Info Security


Side-Channel Vulnerability PortSmash Steals Keys

Tue, 11/06/2018 - 13:28

Researchers have found that Intel processors are being impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes.

The new side-channel vulnerability, called PortSmash, was discovered by researchers Billy Bob Brumley, Cesar Pereida García, Sohaib ul Hassan and Nicola Tuveri from the Tampere University of Technology in Finland and Alejandro Cabrera Aldaya from the Universidad Tecnológica de la Habana.

According to the proof of concept, the only prerequisite to exploit the vulnerability, identified as CVE-2018-5407, is a CPU featuring simultaneous multithreading (SMT), such as Intel’s hyper-threading. An attacker uses a timing attack to steal information from other processes running in the same CPU core with hyper-threading.

Because it is a local attack, in order to steal the private decryption keys the attacker and the victim process, such as OpenSSL, must be running on the same physical core.

“News of a side-channel vulnerability should be very concerning for security and IT professionals alike,” said Justin Jett, director of audit and compliance for Plixer. “Malicious actors can take these newly generated keys and decrypt any conversation that would otherwise have been protected by the key.

“Additionally, because the malware writer is already on the machine, they have a better understanding of where these keys may be used (for example, were the keys then moved to a specific folder that is being used by an application installed on the machine).”

Similar to other processor vulnerabilities, like Meltdown and Spectre, PortSmash is a reminder that we have to rotate the keys and certificates that serve as machine identities, much more frequently than we do, according to Kevin Bocek, VP of security strategy and threat intelligence at Venafi.

“Our machine identities are kept around for years, and it’s crazy to think that they won’t be attacked. This is especially true in cloud and microservices environments, where these kinds of vulnerabilities are most dangerous.

“Security and IT teams know we have to change passwords regularly and why. But we haven’t applied the same logic to machine identities, even though they provide even higher levels of access than most passwords. The reality is that most keys and certificates aren’t changed often, and a surprising number are never changed. These are the machine identities that are most at risk from PortSmash.”
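The prerequisite the article names, a physical core running two hardware threads, is something a defender can audit directly. The C program below is an added example, not code from the article or from the PortSmash researchers; it assumes the Linux sysfs layout (/sys/devices/system/cpu/smt/active on kernel 4.19 and later, and cpuN/topology/thread_siblings_list on any kernel) and reports whether sibling threads exist on the host.

```c
// Added example (not from the article or the PortSmash researchers): check a
// Linux host for the PortSmash prerequisite, simultaneous multithreading, by
// reading the kernel's sysfs knobs. Assumed paths: /sys/devices/system/cpu/smt/active
// (kernel 4.19 and later) and /sys/devices/system/cpu/cpuN/topology/thread_siblings_list.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Parse a Linux CPU-list string such as "0,4" or "0-1" (the format used by
// thread_siblings_list) and return how many logical CPUs it names, or -1 if malformed.
int cpulist_count(const char *s) {
    int count = 0;
    const char *p = s;
    while (*p != '\0' && *p != '\n') {
        char *end;
        long lo = strtol(p, &end, 10);
        if (end == p || lo < 0) return -1;            // not a number
        long hi = lo;
        if (*end == '-') {                             // range "lo-hi"
            p = end + 1;
            hi = strtol(p, &end, 10);
            if (end == p || hi < lo) return -1;
        }
        count += (int)(hi - lo + 1);
        p = end;
        if (*p == ',') p++;
        else if (*p != '\0' && *p != '\n') return -1;  // unexpected character
    }
    return count;
}

// Read the first line of a small sysfs file into buf; returns 1 on success.
static int read_first_line(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    int ok = fgets(buf, (int)cap, f) != NULL;
    fclose(f);
    return ok;
}

// 1 if the kernel reports SMT active, 0 if inactive, -1 if the knob is absent
// (older kernels), in which case the caller falls back to the topology walk below.
int smt_active(const char *sysfs_root) {
    char path[512], buf[16];
    snprintf(path, sizeof path, "%s/devices/system/cpu/smt/active", sysfs_root);
    if (!read_first_line(path, buf, sizeof buf)) return -1;
    return buf[0] == '1' ? 1 : 0;
}

// Number of logical CPUs that share a physical core with at least one other
// logical CPU. Any positive value means two processes can be co-scheduled on
// sibling threads of one core, which is what PortSmash requires.
int cpus_sharing_core(const char *sysfs_root) {
    int sharing = 0;
    for (int cpu = 0; cpu < 4096; cpu++) {
        char path[512], buf[256];
        snprintf(path, sizeof path,
                 "%s/devices/system/cpu/cpu%d/topology/thread_siblings_list",
                 sysfs_root, cpu);
        if (!read_first_line(path, buf, sizeof buf)) continue;  // offline or absent CPU
        if (cpulist_count(buf) > 1) sharing++;
    }
    return sharing;
}

int main(void) {
    const char *root = "/sys";
    int active = smt_active(root);
    int sharing = cpus_sharing_core(root);
    printf("smt/active: %s\n",
           active < 0 ? "not available" : (active ? "1 (SMT on)" : "0 (SMT off)"));
    printf("logical CPUs sharing a core: %d\n", sharing);
    if (active == 1 || sharing > 0)
        printf("SMT is in use: co-scheduled code can share a core's execution ports\n");
    return 0;
}
```

If it reports SMT in use, the options are to disable SMT (the Linux `nosmt` boot parameter, or writing `off` to /sys/devices/system/cpu/smt/control) or to keep untrusted workloads off the sibling threads of cores that run key-handling processes.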

Categories: Cyber Risk News

SCOTUS Refuses to Hear Appeal of Net Neutrality

Tue, 11/06/2018 - 12:44

With no explanation, the Supreme Court declined to hear an appeal of the net neutrality case, according to The Hill. Justice Kavanaugh and Chief Justice John Roberts recused themselves from the vote.

In opting not to hear the case, SCOTUS leaves in place the existing high court ruling that the FCC has the authority to regulate broadband like a public utility, which supporters of the 2015 Net Neutrality regulations, established by the Obama administration, saw as a win.

The appeal came from USTelecom, a trade group that represents internet service providers (ISPs). In conjunction with the Trump administration, USTelecom requested that the ruling from the US Court of Appeals for the District of Columbia Circuit be overturned on the basis that the Federal Communications Commission has no congressional authority to impose common-carrier obligations on broadband internet access service, The Hill said.

As a result of the existing high court ruling, ISPs cannot block or throttle web content, nor can they create fast lanes for pay.

"We’re grateful that a majority of the justices saw through the flimsy arguments made by AT&T and Comcast lobbyists," said Matt Wood, the policy director at Free Press, in a statement. "The ISPs went all out to push FCC Chairman Ajit Pai to repeal the agency’s net neutrality rules – and then ran to the Supreme Court looking for a do-over on earlier cases that rightly upheld those rules. There was absolutely no reason for the Supreme Court to take this case, and today’s denial puts to bed the chances of upending the correct appellate-court decisions."

Despite the Supreme Court decision to not hear the case, Republicans remain hopeful that the FCC’s vote last December to repeal net neutrality rules will be upheld, though that decision is being challenged before the DC Circuit.

At issue is which body has the power to determine broadband as an information service. Jonathan Spalter, CEO of USTelecom, and other supporters of the Restoring Internet Freedom order, which negated net neutrality, believe broadband is an information service.

"[The Restoring Internet Freedom order] remains the law of the land and is essential to an open internet that protects consumers and advances innovation," Spalter reportedly said in a statement.

Categories: Cyber Risk News

Fake Telegram Apps Used to Spy on Iranian Users

Tue, 11/06/2018 - 12:04

Security researchers have uncovered several Iranian state-sponsored campaigns which they suspect are used to spy on domestic users of the banned Telegram and Instagram apps.

Cisco Talos explained that the campaigns “vary in complexity, resource needs and methods” but use three main vectors: fake apps, phishing pages, and BGP hijacking.

The apps capitalize on a latent demand for Telegram and Instagram apps given they are banned in the Islamic Republic. Telegram is estimated to have as many as 40 million users in the country and has been used in the past to organize popular protests against the authoritarian government.

“Once installed, some of these Telegram ‘clones’ have access to mobile devices' full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to back-end servers, which allows the attacker to take full control of the account in use,” Cisco explained.

However, the apps are only classified as greyware or PUPs, because they do still carry out legitimate functions such as sending messages. This makes it more difficult for researchers to detect them.

“We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps,” said Cisco. “Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country.”

Also discovered were classic phishing attacks spoofing Telegram log-in pages with domains which Cisco linked to the state-sponsored Charming Kitten group.

Finally, the researchers observed BGP hijacking activity involving an Iranian telco, which could have been used to compromise communications. Cisco branded it “a deliberate act targeting Telegram-based services in the region.”

The firm stopped short of providing a solid link between the three attack types aside from their focus on Telegram, and admitted they could be used by any malicious actor, state-sponsored or not.

However, given the history of how the app is used in the repressive state, and the link to Charming Kitten, it would be understandable to assume Tehran has a hand in them.

Categories: Cyber Risk News

UK Government Warns Telcos of 5G Security Review

Tue, 11/06/2018 - 11:02

The UK government has reminded 5G network providers to ensure their suppliers are heavily vetted for security, in what could signal a change of approach to a major Chinese telecoms player.

The 5G supply chain of several UK telecoms firms may be impacted by a review of the UK’s infrastructure launched in July, according to a letter penned to the firms by DCMS head of digital, Matthew Gould, and National Cyber Security Centre (NCSC) boss, Ciaran Martin.

Although Huawei was not named, the letter stated that the “outcome of the review may lead to changes in the current rules,” according to the FT.

That could be bad news for the Shenzhen giant, which has already been blocked from competing in 5G by the US and Australian governments on national security fears.

Those fears were further stoked by a report in The Australian over the weekend citing a national security source that claimed Huawei staff helped Chinese intelligence “get access codes to infiltrate a foreign network.” It’s a story the telecoms kit maker has strenuously denied.

Even before this, there were signs of a changing relationship with Huawei in the UK, which has historically been more friendly to the firm.

In July, the Huawei Cyber Security Evaluation Centre (HCSEC), overseen by GCHQ, highlighted significant shortcomings in the firm’s processes that “exposed new risks in UK telecoms networks.”

The report concluded that the HCSEC has “only limited assurance” that Huawei equipment poses no threat to national security.

BT and Three are both said to be working with Huawei on 5G networks.

The move comes as new data reveals the effect of growing US-China tensions on Huawei’s Shenzhen rival ZTE.

The number of ZTE smartphones on prepaid operator shelves fell 48% from June 2018 to September 2018 as carriers backed away from the firm following political pressure, according to GlobalData.

Washington banned US suppliers from selling to it, after it broke an agreement not to sell handsets to Iran and then lied about it.

ZTE has already been labelled a national security risk by GCHQ.

Categories: Cyber Risk News

National Guard on Standby for Midterm Election Day

Tue, 11/06/2018 - 10:28

Cyber units from the National Guard have been supporting several states in the run-up to the mid-term elections and are standing by in the event of any incident today, according to reports.

Wisconsin, Washington and Illinois have been confirmed as using the reserves to help improve cyber resilience, but there are likely to be more states doing the same.

In the north-west, the Washington Air National Guard has been supporting the state's Office of the Secretary of State in what has been dubbed a “great partnership” of “outstanding cooperation” by Kenneth Borchers, commander of the 252nd Cyberspace Operation Group, according to Guard News.

The initiative began with a two-week assessment of the relevant IT networks, followed by a similar time frame devoted to making system improvements, and finally a search for any deeper problems.

"We call it the hunt mission. Now that we have situational awareness, we've secured terrain, we're going to do a deep dive and see what we can find,” said Thomas Pries, commander of the 262nd Cyberspace Operations Squadron.

On Friday it was revealed that Wisconsin National Guard cyber-response teams had been put on standby by Governor Scott Walker to assist if any serious incidents arise on election day.

As part-timers, National Guard troops have jobs outside of their role with the reserve military, which means cybersecurity skill levels can sometimes be higher than in parts of the regular forces.

In fact, lawmakers introduced a bipartisan bill last year designed to give the Department of Defense greater visibility into cybersecurity skills capabilities in the National Guard, in case it needs to draw upon this reserve in times of crisis.

“Our National Guard is uniquely positioned to recruit and retain some of our best cyber warriors, and this bill would help make sure that our military is taking advantage of this extraordinary talent,” said bill co-sponsor, senator Kirsten Gillibrand, at the time.

Categories: Cyber Risk News

Veracode Acquired by Thoma Bravo and Splits from CA After Broadcom Deal

Mon, 11/05/2018 - 17:09

Private equity investment firm Thoma Bravo has agreed to acquire Veracode for $950 million, on the same day that its parent CA Technologies was acquired by Broadcom for a reported $18.9 billion.

Veracode was acquired by CA Technologies in March 2017 for $614m. The Thoma Bravo deal announced today is expected to close in Q4 of 2018.

“In today’s digital economy practically every company is turning into a software company through their own digital transformation,” said Chip Virnig, a partner at Thoma Bravo.

“As these companies continue to build complex applications, many of which contain sensitive data, the applications themselves increasingly become the target of more sophisticated and omnipresent cyber-attacks. As such, applications need to be built with security in mind day one, and we see a significant, growing market opportunity for Veracode’s product offerings.”

Broadcom is a designer, developer and supplier of products based on analog and digital semi-conductor technologies. The acquisition will see CA Technologies operate as a wholly owned subsidiary of Broadcom.

Sam King, current senior vice president and general manager of Veracode, will become the CEO of Veracode following the close of the transaction. She said that partnering with Thoma Bravo, a proven security software investor, is expected to extend its market reach “and further fuel our innovation so that we can offer the broadest software security platform and empower us to accelerate growth — all to allow us to transform the way companies achieve their software security goals.”

The announcement follows last month’s news that Thoma Bravo had acquired Imperva for around $2.1 billion.

“As long-term investors in cybersecurity software, we are impressed with the speed and quality of innovation at Veracode,” said Seth Boro, a managing partner at Thoma Bravo.

Categories: Cyber Risk News

Magecart Strikes Again, and Kitronik Is Latest Victim

Mon, 11/05/2018 - 16:08

Magecart, the payment-card–skimming malware, has claimed another victim: Kitronik, a leading UK supplier of electronic project kits, according to recent news from The Register.

Kitronik suffered a data breach that may have exposed names, email addresses, card numbers, expiry dates, CVV security codes and postal addresses. The Register reported having seen an email written by Geoff Hampson, resident electronics expert for Kitronik, in which he told customers that the malware had been discovered.

"Anyone that has followed the news in recent months will be aware of the malicious software ‘Magecart’ that has been recording customers’ key presses on such high profile websites as British Airways and Ticketmaster. The malicious software records key presses at the checkout stage, to capture sensitive details. From some point early in August until mid-September the same malicious software has been present on the Kitronik website," Hampson wrote.

It is believed that the details were swiped at the checkout stage, and Hampson added that customer accounts established prior to August would not have been impacted, though he was not able to confirm how many customers might have been affected.

“Payment-card–skimming malware continues to be a security challenge for retailers around the globe,” said Rich Campagna, CMO, Bitglass. “British Airways, Newegg, and now Kitronik have all been victims of Magecart’s malware, highlighting the need for security solutions which monitor for vulnerabilities and threats, across all devices and applications, in real time.

With these capabilities, retailers can be proactive in detecting and thwarting breaches before they happen, ensuring that their customers’ sensitive information is protected.”

Magecart is a known malware that has proven successful in attacking other major companies very recently, and Kitronik had protections in place to monitor fraud. In his email to customers, Hampson noted, “Although we have a mechanism in place to alert us if the code on the website changes, this attack was very sophisticated and bypassed that code by making changes to the website database.”

Categories: Cyber Risk News

Stolen Data Valued at Less Than $50 on Dark Web

Mon, 11/05/2018 - 15:43

Cyber-criminals could sell someone’s complete digital life – including social media accounts, banking details, app data, gaming accounts and even remote access to servers or desktops – for less than $50 on the dark web, according to a new study from Kaspersky Lab.

The research is based on an investigation of dark web markets, revealing that the price paid for a single breached account is even lower – at about $1 each. Many criminals sell accounts in bulk and some even offer a “lifetime warranty,” so if an account a buyer has purchased stops working, they receive a new one for free.

Although the resale value of stolen data is low, cyber-criminals can still use it in many ways, from stealing money to committing crimes under the disguise of someone else’s identity.

Starting from the question of how much our lives are worth, David Jacoby, senior security researcher at Kaspersky Lab, set out to understand the dollar value placed on our stolen data. Jacoby not only considered our personal possessions but also factored in the private information we share on social media, our medical history and even aspects of our childhood. The research found that our identities can be stolen for a mere pittance.

In largely rudimentary but effective attacks, hackers are stealing data from popular services like Uber, Netflix and Spotify.


In one dark web forum, Jacoby found a Swedish passport for sale to the tune of $4000, and the vendor was reportedly offering up passports for almost every country in Europe. Even utility bills and fake invoices were up for grabs.

“It is clear that data hacking is a major threat to us all at both an individual and societal level, because stolen data can be used for many nefarious activities,” said Jacoby in a press release.

“Fortunately, there are steps that we can take to prevent this, such as using cybersecurity software and being aware of how much data we are giving away for free – particularly on publicly available social media profiles.”

Categories: Cyber Risk News

Kemp Investigates Dems, Not the Reported Vulnerability

Mon, 11/05/2018 - 14:58

When a registered voter in the state of Georgia discovered a major vulnerability in the state’s My Voter Page, he brought it directly to the attention of lawyer David Cross, partner at Morrison & Foerster, who represented the Curling plaintiffs in the recent Georgia election security lawsuit. Cross said he alerted the FBI and Georgia Secretary of State Brian Kemp and his legal team.

What has ensued since then, according to Cross, is not an investigation into the vulnerabilities that threaten voter integrity or an effort to contact the reporting voter whose information was provided.

“From everything we’ve seen, instead of investigate, Kemp decided to politicize the issue and claim hacking by the Democratic Party,” Cross said, adding that the voter who brought the vulnerability to his attention is not affiliated with the Democratic Party.

The registered voter, whose name was not disclosed, went onto Georgia’s My Voter Page to look up his own information, said Cross. When he tried to update his information, he realized he was able to pull his information back but the system never confirmed that it was being pulled back.

“When he looked at the query, he noticed that he could potentially pull back any information just by changing the voter identification number. He didn’t confirm that,” said Cross, but brought the information to Morrison & Foerster, who brought it to the FBI and Kemp.

“We expected they would investigate, but as of this morning, the vulnerability is still there and they still had not contacted this voter. That’s the starting point for any investigation, but they are not doing that,” Cross said.

While Kemp has launched an investigation into the Democratic Party, alleging that it attempted to hack the voter system, the reported vulnerabilities remain unfixed, which Cross said is the real issue.

“Georgia voters need to check their voter registration information before tomorrow because right now there are potentially thousands of voters who could show up to vote tomorrow and not be able to because their information has been changed,” Cross said.

On Sunday’s State of the Union with Jake Tapper, Stacey Abrams, Democratic candidate for governor in Georgia, said of Kemp’s allegations, “This is a desperate attempt on the part of my opponent to distract people from the fact that two different federal judges found him derelict of his duties and have forced him to allow absentee ballots to be counted and those who are being held captive by the exact match system to be allowed to vote.

“He is desperate to turn the conversation away from his failures, from his refusal to honor his commitments and from the fact that he is part of a nationwide system of voter suppression that will not work in this election.”

Categories: Cyber Risk News

Equifax Set to Share More PII with Experian

Mon, 11/05/2018 - 11:52

Under-fire credit agency Equifax has turned to competitor Experian to extend credit monitoring to customers affected by a major breach in 2017, although this will mean sharing even more information with the third-party unless they opt-out.

The news came in an email Equifax is sending those who enrolled on its TrustedID Premier service following the catastrophic breach of 148 million users last year.

The firm is now offering a further year of credit monitoring via Experian’s IDnotify service.

Experian is already using Equifax customers’ names, addresses, dates of birth and Social Security numbers in order to provide file monitoring as part of TrustedID Premier. However, the new deal will involve the company also getting hold of their phone numbers and email addresses, unless they opt-out.

“Experian will only use the information Equifax is sharing to confirm your identity and securely enroll you in the Experian product, and will not use it for marketing or solicitation,” the note reads, according to Krebs on Security.

However, some may feel uneasy about sharing yet more information with a third-party — especially one which itself has suffered a major data breach in the past. Around 15 million US consumers had their details exposed in a 2015 incident.

Paul Bischoff, privacy advocate with Comparitech, argued that the decision to share this contact info “mainly serves the credit bureaus and not breach victims.”

“Without consent, Equifax unilaterally made a decision to share contact info of people who signed up for its TrustedID program — many of whom registered out of fear of consequences from Equifax's own catastrophe,” he added. “If TrustedID users take no action, their personal information is shared with a third party and they receive no benefit. Users must either affirmatively opt-out of the data sharing or enroll in Experian's similar credit monitoring program, IDnotify.”

What’s more, credit monitoring will not help those affected by the Equifax breach prevent identity theft taking place. Instead, it only notifies once a fraudster has already stolen one’s identity, according to experts.

“A better solution would be to put a credit freeze on your credit report, but doing so cuts into the credit bureaus' bottom lines,” said Bischoff. “A credit freeze blocks creditors from viewing your credit report, a service that creditors pay credit bureaus for.”

Categories: Cyber Risk News

Dozens of Spies Killed Thanks to Flawed CIA Comms

Mon, 11/05/2018 - 10:52

A flawed online communications system developed by the CIA was exposed to Google’s web crawlers, ultimately leading to the execution of dozens of spies, according to a new report.

The unnamed platform was cracked by Iranian intelligence after a tip-off by a double agent revealed the website they used to communicate with their CIA handlers. Google searches allowed them to locate other secret CIA websites and, from there, start to pick apart the entire spy network, according to Yahoo News.

This all started in 2009 after Tehran went looking for US moles following the announcement by the Obama administration of the discovery of a secret underground enrichment facility.

However, the impact was felt globally, most probably after Iran shared its intelligence with China, a move which ultimately led to an estimated 30 CIA spies being executed by Beijing and the collapse of its network there.

This “catastrophic” chain of events left 70% of the CIA’s spy network potentially exposed to compromise at one point between 2009 and 2013, according to the report.

The after-effects are apparently still being felt today.

The problem stemmed from over-confidence among US officials in the use of the platform in hostile states like Iran and China where rigorous state monitoring makes it difficult to communicate in secret.

“It was never meant to be used long term for people to talk to sources,” said one former official. “The issue was that it was working well for too long, with too many people. But it was an elementary system.”

Another issue highlighted by the report was the lack of accountability for the failure in the intelligence services, and the sacking of a whistleblower who first brought the problem out into the open back in 2011.

“Our biggest insider threat is our own institution,” remarked a former official.

Categories: Cyber Risk News

Over 80,000 Facebook User Accounts Compromised

Mon, 11/05/2018 - 10:11

Malicious browser extensions could be behind a compromise of at least 81,000 Facebook accounts which were put up for sale on the dark web, according to reports.

Those behind the attack told the BBC Russian Service that they had access to 120 million accounts, although this has been branded “unlikely” by Digital Shadows, whose researchers were called in to investigate.

In fact, the seller, “FBSaler,” provided a total dataset to reporters of around 257,000 profiles. Just 81,000 are certain to have been compromised, as private messages were included. The remaining 176,000 may have simply had profile information like names, addresses, contact numbers, and interests taken because accounts were left wide open by users.

The accounts are not thought to be linked to the Cambridge Analytica scandal, or the more recent breach of 30 million accounts which occurred after attackers obtained access tokens.

“The method used to obtain the accounts remains unconfirmed, though Facebook believe malicious browser extensions could have been used. Facebook have still not been definitive about this, though it said it had contacted browser makers to ensure that known malicious extensions are no longer available to download in their stores,” said Digital Shadows.

“A rogue survey application as used by Kogan is known to have worked in the past; however, account takeovers achieved through credential harvesters, for example, are also a possibility. While a variety of separate breaches may have been used to compile the dataset, it is more likely a single approach was used given the consistency of the data in the dump.”

The largest number of profiles (30%) are Ukrainian, followed by Russia (9%), although users from the US, UK and Brazil are also said to be represented.

“Regardless of attribution, motives and the method of collection, the exposure of private messages where people share information they would not usually post publicly on their Facebook feeds is a potentially worrying development,” the firm warned. “Sensitive information may be used for extortion or identity fraud, while it’s not unheard of for individuals to share financial information such as banking details over private messages.”

The accounts were originally for sale for around $0.10 each on the BlackHat SEO forum, although the report claimed the advert has since been taken down, according to the BBC.

Categories: Cyber Risk News

Stuxnet Returns, Striking Iran with New Variant

Fri, 11/02/2018 - 14:29

Iran’s critical infrastructure and strategic networks were attacked with what is reportedly a more sophisticated variant of the decade-old Stuxnet malware, according to Reuters. Gholamreza Jalali, head of Iran’s civil defense agency, told reporters that the newly discovered next generation of Stuxnet, which was trying to enter the systems, consisted of several parts.

At a live press conference on October 28, Iran’s Supreme Leader Ayatollah Ali Khamenei said, “In the face of sophisticated methods used by enemies in their onslaught, the passive defense must be totally vigilant and serious.”

Reports from The Times of Israel raise questions about the attacker’s motivation, noting that news of the attack came hours after Israel said its intelligence agency, Mossad, had thwarted an Iranian murder plot in Denmark.

While no one is pointing the finger of blame in any direction just yet, “the ‘new Stuxnet’ attack is the latest indicator of the cyber-war that many governments are actively engaged in,” said Broderick Perelli-Harris, senior director of professional services at Venafi. “The details are still patchy, but it seems that Israeli intelligence relied on an old attack blueprint here.

“In the initial Stuxnet attack, the US and Israeli governments used stolen machine identities to infect Iranian nuclear centrifuges with the virus. Now, over 22 million pieces of malware use that blueprint to attack organizations and states alike across the world – all the signs point to the same method being used again here. It’s easy for organizations and governments to ignore when it’s used against an adversarial state, but the blueprint remains ‘in the wild’ for cyber-criminals to exploit.”

Given that cyber-weapons are prone to boundless proliferation, Perelli-Harris warned that this new Stuxnet variant should serve as a reminder that governments need to think very carefully when they are creating cyber-arms so that they do not escalate the problem. Once in the wild, they are impossible to control.

As is evidenced by the new generation of Stuxnet, cyber-arms can escalate into more violent, advanced and sophisticated variants. “Considering that subsequent variations on Stuxnet, namely Flame, Duqu, Stars, Shamoon and Nitro Zeus all had different payload delivery methods from their grandparent, it’s entirely plausible that the new generation of Stuxnet does also and that it will continue to evolve,” said Lewis Henderson, vice president of product marketing at Glasswall Solutions.

“With operators of critical national infrastructure unable to progress and update their operational technology at the same pace as their IT counterparts, there are known gaps and weaknesses that simply aren’t getting plugged. We can only hope news of this new version of Stuxnet has reached the highest level of decision making – because we’ve already seen what happens when you use old technology to fight a new adversary.”

Categories: Cyber Risk News

Bluetooth Bugs Speak to Lack of Security in DevOps

Fri, 11/02/2018 - 14:25

Researchers found two vulnerabilities that could impact popular wireless access points and compromise enterprise networks if exploited, according to TechCrunch.

The pair of bugs were reportedly found in chips built by Texas Instruments. Networking device makers such as Aruba, Cisco and Meraki commonly build the Bluetooth Low Energy chips into their line-up of enterprise wireless access points. While the two bugs differ in the range of models they affect, researchers said that both could allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks, according to TechCrunch.

“As the researchers point out, the vulnerability is not in the protocol but rather in the way the protocol has been implemented on the affected chipsets,” said Nick Murison, managing consultant, Synopsys Inc. “This underscores the importance for vendors to test that their implementations not only adhere to the protocol specification but also respond in a secure manner when presented with malformed traffic.”

Taking proactive steps throughout the entire development life cycle can thwart these types of bugs, minimizing their ability to survive all the way through to production, Murison said. “Using static code analysis during development can identify unsafe use of buffers, integer overflows and many other similar types of issues. Unit and integration test suites can be written to not only execute positive functional tests but also perform negative and boundary testing.

“Most companies that do any significant level of software development these days will be leveraging continuous integration pipelines to automatically build and test software from a quality perspective; such pipelines can easily be adapted to also include security-specific testing, such as static analysis and fuzzing.”

Developers also need to understand the repercussions of such implementation bugs, which should come from enterprise training that begins at the design phase, according to Murison. “As part of the design phase, companies should also be looking at threat modeling or architecture risk analysis to identify potential security weak spots, and look for opportunities to make the overall solution secure by design.”

Categories: Cyber Risk News

New Data Protection Act Calls for Jail Time, Fines

Fri, 11/02/2018 - 14:16

A new Consumer Data Protection Act was proposed on October 31 by Senator Ron Wyden from Oregon. The senator has long been an advocate of cybersecurity and privacy issues, and his new bill proposes strict penalties – including fines and prison time – for companies that violate consumer privacy, according to a press release.

The draft proposes amending the Federal Trade Commission Act to hold entities that use, store and share personal information more responsible for the data they collect and would apply to companies with more than $50 million in revenue and personal information on more than 1 million people. The act excludes data brokers or commercial entities that, “as a substantial part of their business, collects, assembles or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.”

Presumably, small to medium-sized businesses (SMBs) would fall outside the scope of this legislation, and Colin Bastable, CEO of Lucy Security, said that would bode well for SMBs. “These are the businesses that struggle to afford advanced security technology. They lack the people and the skills to defend their customers’ confidential data from hackers. Therefore, in addition to legislation, we must encourage all organizations, employees and consumers to prepare for the inevitability of successful attacks – teach, train and test, continuously.”

This newest proposed legislation adds to the growing collection of data privacy acts already pending on Capitol Hill, including another Consumer Data Protection Act (this one introduced in 2017 by Sen. Robert Menendez), the Data Breach Prevention and Compensation Act (DBPCA), CLOUD Act and the ENCRYPT Act.

“Recent events like the Equifax data breach, Cambridge Analytica, Facebook and more have fueled the fire and will enable these to gather substantial support on both sides of the aisle as cybersecurity and data privacy issues remain front and center to everyone’s constituent needs,” said Pravin Kothari, CEO of CipherCloud.

“The congestion on Capitol Hill will tell you that these bills will likely be rolled up as one, most likely before they leave the Senate. Legislation is likely to be omnibus and then will replace the myriad of conflicting state efforts to provide similar legislation.”

Certainly data privacy has gained broad-level awareness, and Brian Vecci, technical evangelist at Varonis, said that even if Sen. Wyden's proposed privacy bill doesn’t become law right away, it’s clear that the tide is shifting in favor of privacy.

“Companies may really be forced to think of their data like their dollars and could face penalties if information is mishandled and exposed as part of a breach. Privacy is becoming top of mind for consumers and voters, and companies that have taken steps to meet the obligations of other privacy frameworks like the GDPR are clearly going to be ahead of everyone else.”

Categories: Cyber Risk News

ICO Fines Nuisance Call Firms £220,000

Fri, 11/02/2018 - 10:49

The Information Commissioner's Office (ICO) has been in action again, this time fining two nuisance call companies that tried to sell home security services specifically to individuals who had opted out.

The UK’s privacy watchdog issued the fines under the Privacy and Electronic Communications Regulations (PECR), which governs nuisance marketing. The maximum penalty possible is £500,000.

Individuals who sign up to the Telephone Preference Service (TPS) do so to avoid unsolicited marketing calls.

However, ACT Response of Middlesbrough was behind 496,455 marketing calls to TPS subscribers and was fined £140,000, while Secure Home Systems (SHS) of Bilston, West Midlands, was fined £80,000 for making calls to 84,347 TPS-registered numbers.

The ICO claimed the latter used call lists bought from third parties without screening them first. Interestingly, the two companies called individuals “live” rather than using automated systems. The script used by ACT Response even asked people whether they were registered with the TPS, according to the ICO.

The two garnered hundreds of complaints to the watchdog, with SHS calls dating back as far as two years.

“These fines should set alarm bells ringing and deter marketing companies across all sectors that are contacting people without their consent. It is a company’s responsibility to make sure that it has valid consent to make these calls,” said ICO group enforcement manager, Andy Curry.

“The TPS is there for a reason – to protect people’s privacy and ensure that marketing companies obey the law. Marketing companies failing to take the basic step of checking TPS can expect robust enforcement.”

The ICO has slapped major fines on companies like Keurboom Communications (£400K), Miss-Sold Products UK (£350K), Your Money Rights (£350K) and more over the past year.

However, the directors behind these firms often try to escape punishment by declaring bankruptcy, only to set up new businesses. That’s why a leading consumer rights group campaigned in August for government action.

According to Which?, the government agreed two years ago that from spring 2017, directors of firms responsible for nuisance calls could each be fined up to £500,000 by the ICO if they breached the PECR. Yet so far it has failed to introduce such measures.

Categories: Cyber Risk News

Radisson Hotel Group Spills Customer Data

Fri, 11/02/2018 - 10:17

Radisson Hotel Group has become the latest big brand in the sector to suffer a data breach, after admitting that a "small percentage" of loyalty club members had their personal information accessed by an unauthorized person.

The notification statement is worded in such a way as to hint that the attacker may have gained access first to staff accounts, which in turn exposed the customer data.

“Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior,” it noted.

Although the breach didn’t affect credit card or password information, it did expose Radisson Rewards member names, addresses, email addresses and, in some cases, company names, phone numbers, Radisson Rewards member numbers and frequent flyer numbers.

That could be useful for “specific, low incidence, criminal use cases” according to Ross Rustici, senior director of intelligence services at Cybereason.

“Unlike a large-scale credit card breach, the most likely way this information is to be monetized is through enhancing a pattern of life analysis on particular individuals, either high net worth or people with specific access to something,” he continued. “This type of information is far more useful for an intelligence targeting package than for large-scale monetization.”

Given that the chain operates under numerous brands with 1,400 hotels all over the world, the GDPR is likely to come into play here.

That could spell trouble, given the firm said it identified the incident on October 1, almost a month before notifying.

“Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations,” said Rustici.

Categories: Cyber Risk News

SIM Swap Danger as Telco Staff Waive ID Checks

Fri, 11/02/2018 - 09:49

The perils of SIM swap fraud have been highlighted again after an undercover film crew revealed O2 and Vodafone employees apparently handing over replacement cards without carrying out proper identity checks.

Secret filming showed two Vodafone staff failing to follow strict security policies to check the identity of the person requesting the replacement SIM card in-store, according to the BBC’s Watchdog Live.

Meanwhile, O2 staff failed to check photo ID, which is policy for all monthly contract SIMs. The firm told the program that it also sends an authorization code to any Pay As You Go customers alerting them if someone is trying to use their number, but this was not received during the filming.

SIM swap fraud is sometimes used by scammers to spend large sums on premium rate numbers they run, but increasingly it can also be used to intercept two-factor authentication codes sent by banks so that customers can ‘securely’ access their accounts.

It is made more prevalent not only when telco store employees fail to carry out the proper checks, but also by the large volume of identity data on the dark web, which fraudsters can use to impersonate legitimate customers.

“From a financial institution standpoint, many have already started to make the switch to mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being able to be protected with application shielding technology and give banks a stronger interface for doing business with their customers,” explained Will LaSala, director of security solutions at OneSpan.

“Consumers should check to see if their bank already offers a mobile app and then enable PUSH two-factor authentication as soon as possible while disabling SMS two-factor authentication. SMS is a good method for notifying users of account notifications, such as account modifications and transactions, but it should not be used to allow privileged access.”

SIM swap fraud could also come as a result of malicious insiders working with criminal gangs.

In August, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud, allowing criminals to transfer millions from his bank account.

Categories: Cyber Risk News

Email a Top Attack Vector, Users Can't ID a Fake

Thu, 11/01/2018 - 14:24

Emails continue to be cyber-criminals' vector of choice for distributing malware and phishing, according to a report released today by Proofpoint.

The Quarterly Threat Report Q3 2018 found that the frequency of email fraud attacks and the number of individuals targeted per organization are continuing to rise. Credential-stealing banking Trojans comprised 94% of malicious payloads, and the number of malicious URLs grew, making them a more common attack vector than malicious attachments.

Emails attempting to steal corporate credentials increased over 300% between the second and third quarters of 2018.

In addition, the research indicated that social media platforms have done an excellent job of combating phishing links, resulting in a 90% decrease in attacks year-over-year. However, phishing attempts that leverage social-media-support fraud, which relies on fake customer service accounts to fool people into handing over their personal data, reached their highest level ever in September.

The report also noted that this type of angler phishing increased 486% year-over-year.

While banking Trojans made up 46% of all malicious payloads, a whopping 90% of those were Emotet and Panda Banker (also known as Zeus Panda). Emotet was consistently used in large, almost daily campaigns by an actor researchers have identified as TA542.

Though ransomware has somewhat dissipated, dropping 10 percentage points from Q2 and comprising only 1% of the overall malicious messages, the report warned that it might not be forgotten just yet.

“We observed a return of ransomware, albeit at much lower levels than we saw in 2017. However, this spike appeared to be a ‘testing of the waters’ since ransomware message volumes dropped. This suggests that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale,” the report said.

In place of ransomware, attackers have shifted to downloaders and stealers, which accounted for 48% of all malicious payloads in Q3. Researchers identified three new downloaders, suggesting a trend towards the distribution of small-footprint malware that is a bit more stealthy and able to do more reconnaissance.

While there was a reduction in the number of spoofed sender identities – a significant 68% drop – an average of 27 people were targeted per attack, representing a 96% increase in target victims year over year. The report indicated that attacks continue to have success exploiting the human factor.

Categories: Cyber Risk News

Energy, Utilities Attacks Inside IT Networks Rise

Thu, 11/01/2018 - 14:14

According to a new report published by Vectra, there is a key distinction between attacks that probe IT networks for information about critical infrastructure and those attacks that actually target industrial control systems (ICSs). The 2018 Spotlight Report on Energy and Utilities found that most cyber-attacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.

Given these findings, detecting hidden threat behaviors inside enterprise IT networks before attackers have a chance to spy, spread and steal becomes all the more critical, according to the report. Attackers are taking their time and carefully orchestrating attack campaigns so that they occur over the course of several months.

Analyzing specific attacker behaviors in recent campaigns used to steal vital ICS information, the report found that “in multiple instances, threat actors accessed workstations and servers on a corporate network that contained data output from the ICS inside energy generation facilities. This involved suspicious admin and suspicious Kerberos account behaviors.”

Often lasting several months, these slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials, the study found. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.

“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates. “This is one of the most crucial risk areas in the cyber-attack life cycle.”

The report, based on observations and data from the 2018 Black Hat Conference Edition of the Attacker Behavior Industry Report, also found that during the command-and-control phase of attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads. Also in every 10,000 host devices and workloads, 314 lateral movement attack behaviors were detected. And during the final stage of the attack life cycle, the exfiltration phase, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.

Categories: Cyber Risk News