Aviation Security Identity Cards (ASICs) are intended to prevent criminals and terrorists from gaining access to restricted areas in airports, as well as to airplanes, but Australian-based Aviation ID, a company that issues ASICs, has been hacked.
The company, which services regional and rural airports throughout Australia, reportedly received emails alerting it to the possibility that the ASIC application had been stolen. As is now required under Australia’s new privacy act, which went into effect in February 2018, Aviation ID notified hundreds of people who had applied for or renewed their ID cards that their information might have been compromised.
Reported yesterday by Australian Broadcast (ABC), the hack of the third-party supplier isn't necessarily big in number, but it's serious in terms of airport security, as airports are part of Australia’s critical infrastructure.
“A localized portion of our website has been intentionally accessed by an unauthorized entity,” Aviation ID managing director Ian Barker told the ABC.
"Unfortunately, we cannot confirm exactly what information has been accessed; however, personal information that may have been breached includes name, street address, birth certificate number, drivers licence number, Medicare card number and ASIC number," said Barker.
Australian Federal Police (AFP) confirmed that it is investigating the hack and declined to comment on any details. Commentators have speculated about the motives of such an attack. “The attackers may have accessed the database for the cards that are created and used to authenticate authorized personnel on the airport grounds,” said Pravin Kothari, founder and CEO of CipherCloud.
“Did the cyber-attackers also steal the graphics files and images necessary to reproduce and clone these ID cards?" Kothari continued. "Beyond the security risks, the data to produce the ID cards seems to have included names of the airport personnel, addresses, birth certificate numbers, driver's license numbers, Medicare card numbers and more. This comprehensive data could enable ID theft and even worse, financial fraud.”
Within two days of news that GandCrab 4.0 ransomware was being distributed by compromising websites disguised as download sites for cracked applications, a newer version (v4.1) was found using the same method, according to Fortinet’s FortiGuard Labs.
A distinction not observed in the previous version is that GandCrab now includes an additional network communication tactic, as well as an unusually long hard-coded list of compromised websites to which it connects. “We found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab,” researchers wrote.
One binary reportedly has the ability to include almost a thousand unique hosts that have been compromised. Upon connecting to a URL, the malware then sends encrypted data about its victims, which in some cases included IP address, user name, computer name, network domain and a list of installed AVs.
“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes," said the researchers. "With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humor."
Reports this week alleging an “SMB exploit spreader” capability prompted the researchers, who had not observed this functionality in their previous analysis, to revisit their work, particularly since rumor suggested that this new version of GandCrab could self-propagate.
In the aftermath of global ransomware attacks, security experts fear such a threat. The researchers' investigation found that “a module that is now being called 'network f**ker' is supposed to be responsible for performing the said exploit...we could not find any actual function that resembles the reported exploit capability."
"We have provided this analysis to help prevent the possibility of unnecessary panic in the community," they wrote. "It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative."
E-commerce sites in the US and Western Europe are estimated to lose a whopping $18.6bn this year through fraud, according to a new Forrester report.
The market analyst compiled its figures from LexisNexis estimates that in 2017 the cost of fraud was just over 2% of revenue for e-tailers, and that the regions are expected to generate $859bn in revenues this year.
In response to the growing losses, it claimed that the fraud management solutions market would grow from $5bn last year to reach $10.4bn by 2023; a CAGR of 12.9%.
Although traditional enterprise solutions are expensive — typically ranging from $750,000 to $1.2m, with implementation adding another 40-50% in costs — they can automate and improve the accuracy of risk scoring, reducing false positives, the report claimed.
This can in turn reduce the investment needed in fraud personnel to review transactions.
However, customer friction remains a key differentiator for effective modern fraud prevention platforms, argued Forrester.
The report claimed that technological advances like AI will help to drive improvements in the accuracy and effectiveness of solutions going forward.
“It’s time consuming for fraud and risk management professionals to continually update fraud models, and it’s increasingly difficult to identify fraud across multiple channels including mobile,” it said. “To combat these threats, fraud management solution vendors are incorporating artificial intelligence tools, such as supervised and unsupervised machine learning, into their products.”
It also pointed to Blockchain as “the next evolution in fraud management.”
“Blockchain is a distributed and secure database, making it a trusted repository for device ID and known fraudster blacklists. Blockchain already secures payments and can be extended to enterprise fraud management,” the report claimed.
The importance of fraud prevention was highlighted recently by PayPal’s $120m acquisition of Simility, a pioneer in friction-free anti-fraud technology featuring machine learning.
Reports are emerging of a new sextortion campaign in which victims are asked to pay thousands of dollars in Bitcoin to keep quiet a supposed webcam video of them watching porn.
The unsolicited email attempts to trick the user into believing the extorter as it opens by revealing a genuine password linked to the recipient’s email address.
It then proceeds as follows:
“Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!)”
The victim is then required to make a massive Bitcoin payment — sometimes as high as $2900 — to stop the blackmailer sharing the ‘video’ with their contacts.
Several recipients of the email contacted KrebsOnSecurity, claiming the password was correct but nearly a decade old. The credentials were most likely obtained from a historic data breach or a dark web site.
Back in December 2016 the National Crime Agency (NCA) was forced to launch an awareness-raising campaign around online extortion, claiming thousands may be falling victim to webcam-based attacks every year.
It claimed that at least four suicides in the UK have been linked to sextortion, with the nature of the crime meaning it is likely being vastly under-reported.
The number of global organizations affected by crypto-mining malware more than doubled from the second half of 2017 to the first six months of this year, according to new data from Check Point.
The security vendor claimed in its Cyber Attack Trends: 2018 Mid-Year Report that the figure rose from just under 21% in the second half of last year to 42% in H1 2018, with cyber-criminals making an estimated $2.5bn over the past six months.
Those behind the trend are getting more sophisticated in how they spread crypto-mining malware, according to the report.
Where once the main threat vector was a simple website compromise, today infections could come via Facebook Messenger, YouTube ads or Google Play apps.
“Crypto-miners today target anything that could be perceived as being in their way. As a result, we have witnessed crypto-miners targeting SQL Databases, industrial systems, a Russian nuclear plant, and even cloud infrastructure. Crypto-miners have also highly evolved recently to exploit high-profile vulnerabilities and to evade sandboxes and security products in order to expand their infection rates,” the report claimed.
“The mobile arena was not deprived of crypto-mining attacks either. Last April, an Android Cryptominer dubbed HiddenMiner targeted numerous devices, continuously mining Monero until the devices’ resources were drained.”
Perhaps unsurprisingly, the top three most common malware variants spotted in H1 2018 were all crypto-miners.
Check Point also revealed that hackers are increasingly turning their attention to cloud storage and infrastructure, both in crypto-mining attacks and data theft.
Organizations are doing themselves no favors here by using weak passwords for their cloud accounts or even leaving credentials freely available on public source code repositories, the vendor added.
It claimed that 51% of organizations worldwide have experienced cloud-based attacks over the past year.
The report also pointed to an uptick in cross-platform malware, thanks to the rise in the number of consumer-connected devices and the growing market share of non-Windows operating systems.
Researchers from Masaryk University in the Czech Republic and Maryland Cybersecurity Center (MCC) monitored suspicious organizations and identified four that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a trove of Windows-targeted malware carrying valid digital signatures.
“Recent measurements of the Windows code signing certificate ecosystem have highlighted various forms of abuse that allow malware authors to produce malicious code carrying valid digital signatures,” researchers wrote. In their work, the researchers also discovered several cases of potentially unwanted programs (PUPs), revealing that along with their ability to sign malicious code, bad actors are also able to control a range of Authenticode certificates.
Gaining this type of unauthorized access has traditionally been easy for attackers using drive-by downloads and phishing, according to Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies. “And while endpoint security achieved some increases in efficacy over the last five years with the evolution of endpoint protection platforms, we only ever treated the symptom – and not the cause – of permissive access," Gumbs said.
“If an attacker can use a trusted signed certificate to install malware, then the malware will use the access rights granted to that user or the access rights left behind in the form of NTLM hashes to further penetrate the network," he continued. "While this development is a worrying one, applying a least access privilege model would reduce the threat greatly.”
Because the value of stolen data will more than make up for the cost of a stolen certificate, malicious actors are inclined to pay for certificates in order to fly under the radar of most protection tools so that they can hide in plain sight as authorized software. “Malware purveyors seem focused on deep technical things until you see their real focus is actually a core business concept: ROI. Criminals are in it for the revenue, and they understand you have to spend money to make money," added Jonathan Sander, chief technology officer at STEALTHbits Technologies.
The underground economy is growing because many organizations are rapidly expanding their use of code signing certificates. “They are foundational components in many applications and DevOps environments. Unfortunately, in many cases code signing certificates are secured by unsuspecting teams that are focused on delivering code quickly, which allows attackers to intercept them,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Organizations must have full control over every code signing certificate they use, especially during the software development pipeline and signing process,” Bocek said.
"While the data showed the gender pay gap in cybersecurity (-8%) is lower than the national average for all industries, this gap magnified when considering the average salary for a U.S.-based cybersecurity practitioner exceeds $100,000," the study wrote.
Despite the fact that women make up 47% of the workforce and hold more than half of all bachelor’s and advanced degrees, women still earn less than their male counterparts and comprise only 11% of the cybersecurity workforce, according to the 2017 Global Information Security Workforce Study.
Women hold fewer senior positions, as well, despite their higher levels of education. “This statistic has not changed since 2013, suggesting the industry needs to take a new approach to recruiting female cybersecurity practitioners if it intends to fill today’s 300,000 vacant cybersecurity positions,” InfoSec Institute wrote.
The study found that female students who commit to a career in cybersecurity confront challenges in the workplace that make them feel disenfranchised regardless of the certifications they hold. It states, “To analyze how much gender bias impacts women practitioners at a variety of certification levels, we pulled compensation and demographic data for 15 various IT and security certifications.”
Using data from PayScale.com, InfoSec Institute reported that on average women earn $103,052, while men who hold the same certificates earn $111,183. The InfoSec Institute report found that much needs to change in terms of gender pay disparity, but there is also good news.
Women in cybersecurity have the potential to earn far higher salaries than in other roles – doubling and sometimes tripling the national average for women in other industries. And with 300,000 open cybersecurity positions today and another 2 million projected openings by 2019, the industry needs all qualified candidates.
Hacks, breaches and security intrusions are in the headlines on a day-to-day basis, but these hacks aren’t all created equal. According to new analysis from HackerOne, the kind of intrusion differs by industry and breach type.
The Hacker-Powered Security Report 2018 compiled comprehensive analysis on the hacker-powered security environment, including a deep dive into different types of hacks across a wide variety of industries. The report also looked at the prevalence of each attack and found that cross-site scripting (XSS) vulnerabilities were the most common across every industry.
The report data was derived from the hacker community and from HackerOne’s platform data from May 2017 to April 2018. The company analyzed 78,275 of the security vulnerability reports it received in 2017. It’s worth noting that ethical hackers reported those vulnerabilities to over 1,000 organizations through HackerOne.
The total number of critical vulnerabilities reported increased by 26% over 2017. There were 38 times more insecure storage vulnerabilities reported in 2017 than in 2016. Many of these insecure storage vulnerabilities resulted in major breaches.
For healthcare and technology industries, of the top 15 vulnerability types reported, nearly 8,000 were related to information disclosure. The results of the analysis suggested that organizations are “vastly underprepared for effective discovery, communication, remediation and disclosure of vulnerabilities as 93% of the Forbes Global 2000 list do not have a policy to receive, respond and resolve critical bug reports submitted by the outside world. It means we are less safe as a society.”
In contrast, the analysis suggests that hackers and enterprises have much reason to be optimistic. The potential to earn a living as a hacker has grown substantially, with hackers in over 100 countries taking home $31m. Top earners brought home 2.7 times the median salary of a software engineer in their home country, with some reportedly earning up to 16 times more.
Other key findings that bode well for hackers are that governments are paving the way for widespread adoption of bug bounty programs and that many enterprises are adopting vulnerability disclosure policies (VDPs).
“Latin America had the largest uptake of VDPs and bug bounty programs, with an increase of 143% year over year. North America and the Asia Pacific region each increased 37%, and Europe, the Middle East, and Africa saw a combined 26% increase in the past year,” the report wrote.
Unknown and unsecure domains continue to be a problem for businesses.
According to RiskIQ’s The Anatomy of an Attack Surface: Five Ways Hackers are Cashing In report, the five ways were determined to be:
- Modern websites are built from plug-ins and third-party applications, many of which can be affected by common vulnerabilities and exposures
- Shadow IT and M&A activity create a monolith of unmanaged pages, domains and servers
- Phishing domains pretending to be recognized websites
- Mobile app stores continue to offer blacklisted apps
- Cryptomining software is prevalent on websites
RiskIQ mapped the global internet attack surface over a two-week period and found that 3,495,267 new domains were created (249,662 per day) and 77,252,098 new hosts, which included 1,713,556 WordPress plug-ins and 1,814,997 CMS instances overall. Of the Alexa top 10,000 domains, 3,390 were running one potentially vulnerable web component; 1,036,657 potentially vulnerable web components were found overall.
Fabian Libeau, VP of EMEA at RiskIQ, said that most attacks are still about making money. “People underestimate the complexity of the business,” he told Infosecurity. “A lot of focus was put on policy audits, like data center access controls, and financial services generally understood it but they do e-commerce with their customers and a lot of the issues are not about being focused.”
The second finding determined that organizations lack a complete view of their internet assets, with RiskIQ claiming that new customers typically find 30% more assets than they thought they had. Its research on the FTSE30 found that each company has, on average: 9,896 dormant websites, four websites with expired certificates, 616 websites collecting PII and 120 websites with a potentially critical-score CVE.
Libeau added that 50 websites studied were running the Private Web Server function of Windows 2000. He said: “Maybe they don’t think they are doing anything wrong if no-one knows about it?”
In Q1 of 2018, RiskIQ found 26,671 phishing domains impersonating 299 unique brands. Regarding cryptomining, an average of 495 new hosts were running miners each week in Q1, while 11 instances of cryptomining were found on FTSE30 websites.
“Some of the cryptomining scripts we found have been active for over 160 days, suggesting that organizations are failing to detect them,” the report said.
RiskIQ said that a takedown of a rogue domain can often be done in minutes, but often the attacker reappears with new domains after they have found new IP addresses.
Jay Huff, EMEA marketing director at RiskIQ, told Infosecurity that one of the problems is that “lots of companies don’t have external threat recognition, they have endpoint and network security but are lacking in an external firewall.”
Sensitive military documents detailing restricted information on tanks and drones have been discovered for sale on the dark web, after they were stolen by exploiting known vulnerabilities.
In June, Recorded Future made contact with an individual attempting to sell a cache of information including maintenance books and lists of airmen assigned to the MQ-9 Reaper drone.
The materials are not technically classified but could be of interest to a foreign power, the firm said.
More worrying was how the hacker managed to access the information.
“Utilizing Shodan’s popular search engine, the actors scanned large segments of the internet for high-profile misconfigured routers that use a standard port 21 to hijack all valuable documents from compromised machines,” the firm revealed.
The flaw in question was first revealed in Netgear routers in 2016 and can be locked down by changing the default FTP authentication credentials. However, Recorded Future claimed to have identified over 4,000 routers still exposed to this kind of attack.
“Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents,” it added. “The captain whose computer was compromised recently completed the Cyber Awareness Challenge and should have been aware of the required actions to prevent unauthorized access. In this case, setting the FTP password.”
Recorded Future then observed the same cyber-criminal attempting to sell information which appeared to have been stolen from the US military or a Pentagon official.
This included “a dozen various training manuals describing improvised explosive device defeat tactics, an M1 ABRAMS tank operation manual, a crewman training and survival manual, and tank platoon tactics.”
The incident should serve as something of a wake-up call to the US military in that it highlights what a “single hacker with moderate technical skills” was able to achieve in just a week.
Breached online firm Timehop has revealed more details about a security incident which affected 21 million people, which will be an interesting test case for GDPR regulators.
The firm originally said it discovered a network intrusion on July 4 resulting in the compromise of names, email addresses and phone numbers.
However, in an update on Wednesday it claimed the breached data also included dates of birth, gender of customers and country codes.
It provided a handy breakdown of which breached records were in scope for the GDPR: including 2.9 million name and email address combinations and 2.2 million name, email address and DOB records.
The firm admitted “messing up” with its incident response.
“In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything,” it said.
“With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed.”
It will be interesting to see whether Timehop’s efforts at transparency appease regulators, given that it was incapable of spotting the initial unauthorized use of one of its admins’ credentials to log in to a third-party cloud platform on December 19 2017.
After creating a new admin account, the hacker logged in on three separate occasions looking for PII, according to Timehop. By the time of a fourth log-in at the end of June, PII had unwittingly been moved into the cloud environment. The attacker then waited until the July 4 holiday before logging in again and stealing the database.
The ICO has said in the past that “those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
The Information Commissioner’s Office (ICO) is set to levy the maximum fine under the old data protection regime against Facebook for failings linked to the Cambridge Analytica scandal.
The privacy regulator issued a new report on Wednesday detailing its wide-ranging investigation into the use of data analytics for political campaigning.
It claimed to have issued a Notice of Intent to the social network for a monetary penalty of £500,000 “for lack of transparency and security issues relating to the harvesting of data constituting breaches of the first and seventh data protection principles under the Data Protection Act 1998.”
Facebook has time to appeal later this month.
The ICO is also investigating data protection irregularities between Leave.eu and Aaron Banks’ Eldon Insurance company, the relationship between the Cambridge Analytica-linked AggregateIQ and leave campaigns, the role of data brokers in political campaigns, and more.
The regulator has sent warning letters to all 11 political parties with MPs in the Commons that they will be audited later this year.
“We have concluded that there are risks in relation to the processing of personal data by many political parties,” it said. “Particular concerns include: the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing, and use of third party data analytics companies with insufficient checks around consent.”
A separate ICO report on the policy implications of its findings called for an “ethical pause” in digital political campaigning to allow key stakeholders to “reflect on their responsibilities” when using personal data to target voters.
It called on all third-party platforms to urgently roll out transparency features related to political advertising and said it would work closely with the government to draw up a new statutory code of practice in line with the GDPR/DPA18 to regulate the use of personal data in political campaigns.
A new report, Cyber Board Communications & Metrics – Challenging Questions from the Boardroom, conducted by Kudelski Security in conjunction with its Client Advisory Council (CAC) found that despite improved communication methods to better inform nontechnical executive leaders, CISOs continue to struggle in conveying cyber risk to their boards of directors.
Board awareness has long been identified as a need across all industries. Boards need to better understand the cyber challenges their organizations face, which demands that they have confidence in their CISOs. Yet the CAC research confirmed its hypothesis that CISOs need to better communicate so that what they convey to both their counterparts and their boards about programs and initiatives is meaningful.
CISOs spend an average of 10-20 hours preparing their responses to the often-asked question, “Are we secure?” The report found that time spent does not translate into conveying information clearly, so it also sets forth ways to help CISOs measure and report on security priorities and increase organizational support for security initiatives by looking at the top questions CISOs face.
"Working together we conducted extensive research to present the opinions and experiences of CISOs from organizations of all types to help the broader industry. Our belief is that we can all benefit from the shared experiences of proven leaders and learn how we can challenge the status quo to impact real change in our industry. We thank each of our council members for their tireless support," Rich Fennessy, CEO, Kudelski Security, said in a press release.
“Get to know your board members, their backgrounds, the current boards they serve on...the more you understand the board members, the better you’ll be able to communicate with them,” the report said.
Additional tips include creating a presentation that resonates with the board that should both educate and engage. CISOs should keep the focus on context, the report advised, conveying stories with business relevance and providing examples that reveal the bigger picture.
“Tell the board the story the way they want to hear it,” the report said. “The most productive board interactions happen when presentations become conversations.”
FBI special agent Eric M. Proudfoot filed a criminal complaint on 9 July charging former Apple employee Xiaolang Zhang with the crime of stealing trade secrets from the tech giant.
Zhang, who began working for Apple at the end of 2015, was a hardware engineer working on Apple's autonomous vehicle development team. Details of the company's autonomous vehicle project have remained secret, with the company revealing little more than hints of project development to the press.
Because it was required in his role, Zhang had access to Apple's intellectual property, including confidential databases. Shortly after Zhang returned from paternity leave on 30 April 2018, he submitted his resignation to his immediate supervisor, explaining that he was moving back to China to work for XMotors, an intelligent electric vehicle startup.
Zhang was reportedly asked to return all of his corporate devices before being escorted off campus. "Apple security then immediately disabled Zhang's remote network access, badge privileges, network access and other employee accesses," according to the affidavit filed with the US District Court for the Northern District of California.
Prior to involving the FBI, an internal Apple team reviewed Zhang's network activity and building access activity across the Apple campus. The internal team found that only days before his return on 30 April, Zhang's network activity had "increased exponentially" compared to the entirety of his employment.
The anomalous activity prompted Apple to contact Zhang as part of a deeper investigation, which led to the company also contacting the FBI. During his investigation, Proudfoot conducted interviews and reviewed documentation including file listings, closed-circuit television images, physical-access-badge history and employee agreements, all of which led to his determination that there is probable cause to believe that Zhang had stolen trade secrets.
XMotors reportedly terminated Zhang and contended that Zhang did not pass along any of Apple's trade secrets, according to Reuters.
Cases of insider threats are not uncommon. According to the 2018 Insider Threat Intelligence Report from Dtex Systems, 38% of the assessments run as part of the report found evidence of employees who were exhibiting flight-risk behaviors.
“The criminal complaint filed in this case is not only evidence of what the former Apple employee may have done, it is also proof of how easy it is for anyone with privileged access rights to steal confidential data from their employers,” said Dtex Systems CEO Christy Wyatt.
“Apple, Tesla, Waymo and the litany of other organizations that have been victimized by insiders lately shows that companies are doing a great job of piecing together wrongdoing after the fact," said Wyatt. "It also shows that business needs to be more aware of activities taking place as they happen.”
A bug finder recently discovered that Thomas Cook Airlines had a security vulnerability for years, making it possible for hackers to systematically download hundreds of thousands of passenger flight details and personal data going back as far as 2013.
The issue, rated a medium to high severity level, leaked personal and travel information but is reportedly now fixed, according to a 9 July blog post by Roy Solberg. After booking his vacation, Solberg reportedly received an email from Thomas Cook Airlines with a suspicious link to airshoppen.com.
“I never downloaded a lot of data as I don’t want anyone to question my motives, but I do like to get an idea of the scope of the data leak, so I did a few tests to see if I could see how many bookings this was affecting,” Solberg wrote. In his tests, Solberg found Ving bookings from as far back as 2013, with the most recent one from 2019.
Using only a booking number, it was possible to retrieve all names on the travel booking along with the email address of the person registering the booking. Also included in the data were departure and arrival dates with airport and flight number information. After nearly two weeks of attempting to disclose the vulnerability, Solberg reportedly received little more than frustrating exchanges before never hearing from Thomas Cook Airlines again.
Three days after he went to the press, the vulnerability was reportedly fixed. This vulnerability, known as an Insecure Direct Object Reference (IDOR), is not only a commonly encountered problem in poorly designed web applications but also easy for an attacker to exploit. The issue raises concerns about both privacy and phishing attacks.
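To make the IDOR pattern concrete, here is an added example (not Thomas Cook's, Ving's or Solberg's code): a booking lookup that trusts nothing but the booking number, beside a hardened lookup that also checks who is asking. The bookings, customer ids, booking numbers and flight codes are constructed sample data.

```python
"""Added example: an IDOR-prone booking lookup next to an authorization-checked
one.  All records below are constructed samples, not real bookings."""

from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Booking:
    number: str          # booking reference printed in the confirmation email
    owner_id: str        # customer account that made the booking
    travellers: tuple    # names on the booking
    email: str           # address of the person who booked
    departure: str       # ISO dates
    arrival: str
    flight: str          # airport pair and flight number (constructed)


# Constructed sample records standing in for the booking database.
BOOKINGS = {
    "10001": Booking("10001", "cust-a", ("A. Example", "B. Example"),
                     "a@example.test", "2018-07-20", "2018-07-27", "OSL-PMI XX1234"),
    "10002": Booking("10002", "cust-b", ("C. Sample",),
                     "c@example.test", "2013-05-01", "2013-05-08", "CPH-AYT XX5678"),
}


def _public_view(b: Booking) -> dict:
    """The fields the endpoint returns to its caller."""
    return {"travellers": list(b.travellers), "email": b.email,
            "departure": b.departure, "arrival": b.arrival, "flight": b.flight}


def lookup_vulnerable(booking_number: str, session_customer: Optional[str] = None) -> Optional[dict]:
    """IDOR: the booking number is treated as if it were a secret, and the
    caller's identity (session_customer) is never consulted."""
    b = BOOKINGS.get(booking_number)
    return None if b is None else _public_view(b)


def lookup_hardened(booking_number: str, session_customer: Optional[str] = None) -> Optional[dict]:
    """Object-level authorization: require an authenticated customer and return
    the record only if that customer owns it.  'Not found' and 'not yours'
    give the same answer so the endpoint does not confirm which numbers exist."""
    if not session_customer:
        return None
    b = BOOKINGS.get(booking_number)
    if b is None or b.owner_id != session_customer:
        return None
    return _public_view(b)


def exposure_count(lookup: Callable[[str, Optional[str]], Optional[dict]],
                   numbers: Iterable[str], session_customer: Optional[str] = None) -> int:
    """Regression check: how many records a walk over candidate booking numbers
    returns.  For the hardened endpoint this must be 0 for an anonymous caller
    and at most the caller's own bookings otherwise."""
    return sum(1 for n in numbers if lookup(n, session_customer) is not None)


if __name__ == "__main__":
    candidates = [str(n) for n in range(10000, 10010)]
    print("vulnerable, anonymous:", exposure_count(lookup_vulnerable, candidates))          # 2
    print("hardened, anonymous:  ", exposure_count(lookup_hardened, candidates))            # 0
    print("hardened, cust-a:     ", exposure_count(lookup_hardened, candidates, "cust-a"))  # 1
```

The fix is not to make booking numbers longer or random (that only slows a walk down) but to tie every object read to the authenticated principal; the `exposure_count` check is the kind of test that should sit in the suite so the regression is caught before a third party has to report it.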
“We take any breach of our customer data extremely seriously. After being alerted to this unauthorized access to our online duty free shopping website in Norway, we closed the loophole and took responsible actions in line with the law," a Thomas Cook spokesperson wrote in an email.
“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.”
The company also wrote that it regularly tests its systems using third-party agents and since becoming aware of the incident it has taken further steps across its IT systems to ensure that it doesn't have a similar loophole elsewhere.
"This is bad news for Thomas Cook, but it highlights the fact that the travel industry has been slow to wake up to the challenges of information security,” said Stephen Gailey, solutions architect at Exabeam. “We've recently seen issues with aircraft boarding passes giving all-too-easy access to passenger data, as well as concerns over the aircraft being open to hacks – concerns that now include luxury yachts and possibly even some cruise ships."
“Why is it that we seem to have to fight the same old battles for every industry, one company at a time?" said Gailey. "Cybersecurity issues affect us all; it’s time we started learning from others’ mistakes."
Microsoft has patched more than 50 vulnerabilities yet again this month, with the majority of critical bugs affecting the browser.
Patch Tuesday saw the Redmond giant issue a “moderate” update load according to most experts, with 17 critical flaws to fix.
These include vulnerabilities in the Chakra Scripting Engine, Edge browser, Scripting Engine and PowerShell Editor Services.
Recorded Future senior solutions architect, Allan Liska, said the latter was particularly dangerous “because PowerShell Editor Services are primarily used by network administrators, so an attacker who exploits this vulnerability would most likely do so with administrative access.”
Qualys director of product management, Jimmy Graham, urged admins to focus on the 16 CVEs covering browsers for all workstation-type devices.
Although there are no zero-days to fix this month, three vulnerabilities have been publicly disclosed: “two privilege escalation vulnerabilities in Windows and a spoofing vulnerability in Edge whereby a user could be tricked into believing a malicious website is legitimate,” according to Rapid7 senior security researcher, Greg Wiseman.
Not to be outdone, Adobe released four patches for Flash, Adobe Reader, Experience Manager, and Adobe Connect which fix over 100 CVEs.
The Adobe Flash patch addresses just two flaws, according to Dustin Childs of Trend Micro’s Zero Day Initiative.
“The first is a type confusion bug submitted through the ZDI program that could lead to remote code execution. The other bug is a less severe information disclosure vulnerability due to an out-of-bounds read,” he explained. “The patch for Experience Manager fixes three information disclosure bugs. The Connect patch also fixes three bugs, with two being authentication bypasses and one being an insecure library load.”
However, the update for Acrobat fixes a whopping 107 CVEs including out-of-bounds reads, out-of-bounds writes, heap overflows, type confusions, and use-after-frees, Childs added. There are over 50 critical CVEs to fix in Acrobat and Reader.
The average cost of a data breach in the UK rose by 8% over the past year to reach nearly £2.7m, according to the latest IBM report.
The 2018 Cost of a Data Breach Study put the UK sum slightly lower than the global average of $3.9m (£3m) — in fact, US companies experienced the highest cost of a breach at £6m, followed by those in the Middle East (£4m).
However, the report highlighted that there’s much work still to be done by organizations, with mean time to identify a breach dropping just five days to stand at 163 days. Mean time to contain a breach decreased just three days to reach 64 days.
These stats are important because the longer a breach takes to spot and contain, the more damage can be done and the more expensive it will be to remediate.
IBM claimed that firms able to contain a breach in under 30 days managed to save over £755,000 compared to those that took more than 30 days.
Incident response and extensive use of encryption also helped to reduce the cost per compromised record by £13 and £12, respectively.
While malicious outsiders caused half of all breaches, organizations should be aware that human error (26%) and system glitches (24%) were responsible for the other half. The latter two types of breach were quicker to spot, and with better staff training and IT monitoring they remain highly preventable.
IBM breaks down costs into four specific areas: detection and escalation; notification; breach response; and lost business stemming from downtime, damaged reputation and lost customers.
In this regard the indirect costs of a breach (£58 per record) outweighed the direct costs (£50) again this year.
The Ticketmaster UK ‘breach’ is far more extensive than at first thought — part of a single operation by a threat group affecting over 800 e-commerce sites around the globe, according to new intelligence.
Security firm Risk IQ said it has been tracking the Magecart group since 2015. Its latest modus operandi is a digital card skimmer: malicious code injected into scripts served by third-party providers, a form of supply chain attack.
That’s what happened to Ticketmaster UK, after supplier Inbenta Technologies was compromised and the malicious code was injected into legitimate script destined for the Ticketmaster site.
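One control that directly addresses a supplier's script being altered in transit or at the source is Subresource Integrity (SRI): the site pins the reviewed script body with a hash, and the browser refuses to run a copy that no longer matches. The following is an added example (not RiskIQ's, Ticketmaster's or Inbenta's code) that computes the pin and checks a fetched copy against it server-side; the script bodies and the CDN URL are constructed samples.

```python
"""Added example: computing and verifying Subresource Integrity (SRI) pins for
a third-party script.  Script bodies and URL are constructed samples."""

import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # weakest to strongest, as browsers rank them

# Constructed sample: the supplier's script as reviewed and pinned by the site.
PINNED_SCRIPT = b"window.chatWidget = { init: function () { /* chat widget */ } };\n"
# Constructed sample: the same file after an unreviewed change at the supplier.
TAMPERED_SCRIPT = PINNED_SCRIPT.replace(b"/* chat widget */", b"/* modified upstream */")
SCRIPT_URL = "https://cdn.supplier.example/widget.js"   # placeholder host, not a real CDN


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token for body, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """The <script> tag the site should ship: integrity pins the reviewed body;
    crossorigin="anonymous" is required for SRI checks on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute.  As browsers do,
    consider only the tokens that use the strongest algorithm present and
    accept the body if any of them matches.  Unlike a browser, which ignores
    an attribute with no recognised tokens, this server-side check fails closed."""
    parsed = [(t.split("-", 1)[0], t) for t in integrity.split() if "-" in t]
    known = [(alg, tok) for alg, tok in parsed if alg in SRI_ALGORITHMS]
    if not known:
        return False
    strongest = max((alg for alg, _ in known), key=SRI_ALGORITHMS.index)
    return any(tok == sri_hash(body, alg) for alg, tok in known if alg == strongest)


if __name__ == "__main__":
    pin = sri_hash(PINNED_SCRIPT)
    print(script_tag(SCRIPT_URL, PINNED_SCRIPT))
    print("reviewed copy passes: ", verify_sri(PINNED_SCRIPT, pin))    # True
    print("modified copy passes: ", verify_sri(TAMPERED_SCRIPT, pin))  # False
```

Two caveats a practitioner should keep in mind: SRI only works for a script at a fixed URL whose content the site owner has reviewed, so a supplier that pushes legitimate updates will break the page until the pin is refreshed (which is exactly the review step that was missing in the incidents above); and it covers only the pinned file, not anything that file loads at runtime, so it should be paired with a Content Security Policy that limits where scripts may come from and where data may be sent.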
The revelations mean that the Ticketmaster breach is more extensive than at first thought, as suppliers other than Inbenta were also compromised in the same way. The Ticketmaster Germany, Australia and International brands were compromised via breached supplier SocialPlus between December 2017 and January 2018, Risk IQ claimed.
By targeting suppliers in this way, the group can access tens of thousands of victims in one fell swoop. The report claimed that one single campaign hit 100 “top-tier victims” which comprised the e-commerce sites of some of the biggest brands in the world.
Other compromised suppliers include analytics firms PushAssist and Annex Cloud, and marketing firm Clarity Connect.
LogRhythm EMEA MD, Ross Brewer, claimed that third-party data breaches are a growing problem for businesses.
“Hackers are persistent, clever people who have wised up to the fact that going after the big guys who have an array of sophisticated security tools in place is no easy feat. Instead, they’re redirecting their attention to smaller, third-party suppliers that can act as a gateway to more lucrative targets,” he added.
“As the saying goes, you’re only as strong as your weakest link, which means if one of your third-party partners doesn’t have the same commitment to data protection, any tools you have in place are essentially rendered useless.”
In an effort to expand its security solutions to small and medium-sized businesses (SMBs), global communications, media and entertainment and technology company AT&T has announced that it will acquire California-based security solutions company AlienVault.
Combining AlienVault's threat intelligence offerings with its existing portfolio of cybersecurity solutions, AT&T hopes to deliver a unified security management platform for its business customers. This acquisition will hopefully benefit AT&T’s SMB customers, as SMBs are increasingly the target of attacks. A 2017 Ponemon Institute study found that more than 61% of SMBs had been breached, an increase of six points since 2016.
“Regardless of size or industry, businesses today need cyber threat detection and response technologies and services,” said Thaddeus Arroyo, CEO, AT&T Business, in a press release. “The current threat landscape has shifted this from a luxury for some, to a requirement for all."
“AlienVault’s expertise in threat intelligence will improve our ability to help organizations detect and respond to cybersecurity attacks," Arroyo continued. "Together, with our enterprise-grade detection, response and remediation capabilities, we’re providing scalable, intelligent, affordable security for business customers of all sizes.”
Commenting on why the acquisition matters, Danessa Lambdin, VP of cybersecurity solutions, AT&T said, "Threat intelligence relies on real-time analysis of vast amounts of data; identifying abnormalities is key to a business’s ability to respond to a cyber-attack. Small to midsize business will have access to the same types of security tools and services that large enterprise companies have adopted in recent years."
According to recent research from Mimecast, 90% of organizations have experienced an increase in phishing attacks; however, only 11% continuously train employees about how to spot cyber-attacks.
“Cybersecurity awareness training has traditionally been viewed as a check the box action for compliance purposes, boring videos with PhDs rambling about security or even less than effective gamification which just doesn’t work,” said Peter Bauer, CEO and founder of Mimecast in a press release. "As cyberattacks continue to find new ways to bypass traditional threat detection methods, it’s essential to educate your employees in a way that changes behavior."
Additional acquisitions in the cybersecurity industry were announced today with Bomgar acquiring Avecto to augment its identity and access management solutions. In today’s blog post announcing the news, Bomgar credited Gartner with recognizing that the “privileged access threat landscape is growing with a higher risk of enabling cyberattacks and severe consequences.”
Businesses have gotten into the habit of collecting lots of data, but the mounting data they’ve compiled surpasses its usefulness. Nearly half of all companies have no idea where their sensitive data is stored, according to a new survey from Gemalto.
The fifth annual Data Security Confidence Index surveyed 1,050 IT decision makers and 10,500 consumers worldwide, revealing that 46% of companies don’t know where all of their sensitive data is stored and a majority of companies are unable to analyze all the data they collect.
The research found that for most businesses, the ability to analyze the data they collect changes depending on geography. In India, for example, 55% of businesses are able to effectively analyze the data they collect, yet only 47% of businesses in Australia can.
India and Australia rank best at using the data they collect. While 89% of global organizations said analyzing data effectively gives them a competitive edge, only one in five Benelux (20%) and British (19%) companies report that they are actually able to do so.
Two-thirds of respondents said their organizations are failing to carry out all procedures in line with data protection laws, suggesting a decline in confidence when it comes to businesses securing customers’ data.
“If businesses can’t analyze all of the data they collect, they can’t understand the value of it – and that means they won’t know how to apply the appropriate security controls to that data,” says Jason Hart, vice president and CTO for data protection at Gemalto.
“Whether it’s selling it on the dark web, manipulating it for financial gain or to damage reputations, unsecured data is a goldmine for hackers. You only need to look at the recent hacks on the World Anti-Doping Agency and International Luge Federation to see the damage that can be done. What’s more, data manipulation can take years to discover, and with data informing everything from business strategy to sales and product development, its value and integrity cannot be underestimated.”