from 5% in January, while Windows Vista (1%) and XP (<1%) both represented minuscule percentages at the end of 2017.

However, "home user" migration to Windows 10 was a lot quicker. By December 2017, almost 72% of home user devices had migrated to Windows 10, up from 65% in January while Windows 7 dropped from 17% in January to 15% in December, and Windows 8 fell from 14% to 11%.

However, the report also found that organizations’ users who deploy not only corporate-owned devices but also their personal smartphones, tablets, etc., are subject to a much higher occurrence of malware per device (0.55 infections per device on average over the year) than business-owned or managed devices (0.42 infections). Even organizations with strong BYOD policies were often unaware of the precise security status of a user-owned device. 

Webroot said: "While Windows 10 won’t solve all security woes, it’s a step in the right direction. Combined with advanced endpoint protection that uses behavioral analysis and machine learning, adopting Windows 10 can greatly reduce enterprises’ vulnerability to cyber-attacks."

Categories: Cyber Risk News

Fresh Cambridge Analytica Revelations on Election Hacking, Facebook Faces FTC Investigation

Thu, 03/22/2018 - 11:01

According to a new report by the Guardian, Cambridge Analytica was offered politicians’ hacked emails and personal data about the future Nigerian president.

Based on accounts from witnesses, the data analytics firm was offered material from Israeli hackers who had accessed the private emails of two politicians, who are now heads of state. 

The sources have also described how senior directors of the company - including its recently suspended CEO, Alexander Nix - gave staff instructions to handle material provided by the hackers in election campaigns in Nigeria and St Kitts and Nevis.

These further accusations come after a Channel Four News report showed Nix talking about using personal information to trap politicians in elections across the world. 

In the meantime, Facebook’s CEO, Mark Zuckerberg, addressed the public regarding the Cambridge Analytica breach yesterday. In his statement, which he posted on his own Facebook page, he commented:

“We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it.”

Zuckerberg also announced that “Facebook would investigate all apps that had access to large amounts of information before it changed its platform in 2014, and will conduct a full audit of any app with suspicious activity.”

However, Facebook now faces investigation by the Federal Trade Commission (FTC) into whether it violated a consent decree. The decree requires Facebook to ask users for permission before sharing their data.

If found guilty of violating a consent decree, Facebook could face fines of $40,000 per violation. 

Categories: Cyber Risk News

Ransomware Out, Cryptojacking In

Thu, 03/22/2018 - 10:27

Cryptojacking attacks exploded by 8,500% in 2017, driven by the sudden increase in cryptocurrency values. According to research released by Symantec, the UK ranked as the fifth-highest country worldwide, with a staggering 44,000% increase in coin-miner detections.

With a low barrier to entry – only a couple of lines of code are required to operate – cyber-criminals are harnessing stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency. Coin-miners can slow devices, overheat batteries and, in some cases, render devices unusable. For enterprise organizations, coin-miners can put corporate networks at risk of shutdown and inflate cloud CPU usage, adding cost.

Symantec also found a 600% increase in overall IoT attacks in 2017, which means that cyber-criminals could exploit the connected nature of these devices to mine en masse.

“Attackers could be co-opting your phone, computer or IoT device to use them for profit,” said Darren Thomson, CTO and VP EMEA, Symantec. “People need to expand their defences or they will pay the price for someone else using their device.”

The Annual Threat Report also showed that while ransomware was still being used in 2017, there were fewer ransomware families and lower ransom demands. Symantec outlined in its report that “many cyber-criminals may have shifted their focus to coin mining as an alternative to cash in while cryptocurrency values are high” and that “some online banking threats have also experienced a renaissance as established ransomware groups have attempted to diversify.”

Last year, the average ransom demand dropped to $522, less than half the average of the year prior. While the number of ransomware variants increased by 46%, indicating the established criminal groups are still quite productive, the number of ransomware families dropped, suggesting they are innovating less and may have shifted their focus to new, higher value targets.

The report analyzed data from the Symantec Global Intelligence Network, which tracks over 700,000 global adversaries, records events from 98 million attack sensors worldwide and monitors threat activities in over 157 countries and territories.

Threats in the mobile space continued to grow year-over-year, including the number of new mobile malware variants which increased by 54%. According to the report, Symantec blocked an average of 24,000 malicious mobile applications each day last year, citing older operating systems as one of the main causes - only 20% of devices are running the newest version of Android. 

Mobile users also face privacy risks from 'grayware' apps that aren’t completely malicious but can be troublesome - Symantec found that 63% of grayware apps leak the device’s phone number. Unfortunately, with grayware increasing by 20% in 2017, Symantec do not believe this problem will be going away. 

Categories: Cyber Risk News

IoT Security Spending to Top $1.5 Billion This Year

Wed, 03/21/2018 - 19:07

Internet of things (IoT)-based attacks continue to make headlines and are becoming more frequent. According to a Gartner survey, nearly one-fifth of organizations have observed at least one IoT-based attack in the past three years. Accordingly, worldwide spending on IoT security will reach $1.5 billion in 2018, the firm said.

That’s a 28% increase from 2017 spending of $1.2 billion. Further out, IoT security spending is expected to reach $3.1 million in 2021.

"In IoT initiatives, organizations often don't have control over the source and nature of the software and hardware being utilized by smart connected devices," said Ruggero Contu, research director at Gartner. "We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organizations will look to increase their understanding of the implications of externalizing network connectivity.”

Despite the steady year-over-year growth in worldwide spending, it could be much more if certain challenges are met: Gartner predicts that through 2020, the biggest inhibitor to growth for IoT security will come from a lack of prioritization and implementation of security best practices and tools in IoT initiative planning. This will hamper the potential spend on IoT security by 80%, the firm said.

"Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed," explained Contu. "However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."

Also, while basic security patterns have been revealed in many vertical projects, they have not yet been codified into policy or design templates to allow for consistent reuse. As a result, technical standards for specific IoT security components in the industry are only now just starting to be addressed across established IT security standards bodies, consortium organizations and vendor alliances.

Meanwhile, an absence of security-by-design comes from a lack of specific and stringent regulations. Going forward, Gartner expects this trend to change, especially in heavily regulated industries such as healthcare and automotive. In fact, by 2021, Gartner predicts that regulatory compliance will become the prime influencer for IoT security uptake. Industries having to comply with regulations and guidelines aimed at improving critical infrastructure protection are being compelled to increase their focus on security as a result of IoT permeating the industrial world.

"Interest is growing in improving automation in operational processes through the deployment of intelligent connected devices, such as sensors, robots and remote connectivity, often through cloud-based services," said Contu. "This innovation, often described as 'industrial internet of things,' or Industry 4.0, is already impacting security in industry sectors deploying operational technology, such as energy, oil and gas, transportation and manufacturing."

Categories: Cyber Risk News

SOCs Are Overwhelmed and Face Deep Challenges

Wed, 03/21/2018 - 18:42

Even though companies are trying to get their arms around the ever-shifting threat landscape by implementing security operations centers (SOCs), research has revealed that excessive alerts, outdated metrics and limited integration are leading to over-taxed resources within the SOCs.

Fidelis Cybersecurity conducted the study over the span of three months, interviewing security practitioners from enterprise companies in a cross-section of industries: software-as-a-service (SaaS), retail, financial services, healthcare, consumer services and high tech.

“The study findings are only further proof that with…continued constraints on both the availability and bandwidth of well-trained SOC analysts, SOCs are increasingly burdened,” said Tim Roddy, vice president of cybersecurity product strategy at Fidelis. “Organizations need to look at automating common tasks, integrating network visibility with endpoint detection and response, and shifting the focus from identifying signatures and indicators to attacker techniques, tactics and procedures.”

The survey found a number of challenges to be in play within the SOC, not least of which is that 70% of survey respondents said that at least half of their security controls weren’t yet integrated; integration is seen as key for SOC automation, efficiency and effectiveness. This state of affairs impedes not only the speed of investigation but also the speed of remediation and control. The survey results showed a correlation between the companies that achieved a high alert-triage rate and those that have more integrated security controls.

Also, SOC and incident response (IR) metrics are outdated and ineffective: Every organization interviewed used metrics to measure SOC/IR effectiveness. However, 80% feel that the metrics they are using today are “not effective” or “had room for improvement.”

Meanwhile, threat hunting is an elite operation that exists only in the largest and most sophisticated organizations: Only 17% of organizations have a dedicated threat-hunting team.

Outside of these issues, one of the main hurdles that SOCs face is the sheer volume of events: Analysts are being overwhelmed by the number of alerts and the number of investigations that require their attention. Most SOC analysts (60%) can only handle 7 or 8 investigations in a day. Only 10% of organizations said they can realistically handle 8 to 10 investigations in a day. Overall, 83% of the companies triage less than 50% of the alerts received daily.

In addition to a capacity issue, the report found that SOCs are facing a skills gap/training issue, as many organizations struggled to recruit, train and retain qualified SOC analysts.

Against this backdrop, automation is becoming increasingly important for SOCs, according to Wang.

“Our study uncovered a number of notable findings,” he said. “For organizations that want to operate efficient, highly effective security operations, we recommend following best practices, such as automating Tier 1 and Tier 2 analyst tasks, identifying further opportunities to eliminate manual tasks, and standardizing processes and procedures for threat detection and response.”

Categories: Cyber Risk News

OilRig APT Significantly Evolves in Latest Critical Infrastructure Attacks

Wed, 03/21/2018 - 18:37

OilRig APT attacks are back, using a significantly more advanced malware toolkit than has been seen in the wild to date.

An Iran-linked APT group has been using OilRig to compromise critical infrastructure, banks, airlines and government entities since 2015 in a range of countries, including Saudi Arabia, Qatar, United Arab Emirates, Turkey, Kuwait, Israel, Lebanon and the United States. According to fresh analysis by Nyotron, the latest spate of attacks has been focused on a number of organizations across the Middle East and shows that the OilRig group has significantly evolved its tactics, techniques and procedures to include next-generation malware tools and new data exfiltration methods.

Some of the new tools are off-the-shelf, dual-purpose utilities, but others are previously unseen malware using Google Drive and SmartFile, as well as internet server API (ISAPI) filters for compromising Microsoft Internet Information Services (IIS) servers.

Nyotron said that for one, the group has built a sophisticated remote access Trojan (RAT) that uses Google Drive for command-and-control (C&C) purposes. It supports a variety of configuration settings, uses encryption and registers as a service: The malware simply retrieves commands from the attacker’s account on Google Drive and exfiltrates files to it.

Worryingly, at the time of the research, this RAT was not detectable by any antivirus engine that is part of VirusTotal.

The attackers also used a crafted RAT that leverages the public APIs of a file-sharing and transfer solution as a C&C. This allows attackers to upload and download files to and from infected machines, as well as to run ad-hoc commands. At the time of the research, this tool generated just 1 out of 68 VirusTotal detections.

As for the ISAPI filters, the group is using them to extend the functionality of IIS servers. An ISAPI filter provides a more covert way to execute commands on a previously compromised machine versus using a web page, allowing the attacker to execute commands by accessing any path on the server. This approach is unique, and the researchers said it avoids detection by most, if not all, security products.

Nyotron said that it believes this is the first time the OilRig group has used ISAPI filters.

These three are the tip of the iceberg, researchers said: In total, the attackers are using about 20 different new tools.

“State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks,” said Nir Gaist, founder and CTO of Nyotron. “This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in-depth approach to safeguard against malware adopting next-generation tools and techniques.”

Categories: Cyber Risk News

Google Adds to its Cloud Security Offering

Wed, 03/21/2018 - 13:31
Google Adds to its Cloud Security Offering

Google has announced more than 20 enhancements to its cloud security offering, with the aim of giving businesses operating in the cloud more control. These follow the Chrome Enterprise security announcements the company made last week.

The enhancements include VPC Service Controls, which Google describes as the first product to deliver virtual security perimeters for API-based services with simplicity, speed and flexibility; Cloud Security Command Center, currently in alpha; and more comprehensive cloud auditing tools.

VPC Service Controls help enterprises keep their sensitive data private while using Google Cloud Platform’s fully managed storage and data processing capabilities. Google believes this product will give admins a greater level of control to prevent data exfiltration from cloud services as a result of breaches or insider threats.

Gerhard Eschelbeck, VP, security & privacy, Google, commented in a blog: “Imagine constructing an invisible border around everything in an app that prevents its data from escaping, and having the power to set up, reconfigure, and tear down these virtual perimeters at will. You can think of [VPC Service Controls] like a firewall for API-based services on GCP.”

Using the managed service, enterprises can configure private communication between cloud resources and hybrid VPC networks. By extending perimeter security from on-premises networks to data stored in GCP services, enterprises can run sensitive workloads in the cloud with more confidence.

Another product that has been announced is the Cloud Security Command Center. It is a security and data risk platform for GCP that helps enterprises gather data, identify threats, and act on them before they result in business damage or loss.

Cloud Security Command Center gives enterprises consolidated visibility into their cloud assets across App Engine, Compute Engine, Cloud Storage and Cloud Datastore. Administrators can quickly see how many projects they have, what resources are deployed, where sensitive data is located and how firewall rules are configured. With ongoing discovery scans, they can view the history of their cloud assets, understand exactly what changed in the environment and act on unauthorized modifications, alongside security insights into those resources.

Administrators can identify threats like botnets, cryptocurrency mining, and suspicious network traffic with built-in anomaly detection developed by the Google Security team, as well as integrate insights from vendors such as Cloudflare, CrowdStrike, RedLock, Palo Alto Networks, and Qualys to help detect DDoS attacks, compromised endpoints, compliance policy violations, network intrusions, and instance vulnerabilities and threats. With ongoing security analytics and threat intelligence, enterprises can better assess their overall.

“A strong security posture plays a critical role in helping us fulfill our mission of helping our members navigate the complex personal finance landscape through a predictive, data-driven recommendation system,” says Ryan Graciano, CTO, Credit Karma. “User trust is crucial to our business so security was hugely important when selecting a cloud provider. Google Cloud’s end-to-end approach met our high standards. This enables us to spend more time focusing on building the best products for our customers.”

Categories: Cyber Risk News

Bitcoin's Blockchain Could Be Illegal in 112 countries

Wed, 03/21/2018 - 11:55
Bitcoin's Blockchain Could Be Illegal in 112 countries

Researchers from RWTH Aachen University and Goethe University, Germany, have uncovered images and links to child pornography in the Bitcoin blockchain. Their analysis argues that certain content, such as illegal pornography, could render mere possession of the blockchain illegal, since the data is distributed to every Bitcoin participant.

While a blockchain is primarily thought of as a credible ledger of digital activity such as cryptocurrency transfers, it can also record arbitrary data. Bitcoin transactions transfer funds between a payer (sender) and a payee (receiver), who are identified by public-private key pairs. Payers announce their transactions to the Bitcoin network, and miners then publish them in new blocks, spending computational power in exchange for a fee.
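To make the mechanism concrete, here is an added Go example, not code from the researchers' paper, that parses a serialized Bitcoin transaction and extracts the data carried in OP_RETURN outputs, the standard channel for non-payment bytes in a transaction. The sample transaction is constructed for the example (a dummy input, one payment output and one OP_RETURN output carrying the text "hello") and is not a real on-chain transaction; the parser handles only legacy, non-SegWit serialization and direct pushes of up to 75 bytes.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TxOutput is one output: amount plus scriptPubKey, the field non-financial bytes ride in.
type TxOutput struct {
	Value  uint64 // satoshis
	Script []byte
}

// cursor is a sticky-error reader: after the first failure every read is a no-op.
type cursor struct {
	r   *bytes.Reader
	err error
}

func (c *cursor) bytes(n uint64) []byte {
	if c.err == nil && n > uint64(c.r.Len()) {
		c.err = errors.New("length field exceeds remaining data")
	}
	if c.err != nil {
		return nil
	}
	buf := make([]byte, n)
	c.r.Read(buf)
	return buf
}

// le reads an n-byte little-endian unsigned integer (n <= 8).
func (c *cursor) le(n int) uint64 {
	var v uint64
	for b := c.bytes(uint64(n)); len(b) > 0; b = b[:len(b)-1] {
		v = v<<8 | uint64(b[len(b)-1])
	}
	return v
}

// varint decodes CompactSize: one byte, or marker 0xfd/0xfe/0xff then 2/4/8 LE bytes.
func (c *cursor) varint() uint64 {
	b := c.le(1)
	if b < 0xfd {
		return b
	}
	return c.le(2 << (b - 0xfd))
}

// ParseTx walks a serialized legacy (non-SegWit) transaction: version, inputs, outputs,
// locktime. Inputs are skipped; the outputs are returned (only meaningful when err is nil).
func ParseTx(raw []byte) ([]TxOutput, error) {
	c := &cursor{r: bytes.NewReader(raw)}
	c.le(4) // version
	for n := c.varint(); n > 0 && c.err == nil; n-- {
		c.bytes(36)         // previous txid (32) + output index (4)
		c.bytes(c.varint()) // scriptSig
		c.bytes(4)          // sequence
	}
	var outs []TxOutput
	for n := c.varint(); n > 0 && c.err == nil; n-- {
		o := TxOutput{Value: c.le(8)}
		o.Script = c.bytes(c.varint())
		outs = append(outs, o)
	}
	c.le(4) // locktime
	if c.err == nil && c.r.Len() != 0 {
		c.err = errors.New("trailing bytes after locktime")
	}
	return outs, c.err
}

// OpReturnPayloads returns the data pushed right after OP_RETURN (0x6a) in every output
// that starts with it: opcode 0x01..0x4b is the push length, which covers standard
// payloads up to 75 bytes (the OP_PUSHDATA1 form for 76-80 bytes is not decoded here).
func OpReturnPayloads(outs []TxOutput) [][]byte {
	var data [][]byte
	for _, o := range outs {
		if s := o.Script; len(s) >= 2 && s[0] == 0x6a && s[1] >= 1 && s[1] <= 0x4b && 2+int(s[1]) <= len(s) {
			data = append(data, s[2:2+int(s[1])])
		}
	}
	return data
}

// Constructed sample, not a real transaction: one input, then a 0.1 BTC P2PKH output
// and a zero-value OP_RETURN output carrying the five bytes "hello".
var sampleTxHex = "01000000" + "01" + strings.Repeat("aa", 32) + "00000000" + "00" + "ffffffff" +
	"02" + "8096980000000000" + "19" + "76a914" + strings.Repeat("bb", 20) + "88ac" +
	"0000000000000000" + "07" + "6a05" + hex.EncodeToString([]byte("hello")) + "00000000"

func main() {
	raw, _ := hex.DecodeString(sampleTxHex)
	outs, err := ParseTx(raw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d outputs; OP_RETURN payloads: %q\n", len(outs), OpReturnPayloads(outs))
}
```

OP_RETURN is the sanctioned place for such bytes, but it is not the only one: a node cannot validate the 20-byte hash in a pay-to-pubkey-hash script, so a payer can fund an output to an address that is really arbitrary data, and the same walk over outputs is where a check for that would go. Either way, every full node stores every output whether or not it is spendable, which is why the researchers stress that the content cannot be removed once mined.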

The researchers analysed the risks of arbitrary blockchain content, including copyright violations, malware, privacy violations, politically sensitive content and illegal and condemned content. The analysis suggests: “Considering legal texts we anticipate a high potential for illegal blockchain content to jeopardize blockchain-based systems such as Bitcoin in the future. Our belief stems from the fact that, for child pornography as an extreme case of illegal content, legal texts from countries such as the USA, England, Ireland deem all data illegal that can be converted into a visual representation of illegal content.

“Since all Bitcoin participants maintain a complete local copy of the blockchain (e.g. to ensure correctness of blockchain updates and to bootstrap new users), these desired and vital features put all users at risk when objectionable content is irrevocably stored on the blockchain. This risk potential is exemplified by the (mis)use of Bitcoin’s blockchain as an anonymous and irrevocable content store.”

Categories: Cyber Risk News

Cambridge Analytica Used ProtonMail to Hide Email Paper Trails

Wed, 03/21/2018 - 10:34
Cambridge Analytica Used ProtonMail to Hide Email Paper Trails

Cambridge Analytica faces more accusations following a third exposé by Channel 4 News, which filmed recently suspended CEO Alexander Nix discussing the company’s role in the 2016 US presidential election. The report also featured Nix describing how the company used a “secure, secret email system” to cover up correspondence between the company and third parties.

ProtonMail, the system in question, is run by a Swiss company and provides end-to-end encrypted email that is readable only by the sender and the recipient. According to the company’s website: “Data is encrypted on the client side using an encryption key that [we] do not have access to. This means [we] don't have the technical ability to decrypt [your] messages, and as a result, [we] are unable to hand your data over to third parties.”

Furthermore, ProtonMail’s website said: “All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO), which offers some of the strongest privacy protection in the world for both individuals and corporations. As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.”

In the report aired by Channel 4 News last night, CA’s Nix explained to the undercover reporter, posing as a political consultant, how the company covers its tracks: “I’d like you to set up a ProtonMail account please because now these are getting quite sensitive.”

When asked whether the consultant should hand over the ProtonMail account, Nix replied: “Well, nobody knows we have it… and secondly, we set out ProtonMail emails with a self-destruct timer. So you send them, and after they’ve been read, two hours later they disappear.

“So then there’s no evidence, there’s no paper trail, there’s nothing.”  

Comparing itself to Snapchat, ProtonMail says that communication with non-ProtonMail users can also be secured: encrypted messages can be sent to Gmail, Yahoo, Outlook and other providers. The company stopped publishing its transparency reports in February 2017; the last update showed that only five of 54 user data access requests were granted.

Infosecurity has reached out to ProtonMail for comment.

Categories: Cyber Risk News

Orbitz Attack Impacts Hundreds of Thousands of Consumers

Tue, 03/20/2018 - 19:25
Orbitz Attack Impacts Hundreds of Thousands of Consumers

Popular travel-booking site Orbitz has likely been hacked, potentially exposing payment card information for people that bought plane tickets or booked hotel rooms over the course of two years.

The company said it has uncovered evidence that about 880,000 payment cards were possibly affected, along with other personal information such as names, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender.

The company said evidence suggests an attacker may have accessed information stored on a legacy e-commerce platform during two periods: 1 January through 22 June 2016 and 1 October to 22 December 2017.

"We determined on March 1, 2018, that there was evidence suggesting that an attacker may have accessed personal information stored on this consumer and business partner platform,” the Expedia-owned site said in a media statement. “We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform. To date, we do not have direct evidence that this personal information was actually taken from the platform. We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners."

Mike Schuricht, vice president of product management at Bitglass, said that the issue may have arisen as an artifact of the acquisition integration. Expedia bought the company in September 2015.

“Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or nonproduction systems,” Schuricht said via email. “As is the case with most audits and postmortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.”

Orbitz is offering customers a year of free credit monitoring; yet Nathan Wenzler, chief security strategist at San Francisco-based security consulting company AsTech, said that more is needed.

“Another day, another breach. And while the attackers show no signs of slowing down, companies really need to do more than just provide users a free year of credit monitoring services and consider their work done,” he said via email. “Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers’ data, no matter where it lives.”

Categories: Cyber Risk News

Android Banking Trojan Fakebank Adds Vishing Dimension

Tue, 03/20/2018 - 16:20
Android Banking Trojan Fakebank Adds Vishing Dimension

Symantec has warned of a new variant of the Fakebank Android malware family that adds a “vishing” (voice phishing) angle: Once installed, the malware will intercept mobile calls a user attempts to make to a bank, redirecting them to a scammer impersonating an agent working for the bank.

The new version is sneaky too: It displays a fake caller ID to make it appear as though the call is really from the legitimate bank.

Symantec said in a blog that at least 22 fake mobile apps, found in third-party Android markets and on some social media sites, are targeting Korean bank customers with the malware. Fakebank typically collects banking SMS messages, records phone calls to banks and displays a fake bank login interface to victims; intercepting incoming and outgoing calls is a fresh capability.

“The Fakebank Android malware could soon be a model adopted by malware makers in parts of the world outside South Korea,” said Paul Bischoff, privacy advocate at Comparitech, via email.

Even though the attack uses a fairly novel approach to scam users, Android owners can avoid it using the same best practices used to avoid any other type of malware, he added: “First, update Android to the latest stable version. The newest release, Oreo, prevents the caller ID from being spoofed by the malware. Avoid downloading apps and files from unknown sources. Don't trust apps from third-party app stores, and be wary of links in web pages and emails. It’s also important to review and limit the permissions of apps you install and install and run antivirus regularly.”

Categories: Cyber Risk News

FIDO Alliance Expands Authenticator Certifications

Tue, 03/20/2018 - 16:01
FIDO Alliance Expands Authenticator Certifications

The FIDO Alliance has expanded its certification program to include multi-level security certifications for FIDO authenticators (such as physical security keys and biometrics).

With the authenticators, online service providers can choose the security level appropriate for their business, such as requiring higher FIDO certification for financial transactions than for general account information.

FIDO specifications for strong authentication incorporate public key cryptography and simple user experiences to help the world reduce its reliance on passwords. The certifications are available for Level 1 (L1) and Level 2 (L2) authenticators, with additional levels covering a full range of security requirements to be introduced at a later date.

“Our new multi-level evaluation program addresses an increasingly critical market requirement for a more transparent view into the security of FIDO-certified authenticators,” said Brett McDowell, executive director of the FIDO Alliance. “This new certification program, used in combination with the FIDO Metadata service, enables enterprises and online services to make better-informed risk management decisions when registering credentials from FIDO-enabled devices, resulting in more accurate and reliable ‘scores’ on the back end while delivering better user experiences on the front end due to lower instances of intrusive ‘step up authentication’ challenges.”

All FIDO-Certified L1 authenticators must pass interoperability testing for compliance with the FIDO specifications. They must also pass a design review against FIDO requirements to ensure the authenticator follows best security practice for the operating system it runs on.

The FIDO L2 Security Certification Requirements mandate that authenticators implement a restricted operating environment (such as a trusted execution environment (TEE) or secure element) to protect biometric data and authentication credentials against operating system compromises that arise from app downloads, malicious website content or similar threats. L2 authenticators also must pass a comprehensive design review by a FIDO-accredited third-party security certification laboratory.
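What the public key cryptography in these specifications buys, shown as an added Go example rather than any FIDO or WebAuthn implementation: the authenticator generates a key pair, hands the relying party only the public key at registration, and afterwards signs a fresh per-login challenge bound to the relying-party identifier, together with a monotonically increasing signature counter that the relying party checks. Nothing here is the FIDO wire format; the way the signed bytes are assembled (rpID, counter and challenge hashed with SHA-256), the type names and the identifier "login.example.com" are this example's own simplifications.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for a FIDO authenticator: it holds a key pair whose private
// half never leaves it, plus a signature counter that increases with every assertion.
type Authenticator struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

// Credential is what the relying party (RP) keeps after registration.
type Credential struct {
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// Assertion is the authenticator's answer to one challenge.
type Assertion struct {
	Counter   uint32
	Signature []byte // ASN.1 DER ECDSA signature over signedData(...)
}

func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key}, nil
}

// Register hands the public key to the RP, which records the starting counter.
func (a *Authenticator) Register() Credential {
	return Credential{Pub: &a.key.PublicKey, LastCounter: a.counter}
}

// signedData is the byte string both sides hash and sign/verify (this example's own
// layout, not FIDO's). Binding the RP identifier and the fresh challenge into it is what
// stops a captured assertion being replayed, or one meant for site A being shown to site B.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(rpID)
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(challenge)
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// Sign bumps the counter and signs the challenge for rpID.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedData(rpID, a.counter, challenge))
	return Assertion{Counter: a.counter, Signature: sig}, err
}

// Verify is the RP side: the counter must move forward (a stale or repeated value means
// a cloned authenticator or a replayed assertion) and the signature must check out
// against the registered public key for this RP and this challenge.
func Verify(cred *Credential, rpID string, challenge []byte, as Assertion) error {
	if as.Counter <= cred.LastCounter {
		return errors.New("signature counter did not increase: clone or replay")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedData(rpID, as.Counter, challenge), as.Signature) {
		return errors.New("signature does not verify for this RP and challenge")
	}
	cred.LastCounter = as.Counter
	return nil
}

// NewChallenge is the RP's fresh random nonce for one authentication ceremony.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func main() {
	auth, _ := NewAuthenticator()
	cred := auth.Register()
	ch, _ := NewChallenge()
	as, _ := auth.Sign("login.example.com", ch)
	fmt.Println("first login:", Verify(&cred, "login.example.com", ch, as))
	fmt.Println("same assertion again:", Verify(&cred, "login.example.com", ch, as))
	clone := &Authenticator{key: auth.key} // copied key material, counter back at zero
	ch2, _ := NewChallenge()
	as2, _ := clone.Sign("login.example.com", ch2)
	fmt.Println("cloned authenticator:", Verify(&cred, "login.example.com", ch2, as2))
}
```

The counter check is the relying party's only after-the-fact signal that a private key has been copied, and it works only once the clone and the original drift apart. The L2 requirement for a restricted operating environment addresses the step before that: keeping the key inside a TEE or secure element so that malware on the host cannot extract it in the first place.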

The new program also incorporates traditional FIDO functional certification, which measures compliance and ensures interoperability among products and services that support FIDO specifications.

The FIDO ecosystem includes Intel, Microsoft, Google, PayPal, Bank of America, Amazon and others.

Categories: Cyber Risk News

SpongeBob Has Nothing on Flippy the Burger Bot

Tue, 03/20/2018 - 15:54
SpongeBob Has Nothing on Flippy the Burger Bot

Flippy, a robot designed to, as its name suggests, flip things, was fired from its entry-level burger joint job after just one day on the job at California-based burger chain CaliBurger.

Armed only with a spatula, the robot was a paragon of productivity, managing to cook (and flip) 2,000 burgers in a day. That’s a feat perhaps rivaled only by SpongeBob’s skills over at the Krusty Krab – and therein lies the problem: Its human co-workers couldn’t keep pace.

As Anthony Lomelino, head of technology at CaliBurger, pointed out, Flippy can’t exist in a vacuum: At CaliBurger, humans still sell the food and take your money; they also add condiments and veggies to the burgers, wrap them up in paper and put them in a bag for visitors. The rest of the food delivery chain lagged behind Flippy’s prowess, so Flippy, unfortunately, had to go. For now.

“Mostly it’s the timing,” Lomelino told USA Today. “When you’re in the back, working with people, you talk to each other. With Flippy, you kind of need to work around his schedule. Choreographing the movements of what you do, when and how you do it.”

Perhaps the solution is designing additional robots (hopefully dubbed things like “Lettuce Luke” or “Condiment Cathy”) to fill out the hamburger production chain. Conceivably, an AI could even replace a human manager, optimizing and overseeing the coordination between machines. It’s not too far from reality: At the Philadelphia airport, for example, visitors to in-terminal restaurants may find themselves forced to order their food and beverages via iPad – so the cashier part of this is already partially solved.

But would consumers go for it, after the novelty wears off? Aside from the ick factor of replacing entry-level jobs with machines, there are darker concerns.

Robotic restaurant workers made their way into The X-Files earlier in March, in a very Black Mirror-esque episode in which Agents Mulder and Scully are terrorized by robotic helpers, drones and even the digital apps they’ve opted into. They find themselves in this dystopian world after not tipping at an all-robot sushi restaurant; the implication, of course, is that AI is controlling a vast, self-aware lattice of Things, and that it gets really, really offended when stiffed on the gratuity.

CaliBurger at least has no concern for such things. The company has contracted for Flippies to be installed in 50 locations, and even though Flippy was just too good in the trial, the chain said it’s looking to work out the process kinks in order to stay on track to deploy the $60,000 units by the end of the year.

Categories: Cyber Risk News