The volume of distributed denial of service (DDoS) attacks in the second quarter of 2020 increased three-fold from the same period last year, according to new data from Kaspersky.
The Russian cybersecurity vendor claimed in its Kaspersky Q2 2020 DDoS attacks report that it detected and blocked 217% more DDoS attempts than in Q2 2019.
This appears to run counter to usual seasonal trends, which see DDoS attacks peak at the start of the year and then decline through late spring and summer, it said. The volume of detected attacks fell 39% from Q1 2019 to Q2 2019, for example, and by 34% for the same period in 2018.
However, this year, the volume of detected attacks increased by 30% from the first to the second quarters, according to Kaspersky.
What’s more, the highest number of attacks per day reached nearly 300 in the second quarter (on April 9), while in Q1 2020 the record was 242.
Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team, argued that the uptick in DDoS activity may be tied to the impact of the pandemic on computer users.
“This year, people have not been able to enjoy a normal holiday season as many regions have kept COVID-19 lockdown measures in place. This has left more people than usual still depending on online resources for both personal and work-related activities, making this summer a busy period for online businesses and information resources,” he explained.
“As a result, we saw unprecedented activity in the DDoS market. And so far, there is no reason to predict a decline.”
The firm urged organizations to ensure they have round-the-clock support in place to manage critical web resources, validate agreements and contact info with ISPs to support rapid response, and to choose effective DDoS prevention from a proven provider.
Hunt, the Australian Microsoft regional director and MVP, announced the decision to open source HIBP in a blog post on Friday, saying that it came as a result of his failed attempt to find a buyer for the site earlier this year.
“The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn't changed; the project cannot be solely dependent on me,” he revealed. “Yet that's where we are today and if I disappear, HIBP quickly withers and dies.”
The move to open source the site will go a long way to allay privacy concerns over how HIBP operates, by enhancing code transparency and demonstrating that data searches aren’t being logged internally, Hunt continued.
However, the main aim is to make the site “a more sustainable, more robustly featured community service.”
Hunt said he is currently in discussions with Azure and .NET experts to transition HIBP from completely closed to completely open. The process will be worked through incrementally but there’s no clear timeline as yet. Hunt will likely remain a major part of the project for some time to come.
As if to emphasize the importance of HIBP to the security industry and breach victims, Hunt revealed that in the past two weeks alone, over 96 million breached records had been added to the site, from 16 separate incidents.
A k-anonymity API, designed by a Cloudflare engineer, allows services such as Okta, LastPass, 1Password, Apple and Google to query HIBP's trove of breached data and notify customers whose credentials have been compromised.
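An added example (not code from HIBP or from this article) of the k-anonymity range query that HIBP's public Pwned Passwords API uses: the client hashes the password with SHA-1 and sends only the first five hex characters, the server returns every hash suffix in that range, and the match is decided locally. The server side below is a constructed stand-in fed with a constructed breach list, so nothing leaves the machine.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict, Iterable, List

# The public Pwned Passwords API keys its ranges on the first 5 hex characters of
# the SHA-1 digest, i.e. 20 bits; the server never learns the remaining 140 bits.
PREFIX_LEN = 5
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Split a full digest into the part sent to the server and the part kept local."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


class ConstructedRangeServer:
    """Stand-in for the service side (constructed for this example, not HIBP's code).

    Holds SHA-1 hashes of a constructed breach corpus and records what it learns
    from each query, so the test can show that only the prefix is ever received.
    """

    def __init__(self, breached_passwords: Iterable[str]):
        self.counts = Counter(sha1_hex(p) for p in breached_passwords)
        self.received_prefixes: List[str] = []

    def range_query(self, prefix: str) -> str:
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("range query must be exactly 5 uppercase hex characters")
        self.received_prefixes.append(prefix)
        # Reply format mirrors a range-query response: one "<SUFFIX>:<COUNT>" per line.
        lines = [
            f"{digest[PREFIX_LEN:]}:{count}"
            for digest, count in self.counts.items()
            if digest.startswith(prefix)
        ]
        return "\n".join(sorted(lines))


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "<SUFFIX>:<COUNT>" lines into a dict; blank lines are ignored."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side of the k-anonymity check.

    Only the 5-character prefix goes to fetch_range; the suffix comparison happens
    here, so the server cannot tell which of the returned hashes (if any) matched.
    Returns how many times the password appeared in the breach corpus (0 = not seen).
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def demo() -> Dict[str, int]:
    # Constructed breach corpus: "password" appears twice, the others once.
    server = ConstructedRangeServer(["password", "password", "letmein", "hunter2"])
    results = {
        pw: pwned_count(pw, server.range_query)
        for pw in ("password", "letmein", "not-in-the-corpus-xyz")
    }
    # Every query the server saw was a bare 5-character prefix.
    assert all(len(p) == PREFIX_LEN for p in server.received_prefixes)
    return results


if __name__ == "__main__":
    for pw, n in demo().items():
        print(f"{pw!r}: seen {n} time(s) in the constructed corpus")
```

In a real integration only the `fetch_range` callable changes (an HTTPS GET for the prefix); the hashing, parsing and local comparison stay exactly as above.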
A Hawaii man has admitted sending over 500 unwanted visitors to the home of a Utah family in a case police have described as "stalking on steroids."
Loren M. Okamura was arrested in December 2019 on charges of cyber-stalking, making interstate threats, and transporting a person over state lines for the purpose of prostitution. The 44-year-old entered a guilty plea in US District Court on July 27.
Okamura admitted sending a string of unwanted service providers to the North Salt Lake home of Walt Gilmore and his family. Unwanted visitors turned away by the Gilmores as a result of Okamura's actions included plumbers, locksmiths, food delivery workers, electricians, and sex workers.
When arranging the unwanted services, Okamura used apps to obscure his identity and phone location data.
The family's stalking experience began in August 2018 when a tow-truck company employee turned up on their doorstep with false instructions to remove a car from the Gilmores' driveway.
For the next seven months, the family turned away up to 20 people a day who had been sent to their house by Okamura under false pretenses.
The arrival of misled service providers at the Gilmore family home became so frequent that the family resorted to erecting a sign in their front yard warning of the hoax.
“This is stalking on steroids. It’s pretty vicious,” North Salt Lake police told the Deseret News in March 2019.
Gilmore said that the family was plagued by unwanted visitors at all hours of the day and night.
"They have police records. Criminals. Felons. Active warrants for their arrests coming to my home. They’re looking for drugs. They’re offering prostitution," Gilmore told the Deseret News.
"These are individuals who come to our home in the middle of the night—10, 11 o’clock, 1, 2, 3 in the morning."
Local police parked a patrol car in the family's driveway to deter people scammed by Okamura from knocking on the front door. Police estimate that the companies Okamura scammed have lost over $20k in staff hours and uncollected service fees.
Walt Gilmore said that his adult daughter had known Okamura at one point but no longer had any contact with the cyber-stalker.
Okamura's sentencing is scheduled for October 5.
A Portuguese computer whiz accused of leaking a series of confidential documents belonging to various soccer clubs has been released from custody.
Rui Pinto has been moved to a safe house in Portugal after spending 18 months behind lock and key while he awaits his trial before a Portuguese court.
The 32-year-old was arrested in Hungary in March 2019 on charges related to hacking, violation of correspondence, computer sabotage, illegitimate access, and attempted extortion. Pinto had been resident in Hungary for four years at the time of his arrest.
Portugal state broadcaster RTP and other media reported that Pinto was released from police custody in Lisbon late Friday.
Pinto's removal to a safe house at the behest of Judge Margarida Alves follows intervention in the defendant's case by Luís Neves, the head of Portugal's Policia Judiciaria.
In a June interview with Diário de Notícias, Neves described Pinto as a young man with serious concerns for society. The police chief then called for a change to the law to protect whistleblowers who cooperate with the justice system to expose organized crime and corruption.
Further support for Pinto's cause came from Albano Pinto, director of the central department of criminal investigation and penal action (DCIAP). In July, Albano Pinto, who is no relation of Rui Pinto, praised the accused for his “total availability and spontaneity to get to the truth.”
The Observador reported that Pinto cooperated with Portuguese police by unlocking access codes for all the electronic devices to which he had access.
Pinto was initially accused by Portugal's Public Ministry of committing 147 crimes, but following his collaboration with DCIAP, some of the charges against Rui Pinto were dropped.
The accused is currently awaiting trial for 90 crimes, including six counts of illegitimate access, one count of computer sabotage, 14 counts of violation of correspondence, 68 counts of undue access and one count of attempted extortion.
The prosecutor in Pinto's case disagreed with Judge Alves' decision to release the defendant. According to Observador, the prosecutor fears that by having access to the internet, Pinto "may destroy evidence or even continue criminal activity."
Global law firm Dentons has created a free tool to help users understand their obligations regarding the use of internet cookies across 28 European countries.
The Europe Cookie Law Comparison tool was launched today with the support of the Nextlaw Referral Network. Its authors hope the tool will bring users greater clarity with respect to their legal and data privacy responsibilities in an ever-changing regulatory context.
“Pending the adoption of the new e-Privacy Regulation, various European data protection authorities have decided to take autonomous action on cookies by issuing additional specific local guidelines and measures,” commented Giangiacomo Olivi, Dentons partner and co-head of its Europe Data Privacy and Security team.
"The tool will help to navigate the fragmented regulations across 28 countries in Europe."
Users of the tool are able to compare and contrast the regulations set by up to three countries at a time and immediately share the results with their colleagues via email. The tool has been designed to draw from up-to-the-minute information to keep up with the fast pace of regulatory change.
“We see this tool as the first point of call for the legal and compliance personnel of globally active companies, who need to comply with privacy and other laws applicable to cookies and similar technologies across multiple jurisdictions in Europe,” said Dentons partner and co-head of the firm's Europe Data Privacy and Security team, Marc Elshof.
Dentons lawyers contributed the legal analysis for Belgium, the Czech Republic, France, Germany, Hungary, Italy, Luxembourg, the Netherlands, Poland, Romania, Slovakia, Spain, and the UK. In addition, several law firms from the Nextlaw Referral Network contributed content for specific jurisdictions: CHSH (Austria), Wolf Theiss (Bulgaria), Antoniou McCollum & Co. (Cyprus), Cacic & Partners (Croatia), Lundgrens (Denmark), Derling (Estonia), Krogerus (Finland), Kyriakides Georgopoulos (Greece), LK Shields (Ireland), Kronbergs Čukste Levin (Latvia), Ellex Valiunas (Lithuania), GVZH Advocates (Malta), PLMJ (Portugal), Karanovic & Partners (Slovenia), and Setterwalls (Sweden).
Over half (51%) of UK school teachers are either unsure or disagree that their school is well-equipped to tackle cybersecurity issues, according to a new study published by ESET.
This follows a period in which many schools have provided online classes, with most pupils unable to attend in person due to the COVID-19 lockdown restrictions in place in the UK since 23 March.
In the survey of 1000 teachers, conducted by Internet Matters, just 49% felt that their school had “done enough” to avoid problems. More than a third (36%) said they’ve had no information from their schools on cybersecurity in the past year, while just 20% have received training since lockdown began.
Additionally, 31% have not had any training on how to talk to children about data and identity protection issues and more than a quarter (26%) had not been given any guidance on cybersecurity best practice in the past year.
Nearly half (45%) even feel their pupils had a better knowledge of cybersecurity issues than they do.
The findings suggest that there should be a much greater focus on educating teachers about cybersecurity issues – particularly as 96% of those who have received such training found it useful.
Julian Roberts, head of marketing at ESET, said: “Now, more than ever, tackling cybersecurity needs to be a top priority for schools as they may be increasingly forced to turn to the online world to support their pupils and their educational needs.
“Cyber-criminals are constantly evolving their methods and organizations that oversee young people using technology must be fully equipped to not just tackle potential issues but educate as well.
“With education entering the virtual world, whether in the physical classroom or at home, we would advise that cybersecurity training for teachers and pupils is crucial and that teachers are equipped by their school or IT teams with the right tools and advice to provide to parents too.”
ESET and Internet Matters are currently collaborating to provide guidance on the most effective ways of delivering online safety advice to parents and children within the school environment.
Like any other IT environment, there are potential cyber-risks to the International Space Station (ISS), though the station is quite literally like no environment on Earth.
In a session on August 9 at the Aerospace Village within the DEFCON virtual security conference, former NASA astronaut Pamela Melroy outlined the cybersecurity lessons learned from human spaceflight and what still remains a risk. Melroy flew on two space shuttle missions during her tenure at NASA and visited ISS. Hurtling high above the Earth, ISS is loaded full of computing systems designed to control the station, conduct experiments and communicate with the ground.
“Space is incredibly important in our daily lives,” Melroy said.
She noted that GPS, weather tracking and communications are reliant on space-based technology. In Melroy’s view, the space industry has had a somewhat complacent attitude about satellite security, because physical access was basically impossible once the satellite was launched.
“Now we know that our key infrastructure is at risk on the ground as it is in space, from both physical and cyber-threats,” Melroy stated.
The Real Threats to Space Today
Attacks against space-based infrastructure including satellites are not theoretical either.
Melroy noted that the simplest type of attack is a Denial of Service (DoS) which is essentially a signal jamming activity. She added that it already happens now, sometimes inadvertently, that a space-based signal is blocked. There is also a more limited risk that a data transmission could be intercepted and manipulated by an attacker.
What isn’t particularly likely, though, is an attack in which an adversary attempts to direct one satellite to hit another. That said, Melroy said that there could be a risk from misconfiguring a control system in a way that triggers a satellite to overheat or shut down.
How the ISS Secures its Network
During her presentation, Melroy outlined the many different steps that NASA and its international partners have taken to help secure the IT systems on-board ISS.
The entire network by which NASA controllers at Mission Control communicate with ISS is a private network, operated by NASA. Melroy emphasized that control traffic does not go over the open internet at any point.
There is also a very rigorous verification system for any commands and data communications that are sent from the ground to ISS. Melroy noted that the primary idea behind the verification is not necessarily about malicious hacking, but rather about limiting the risk of a ground controller sending a bad command to space.
“There’s a very rigorous certification process required for controllers in the International Space Station Mission Control Center (MCC) to allow them to send commands to the space station,” she explained. “In addition there are screening protocols both before a message ever leaves MCC going up to the ISS and once it’s on board ISS, to check and make sure that the command will not inadvertently do some damage to the station.”
Using Twitter in Space
ISS also makes use of a highly distributed architecture such that different sets of systems and networks are isolated from one another.
For station operations, Melroy said that astronauts make use of technology known as Portable Computer Systems (PCS) which are essentially remote terminals to send commands to the station’s primary computing units.
There is also a local area network on the station with support computers used for limited internet access including email and social media like Twitter. While the local ISS network has internet access, it is not directly connected to the public internet.
Melroy explained that there is a proxy computer inside the firewall at the Johnson Space Center, in Houston, Texas, that is connected with ISS. As such, the space station support computers talk to the proxy computer, which then goes out onto the public internet.
“Now of course, just like any computer, it’s still subject potentially to malware,” Melroy said. “However, the most important thing is that the station support computers in no way shape or form are networked to the actual commanding of the station, they’re completely separate systems and they don’t talk to each other.”
Areas of Concern for Spaceflight Security
While ISS has multiple layers of security, Melroy commented that there are still some areas of concern for spaceflight and space cybersecurity.
For satellites, she noted that the uplink and downlink to most satellites are encrypted, though the data on-board the satellite often is not. Additionally, she expressed concern about ground-based control systems for satellites. Melroy explained that satellite ground systems have the same cybersecurity risks as any enterprise IT system.
“The most serious problem I think we have in space is complacency, many people in space think that their systems are not vulnerable to cyber-attacks,” Melroy said. “We are going to have to figure out how to insert cybersecurity and an awareness of that into the values and the culture of aerospace, all the way from the beginning in design and through to operations.”
Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go.
PwC announced late last week that it had been appointed joint administrator of the currency exchange business.
Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring.
“The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news.
The Sodinokibi (REvil) variant is believed to have struck the firm on New Year’s Eve last year, forcing its website offline and impacting its bricks-and-mortar stores and banking services. It took until January 17 for the firm to get its first customer-facing systems live again in the UK.
Unconfirmed reports at the time suggested that a critical unpatched vulnerability in Pulse Secure VPNs (CVE-2019-11510) may have allowed attackers to remotely execute malicious code. A security researcher said he reached out to the firm in September 2019 to flag the issue but was ignored.
It’s still unclear exactly how much these mistakes ended up costing the firm although reports suggested that the REvil gang was demanding a $6m (£4.6m) ransom in return for the decryption key and deletion of stolen customer data.
Parent company Finablr revealed in March that a combination of the cyber-attack and the hit to business from COVID-19 was predicted to cost the firm £25m in Q1 2020, although it also claimed that cyber-insurance would cover a large part of its outgoings.
PwC remained upbeat about the future of the company, following its £84 million restructuring.
“The completion of this transaction has safeguarded 1802 jobs in the UK and a further 3635 globally, and ensured the continuation of a globally recognized brand,” said joint administrator, Toby Banfield.
TikTok looks set to sue the US government after Presidential Executive Orders issued on Friday effectively banned it and the messaging app WeChat in the country.
A statement from the Chinese-owned social media app expressed exasperation at the decision, which it said was made without any “due process or adherence to the law.”
“For nearly a year, we have sought to engage with the US government in good faith to provide a constructive solution to the concerns that have been expressed,” it argued.
“What we encountered instead was that the administration paid no attention to facts, dictated terms of an agreement without going through standard legal processes, and tried to insert itself into negotiations between private businesses.”
The Executive Order has been viewed by many as a deliberate attempt to force a sale of TikTok’s US operations to a domestic tech firm. Microsoft currently appears to be in the driving seat although reports suggest Twitter is also interested. Donald Trump has reportedly claimed the US Treasury should get a cut of the sale for helping to enable the deal.
“TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories. This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information — potentially allowing China to track the locations of Federal employees and contractors, build dossiers of personal information for blackmail, and conduct corporate espionage,” the Executive Order alleged.
“TikTok also reportedly censors content that the Chinese Communist Party deems politically sensitive, such as content concerning protests in Hong Kong and China’s treatment of Uyghurs and other Muslim minorities. This mobile application may also be used for disinformation campaigns that benefit the Chinese Communist Party, such as when TikTok videos spread debunked conspiracy theories about the origins of the 2019 Novel Coronavirus.”
TikTok denies having ever censored content or shared data with the Chinese government, and argued that the decision threatens to undermine business trust in America’s commitment to the rule of law.
Reports suggest it could be ready to file a suit against the Trump administration as early as Tuesday.
A separate order was issued on Friday which effectively bans the use of Chinese messaging giant WeChat in the US.
Mishcon de Reya’s cyber-intelligence director, Mark Tibbs, said the orders could spark a significant backlash, both by the Chinese government and among user groups.
“Considering the scale of usage of both apps in the US and globally, these executive orders will undoubtedly cause substantial impacts for both users, communities and in some instances, businesses which rely on the apps to market goods and services, or promote their brands,” he argued.
“The orders may also stimulate the development of various technical workarounds by users to be able to use the apps, and indeed the development of similar apps to fill the niche which will exist. Larger US technology companies will likely see the announcements as an opportunity for future acquisition or launching and promotion of their own alternatives.”
Intel is currently looking into how 20GB of sensitive internal data came to find its way online.
The range of documents — some marked “confidential,” “under NDA” or “restricted secret” — were uploaded to file hosting service MEGA by Swiss Android developer Till Kottmann.
Before his account was suspended by Twitter, Kottmann explained on the site that “most of the things here have not been published anywhere before.”
They include details on chip roadmaps, development and debugging tools, schematics, training videos, process simulator ADKs, sample code, Bringup guides and much more.
Affected platforms include Kaby Lake, Snow Ridge, Elkhart Lake and the unreleased 10nm Tiger Lake architecture.
Kottmann claimed to have received this data from a third party who found it on an unsecured server via a simple nmap scan. Many of the zip files were reportedly protected with easy-to-guess or crack passwords.
However, Intel doesn’t believe the data came from a network breach, and said in a brief statement that it is urgently investigating what may have happened.
“The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access,” it continued. “We believe an individual with access downloaded and shared this data."
Although there appears to have been no personally identifiable information (PII) exposed in the breach, the compromise of so many sensitive internal documents will be ringing alarm bells at the chipmaker’s HQ — especially as more leaks have been promised.
Erich Kron, security awareness advocate at KnowBe4, said the incident highlights supply chain cyber-risk.
“There is always a risk when sharing potentially sensitive information to these business partners, however, this is often an unavoidable part of doing business,” he added.
“Whenever providing intellectual property access to another organization or individual, it is important to log not only who has access, but when and what data they are accessing. Even better, as in this case with Intel, ensuring that you know where the documents have been shared by potentially marking the document itself, can be very valuable when hunting potential misuse as appears to have occurred here."
Biometric authentication, including facial recognition and fingerprint scanners, is increasingly common, but that doesn’t mean these methods are safe from hackers.
At the DEFCON virtual security conference on August 8, security researcher Yamila Levalle from Dreamlab Technologies outlined how she was able to bypass biometric authentication for a number of different types of fingerprint scanners. During her session, Levalle explained various methods of bypass including using a budget 3D printer, which yielded positive results.
“Biometrics is the science of establishing or determining an identity, based on the physical or behavioral traits of an individual,” Levalle explained. “Biometric systems are essentially pattern recognition systems that read as input biometric data, then extract the feature set from such data, and finally compare it with a template stored in a database.”
Attacks Against Biometric Systems
There are multiple types of attacks that are possible against biometric systems.
There are physical attacks against the sensors and there are presentation and spoofing attacks. Levalle noted that she was focused on the spoofing attacks: attempting to trick a system into believing a fraudulent fingerprint was in fact authentic.
Attacks against biometric systems are not hypothetical either and happen in the real world, which is what inspired Levalle to conduct her research. In her home country of Argentina, six employees of the Aerolineas Argentinas airline were caught in 2019 falsifying work attendance. The airline employees allegedly used silicone fingerprints to check in colleagues who were not at work.
Tricking Fingerprint Scanners with 3D Printed Molds
Levalle explained that a fingerprint scanner doesn’t have to find the entire pattern of distinctive features in a human fingerprint in order to work. Rather, she noted it simply has to find a sufficient number of features and patterns that the two prints have in common.
As part of her research to see if it was possible to produce a 3D printed fingerprint that can trick the majority of scanners, she said that a UV resin 3D printer is needed. For her research, she made use of the budget-friendly Anycubic Photon 3D printer, as it can print at a resolution of 25 microns. Levalle said that human fingerprint ridges can have a height of between 20 and 60 microns.
The first step in her research was to lift the latent fingerprint with a digital camera that had macro image functionality. The image was then digitally enhanced with an open source Python tool to optimize the fingerprint. The next step was to bring the image into a 3D modelling tool, like TinkerCAD, to create the actual model.
The hardest part of the process according to Levalle was configuring the fingerprint length and width to the same size as the original, which was no easy task since she didn’t have a digital microscope to take the measurements. Ultimately, after more than 10 tries, she was successful in 3D printing a fingerprint that could trick scanners.
“It’s not easy to duplicate the fingerprint, it takes time and experience, but it can be done,” she said.
The National Trust, the charity and membership organization for heritage conservation in England, Wales, and Northern Ireland, has been contacting volunteers by email to notify them of a data breach.
National Trust data exposed as a result of the ransomware attack on Blackbaud belongs to past and present volunteers and applicants for the trust's volunteer program.
Compromised information includes name, date of birth, gender, address, and contact details. The Trust assured its volunteers that while some sensitive information pertaining to equality monitoring was affected, no financial data was exposed.
In an August 7 email to users of its volunteer program, the National Trust's CIO, Jon Townsend, wrote: "Our membership systems and data were not affected."
Townsend said Blackbaud reached out to the Trust in July to inform them about the cyber-attack. The company said that all the data stolen in the attack related to Blackbaud's systems only and has since been destroyed.
The National Trust has reported the incident to the Information Commissioner’s Office, the UK’s regulator for data protection. The organization has set up an email address that any concerned volunteers can contact for more information about the data breach.
In the August 7 breach notification email, Townsend wrote: "On 16 July 2020 we were contacted by Blackbaud, the company that holds some of our volunteering data, to tell us that they’d been the victim of a cyber-attack."
Townsend told Trust volunteers that no action was required from them and apologized for any concern that may have been caused by the breach.
"We take data protection extremely seriously at the National Trust," wrote Townsend. "We’re looking again at the security of how data is managed and working closely with Blackbaud to discover exactly what happened."
Cybrary, the world’s largest online cybersecurity career development platform, has released a second installment of free educational courses.
Cybrary made a clutch of courses free in July in a bid to support people who are considering a career in cybersecurity and those impacted professionally by the ongoing COVID-19 pandemic.
A Cybrary spokesperson said: "These free courses aim to encourage continued training and resumé building for current cyber professionals, recent graduates, and those looking to transition into the security and IT industry."
This month, a second wave of free online courses was released that will be available to users until September 1. Courses range in length from one to nine hours and cover topics ranging from cloud architecture foundations to DNSTwist fundamentals.
Newcomers to cybersecurity are catered to with courses on command-line basics and the fundamentals of cybersecurity architecture, while the more advanced might choose to study physical penetration testing.
"As part of our mission to provide opportunity for personal and professional growth—something that has only become more important in the challenging employment landscape we are currently facing—we hope these free course offerings encourage and empower individuals to expand their cyber and IT skill set," said Cybrary co-founder and CEO Ryan Corey.
"These additional free courses help address the current skills gap, while also providing the necessary knowledge and resources for those working toward building future careers in the cybersecurity or IT field."
The seven free courses released by Cybrary last month were Cyber Network Security, Intro to Cyber Threat Intel, Advanced Cyber Threat Intel, Web Defense Fundamentals, Kali Linux Fundamentals, CCSK, and Microsoft 365 Fundamentals.
Corey said that by making the courses free to everyone who can access the internet, Cybrary hoped "to help build a more secure digital world by providing learning opportunities available to everyone.”
Since being founded in 2015, Cybrary has attracted a community of nearly 3 million users, including multiple Fortune 100 companies. The American company is headquartered in College Park, Maryland.
The monthly release of free courses follows the April launch of the Cybrary Scholars Program, which gives participants a free year of Cybrary’s Insider Pro membership, a CompTIA exam voucher, and a year of mentorship with an experienced Cybrary community mentor.
The investigative report Money for Nothing reveals the existence of a sophisticated piracy ecosystem made up of thousands of retailers and wholesalers. This nefarious network steals from creators and circumvents legitimate TV operators to provide illegal subscription services to millions of US households.
According to the report, the most virulent and fastest-growing illegal streaming enterprise is the pirate subscription Internet Protocol Television (PS IPTV) Service. This type of service typically costs just $10 to $15 a month and mimics the practices of legitimate streaming services.
The report found that an estimated 9 million fixed broadband subscribers in the US use a pirate subscription IPTV service. The ecosystem nonetheless relies on legitimate businesses, including hosting services, payment processors, and social media, to market its stolen content.
Researchers noted that the illegal subscription providers sell their wares via "at least 3,500 US-facing storefront websites, social media pages, and stores within online marketplaces that sell services."
Selling illegal subscriptions is highly lucrative since the providers pay nothing for the programming that makes up their core products. Researchers estimated that providers operate with profit margins ranging from 56% for retailers to 85% for wholesalers.
While piracy subscriptions alone are a billion-dollar industry, researchers found criminals also make money by selling screen time to advertisers and vending stolen streaming devices used to receive the snatched content.
On the surface, consumers of illegal subscription services might think they are getting a great deal. But the report found that pirates generate revenue by partnering with hackers to install malware within free apps that expose consumers to the risk of theft of their personal and financial data, cryptocurrency mining, adware, ransomware, and botnets that use their computers to perform distributed denial-of-service (DDoS) attacks.
“When it comes to piracy, the scope of the risk to consumers, small businesses and others is in direct proportion to the size of the industry, which is why we need to stop the reach and depth of this ecosystem before it grows even bigger,” said Digital Citizens Alliance executive director Tom Galvin.
Clothing retailer Monsoon Accessorize has been using VPN servers that have critical vulnerabilities, putting it at risk of hacking or ransomware attack, according to an analysis by VPNpro.
The researchers discovered that Monsoon has been utilizing unpatched Pulse Connect Secure VPN servers, known to contain vulnerabilities that enable cyber-criminals to see active users on the company’s VPN as well as their plaintext passwords.
This information can then be used to access the servers and attack the companies in various ways.
The biggest threat to organizations which have this vulnerability is having their servers locked down with ransomware, according to VPNpro. It is a similar vulnerability to the one that enabled the attack on global currency exchange business Travelex on New Year’s Eve, which forced the company to take its systems offline as a precautionary measure.
VPNpro said that “our researchers were able to gain access to Monsoon’s internal files, including customer information, sensitive business documents, sales and revenue numbers, and much more.”
The data accessed included a sample file containing 10,000 customer records with names, email addresses, phone numbers and mailing and billing addresses.
The cybersecurity firm added that it has contacted Monsoon "multiple times" to inform it of the vulnerability, but it has received no response as of yet and the vulnerability remains.
VPNpro recommends that Monsoon customers should monitor their data to make sure their personal information has not been leaked.
Hugo van der Toorn, manager offensive security at Outpost24, told Infosecurity: “This showcases the importance of truly understanding your network perimeter and your vulnerabilities therein. It is pivotal that organizations try to minimize their exposure to the internet and to understand and secure that what is exposed. As proven in this research, scanning the entire internet for specific vulnerabilities can be done with relative ease and happens every time a new critical vulnerability becomes known to the public. Scan everything and see where an attacker can get in; this works both defensively and offensively.
“The safest thing is to not expose anything directly to the internet, unless it is needed for performing daily business. A good example is a VPN; those are meant to allow employees to connect back to the office network and access internal resources. It is important for every device/service that is exposed to the internet to have clear visibility of this system: What software is in use, what components, which versions of those, what ports are open and on what hardware is it running.”
Javvad Malik, security awareness advocate at KnowBe4, added: "Attackers will try to leverage any way they can into organisations. In recent times, we've seen criminals try to compromise security software as part of their attack strategy. Because security tools are usually the first point of contact, they run at higher privilege and have access to lots of data, so they become a very rewarding target. It's why organisations should take care of their security tools, ensure they are patched, and follow the vendor's recommended guidance for any known issues, or settings that could be leveraged by criminals to gain access."
New guidance has been produced on cyber insurance to help organizations considering investing in cover.
Published by the National Cyber Security Center (NCSC), the guidance highlights seven key cybersecurity questions for businesses to address to help them make more informed decisions around cyber insurance.
The NCSC said, after calls for expert technical advice on the growing cyber insurance market, it made the decision to offer the following questions for senior leaders within organizations:
- What existing cybersecurity defenses do you already have in place?
- How do you bring expertise together to assess a policy?
- Do you fully understand the potential impacts of a cyber-incident?
- What does the cyber insurance policy cover (or not cover)?
- What cybersecurity services are included in the policy, and do you need them?
- Does the policy include support during (or after) a cybersecurity incident?
- What must be in place to claim against (or renew) your cyber insurance policy?
Sarah Lyons, deputy director for economy and society engagement at the NCSC, said: “Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance, there simply hasn’t been enough information up to now. That’s why it’s so important for the NCSC, as the UK’s leading cyber-authority, to offer its support by providing some clarity on the key issues to consider to ensure cybersecurity.
“Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”
The guidance was welcomed by two UK insurance associations, the British Insurance Brokers’ Association (BIBA), and the Association of British Insurers (ABI), while Andrea García Beltrán, cyber-manager (underwriting) at the UK & International Division of RSA Commercial, said organizations are increasingly considering the purchase of cyber insurance as part of their cyber-risk management approach.
“As a result, the NCSC is frequently asked about cyber insurance by customers, however, they cannot provide advice on insurance solutions or products, so they have decided to create guidance considering a wider approach to cyber-risk management by focusing on the cybersecurity elements of cyber insurance,” she said.
“From our perspective, we welcome the guidance especially because not all buyers are sophisticated and we cannot provide advice either.”
She said this will help organizations to have a better understanding of:
- Actions needed from the risk management point of view prior to transferring the risk to insurers
- What to expect during the insurance purchase process
- Who needs to be involved from the company side; ultimately cyber is an enterprise risk
- Role of the insurance broker or agent
- Overall information needed by insurers to be able to assess the risk
“Last but not least, this guide helps to clarify that cyber insurance is part of a robust cybersecurity resilient strategy and not the only solution to the evolving risk and exposure,” she added.
Steve Durbin, managing director of the Information Security Forum, said: “Cyber-risk is a growing concern for organizations around the world, as data breaches make headlines with increasing frequency and the resulting financial and reputational costs mount. Risk management as an effective way of addressing these concerns is absolutely key for all organizations during these times of pandemic and recession – many of the secure architectures and structures previously adopted may have changed and ensuring that the way of working today has been risk assessed is a key task for security professionals.
“Increasingly we have seen companies turning to insurance as a means of mitigating costs associated with breaches and the rise in ransomware amongst other threats has pushed many boards into considering cyber insurance. However, insurance is no excuse for poor security and focus should first be on ensuring a robust security posture that reflects the needs of the organization before rushing headlong into taking out insurance as a means of mitigating risk.”
Durbin recommended organizations adopt a robust, scalable and repeatable process to address information risk – obtaining assurance proportionate to the risk faced in which insurance may play a role. “Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling,” he said.
The ‘from’ address field in an email is supposed to identify the person who sent the email, but unfortunately that’s not always the case. In a Black Hat USA 2020 virtual conference session, researchers outlined 18 different attacks against email sender authentication systems.
Jianjun Chen, postdoctoral researcher at the International Computer Science Institute (ICSI), explained that the original Simple Mail Transfer Protocol (SMTP) – which is used by the world’s email systems to send email – once had no built-in authentication mechanisms. As such, in the early days of the internet, it was trivially easy for anyone to spoof any identity for the ‘from’ address in an email.
That situation changed with the debut of a trio of sender authentication protocols that have been advanced over the past decade. Among those protocols is Sender Policy Framework (SPF), which verifies the IP address of the sending domain. DomainKeys Identified Mail (DKIM) is a standard that verifies that the email is signed by the sending domain. Finally, Domain-based Message Authentication, Reporting and Conformance (DMARC) brings SPF and DKIM together into a policy framework approach.
Bypassing Email Sender Authentication
However, in a series of slides revealing specific details, Chen, along with his co-presenters Jian Jiang, senior director of engineering at Shape Security, and Vern Paxson, professor at UC Berkeley, outlined how it is possible to get around the enforcement that DMARC is supposed to provide for email sender authentication.
Chen noted that the key idea behind attacks of this nature is to take advantage of inconsistencies between different components of DMARC as well as Mail User Agent (MUA) software, which is what end users use to access email. In one scenario detailed by Chen, an attacker could potentially exploit how SPF and DKIM send results to DMARC, in order to trigger a ‘pass’ for email authentication.
Another scenario can exploit an ambiguity in how a receiving email server shows addresses and how the same address is displayed in an email client. For example, the RFC 5322 specification that defines how email messages should be constructed specifies that messages with multiple ‘from’ headers should be rejected. In practice, the researchers found that 19 out of 29 MUAs in fact accepted multiple ‘from’ addresses.
In summing up the different attacks, Jiang noted that when there are multiple identifiers in the email protocol it is easy to have discrepancies and inconsistencies about which identifier to use. He added that email messages are processed by multiple components and all of the components need to have some kind of agreement on the recognized identifiers in order to accurately enforce email sender authorization policies.
How to Defend Against Email Authentication Bypass
Jiang noted that, generally speaking, when the email authentication protocols are parsing emails they should be set up for strict compliance and reject any kind of suspicious formats.
For end users, Jiang suggested never blindly trusting the email address displayed in an email client, even though it’s typically difficult to verify trust. Jiang commented that the researchers overall found that the user interface of email clients is not sufficient to provide any kind of real security assurance about the authenticity of an email.
“So even for a security professional, it’s not easy for them to use any kind of security indicators to show if an email is trustable or not,” Jiang said. “So there is plenty of space to improve in that direction.”
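The strict-compliance advice above, as an added example that is not code from the researchers or from any mail software: a receiver-side audit of the From header that refuses the ambiguous forms the talk describes (more than one From header, more than one mailbox in it, a display name that itself looks like an address) and additionally applies a strict DMARC-style alignment check between the From domain and the Return-Path domain. The sample messages, the example.com and attacker.example names, and the assumption that Return-Path reflects the SMTP envelope sender recorded by the receiving MTA are all constructed for this illustration.

```python
"""Strict From-header audit for inbound mail (added example, not from the talk).

The aim is to reject messages whose sender identifiers are ambiguous, so that
the SPF/DKIM/DMARC evaluator and the mail client cannot end up picking
different identifiers for the same message.
"""
import email
from email import policy
from email.utils import getaddresses, parseaddr


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def audit_from_headers(raw: bytes) -> list:
    """Return a list of findings; an empty list means the headers are unambiguous.

    Checks:
      * exactly one From header (RFC 5322 permits at most one)
      * exactly one mailbox inside that header
      * the display name must not itself look like an address
      * the From domain must match the Return-Path domain when one is present
        (strict DMARC-style alignment; assumption: Return-Path was added by
        the receiving MTA and so reflects the SMTP envelope sender)
    """
    # compat32 keeps raw header values, so duplicate From lines are preserved
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    findings = []

    from_headers = msg.get_all("From") or []
    if not from_headers:
        findings.append("missing From header")
    elif len(from_headers) > 1:
        findings.append(f"multiple From headers ({len(from_headers)})")

    envelope_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    for hdr in from_headers:
        mailboxes = getaddresses([hdr])
        if len(mailboxes) != 1:
            findings.append(f"expected one mailbox in From, found {len(mailboxes)}")
        for name, addr in mailboxes:
            if "@" not in addr:
                findings.append(f"malformed From address {addr!r}")
                continue
            if "@" in name:
                findings.append(f"display name {name!r} looks like an address")
            if envelope_domain and _domain(addr) != envelope_domain:
                findings.append(
                    f"From domain {_domain(addr)} does not align with "
                    f"Return-Path domain {envelope_domain}"
                )
    return findings


def is_acceptable(raw: bytes) -> bool:
    """Strict-mode decision: accept only messages with zero findings."""
    return not audit_from_headers(raw)


# Constructed sample messages (example.com / attacker.example are placeholders)
CLEAN = (
    b"Return-Path: <bounces@example.com>\r\n"
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: quarterly report\r\n\r\nbody\r\n"
)
DOUBLE_FROM = (
    b"Return-Path: <bounces@attacker.example>\r\n"
    b"From: alice@example.com\r\n"
    b"From: mallory@attacker.example\r\n"
    b"To: bob@example.net\r\n\r\nbody\r\n"
)
LOOKALIKE_NAME = (
    b'From: "alice@example.com" <mallory@attacker.example>\r\n'
    b"To: bob@example.net\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("double-from", DOUBLE_FROM),
                          ("lookalike", LOOKALIKE_NAME)]:
        print(label, audit_from_headers(sample))
```

The check deliberately treats every ambiguity as a rejection rather than trying to guess which identifier was meant; a relaxed deployment could instead tag the message and let the DMARC policy decide, but the point of the talk is that each component guessing differently is exactly what the bypasses exploit.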
The opioid crisis in the US has had a devastating toll, impacting tens of thousands of families.
According to Mitchell Parker, CISO at Indiana University Health, a small part of the human suffering could have potentially been alleviated, if there was better control and security for Electronic Medical Record (EMR) systems. Parker presented his views during a session at the Black Hat USA 2020 virtual conference, where he outlined what has gone wrong with EMR systems and what can be done to make them more secure.
One of the drivers of the opioid crisis was the underhanded manipulation of an EMR system that is intended to assist physicians in prescribing medications. In January 2020, EMR vendor Practice Fusion was fined $145m by the US Department of Justice for receiving kickback cash payments from an opioid vendor to influence physician prescription activities. Practice Fusion provides a cloud-based EMR that is advertisement supported.
“People died and became addicted because of this manipulation and this subversive manipulation we’re talking about is a security issue,” Parker said.
How EMRs Work
Parker explained that an EMR is essentially a digital version of the paper charts found in a doctor’s office, including a patient’s medical treatment history. An EMR allows doctors to track data over time and the system can also be used to identify when preventive screenings and checkups are needed.
In the Practice Fusion case, opioid vendors were buying advertisements to influence physicians, but that’s not the limit of the security risk that exists with EMR systems. Parker noted that while EMR systems need to be certified for use to store patient record data, there are a variety of security holes that certification doesn’t consider.
One risk comes from pretexting attacks, where a criminal claims to be a government regulatory agency or a professional association and calls up medical offices asking staff for information.
“It's not difficult to get personal information using this method,” Parker said.
Parker noted that in his experience many vendors and service providers are doing a reasonably good job protecting against malware and ransomware, but are not protecting against identity theft and manipulation.
How to Improve EMR Security
Among the recommendations that Parker shared to help improve EMR systems is for vendors and users to deploy and enforce two-factor authentication methods for authentication, as well as for prescriptions.
Parker also suggested that medical offices limit access overall to a minimal number of users that can make changes of any type in the EMR. On top of that, he advised EMR vendors to make it easier to provide change reports when changes are made.
Parker noted that smaller medical groups are likely more susceptible to electronic subversion of their critical systems because of a lack of resources. He stated that he wanted to see those smaller groups partner with larger health systems to help manage EMR systems with the right governance and cybersecurity procedures.
“This [Practice Fusion] was a case of a company taking advantage of the fact they knew no one was looking and well, they did what they did with tragic consequences,” Parker said.
Capital One has been fined $80m following its breach last year.
According to a statement from the Office of the Comptroller of the Currency (OCC), these actions were taken against Capital One “based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner”.
The breach occurred in March 2019, when a former employee of Capital One named Paige Thompson exfiltrated the data of 100 million people in the US and six million in Canada, exploiting a weakness in the configuration of perimeter security controls to gain access to sensitive files housed in its cloud storage.
Capital One blamed a “configuration vulnerability” as the customer data was exfiltrated from an AWS S3 data storage service and moved to a GitHub site. At the time, Capital One said the breached information “included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.”
In taking the financial action, the OCC said it considered the bank’s customer notification and remediation efforts, and while it “encourages responsible innovation” in all banks it supervises, “sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”
Stuart Reed, UK director, Orange Cyberdefense, said: “The fine handed out to Capital One yesterday is another stark reminder of the financial implication of failing to fully assess cybersecurity risk. It is also a reminder of the potential challenges of migrating data from physical IT to the cloud, something that more and more organizations are seeking to do.”
Reed said the case against Capital One “underlines the expectation that organizations demonstrate best security practice at all times” and it is imperative that organizations recognize that the onus is on them to make sure they have done everything they can to protect customer data. “Otherwise, the consequences can be complex and extremely costly,” he said.
Mark Bower, senior vice-president at data security specialist comforte AG, said the fine “mirrors how we’ve seen industry regulators rip into ineffective controls over data protection.
“The signal is very clear: the often referenced shared responsibility cloud model means naught when it’s your data,” he added. “What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenized (credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event.”
Nation state threat actors, including Russia and China, are using multiple techniques to effectively ‘hack’ public opinion around the world, according to Renée DiResta. DiResta expressed her views in a keynote session at the Black Hat USA 2020 virtual conference.
DiResta works at the Stanford Internet Observatory and has been actively researching how different nation states have attempted to influence policies and individuals. She explained how, over the last decade, state actors have recognized that they can advance their geopolitical goals with different types of misinformation, propaganda and influence campaigns that make use of social media platforms.
“As we move from just the idea of influence to the idea of information operations specifically, what you start to see is it goes from shaping public opinion to what we’re going to call hacking public opinion – using manipulative, misleading tactics,” DiResta said.
Distract, Persuade, Entrench and Divide
There are four primary approaches that nation state threat actors typically take to hack public opinion: distraction, persuasion, entrenchment and division.
DiResta said a common goal is to have a distraction campaign, which is trying to make a target audience pay attention to something else. Another model is a persuasion campaign, which is trying to convince people to believe a certain fact, or feel a certain way. Entrenchment is another approach, and it is where the attackers create groups dedicated to particular types of identities in an attempt to advance a given position. Nation states are also often trying to highlight divisions between different groups of people, amplifying existing social fissures.
The process by which nation states achieve their public opinion influencing goals is relatively well-understood. DiResta explained that the first step is often just the creation of personas; that is fake social media profiles for different types of individuals. Those fake personas then create content, designed to achieve a particular goal. The content is then posted to various social media platforms and promoted to a target audience, via different means. The most successful efforts end up being shared organically by real users that unknowingly share messages created by the fake personas.
China and COVID-19
DiResta specifically outlined how China has attempted to hack public opinion, on a number of issues, including the democracy protests in Hong Kong as well as the COVID-19 pandemic. In August 2019, Twitter and Facebook suspended nearly 1000 user accounts that were associated with nation state sponsored disinformation campaigns.
“The Hong Kong protests attracted worldwide attention, and what you began to see was as Western media and others began to talk about them, these Twitter accounts would kind of come out of the woodwork to respond to the journalists to tell them they had it wrong,” DiResta said.
She noted that the same type of activities have now been happening in 2020 with China attempting to influence global opinion on its role in the COVID-19 pandemic. DiResta said that it’s clear that China has a committed strategy to influencing opinion online and it will continue to evolve its tactics.
Russia and the Hack and Leak Model
Russia has also been particularly effective in its attempts to hack public opinion, according to DiResta. One of the approaches that has worked well for Russia is a hack and leak approach, which makes use of network intrusion techniques as well as social media influencing tactics.
“The hack and leak operations provide extraordinary collateral for driving the influence operations,” DiResta said.
Agents working on behalf of the Russian government hack into a site with confidential information and then transmit the collateral to one of their fake personas. The fake persona in turn pitches the leak to journalists, who then are used to help spread the information. That’s what happened in the Guccifer case back in 2016 that was tied to emails connected to the Democratic and Republican political parties in the US.
DiResta suggested that there are a variety of actions that can be taken to help mitigate the risk of nation state public opinion hacking. For one, she said that security professionals should be proactively thinking about the social media ecosystem to identify what types of manipulation are possible.
“We need to increase communication between infosec professionals and information operations researchers with the goal of developing better understanding of how social network manipulation intersects with network infiltration,” she concluded.