Info Security


US Cybersecurity Firm to Create 52 Jobs in Ireland

Wed, 09/18/2019 - 15:16

An American cybersecurity consulting firm has opened its first overseas site in the southern Irish city of Kilkenny.

The new office in the Republic of Ireland will become the European Headquarters and Security Operations Centre (SOC) for growing company Security Risk Advisors (SRA). The SOC's current staff of three will grow to seven by mid-October and is expected to swell to 52 over the next five years.

Having an office in Europe allows SRA to offer around-the-clock system monitoring to its US-based clients. It will also help the company support its growing European clientele and is likely to attract new customers east of the Atlantic. 

SRA's managing director, Tim Wainwright, said: "The proximity to top colleges and industry-leading companies, in addition to the quality of life in the South East region, made the decision to open our first international office in Kilkenny an easy one."

Wainwright has already chosen his favorite local watering hole, and the honor goes to Cleere’s Bar & Theatre in Kilkenny’s Irishtown. 

Support for SRA's international expansion is being provided by Ireland's inward investment promotion agency, the IDA.

"The IDA walked us through incentives and hosted our initial visit. They introduced us to local stakeholders and helped us fill out paperwork. They have continued to work with us in support of setting up our office," said SRA’s Amanda Larsen. 

Irish minister of state at the Department of Housing, Planning, and Local Government, John Paul Phelan TD, said: "The decision to locate their office here is testament to Kilkenny’s highly skilled workforce, as well as its strong network of nearby educational institutions like Waterford IT and Carlow IT, which provide companies like SRA with the talent they need to succeed and grow.

"This announcement is a great boost for the city, and I wish SRA every success in Kilkenny."

SRA was founded as a virtual organization in Pennsylvania's largest city, Philadelphia, back in 2010, by a home-grown team of four Philly locals. Since then, the company has grown 20% on average every year and now employs around 140 people.

The company's growth strategy of mentoring a large number of university hires was so successful that in 2017 SRA opened a physical office on the city's Market Street. 

Two years of success followed, causing SRA to outgrow its original space. In June of this year the company announced the expansion of its office in Philadelphia to accommodate 25 additional employees, together with the opening of a new site in Rochester, New York.

Indicating that SRA plans to implement a similar growth strategy at their new European HQ, Larsen said: "We will be working closely with the Waterford Institute of Technology and Institute of Technology Carlow. The South East region has such a great amount of tech talent."

Categories: Cyber Risk News

Government Report Warns of AI Policing Bias

Wed, 09/18/2019 - 11:05

A new government-backed report has warned that the growing use of automation and machine learning algorithms in policing could be amplifying bias, in the absence of consistent guidelines.

Commissioned by the Centre for Data Ethics and Innovation (CDEI), which sits in the Culture Department, the report from noted think tank the Royal United Services Institute (RUSI) will lead to formal recommendations in March 2020.

It’s based on interviews with civil society organizations, academics, legal experts and police themselves, many of whom are already trialing technology such as controversial AI-powered facial recognition.

The report claimed that use of such tools, and those used in predictive crime mapping and individual risk assessments, can actually amplify discrimination if they’re based on flawed data containing bias.

This could include over-policing of certain areas and a greater frequency of stop and search targeting the black community.

It also warned that the emerging technology is currently being used without any clear over-arching guidance or transparency, meaning key processes for scrutiny, regulation and enforcement are missing.

RUSI claimed that police forces need to carefully consider how algorithmic bias may result in them policing certain areas more heavily, and warned against over-reliance on technology which could reduce the role of case-by-case discretion. It also said that discrimination cases could be brought by individuals unfairly “scored” by algorithms.

“Interviews conducted to date evidence a desire for clearer national guidance and leadership in the area of data analytics, and widespread recognition and appreciation of the need for legality, consistency, scientific validity and oversight,” the report concluded.

“It is also apparent that systematic investigation of claimed benefits and drawbacks is required before moving ahead with full-scale deployment of new technology.”

OpenText head of AI and analytics, Zach Jarvinen, argued that the best way of avoiding bias in AI is to implement “ethical code” at the data collection phase.

“This must begin with a large enough sample of data to yield trustworthy insights and minimize subjectivity. Thus, a robust system capable of collecting and processing the richest and most complex sets of information, including both structured data and unstructured, and textual content, is necessary to generate the most accurate insights,” he added.

“Data collection principles should be overseen by teams representing a rich blend of views, backgrounds, and characteristics (race, gender, etc.). In addition, organizations should consider having an HR or ethics specialist working in tandem with data scientists to ensure that AI recommendations align with the organization’s cultural values.”

Categories: Cyber Risk News

Third of Brits Concerned About Election Interference

Wed, 09/18/2019 - 09:55

A third of British adults are concerned about hackers interfering in future general elections or referendums, according to new research from SANS Institute.

The global IT training organization polled over 2000 individuals to better understand their concerns about the impact of cyber-related issues on society.

It found that 34% believe cyber-attackers could influence the democratic process in future.

A long-awaited parliamentary committee report issued earlier this year claimed that while it was difficult to say definitively if there was "successful" interference in the 2016 EU referendum, “there is, however, strong evidence that points to hostile state actors influencing democratic processes.”

Russia in particular came under scrutiny for the pro-leave propaganda circulated by its state-backed media outlets RT and Sputnik.

Election interference can also be more insidious: a Senate report out in July argued that Russian hackers likely compromised voting infrastructure in all 50 states ahead of the 2016 Presidential election.

Just a fifth of UK adults responding to the SANS Institute poll said they thought the UK is well prepared to defend itself against future cyber issues, and nearly half (45%) claimed there are not enough security experts in the workforce to protect the country from attack.

However, less than one in 10 (6%) said they thought being a cybersecurity professional was an important job in society, highlighting the major PR challenge facing the industry in trying to get more people to consider a career in the sector.

Skills shortages currently stand at nearly three million globally, including 142,000 in EMEA, according to (ISC)².

SANS Institute CTO, James Lyne, argued that it is the role of government, industry and parents and teachers to emphasize the important role cybersecurity professionals play in defending democracy and economic growth.

“The findings of the poll demonstrate a lack of awareness of what cybersecurity practitioners do to protect our national interests, economy and personal finances,” he added. “The UK will only be prepared to cope with the evolving geopolitical cyber-frontier if we can educate and nurture greater numbers of cyber-defenders and instil a sense of urgency in that new generation of cybersecurity professionals.”

The research was conducted to promote the beginning of the latest annual Cyber Discovery program, which aims to educate and inspire 13-18-year-olds in the UK to be the cybersecurity stars of tomorrow.

Categories: Cyber Risk News

US Government Sues Edward Snowden Over Book

Wed, 09/18/2019 - 08:45

The US government is suing Edward Snowden for violating a non-disclosure agreement (NDA) in the publication of a new book.

The civil suit alleges that the former government contractor published the book, Permanent Record, without first submitting it to the CIA and NSA for review, as per the agreements he signed. It alleges Snowden has also discussed intelligence matters in public speeches, further violating the NDA.

Yet despite its allegations, the US government doesn’t want to prevent publication of the book; instead it wants to seize all proceeds, naming his publishers as co-defendants so that no money can be transferred to the whistleblower.

“Edward Snowden has violated an obligation he undertook to the United States when he signed agreements as part of his employment by the CIA and as an NSA contractor,” said assistant attorney general Jody Hunt of the Department of Justice’s Civil Division.

“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations. This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”

However, Snowden’s attorney and director of the American Civil Liberties Union (ACLU), Ben Wizner, has hit back, arguing that the book contains no information that hasn’t already been published by “respected news organizations.”

“Had Mr Snowden believed that the government would review his book in good faith, he would have submitted it for review. But the government continues to insist that facts that are known and discussed throughout the world are still somehow classified,” he added.

“Mr Snowden wrote this book to continue a global conversation about mass surveillance and free societies that his actions helped inspire. He hopes that today’s lawsuit by the United States government will bring the book to the attention of more readers throughout the world.”

Categories: Cyber Risk News

New Banking Regs Increase Cyber-Attack Risk

Tue, 09/17/2019 - 17:09

A report released today by Trend Micro has found that new European open-banking rules could leave financial services organizations and their customers more susceptible to cyber-attacks.

The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out open banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost. 

Vulnerabilities that could be exploited as a result of the EU's PSD2 include public APIs that allow approved third parties to access users' banking data and mobile apps that contain transactional data that could make users targets for phishing attacks.

Another concern raised by the report pertained to financial technology (fintech) firms that have no record on data protection and lack the resources of big banks.

In a quick survey of open-banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.

Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."

Open banking comes with the additional challenge of how and to whom blame should be ascribed when cybercrimes do inevitably occur.   

Mistry said: "Another aspect of this evolving open-banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"

Wherever the blame may lie, Mistry expects customers of financial services providers will expect their providers to shoulder the responsibility of maintaining cybersecurity. 

He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."

Categories: Cyber Risk News

Vulnerabilities in IoT Devices Have Doubled Since 2013

Tue, 09/17/2019 - 16:55

A follow-up study into the security of IoT devices has revealed more than twice the number of vulnerabilities as were detected six years ago. 

In the 2013 study SOHOpelessly Broken 1.0, researchers at Independent Security Evaluators (ISE) highlighted 52 vulnerabilities across 13 SOHO wireless routers and network-attached storage (NAS) devices made by vendors including Asus and Belkin.

An examination of routers and NAS products by ISE published yesterday has flagged 125 common vulnerabilities or exposures (CVEs). The vulnerabilities captured by the new research, dubbed SOHOpelessly Broken 2.0, could affect millions of IoT devices.

For their latest study, ISE tested 13 contemporary IoT devices created by a range of manufacturers. Modern versions of several devices tested in the original 2013 study were also studied to determine whether manufacturers had upped their security game.

The results were fairly disappointing, with researchers able to obtain remote root-level access to 12 of the 13 devices tested. Among the weaknesses identified were buffer overflow issues, command injection security flaws, and cross-site scripting (XSS) errors.

"We were expecting to find issues in the devices; however, the number and severity of the issues exceeded those expectations. Our first reaction to a lot of our findings was: 'It can't really be this easy, right?'" said ISE researcher Joshua Meyer. 

Conducting the study has changed how Meyer uses IoT devices. He said: "I will be more selective of any IoT devices I purchase for personal use. I am also more aware of the features provided by my devices and disable all of the ones that aren't necessary to its security."

After completing the study, ISE sent vulnerability reports and proof-of-concept (PoC) codes to affected vendors. While the majority of companies acknowledged the reports, TOTOLINK and Buffalo have not yet responded.  

"Netgear and Drobo only responded to us after we continuously messaged them about the critical security issues in their products," said Rick Ramgattie, lead researcher at ISE.

Asked if any plans were afoot for a SOHOpelessly Broken 3.0, Ramgattie said the team is looking into starting a new IoT/Embedded Device research project mid-2020.

Ramgattie elaborated: "We aren't sure if it is going to be the same format as SOHO 1.0 and SOHO 2.0. We might mix things up and pick a smaller set of manufacturers and narrow in on new attack surfaces we have been wanting to dive into for a long time. 

"We might also research more enterprise devices, different protocols, and more complex data-processing workflows."

Categories: Cyber Risk News

Nevada Students Top First Official National Cyber League College Rankings

Tue, 09/17/2019 - 15:32

America's National Cyber League (NCL) has published official college rankings for the very first time, and the University of Nevada has come out on top. 

Cyber-savvy students at the Reno-based university prevailed against 5,026 students from 419 schools across the nation to achieve victory in the NCL's spring 2019 season. This impressive win contributed heavily to Nevada's securing the pole position on the inaugural NCL leaderboard published last week.

In second place was the University of Hawaii at Manoa, followed by California State University at Chico, which took third. Lingering at the bottom of the board in 100th place was Grossmont College, a community college in California.  

The NCL has been challenging high school and college students to demonstrate their cybersecurity skills by taking part in two cybersecurity competitions staged annually since 2011. Entrants step onto a virtual field of competition to solve a series of puzzles based on real-world scenarios. 

Previous challenges included identifying hackers from forensic data, breaking into simulated bank websites, and staging a recovery from a ransomware attack. The University of Nevada's winning team, the Nevada Cyber Club, completed all the challenges set in this year's spring season with 99.26% accuracy. 

Club member and computer science and engineering major Bryson Lingenfelter, speaking after his team's unequivocal victory, said: "I've learned a tremendous amount in three seasons of competing in NCL, and it's a major inspiration for my plans going forward with Cyber Club. NCL is how many of us got started with the club, and I hope to expand our use of competitions as learning tools in the future to engage even more people with cybersecurity." 

Competing in the NCL does more for students than simply give them a chance to vaunt their talent and learn new skills. Thanks to industry-leading cybersecurity skills-evaluation technology from Cyber Skyline, NCL competitors can obtain scouting reports of their performance, which they can use for hiring purposes.

"Cyber competitions like NCL provide a way for cybersecurity students to demonstrate their skills to employers, especially with many entry-level jobs requiring experience," said Franz Payer, CEO of Cyber Skyline.

"The new Cyber Power Rankings highlight the top schools producing new cybersecurity professionals. We're excited for what competitions can do to help address the cyber talent shortage."

Categories: Cyber Risk News

New Test Service Launched to Gauge Tech Skills of Job Candidates

Tue, 09/17/2019 - 12:00

A new testing service has been launched with the aim of gauging and ranking job candidates based on their technical skillsets.

TechRank, created by Pioneer Labs, is run by tech consultants and sources, tests and objectively ranks tech talent, helping companies hire the best and most capable person for tech-based roles. TechRank seeks to eliminate the subjectivity of personality and interview charm and to ensure that jobs are offered based on genuine skillsets.

Candidates take the TechRank test online, opting for the specific area relevant to their skills. Candidates are then logged in the TechRank system and alerted if a suitable job is advertised. Employers can sort candidates by their skill level quicker and more accurately than reading through large numbers of CVs.

TechRank was co-founded by Gurvinder Singh, Co-CEO, Pioneer Labs, and he explained how TechRank was born out of frustration.

“We were finding it highly time-consuming and difficult to find great tech talent. It was a constant problem. So, we asked ourselves what needed to change and how this could be facilitated – the answer was clearly testing. It’s great for both the candidate and the employer. We trialed the system in our own business and found that it worked really well. It made a huge difference to Pioneer Labs so we decided to create a version that other businesses could use – and TechRank was born.”

Speaking to Infosecurity, Singh said: “We are looking to disrupt tech recruitment. We believe tech recruitment has been broken for far too long. It’s been very difficult for employers to be sure they are hiring people with the right skills; skills that are suitable for the specific job they are being asked to do. Some people look great on paper, perform brilliantly at interview, but simply don’t have the level of knowledge required for the job on offer.

“In the future, I believe CVs will become obsolete in the tech industry. Skills matter more than words and finding the best skilled people is where companies, which are trying to build or maintain market share via technology, will be competing most vigorously.”

Categories: Cyber Risk News

Webcam Security Snafus Expose 15,000 Devices

Tue, 09/17/2019 - 11:00

Researchers have discovered 15,000 private webcams around the globe which could be accessed by anyone with an internet connection, raising serious security and privacy concerns.

Working for Wizcase, white hat Avishai Efrat located the exposed devices from multiple manufacturers including: AXIS net cameras; Cisco Linksys webcam; IP Camera Logo Server; IP WebCam; IQ Invision web camera; Mega-Pixel IP Camera; Mobotix; WebCamXP 5 and Yawcam.

They appear to have been installed by both home users and businesses in multiple countries across Europe, the Americas and Asia.

By failing to put in place even cursory protection on the devices, these owners are exposing not only the webcam streams themselves but also, in some cases where admin access is possible, user information and approximate geolocation. In these cases, Efrat was also theoretically able to remotely control the device view and angle.

Control of such feeds and personal info could allow attackers to rob the premises being monitored, blackmail users, and even steal PII for identity fraud.

The problem lies with the cameras’ remote access functionality. In some cases UPnP was enabled without additional protections like password authentication or IP/MAC address whitelisting, whilst in others unsecured P2P networking was used.

“Web cameras manufacturers strive to use technologies which make the device installation as seamless as possible but this sometimes results in open ports with no authentication mechanism set up. Many devices aren’t put behind firewalls, VPNs, or whitelisted IP access – any of which would deny scanners and arbitrary connections,” explained Wizcase web security expert, Chase Williams.

“If these devices have open network services, then they could be exposed.”

Wizcase urged webcam operators to change the default configuration of their device in order to: whitelist specific IP & MAC addresses to access the web camera, add strong password authentication and disable UPnP if P2P networking is being used.

It also advised users to configure a home VPN network so the webcam would no longer be exposed to the public-facing internet.

Categories: Cyber Risk News

Emotet is Back and Spamming Again

Tue, 09/17/2019 - 09:45

A notorious botnet has begun sending out spam again after a several-month hiatus, which could spell bad news for organizations around the world.

Emotet has been dormant for around four months, but started pumping out spam on Monday morning, with phishing emails sent in German, Polish, English and Italian, according to Malwarebytes.

The firm said that an uptick in command-and-control (C2) server activity forewarned it of a return to the front line for the infamous botnet.

In this new campaign, users are tricked into opening an attached document and enabling macros, triggering a PowerShell command which will try to download Emotet from compromised sites, often those running WordPress.

“Once installed on the endpoint, Emotet attempts to spread laterally, in addition to stealing passwords from installed applications. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as ransomware,” warned Malwarebytes.

“Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way.”

Linked to the North Korean Lazarus Group, Ryuk is thought to have made almost $3.8m for its operators in the six months to January 2019.

Like Trickbot, Emotet was originally a banking Trojan that was re-written to function as a malware loader. Its operators sell access to the botnet for clients to use as a malware distribution network.

According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018 alone. In July last year, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.

Categories: Cyber Risk News

Most Port Vulnerabilities Are Found in Three Ports

Tue, 09/17/2019 - 09:03

The vast majority of vulnerabilities in ports are found in just three, making it theoretically easier for organizations to defend them against attack, according to Alert Logic.

The security vendor analyzed 1.3 petabytes of security data, over 2.8 billion IDS events, 8.2 million verified incidents, and common vulnerabilities for more than 700 SMB customers, in order to compile its Critical Watch Report for 2019.

It claimed that 65% of vulnerabilities it found in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are linked to SSH (22/TCP), HTTPS (443/TCP) and HTTP (80/TCP).

RDP/TCP comes in fourth place, which is no surprise as it has already been patched several times by Microsoft, including one for the Bluekeep bug which Redmond warned could provide attackers with WannaCry-like “wormable” capabilities.

The number of vulnerabilities in a port is a good indication of its popularity and it’s no surprise that the top three ports for flaws are also ones exposed to the public-facing internet, Alert Logic said.

However, the findings may provide useful intel for security teams in smaller companies to help them reduce their attack surface quickly and easily.

“As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic,” the report advised.

“Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities.”

Alert Logic also urged IT security teams to patch and harden any device, software or service connected to ports and to tackle any new vulnerabilities as they appear, as well as changing all default settings and passwords and running regular configuration checks.

The report found that most unpatched vulnerabilities in the SMB space are over a year old, and that misconfigurations, weak encryption and unsupported Windows versions also represent serious risks.

Categories: Cyber Risk News

City Blocks Email Account of Alderman Who Refuses Cybersecurity Training

Mon, 09/16/2019 - 18:46

Officials in the Tennessee city of Germantown have restricted the email account of an alderman who refuses to undergo cybersecurity training. 

Insurance specialist and married father of one Dean Massey was elected to the position of alderman in 2016. His official DMassey@germantown-tn.gov email account was restricted earlier this month after Massey failed to complete a cybersecurity training course.

According to the Commercial Appeal website, all Germantown officials and city employees were asked to complete the 45-minute course by a specific date and were warned that failure to comply would result in their email access being restricted. However, Massey told Infosecurity Magazine that "there was no policy that mandated the cyber training for elected officials."

Explaining why he refused to complete the cybersecurity training after being instructed to do so by the city's IT Director, Massey said: "I was not aware of any alderman having to take the cyber training in the past, so I thought it was unusual for a city employee to suddenly claim the authority to demand that elected officials click a link to take the training this year. 

"I simply disregarded the emails with the training links until I received a notice from the IT Director advising me that he intended to restrict my government email account."

Massey responded to the imposed restriction by setting up a personal email account—dmassey.cityofgermantown@gmail.com—to handle his official city business. Conducting public business from a personal email address does not violate any Tennessee state laws or ethics guidelines. 

Massey's refusal comes in the wake of a July 2019 ransomware attack on the neighboring city of Collierville, which compromised the town's internal servers. 

Commenting on Massey's argument cited by Commercial Appeal that an elected official shouldn't have to comply with a directive from an unelected official, fellow Germantown alderman Rocky Janda told Infosecurity Magazine: "Mr. Massey came up with that reason for not taking the training. This was a city administrator/mayor decision to make it mandatory for all employees and elected officials due to recent local threats. Staff does not make these kinds of decisions on their own." 

Janda, who himself became a victim of cyber-crime when hackers targeted his company with ransomware, added: "Mr. Massey just needs to take the training. It's 45 minutes..."

Massey responded to Janda's comments by stating: "All the elected officials have used and/or currently use personal electronic devices and personal email addresses for government correspondence."

According to Commercial Appeal, Janda has asked the city administration to discuss a potential censure of Massey's actions to encourage a discussion around cybersecurity issues. Massey has also asked for cybersecurity to be added to the administration's agenda for the next meeting, which will take place on September 23.  

Massey, who has never personally been a victim of a cyber-crime, said: "In my experience the threat of hackers and dangers of cybercrime are probably greater than what is reported in the media, but cities should not get a false sense of security by having city employees and elected officials click a link that provides 45 minutes of generic instruction on how to avoid cyber-crimes."

He added: "I think it would be appropriate and more beneficial for a cyber security specialist to give the entire Board of Mayor and Alderman a presentation on cyber security and allow aldermen to discuss whether more should be done."

Categories: Cyber Risk News

Data of Virtually All Ecuadoreans Leaked Online

Mon, 09/16/2019 - 17:00

The personal data of almost every citizen of Ecuador has been leaked online in a catastrophic data breach. 

The names, phone numbers, and financial information of approximately 20 million Ecuadoreans were found on an unsecured cloud server by researchers working on a web-mapping project at security company vpnMentor.

The enormous 18GB cache of data included personal information relating to individuals who were deceased as well as to the country's living population of approximately 17 million. Personal information relating to 6.7 million Ecuadorean children was among the data leaked.

Exposed files revealed a large amount of sensitive personally identifiable information, such as family records, marriage dates, education histories, employment records, and official ten-digit government ID numbers called cédulas de identidad.

"This data breach is particularly serious simply because of how much information was revealed about each individual," wrote Noam Rotem and Ran Locar from vpnMentor. "Scammers could use this information to establish trust and trick individuals into exposing more information." 

Tax records and financial records revealing the account balances of customers of a large Ecuadorean bank were among the data breached. 

Rotem and Locar wrote, "Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank."

A simple search of the leaked data would enable anyone to put together a list of wealthy Ecuadoreans that would be the envy of kidnappers everywhere. Taken as a whole, the data revealed not just who had large amounts of money in the bank but also where they lived, if they were married, if they had children, what cars they drove, and the license plates of their vehicles. 

Within the leaked records researchers also found an entry and national identification number for WikiLeaks founder Julian Assange, who was granted political asylum by Ecuador in 2012. 

Rotem and Locar found the exposed data in a number of files saved on a server located in Miami, Florida, which was set up and maintained by Ecuadorian marketing and analytics company Novaestrat.

After discovering the data cache, vpnMentor contacted Novaestrat. The Ecuador Computer Emergency Security Team restricted access to the unsecured server on September 11, 2019. 

The breach follows a similar incident that took place recently in another South American country. Last month, a server was found that exposed the voter records of 80% of Chile's 14.3 million citizens.

Categories: Cyber Risk News

Chicago Broker Fined $1.5m for Inadequate Cybersecurity

Mon, 09/16/2019 - 15:57

A US futures and securities clearing broker has been slapped with a $1.5m fine for failing to implement and enforce adequate cybersecurity measures. 

An investigation into Phillip Capital Incorporated (PCI) by the US Commodity Futures Trading Commission (CFTC) revealed a culture in which employees were not monitored to ensure that the cybersecurity of the business was protected and maintained.

Inadequate cybersecurity measures put in place within the Chicago-based company were found to be partially responsible for a data breach and the theft by cyber-criminals of $1m in PCI customer funds. 

The theft occurred when one of the company's IT engineers fell victim to a phishing email. The CFTC criticized PCI for taking too long to report the crime to customers after it happened in early 2018.  

On September 12, 2019, the CFTC issued an order that filed and simultaneously settled charges against PCI "for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds," and also for failing to disclose the breach to its customers "in a timely manner."

In a statement published on its website, the CFTC said that "the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements."

PCI was issued a civil monetary penalty of $500,000 and ordered to pay $1m in restitution. The broker was credited with the $1m restitution "based on its prompt reimbursement of the customer funds when the fraud was discovered."

The commission's investigation into PCI may be over, but the CFTC plans to keep an eye on the registered futures commission merchant's cybersecurity practices. The order filed by the CFTC requires PCI to provide reports to the commission on its remediation efforts. 

"Cybercrime is a real and growing threat in our markets," said CFTC director of enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place—and follow those procedures—to protect their customers and their accounts from potential harm."

Categories: Cyber Risk News

Israeli Cops Arrest Cyber Surveillance Vendor’s Employees

Mon, 09/16/2019 - 11:01

Israeli police have arrested several employees of a domestic company that makes cyber-surveillance tools and raided its offices over the weekend, according to local reports.

Although a court order has prevented many details of the case from making it into the public domain, including the identity of the suspects, the arrests were apparently made under charges of fraud, smuggling and money-laundering.

The individuals are thought to be staff at Ability Computer & Software Industries and Ability Security Systems, subsidiaries of Ability, which markets itself as providing interception technology for mobile cellular and satellite communications.

Founded in 1994 by “military and communication experts,” Ability claims to count governments, military, law enforcement and border control agencies as its customers.

However, there are suspicions that the firm may have broken Israeli laws around the export of specific security-related technologies, according to Haaretz.

The Israeli defense ministry is said to have suspended Ability subsidiaries from its official list of registered defense export companies after it exported geolocation systems without a license.

The firm is also facing a backlash from US regulator the SEC over an anti-fraud investigation dating back to 2017 about its 2015 merger with shelf company Cambridge Capital Acquisition Corporation.

Ability also paid out $3m last year to settle out-of-court with investors who said they’d been misled about the state of the firm’s finances.

The police investigation is being undertaken by the International Crime Investigations unit alongside the Director of Security of the Defense Establishment, according to the report.

The news comes just weeks after the Israeli government made moves to ease the process for exporting cyber-weapons to certain countries, despite warnings from the UN and others that such tools are being used by despotic governments to crack down on dissent.

Categories: Cyber Risk News

US Slaps Sanctions on Three North Korean Cyber Groups

Mon, 09/16/2019 - 09:45

The US Treasury has finally announced sanctions on three notorious North Korean state hacking groups, which it accused of attacks designed to generate money for the country’s illegal weapons program.

The Office of Foreign Assets Control (OFAC) said on Friday that the sanctions would apply to Lazarus Group, Bluenoroff and Andariel. It effectively demanded that global banks block any transactions related to the groups.

All three entities have been pegged as under the control of the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence agency.

Lazarus Group is the largest and best known, having been blamed for the destructive malware attack on Sony Pictures Entertainment and WannaCry. Along with Bluenoroff hackers it is also said to have launched the daring $80m cyber-heist on Bangladesh Bank.

While Lazarus Group targets range far and wide — including government, military, financial, manufacturing, publishing, media, entertainment, international shipping and critical infrastructure — Bluenoroff was apparently set up explicitly with the aim of making money to overcome global sanctions on North Korea.

Andariel, meanwhile, is apparently focused on hacking ATMs, stealing customer information to sell on the dark web, and stealing from online gambling sites, as well as hacking South Korean military systems to gather intelligence.

The groups’ efforts also focused on cryptocurrency exchanges in a bid to generate more funds for Pyongyang’s missile and nuclear weapons programs, the Treasury claimed.

This chimes with allegations from the UN, denied by North Korea, that the hermit nation had amassed a trove of $2bn from “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity” across 17 countries.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber-attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury under secretary for terrorism and financial intelligence. 

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

Categories: Cyber Risk News

UK’s Environmental Agencies Lose Hundreds of Devices

Mon, 09/16/2019 - 08:40

The UK government is in hot water again after Freedom of Information (FOI) requests revealed its Environment Department has misplaced hundreds of laptops and mobile devices over recent years.

Security vendor Absolute Software sent requests for info to the Department for Environment, Food, and Rural Affairs (DEFRA) and non-departmental public body the Environment Agency, which it sponsors.

They revealed that the two organizations lost a combined 540 devices over the past three financial years: DEFRA accounting for 100 of these and the Environment Agency reporting a total of 440.

Mobile phone losses were most common, with the Environment Agency again losing the lion’s share (363) and DEFRA just 63.

The Environment Agency misplaced 59 laptops over the period, with just 35 going missing from DEFRA, while only 21 tablet computers were lost in total – three from DEFRA and 18 from the Environment Agency.

Yet despite the headline stats, it’s the Environment Agency which appears to be improving its device security processes. It recorded an overall decrease of 24% in lost IT kit over the three-year period, while DEFRA witnessed a 43% increase.

A spokesperson from the Environment Agency played down the findings, claiming they should be seen in the context of the public body’s 10,000+ nationwide staff.

“Due to the nature of our work, we have operational staff working in the field to protect the environment and support our incident response capabilities,” the statement noted.

“Because of this there is always a risk that exposure to threats concerning mobile technology will be increased. All staff are required to work in accordance with our IT and security policies so that we continue to work toward minimizing losses, and risk associated with losses.”

Absolute Software vice-president Andy Harcup was less forgiving, branding the losses “unbelievable.”

“Every single lost device is a potential goldmine of confidential information and should be properly secured so that if stolen it can be tracked, frozen and recovered,” he argued.

“It’s also critical that government agencies have capabilities in place so that when mobile devices are exposed to threats outside of their control, they are able to locate the devices whether they are on or off the network, and wipe the data on the devices in order to comply with critical regulations like GDPR.”

These are just the latest two government bodies to have had their device security policies scrutinized: the Ministry of Defence recorded a 300% increase in losses of both devices and sensitive data over the past two financial years, according to Absolute Software.

Categories: Cyber Risk News

Symantec Axes Hundreds of US Jobs

Fri, 09/13/2019 - 18:08

American software giant Symantec is cutting hundreds of jobs at four different sites across the US as part of a $100 million restructuring program.

Government filings of notices made by the company in August under the Worker Adjustment and Retraining Notification (WARN) Act indicate that the roles of 230 Symantec employees will be terminated on October 15, 2019.  

The company's Californian headquarters at Mountain View will bear the brunt of the losses, with 152 job cuts expected. In San Francisco 18 jobs will go, and a further 24 will be axed from the company's site in Springfield, Oregon. In Culver City, Los Angeles County, 36 positions will be scrapped. Employees were notified in early August. 

The cuts will affect many different job classifications but most of the roles targeted were primarily related to tech work. According to the Employment Development Department (EDD) filings made by Symantec in California, many software engineer and software development engineer jobs are to go along with a raft of middle-management positions.

In a letter which accompanied the filings, Symantec wrote: "Layoffs are expected to be permanent," before stating, "None of the affected employees are represented by a union, and no bumping rights exist."

Symantec, which supplies 50 million people with Norton antivirus software and LifeLock identity theft protection, has over 11,000 employees globally. The US job cuts are part of a planned 7% reduction in Symantec's international workforce announced last month alongside news of the company's $10.7 billion sale of its enterprise division to San Jose chipmaker Broadcom.

News of the cuts comes amid rumors that Symantec has received interest from two private-equity suitors who, according to the Wall Street Journal, are seeking to buy the cybersecurity firm for more than $16 billion.

The Journal reported that "Permira and Advent International Corp. recently approached Symantec proposing a takeover deal valuing Symantec at $26 to $27 a share that would hand them the company’s consumer operation while preserving the sale of its enterprise business to Broadcom Inc." 

With the sale of its enterprise arm to Broadcom pending, it's not clear how the proposed deal would work if it were to go ahead.

Categories: Cyber Risk News

Cybersecurity Firm Employees Charged with Burglary of Courthouse Client

Fri, 09/13/2019 - 17:05

Two employees of a Colorado cybersecurity firm hired to test the security of an Iowa courthouse have been charged with burglary after allegedly breaking into the building.  

Gary Edward Demercurio, 43, of Seattle, Wash., and Justin Lawson Wynn, 29, of Naples, Fla., were arrested at approximately 1 a.m. on Wednesday morning after being found inside the Dallas County Courthouse in possession of burglary tools. 

Dallas County deputy sheriffs arrived at the scene after an alarm at the courthouse at 908 Court Street in Adel was tripped.

Demercurio and Wynn, who both work for global cybersecurity firm Coalfire, have been charged with third-degree burglary and possession of burglary tools. 

At the time of their arrest, Demercurio and Wynn told Dallas County deputy sheriffs that "they were contracted to break into the building for Iowa courts to check the security of the building."

In a press release issued later that day, Iowa Judicial Branch confirmed that while the state court administration had hired cybersecurity firm Coalfire to carry out security testing, the midnight shenanigans allegedly committed by Wynn and Demercurio were not exactly what it had in mind. 

While the administration had asked Coalfire to test vulnerabilities in the state’s electronic records system, it "did not intend, or anticipate, those efforts to include the forced entry into a building."

"It’s a strange case," said Dallas County Sheriff Chad Leonard on Wednesday. "We’re still investigating this thing."

When contacted for comment, Coalfire replied with the following statement: "Coalfire is a global cybersecurity firm that has conducted over 10,000 security assessments since 2001. We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client. 

"However, we cannot comment on this situation or any specific client engagements due to the confidential nature of our work and various security and privacy laws. Additionally, we cannot comment on this specific case as it is an active legal matter." 

Demercurio was released from Dallas County Jail after posting a $57,000 bond. Wynn was likewise released after posting a bond of $50,000. Both men are scheduled to appear before Dallas County District Court for a preliminary hearing on September 23.

Categories: Cyber Risk News

MSOE Opens Cyber-Learning Center Built with $34m Alumnus Donation

Fri, 09/13/2019 - 16:14

A Wisconsin university today celebrated the grand opening of a new cyber-learning facility funded by a $34 million donation from a former student and his wife. 

Dwight Diercks graduated from the Milwaukee School of Engineering (MSOE) in 1990 with a degree in computer science and engineering. Now senior vice president of software engineering at California-based technology company NVIDIA, Diercks today serves as a regent of the university, which awarded him an honorary engineering doctorate in 2014.

A day-long program of events was held to mark the opening of the Dwight and Dian Diercks Computational Science Hall, which included a keynote address by Jensen Huang, founder, president, and CEO of NVIDIA.

According to the MSOE website, "Diercks Hall—and the courses taught within—position MSOE at the educational forefront in artificial intelligence (AI), deep learning, cyber security, robotics, cloud computing and other next-generation technologies."

The four-floor building features seven contemporary classrooms, nine innovative teaching laboratories, 25 offices for staff, and a 256-seat auditorium. At the heart of the hall is a state-of-the-art data center with an NVIDIA GPU-accelerated AI supercomputer, which is named Rosie after the women known as Rosies who programmed one of the earliest computers, the ENIAC. Rosie is also the name of Diercks's mother, who passed away in 2006.

On the building's third floor, the Caspian Cyber Security Laboratory will allow students to conduct real-world cybersecurity experiments and test defensive mechanisms in a professional and controlled environment. The room is grounded with special shielding paint and an electromagnetic field to prevent computer viruses that students are working on from spreading to the rest of campus through the wireless network.

The substantial donation given by Diercks and his wife, Dian, was bolstered with an additional $4 million contributed by several individuals and corporations to support long-term operations and maintenance of the facility. 

Speaking at today's live-streamed opening ceremony, held in the new hall's atrium, the mayor of Milwaukee, Tom Barrett, quipped, "When I first heard the words artificial intelligence I thought someone had heard I had inflated my SAT scores," before declaring Friday, September 13, 2019, to be Dwight and Dian Diercks Day throughout the entire city of Milwaukee.

After Diercks and his wife cut a red ribbon with a giant pair of scissors to officially open the hall, he shared with the crowd his pleasure at learning that the addition of an external staircase to the building had increased the facility's final size to a square footage of 65,536, which is the number of different values representable in 16 bits.

Categories: Cyber Risk News
