Info Security

Man Pleads Guilty to $3m Tech Support Scam

Fri, 03/22/2019 - 10:16

A North Carolina man has pleaded guilty to his part in a global tech support scam conspiracy which netted over $3 million in profits from unsuspecting computer users.

Bishap Mittal, 24, from Charlotte, worked with an unnamed individual who owns Capstone Technologies, a firm which appears to have been set up with the scam in mind.

They purchased and distributed adware to users’ machines, according to the Department of Justice. The adware caused fake pop-ups to appear, warning victims that their PC was suffering serious technical issues and that they must immediately call a Capstone Technologies number to resolve them.

The number routed to a call center in India operated by Mittal and his partner and set up specifically to handle tech support scams.

Once on the phone, the victim would be persuaded to download a remote access tool (RAT).

“Once in control of the computers, the scammers identified various fictitious causes for the victims’ purported computer malfunction, including the presence of malware or computer viruses, and induced victims to pay for virus clean-up or other tech support services,” the DoJ notice explained.

“The co-conspirators then charged victims between $200 and $2400 to make computers operable again.”

The number of tech support scam victims has actually fallen in recent years, but not by much, according to Microsoft.

A report from the computing giant last year revealed that 63% of consumers globally experienced a tech support scam, down from 68% in 2016, while those who lost money fell from 6% to 3%.

The report said that fewer pop-up ads and windows have reduced consumer exposure to the scams. However, in the UK, 62% said they’d experienced a scam, with 6% losing money — an increase from 2% in 2016.

Categories: Cyber Risk News

UK Police Federation Hit by Ransomware

Thu, 03/21/2019 - 19:22

The UK’s Police Federation of England and Wales (PFEW) was the victim of a malware attack, according to two different tweets posted by the UK National Cyber Security Centre (NCSC) and the PFEW.

According to the Police Federation, the attack on the PFEW, which represents 119,000 police officers across the 43 forces in England and Wales, was first noticed on March 9. Upon learning of the ransomware attack through a system alert, PFEW responded quickly and was able to isolate the malware before it spread to additional branches, the announcement said.

Though the full extent of the damage remains undisclosed, the FAQs section of the announcement noted that “a number of databases and systems were affected. Backup data has been deleted and has been encrypted and became inaccessible. Email services were disabled and files were inaccessible.”

The investigation remains ongoing, but the PFEW tweeted, “All indications are that the malware did not spread any further than the systems based at our Surrey headquarters, with none of the 43 branches being directly affected.”

The initial announcement suggests that the attack was not targeted; ransomware generally is not a targeted campaign, according to Matt Walmsley, EMEA director at Vectra. Walmsley added that ransomware is more opportunistic in nature, and that its actions create a lot of noise, making it comparatively easier to spot than stealthier targeted or advanced attacks.

“Whether they had a regulatory or legal need to inform the ICO isn’t clear – particularly if there has been no data breach. The launch of a criminal investigation may help salve anger and frustration but is unlikely to result in accurate attribution, never mind a conviction, even if they’ve called in their friends from the National Computer Crime Unit. However, their transparent reporting, even if it’s a number of days after the instance, should be commended for its candor. Defenses are imperfect, always,” Walmsley said.

The PFEW reported that it is continuing to work with experts to restore systems and minimize damage, which is the goal in the aftermath of a successful ransomware attack, according to Tim Erlin, VP of product management and strategy at Tripwire.

“Every organization should have a plan in place for a successful ransomware attack. While prevention is preferred, the reality is that no security control is perfect. The key to responding to a ransomware attack is to detect quickly, limit the spread and restore systems back to a trusted state. Functional backups are key to recovery, but so is a clear understanding of how systems are configured. Finally, restoring from backups is only useful if you can close the attack vector that allowed the ransomware to gain a foothold in the first place.”

Categories: Cyber Risk News

Cyber Expert Hosts 'Savvy Cyber Kids' Talk in MA

Thu, 03/21/2019 - 18:40

Middle schoolers in Massachusetts welcomed the opportunity to learn about cybersecurity with a visit from Ben Halpert, founder of the Atlanta, Georgia–based nonprofit Savvy Cyber Kids Inc.

According to the Center for Digital Education, Halpert visited with more than 1,000 seventh graders at different schools, including the Consentino School in Haverhill, Massachusetts, earlier this week. During his presentation students learned what really happens when they take a picture on their phones.

“Those images are, and mostly without their knowledge, uploaded to 'the cloud,' which he explained are centers that store massive amounts of digital data,” wrote Mike LaBella of The Eagle-Tribune.

Halpert, who currently serves as VP of risk and corporate security for Ionic Security, founded Savvy Cyber Kids in 2007 and has been touring schools around the country for more than a decade.

“My positions over the years in cybersecurity and risk management have exposed me to the threats that not only organizations face but also those that impact the world's children,” Halpert said.

“I decided to take my expertise and founded the nonprofit Savvy Cyber Kids in 2007 to create and deliver cybersecurity and cyber-ethics materials and content to students of all ages (3–18) to make sure students today have a better understanding of the impact of their actions when using technology. I have had the pleasure of conducting workshops with students from preschool to elementary and middle school and through high school since 2002 (before I started the nonprofit).”

Commenting on his recent experience with the students in the Haverhill School District sessions, where he talked about online privacy and images, as well as appropriate online behaviors and bullying, Halpert said, “I had great student participation that showed their thoughtfulness, inquisitiveness and desire to learn more about what is really happening with all the technology they use in their daily lives.”

Categories: Cyber Risk News

Facebook Left Millions of Passwords Unhashed

Thu, 03/21/2019 - 18:06

During a routine security review in January 2019, Facebook discovered that some user passwords had been stored in plain text on its internal data storage systems, an issue that raised concerns given that the company’s login system is supposed to mask passwords, according to the Facebook newsroom.

The security flaw has reportedly been fixed, and Facebook said it will be notifying everyone whose passwords were unencrypted, which it said could be hundreds of millions of Facebook users in addition to tens of thousands of Instagram users.

The social media platform did emphasize in its news release that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

According to Facebook's security policy, user passwords are supposed to be hashed and salted at the time an account is created, which makes them unreadable. However, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords,” an unidentified Facebook source told KrebsOnSecurity.

“The longer we go into this analysis the more comfortable the legal people [at Facebook] are going with the lower bounds” of affected users, the source told Krebs. “Right now they’re working on an effort to reduce that number even more by only counting things we have currently in our data warehouse.”
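What “hashed and salted at the time an account is created” looks like in practice, and why it has to be paired with keeping plaintext out of logs and internal data stores: the following is an added example written for this page, not Facebook's code. It uses only Python's standard library (PBKDF2-HMAC-SHA256 via `hashlib`, constant-time comparison via `hmac`); the iteration count, the record format, the list of sensitive field names and the sample log line are constructed assumptions.

```python
"""Salted password hashing plus a scrubber that keeps plaintext out of logs.

Added example for this page, not Facebook's code. Standard library only:
hashlib.pbkdf2_hmac for the hash, hmac.compare_digest for the comparison.
The iteration count, record format, sensitive-key list and the sample log
line are constructed assumptions.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune per deployment


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    A fresh random salt per account means two users with the same password
    get different records, so a precomputed table cannot be reused across them.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Field names whose values must never be written to logs or data stores in clear.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")
_REDACT_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")(\s*[=:]\s*)([^\s&,;]+)")


def scrub_log_line(line: str) -> str:
    """Replace the value of every sensitive key=value (or key: value) pair with [REDACTED]."""
    return _REDACT_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


def demo() -> dict:
    """Run both halves on constructed input and return the results for inspection."""
    record = hash_password("correct horse battery staple")
    # Constructed example of a line a login handler might emit by mistake.
    raw = "2019-01-15 09:12:44 login user=alice password=correct%20horse status=ok"
    return {
        "record": record,
        "verify_ok": verify_password("correct horse battery staple", record),
        "verify_bad": verify_password("wrong guess", record),
        "scrubbed": scrub_log_line(raw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record carries its own parameters, so the work factor can be raised later without a migration script: old records still verify, and can be re-hashed on the user's next successful login. The scrubber is the cheap complement; a hashing scheme is only as good as the code paths that never see the plaintext after verification.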

Unfortunately for Facebook, each new headline seems to chip away at what is left of public trust, according to Terence Jackson, chief information security officer (CISO) at Thycotic.

“Another day, another Facebook breach of trust,” Jackson said. “As a CISO, the first question that comes to mind is, was this a flaw in the system or an accepted risk? Assuming they are following an SSDLC, this should have definitely been a core protection built into the system.

“Because there is no evidence that anyone external to Facebook had access to the unencrypted passwords is not reassuring. As a Facebook user, I question why would an internal employee need access to my unencrypted password. Ultimately it’s still up to the consumer to govern data shared with services like these. This won’t likely be the last of Facebook’s trust failures.”

Categories: Cyber Risk News

Russian State Hackers Phish Euro Governments Ahead of Elections

Thu, 03/21/2019 - 11:15

State-sponsored Russian hackers are targeting NATO members and European governments ahead of the upcoming European Parliament elections, according to new FireEye intelligence.

The security vendor claimed to have detected spear-phishing activity from the prolific Kremlin-linked APT28 and Sandworm Team groups.

The idea is to harvest passwords by sending the victim to a fake log-in page. To increase their chances of success, the groups are spoofing real government website portals, registering domains similar to trusted destinations and displaying the sender of these phishing emails as a trusted entity.

“The groups could be trying to gain access to the targeted networks in order to gather information that will allow Russia to make more informed political decisions, or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections,” said Benjamin Read, senior manager of cyber espionage analysis at FireEye.

“The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections creates a broad attack surface for hackers.”

Although FireEye claimed the two groups’ activity appears to be coordinated, they use different tools and tactics. The Sandworm Team tends to use publicly available tools, while APT28 uses expensive customized tools, and has deployed zero-day exploits in the past, it said.

This is not the first alert to be issued about Russian hacking activity ahead of the upcoming European elections.

In February, Microsoft claimed to have spotted APT28 targeting NGOs, think tanks and other government-linked organizations. It said 104 accounts across Belgium, France, Germany, Poland, Romania and Serbia had come under attack.

The infamous APT28 group (aka Fancy Bear) has been blamed for the 2016 phishing attacks on the Democratic National Committee (DNC) which many believe helped Donald Trump to power.

Categories: Cyber Risk News

Tech Duo Stung for $122m by BEC Attacker

Thu, 03/21/2019 - 10:12

A Lithuanian man has pleaded guilty to an audacious Business Email Compromise (BEC) scam which tricked Google and Facebook employees into wiring him $122m.

Evaldas Rimasauskas, 50, of Vilnius, pleaded guilty to one count of wire fraud, which carries a maximum sentence of 30 years in prison, it was announced yesterday.

His whaling scheme involved the registration of a company in Latvia with the same name as Quanta Computer, a data centre hardware manufacturer both Google and Facebook did business with. He also opened bank accounts in the firm’s name in Latvia and Cyprus, according to court documents.

Rimasauskas then sent emails to both tech giants spoofed to appear as if sent from Quanta and demanding payment for non-existent goods and services rendered.

Once he received the funds, reportedly $99m from Facebook and $23m from Google, he quickly transferred them to a variety of different accounts across the globe, in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

Rimasauskas even forged invoices, contracts, and letters including fake corporate stamps on behalf of Facebook and Google to deceive the banks the fraudulently obtained funds were initially wired to.

He was arrested in Lithuania in March 2017 and subsequently extradited to the US in March 2017, according to the DoJ.

Google and Facebook aren’t the first firms to have been caught out by BEC tactics. The CEO of an Austrian aerospace manufacturer was sacked after such a scam cost the firm €50 million ($55.8m).

The FBI reported total estimated worldwide losses from BEC to have exceeded $12.5bn between October 2013 and May 2018.

Categories: Cyber Risk News

NCSC Backs New Group to Help Boards’ Cyber Risk Efforts

Thu, 03/21/2019 - 10:09

A group of academics, government experts, charities and others has come together to help UK boards better assess cyber risk.

The Cyber Readiness for Boards initiative is being funded by the National Cyber Security Centre (NCSC) and the charity Lloyd’s Register Foundation, but will also benefit from input from University College London (UCL), the University of Reading, Coventry University, the Research Institute in Science of Cyber Security (RISCS), and training provider RESILIA.

It will look at the factors that shape board approaches to cyber risk and provide guidance to help them do so more effectively in the future.

The project will work first with six multinationals who are at an elevated risk of attack, before expanding to cover more firms including both large enterprises and SMBs early next year.

It will specifically focus on investigating four areas: board-level training; how boards evaluate cyber risk; the significance of board accountability, responsibility and composition; and the impact of investor pressure on decision-making.

According to government figures from last year, 43% of UK businesses had experienced a security breach or cyber-attack in the previous 12 months.

“We believe that cybersecurity is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks,” argued NCSC deputy director, Sarah Lyons.

"We have taken an evidence-based approach to developing our own board toolkit, and welcome new research into how UK boards make decisions around cyber risk. This research will help us refine and develop targeted guidance for business leaders, helping to make the UK the safest place to live and work online."

The new initiative was broadly welcomed by industry experts.

“Never before has there been such an urgent need for boards and executive teams to be ready for cyber-attacks,” said Osborne Clarke partner, Ashley Hurst. “The NCSC has a bird’s eye view on the most serious attacks taking place across the country and so it’s great to see it feeding back this knowledge and experience.”

Categories: Cyber Risk News

Nation-States Have Right to Hack Back, Survey Says

Wed, 03/20/2019 - 18:14

Security professionals who attended RSA 2019 believe that the world is in the midst of cyber-war, according to a survey conducted by Venafi.

While 87% of the 517 IT security professionals surveyed believe that cyber-war is a current reality rather than a future threat, 72% of respondents said that nation-states should be able to "hack back" when their infrastructure is targeted by cyber-criminals.

The Venafi survey sought feedback from IT professionals on the Active Cyber Defense Certainty (ACDC) Act, which was introduced in October 2018, while keeping in mind the current prohibition on retaliatory cyber-defense methods established in the Computer Fraud and Abuse Act.

“We’re always interested in the intersection of regulation (often by politicians that don’t appear to have a basic understanding of security) and security imperatives (as perceived by the people in the trenches),” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“We’ve been seeing more stories on hacking back and thought it would be interesting to understand if most security pros really think their organization should be able to do this. We felt this was particularly interesting in light of the controversy surrounding ACDC, and the mixed results that are likely to result for offensive hacking.”

"Cyber-war" as a term, though, is often used too loosely, according to Alex Hamerstone, GRC practice lead at TrustedSec. “War has a specific definition that involves a declaration. People often conflate offensive operations with war when they don’t really cross that line. However, infrastructure is different. Infrastructure is 100% a red line that you cannot cross without expectations of a significant response.

“I’m a bit surprised that only 72% say nations should be able to hack back. I think it’s a given that a country has the right to defend itself when it’s under attack. An attack on infrastructure can easily cross the line from digital to kinetic, putting human lives at risk both directly and indirectly."

Because the potential impact on critical services like power, transportation and healthcare is so enormous, security needs to plan for both robust deterrence and response. "The capacity of the response is the primary deterrence. There is a lot of gray area and complexity here which a nation has to consider when deciding how robustly to respond. It’s easy for a situation to escalate beyond what is necessary. That said, nations should have the ability to 'hack back' to the fullest extent needed in order to defend their infrastructure and assets,” Hamerstone said.

Private entities, though, are not the same as nation-states, a point on which Hamerstone and Jeff Bardin, chief intelligence officer of Treadstone 71, agreed. “I have been in favor of active defense since at least 2010. There should be some sort of capability to strike back at attackers with a viable and capable force,” said Bardin.

“Many organizations are not capable of doing so, nor do they wish to take the risk. I see third-party mercenary-type organizations that would take this onto their 'paid' plates to accept the risk and execute a proportional attack. You cannot win at cybersecurity if all you do is defensive. You can never win a football game if all you do is play defense. Never win a basketball game if the other team is always on offense. You lose by definition.”

Categories: Cyber Risk News

FIN7 Still Active Despite Arrests

Wed, 03/20/2019 - 17:53

Researchers have discovered the advanced persistent threat group (APT) FIN7 is using a new attack panel in campaigns that Flashpoint analysts have called Astra.

Despite alleged members of the group being charged with 26 felony counts in August 2018, analysts have found previously unseen malware samples, which are reportedly written in PHP and function as a script-management system. In addition, the new administrative panel, believed to be linked to the group, also has ties to Carbanak.

The group's activity dates back to at least 2015, when FIN7 targeted over 100 companies across the US, Europe and Australia, predominantly those within the hospitality, restaurant, and gaming industries. According to the US Department of Justice (DoJ), suspected members of FIN7 were arrested between January and August 2018.

According to today’s blog post, attackers access targeted machines using phishing emails with malicious attachments. “The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document,” wrote Joshua Platt and Jason Reaves.

The previously unseen malware that drops files and executes SQL scripts on the host system has been called SQLRat; unlike traditional malware, analysts said, it leaves no evidence behind. The SQLRat campaign is, however, similar to traditional phishing campaigns in that it typically involves a lure document. In the cases analyzed, the documents asked the user to “Unlock Protected Content.”

“Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with Fin7. The second new malware sample discovered is a multi-protocol backdoor called DNSbot, which is used to exchange commands and push data to and from compromised machines.

“The campaigns maintain persistence on machines by creating two daily scheduled task entries. The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.”

In addition to sharing indicators of compromise (IoCs) and recommending that security teams look for newly added Windows tasks, Flashpoint also advised monitoring for attempts to delete the Microsoft update service.
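The two hunting recommendations above translate into simple rules over Windows Security-log events. The following is an added example written for this page, not Flashpoint's tooling: it takes a list of normalized events of the shape a SIEM export might produce (event ID 4698, a scheduled task was created, and 4688, a new process was created, are the standard IDs) and flags hosts that gained two daily tasks within a short window, plus command lines that try to delete the Windows Update service. The field names and every sample event are constructed; `wuauserv` is the service name of Windows Update and is assumed here to be the "Microsoft update service" the advisory refers to.

```python
"""Hunting rules for the two behaviours Flashpoint recommended watching for.

Added example for this page, not Flashpoint's tooling. Input is a list of
normalized Windows Security-log events: 4698 (scheduled task created) and
4688 (process created) are the standard event IDs; field names and all
sample events are constructed. 'wuauserv' is the Windows Update service
name, assumed to be the "Microsoft update service" meant by the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

UPDATE_SERVICE = "wuauserv"
# Matches 'sc delete wuauserv', 'sc.exe delete wuauserv' and the remote form
# 'sc \\host delete wuauserv', case-insensitively, as a whole service name.
_SC_DELETE_RE = re.compile(
    r"(?i)\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?delete\s+" + UPDATE_SERVICE + r"\b"
)
WINDOW = timedelta(hours=24)  # assumed pairing window for the two daily tasks

# Constructed sample events. 'daily' mirrors a Daily trigger in the task XML.
SAMPLE_EVENTS = [
    {"ts": "2019-03-18T09:00:00", "id": 4698, "host": "WS-12", "task": r"\Maint\Cleanup", "daily": True},
    {"ts": "2019-03-20T10:01:02", "id": 4698, "host": "WS-07", "task": r"\Updater1", "daily": True},
    {"ts": "2019-03-20T10:01:05", "id": 4698, "host": "WS-07", "task": r"\Updater2", "daily": True},
    {"ts": "2019-03-20T10:03:00", "id": 4688, "host": "WS-07", "cmdline": "sc.exe delete wuauserv"},
    {"ts": "2019-03-20T11:00:00", "id": 4688, "host": "WS-03", "cmdline": "sc query wuauserv"},
    {"ts": "2019-03-20T12:00:00", "id": 4688, "host": "WS-09", "cmdline": "cmd /c SC DELETE WUAUSERV"},
]


def paired_daily_tasks(events, window=WINDOW):
    """Return {host: [task names]} for hosts that gained two or more daily tasks within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("id") == 4698 and ev.get("daily"):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["task"]))
    hits = {}
    for host, tasks in per_host.items():
        tasks.sort()
        for i in range(len(tasks) - 1):
            if tasks[i + 1][0] - tasks[i][0] <= window:
                hits[host] = [name for _, name in tasks]
                break
    return hits


def update_service_deletions(events):
    """Return (host, cmdline) for process-creation events that try to delete the update service."""
    return [(ev["host"], ev["cmdline"]) for ev in events
            if ev.get("id") == 4688 and _SC_DELETE_RE.search(ev.get("cmdline", ""))]


def hunt(events):
    """Run both rules and return their findings keyed by rule name."""
    return {"paired_daily_tasks": paired_daily_tasks(events),
            "update_service_deletions": update_service_deletions(events)}


if __name__ == "__main__":
    for rule, findings in hunt(SAMPLE_EVENTS).items():
        print(rule, findings)
```

The pairing rule is deliberately narrow (two daily tasks on one host within a day) to keep noise down; a broader rule would simply alert on any 4698 whose action runs from a user-writable path. Note that the second rule only sees `sc` invocations; deleting the service's registry key or stopping it through other tooling would need its own rule.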

Categories: Cyber Risk News

Attacks Target AmEx, NetFlix Users with Phishing

Wed, 03/20/2019 - 17:13

Windows Defender Security Intel has reported two major phishing attacks targeting American Express and NetFlix.

The Office 365 research teams discovered the attacks, which reportedly emerged over the weekend, hitting unsuspecting customers with well-crafted phishing campaigns that attempt to steal credit card information. According to a tweet from Windows Defender Security, “Machine learning and detonation-based protections in Office 365 ATP protect customers in both campaigns.”

Additional tweets warned, "The Netflix campaign lures recipients into giving away credit card and SSN info using a 'Your account is on hold' email and a well-crafted payment form attached to the email."

Phishing emails such as these are not only easy to craft but also easy to deploy. When aimed at unsuspecting users, they are highly successful. “They are designed to make us afraid that if we don’t click on that link or open that attachment something bad will happen,” said Colin Little, senior threat analyst, Centripetal Networks.

Cyber-criminals continue to employ the social engineering tactics of brevity and urgency, understanding that threatening user accounts or suggesting something may be amiss will evoke action.

In addition to the many places in the phishing kill chain that can keep these malicious emails away from users, Little said, “a security awareness program that trains users on how and why to identify phishing emails is both essential and fundamental. If our users are the broadest attack surface, their preparation for this attack is our best defense.”

When in doubt about whether an email is legitimate or not, an additional safety precaution is to address the potential issue in a separate dialogue. “Start a new email chain (such as to the Netflix help desk, in this example) using an address you obtain from the site,” Little said.

“Address the inquiry in a different media, such as calling their vendor support line. Or the recipient can open the applicable app (if one's available) on their smartphones and check their credit or account status.”

Categories: Cyber Risk News

BEC Gift Card Scams Go Mobile

Wed, 03/20/2019 - 11:07

Cyber-criminals are evolving their tactics with Business Email Compromise (BEC) attacks by transferring victims from email over to mobile communications channels early on in a scam, according to Agari.

Researcher James Linton described how such an attack typically takes place, with the initial spoofed CEO email containing a request for the recipient’s mobile phone number.

“By moving them over to their cell phone, the scammer is equipping their victim with all the functionality needed to complete the task that is to be given to them,” he explained.

“A mobile device offers instant and direct messaging, the ability (in most cases) to still access email, the ability to take pictures with the phone’s camera, and far greater portability than a laptop, which all increases the chances that the scammer will be successful in achieving their desired outcome once a victim is on the hook.”

If the victim hands over their number, the BEC scammer knows they have a great chance of success. In fact, the extra complexity of moving across two different comms channels may even add extra credibility to the scam, Linton claimed.

The instantaneous communication of mobile-based SMS or IM also makes it less likely that the victim will stop and think about what’s happening.

Temporary numbers can be relatively easily set up for the purpose, and can even be managed from a single desktop environment, making things easier for the scammer.

Linton explained how BEC scammers could use this tactic to trick workers into buying a set of gift cards on their behalf, scratching off the back and taking a photo of the redemption codes with the phone’s camera.

These are then swiftly laundered through online platforms, he added.

The best way of mitigating this new tactic is to check the domain on an incoming email for any red flags.

“If the email address checks out and a number is supplied, insist on a brief call before making purchases on behalf of someone else,” Linton concluded.

“As a final safety net, share concerns with a colleague or friend, especially if pressure is increased in unusual ways. As always, it’s better to be safe than sorry when dealing with these types of emails.”
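Linton's first check, inspecting the domain of the incoming email for red flags, is the same control that applies to the spoofed and look-alike domains described in the APT28 item earlier on this page. The following is an added example written for this page, not Agari's or FireEye's method: it parses the `From:` header, folds common look-alike characters, measures edit distance to the organisation's trusted domains, catches a trusted domain used as a subdomain of a stranger, and flags a known executive's display name on an address that is not theirs. The trusted-domain list, the executive directory, the small homoglyph table and the sample headers are constructed; the registrable domain is approximated as the last two labels, an assumption that is wrong for suffixes such as `.co.uk` and that a public suffix list would correct.

```python
"""Red-flag checks on the sender of an incoming email.

Added example for this page, not Agari's or FireEye's method. The trusted
domain set, the executive directory, the homoglyph table (a small
illustrative subset) and the sample headers are constructed. The
registrable domain is approximated as the last two labels, an assumption
that misjudges suffixes such as .co.uk; a public suffix list would fix that.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}                   # constructed: the organisation's domains
EXECUTIVES = {"pat lee": "pat.lee@example.com"}     # constructed directory

_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'examp1e.com' and 'exarnple.com' collapse to 'example.com'."""
    folded = domain.lower().translate(_SINGLE)
    for src, dst in _MULTI:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from a trusted domain is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Assumption: the last two labels (no public suffix list)."""
    return ".".join(domain.split(".")[-2:])


def check_sender(from_header: str) -> dict:
    """Return the parsed address plus a list of human-readable red flags."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reg = registrable(domain)
    flags = []
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(reg) == normalize(trusted):
                flags.append(f"homoglyph of {trusted}")
            elif levenshtein(reg, trusted) <= 2:
                flags.append(f"typosquat of {trusted}")
            if domain.startswith(trusted + "."):
                flags.append(f"{trusted} used as a subdomain of {reg}")
    # Display-name spoofing: a known executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and expected != addr.lower():
        flags.append(f"display name '{name}' but address is not {expected}")
    return {"address": addr, "domain": domain, "flags": flags,
            "verdict": "ok" if not flags else "suspicious"}


# Constructed sample headers covering each check.
SAMPLE_FROM = [
    "Pat Lee <pat.lee@example.com>",
    "Pat Lee <pat.lee@examp1e.com>",
    "IT Helpdesk <helpdesk@exampel.com>",
    "Accounts <billing@example.com.evil.net>",
    "Pat Lee <pat.lee.ceo@webmail.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM:
        result = check_sender(header)
        print(f"{result['verdict']:10} {header}  {result['flags']}")
```

A clean verdict from this check is what Linton means by "the email address checks out"; it is a precondition for the phone call he recommends, not a substitute for it, since a genuinely compromised mailbox passes every test here.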

Categories: Cyber Risk News

Kaspersky Lab Files Antitrust Case Against Apple

Wed, 03/20/2019 - 11:01

Kaspersky Lab has filed an antitrust complaint against Apple in Russia, arguing that the tech giant forced it to remove two key features from one of its apps just as Apple released similar functionality.

The issue boils down to Kaspersky Lab’s use of configuration profiles in its Kaspersky Safe Kids app.

Removing these, as Apple demanded, would have meant disabling two “essential” features, app control and Safari browser blocking, the AV vendor claimed.

“The change in Apple’s policy toward our app (as well as toward every other developer of parental control software), notably came on the heels of the Cupertino-based company announcing its own Screen Time feature as part of iOS 12,” it continued.

“This feature allows users to monitor the amount of time they spend using certain apps or on certain websites, and set time restrictions. It is essentially Apple’s own app for parental control.”

This effectively means Apple is abusing its position as platform owner and supervisor for the only official iOS store, Kaspersky Lab argued.

“By setting its own rules for that channel, it extends its power in the market over other, adjacent markets: for example, the parental control software market, where it has only just become a player,” the firm concluded.

“It is precisely in this extension of its leverage through possession of so-called ‘key capacity’ over other segments, leading to restriction and elimination of competition, that we see the essential elements of antitrust law violation, which consist of erecting barriers and discriminating against our software.”

Kaspersky Lab claimed to have repeatedly tried to open a dialogue with the Cupertino giant, but “no meaningful negotiations have ensued.”

The move comes after Spotify filed a similar complaint against Apple in the EU, to which the US firm has replied.

Categories: Cyber Risk News

Ad Trackers Found on 89% of EU Gov Sites

Wed, 03/20/2019 - 09:57

Ad tech companies are extensively tracking EU citizens on government websites, potentially exposing highly sensitive user data to third parties in breach of the GDPR, according to a new report.

Privacy compliance firm Cookiebot scanned 184,683 pages on all EU main government websites to compile its report, Ad Tech Surveillance on the Public Sector Web.

It found a shocking 25 out of 28 official government sites (89%) harbored ad tech trackers, despite these sites being non-ad funded. The largest number of tracking companies were present on the websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments. The UK was one of eight countries with just one tracking company present, although only Spanish, German and Dutch sites had no commercial trackers.

Health information can be particularly sensitive and there are strict requirements in the GDPR to keep it safe. However, over half (52%) of landing pages with health information were found to harbor ad trackers.

The worst offender was the Irish health service, with 73% of landing pages containing trackers. Information on HIV, abortions, alcoholism and mental illness was being tracked, according to the report.

In total, 112 companies were identified using trackers that send data to a total of 131 third-party tracking domains. Worryingly, 10 of these companies actively mask their identity.

Cookiebot claimed that third-party JavaScript technologies are often used on government sites to power functionality like video players and social sharing widgets. However, it warned that these can also act as a trojan horse “opening backdoors to the website code through which ad tech companies can silently insert their trackers.

“More than nine months into the GDPR, a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” said Cookiebot founder, Daniel Johannsen.

“Public sector bodies now have the opportunity to lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites.”

Categories: Cyber Risk News

US Orgs Not Ready to Comply with CCPA

Tue, 03/19/2019 - 16:19

Protecting consumer privacy has become a top priority for legislators as candidates launch their 2020 campaigns and try to win over voters. According to research findings revealed in the new CCPA and GDPR Compliance Report, however, US companies haven't made privacy regulations a top priority.

The online survey, conducted by TrustArc, reflects responses from 250 IT professionals who represent a wide spectrum of industries and company sizes. Of all the participating organizations, half were impacted by both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), while half were impacted only by CCPA. The report found that 88% of companies need help complying with California’s new privacy regulations.

According to the findings, only 14% of companies are currently compliant with CCPA, despite its deadline being less than 10 months away. Additionally, survey results revealed that 84% of respondents have started the CCPA compliance process, though only 56% have moved forward to the implementation stage.

Although fewer than half (44%) have yet to start the implementation process, 64% of companies said they need help developing their CCPA privacy plan. However, compliance readiness varied depending on whether companies had already worked on GDPR compliance.

Responses from those companies that were not impacted by GDPR showed that 79% will need to spend more than six figures to comply with CCPA, while only 61% of companies that have worked on GDPR compliance will need to spend as much.

“At TrustArc, we’ve seen a significant increase in the number of customers coming to us for support to comply with CCPA,” said CEO Chris Babel. “Companies that took the steps to comply with GDPR are already ahead of the game and will have an easier path to meet the requirements of CCPA. The companies that did not work on GDPR compliance will be under the gun to implement scalable compliance processes by the January 1, 2020, deadline.”

Categories: Cyber Risk News

Consumers Donate Data with Recycled Electronics

Tue, 03/19/2019 - 14:58

With the rapid turnover of technology, many consumers willingly trade in, sell or donate their old electronics, often without ensuring that all of their data has been wiped clean, according to new findings from Rapid7.

In a recent experiment conducted by Rapid7’s Josh Frantz, nearly every device he analyzed contained some form of personally identifiable information (PII) left over from its previous owner. Over the span of six months, Frantz looked at a collection of recycled consumer electronics, including laptops, smartphones and external drives. Even though many thrift shops claimed to wipe devices before reselling them, the devices contained such information as passwords, social security numbers and banking information.

In total, Frantz found 41 social security numbers, 19 credit card numbers and two passport numbers among a trove of additional PII. Additionally, he extracted 147,000 emails and 214,000 images. “I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs. I then used PowerShell to go through all documents, emails, and text files for the same information. You can find the regular expressions I used to identify the personal information here,” Frantz wrote in today’s report.

According to the findings from Frantz’s months-long experiment, not only are the thrift shops not holding up their end of the bargain, but consumers are also turning in devices without wiping them clean, an obvious recipe for disaster. Of the 85 devices analyzed, only two of them were properly erased and a mere three were encrypted.

Given the ease with which these types of data can be accessed and sold, Frantz found that the value of the data itself has dropped to less than $1 per record on the dark web.

“Realistically, unless you physically destroy a device, forensic experts can potentially extract data from it. If you’re worried about potential data exfiltration, it’s best to err on the side of caution and destroy it. However, wiping your device is usually enough, and can be a very easy and relatively painless process,” Frantz said.

Categories: Cyber Risk News

Apple, Microsoft Top Orgs Used in Spear Phishing

Tue, 03/19/2019 - 14:14

As spear-phishing tactics continue to evolve, attackers are using these threats with greater frequency and severity, making spear-phishing attacks the top threat vector for many organizations, according to a new report from Barracuda Networks.

Despite increased awareness of the types of threats they face, companies continue to fall victim to spear-phishing campaigns because attacks are becoming more tailored, with malicious actors leveraging social engineering tactics such as urgency and brevity, the report found.

The email threat report analyzed 350,000 spear-phishing emails and discovered that brand impersonation schemes – most notably Apple or Microsoft – account for 83% of spear-phishing attacks. “These types of spear-phishing attacks, designed to impersonate well-known companies and commonly-used business applications, are by far the most popular because they are well designed as an entry point to harvest credentials and carry out account takeover. Brand impersonation attacks are also used to steal personally-identifiable information, such as credit card and Social Security numbers.”

Attackers often exploit zero-day vulnerabilities in brand-impersonation attacks, which makes it easier to bypass traditional email security because they come from reputable senders and are typically hosted on domains that weren’t previously used as part of any malicious attack, the report said.

The attacks are not randomly deployed, as the report found that cyber-criminals carefully time their attacks, with one in five emails delivered on Tuesday. In addition, cyber-criminals also take advantage of the holiday season, knowing that there is a greater likelihood of security weaknesses.

The report found that the week before Christmas saw a 150% spike in spear-phishing attacks.

“Spear phishing attacks are designed to evade traditional email security solutions, and the threat is constantly evolving as attackers find new ways to avoid detection and trick users,” said Asaf Cidon, VP, content security at Barracuda Networks, in a press release. “Staying ahead of these types of attacks requires the right combination of technology and user training, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation, and sextortion.”

Barracuda will discuss findings from this research in the Infosecurity Magazine Online Summit keynote, next Tuesday, 2:30–3:00 pm GMT. Register to attend at https://www.infosecurity-magazine.com/online-summits/online-summit-emea-2019-1-1-1-1-1/.

Categories: Cyber Risk News

Half of Global Firms Concerned Over Security Skills Gaps

Tue, 03/19/2019 - 11:08

Nearly half (49%) of global organizations feel more exposed to security breaches because of skills shortages, according to a new Trend Micro study.

The vendor polled 1125 IT decision makers around the world and found that nearly two-thirds (64%) have experienced an increase in attacks over the past year.

The uptick in threats is coming at a bad time, as estimates put the global shortfall of cybersecurity professionals at nearly three million today.

However, AI-based tools could offer new opportunities.

Some 69% of those polled agreed that automating cybersecurity through Artificial Intelligence (AI) could reduce the impact of skills shortages, and a further 63% said they’re actively planning to use such tools.

Trend Micro cybersecurity architect, Ian Heritage, argued that the CISO’s role has never been harder, driving up demand for automated and hosted solutions.

“Protecting the enterprise from cyber-threats is like a game of whack-a-mole,” he added. “Not only do IT and security teams have to maintain constant vigilance of their cyber-defenses, they also have to communicate these risks to business leaders to ensure sufficient budgets, and don their HR hats to recruit the necessary skill sets.”

However, AI is certainly not a silver bullet. A report from 2018 argued that even automated machine learning tools require significant input from skilled practitioners: first to train them on what is normal versus unusual activity, and then to interpret the output.

Over half of the IT and security professionals polled (56%) said they believe machines can’t be trained to do tasks performed by humans, while a similar number claimed that security teams are better equipped to catch threats in real time.

Categories: Cyber Risk News

Aluminium Giant Norsk Hydro Suffers Major Cyber-Attack

Tue, 03/19/2019 - 10:26

One of the world’s biggest aluminium producers has been hit by a major cyber-attack affecting production systems, according to reports.

Norwegian firm, Norsk Hydro, said it had called in national security authorities to help repel the attack, which appears to have started overnight local time.

“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible,” it said in a reported statement. “Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.”

It’s claimed that the attack has affected operations across Europe and the US, with some — such as its extrusion plants — being forced to temporarily shut down.

The disruption comes at a bad time for the aluminium giant, which is struggling to get approval to fully restart its Alunorte plant in Brazil after admitting to leaking untreated water during heavy rains there.

It’s unclear at this early stage exactly what kind of cyber-threat the firm is tackling, although its main website was down at the time of writing. It could be a ransomware attack, and/or something designed to tie up IT security staff while sensitive data is stolen.

Company spokesman Halvor Molland has told local reporters that the attacks are “of a magnitude we haven’t seen before” and cover “several areas of our organization.”

Suspicious activity on servers overnight initially tipped off IT workers that something was wrong, but the threat seems to have spread quickly to other parts of the business.

The firm has 35,000 employees and operates in 40 countries around the world.

Back in 2016, German steel giant ThyssenKrupp said it was the victim of a major cyber-attack designed “to steal technological know-how and research” from its steel production and manufacturing plant design divisions.

Categories: Cyber Risk News

Only 28% of Gov.uk Domains Support DMARC

Tue, 03/19/2019 - 09:53

Only around a quarter of the UK government’s gov.uk domains have been set up to support an industry best practice email validation system, despite the imminent retirement of a previous public sector domain platform, according to Egress.

The security vendor found that just 28% of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC), which helps to prevent certain spam and phishing attacks.

The vendor ran its tests just a few weeks before the Government Secure Intranet (GSI) platform is to be switched off this month, forcing departments to migrate to the public cloud.

This means the vast majority are not currently following the minimum standards suggested by the UK Government Digital Service (GDS) for email authentication.

Even worse, of the 28% that had enabled DMARC at the time of the study, over half (53%) set a policy to “do nothing” — which would effectively let through Business Email Compromise (BEC) attacks and allow email buffering, while spam and phishing messages would be allowed into recipients’ inboxes.

This means that in reality, only 14% of government domains are using DMARC effectively to stop phishing attacks, Egress warned.

“It’s quite startling to see that so many public sector organizations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks,” commented Egress CTO, Neil Larkins. “With [not long] before the GSI framework is retired, it’s critical that organizations heed the advice laid out by GDS.”

The government took a bold step back in September 2016 when the Cabinet Office mandated the strongest DMARC policy (“p=reject”) be set as the default for all email services from October 1.
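The “do nothing” policy the study describes is `p=none` in the record’s `p=` tag, and the mandated policy is `p=reject`. As an added example, not code from Egress, GDS or the article, the following checks a DMARC TXT record the way such a study would and reports whether the published policy would actually stop spoofed mail; the sample records and the example.org report addresses are constructed.

```python
# Added example: classify a DMARC TXT record by whether its policy blocks
# spoofed mail. Not code from the Egress study or the article.
from dataclasses import dataclass


@dataclass
class DmarcVerdict:
    valid: bool            # syntactically usable DMARC record
    policy: str            # none / quarantine / reject ("" if invalid)
    subdomain_policy: str  # sp= tag, defaults to the p= value
    pct: int               # share of failing mail the policy applies to
    effective: bool        # True only if spoofed mail is quarantined/rejected
    reason: str


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> DmarcVerdict:
    tags = parse_dmarc(record)
    # RFC 7489: 'v=DMARC1' must come first and the p= tag is required.
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return DmarcVerdict(False, "", "", 0, False, "not a valid DMARC record")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcVerdict(False, "", "", 0, False, f"unknown policy {policy!r}")
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "none":
        reason = "p=none only monitors: spoofed mail is still delivered"
    elif sub_policy == "none":
        reason = "sp=none leaves subdomains open to spoofing"
    elif pct < 100:
        reason = f"pct={pct}: {100 - pct}% of failing mail still gets through"
    else:
        reason = f"p={policy} enforced on all failing mail"
    effective = policy != "none" and sub_policy != "none" and pct == 100
    return DmarcVerdict(True, policy, sub_policy, pct, effective, reason)


# Constructed sample records (not real gov.uk records), one per policy class.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org",
}
```

A `p=reject` record only helps if the domain’s legitimate mail passes SPF or DKIM alignment, so the aggregate reports sent to the `rua=` address should be reviewed before tightening the policy.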

However, progress has been slow in other areas. It was revealed in 2017 that 98% of NHS organizations were unprotected by DMARC, and that many English councils were also failing.

DMARC has played a crucial role in the NCSC’s successful Active Cyber Defence program over the past couple of years.

Categories: Cyber Risk News
