Feed aggregator

CIA Report Slammed Agency’s Security as “Woefully Lax”

Info Security - Wed, 06/17/2020 - 08:40
CIA Report Slammed Agency’s Security as “Woefully Lax”

A US senator is demanding to know why the CIA is still not following the government’s advice on best practices after he obtained a 2017 report describing the agency’s day-to-day cybersecurity as “woefully lax.”

The internal report was written by the CIA’s WikiLeaks Task Force in the wake of the Vault 7 disclosures to the whistleblowing site, which amounted to the “largest data loss” in its history.

At least 180GB and potentially as much as 32TB of information, including data on a range of cyber-weapons, was stolen by an insider in 2016. The CIA said it didn’t know how much data was taken because there were no safeguards such as user monitoring on the Center for Cyber Intelligence software development network (CCI DevLAN), where much of it was stored.

Democrat senator Ron Wyden on Tuesday wrote to the director of national intelligence, John Ratcliffe, warning that the agency was still lagging behind on implementing even basic cybersecurity used widely elsewhere in federal government.

This includes DMARC to help prevent phishing and email impersonation, and multi-factor authentication for the CIA’s .gov domains and the Joint Worldwide Intel Communications System (JWICS), which is used for top secret comms in the US intelligence community.

According to the report, the CCI had for many years “prioritized building cyber-weapons at the expense of securing their own systems.

“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls and historical data was available to users indefinitely,” it continued.

“CCI focused on building cyber-weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over the years that too often prioritized creativity and collaboration at the expense of security.”

The irony, said Wyden, is that the intelligence community was not formally required to implement specific security policies mandated to other federal agencies by the Department of Homeland Security (DHS), as it was assumed that it would go “above and beyond.”

Fausto Oliveira, principal security architect at Acceptto, argued that the Department of National Intelligence budget runs into the tens of billions, which should allow the CIA to address the concerns raised by Wyden.

“Based on the findings of the report, it appears that there was a lack of IT and cybersecurity governance that led to a lax adoption of security controls,” he added.

“It is not an operational matter, it is a matter of the agency's management not setting the right goals to manage the risks associated with operating an organization, specifically an organization that is a desirable target for all kinds of attackers.”

Categories: Cyber Risk News

Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices

Info Security - Tue, 06/16/2020 - 17:06
Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices

Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centers, power grids, and elsewhere.

The flaws, dubbed Ripple20, were detected by the JSOF research lab in a widely used low-level TCP/IP software library developed by Treck, Inc. In research published today, JSOF said Ripple20 includes multiple remote code execution vulnerabilities and affects "hundreds of millions of devices (or more)."

Researchers named the vulnerabilities Ripple20 to reflect the widespread impact they have had as a natural consequence of the supply chain "ripple-effect" that has seen the widespread dissemination of the software library and its internal flaws.

"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.

Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.

Researchers said many other major international vendors are suspected of being vulnerable in the medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries. 

"The risks inherent in this situation are high," wrote researchers. "Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction." 

By exploiting the flaws, an attacker could hide malicious code within embedded devices for years. One potential risk scenario is that a threat actor could broadcast an attack capable of taking over all impacted devices in the network simultaneously. 

"This is a classic case of finding critical vulnerabilities in embedded IoT devices that were designed years ago and may now be impossible or impractical to patch," commented Phil Neray, VP of IoT & industrial cybersecurity at CyberX.

"The best strategy is to implement compensating controls such as network segmentation to make it harder for adversaries to connect to these devices, plus Network Traffic Analysis (NTA) with Security Orchestration, Automation, and Response (SOAR) to quickly spot anomalous behavior—and stop it—before they cause a safety incident, shut down production, or steal intellectual property."

Categories: Cyber Risk News

Wiggle Investigates Cyber-Attack

Info Security - Tue, 06/16/2020 - 16:24
Wiggle Investigates Cyber-Attack

Online sports retailer Wiggle is investigating a suspected cyber-attack after receiving a series of complaints from customers.

Concerns were raised after customers received emails confirming orders for items from Wiggle that they had not placed. The suspicious orders were set to be delivered to addresses that the confused customers did not recognize. 

The idea that Wiggle had been hit by a possible cyber-attack was first mooted on June 12. One customer reached out to cycling news site Road.cc after failing to illicit a response from Wiggle regarding a £30 order charged to his account that he said was not made by him.

Another Wiggle customer, Kobi Omenaka, took to Twitter to complain that he had received no response from the retailer after informing them that an imposter had used his account to purchase a £237.50 skin-tight cycling suit in dark steel blue. 

Along with an attachment of the order confirmation, Omenaka posted "@Wiggle_Sport someone broke into my account and ordered this. I told customer services as it happened but no one has come back to me."

Twitter user George Slokoski responded to Omenaka's tweet, saying that he had also experienced issues with his Wiggle account.

"Mine also hacked this AM," wrote Slokoski. "Got an email saying my email address has changed to kikogtx+40@gmail.com and shortly after I had a charge for £5."

Another user, Harry Holmes, tweeted, "The same happened to me!" and asked Omenaka if his fake order was also being sent to an address in Twickenham, London.

On June 14, another customer, who uses the handle @hayleybadger on Twitter, tweeted the store: "@Wiggle_Sport Are you under cyber attack? I've received an email to say someone's changed my account to their email address and I can’t access your website."

Wiggle responded to the tweet above with an invitation to discuss the matter over live chat. 

Twitter user @Omidpyc claims Wiggle has been aware of a cybersecurity breach for over ten days but has not gone public with the news.

Earlier today he tweeted: "Just had a call from Ross Clemmons. He says Wiggle are going to put out an announcement (Crossed fingers) and apologized for their dire response over the weekend."

According to @Omidpyc, Clemmons "agreed customer account flow was insecure and it’s been reported to ICO."

Categories: Cyber Risk News

eBay Executives Charged With Cyber-Stalking Critics

Info Security - Tue, 06/16/2020 - 15:47
eBay Executives Charged With Cyber-Stalking Critics

Six senior eBay employees have been charged with intimidating and cyber-stalking the couple behind an online newsletter whose media coverage they didn't like.

The executives, who no longer work for the online marketplace, allegedly sent a stream of terrifying deliveries to the homes of the newsletter's editor and publisher and their neighbor. Sinister deliveries received by the couple over a period of weeks included a bloody pig mask, a wreath of funeral flowers, and live spiders and cockroaches. 

Pornographic magazines with the husband's name on them were sent to the house of one of the couple's neighbors in Natick, Massachusetts. In addition, officials said that a plot had been hatched by the executives to break into the garage of the alleged victims and fit a GPS tracking device to their vehicle. 

The former executives allegedly launched their prolonged campaign of terror after a newsletter run by the couple published a piece concerning some litigation in which eBay was embroiled. 

It is further alleged that the executives created fake social media accounts that they used to send the couple a series of threatening messages and post about phony events happening at the couple's home address. 

“This was a determined, systematic effort by senior employees of a major company to destroy the lives of a couple in Natick all because they published content that company executives didn’t like," said Massachusetts US attorney Andrew Lelling.

"For a while they succeeded, psychologically devastating these victims for weeks as they desperately tried to figure out what was going on and stop it."

Court documents reveal that one member of eBay's executive team directed the company's former senior director of safety and security, James Baugh, to "take her down," referring to the newsletter's editor. 

San Jose, California, resident Baugh, along with eBay’s former director of global resiliency, David Harville, of New York City, are charged with conspiracy to tamper with witnesses and conspiracy to commit cyber-stalking. 

Other former eBay employees charged in relation to the alleged cyber-stalking are Stephanie Popp, former senior manager of global intelligence; Stephanie Stockwell, former manager of eBay’s Global Intelligence Center; Brian Gilbert, former senior manager of special operations for eBay’s Global Security Team; and Veronica Zea, a former eBay contractor who worked as an intelligence analyst in the Global Intelligence Center.

Categories: Cyber Risk News

ESET CTO: AI Can Work With Correct Human Intervention

Info Security - Tue, 06/16/2020 - 15:06
ESET CTO: AI Can Work With Correct Human Intervention

AI and machine learning technologies need training and human intervention to work as expected.

Speaking as part of ESET’s Virtual World event, CTO Juraj Malcho said there are perceptions that AI is evil or mysterious, but “it is not magic, not self-aware and it is invented and programmed by humans; it doesn’t have any obscure intentions” and it relies on inputs.

“There are some companies out there that claim they have magic solutions, but that is not the case,” he said. “I like to say it is advanced computer assisted automation.” He admitted whilst that made it sound uninteresting, “it is a beautiful thing if you look under the hood,” as we didn’t have computers and technology to utilize machine learning capabilities for many decades, but we have other ways to apply them now.

Citing an how automation can be used in malware detection, Malcho said unique clusters of malware samples are often classified by common traits. In one example, he referred to a case where 7.7 million Emotet attacks had been detected by ESET, and as the company was able to classify using machine learning of a single DNA detection, three million attacks were discovered “thanks to us seeing common traits of a family.”

Malcho admitted that machine learning is not accurate but it is a fast way to detect, and “accuracy is best when you have a human involved and work hand in hand.” However, machine learning also comes with challenges, he added, such as when you feed it with data “you may find you don’t have the capacity of your computing systems to process all of the data.”

This requires a hybrid approach, where you pre-select the samples and train your models. “The trick here is to have it balanced, as if the model is imbalanced and not representing the real world properly, you are basically getting junk in and the result is junk out,” he said.

Consideration also has to be made regarding the malicious use of automation too, he continued, and malicious usage can include generating and distributing spam and phishing, and Malcho said automation is also commonly used in language translation.

He also claimed that attackers can detect intruders in their infrastructure, identify patterns in generated content, create false flags and choose the best target and attack methods.

Concluding, Malcho said that AI “is far from 'Skynet' and trying to control us, it is just a tool that we have at our disposal” and it depends on how well you are able to use it.

He said: “AI without data is just beautiful math, and data without AI is basically just a bunch of ones and zeros. One doesn’t exist without the other. So when the perfect combination of these elements is achieved and properly validated data is fed into the properly-designed systems, a euphoric moment is created.”

Categories: Cyber Risk News

46% of SMEs Sharing Confidential Files by Email During Lockdown

Info Security - Tue, 06/16/2020 - 14:16
46% of SMEs Sharing Confidential Files by Email During Lockdown

Nearly half (46%) of small and medium-sized enterprises (SMEs) regularly share confidential files via email, including financial and employee data in spreadsheets, according to a new study from the Lanop Accountancy Group. This is despite the fact that 60% have not upgraded their organizations’ cybersecurity capabilities since shifting to remote working during COVID-19.

In a survey of 100 company owners of SMEs based in London, UK, which focused on their security habits during the pandemic, 59% revealed they had received an increase in phishing emails since lockdown began.  

Cybersecurity expert Tim Sadler, CEO of Tessian, said: “Protecting people on email has to be a priority in this new hybrid world where employees can work from anywhere. All it takes is one simple mistake or typo for sensitive and confidential files to land in the wrong inbox and for a company to suffer a significant data breach.”

SMEs also outlined IT difficulties they have faced as a result of moving to a remote working model. A quarter said they share a Zoom account with another company, and one in five have been forced to cancel a meeting due to conference systems crashing. Meanwhile, 30% reported purchasing additional laptops, mobiles and tablets to manage remote working.

In addition, one third of company owners don’t believe they have the IT systems to continue remote working for a further three months, while 28% said their staff lack the digital skills to work from home.

Lanop also found nearly half (45%) plan to increase their IT spending in the near future, while 23% will not renew their office lease beyond the crisis.

Sridhar Iyengar, managing director of Zoho Europe, added: “The COVID-19 crisis has forced the majority of business owners to quickly implement remote working systems in order to continue trading despite strict lockdown measures. For many companies, successfully managing urgent projects, team meetings and company finances online against the backdrop of economic turmoil has brought with it a myriad of delays.”

A survey published last month by Bitglass found that most organizations are not sufficiently prepared to securely support remote working, even though 84% intend to continue this practice beyond the crisis.

Categories: Cyber Risk News

New Fake Ad Alert System Launched to Fight Online Scams

Info Security - Tue, 06/16/2020 - 12:15
New Fake Ad Alert System Launched to Fight Online Scams

A new system to detect and remove scam adverts from the internet has been launched in the UK.

As reported by ITV, the UK Scam Ad Alert tool – set up by the Advertising Standards Authority (ASA) and the Internet Advertising Bureau (IAB) with support from digital ad platforms and tech giants – will allow people to report scam ads which appear in paid-for spaces online.

The ASA will then circulate details of the ads, remove them and suspend the advertiser’s account where possible. The ASA said that the system has been launched in response to concerning growing trends around online fraud and the financial harm it can cause.

ASA chief executive Guy Parker said: “The overwhelming majority of ads responsibly inform and entertain their audience, but a small minority are published with criminal intent.

“Our Scam Ad Alert system will play an important part in helping detect and disrupt these types of scams. By working closely with our partners such as Google and Facebook we can act quickly to have problem ads taken down as part of our ongoing work to better protect consumers online.”

However, Jake Moore, cybersecurity specialist at ESET, pointed out that, whilst such alert systems can help fight online scams, user awareness also plays a big part in detecting and stopping scams from being successful.

“Users need all the help they can get in a space where scam adverts are rife. However, a scam alert system only works when people correctly identify a misleading advert and they are taken down quickly enough before others are unfortunate enough to click into them. Similar to reporting abuse on social media, the efficiency of such systems is all down to the speed in which they can be effective.

“This is at the very least a step in the right direction, but the best approach is to teach the users about awareness and how to spot a fraudulent advert. Such clues lie in poor stylistics, bad grammar and strange looking links when hovering over the advert or long clicking on it.”

Categories: Cyber Risk News

Global DDoS Attack Dismissed as T-Mobile Misconfiguration

Info Security - Tue, 06/16/2020 - 10:35
Global DDoS Attack Dismissed as T-Mobile Misconfiguration

Claims of a global DDoS attack have been dismissed, with evidence showing it was caused by a misconfiguration.

The issue was apparently caused by a misconfiguration at T-Mobile in the USA. Mike Sievert, CEO of T-Mobile, claimed in a statement published at 845pm PT that it had “been experiencing a voice and text issue that has intermittently impacted customers in markets across the US” which started just after 12pm EDT, and continued through the day.

“This is an IP traffic-related issue that has created significant capacity issues in the network core throughout the day,” Sievert said. “Data services have been working throughout the day and customers have been using services like FaceTime, iMessage, Google Meet, Google Duo, Zoom, Skype and others to connect.

“I can assure you that we have hundreds of our engineers and vendor partner staff working to resolve this issue and our team will be working through the night as needed to get the network fully operational.”

T-Mobile claimed on Twitter that it was a “widespread routing issue affecting voice & text” and this affected customers around the country.

Despite regular updates and clarifications, claims that there was a global DDoS attack taking place were seen. Some claimed that brands including Sprint, AT&T, Verizon, Comcast, Fortnite, Instagram and Chase Bank were affected, while this map appeared to show a large flow of attack traffic coming from the US.

However, Cloudflare CEO Matthew Prince dismissed claims of a DDoS attack, saying in a Twitter thread that he saw the issue with T-Mobile “making some changes to their network configurations today” and “unfortunately, it went badly” as the result was six hours “of cascading failures for their users.”

Prince added: “This is no massive DDoS attack. First, traffic from WARP to supposedly impacted services is normal and has no increase in errors. Second, there is no spike in traffic to any of the major internet exchanges, which you do see during actual DDoS attacks and definitely would see during one allegedly this disruptive.”

Categories: Cyber Risk News

IT Pros Feel #COVID19 Pressure as 66% Cite Increased Security Risks

Info Security - Tue, 06/16/2020 - 10:20
IT Pros Feel #COVID19 Pressure as 66% Cite Increased Security Risks

IT professionals have been placed under extreme pressure to support mass home working over the past few months, with two-thirds reporting an increase in security issues, according to Ivanti.

The endpoint security firm polled 1600 global IT professionals to better understand their changing workload during recent government-mandated lockdowns.

Of those who cited security challenges, malicious emails (58%), non-compliant employee behavior (45%) and an increase in software vulnerabilities (31%) came out top.

Yet the bigger picture is that IT teams have been stretched on an almost unprecedented scale due to the demands of a newly distributed workforce.

For 63% of those interviewed, IT workloads increased 37% since remote working began. The most common requests include VPN issues (74%), video conferencing (56%), bandwidth constraints (48%), password resets (47%) and messaging issues (47%).

Specifically, they have been forced to do things like increase VPN access to more employees (70%), source, set up and distribute extra devices (54%) and create more “how to” articles for staff (52%).

Against this backdrop, a lack of communication was cited as a top challenge by 20% of respondents.

This extra workload is somewhat understandable, given that respondents have seen a 93% increase on average in remote workers. More than a third of respondents said 100% of employees are now working from outside the office.

“Responding to the COVID-19 pandemic has indeed placed an unprecedented demand on IT teams as they work to balance security and user productivity for the new remote workforce,” said Phil Richards, chief security officer at Ivanti.

“It’s a shift we see first-hand at Ivanti. To ease the new IT workload, we found that by employing more IT service automation and asset management optimization our IT staff are better equipped to support users’ needs, while also taking necessary actions to mitigate security risk. As a result, we are able to ensure employees can remain both productive and safe.”

Despite the extra lockdown-related workload, IT professionals pointed to the lack of a commute (44%) and more flexible working hours (19%) as benefits, and 16% said they have been more productive.

Categories: Cyber Risk News

Magecart Attackers Target Retail Brands Under Lockdown

Info Security - Tue, 06/16/2020 - 09:20
Magecart Attackers Target Retail Brands Under Lockdown

Magecart attackers have been busy again, installing digital skimming code onto the websites of several popular retailers over recent weeks.

The first brand affected was US accessories provider Claire’s. Security company Sansec spotted an unknown third party registering the “claires-assets” domain back in March, just after the chain decided to shut all of its stores.

“For the next four weeks, Sansec did not observe suspicious activity, but in the last week of April, malicious code was added to the online stores of Claire’s and its sister brand Icing,” it continued.

“The injected code would intercept any customer information that was entered during checkout, and send it to the claires-assets.com server. The malware was present until June 13.”

Unlike many Magecart efforts which compromise sites by attacking their digital supply chain partners, this was a direct attack with the hackers gaining write access to code.

However, the root cause of the compromise is not yet known: Sansec hypothesized that leaked admin credentials, spear-phishing of staff and/or a compromised internal network may have been to blame.

The firm responded quickly to Sansec’s private disclosure of the incident, and urged online shoppers to monitor their bank statements.

“Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process,” it said in a statement sent to Sansec.

“We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue.”

Also on Monday, security firm ESET warned that online shoppers in the Balkans may have had their card details stolen from Intersport stores. It claimed that the popular sports retailer fixed the issue “within several hours” after the firm sounded the alarm. Consumers in Croatia, Serbia, Slovenia, Montenegro and Bosnia and Herzegovina were affected.

Worryingly for the brands affected, research from SiteLock late last year found that a third of consumers never again shop with a retailer their information is stolen from.

Categories: Cyber Risk News

NHS: 100+ Email Accounts Hijacked in Phishing Campaign

Info Security - Tue, 06/16/2020 - 08:25
NHS: 100+ Email Accounts Hijacked in Phishing Campaign

The NHS has confirmed that 113 internal email accounts were compromised and used to send malicious spam outside the health service around two weeks ago.

A brief NHS Digital statement issued on Friday revealed that the incident occurred between Saturday May 30 and Monday June 1 2020.

It claimed the security snafu affected a “very small proportion” of NHS email accounts, around 0.008% of the 1.4 million total, and was linked to a wider campaign designed to steal victims’ log-ins.

“There is currently no evidence to suggest that patient records have been accessed. We are working closely with the National Cyber Security Centre (NCSC), who are investigating a widespread phishing campaign against a broad range of organizations across the UK,” it added.

In fact, the NCSC first raised the alarm about the campaign back in October last year, claiming that automated attacks designed to harvest credentials had been active since at least July 2018 and were spreading “indiscriminately” across multiple verticals.

“In this campaign, the user receives a phishing email from a legitimate and known email account which has been compromised. Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email,” it explained.

“More recently, the subject lines include the compromised user’s address-book entry for the recipient of the phishing email. This could be in the recipient’s name, the email address or may just be blank.”

Clicking on a link in the email would take the user to a fake log-in page featuring their organization’s logo and their email, the NCSC said.

All those affected by the latest NHS-based attacks will have been notified by today, NHS Digital claimed. It argued that since implementing a “new password approach” there has actually been a 94% decrease in phishing emails sent to NHSmail accounts over the past year.

“We are investigating this issue and have taken the precaution of asking all mailboxes that have a similar configuration to the compromised accounts to change their passwords with immediate effect,” NHS Digital concluded.

“We have worked with the organizations involved to isolate affected accounts, supported them to make any necessary changes and have advised affected individuals.”

Categories: Cyber Risk News

Philippines Convicts Rappler Founder of Cyber-libel

Info Security - Mon, 06/15/2020 - 18:13
Philippines Convicts Rappler Founder of Cyber-libel

The founder and executive director of social news website Rappler was today found guilty of cyber-libel by a court in the Philippines.

Maria Ressa and former Rappler reporter Reynaldo Santos Jr. each face up to six years in jail after becoming the first two journalists to be convicted of cyber-libel in the country. 

Judge Rainelda Estacio-Montesa permitted Santos and Ressa to post bail, pending an appeal. Should their convictions be upheld, each will serve a minimum custodial sentence of six months and one day. 

The cyber-libel case against the pair stemmed from a 2017 complaint filed over a Rappler story that was published in 2012, before the cybercrime law was passed.

The businessman who lodged a complaint against the Rappler duo sought damages of approximately $1m. The judge ruled that the complainant should receive the equivalent of $8,000 in local currency for moral and exemplary damages. 

Ressa has vowed to fight the judgment made against her over a case that she described in the press conference that followed her conviction "was meant to be a cautionary tale."

"It is a blow to us. But it is also not unexpected," said Ressa. "I appeal to you, the journalists in this room, the Filipinos who are listening, to protect your rights. We are meant to be a cautionary tale. We are meant to make you afraid. But don't be afraid. Because if you don't use your rights, you will lose them."

The case against Ressa and Santos was seen by many as a touchstone to indicate what freedom the press will be allowed in the Philippines under the administration of President Rodrigo Duterte. 

It's the first of eight active cases filed against Ressa and Rappler since Duterte ascended to power in 2016.

Ressa reminded her fellow Filipinos of the inherent danger of allowing a free press to be silenced.  

"Freedom of the press is the foundation of every single right you have as a Filipino citizen. If we can't hold power to account, we can't do anything," said Ressa.

"The verdict basically kills freedom of speech and of the press," the National Union of Journalists of the Philippines said, while the Foreign Correspondents Association of the Philippines termed the verdict "a menacing blow to press freedom."

Categories: Cyber Risk News

Mobile Threats Delivered by Adult Content Double

Info Security - Mon, 06/15/2020 - 16:57
Mobile Threats Delivered by Adult Content Double

Threat actors hiding malware in adult content are targeting mobile users over those who turn to their PCs to get turned on. 

Research published by Kaspersky found that while PC threats masquerading as pornography fell by 40% in 2019, attacks on mobile users increased. 

Kaspersky's review of 2019 threat activity discovered that the number of mobile users attacked by threats disguised as pornographic content grew two-fold in 2019, reaching 42,973 users, compared to the 19,699 targeted in 2018.

By contrast, the number of PC users affected by malicious adult content fell from 135,780 users attacked in 2018 to 106,928 in 2019. 

To further their understanding of the attacks waged against mobile users, researchers checked all files disguised as pornographic videos or adult content–related installation packages for Android and ran 200 popular porn category tags against this database. 

"The analysis showed results for 105 tags in 2018 and for 99 tags in 2019, demonstrating that not all porn is used by cybercriminals to target their victims," wrote researchers.

Additional analysis demonstrated that pornographic content that could be rated as violent was rarely ever used by threat actors for spreading malware.

Advertising software that shows users unwanted content or redirects them to unwanted advertising pages was the most prominent mobile threat both in variety and in the number of attacked users. Out of the top 10 porn-related threats for mobile users in 2019, seven belonged to this class of threat.

An advertisement application detected as AdWare.AndroidOS.Agent.f hit 35.18% of mobile users targeted by malicious pornographic content in 2019. Typically, this type of threat is distributed through various affiliate programs that target victims with malicious applications or generate money per installation.

Dmitry Galov, security researcher at Kaspersky, said that the research demonstrated how cybercriminals adapt their tactics based on social trends. 

“As users are becoming more mobile, so are cybercriminals,” said Galov. 

“While we have not witnessed many changes in the techniques used by cybercriminals, statistics show that this topic remains a steady source of threats and users need to be aware of that, taking steps to protect access to the valuable data they keep on their devices."

Categories: Cyber Risk News

Foodora Data Breach Impacts Customers in 14 Countries

Info Security - Mon, 06/15/2020 - 16:19
Foodora Data Breach Impacts Customers in 14 Countries

Online food delivery service Delivery Hero has confirmed a data breach affecting its Foodora brand. 

The cybersecurity incident has exposed the account details of 727,000 customers in 14 different countries. Information exposed in the incident included names, addresses, phone numbers, and hashed passwords.

While no financial data was leaked, customers' geolocation data, accurate to within a couple of inches, was breached. Such data could prove embarrassing to any individuals who have ordered food while pursuing a clandestine affair. 

Data breached in the incident was found online on May 19, posted in a forum where stolen data is wont to show up, according to the Gov Infosecurity website. Whoever posted the data on the forum claims that Foodora was compromised in 2019. 

A spokesperson for Delivery Hero said that the exposed information dated back several years. 

"Unfortunately, we can confirm that a data breach has been identified concerning personal data dating back to 2016," said a Delivery Hero spokesperson. 

"The data originates from some countries across our current and previous markets."

The compromised data appears to belong to Foodora users in Australia, Austria, Canada, France, Germany, Hong Kong, Italy, Liechtenstein, the Netherlands, Norway, Singapore, Spain, and the United Arab Emirates. 

Data breach expert and Have I Been Pwned website creator Troy Hunt said that over 600,000 unique email addresses were among the leaked data. According to Hunt's research, the oldest Australian files exposed in the incident date back to August 2015. 

Delivery Hero was founded in 2011 by Niklas Östberg. The business is based in Berlin, Germany, and operates in over 40 countries internationally in Asia, Europe, Latin America, and the Middle East. 

The company, which has around 22,000 employees, partners with more than 500,000 restaurants globally to deliver over 3 million food orders per day. 

Delivery Hero is not yet sure how the breach occurred but is taking steps to find out. 

A spokesperson said the company has "started a thorough internal investigation" and is "working closely with our security and data protection teams, as well as local authorities, to identify what caused the breach and inform the affected parties."

The spokesperson added that the "relevant authorities" have been informed of the data breach.

Categories: Cyber Risk News

Poor Password Practices and Growing Acceptance of Biometrics in Financial Accounts

Info Security - Mon, 06/15/2020 - 16:00
Poor Password Practices and Growing Acceptance of Biometrics in Financial Accounts

Only 40% of UK citizens use separate passwords across each of their financial accounts. This is according to the FICO Consumer Digital Banking Study, which showed a large proportion of people do not undertake recommended practices regarding logins and passwords in their financial accounts. The findings are particularly concerning in light of the substantial rise in eCommerce during the COVID-19 pandemic.

The research also found that more than a fifth of British people have just two to five passwords, which they re-use across all their financial accounts. Interestingly, the 55+ age category was the group most likely to have separate passwords between accounts (41%), in line with recommendations.

Additionally, 18% of those surveyed stated they write their passwords down, which is widely seen as a security weakness, while only 18% use recommended password management software.

Just under half (42%) claimed to be able to remember their passwords and almost a quarter (24%) revealed that they have abandoned an online purchase because of forgetting their username or password.

More positively, there was a high rate of acceptance recorded for the use of biometric security methods (71%) in online banking. For logging into a banking app, 48% said they would be happy to use a fingerprint scan, 25% a facial image and 23% a voiceprint.

“Whilst our research was conducted just before the COVID-19 lockdown, the findings send a very clear message that UK consumers understand the greater security benefits of biometrics over passwords,” said Sarah Rutherford, identity solutions expert, FICO. “Since face-to-face interactions are likely to be reduced for some time to come, it is crucial for consumers and financial institutions to have mutual respect for the benefits biometrics deliver – not just for security but in terms of removing the delay and friction from financial transactions.

“Consumers don’t generally manage their passwords well, so biometrics offers a far more simple and secure way to verify a person’s ID.”

The huge rise in remote working in recent months is another reason why it is becoming increasingly important for people to improve their password practices, and this may serve to accelerate moves towards biometric-based systems of authentication across all sectors.

Categories: Cyber Risk News

Exposed Cloud Databases Attacked 18 Times Per Day

Info Security - Mon, 06/15/2020 - 11:00
Exposed Cloud Databases Attacked 18 Times Per Day

Exposed cloud databases are probed within just hours of being set up, according to new research from Comparitech.

The firm’s security research team, headed by Bob Diachenko, has written many times of Elasticsearch servers left online but unsecured by organizations, putting them at risk of discovery by cyber-criminals.

However, to find out just how widespread black hat scanning for such exposed instances is, Comparitech decided to build a honeypot.

It left a database filled with fake data on an Elasticsearch instance, completely unsecured, for 11 days in May.

During that time it detected 175 unauthorized requests, which averages out to 18 attacks per day. The first one came just eight-and-a-half hours after deployment, days before the database was even indexed by popular IoT search engines Shodan and BinaryEdge. This illustrates how many hackers use proactive scanning tools, Comparitech said.

However, the largest number of attacks (22) on any one day came just after the instance was indexed by Shodan. In fact, two attacks came in just a minute after it was indexed.

Attacks came mainly from the US, Romania and China, and most were looking for more information about the database and its settings.

Some sought to exploit Elasticsearch vulnerabilities from 2015 to install cryptocurrency mining software, steal passwords and change the configuration of the server with a view to stealing and deleting all data.

A few days after the research concluded, the still-exposed honeypot was attacked by a malicious bot that deleted the contents of the database and replaced it with a ransom message.

Boris Cipot, senior security engineer at Synopsys, argued the research highlights just how little time organizations have to find and remediate any configuration errors in the cloud.

“We see often that insecure steps are made when deploying instances in the cloud environment. Insecure security settings lead to exploitable systems and devices,” he added.

“I recommend that companies have procedures around provisioning resources and hold to them much like a pilot’s check list in preparation for take-off. This then leads to two important things: first, the creation of security policies and procedures and secondly, a check list that does not allow room for mistakes.”

Categories: Cyber Risk News

Twitter Shutters 32,000 State-Linked Accounts

Info Security - Mon, 06/15/2020 - 10:15
Twitter Shutters 32,000 State-Linked Accounts

Twitter has added a further 32,242 accounts to the many already removed from the platform for links to state-backed influence operations.

Working with the Australian Strategic Policy Institute (ASPI) and Stanford Internet Observatory (SIO), the social network found and removed all content associated with the accounts, which are linked to three campaigns by the Chinese, Russian and Turkish governments.

The vast majority (23,750) have been linked to Beijing’s efforts to promote narratives favorable to the Chinese Communist Party (CCP) “while continuing to push deceptive narratives about the political dynamics in Hong Kong.”

Although these were caught before being able to amass large numbers of followers, around 150,000 additional accounts were detected acting as “amplifiers” of the content produced by this core of 23,000.

“Based on feedback from researchers on our prior disclosures that we need to better refine the disclosure process to enable efficient investigation of the core activity, we have not included the 150,000 amplifier accounts in the public archive,” Twitter explained.

The firm also shut down 1152 accounts linked to Current Policy, a media website promoting “state-backed political propaganda” in Russia, attacking dissidents and favoring Putin’s United Russia party.

The final campaign spotted and shut down by Twitter was detected in early 2020 and featured fake and compromised accounts promoting political narratives favorable to the ruling AK Parti of President Tayyip Erdogan.

Some 7340 accounts were closed, several of which were associated with organizations critical of the government and Erdogan.

“These compromised accounts have been repeated targets of account hacking and takeover efforts by the state actors identified above,” said Twitter. “The broader network was also used for commercial activities, such as cryptocurrency-related spam.”

Categories: Cyber Risk News

Live Event Manufacturer Reveals Employee Data Breach

Info Security - Mon, 06/15/2020 - 08:51
Live Event Manufacturer Reveals Employee Data Breach

A major manufacturing company for live events has disclosed a data breach affecting the personal and financial information of its employees.

Tait Towers Manufacturing produces rigging, lighting and other equipment for concerts, theatrical performances and the like. It claims to have worked on many of the highest-grossing concert tours of all time.

The US-headquartered multinational waited nearly two months before last week disclosing an incident which was detected on April 6, but began on February 16. The firm said an unauthorized third party had accessed a server and some employee email accounts.

It has since reset server and email logins to remediate the incident and deployed multi-factor authentication and endpoint monitoring systems to improve safeguards for the future.

Among the compromised information are employee names, addresses, email addresses, dates of birth and Social Security numbers or financial account numbers.

Although the company said it has “no reason to believe that any of the information maintained in the server and email accounts was misused,” the data would be tactically useful for cyber-criminals in developing phishing campaigns and/or follow-on fraud.

Tait has urged clients, employees and vendors to monitor their financial accounts for any unusual activity while it completes its investigation into the incident. It is also offering the usual free credit monitoring to affected employees.

“Many data breaches like the Tait breach are caused by employees and executives opening attachments or clicking links in emails from an unidentified third-party sender,” argued Chris Hauk, consumer privacy champion at Pixel Privacy.

“Educating employees about the risks of indiscriminate link clicking has never been more important than it is in today's always-connected world.”

Categories: Cyber Risk News

Business Owner Receives Death Threats After Racist Hack

Info Security - Fri, 06/12/2020 - 17:27
Business Owner Receives Death Threats After Racist Hack

The life of a Houston business owner has been threatened after cyber-criminals hacked into her company's social media account and posted racist messages.

Founder and CEO of Infinity Diagnostics Center Jessica Hatch said her company's Instagram account was compromised on Thursday afternoon by an unknown malicious hacker. After gaining access to the account, the threat actor uploaded multiple stories designed to paint Hatch and her business as racist.

"Here at Infinity we do not support African Americans. If we kept them picking cotton we wouldn't be having these issues with them," read one of the malicious posts.

Hatch said that the business has employed African Americans on a regular basis and that it, in fact, currently employs an African American massage therapist.  

Another offensive story uploaded to Infinity's Instagram account included the text “We do not employ African American individuals. The things going on right now is a clear example that they do not know how to behave."

As a result of the attack, Hatch received a stream of hateful comments and death threats from misguided Instagram users who believed the vile comments had come from the business owner.

"It's just horrible," Hatch told Click2Houson.com. "Like I feel like I'm literally being attacked."

After learning about the racist posts, a completely mortified Hatch asked Instagram to close down the account. 

Hatch said she personally has not had access to the company's Instagram account for at least six weeks. 

Commenting on who she believes is responsible for the attack, Hatch said she believed the culprit was a former employee whose responsibilities used to include publishing social media posts on behalf of the business. Hatch said that to perform their role, the ex-staffer had access to the company's social media passwords. 

Hatch made the following plea to the former employee: “Just come forth and say, ‘I’m sorry. I did not think it was going to go to this extreme. I was mad at you.’ Let people know that you did it and I did not."

Since the death threats were made, the Houston Police Department has been checking in on Hatch and the business. An investigation into the hack is ongoing.  

Categories: Cyber Risk News

Building of Asia Pacific Submarine Cable Begins

Info Security - Fri, 06/12/2020 - 16:36
Building of Asia Pacific Submarine Cable Begins

A high-performance submarine cable is being built to enhance communications in the Asia Pacific region. 

Stretching 9,400 kilometers, the Asia Direct Cable (ADC) will connect China (Hong Kong SAR and Guangdong Province), Japan, the Philippines, Singapore, Thailand, and Vietnam.

The ADC has been designed to enable vast amounts of data to be transmitted across the East and Southeast Asia regions. Multiple pairs of high-capacity optical fibers will allow the cable to carry over 140 Tbps of traffic. 

Construction of the cable is being carried out by the NEC Corporation and is expected to reach completion in the final quarter of 2022. The ambitious project is being led by the Asia Direct Cable Consortium, composed of leading communications and technology companies, including SoftBank, China Telecom, China Unicom, PLDT Inc., Viettel, CAT, Singtel, and Tata Communications.

A spokesperson for the consortium said: "ADC’s high capacity allows it to support increasingly bandwidth-intensive applications which are driven by technological advancements in 5G, the cloud, the Internet-of-Things (IoT) and Artificial Intelligence (AI). This will further enhance the expansion of communications networks in the region."

The ADC cable landing in Japan will be enabled through SoftBank's Maruyama Cable Landing Station (CLS). Maruyama CLS currently provides landing services for many submarine cables including the Trans-Pacific submarine cable system JUPITER.

JUPITER, which is expected to start operating later this year, is a fiber-optic submarine cable system that will connect Japan, the US, and the Philippines with a total extension of approximately 14,000 km. 

Chang Weiguo, one of the ADC co-chairs from China Telecom, said: “The ADC system provides the highest cable capacity and necessary diversity for Asia’s key information hubs, which will enable carriers and service providers to better plan their networks and services for a sustainable development."

SoftBank's Koji Ishii added: “This new system will contribute to drive the Asian ICT business growth as one of the core infrastructures in the region and to meet the evolving marketplace."

NEC has helped to create multiple submarine cable systems in the Asia Pacific region over the years, including the 9,500-km Japan-Guam-Australia cable system (JGA), the 10,500-km Southeast Asia–Japan 2 consortium (SJC2), and the 16,000-km Bay to Bay Express Cable System (BtoBE).

Categories: Cyber Risk News