Feed aggregator

Spectrum Healthcare Latest to Issue Breach Notice

Info Security - Fri, 03/15/2019 - 16:47
Spectrum Healthcare Latest to Issue Breach Notice

The data breach at Wolverine Solutions Group (WSG) continues to plague the healthcare industry, with more organizations, including Spectrum Healthcare, sending security notices to customers.

As was the case for many organizations that have already issued security notices, Spectrum said it has no reason to believe its systems or customer information were compromised.

“WSG’s expert could not find evidence that Spectrum Health Lakeland patient information was removed from its system as a result of the attack. However, WSG also told us that they cannot be 100 percent sure that patient information was not affected. Therefore, we have reported the incident to regulators as a data breach and will be sending a letter to all patients whose information may have been a part of this cyberattack,” Spectrum wrote in a letter to thousands of its customers.

Upwards of 600,000 individuals may have had their health records compromised, according to a warning issued earlier this week by Michigan's attorney general (AG), Dana Nessel, and the director of the state's Department of Insurance and Financial Services (DIFS), Anita G. Fox. The AG's office warned Michigan residents to take extra precautions to safeguard their data.

Several companies have issued security notices to their customers, including “Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health System. Wolverine Solutions Group says it has mailed letters to all impacted individuals,” the AG’s office said in a press release.

“Wolverine is offering two levels of identity protection to individuals affected by the breach,” said Fox. “If you receive a letter from the company, we urge you to read it carefully and consider enrolling in the free credit monitoring service.”

“The healthcare industry must realize that risk never sleeps and change the frequency and processes for how third-party vendors are assessed, managed and remediated from once a year to real time and continuous,” said Ed Gaudet, CEO, Censinet.

Categories: Cyber Risk News

NAO Criticizes UK’s Failing National Cyber Program

Info Security - Fri, 03/15/2019 - 11:05
NAO Criticizes UK’s Failing National Cyber Program

Parliamentary auditors have criticized the government for failing to build a clear business case for the UK’s National Cyber Security Programme at its inception, and for ongoing management weaknesses, which together mean it is unclear whether the program provides value for money.

The National Audit Office (NAO) review of the 2016-21 program highlighted multiple failings on the part of the Cabinet Office, which is leading the strategy.

It claimed that the lack of an initial business case meant there was no way to assess whether the £1.9bn of funding was ever sufficient to meet its 12 strategic objectives. The program was also “reprofiled” in its first two years, with over a third (37%) of funding transferred to other national security activities like counter-terrorism.

However, during this reprofiling, the Cabinet Office failed to develop a “robust performance framework,” only getting around to it in 2018. This means it currently doesn’t have enough evidence to effectively prioritize funding on the objectives “likely to deliver the biggest impact, address the greatest needs and deliver best value for money,” the NAO warned.

In fact, the Cabinet Office only has “high confidence” in meeting one of its 12 strategic outcomes by 2021, incident management, with a lack of quality evidence hampering accurate assessments elsewhere.

These ongoing program management weaknesses will likely continue to 2021, making it difficult to deliver effectively, the NAO said.

After 2021, it recommended the Cabinet Office refocus its efforts on understanding which areas are having the greatest impact or are most important to address. The NAO also urged it to engage with other departments to understand their cybersecurity priorities, which could enable them to contribute to a future strategy and facilitate more accurate costing.

Despite the doom and gloom there were some bright spots. The Cabinet Office was praised for successfully establishing the National Cyber Security Centre (NCSC), while it was claimed that its Active Cyber Defence program has already reduced the UK’s vulnerability to some attacks.

The latter was one of the few areas where the Cabinet Office has enough evidence to understand its impact, and has increased funding as a result of its success.

“Improving cybersecurity is vital to ensuring that cyber-attacks don’t undermine the UK’s ability to build a truly digital economy and transform public services. The government has demonstrated its commitment to improving cyber security,” said NAO head, Amyas Morse.

“However, it is unclear whether its approach will represent value for money in the short term and how it will prioritise and fund this activity after 2021. Government needs to learn from its mistakes and experiences in order to meet this growing threat.”

Categories: Cyber Risk News

Kathmandu Probes Possible Card Skimming Breach

Info Security - Fri, 03/15/2019 - 10:14
Kathmandu Probes Possible Card Skimming Breach

New Zealand-based outdoor clothing retailer Kathmandu is urgently investigating a potential breach of customer card data harvested from its websites.

In a statement posted to the New Zealand stock exchange (NZX), the firm said it was notifying potentially affected customers directly, advising them to contact their banks and card providers.

“Kathmandu has recently become aware that between January 8, 2019 NZDT and February 12, 2019 NZDT, an unidentified third party gained unauthorized access to the Kathmandu website platform,” it said. “During this period, the third party may have captured customer personal information and payment details entered at check-out.”

The firm claimed that its “wider IT environment”, including all physical stores, is not at risk, and said it has been working with third-party experts to determine what happened. The authorities have also been notified.

“Whilst the independent forensic investigation is ongoing, we are notifying customers and relevant authorities as soon as practicable. As a company, Kathmandu takes the privacy of customer data extremely seriously and we unreservedly apologize to any customers who may have been impacted,” said CEO Xavier Simonet, in a statement.

Although it’s unclear exactly what happened at this stage, the fact that card data appears to have been taken from customers as details were entered at check-out chimes with the MO of Magecart-based attacks.

Digital skimming code of this kind has been used against a growing number of e-commerce firms, inserted either directly into their sites or through a compromised supply-chain partner whose code the sites load.

There are thought to be multiple groups using the code to harvest full card details for onward sale on dark web sites. Card details for customers of BA and Newegg were found on underground sites just days after their respective breaches were discovered.

The latest Magecart group was uncovered in January after it infected a French advertising agency to compromise a content delivery network for ads.

Categories: Cyber Risk News

DMSniff POS Malware Uses DGA to Stay Active

Info Security - Fri, 03/15/2019 - 09:59
DMSniff POS Malware Uses DGA to Stay Active

Researchers have discovered a rare strain of POS malware which uses a domain generation algorithm (DGA) to keep its command-and-control (C&C) infrastructure reachable even when individual domains are taken down.

Flashpoint’s Jason Reaves and Joshua Platt revealed in a blog post that the DMSniff malware may have been in use undetected for as long as four years, targeting small and mid-sized businesses in the restaurant and entertainment sectors.

DGAs are used to evade detection and takedown by creating large numbers of new C&C domains on an ongoing basis.

The duo said they have found 11 variants of the DGA in DMSniff, claiming such a feature is unusual in POS malware.
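The page does not reproduce DMSniff's own DGA, so the following is an added example of the defensive side instead: a lexical scoring pass over resolver logs that flags query names with the shape DGA output usually has (long consonant runs, almost no vowels, many digits). It is not Flashpoint's code or DMSniff's algorithm; the log format, the suffix list and the sample lines are all constructed for the example.

```python
import re

# Letters treated as consonants when measuring runs; 'y' is counted as a consonant.
_CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")
# Suffixes stripped before scoring. Assumption: this short fixed list stands in
# for the Public Suffix List a production tool would use.
_SUFFIXES = ("co.uk", "com", "net", "org", "info", "biz", "top")


def registrable_label(domain: str) -> str:
    """Return the label the attacker actually registers: 'xk3q9zvbwq' for
    'xk3q9zvbwq.net', 'yahoo' for 'mail.yahoo.co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    for suffix in _SUFFIXES:
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return labels[-len(parts) - 1]
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(domain: str) -> int:
    """Count lexical features that machine-generated labels tend to have and
    dictionary-word labels tend not to. Each feature adds one point."""
    label = registrable_label(domain)
    if len(label) < 6:              # too short to judge; skip
        return 0
    score = 0
    runs = _CONSONANT_RUN.findall(label)
    if max((len(r) for r in runs), default=0) >= 4:      # e.g. 'zvbwq'
        score += 1
    if sum(ch in "aeiou" for ch in label) / len(label) < 0.2:   # vowel-starved
        score += 1
    if sum(ch.isdigit() for ch in label) / len(label) >= 0.2:   # digit-heavy
        score += 1
    return score


def flag_dga_queries(log_lines, threshold: int = 2):
    """Parse 'timestamp client qtype qname' lines (constructed format) and
    return (client, qname, score) for every query at or above the threshold."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[3]
        score = dga_score(qname)
        if score >= threshold:
            flagged.append((client, qname, score))
    return flagged


# Constructed resolver log, not real traffic: ordinary lookups plus three
# random-looking labels of the kind a DGA emits.
SAMPLE_DNS_LOG = [
    "2019-03-14T10:02:11Z 10.0.5.23 A google.com",
    "2019-03-14T10:02:12Z 10.0.5.23 A api.github.com",
    "2019-03-14T10:02:13Z 10.0.5.23 A flashpoint-intel.com",
    "2019-03-14T10:02:14Z 10.0.5.41 A xk3q9zvbwq.net",
    "2019-03-14T10:02:15Z 10.0.5.41 A qwpvtxzmlrk.com",
    "2019-03-14T10:02:16Z 10.0.5.41 A ab17kd92xz.info",
    "2019-03-14T10:02:17Z 10.0.5.41 A mail.yahoo.co.uk",
]

if __name__ == "__main__":
    for client, qname, score in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname} (score {score})")
```

Lexical scoring catches the random-character families but not DGAs built from dictionary words, so in practice it is paired with per-host NXDOMAIN rates and with a burst of distinct never-before-seen domains from one client, which is the pattern a DGA produces while it hunts for the live domain.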

It’s also not the only tactic the malware authors have used to protect it from investigators. Another discovered by Reaves and Platt was a simple string encoding routine designed to prevent researchers from understanding the malware’s capabilities.

“Flashpoint analysts believe attackers using DMSniff could be gaining an initial foothold on devices either by using brute-force attacks against SSH connections, or by scanning for vulnerabilities and exploiting those,” they added.

“For the data theft portion of the POS, the bot is simplistic because it comes with an onboard list of process names to avoid; it will use this list while looping through the process tree. Each time it finds an interesting process, it will loop through the memory sections to attempt to find a credit card number. Once a number is found, the bot will take the card data and some of the surrounding memory, package it, and send it to the C2.”
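The loop Flashpoint describes is the same one a responder runs over a memory dump to learn whether a terminal held cleartext card numbers at all. The example below is added here and is not DMSniff's code: it walks a set of (process name, memory bytes) pairs, skips an avoid list, pulls 13-19 digit runs, keeps only the Luhn-valid ones together with their surrounding bytes, and reports masked PANs. The avoid list, the memory image and the process names are constructed for the example.

```python
import re

# Process names the scraper skips. Constructed for the example; DMSniff's real
# avoid list is not reproduced in the article.
AVOID_PROCESSES = {"system", "csrss.exe", "svchost.exe", "explorer.exe"}

# A run of 13-19 ASCII digits not touching other digits: the PAN length range.
_DIGIT_RUN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 when the
    doubled value exceeds 9; a valid PAN sums to 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(memory: bytes, context: int = 12):
    """Return (pan, surrounding_bytes) for every Luhn-valid digit run in a memory
    region. The surrounding bytes are what a scraper exfiltrates alongside the
    PAN (track data, expiry) and what an analyst needs to confirm the hit."""
    hits = []
    for m in _DIGIT_RUN.finditer(memory):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            lo = max(0, m.start() - context)
            hi = min(len(memory), m.end() + context)
            hits.append((pan, memory[lo:hi]))
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so reports never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_processes(processes, avoid=AVOID_PROCESSES):
    """processes: iterable of (name, memory_bytes). Mirrors the scraper's walk
    over the process tree, honouring the avoid list, but reports masked PANs."""
    report = {}
    for name, memory in processes:
        if name.lower() in avoid:
            continue
        pans = [mask_pan(p) for p, _ in find_pans(memory)]
        if pans:
            report[name] = pans
    return report


# Constructed memory image of a payment application: two industry test-card PANs
# in track-2 style records, a 16-digit reference number and a 14-digit
# timestamp that fail Luhn and must not be reported.
POS_MEMORY = (
    b"txn=000412 track2=;4111111111111111=22121011234?\x00\x00"
    b"ref=1234567890123456 ts=20190315094512 "
    b"card=5500000000000004 exp=2212 amount=1299\x00"
)

SAMPLE_PROCESSES = [
    ("explorer.exe", POS_MEMORY),       # skipped: on the avoid list
    ("pos_terminal.exe", POS_MEMORY),   # scanned: two valid PANs
    ("notepad.exe", b"no card data, only ts=20190315094512"),
]

if __name__ == "__main__":
    for proc, pans in scan_processes(SAMPLE_PROCESSES).items():
        print(proc, pans)
```

Any PAN this scan finds in a payment process was available to a scraper with the same access, which is the point of point-to-point encryption and of EMV: the terminal should never hold the cleartext number where a process-memory walk can see it.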

The findings highlight the ongoing threat to US businesses from POS malware, despite the growing prevalence of EMV cards and machines across the country, which are designed to thwart these kinds of attack.

It seems malware authors are betting on smaller businesses not having rolled out EMV, or misconfiguring it.

Back in February, restaurant chain Huddle House revealed it had been the victim of a major POS breach, while later that month a POS solutions provider was hacked, leading to malware being installed on a range of its clients’ systems.

Categories: Cyber Risk News

Fraudsters Band Together, Shift to Bot Attacks

Info Security - Thu, 03/14/2019 - 18:10
Fraudsters Band Together, Shift to Bot Attacks

Fraudsters are joining together to create fraud rings, sharing knowledge with each other and leveraging automation to attack at scale, according to a new report from Forter.

Forter’s latest Fraud Attack Index found that attackers have been increasingly targeting e-commerce businesses with bot attacks, resulting in an increase in fraud for the second year in a row. The year saw a 26% increase in fraud rings among bad actors, who are increasingly banding together to commit fraud. In addition, fraudsters are shifting from one-off attacks toward the use of bots, with which they are able to run automated scams, such as mass logins, performing upwards of 100 attacks per second.

The rate of increase differs by sector, with the food and beverage industry seeing the greatest spike. According to the report, fraud in food and beverage e-commerce grew by 60% over 2017, and by Q4 2018 the rate of increase had reached 79%.

“In general, the popularity of this industry with criminals is due to its use as a payment testing zone – fraudsters testing out cards or wallets to see if they can get away with the purchase. Once successful, they know it is worth trying for a higher ticket order elsewhere,” the report said.

Additional spikes in fraud were noted in the electronics industry, which was up 79%, as well as apparel and accessories, which increased by 47%. “Apparel remains popular with fraudsters because it is easy to resell, and attempts to buy in bulk are not suspicious as is the case in many other industries,” the report said.

Interestingly, the report also found that cyber-criminals are not actually using all the data that has been stolen in breaches. The air travel industry surprisingly saw fraud attack rates decrease 29% between Q4 2017 and Q4 2018, indicating that data from the 2018 breaches in the sector hasn’t yet been used to scam merchants and customers, according to the report.

Categories: Cyber Risk News

Pakistani Gov. Site under the Eye of Attackers

Info Security - Thu, 03/14/2019 - 16:18
Pakistani Gov. Site under the Eye of Attackers

Malicious actors who breached a Pakistani government site and delivered the ScanBox Framework payload have been tracking users who visit the site to check the status of their passport applications, according to research from Trustwave.

Since attackers compromised the site, visitors to tracking.dgip.gov[.]pk, a subdomain of the Pakistani government’s Directorate General of Immigration & Passports website, have been served the ScanBox Framework, a JavaScript reconnaissance tool linked to many advanced persistent threat (APT) groups that not only collects critical information about visitors’ machines but also captures keystrokes, SpiderLabs researchers wrote in a blog post.

Historically, ScanBox Framework has been popular with more serious APTs, and this instance could signal the beginning of a potentially more elaborate attack, according to researchers.

“In this version that we observed, Scanbox also tried to detect whether the visitor has any of a list of 77 endpoint products installed, most of these are security products, with a few decompression and virtualization tools,” researchers wrote.

Researchers detected ScanBox on the compromised site in early March 2019 and noted that in a single day the tool was able to collect information from at least 70 unique site visitors. In roughly a third of those cases, attackers were able to record credentials.

“We contacted the Pakistani government site regarding this infection, but as of the time of publishing this blog post have received no response and the site remains compromised. As mentioned above, the Scanbox server currently appears inactive, but the infection indicates that the attack has some level of access to the site, and so it’s likely that the server could return to activity or be replaced with a different piece of malicious code at the attacker’s will,” researchers wrote.

Categories: Cyber Risk News

Orgs Say Yes to AI Use But Ask “What Is It?”

Info Security - Thu, 03/14/2019 - 15:52
Orgs Say Yes to AI Use But Ask “What Is It?”

Organizations across the US and Japan have plans to increase their use of artificial intelligence (AI) and machine learning (ML) this year, yet many don't really understand the technology, according to a new report from Webroot.

A survey of 400 IT professionals from businesses across the US and Japan, conducted by LEWIS between November 26 and December 5, 2018, asked participants whether they plan to implement AI and ML. The results, published today in the global report, Knowledge Gaps: AI and Machine Learning in Cybersecurity, revealed that the vast majority (71%) said yes; however, more than half (58%) of those respondents said they are not exactly sure what the technology really does.

Equally notable was the survey finding that 76% of respondents said they don’t care if their companies leverage the technologies, yet an overwhelming number (86%) of IT professionals believe cyber-criminals are using AI/ML tools to attack public and private organizations.

While 83% of IT professionals are confident their organization has everything it needs to defend against advanced AI- and ML-based cyber-attacks, 36% reported their organization has suffered a damaging cyber-attack within the last 12 months despite their having used AI/ML security tools.

"AI and ML continue to present a troubling knowledge gap, particularly given the amount of confusing hype in the cybersecurity industry. A company cannot properly defend against advanced AI and ML attacks when less than half of its IT professionals are comfortable using the tools needed to defend against those attacks,” said Hal Lonas, CTO, Webroot.

“To level the playing field, organizations need to partner with vendors that have the historical data and skilled staff required to deliver the highest level of efficacy and automation to their customers. And even though 70 percent of professionals in the survey say it's very important that vendors mention the use of AI and ML in their advertising, advertisements should be validated by quality data."

Categories: Cyber Risk News

US Lawmakers Call for Senate Breach Alerts

Info Security - Thu, 03/14/2019 - 11:34
US Lawmakers Call for Senate Breach Alerts

Two senior lawmakers have called on the US Senate to provide greater transparency on cyber-attacks, with a view to improving oversight of online threats to the legislature.

Senators Ron Wyden and Tom Cotton signed an open letter to the institution’s sergeant at arms, Michael Stenger, arguing that senators shouldn’t be kept in the dark over cyber threats, given how big a target the Senate is for hackers.

Congressional computers belonging to Frank Wolf’s office are known to have been hacked in 2006, while three years later senator Bill Nelson revealed that his machines had been “invaded” several times, they said.

However, 2009 was apparently the last publicly disclosed breach of congressional computers.

Unlike private US companies and even executive agencies, Congress has no legal obligation to reveal incidents and breaches, and so it has remained largely silent, the senators claimed.

“We believe that the lack of data regarding successful cyber-attacks against the Congress has contributed to the absence of debate regarding congressional cybersecurity—this must change,” Wyden and Cotton wrote.

“Each US senator deserves to know, and has a responsibility to know, if and how many times Senate computers have been hacked, and whether the Senate’s existing cybersecurity measures are sufficient to protect both the integrity of this institution and the sensitive data with which it has been entrusted.”

Although the details surrounding individual incidents may need to be kept secret, senators should be given aggregate statistics about successful attacks on Senate computers and data, the two argued.

They also called for a new policy whereby all Senate leaders and members of committees on rules and intelligence are notified of any breach within five days of discovery.

The two are right to be anxious about the lack of transparency of cyber-attacks on the Senate. Just last year, Russian state hackers were observed setting up phishing sites designed to mimic the chamber’s ADFS (Active Directory Federation Services).

Categories: Cyber Risk News

Elasticsearch Crypto-Miner Sinkholes the Competition

Info Security - Thu, 03/14/2019 - 10:26
Elasticsearch Crypto-Miner Sinkholes the Competition

Researchers have discovered a new crypto-mining campaign targeting Elasticsearch instances which contains sinkholing capabilities to squash any competing miners.

The aptly named “CryptoSink” malware campaign exploits an Elasticsearch vulnerability from 2014 (CVE-2014-3120) to mine cryptocurrency in Windows and Linux environments, according to F5’s Andrey Shalnev and Maxim Zavodchik.

At the time of the research, just one of the three hard-coded C&C domains was operational, resolving to a server located in China.

However, most interesting was the way it finds and kills any competing crypto-mining malware on the same host.

Typically, attackers do this by scanning running processes to find known malware names, or else looking to see which processes are consuming the most CPU.

“In this case, the malware dropper introduces a more sophisticated tactic to paralyze competitors who survive the initial purge. We’ve called it ‘CryptoSink’ because it sinkholes the outgoing traffic that is normally directed at popular cryptocurrency pools and redirects it to localhost (127.0.0.1) instead,” F5 explained.

“It achieves this by writing the target pools’ domains to the ‘/etc/hosts’ file. In doing so, the competitors’ miners are not able to connect to those cryptocurrency pools and fail to start the mining process, which frees up system resources on the infected machine.”

The malware has another trick up its sleeve, this time to achieve persistence. It renames the original rm binary (the Linux “remove” command) to “rmm” and replaces it with a malicious file named “rm”, downloaded from its C&C server.

“Now, each time the user executes the rm command, the forged rm file will randomly decide if it should additionally execute a malicious code, and only then will it call the real rm command (that is, execute the file that’s now named rmm). The malicious code in the rm binary will check if the cronjob exists and if not, it will be added again,” F5 explained.

“The irony is that even if the infected server’s administrator were to detect the other malicious files and try to remove them, she would probably use the rm command which, in turn, would reinstall the malware.”
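Two of the artefacts F5 describes, pool domains pinned to loopback in /etc/hosts and a swapped rm binary, can be checked for directly. The example below is added here and is not F5's code: it parses a hosts file for pool names mapped to a loopback address, runs two cheap checks on a bin directory for the rm swap, and deletes files through unlink(2) so the clean-up never executes a possibly forged rm. The pool list, the hosts file and the throwaway bin directory are constructed for the example; F5's post names the pools the real sample targets, and the article does not reproduce them.

```python
import ipaddress
import os
import tempfile

# Mining-pool domains to look for. Constructed short list for the example.
POOL_DOMAINS = ("minexmr.com", "minergate.com", "supportxmr.com", "nanopool.org")


def sinkholed_pools(hosts_text: str, pool_domains=POOL_DOMAINS):
    """Return (hostname, address) for every hosts entry that points a
    mining-pool hostname at a loopback address, which is CryptoSink's trick."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:                        # malformed address field
            continue
        for name in names:
            name = name.lower()
            if any(name == p or name.endswith("." + p) for p in pool_domains):
                hits.append((name, addr))
    return hits


def rm_findings(bin_dir: str):
    """Two cheap checks for the rm swap: a sibling 'rmm' file, and an 'rm' that is
    not an ELF executable (a dropped shell wrapper, for instance)."""
    findings = []
    if os.path.exists(os.path.join(bin_dir, "rmm")):
        findings.append("sibling 'rmm' binary present")
    with open(os.path.join(bin_dir, "rm"), "rb") as fh:
        if fh.read(4) != b"\x7fELF":
            findings.append("rm is not an ELF executable")
    return findings


def safe_remove(path: str) -> None:
    """Delete without invoking the possibly forged rm command: unlink(2) directly."""
    os.unlink(path)


# Constructed hosts file: two pool names sinkholed to loopback, one ordinary entry.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   pool.minexmr.com
127.0.0.1   xmr.pool.minergate.com   # added by the dropper
10.0.0.5    intranet.example.com
"""


def demo_tampered_rm():
    """Build a throwaway bin directory laid out the way the write-up describes
    (non-ELF 'rm' beside the renamed real binary 'rmm'), check it, clean up."""
    bin_dir = tempfile.mkdtemp()
    with open(os.path.join(bin_dir, "rmm"), "wb") as fh:
        fh.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)   # stands in for real rm
    with open(os.path.join(bin_dir, "rm"), "wb") as fh:
        fh.write(b"#!/bin/sh\n# forged wrapper\nexec /bin/rmm \"$@\"\n")
    findings = rm_findings(bin_dir)
    for name in ("rm", "rmm"):
        safe_remove(os.path.join(bin_dir, name))
    os.rmdir(bin_dir)
    return findings


if __name__ == "__main__":
    print(sinkholed_pools(SAMPLE_HOSTS))
    print(demo_tampered_rm())
    if os.path.exists("/bin/rm"):
        print(rm_findings("/bin") or "no obvious rm tampering in /bin")
```

The ELF check is only a first pass, since a replacement fetched from the C&C server can itself be an ELF; the authoritative check is the package manager's file verification (for example `rpm -V coreutils` or `debsums coreutils`) against the installed rm, and the cron entry F5 mentions should be removed before anything else, because the forged rm re-creates it on every run.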

Categories: Cyber Risk News

ICO Raids Nuisance Call Firms

Info Security - Thu, 03/14/2019 - 10:01
ICO Raids Nuisance Call Firms

The Information Commissioner’s Office (ICO) has raided the offices of two companies suspected of making millions of nuisance calls.

The UK’s privacy watchdog said this week that the execution of search warrants in Birmingham and Brighton was part of a year-long campaign launched after it received over 600 complaints about the firms.

The companies are said to have breached the Privacy and Electronic Communications Regulations (PECR) 2003 as recipients were unable to identify who the calls were from or opt out. The calls themselves typically focused on road traffic accidents, personal injury claims and insurance for household goods, the ICO said.

“Today’s searches will fire a clear warning shot to business owners who operate outside the law by making nuisance marketing calls to people who have no wish to receive them,” said Andy Curry, head of the ICO’s anti-nuisance call team.

“The evidence seized will help us identify any illegal business activities and assist us to take enforcement action, which may include action against the directors, on behalf of the victims who have turned to us for help.”

The ICO has issued a string of big-name fines to nuisance call companies, although until recently it was hampered by a legal loophole which allowed the directors of such businesses to declare bankruptcy, escape paying and start a new business.

That came to an end in December last year after it was finally granted legal power to fine directors directly up to £500,000 for their part in any activities that break the PECR.

In February, the directors of two nuisance call companies were handed multi-year directorship bans as part of the ICO’s ongoing efforts to crack down on the practice.

Global spam calls climbed by 325% over 2018 to hit 85 billion worldwide, according to findings from Hiya released last month.

Categories: Cyber Risk News

#DPI19: Data Regulators Reflect on First Months of GDPR

Info Security - Thu, 03/14/2019 - 09:15
#DPI19: Data Regulators Reflect on First Months of GDPR

Speaking at the IAPP Data Protection Intensive 2019 conference in London, a panel discussion on the first year of GDPR and “What Actions Have Been Taken?” explored how over €55m has been handed out in fines, although the majority of that was the €50m levied at Google. The last year has also seen data protection authorities more than double their head counts.

Moderator Vivienne Artz, chief policy officer of Refinitiv, reflected on data relating to investigations, reports and financial penalties since GDPR came into force. She said that in the UK, 206,326 total cases had been reported, of which 94,000 were complaints and 64,000 were data breach notifications. Of these, 52% had been concluded.

Artz went on to ask the panelists how they had adapted to life under GDPR. Stephen Eckersley, director of investigations at the UK Information Commissioner’s Office, said that the ICO had increased staff numbers from 380 to 700, while Jay Fedorak, information commissioner of Jersey in the Channel Islands, added that his staff had increased from four to nine people.

Eckersley explained that teams were added to deal with “the cyber problem” of breaches and state-sponsored attacks, while other teams were investigating “criminal breaches of the Data Protection Act and Freedom of Information Act” and regulating the NIS Directive.

Fedorak, who was formerly an assistant to current UK information commissioner Elizabeth Denham, said that there were ambitions of growing beyond 60 people for the 110,000+ population of the Channel Islands.

Eckersley said that a lot of the work since May 25 2018 had been on “legacy cases” and he acknowledged that issuing fines was “not the only way to regulate”: the office was also investigating, gathering evidence, reacting quickly and dealing with reports from data controllers and from the media.

Explaining how an investigation comes together, he said that an investigating team finds evidence and speaks to the data controller, looks for policy and procedures and it “all ends up in the same place – enforcement action.” This team then pulls the case together, which goes to the delegated authority, and a regulatory panel determines the size of the fine.

He said: “There were five bands under the 1998 DPA, and we are considering our options of continuing that approach or working with our colleagues in The Netherlands and Norway, and harmonizing the calculation of fines.”

Looking at the first year under the GDPR, Eckersley said: “There is a lot of work to be done, but we’ve got established processes. It’s quite an exciting time to work at the ICO.”

Appearing via video link, Mathias Moulin, director of rights protection and sanctions directorate at the Commission nationale de l'informatique et des libertés, said that prioritization with colleagues was important, and regulation was pushing that as it was a “natural” expectation of GDPR to prioritize European cooperation for complaints “as we have a limited time limit to handle complaints.”

Commenting on the shift from data loss to other types of privacy breach (94,000 to 64,000), Moulin said that there is “still room to improve the processes of contact.”

Asked by an audience member if there is a problem of over-reporting, Eckersley said that the ICO recognized that it needed a dedicated team: in the first month of GDPR, 1,700 breaches were reported and, while that has levelled off to 380-400 a month, “it more and more clarifies what GDPR is saying.”

Categories: Cyber Risk News

No More Nugs after Telegrass Drug Bust

Info Security - Wed, 03/13/2019 - 18:28
No More Nugs after Telegrass Drug Bust

After months of investigating what was believed to be the largest online drug trafficking ring in the past decade, Israeli police, in conjunction with officers of the Security Service of Ukraine (SBU), have arrested 42 suspects, including the alleged leader.

According to SBU, “On March 12, Ukrainian law enforcers basing on the motion about international assistance, detained the head of the drug cartel in Kyiv, where he arrived to create ‘business communication’ with representatives of local criminal circles. Currently, the foreigner has been transferred to the National Police of Ukraine for the organization of his extradition to the native country.”

“The announcement came a day after Prime Minister Benjamin Netanyahu said he was looking into the possibility of legalizing recreational cannabis use, in an apparent reaction to the surge in polls of a rival right-wing candidate who has made the issue a central plank of his platform,” the Times of Israel reported.

The alleged drug trafficking group has reportedly been using Telegrass, an app developed by Amos Dov Silver, who was identified as the leader of the drug trafficking network by the Israeli and Ukrainian police.

Estimated to have more than 150,000 members from countries around the world, including the United States, Ukraine and Germany, the group has referred to itself as “like Uber but for weed” and is managed through the encrypted messaging app Telegram.

“This app connects thousands of weed smokers with black market dealers,” Herb’s Madison Margolin wrote in a product review of the Telegrass app.

As part of her review, Margolin shared a detailed history of how Silver came to develop Telegrass, noting that “his guiding philosophy is that everyone in the world should have access to cannabis, never mind what the local law may be. And that’s served as the inspiration for his company Telegrass.”

It’s also likely what inspired the covert operation of law enforcement. On March 12, the months-long undercover investigation culminated in dozens of arrests. According to the Times of Israel, “People were taken for questioning under caution on suspicion of managing and funding a criminal organization, trading and providing dangerous drugs, brokering drug deals, money laundering, disrupting court proceedings, conspiring to commit a crime, tax offenses and more.”

Categories: Cyber Risk News

Source Code Error in Swiss Post E-Voting System

Info Security - Wed, 03/13/2019 - 16:02
Source Code Error in Swiss Post E-Voting System

A group of international researchers at the University of Melbourne discovered a flaw in the Swiss Post e-voting system that had also been independently discovered by Thomas Haines of NTNU and by Rolf Haenni of Bern University of Applied Sciences.

According to the research, the vote verification process is flawed. Researchers revealed there was a significant gap in the source code of the shuffle proof in the universal verifiability mechanism used to secure and authenticate the votes.

The disclosure has sparked interest among Twitter cryptographers and those concerned with voter fraud.

“The problem occurs because the voting system implements a series of sophisticated cryptographic zero-knowledge proofs, in order to keep votes encrypted and untraceable while also preserving election integrity. At a critical place, one of the proofs is flawed,” Matthew Green, cryptographer and professor at Johns Hopkins University, tweeted.

Originally discovered in 2017, the flaw in the source code is not new; however, it was not fully corrected by the technology partner Scytl, which is responsible for the source code, according to Swiss Post.

“Swiss Post regrets this and has asked Scytl to make the correction in full immediately, which they have done. The modified source code will be applied with the next regular release.

“The e-voting system currently being used in the cantons of Thurgau, Neuchâtel, Fribourg and Basel-Stadt is not affected by this gap in the source code. It exclusively affects the system with universal verifiability provided for the intrusion test, which has never been used for a real vote.”

In a statement shared with Infosecurity, a Swiss Post spokesperson said that the error in the code was corrected immediately and that the modified source code will be applied with the next regular release.

“The error exclusively affects the system with universal verifiability provided for the intrusion test, which has never been used for a real vote,” the spokesperson said. In addition, Swiss Post is conducting a public intrusion test (PIT) from February 25 through March 24, 2019, on its e-voting system, wherein hackers are invited to find vulnerabilities in the system.

Categories: Cyber Risk News

#DPI19: Open Banking and Data Sharing Will Benefit Consumers

Info Security - Wed, 03/13/2019 - 15:25
#DPI19: Open Banking and Data Sharing Will Benefit Consumers

Speaking at the IAPP Data Protection Intensive 2019 conference in London on 'How Privacy & Data Protection are Impacted by Competition Considerations,' Helena Koning, senior managing counsel and data protection officer at Mastercard, said that new rules on open banking are permitting more sharing and reuse “of different types of data whilst respecting the privacy and benefit of consumers.”

Saying that data “is not the new oil, but is an infrastructure,” Koning explained that data can be used “without loss of quality and competitive edge.”

Looking at new initiatives on data sharing and open banking, she said that competition laws are “beefing up with new privacy initiatives,” one of which is the new payment data standard PSD2, which has “created a new playing field,” changed the policy landscape and prompted a new way of thinking.

She added: “We see privacy, consumer and European laws moving together to enable choice, and enable innovation.” This was predicted to form API-based sharing from the banks into personal applications, which will allow them to become third party data providers. “We will see more ‘forced’ data portability, and this is good for consumers,” she said.

Looking at trends around data sharing, competition strategies and data sharing instruments, Merel Schwaanhuyser, senior compliance and ethics counsel and global data privacy at Accenture, said that these will enable companies to work better together, and boost each other. “All regulations will be based on human rights and freedoms,” she said.

Categories: Cyber Risk News

Block in Russia Unjustified, Says ProtonMail

Info Security - Wed, 03/13/2019 - 14:54
Block in Russia Unjustified, Says ProtonMail

Claiming that it had received multiple bomb threats via email, the Russian government restricted internet access in a way that resulted in ProtonMail's email servers being blocked, according to PortSwigger.

In a March 12 blog post, ProtonMail founder Andy Yen called the block "unjustified" and promised to restore full service to users in Russia. “The Russian government has ordered a partial block of ProtonMail, preventing some Russian mail servers from reaching us. We have managed to restore services at this time,” ProtonMail tweeted.

According to Yen, the Federal Security Service of the Russian Federation (FSB) issued a letter on February 25 ordering two internet service providers to impose a block in the aftermath of what it called fake terror threats. The blocks at MTS and Rostelecom prevented traffic from Russia from reaching ProtonMail’s mail servers, which effectively cut off communication with ProtonMail.

“However, the method of the block (preventing messages from being sent to ProtonMail, as opposed to blocking delivery of messages from ProtonMail) seems inconsistent with that claim. Due to the timing of the block, some ProtonMail users in Russia suspect that the block may be related to the mass protests this past weekend in Russia where 15,000 people took to the streets to protest for more online freedom."

The block came after thousands of protesters in Russia flocked to the streets on March 10 to express their outrage at a cybersecurity bill that tightened restrictions on the internet, according to the BBC.

“If there is indeed a legitimate legal complaint, we encourage the Russian government to reconsider their position and solve problems by following established international law and legal procedures, rather than attempting to deny millions of Russian citizens access to better email security and privacy,” Yen said.

The Russian government recently passed additional legislation restricting the use of the internet to speak out against the government or to spread "fake news."

Categories: Cyber Risk News

Ruling offers guidance on liquidated damages clauses for delay

Outlaw.com - Wed, 03/13/2019 - 14:14
A ruling by the Court of Appeal earlier this month has highlighted the importance of ensuring IT contracts are clear about how liquidated damages apply in cases where technology suppliers are late in delivering a project, an expert in IT disputes has said.
Categories: Cyber Risk News

#DPI19: Privacy Playbooks Can Help Navigate Data Protection Act Rules

Info Security - Wed, 03/13/2019 - 13:45
#DPI19: Privacy Playbooks Can Help Navigate Data Protection Act Rules

Speaking at the IAPP Data Protection Intensive 2019 conference in London, panel moderator Kabir Barday, CEO of OneTrust, asked “How the UK’s Data Protection Act 2018 Impacts Your GDPR Programme.”

Julie Varcoe-Cocks, head of ethics, regulatory and compliance and data protection officer of Serco, said that the new Data Protection Act (DPA) has “more focus on the rights of the individual” as well as details on control of data, and that the Information Commissioner’s Office has instructed that businesses should be ready for audits.

She went on to talk about gathering data and understanding exemptions, and said that “having consistency is a challenge,” so one way to achieve this is to have a playbook in order to refine your processes and to demonstrate the way a company operates and what exemptions it applies.

Kasey Chappelle, DPO of GoCardless, added that a playbook can help lay out what you do, and you should base it on what the law requires and the requirements of the DPA. “Write it down and make sure people understand it,” she said.

Speaking to Infosecurity, Chappelle said that the first step in building a playbook is to look at what the company does, and it should be tailored to the company “to answer the questions that they are asking and builds it into their documentation, procedures and handbooks and it is all pulled together in our portal so it is easy to find.”

In terms of a first step for building a playbook, Chappelle said that it is important to figure out what you’re doing, and what your company’s documentation is. “We have an obligation to meet privacy by design and if I built a process that followed that privacy by design process, I guarantee you that my product design team would completely ignore it,” she said. “So I started the other way around: how do we develop products in this organization, what are the documentations that are provided, what are the decisions that are made, how do I understand how I insert myself into those points to understand those decisions and help where necessary?”

The panel also covered the role of the ICO, and how its capability to take away your ability to do data processing was often a greater threat than that of the monetary penalty, while to “intentionally re-identify” was also a new criminal act.

Categories: Cyber Risk News

MAGA App Dev Mad After Security Snafu

Info Security - Wed, 03/13/2019 - 11:55
MAGA App Dev Mad After Security Snafu

The developer of an app for US conservatives has hit out at a researcher who exposed fundamental security shortcomings that put users at risk.

The individual, who goes by the name Elliot Alderson on Twitter and claims to be a French security researcher, was quick to take down the 63red Safe app launched over the weekend.

The Yelp-like app makes promises about “keeping conservatives safe” by showing listings for shops and restaurants which are supposedly MAGA-friendly.

However, the app itself was found to be far from safe for its users.

Alderson revealed that the developer hard-coded his credentials into its code, and added no authentication to the APIs used to retrieve data from its server.

This meant the researcher was able to retrieve information on all users who had signed up, including profile picture, username, ID and email address. He claimed that just 4466 people had signed up, as of Tuesday.

By exploiting the same exposed APIs the researcher was able to perform other tasks like blocking users.

However, the app’s developer and founder Scott Wallace has reacted badly to this public security disclosure.

“We see this person’s illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today,” he said in a blog post.

“We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.”

For the record, Alderson, which is the same name as the fictional character from TV show Mr Robot, has previously exposed security issues with right-wing mobile apps.

Back in October he revealed how the Donald Daters app had leaked its entire database of users on launching.

Categories: Cyber Risk News