Nation state threat actors, including Russia and China, are using multiple techniques to effectively ‘hack’ public opinion around the world, according to Renée DiResta. DiResta expressed her views in a keynote session at the Black Hat USA 2020 virtual conference.
DiResta works at the Stanford Internet Observatory and has been actively researching how different nation states have attempted to influence policies and individuals. She explained how, over the last decade, state actors have recognized that they can advance their geopolitical goals with different types of misinformation, propaganda and influence campaigns that make use of social media platforms.
“As we move from just the idea of influence to the idea of information operations specifically, what you start to see is it goes from shaping public opinion to what we’re going to call hacking public opinion – using manipulative, misleading tactics,” DiResta said.
Distract, Persuade, Entrench and Divide
There are four primary approaches that nation state threat actors typically take in their efforts to hack public opinion: distraction, persuasion, entrenchment and division.
DiResta said a common goal is to have a distraction campaign, which is trying to make a target audience pay attention to something else. Another model is a persuasion campaign, which is trying to convince people to believe a certain fact, or feel a certain way. Entrenchment is another approach, and it is where the attackers create groups dedicated to particular types of identities in an attempt to advance a given position. Nation states are also often trying to highlight divisions between different groups of people, amplifying existing social fissures.
The process by which nation states achieve their public opinion influencing goals is relatively well-understood. DiResta explained that the first step is often just the creation of personas; that is, fake social media profiles for different types of individuals. Those fake personas then create content designed to achieve a particular goal. The content is then posted to various social media platforms and promoted to a target audience via different means. The most successful efforts end up being shared organically by real users who unknowingly spread messages created by the fake personas.
China and COVID-19
DiResta specifically outlined how China has attempted to hack public opinion on a number of issues, including the democracy protests in Hong Kong as well as the COVID-19 pandemic. In August 2019, Twitter and Facebook suspended nearly 1000 user accounts that were associated with nation-state-sponsored disinformation campaigns.
“The Hong Kong protests attracted worldwide attention, and what you began to see was as Western media and others began to talk about them, these Twitter accounts would kind of come out of the woodwork to respond to the journalists to tell them they had it wrong,” DiResta said.
She noted that the same type of activity has been happening in 2020, with China attempting to influence global opinion on its role in the COVID-19 pandemic. DiResta said that it’s clear that China has a committed strategy of influencing opinion online and that it will continue to evolve its tactics.
Russia and the Hack and Leak Model
Russia has also been particularly effective in its attempts to hack public opinion, according to DiResta. One of the approaches that has worked well for Russia is a hack and leak approach that makes use of network intrusion techniques as well as social media influencing tactics.
“The hack and leak operations provide extraordinary collateral for driving the influence operations,” DiResta said.
Agents working on behalf of the Russian government hack into a site with confidential information and then transmit the collateral to one of their fake personas. The fake persona in turn pitches the leak to journalists, who then are used to help spread the information. That’s what happened in the Guccifer case back in 2016 that was tied to emails connected to the Democratic and Republican political parties in the US.
DiResta suggested that there are a variety of actions that can be taken to help mitigate the risk of nation state public opinion hacking. For one, she said that security professionals should be proactively thinking about the social media ecosystem to identify what types of manipulation are possible.
“We need to increase communication between infosec professionals and information operations researchers with the goal of developing better understanding of how social network manipulation intersects with network infiltration,” she concluded.
More than half (55%) of all cyber-attacks targeted organizations’ applications in 2019, which is a substantial increase compared to the previous few years, when these types of attacks made up around 30% of the total number.
This is according to data outlined in NTT’s Monthly Threat Report for August, which found that the apps most attacked globally in 2019 primarily related to supporting organizations’ web presence. About a third (33%) of all attacks were aimed at Joomla! (17%) and Apache products (16%) while 19% targeted other content management systems and supporting technologies.
Speaking to Infosecurity, Matt Gyde, CEO of the Security Division at NTT, said: “Since late 2018, there have been a number of significant vulnerabilities exposed in popular web frameworks and applications commonly used to develop and support an organization’s web presence. There was not a significant increase of new vulnerabilities, but there were new, exploitable vulnerabilities (we are seeing the re-activation of vulnerabilities that we thought were no longer in use), in some popular content management systems and related supporting technology.”
The report also revealed that in June 2020, attacks against networking products, such as Zyxel, Netis, Netcore, Netgear, Linksys, D-link and Cisco, accounted for 32% of all attacks, many of which were brute force or authentication attacks.
Another finding was that the number of vulnerabilities actually being exploited is quite narrow, with the top 10 most attacked vulnerabilities in 2019 making up 84% of all attacks observed, while the top 20 most attacked vulnerabilities accounted for nearly 91% of all attacks. This indicates that threat actors are focusing on vulnerabilities that are known to give them success.
Additionally, just eight technologies accounted for 41% of all attacks in June 2020, according to the report. These findings suggest that by focusing on the patching of a fairly narrow range of vulnerabilities, organizations can significantly lower the risk of attack.
Gyde added: “Many organizations simply do not have the appropriate infrastructure to track and manage vulnerabilities in an efficient manner, and are struggling to identify what priorities have the largest return on investment for their efforts.
“While many organizations would like to have an active patch management program, operational concerns, staff skills and priorities end up meaning that not everything gets patched all the time. The transitioning of security away from hardware to as-a-service and cloud-enabled has the potential to modernize systems which will allow for more consistent patching.”
A report published yesterday by Synopsys found that nearly half (48%) of organizations regularly push vulnerable code into production in their application security programs due to time pressures.
A judicial candidate in Louisiana has been charged with hacking into state computers and sharing confidential court documents with a friend.
Attorney Trina Chu allegedly committed the offenses while working as a law clerk to now retired Chief Judge Henry Brown in 2018.
According to a statement released by Caddo Parish sheriff Steve Prator, Chu copied sensitive court documents from the Louisiana 2nd Circuit Court of Appeals onto a USB flash drive.
Chu allegedly sent three confidential documents relating to a judgement made against her friend Hanh Williams from the drive to her own personal email account in July 2018. These documents were then forwarded directly to Williams.
At the time of the alleged crimes, three judges were considering Williams' appeal from a district court's ruling against her.
"The documents concerned a case under consideration by the 2nd Circuit involving a judgement against her close friend Hanh Williams for over $460,000," said Prator.
The court had ruled that financial adviser Williams owed $460,605 to the estate of a Caddo Parish man to whom she had been a financial adviser.
In his will, Williams' client, Fred Houston, had named her as his executor. Williams' administration of the Fred L. Houston Inter Vivos Trust was then challenged by the will's chief beneficiary, Louisiana State University's veterinary school.
“The jury charged Ms. Williams with $1.1 million in damages for breach of duty to the Trust and determined she was liable to the Estate for $460,605,” according to the 2nd Circuit opinion handed down August 15, 2018.
The sheriff said that Chu's alleged criminal activity was exposed "after a thorough investigation involving search warrants served to email providers, digital forensic examinations, and in person interviews."
Forty-six-year-old Chu was arrested on Tuesday by members of the CPSO Warrants Unit on two felony charges—offense against intellectual property and trespass against state computers. She was released the same day after paying bonds of $10,000 issued for each count.
According to online records for Louisiana's secretary of state, Chu is currently challenging 2nd Circuit Court of Appeal Judge Jeanette Garrett in an election scheduled to take place on November 3.
On election campaign website chuforjudge.com, Chu is touted as a “hardworking” person who stands for “fairness, equality and justice for all.” Chu had pledged to donate 75% of her judicial salary to four Louisiana nonprofit groups if elected.
An investigation is under way into a data breach that impacted an online examination tool used by educational establishments around the world.
The breach affected users of software made by American company ProctorU to provide live and automated online proctoring services for academic institutions and professional organizations.
According to Honi Soit, a database of 440,000 ProctorU user records was published by hacker group ShinyHunters over the past week along with hundreds of millions of other user records. ProctorU user data exposed includes usernames, unencrypted passwords, legal names, and full residential addresses.
Among the records are email addresses belonging to the University of Sydney, the University of New South Wales, the University of Melbourne, the University of Queensland, the University of Tasmania, James Cook University, Swinburne University of Technology, the University of Western Australia, Curtin University, and Adelaide University.
A spokesperson for the University of Sydney said that ProctorU had confirmed on Thursday that an investigation into the confidential data breach had been launched.
According to the spokesperson, the data exposed relates to ProctorU users who registered on or before 2014.
"We met with ProctorU’s CEO and compliance officer today, who confirmed they are investigating a breach of confidential data relating to users of their service," said the spokesperson.
"Any breach of security and privacy of this type is of course deeply concerning, and we will continue to work with ProctorU to understand the circumstances of the breach and determine whether any follow-up actions are required on our part."
The University of Sydney doesn't believe any current students are affected by the data breach, as the university only began using ProctorU's services in 2020 in response to the COVID-19 pandemic. However, after learning about the breach, the establishment will be "reviewing our experience of online exams and proctoring this year to inform our approach to assessments in 2021."
A spokesperson for Swinburne University of Technology in Victoria said that it has launched its own investigation into the breach, which has impacted a small number of its students.
Two California cybersecurity companies have joined forces to help protect healthcare networks from cyber-threats.
Ben Denkers, CynergisTek SVP of security and privacy services, said the partnership was conceived after the outbreak of COVID-19 changed the medical world's working practices.
“As America’s hospitals scrambled to respond to the pandemic, the entire threat landscape and the associated attack surface completely changed, placing America’s hospitals squarely in the cross hairs for adversarial activity," said Denkers.
"New vulnerabilities from telemedicine combined with an increased network footprint due to work-from-home employees means we have a perfect storm for increased cyber-attacks."
As part of the partnership, both companies are "assembling the best minds in networking, machine learning, data science, cybersecurity, privacy, and compliance to help healthcare organizations get a more complete view and understanding of their potential attack surface, including every user, medical device, and application on the network."
The aim is to enable hospitals to track every asset in their network, whether it sits on-premises or is used by remote users working in the cloud. Assistance will be given to help healthcare organizations identify high-risk incidents and compromised entities without the need for agents, manual configuration, or complex integrations.
"This partnership allows us to identify adversarial activity including reconnaissance in its early stages, allowing organizations to re-baseline their security posture as they return to normal operations,” said Denkers.
The new compromise assessment will be powered by Awake Security's network detection and response technology and offered to CynergisTek's customer base of more than 1,000 healthcare organizations.
“Sensitive healthcare data is extremely valuable to hackers, and we know they aren’t sitting on the sidelines during the pandemic but are in fact attacking both hospitals and pharmaceutical companies during this volatile time,” said Rahul Kashyap, CEO of Awake Security.
"In times like this, we’re excited to help healthcare entities for this ‘all-hands-on-deck’ moment to bolster their defenses and prevent crises from emerging and impacting patients.”
Nearly half (48%) of organizations regularly push vulnerable code into production in their application security programs due to time pressures, while 31% do so occasionally, according to a new report published by Synopsys entitled Modern Application Development Security.
As a result, 60% have reported production applications exploited by OWASP top-10 vulnerabilities in the past 12 months.
This is despite the fact most organizations believe their security programs are very good, with an average rating of 7.92 out of 10 given by 378 IT, cybersecurity and application development professionals surveyed by the Enterprise Strategy Group (ESG). More than two-thirds (69%) rated their security program as eight or above.
The study was commissioned to look at the convergence of application security tools, which is becoming increasingly complex, with 72% of organizations stating that they now utilize more than 10 of these tools.
As such, it was found that 43% of organizations believe that DevOps integration is the most important aspect of improving application security programs. Yet 23% of respondents said that poor integration with development/DevOps tools is a common challenge to achieving this, while 26% identified difficulty or lack of integration between different application security vendor tools.
Dave Gruber, senior ESG analyst, said: “DevSecOps has moved security front and center in the world of modern development; however, security and development teams are driven by different metrics, making objective alignment challenging.”
The biggest challenge highlighted was a lack of knowledge in mitigating issues identified on the part of developers (29%). This suggests there is currently insufficient developer security training taking place, and 35% of organizations revealed that less than half of their development teams are participating in formal training.
Speaking to Infosecurity, Patrick Carey, director of product marketing at Synopsys, commented: “As high velocity application development continues to grow in popularity through methodologies such as DevOps, it is critically important to ensure that security is considered throughout the software development lifecycle.
“That way, if the decision is consciously made to push vulnerable code due to time pressures, critical and high-risk vulnerabilities will have been resolved beforehand. By educating organizations on how to apply a holistic software security program and guiding them in their journey to implement DevSecOps cultures, we’ll see the prevalence of knowingly pushing vulnerable code drop. Enabling developers with security tools and training resources that in no way slow down their momentum is a highly beneficial step in that process.”
In a session at the Black Hat USA 2020 virtual conference on August 5, Kevin Perlow, technical intelligence team lead for one of the largest banks in the US, explained how cyber-attackers are using public standards for financial transactions to enable multiple forms of fraud.
One of the key standards used every day by all financial institutions around the world is ISO 8583, which defines how credit card transaction messages are sent and received. Perlow explained that anytime an individual goes to a bank machine or uses a point of sale device at a grocery store to do a self-checkout, ISO 8583 messages are created as part of the transaction.
“ISO 8583 is a standardized set of fields for transmitting the data from your card and for sending your transaction over to a payment switch and then from that payment switch to a bank to approve or reject the transaction that’s happening,” Perlow said.
The payment switch is a device that handles incoming messages from different types of payment devices, such as ATMs and POS devices like those at a grocery store. The payment switch processes the messages and decides what to do with them. The payment switch is also a key target for attackers, as they look to take advantage of ISO 8583 with FASTCash as well as other forms of malware.
How FASTCash Uses ISO 8583
The so-called FASTCash malware was first publicly disclosed back in 2018 and has remained active in the years since. Perlow noted that FASTCash is a subset of malware created and executed by threat actors from North Korea, sometimes referred to as the Lazarus Group.
FASTCash works by being injected by the attackers into a payment switch, where it fraudulently approves what appear to be legitimate ISO 8583 messages from the attackers sitting at bank machines, allowing them to withdraw money. During his presentation, Perlow described how ISO 8583 messages are constructed in a way that the FASTCash attackers have been able to emulate.
Perlow emphasized that, in order to create and properly execute the ISO 8583 messages, a lot of things need to go right for the attackers, since there is a lot of complexity. That’s why FASTCash has embedded logging information, to help monitor and adjust in order to execute its malicious payload.
ISO 8583 Isn’t the Real Problem
Given that attackers are making use of the ISO 8583 standard, it stands to reason that perhaps there is something wrong with the standard that should be changed – but that’s not the case, according to Perlow. He said that he would never recommend changing the ISO 8583 standard, and that it would also be impossible to do so, even if he thought it was a good idea.
“The ISO 8583 standard is the card payment standard for absolutely everything,” he emphasized.
That said, he noted that there are different ways to do credit card transactions that could randomize the data. By randomizing, he explained that the goal would be to make it less predictable to know what message is supposed to be going back to a bank machine.
“Ultimately, what’s happening here is that the payment switch is compromised and there’s nothing wrong at all with the payment standard being used,” he said. “The ATMs are working the way they’re supposed to in a very real sense and they’re processing the messages.”
There are multiple ways the FASTCash attackers are getting onto the payment switches, including using rogue PowerShell scripts. Perlow suggested that the attack vectors involve things that IT professionals should be looking for as part of their endpoint detection activities.
“By the time it gets to the payment switch and as cash outs happen, you’ll know because all your ATMs will be empty all of a sudden,” Perlow concluded. “The idea is to stop it before it gets to that point.”
There has been no shortage of Bluetooth-related attacks disclosed in recent years, including BlueBorne and BadBlueTooth among numerous others. At the Black Hat USA 2020 virtual event on August 5, a new attack was added to the list of Bluetooth vulnerabilities, with the public disclosure of BlueRepli.
Security researchers Sourcell Xu and Xin Xin described the BlueRepli attack as a way to bypass Bluetooth authentication on Android phones, without detection. In a series of recorded demos, the researchers demonstrated how, with limited or no user interaction, they were able to abuse Bluetooth to steal a target device’s phone book as well as all of the SMS text messages it had received.
For reasons not fully shared by the researchers, the BlueRepli attack does not currently work on Apple iOS devices. Additionally, the researchers noted that they had disclosed the issues to Google and the Android Open Source Project (AOSP), but according to them, to date the issue has not been patched.
At the core of the BlueRepli attack is an abuse of what are known as Bluetooth Profiles. Xu explained that Bluetooth Profiles detail specific application scenarios that can be used to enable connectivity. For example, there is the Phone Book Access Profile (PBAP) to enable access to a user’s phone book, while the Message Access Profile (MAP) provides access to text messages.
Xu noted that a Bluetooth vulnerability disclosed in 2019 dubbed “BadBlueTooth” also took advantage of Bluetooth Profiles. In that attack scenario, however, the victim needed to install a malicious app, whereas with BlueRepli nothing needs to be installed. Any Android device within Bluetooth range can potentially be at risk from the BlueRepli attack.
To help demonstrate the attack and allow others to test, the researchers created a software project called BlueRepli Plus that is set to be demonstrated during the Black Hat Arsenal tools demonstration on August 6.
How BlueRepli Works
Xu explained that there are several typical Bluetooth pairing scenarios that users are familiar with. Among the most common is when a user is presented with a yes/no dialog box to accept a connection, or is given a six-digit number that needs to be entered.
There is, however, another option that is defined in the Bluetooth specification, known as ‘just works’ which, when triggered, can bypass the need for user interaction to enable a connection. With BlueRepli, the researchers claimed that it was possible to bypass the authentication in several ways including making use of the just works option.
Xu explained that in a deception-based attack, the attacker first gets the victim’s Bluetooth address by simply scanning. The attacker pretends to be a Bluetooth device with a well-known application name like Skype (for example) and requests the phone book or short messages from the victim’s Android phone. After the victim grants the attacker permission as a result of the deception, the attacker can get the data.
The other attack that Xu described is a vulnerability-based attack, where the attacker first obtains two Bluetooth device addresses by scanning. The first address is the victim’s Bluetooth address, while the second is an address that has already been granted access permission by the victim, such as a Bluetooth headset that belongs to the victim. The attacker changes their own address to the second address and then directly requests data (phone book and SMS) from the victim.
“Data will be passed back to the attacker without the victim’s knowledge,” Xu said.
Cybercrime is growing at an “alarming pace” as a result of the ongoing COVID-19 crisis and is expected to accelerate even further, a new report from INTERPOL has found.
It revealed the extent to which cyber-criminals are taking advantage of the increasing reliance on digital technology over recent months. This includes the rapid shift to home working undertaken by many organizations, which has involved the deployment of remote systems and networks, often insecurely.
Based on feedback from member countries, INTERPOL said that during the COVID-19 period, there has been a particularly large increase in malicious domains (22%), malware/ransomware (36%), phishing scams/fraud (59%) and fake news (14%).
Threat actors have revised their usual online scams and phishing schemes so that they are COVID-themed, playing on people’s economic and health fears.
The report also found that cyber-criminals have significantly shifted their targets away from individuals and small businesses to major corporations, governments and critical infrastructure.
Jürgen Stock, INTERPOL secretary general, said: “Cyber-criminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.
“The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber-defenses are up-to-date.”
The study added that “a further increase in cybercrime is highly likely in the future.” This is primarily due to vulnerabilities related to remote working, a continued focus on COVID-themed online scams and, if and when a vaccination becomes available, another spike in phishing related to medical products.
Responding to the findings, Brian Honan, CEO of BH Consulting, said: “The COVID-19 pandemic is providing criminals with many opportunities as outlined in the INTERPOL report. Indeed, many organizations may be at increased risk of ransomware attacks due to having opened up remote access solutions, such as VPNs, to support remote working.
“These remote access points may not be properly configured and secured or, due to IT teams operating remotely, may not have the latest patches installed. In addition, staff may have had to use their own personal devices from home to work remotely which in turn poses challenges from a security point of view with regards to how to ensure those devices are secure.”
Jonathan Miles, head of strategic intelligence and security research at Mimecast, added: “It is important that organizations migrate away from a ‘keeping the lights on’ mentality and prioritize cybersecurity, especially at a time when threats aimed at a dispersed workforce are increasing. Failing to do so can lead to issues such as organizational downtime, data loss and a negative impact on employee productivity.”
A cyber-attack on Redcar & Cleveland Borough Council earlier this year has reportedly cost around £10m in recovery costs.
The attack, which took place in February, caused online public services to be unavailable for 135,000 locals for over a week. According to Teesside Live, the local authority stated a figure of £10.4m in a budget update report provided to members of its cabinet.
Specifically, infrastructure and system recovery or replacement cost £2.4m, while the cost to individual council directorates, the worst hit, accounted for £3.4m. There was also a cost impact of just under £1m as a result of a reduction in enforcement income and lower collection levels for both council tax and business rates towards the end of the 2019/20 financial year, caused by computer systems being out of action for a period.
The report also claimed the council acted quickly and effectively, working extremely hard to mitigate the effects on key services and most vulnerable residents, whilst it “permeated almost all functions of the council and the required response and consequential impact had an inevitable bearing on its finances.”
Whilst the council had industry standard tools deployed to secure its computer network at the time of the attack, which it said had been configured to provide optimum protection, it has since made additional improvements to its cyber-defenses, with further upgrades planned.
“We are also on the list of pilot authorities to enroll on a National Cyber Security Center (NCSC) scheme which will provide threat intelligence information exchange between the council and NCSC,” the report said. “The result of all of this is that the council’s cyber-defenses will be far more advanced than most peers in local government.”
Jake Moore, cybersecurity specialist at ESET, said that even though this was not confirmed to be ransomware, it is a persistent threat to businesses and organizations of all sizes, “yet some forget the importance of securing systems and protecting data from the inevitability of an attack.”
He added: “Regardless of its simplicity, this malware can cost millions, but when organizations are bailed out from either insurers or government, I fear the ever-needed lesson just won’t sink in. There are multiple ways to reduce the risks of attacks like this, such as cold storage backups and reduced user access – but complacency seems to remain in place for many.
“Despite huge emphasis on cybersecurity, large corporations still fail to secure the perimeter and in failing to do so many lose millions of pounds. It seems it is easier for organizations to find money when they are forced to get back up and running, rather than asking for much less in preparation and prevention.”
Javvad Malik, security awareness advocate at KnowBe4, said: “With most organizations heavily reliant on digital systems, the impact of even a minor incident cannot be underestimated. Ransomware attacks are particularly devastating as they render all systems and data unusable, giving organizations few choices.
“Even if backups are available, there are costs associated with wiping systems, restoring them from backups, reporting to regulators, customers, and partners, and having alternate processes in place.
“It’s therefore more important to have strong and layered security controls in place that can prevent attacks from being successful in the first place, or to be able to quickly detect and respond where they have been able to get into systems. Only then can organizations minimize the economic impact of cyber-attacks to a manageable level.”
The Black Hat USA 2020 virtual conference kicked off on August 5 with a keynote session exploring the challenges of modern election security in the US and the impact of the COVID-19 pandemic.
The keynote was delivered by Matt Blaze, McDevitt chair in computer science and law at Georgetown University in Washington DC. He is also the co-founder of the Voting Village at the DEFCON security conference that follows Black Hat. Blaze began his remarks by stating that technology and elections in the US are very heavily interrelated today, but that wasn’t always the case. In fact, he noted that early elections in the US had very little technology and relied on the simplicity of a paper ballot.
According to Blaze, the paper ballot approach works pretty well and voters can be confident that their vote is counted as it was cast. That is, as long as that ballot box didn’t get tampered with and the counting process had high integrity.
“It’s very important that we trust, not only the people who are involved in elections, but also the technology that we depend on for those elections to be secure, to have high integrity and to be genuinely reflective of how we voted,” Blaze said.
The Complexity of US Elections
Among the challenges of election security in the US is the fact that the elections themselves are exceedingly complicated.
Blaze explained that in practice, each state sets its own rules and requirements for the elections that are conducted in that state. In total, he noted that there are over 5,000 different government entities that handle different aspects of elections, and the whole process is a very decentralized operation.
“I don't think I’ve ever encountered a problem that is harder than the security and integrity of civil elections,” Blaze said. “It’s fundamentally orders of magnitude more difficult and more complex than almost anything else you can imagine.”
Technology to the Rescue?
Prior to the 2016 election, Blaze said that election officials had not really considered the impact of foreign state adversaries for election interference.
Technology can be used to both help as well as prevent potential mischief by those that might want to interfere in an election, according to Blaze. Fundamentally, modern elections have largely relied on technology, which means that technology needs to be trusted and secured, which is no easy task.
“The integrity of the election results depends on the integrity of software and hardware,” Blaze explained. “So the correctness of any software you’re depending on for that purpose is critically important.”
Blaze highlighted recent developments that can make a big difference in validating the integrity of election technology. One of them is the concept of software independence, which has been advocated by cryptographer Ron Rivest.
“This [software independence] is essentially a requirement for voting systems that you should design your voting system in a way that an undetected change or error in the software can’t cause an undetectable change or error in the election outcome,” Blaze said. “It doesn’t say you can’t use software, it says, you shouldn’t depend on software for the outcome in ways that you can’t detect.”
Thanks to the adoption of the software independence approach for voting systems, as well as enhanced scrutiny throughout the process, Blaze noted that there is reason for optimism. He added that if he were giving his keynote in February, he would end the presentation on that positive note. The reality though is different now, with the COVID-19 pandemic raising a new set of issues.
The Pandemic Election
There are already multiple mechanisms in the US election system that allow for elections to occur during times of disruption. Blaze outlined the absentee, mail-in ballot system used in the US and the various steps it integrates to help ensure authenticity.
A big challenge however is scaling that system for the current crisis when tens of millions more Americans will want to make use of the mail-in ballot system than ever before. Whether or not there will be enough printed ballots, systems to scan those ballots or the personnel needed to enable the process, are questions that will need to be answered.
“Time is really short and the election is less than 100 days away,” Blaze said. “For many of these problems, the logistical aspects of this are familiar to computing specialists.”
In Blaze’s view, there is a lot that the IT and the cybersecurity community can do to help local election officials with the challenges of running an election during a pandemic. He advocated for the Black Hat community to engage on this issue, contact election officials and find out how to help, whether it’s a need for poll workers, IT expertise or otherwise.
“I think we can do this but we have to want to and we have to all take responsibility for this,” Blaze concluded.
North Dakota has suffered fewer data breaches than any other American state over the past 15 years.
Analysis of data breaches that have occurred in the United States since 2005 revealed California to be the state hit by the highest number of breaches. The Golden State was also found to have exposed the largest number of records, with 5.6 billion records compromised in 1,777 breaches.
At the lowest end of the results table, the Peace Garden State suffered just 19 data breaches over the same period, exposing a total of 440,698 records.
The analysis was carried out by tech research company Comparitech and published today. In total, researchers found that since 2005, 12,098 data breaches have occurred across the US involving more than 11.1 billion records.
2017 was the worst year for breaches, with 1,683 taking place during this 12-month period. However, more records were compromised in 2016, when a total of 4.6 billion records were exposed.
While Oregon had a relatively low number of data breaches at just 182, the Beaver State was found to have exposed the second-highest number of records. Analysts said that the vast majority of the 1.37 billion records leaked came from one source, River City Media.
"The company’s breach in 2017 exposed 1.34 billion email accounts, representing one of the largest data breaches of all time. River City Media collected information on millions of individuals without their consent as part of its spam operation, and then failed to protect that data," wrote the analysts.
Data exposed in the River City Media breach included email accounts, full names, IP addresses, and physical addresses.
Driving up the total number of exposed records in Maryland was the 2018 Marriott International breach that accounted for 383 million of the 388 million records exposed in the state over the last decade.
California had over twice as many breaches as New York, the nearest runner up with 863 breaches experienced. The Empire State was closely followed by Texas, where 819 breaches have occurred since 2005.
Other states where breaches were found to have been relatively rare were South Dakota, Wyoming, and West Virginia, where 21, 22, and 30 breaches have taken place respectively.
The US has charged two men for allegedly making millions of dollars by selling hundreds of thousands of opioid pills on the darknet.
Costa Rican pharmacist Jose Luis Fung Hou and dual Costa Rican and American citizen David Brian Pate were indicted by a federal grand jury on Tuesday. The pair are accused of trafficking drugs including Oxycontin and morphine and laundering payments in the form of Bitcoin and international wire transfers.
The indictment alleges that 44-year-old Pate illegally purchased pills from 38-year-old Fung, then sold the narcotics on multiple underground websites, including AlphaBay and the notorious marketplace Silk Road.
Using various online monikers including “buyersclub” on darknet markets, online forums, and Bitcoin exchanges, Pate allegedly advertised that he was selling the “old formula” of Oxycontin. This version of the drug lacks the tamper-resistant features, such as a crush-resistant coating, that are intended to prevent a user from inhaling or injecting the pills after pulverizing them.
Pate is accused of hiding the pills in tourist souvenirs such as maracas that were sent in bulk from Costa Rica to co-conspirator re-shippers in the United States. Re-shippers were then sent a list of customer orders to fill along with the customers' names, shipping addresses, and how many pills they wanted.
Once the shipments were received by the customers, the darknet market would release the funds in Bitcoin, which were held in escrow until the transaction was completed, into Pate’s account on the darknet market. Customers allegedly paid Pate over 23,903 Bitcoin for these darknet market sales.
The seven-count indictment charges Pate and Fung with counts of conspiring with persons to distribute controlled substances, distribution of controlled substances, conspiring with persons to import controlled substances, conspiring to launder money, and laundering of monetary instruments.
“Today’s case is a great example of how the DEA has infiltrated the darknet and, together with our law enforcement partners, proven that every criminal attempting to sell these deadly drugs is within the reach of the law,” said Special Agent in Charge Jesse R. Fong of the US Drug Enforcement Administration’s (DEA) Washington Field Division.
The number of commodity malware campaigns exploiting machine identities doubled between 2018 and 2019, according to new research.
The rapid increase in this particular type of cyber-scourge was unearthed by threat analysts at Venafi, who gathered data on the misuse of machine identities by analyzing security incidents and third-party reports in the public domain.
Among the attacks encountered by Venafi's Threat Intelligence Team were several high-profile campaigns, including TrickBot, Skidmap, Kerberods, and CryptoSink.
Overall, malware attacks utilizing machine identities were found to have grown eightfold over the last 10 years, with the increase accelerating within the last five years.
The findings are part of an ongoing threat research program focused on mapping the security risks connected with unprotected machine identities.
Campaigns exploiting machine identities were once the preserve of large-scale cyber-criminal operations but are now being used in off-the-shelf malware, according to Yana Blachman, threat intelligence researcher at Venafi.
“In the past, machine identity capabilities were reserved for high-profile and nation-state actors, but today we’re seeing a ‘trickle-down’ effect,” said Blachman. “Machine identity capabilities have become commoditized and are being added to off-the-shelf malware, making it more sophisticated and harder to detect.”
Blachman said these deceptively simple campaigns are far more dangerous than they appear.
“Massive botnet campaigns abuse machine identities to get an initial foothold into a network and then move laterally to infect further targets,” said Blachman.
“In many recorded cases, bots download crypto-mining malware that hijacks a target’s resources and shuts down services. When successful, these seemingly simple and non-advanced attacks can inflict serious damage on an organization and its reputation.”
The millions of applications and billions of devices that exist in the world use machine identities made from cryptographic keys and digital certificates to authenticate themselves to each other so they can communicate securely.
“To protect our global economy, we need to provide machine identity management at machine speed and cloud scale,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Every organization needs to ensure they have full visibility and comprehensive intelligence over every authorized machine they are using in order to defend themselves against the rising tide of attacks.”
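Bocek’s call for visibility over every authorized machine translates, at the host level, into knowing exactly which keys are trusted where. The following is an added example, not Venafi’s code and not drawn from any of the campaigns named above: it audits the entries of an OpenSSH authorized_keys file against an allowlist of key fingerprints, flagging unknown keys, deprecated key types, entries whose declared type does not match the key blob, and entries that cannot be decoded at all. The allowlist, the sample file and the key material are constructed for the example; the page does not state how the named campaigns abused machine identities, so this is a generic inventory check rather than a signature for any of them.

```python
"""Audit OpenSSH authorized_keys entries against an allowlist of key fingerprints.

Added example (not from the page or Venafi): a minimal visibility check for SSH
machine identities. Sample keys and the allowlist below are constructed.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import struct

# Key types OpenSSH accepts in authorized_keys; used to locate the key-type token.
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
DEPRECATED_TYPES = {"ssh-dss"}  # DSA, disabled by default since OpenSSH 7.0


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob: bytes) -> str:
    """Return the key-type string that opens every SSH public-key blob (RFC 4253 s.6.6)."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or 4 + length > len(blob):
        raise ValueError("truncated key type")
    return blob[4:4 + length].decode("ascii")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str) -> tuple[str, str, str, str] | None:
    """Split one authorized_keys line into (options, declared_type, base64, comment).

    Returns None for blank and comment lines. The optional options field is everything
    before the key-type token; whitespace inside quoted option values is re-joined.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES:
            if i + 1 >= len(tokens):
                raise ValueError("missing key data")
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("no recognised key type")


def audit(text: str, allowlist: set[str]) -> list[dict]:
    """Return one finding per entry that is malformed, deprecated, mislabelled or unknown."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_line(line)
        except ValueError as exc:
            findings.append({"line": lineno, "fingerprint": None, "reasons": [str(exc)]})
            continue
        if parsed is None:
            continue
        options, declared, b64, comment = parsed
        try:
            blob = base64.b64decode(b64, validate=True)
            actual = blob_key_type(blob)
        except (binascii.Error, ValueError, UnicodeDecodeError) as exc:
            findings.append({"line": lineno, "fingerprint": None, "reasons": [f"undecodable key: {exc}"]})
            continue
        fp = fingerprint(blob)
        reasons = []
        if actual != declared:  # the text label and the blob disagree: someone edited the line
            reasons.append(f"declared type {declared} does not match blob type {actual}")
        if declared in DEPRECATED_TYPES:
            reasons.append(f"deprecated key type {declared}")
        if fp not in allowlist:
            reasons.append("fingerprint not in allowlist")
        if reasons:
            findings.append({"line": lineno, "fingerprint": fp, "options": options,
                             "comment": comment, "reasons": reasons})
    return findings


def _key(key_type: bytes, material: bytes) -> str:
    """Build a base64 public-key blob of the given type from constructed key material."""
    return base64.b64encode(ssh_string(key_type) + ssh_string(material)).decode()


# Constructed sample: the key material is arbitrary bytes, not real keys.
KNOWN_ED25519 = _key(b"ssh-ed25519", bytes(range(32)))
ROGUE_ED25519 = _key(b"ssh-ed25519", bytes(range(32, 64)))
LEGACY_DSS = _key(b"ssh-dss", bytes(8))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by configuration management (constructed sample)",
    f"ssh-ed25519 {KNOWN_ED25519} deploy@build-01",
    f'command="/usr/bin/true",no-pty ssh-ed25519 {ROGUE_ED25519} added-by-unknown',
    f"ssh-dss {LEGACY_DSS} legacy@host",
    "",
    f"ssh-rsa {KNOWN_ED25519} mislabelled",
])

# Fingerprints of the keys configuration management is expected to have deployed.
ALLOWLIST = {fingerprint(base64.b64decode(KNOWN_ED25519))}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding["line"], finding["fingerprint"], "; ".join(finding["reasons"]))
```

The fingerprint is computed over the decoded blob rather than the text of the line, so a relabelled or re-encoded entry still resolves to the same key, and the allowlist can be populated with the output of `ssh-keygen -lf` on the keys you actually issued. Run it across a fleet and diff the findings over time; a new entry carrying `command=` or `no-pty` options that nobody provisioned is exactly the kind of foothold the report describes.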
Just under half of businesses have experienced at least one “business impacting cyber-attack” related to COVID-19 as of April 2020.
According to a survey of 416 security executives and 425 business executives, conducted by Forrester Consulting on behalf of Tenable, 41% of respondents reported at least one such attack related to COVID-19, while 94% said their firms had experienced a business-impacting cyber-attack or compromise within the past 12 months. “That is, one resulting in a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft and/or theft of intellectual property,” the research said.
Also, 78% of respondents said they expect an increase in cyber-attacks over the next two years while 47% reported experiencing five or more attacks. In an email to Infosecurity, Bryan Becker, product manager at WhiteHat Security, said: “There is no reason to expect this trend to ever reverse, so we are only likely to see more and more attacks in the future.
“Businesses can and should be investing in application security teams, as well as regular training for all members of the organization. CEOs and executive teams absolutely should be viewing at least quarterly briefs from the security team to understand the outcome of their investment, as well as the current state of affairs.”
On the impact of the COVID-19-related attacks, Tom Pendergast, chief learning officer at MediaPro, said while COVID-19 may have changed the subject and scale of attacks, “the target of most of those attacks hasn’t changed.
“They’re going after employees, who in this time of anxiety and uncertainty are more vulnerable than ever,” he said. “Preparing your employees to defend themselves and the company means teaching them to be highly skeptical and resistant to attempts to obtain information and access. Take, for example, the recent Twitter hack, perpetrated by a criminal who knew enough about an employee to break down their defenses.”
Rod Holmes, director and vCISO at the Crypsis Group, said threat actors always look to capitalize on emotion, disaster and chaos, and individuals, corporate IT systems and ICS systems (OT systems) have all been targeted. In particular, the research found that 65% of attacks involved operational technology assets, and 63% of security leaders admit it’s likely their systems suffered an unknown compromise over the past year.
Holmes said: “Organizations that have that special privilege of protecting our nation's critical infrastructure have an especially important role to play in security as nation states look for opportunities to infiltrate critical systems. Nation state actors are very opportunistic, persistent and patient — they will look for opportunities to strike when organizations are resource-strained and focused on maintaining operations during times of change or difficulty.
“COVID has presented nation states the opportunity to fly under the radar and capitalize on chaotic environments where IT personnel are consumed with increasing remote access capacity — even industrial organizations have had significant office personnel working remotely during the crisis. This is especially an issue with organizations that have ICS infrastructure intermingled with IT infrastructure and that do not have each environment separated as recommended by NIST standards.”
The British Dental Association (BDA) has suffered a data breach causing fears that the bank account numbers of a number of UK dentists have been stolen.
The BBC has reported that the professional association emailed its membership to warn them of the breach, telling them it is currently unsure what information has been accessed. The BDA also urged them to be vigilant about any correspondence purporting to be from a bank.
The BBC stated that while the organization does not store its members’ card details, it does hold their account numbers and sort codes in order to collect direct-debit payments.
In the email to members, the BDA reportedly referred to “logs of correspondence and notes of cases” as being among the data it has assumed stolen; this suggests that hackers may also have access to sensitive patient information.
BDA chief executive Martin Woodrow added in the email memo: “Owing to the sophistication of these criminals, we cannot, as yet, confirm the full extent of information that has been accessed.
“We are devastated and apologise unreservedly for this breach.”
The BDA’s website is currently offline due to the “sophisticated cyber-attack,” with the association stating that “our IT experts have been working to rebuild our systems since the incident occurred and this is progressing well.”
Commenting on the incident, Jake Moore, cybersecurity specialist at ESET, said: “It doesn’t seem a week goes by without it being necessary to remind people to be vigilant against this recent influx of hacks. However, it remains more important than ever to be cautious.
“It appears a large spread of personal data has been taken, so it is essential to remain on the lookout for any communication requesting further details which may add pieces to the identity theft jigsaw.
“Although the BDA has been magnanimous in making those affected aware of the breach quickly and reporting themselves to the ICO, the problems are far from over.”
Chris Harris, technical director, EMEA at Thales, added: “While being hacked itself is a worry in the first place, it’s concerning that it’s still unclear what information was taken.
“For any business’ security strategy to be successful, protecting their sensitive data through implementing methods like encryption and multi-factor authentication must be at the heart of it. With this in place, companies can rest safe in the knowledge that even if data is taken, it can’t be accessed – protecting them and their customers from further damage down the line through aspects like phishing attacks.”
Just this week it was revealed that hackers published customer data stolen from Havenly on the dark web.
Tanium has partnered with Google Cloud to integrate threat response and Chronicle’s security analytics platform.
The partnership will unite the Tanium unified endpoint management and security platform with Google Cloud’s security analytics and zero-trust initiatives, which the companies claimed would better detect, investigate, and scope advanced persistent threats.
Also, an integration between Tanium and Google Cloud’s BeyondCorp will allow customers to feed endpoint identity, state and compliance data from Tanium into BeyondCorp remote access decisions.
The companies said the integration between Chronicle’s security analytics and Tanium's unified endpoint security will allow users to proactively hunt threats both live and across an entire year of endpoint activity using telemetry from Tanium combined with analytics and cloud-scale data capacity from Chronicle.
Also with Chronicle, customers can correlate up to one year of data gathered from the Tanium platform’s endpoint telemetry and network activity. This enriched dataset lets incident response teams fully investigate sustained, long-term attacks and take comprehensive remedial action.
“With Tanium and Google Cloud, customers don’t have to make difficult tradeoffs between the quality, breadth, timeliness or storage cost of their security telemetry,” said Sunil Potti, general manager and vice-president of cloud security at Google Cloud.
“Advanced persistent threats require a sophisticated approach to detection and response. That starts at the endpoint, where most compromise activities begin. With telemetry sourced from Tanium’s comprehensive endpoint security approach, customers have the data they need to detect and investigate post-compromise activity to accelerate remediation and prevent future intrusion.”
“This joint solution with Chronicle gives Tanium customers access to massively scalable analytics and investigation capabilities far beyond that of other endpoint detection and response point tools,” said Orion Hindawi, co-founder and CEO of Tanium. “This integration enables our customers to investigate APTs and other threats from the moment of detection back to the moment of compromise for complete response and remediation.”
Digital asset infrastructure company Copper Technologies has announced the appointment of Jake Rogers as its new chief information security officer.
Rogers has joined the London-based firm with immediate effect from Amnesty International, where he held the position of head of information security, responsible for the confidentiality and security of 70 offices and 3,500 members of staff working on various human rights issues.
At Copper Technologies, Rogers has been charged with strengthening the company’s security as well as developing a market leading and scalable information security function.
Rogers began his career working in network administration before going into penetration testing and general cybersecurity. Prior to Amnesty, he worked at a number of major organizations including merchant bank Close Brothers, security vendor PhishMe and CrossGroup Security.
Dmitry Tokarev, chief executive officer, Copper, said: “I am very pleased to welcome Jake as the newest member of our team. I believe that his strong security credentials and understanding of the direction in which crypto is moving make him a perfect fit for the role. With Copper continuously evolving our product suite and offering, Jake’s expertise will be crucial as we look to ensure that our security continues to set an industry standard.”
Rogers added: “I am thrilled to join Copper as its chief information security officer. In the past few years, there has been a major, fundamental shift in the public’s attitudes toward free and open systems, especially in banking and finance. Crypto is becoming mainstream and with new technology being developed rapidly in this space, it has demonstrated real potential to replace traditional banking and finance with something far freer, more equal and democratic.”
Cloud breaches are likely to increase in “velocity and scale” due to a prevalence of poor cybersecurity practices in cloud configurations that are creating exposures. This is according to the latest State of DevSecOps report by Accurics, which assesses the cloud configuration practices that lead to breaches.
The study found that 93% of cloud deployments analyzed contained misconfigured services, while 91% of deployments have at least one network exposure where a security group is left wide open. Accurics noted that “these two practices alone have been at the center of over 200 breaches that exposed 30 billion records in the past two years.”
There were also other emerging practices that were observed to be creating exposures. This included the presence of hardcoded private keys in 72% of deployments. Additionally, half of deployments had unprotected credentials stored in container configuration files. The report added that “these keys and credentials could be used by unauthorized users to gain access to sensitive cloud resources.”
Close to a third (31%) of organizations were shown to have unused resources, with the primary cause being that resources are added to a default virtual private cloud (VPC) upon creation if a scope is not defined.
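Three of the exposures the report counts (security groups left open to the world, hardcoded private keys, and credentials sitting in configuration files) can be caught before anything is deployed by scanning the infrastructure-as-code text itself. The following is an added example and is not Accurics’ tooling: a line-oriented Python scanner run over two constructed Terraform snippets, one deliberately weak and one corrected. The rule names, the list of administrative ports, the AWS key-ID prefixes used as a pattern and the sample configurations are assumptions made for the example; the scanner is heuristic (it does not parse HCL) and is meant to show the checks, not to replace a real IaC scanner.

```python
"""Heuristic scanner for the infrastructure-as-code exposures the report counts.

Added example (not Accurics' tooling): line-oriented checks over Terraform-style text
for wide-open security groups, embedded private keys, AWS access key IDs and literal
secrets. It does not parse HCL; rule names, port list and samples are assumptions.
"""
from __future__ import annotations

import re

PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")  # long-term and STS key ID prefixes
# A secret-looking attribute assigned a double-quoted literal (HCL `=` or YAML `:`).
SECRET_RE = re.compile(r'\b(\w*(?:password|passwd|secret|token|api_key)\w*)\s*[=:]\s*"([^"]*)"', re.I)
ATTR_RE = re.compile(r"\s*(\w+)\s*=\s*(.+?)\s*$")
INGRESS_RE = re.compile(r"\s*ingress\s*\{")
ANY_ADDRESS = ("0.0.0.0/0", "::/0")
# Assumed list of ports that should never be reachable from any address.
ADMIN_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 6379, 27017}


def evaluate_ingress(attrs: dict[str, str]) -> tuple[str, str] | None:
    """Classify one security-group ingress block from its raw attribute strings."""
    cidrs = attrs.get("cidr_blocks", "") + attrs.get("ipv6_cidr_blocks", "")
    if not any(a in cidrs for a in ANY_ADDRESS):
        return None
    proto = attrs.get("protocol", "").strip('"')
    lo, hi = attrs.get("from_port", ""), attrs.get("to_port", "")
    if proto == "-1" or (lo == "0" and hi in ("0", "65535")):
        return "SG_OPEN_ALL", "all ports and protocols reachable from any address"
    try:
        exposed = ADMIN_PORTS & set(range(int(lo), int(hi) + 1))
    except ValueError:  # ports given as references rather than literals: cannot decide here
        return None
    if exposed:
        return "SG_ADMIN_PORT_OPEN", f"administrative ports {sorted(exposed)} reachable from any address"
    return None  # e.g. 443/tcp from anywhere is a normal public listener


def scan(text: str) -> list[dict]:
    """Return findings as {line, rule, detail}, sorted by line; secret values are not echoed."""
    findings = []
    in_ingress, depth, start, attrs = False, 0, 0, {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_RE.search(line):
            findings.append({"line": lineno, "rule": "PRIVATE_KEY", "detail": "PEM private key embedded in configuration"})
        if AWS_KEY_ID_RE.search(line):
            findings.append({"line": lineno, "rule": "AWS_ACCESS_KEY_ID", "detail": "AWS access key ID literal"})
        m = SECRET_RE.search(line)
        if m and not m.group(2).startswith("${"):  # "${var.x}" is a reference, not a literal
            findings.append({"line": lineno, "rule": "HARDCODED_SECRET", "detail": f"literal value assigned to {m.group(1)}"})
        if not in_ingress and INGRESS_RE.match(line):
            in_ingress, start, attrs, depth = True, lineno, {}, 0
        if in_ingress:
            a = ATTR_RE.match(line)
            if a:
                attrs[a.group(1)] = a.group(2)
            depth += line.count("{") - line.count("}")  # track nesting until the block closes
            if depth <= 0:
                in_ingress = False
                verdict = evaluate_ingress(attrs)
                if verdict:
                    findings.append({"line": start, "rule": verdict[0], "detail": verdict[1]})
    return sorted(findings, key=lambda f: f["line"])


# Constructed weak deployment: every value here is made up for the example.
WEAK_TF = """\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
}

resource "aws_security_group" "app" {
  name = "app"
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "db" {
  username = "admin"
  password = "hunter2"
}

resource "aws_instance" "bastion" {
  user_data = <<EOF
-----BEGIN OPENSSH PRIVATE KEY-----
AAAA(constructed placeholder, not real key material)AAAA
-----END OPENSSH PRIVATE KEY-----
EOF
}
"""

# The corrected form: HTTPS only to the world, SSH from the private range, secret by reference.
HARDENED_TF = """\
resource "aws_security_group" "app" {
  name = "app"
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

resource "aws_db_instance" "db" {
  username = "admin"
  password = var.db_password
}
"""

if __name__ == "__main__":
    for finding in scan(WEAK_TF):
        print(f"line {finding['line']:>3} {finding['rule']:<20} {finding['detail']}")
    print("hardened:", scan(HARDENED_TF))
```

Two design points matter more than the regexes. The security-group check reasons about the whole ingress block rather than a single line, because `cidr_blocks = ["0.0.0.0/0"]` is harmless for 443/tcp and dangerous for 22/tcp or protocol `-1`; a line-only rule would either miss the open-all case or drown teams in false positives on public web listeners. And the secret rule reports the attribute name, never the value, so the scanner’s own output does not become a second place where the credential is stored.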
Commenting on the report, Matt Yonkovit, chief experience officer at Percona, said: “The best approach here is to have an audit to check that your best practices are in place and being followed. This can help show where security steps are missing, and you can then put them in place where needed. Over time, you can check that all your responsibilities around data backup, security and management are done correctly.
“It’s less about the department and more about the situation. Security problems can be caused by people who are underqualified, using complex and powerful tools they don’t fully understand or haven’t enough experience with. Easy access to technology can give users a false sense of security, and a misconception that because it is backed by a big name, it must be tested, trusted, and fail-safe.”
Greg Martin, general manager for security at Sumo Logic added: “Increasingly organizations are experiencing serious data breaches due to basic cloud vulnerabilities such as this study highlights. Developers and security teams need to focus on awareness and training for common cloud security issues and more importantly automation to audit and identify gaps and vulnerabilities as they arise. Cloud security is the new frontier and most organizations are significantly lagging behind.”
Last month it was revealed that 260,000 actors had their personal data exposed due to a cloud misconfiguration error on a server belonging to a New Orleans-based casting agency.
Over four in 10 (42%) organizations take disciplinary action against employees who make cybersecurity errors, which puts them at greater risk of attack, according to a new study by CybSafe.
In a survey of UK businesses, it was found that mistakes such as falling for simulated phishing scams are regularly punished. This includes naming and shaming employees (15%), decreasing access privileges (33%) and locking computers until appropriate training has been completed (17%). Additionally, 63% of organizations will inform the employees’ line manager when cyber-mistakes are made.
As part of the research, CybSafe conducted a lab-based experiment to test the impact of these kinds of punishments. It found that doing so has a “highly detrimental” impact on staff, with punishments increasing anxiety levels and reducing productivity. The findings suggest punishments may have a long-term impact on employees’ mental health and actually reduce their cyber-resilience.
Dr John Blythe, head of behavioural science at CybSafe, commented: “People fall for phishing attacks and other cybersecurity mistakes because they’re human and because they have been trained to click links. Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing.”
“Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach. It’s unfair and diminishes productivity. It can cause heightened levels of resentment, stress, and scepticism about cybersecurity.”
Blythe added that this kind of approach may make staff more reluctant to report cybersecurity errors quickly, putting organizations in more danger.
Dr Matthew Francis, executive director at CREST, said: “The findings have highlighted how some well-meaning organizations are negatively impacting their cyber-resilience by ‘outing’ or reprimanding individuals and that cybersecurity errors can serve as positive opportunities to educate people, to trigger long-term and sustained changes in security awareness and behavior.”