Researchers found two vulnerabilities that could impact popular wireless access points and compromise enterprise networks if exploited, according to TechCrunch.
The pair of bugs were reportedly found in chips built by Texas Instruments. Networking device makers such as Aruba, Cisco and Meraki commonly build the Bluetooth Low Energy chips into their line-up of enterprise wireless access points. While the two bugs are distinctly different from each other in the range of models they target, researchers said that both could allow an attacker to take over an access point and break into an enterprise network or jump over the virtual walls that separate networks, according to TechCrunch.
“As the researchers point out, the vulnerability is not in the protocol but rather in the way the protocol has been implemented on the affected chipsets,” said Nick Murison, managing consultant, Synopsys Inc. “This underscores the importance for vendors to test that their implementations not only adhere to the protocol specification but also respond in a secure manner when presented with malformed traffic.”
Taking proactive steps throughout the entire development life cycle can thwart these types of bugs, minimizing their ability to survive all the way through to production, Murison said. “Using static code analysis during development can identify unsafe use of buffers, integer overflows and many other similar types of issues. Unit and integration test suites can be written to not only execute positive functional tests but also perform negative and boundary testing.
“Most companies that do any significant level of software development these days will be leveraging continuous integration pipelines to automatically build and test software from a quality perspective; such pipelines can easily be adapted to also include security-specific testing, such as static analysis and fuzzing.”
Developers also need to understand the repercussions of such implementation bugs, which should come from enterprise training that begins at the design phase, according to Murison. “As part of the design phase, companies should also be looking at threat modeling or architecture risk analysis to identify potential security weak spots, and look for opportunities to make the overall solution secure by design.”
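Murison's point about negative and boundary testing is easiest to see on a concrete parser. The following is an added example, not code from the original page, from Texas Instruments or from any of the vendors named: a small length-prefixed TLV parser in the spirit of the per-record layout used by BLE advertising data (one length byte, one type byte, then the value), with a test suite that covers the positive case, the boundary cases and malformed inputs. The 31-byte `MAX_PAYLOAD` limit, the "zero length ends the significant part" rule and all sample bytes are assumptions chosen for illustration.

```python
"""Negative and boundary tests for a length-prefixed TLV parser (added example).

The layout mimics the per-record structure of BLE advertising data: one length
byte, one type byte, then `length - 1` bytes of value. The 31-byte limit, the
"zero length ends the significant part" rule and all sample bytes are
assumptions made for this example, not any vendor's firmware.
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_PAYLOAD = 31  # assumption: BLE advertising payloads are at most 31 bytes


@dataclass
class Record:
    ad_type: int
    value: bytes


class MalformedPacket(ValueError):
    """Raised when a length field does not fit the bytes actually received."""


def parse_tlv(buf: bytes) -> List[Record]:
    """Parse records, refusing any length that would read past the buffer.

    In Python an unchecked slice just returns fewer bytes; in C the same
    omission is an out-of-bounds read, which is the class of bug the text
    is about. The explicit `end > len(buf)` check is the fix either way.
    """
    if len(buf) > MAX_PAYLOAD:
        raise MalformedPacket(f"payload of {len(buf)} bytes exceeds {MAX_PAYLOAD}")
    records: List[Record] = []
    i = 0
    while i < len(buf):
        length = buf[i]
        if length == 0:
            break  # assumption: zero length marks the end of the significant part
        end = i + 1 + length  # index of the first byte after this record
        if end > len(buf):
            raise MalformedPacket(
                f"record at offset {i} claims {length} bytes, only {len(buf) - i - 1} remain"
            )
        records.append(Record(ad_type=buf[i + 1], value=buf[i + 2:end]))
        i = end
    return records


def raises_malformed(buf: bytes) -> bool:
    """True when the parser rejects `buf` instead of silently misreading it."""
    try:
        parse_tlv(buf)
    except MalformedPacket:
        return True
    return False


def run_suite() -> Dict[str, bool]:
    """Positive, boundary and negative cases; each entry is True when the parser behaves as intended."""
    results: Dict[str, bool] = {}

    # Positive: Flags (0x01) = 0x06, then Complete Local Name (0x09) = "TI"
    recs = parse_tlv(bytes([0x02, 0x01, 0x06, 0x03, 0x09, 0x54, 0x49]))
    results["positive_two_records"] = [(r.ad_type, r.value) for r in recs] == [(0x01, b"\x06"), (0x09, b"TI")]

    # Boundary: a 31-byte payload whose last record ends exactly at the end of the buffer
    exact = bytes([0x02, 0x01, 0x06, 27, 0x09]) + b"N" * 26
    results["boundary_exact_fit"] = len(exact) == MAX_PAYLOAD and len(parse_tlv(exact)) == 2

    # Boundary: a zero-length record stops parsing cleanly, no error, no phantom record
    results["boundary_zero_length_stops"] = len(parse_tlv(bytes([0x02, 0x01, 0x06, 0x00, 0x00]))) == 1

    # Negative: each malformed input must be rejected, never read past the buffer
    malformed = {
        "length_overruns_buffer": bytes([0x02, 0x01, 0x06, 0x09, 0x09, 0x54, 0x49]),  # claims 9, 2 remain
        "length_0xff": bytes([0xFF, 0x09]),                                           # maximum length byte
        "truncated_after_length": bytes([0x03]),                                       # length byte, nothing else
        "oversized_payload": bytes([0x02, 0x01, 0x06]) + bytes(40),                    # over the 31-byte limit
    }
    for name, buf in malformed.items():
        results[f"negative_{name}"] = raises_malformed(buf)
    return results


if __name__ == "__main__":
    for name, ok in run_suite().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The negative cases are the ones a fuzzer would eventually find on its own; writing them by hand in the unit suite means the CI pipeline Murison mentions catches a regression in the length check on every build rather than after a fuzzing run.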
A new Consumer Data Protection Act was proposed on October 31 by Senator Ron Wyden from Oregon. The senator has long been an advocate of cybersecurity and privacy issues, and his new bill proposes strict penalties – including fines and prison time – for companies that violate consumer privacy, according to a press release.
The draft proposes amending the Federal Trade Commission Act to hold entities that use, store and share personal information more responsible for the data they collect and would apply to companies with more than $50 million in revenue and personal information on more than 1 million people. The act excludes data brokers or commercial entities that, “as a substantial part of their business, collects, assembles or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.”
Presumably, small to medium-sized businesses (SMBs) would fall outside the scope of this legislation, and Colin Bastable, CEO of Lucy Security, said that would bode well for SMBs. “These are the businesses that struggle to afford advanced security technology. They lack the people and the skills to defend their customers’ confidential data from hackers. Therefore, in addition to legislation, we must encourage all organizations, employees and consumers to prepare for the inevitability of successful attacks – teach, train and test, continuously.”
This newest proposed legislation adds to the growing collection of data privacy acts already pending on Capitol Hill, including another Consumer Data Protection Act (this one introduced in 2017 by Sen. Robert Menendez), the Data Breach Prevention and Compensation Act (DBPCA), CLOUD Act and the ENCRYPT Act.
“Recent events like the Equifax data breach, Cambridge Analytica, Facebook and more have fueled the fire and will enable these to gather substantial support on both sides of the aisle as cybersecurity and data privacy issues remain front and center to everyone’s constituent needs,” said Pravin Kothari, CEO of CipherCloud.
“The congestion on Capitol Hill will tell you that these bills will likely be rolled up as one, most likely before they leave the Senate. Legislation is likely to be omnibus and then will replace the myriad of conflicting state efforts to provide similar legislation.”
Certainly data privacy has gained broad-level awareness, and Brian Vecci, technical evangelist at Varonis, said that even if Sen. Wyden's proposed privacy bill doesn’t become law right away, it’s clear that the tide is shifting in favor of privacy.
“Companies may really be forced to think of their data like their dollars and could face penalties if information is mishandled and exposed as part of a breach. Privacy is becoming top of mind for consumers and voters, and companies that have taken steps to meet the obligations of other privacy frameworks like the GDPR are clearly going to be ahead of everyone else.”
The Information Commissioner's Office (ICO) has been in action again, this time fining two nuisance call companies who tried to sell home security services specifically to individuals who’d opted out.
The UK’s privacy watchdog issued the fines under the Privacy and Electronic Communications Regulations (PECR), which governs nuisance marketing. The maximum penalty possible is £500,000.
Individuals who sign up to the Telephone Preference Service (TPS) do so to avoid unsolicited marketing calls.
However, ACT Response of Middlesbrough was behind 496,455 marketing calls to TPS subscribers and was fined £140,000, while Secure Home Systems (SHS) of Bilston, West Midlands, was fined £80,000 for making calls to 84,347 TPS-registered numbers.
The ICO claimed the latter used call lists bought from third parties without screening them first. Interestingly, the two companies called individuals “live” rather than using automated systems. The script used by ACT Response even asked people whether they were registered with the TPS, according to the ICO.
The two garnered hundreds of complaints to the watchdog, with SHS calls dating as far back as two years.
“These fines should set alarm bells ringing and deter marketing companies across all sectors that are contacting people without their consent. It is a company’s responsibility to make sure that it has valid consent to make these calls,” said ICO group enforcement manager, Andy Curry.
“The TPS is there for a reason – to protect people’s privacy and ensure that marketing companies obey the law. Marketing companies failing to take the basic step of checking TPS can expect robust enforcement.”
However, the directors behind these firms often try to escape punishment by declaring bankruptcy, only to set up new businesses. That’s why a leading consumer rights group campaigned in August for government action.
According to Which? the government agreed two years ago that from spring 2017, directors of firms responsible for nuisance calls could each be fined up to £500,000 by the ICO if they breached the PECR. Yet so far it has failed to introduce such measures.
Radisson Hotel Group has become the latest big brand in the sector to suffer a data breach, after admitting that a "small percentage" of loyalty club members had their personal information accessed by an unauthorized person.
The notification statement is worded in such a way as to hint that the attacker may have gained access first to staff accounts, which in turn exposed the customer data.
“Upon identifying this issue Radisson Rewards immediately revoked access to the unauthorized person(s). All impacted member accounts have been secured and flagged to monitor for any potential unauthorized behavior,” it noted.
Although the breach didn’t affect credit card or password information, it did expose Radisson Rewards member names, addresses, email address, and in some cases, company names, phone numbers, Radisson Rewards member numbers and frequent flyer numbers.
That could be useful for “specific, low incidence, criminal use cases” according to Ross Rustici, senior director of intelligence services at Cybereason.
“Unlike a large-scale credit card breach, the most likely way this information is to be monetized is through enhancing a pattern of like analysis on particular individuals, either high net worth or people with specific access to something,” he continued. “This type of information is far more useful for an intelligence targeting package than for large-scale monetization.”
Given that the chain operates under numerous brands with 1400 hotels all over the world, the GDPR is likely to come into play here.
That could spell trouble, given the firm said it identified the incident on October 1, almost a month before notifying.
“Like the British Airways hack earlier this year, each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations,” said Rustici.
The perils of SIM swap fraud have been highlighted again after an undercover film crew revealed O2 and Vodafone employees apparently handing over replacement cards without carrying out proper identity checks.
Secret filming showed two Vodafone staff failing to follow strict security policies to check the identity of the person requesting the replacement SIM card in-store, according to The BBC’s Watchdog Live.
Meanwhile, O2 staff failed to check photo ID, which is policy for all monthly contract SIMs. The firm told the program that it also sends an authorization code to any Pay As You Go customers alerting them if someone is trying to use their number, but this was not received during the filming.
SIM swap fraud is sometimes used by scammers to spend large sums on premium rate numbers they run, but increasingly it can also be used to intercept two-factor authentication codes sent by banks so that customers can ‘securely’ access their accounts.
It’s made more prevalent not only if telco store employees fail to carry out the proper checks, but also thanks to the large volume of identity data on the dark web which fraudsters can use to impersonate legitimate customers.
“From a financial institution standpoint, many have already started to make the switch to mobile PUSH notifications, which are inherently more secure than SMS. Mobile PUSH notifications have the added benefit of being able to be protected with application shielding technology and give banks a stronger interface for doing business with their customers,” explained Will LaSala, director of security solutions at OneSpan.
“Consumers should check to see if their bank already offers a mobile app and then enable PUSH two-factor authentication as soon as possible while disabling SMS two-factor authentication. SMS is a good method for notifying users of account notifications, such as account modifications and transactions, but it should not be used to allow privileged access.”
SIM swap fraud could also come as a result of malicious insiders working with criminal gangs.
In August, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud, allowing criminals to transfer millions from his bank account.
Emails continue to be cyber-criminals' vector of choice for distributing malware and phishing, according to a report released today by Proofpoint.
The Quarterly Threat Report Q3 2018 found that the frequency of email fraud attacks and the number of individuals targeted per organization are continuing to rise. Credential-stealing banking Trojans comprised 94% of malicious payloads, and the number of malicious URLs grew, making it a more common attack vector than malicious attachments.
Emails attempting to steal corporate credentials increased over 300% between the second and third quarters of 2018.
In addition, the research indicated that social media platforms have done an excellent job of combating phishing links, resulting in a 90% decrease in attacks year-over-year. However, phishing attempts that leverage social-media-support fraud, which relies on fake customer service accounts to fool people into handing over their personal data, reached its highest level ever in September.
The report also noted that this type of angler phishing increased 486% year-over-year.
While banking Trojans made up 46% of all malicious payloads, a whopping 90% of those were Emotet and Panda Banker (also known as Zeus Panda). Emotet was consistently used in large, almost daily campaigns by an actor researchers have identified as TA542.
Though ransomware has somewhat dissipated, dropping 10 percentage points from Q2 and comprising only 1% of the overall malicious messages, the report warned that it should not be forgotten just yet.
“We observed a return of ransomware, albeit at much lower levels than we saw in 2017. However, this spike appeared to be a ‘testing of the waters’ since ransomware message volumes dropped. This suggests that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale,” the report said.
In place of ransomware, attackers have shifted to downloaders and stealers, which accounted for 48% of all malicious payloads in Q3. Researchers identified three new downloaders, suggesting a trend towards the distribution of small-footprint malware that is a bit more stealthy and able to do more reconnaissance.
While there was a reduction in the number of spoofed sender identities - a significant 68% drop - an average of 27 people were targeted per attack, representing a 96% increase in target victims year over year. The report indicated that attacks continue to have success exploiting the human factor.
According to a new report published by Vectra, there is a key distinction between attacks that probe IT networks for information about critical infrastructure and those attacks that actually target industrial control systems (ICSs). The 2018 Spotlight Report on Energy and Utilities found that most cyber-attacks against energy and utilities firms occur and succeed inside enterprise IT networks, not in the critical infrastructure.
Given these findings, detecting hidden threat behaviors inside enterprise IT networks before attackers have a chance to spy, spread and steal becomes all the more critical, according to the report. Attackers are taking their time and carefully orchestrating attack campaigns so that they occur over the course of several months.
Analyzing specific attacker behaviors in recent campaigns used to steal vital ICS information, the report found that “in multiple instances, threat actors accessed workstations and servers on a corporate network that contained data output from the ICS inside energy generation facilities. This involved suspicious admin and suspicious Kerberos account behaviors.”
Often lasting several months, these slow, quiet reconnaissance missions involve observing operator behaviors and building a unique plan of attack. Remote attackers typically gain a foothold in energy and utilities networks by staging malware and spear-phishing to steal administrative credentials, the study found. Once inside, they use administrative connections and protocols to perform reconnaissance and spread laterally in search of confidential data about industrial control systems.
“The covert abuse of administrative credentials provides attackers with unconstrained access to critical infrastructure systems and data,” said David Monahan, managing research director of security and risk management at Enterprise Management Associates. “This is one of the most crucial risk areas in the cyber-attack life cycle.”
The report, based on observations and data from the 2018 Black Hat Conference Edition of the Attacker Behavior Industry Report, also found that during the command-and-control phase of attack, 194 malicious external remote access behaviors were detected per 10,000 host devices and workloads. Also in every 10,000 host devices and workloads, 314 lateral movement attack behaviors were detected. And during the final stage of the attack life cycle, the exfiltration phase, 293 data smuggler behaviors were detected per 10,000 host devices and workloads.
Using consumer data stolen in data breaches and made available on the dark web, cyber-criminals have launched a sextortion phishing campaign, according to research from Barracuda Networks.
In this month's Threat Spotlight, researchers detail the sextortion scam in which attackers prey on victims by using stolen passwords, threatening that they have a compromising video that will be shared with the victim’s contacts unless the user pays in Bitcoin.
The campaign started in July, and Barracuda Labs said it remains ongoing. Researchers found roughly 24,000 emails reported by customers around the globe since September. The emails reportedly use the stolen password as the subject line, though some might precede it with “your password is.”
Preying on human fear, the attackers know the impact that such a subject will have at the mere suggestion that their account has been hacked. According to the research findings, the email goes on to claim that the user's computer was infected with a remote access Trojan (RAT) from a pornography website. The claim is that all of the explicit videos the user has been watching have been recorded.
“The email also claims that the user’s contacts from email and social networking have been gathered and that unless a sum of money is paid (in Bitcoin, of course), the video of the user watching porn will be sent to those contacts. We also saw examples of the attackers emailing the same address multiple times to up the scare tactics, an approach they are likely taking with most if not all of their intended victims,” wrote Jonathan Tanner in the Threat Spotlight.
While the attacker does have a legitimate password, which researchers said was likely from a list made public in 2016 of more than 500 million leaked passwords, there is no video, nor has any infection been found on victim computers.
“Whether or not the user has visited any pornographic websites is something only they know, but given that these emails are largely targeting business emails it's unlikely they're doing so on their work computer. For obvious reasons, we didn't send out a survey asking as much, but it seems safe to assume, and thus the other claims in the email must also be false,” Tanner wrote.
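The scam described above lends itself to a simple gateway-side triage rule. The following is an added example and not Barracuda's code or detection logic: a weighted heuristic over subject and body that flags the pattern the Threat Spotlight describes (a bare password or "your password is …" as the subject, a RAT or webcam claim, a Bitcoin demand, a threat to mail the victim's contacts, a deadline). The indicator weights, the `FLAG_THRESHOLD`, the `subject_looks_like_password` rule and the four sample messages are constructed assumptions; the Bitcoin address is a syntactically plausible placeholder, not a real one.

```python
"""Heuristic triage for password-in-subject sextortion mail (added example).

Indicator weights, the flag threshold and the sample messages are
constructed for this example; the Bitcoin address is a syntactically
plausible placeholder, not a real address.
"""
import re
from typing import Dict, List, Tuple

# (name, weight, pattern, which field it is checked against)
INDICATORS = [
    ("subject_password_prefix", 3, re.compile(r"^\s*your\s+password\s+is\b", re.I), "subject"),
    ("body_mentions_bitcoin", 2, re.compile(r"\b(bitcoin|btc)\b", re.I), "body"),
    # legacy base58 (1.../3...) or bech32 (bc1...) shapes; syntax only, no checksum validation
    ("body_btc_address", 2, re.compile(r"\b([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,90})\b"), "body"),
    ("body_claims_rat_or_recording", 2,
     re.compile(r"\b(rat|remote\s+access|trojan|webcam|recorded|recording)\b", re.I), "body"),
    ("body_threatens_contacts", 1, re.compile(r"\b(contacts|friends|family|colleagues)\b", re.I), "body"),
    ("body_sets_deadline", 1, re.compile(r"\b\d+\s*(hours?|days?)\b", re.I), "body"),
]
FLAG_THRESHOLD = 5  # assumption: tuned so that one weak indicator alone never flags


def subject_looks_like_password(subject: str) -> bool:
    """A bare credential as the subject: one token, 6-40 chars, letters mixed with digits or symbols."""
    s = subject.strip()
    if not s or any(ch.isspace() for ch in s) or not 6 <= len(s) <= 40:
        return False
    has_alpha = any(c.isalpha() for c in s)
    has_other = any(c.isdigit() or not c.isalnum() for c in s)
    return has_alpha and has_other


def score_message(subject: str, body: str) -> Tuple[int, List[str]]:
    """Return the weighted score and the indicators that fired, for the analyst's benefit."""
    score, reasons = 0, []
    if subject_looks_like_password(subject):
        score += 2
        reasons.append("subject_is_opaque_token")
    for name, weight, pattern, field in INDICATORS:
        if pattern.search(subject if field == "subject" else body):
            score += weight
            reasons.append(name)
    return score, reasons


def triage(messages: List[Dict[str, str]]) -> List[Tuple[str, int, List[str]]]:
    """Return (id, score, reasons) for every message at or above the threshold."""
    flagged = []
    for m in messages:
        score, reasons = score_message(m["subject"], m["body"])
        if score >= FLAG_THRESHOLD:
            flagged.append((m["id"], score, reasons))
    return flagged


# Constructed sample mailbox: two sextortion attempts, two ordinary messages.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "subject": "Tr0ub4dor&3",
     "body": "I know your password is Tr0ub4dor&3. Your computer was infected with a RAT "
             "when you visited an adult website and I recorded you through your webcam. "
             "I have all your contacts. Send 0.5 bitcoin to 1SampeBTCAddrConstructedXXXXXXXXXX "
             "within 48 hours or the video goes to everyone."},
    {"id": "msg-2", "subject": "your password is hunter2",
     "body": "Your device has a trojan and I recorded a video. Pay 900 USD in BTC within 2 days "
             "or all your friends will see it."},
    {"id": "msg-3", "subject": "Your password was changed",
     "body": "We updated the password on your account as requested. If you did not make this "
             "change, contact support within 24 hours."},
    {"id": "msg-4", "subject": "Invoice 4471",
     "body": "Payment of 120 USD is due in 30 days. Thanks for your business."},
]

if __name__ == "__main__":
    for msg_id, score, reasons in triage(SAMPLE_MESSAGES):
        print(msg_id, score, ", ".join(reasons))
```

The rule returns the list of indicators that fired alongside the score, so an analyst reviewing a flagged message sees why it was flagged rather than a bare number; the two ordinary messages each trip only the low-weight deadline indicator and stay well under the threshold.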
Researchers have warned that the SamSam ransomware strain continues to be a major threat to organizations, with 67 targets on the receiving end of attacks this year, according to Symantec.
The security giant claimed that most targets in 2018 have been located in the US, with healthcare accounting for the largest number of attacks, around 24%.
“Why healthcare was a particular focus remains unknown,” it explained. “The attackers may believe that healthcare organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom.”
At least one US government organization involved in administering elections was also hit, which is concerning news ahead of the mid-terms next week.
A small number of remaining attacks targeted organizations in Portugal, France, Australia, Ireland and Israel.
A Symantec spokesperson confirmed to Infosecurity that it was not possible to determine how many of the listed attacks were successful, as in some cases “we saw less than a handful of computers infected with SamSam tools, which could suggest failed attacks.”
However, SamSam is known to be particularly dangerous as it is typically manually operated, rather than being used in fire-and-forget automated campaigns.
This means those behind it go to greater lengths to hide its activity, encrypting as many machines as possible on a network before demanding the ransom.
Its highly targeted nature means attackers often first obtain account credentials on the dark web to access an organization’s remote desktop protocols, and then use tools to elevate privileges and gain domain access rights.
They’ve also been observed using legitimate Windows tools like PsExec and PSInfo to “live off the land” and hide from AV tools, as well as publicly available hacking tools like mimikatz to steal passwords to spread to other servers.
“These tactics are frequently used by espionage groups in order to maintain a low profile on the target’s network. By making their activity appear like legitimate processes, they hope to hide in plain sight,” explained Symantec.
“For example, in one attack that took place in February 2018, more than 48 hours passed between the first evidence of intrusion and the eventual encryption of hundreds of computers in the targeted organization.”
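The living-off-the-land tradecraft Symantec describes leaves traces in ordinary Windows telemetry, which is where a defender would look for it. The following is an added example, not Symantec's code or any product's detection logic: three rules run over constructed event records, one for a PsExec service install (System event 7045 naming the PSEXESVC service PsExec drops on the remote host), one for a non-allowlisted process opening lsass.exe with read access (Sysmon event 10, the pattern a credential dumper such as mimikatz produces), and one that correlates PSEXESVC installs by the same account across several hosts in a short window, the fan-out a manually operated campaign produces before encryption. The flat record shape, the `LSASS_READ_ALLOWLIST`, the thresholds and the sample events are assumptions.

```python
"""Living-off-the-land detections over Windows telemetry (added example).

The event IDs are the real ones (System 7045 = a service was installed,
Sysmon 10 = ProcessAccess); the flat record shape, the allowlist, the
thresholds and the sample events are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # the access right a credential dumper needs on lsass.exe
# Assumption: processes expected to read lsass memory (AV/EDR); extend for your estate
LSASS_READ_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def is_psexec_service_install(e: dict) -> bool:
    """System 7045 naming PSEXESVC, the service PsExec installs on the remote host."""
    if e["source"] != "system" or e["event_id"] != 7045:
        return False
    return "psexesvc" in e["service_name"].lower() or "psexesvc" in e["image_path"].lower()


def is_unexpected_lsass_read(e: dict) -> bool:
    """Sysmon 10: a non-allowlisted process opened lsass.exe with VM_READ."""
    if e["source"] != "sysmon" or e["event_id"] != 10:
        return False
    if not e["target_image"].lower().endswith("\\lsass.exe"):
        return False
    if not e["granted_access"] & PROCESS_VM_READ:
        return False
    return e["source_image"].lower() not in LSASS_READ_ALLOWLIST


def psexec_fan_out(events: List[dict], window: timedelta = timedelta(minutes=30),
                   min_hosts: int = 3) -> Dict[str, List[str]]:
    """One account installing PSEXESVC on >= min_hosts distinct hosts inside `window`.

    A single PsExec run is routine admin work; the same account fanning out
    across the estate in minutes is the pre-encryption spread the text describes.
    """
    by_account: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        if is_psexec_service_install(e):
            by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits: Dict[str, List[str]] = {}
    for account, installs in by_account.items():
        installs.sort()
        for i, (t0, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits


def run_detections(events: List[dict]) -> List[dict]:
    """Apply the per-event rules, then the cross-host correlation."""
    alerts = []
    for e in events:
        if is_psexec_service_install(e):
            alerts.append({"rule": "psexec_service_installed", "host": e["host"], "ts": e["ts"]})
        if is_unexpected_lsass_read(e):
            alerts.append({"rule": "lsass_read_by_unexpected_process", "host": e["host"],
                           "ts": e["ts"], "source_image": e["source_image"]})
    for account, hosts in psexec_fan_out(events).items():
        alerts.append({"rule": "psexec_fan_out", "account": account, "hosts": hosts})
    return alerts


# Constructed sample: one account pushing PSEXESVC to three servers in a few minutes,
# an unknown binary reading lsass on the first of them, then benign activity elsewhere.
SAMPLE_EVENTS = [
    {"ts": "2018-10-30T02:10:05", "host": "FS01", "source": "system", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe", "account": "CORP\\svc-backup"},
    {"ts": "2018-10-30T02:10:41", "host": "FS01", "source": "sysmon", "event_id": 10,
     "source_image": r"C:\Windows\Temp\m.exe", "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": 0x1010},
    {"ts": "2018-10-30T02:12:09", "host": "DB02", "source": "system", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe", "account": "CORP\\svc-backup"},
    {"ts": "2018-10-30T02:13:30", "host": "APP03", "source": "system", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe", "account": "CORP\\svc-backup"},
    {"ts": "2018-10-30T09:00:00", "host": "WS17", "source": "system", "event_id": 7045,
     "service_name": "AcmeBackupAgent", "image_path": r"C:\Program Files\Acme\agent.exe",
     "account": "NT AUTHORITY\\SYSTEM"},
    {"ts": "2018-10-30T09:00:12", "host": "WS17", "source": "sysmon", "event_id": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1410},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The correlation rule is the one that matters for the 48-hour window Symantec mentions: individual PSEXESVC installs are noisy in most estates, but the same account touching three or more hosts in half an hour is worth paging on, and it fires well before encryption starts.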
SamSam was responsible for a major attack on the City of Atlanta earlier this year, which is slated to cost $10m to clean up, plus a Colorado Department of Transport outage which also ran into the millions.
Eurostar has forced a password reset for customers after revealing that an undisclosed number of them may have had their accounts accessed by a malicious third party.
It’s unclear whether all Eurostar customers were required to change their passwords or just those affected.
The note sent to customers warned that the train operator had detected an “unauthorized automated attempt” to log in to some accounts between October 15 and 19.
“Please be reassured that your credit card or payment details haven’t been compromised as we never store such information on eurostar.com accounts,” it continued.
“We’d recommend that you reset your Eurostar password and check for anything unusual on your account. We’d also recommend updating your login details on other websites where you use the same password.”
Ilia Kolochenko, CEO of High-Tech Bridge, warned users to monitor incoming emails, instant messages and phone calls for suspected phishing attempts potentially using the account information accessed by the hackers.
“If personal data was stolen, it can be leveraged in eye-catching spear-phishing attacks, password reuse and identity theft scam,” he explained.
James Romer, chief security architect at SecureAuth, claimed the incident highlights how a reliance on username/password combinations can leave organizations and their customers exposed.
“The transport industry seems to be increasingly under attack from cyber-criminals, who are looking to access the vast amount of highly valuable customer data — including passport details and payment information — held within these organizations,” he added.
“Bad actors can easily purchase stolen credentials on the dark web, which can then be used to attempt to gain access to a secure network. By utilizing advanced techniques such as automation, more accounts can be easily targeted, increasing their chances of success.”
There have been more cyber-attacks against football’s organizing bodies globally and in Europe, with resulting leaks from FIFA expected to be published by the media on Friday, according to reports.
The World Cup organizer confirmed to reporters this week that it had suffered a breach in March, with the European Investigative Collaborations collective of media companies expected to go public with new revelations tomorrow, according to AP.
FIFA released a short statement claiming that it “condemns any attempts to compromise the confidentiality, integrity and availability of data in any organization using unlawful practices.”
The attack is not thought to have been orchestrated by Russian actors, unlike the 2016 raid on FIFA for which the US Department of Justice recently indicted seven intelligence officers.
Instead, it’s being linked to the Football Leaks hacktivist group, which has over the past two years sought to expose corruption and illegality in the beautiful game. Its work has in the past led to revelations of tax evasion by leading players in Spain, and details of an NDA signed between Ronaldo’s lawyers and a Las Vegas woman who accused him of sexually assaulting her in 2009.
Although there are no details as yet on how FIFA was breached, European football governing body UEFA officials have been targeted in a phishing campaign, according to reports.
It’s not known if the two incidents are related and the organization hasn’t yet found any evidence of unauthorized intrusion.
Security experts used the news to reiterate the importance of anti-phishing protection, although it’s still not clear how FIFA’s hackers penetrated the organization.
“The best way organizations and individuals can help avoid future attacks is through education programs, understanding the risks and consequences of clicking unknown links and attachments is a critical defense against phishing type attacks,” explained Tripwire EMEA technical director, Paul Edon.
“Regardless of whether you believe the email to be legitimate or not, never click on inbuilt links. Always open your own web browser and log in to your account on the official website. If there is a legitimate requirement for you to update or re-enter information, it should be referenced within your specific account instance.”
Ross Rustici, senior director of intelligence services at Cybereason, put the incident into perspective.
“With the outcome of the bidding for the 2018, 2022, and 2026 World Cups being as contentious as they were, I’m sure football fans across the world will have some interesting gossip to read if the leaks become public,” he argued. “However, at the end of the day, that is likely all this hack is.”
In his keynote speech at the Securing the Enterprise 2018 conference in Cambridge, MA, BT Security president Mark Hughes said that when it comes to the threats enterprises and government are facing, the global network is telling us that old strategies don’t work.
In the face of ongoing cyber-attacks, mounting privacy concerns and daily data breach announcements, the current cybersecurity technologies fall short, according to Howard Shrobe, associate director, cybersecurity at MIT Computer Science & Artificial Intelligence Lab (CSAIL), and principal research scientist, MIT CSAIL. In order to effectively move forward in the direction of "where we need to go," the industry needs to develop a more formalized approach that combines design and analysis methods.
“Our approach is based on three key elements,” Shrobe said. “Collaborating closely with industry for input to shape real-world applications and drive impact. Leveraging the breadth and depth of CSAIL security researchers to approach the problem from a multi-disciplinary perspective. And creating a test-bed for our industry partners to implement and test our tools, as well as have our researchers test tools developed by our partners.”
To enable security transformation, enterprises should first assess their structure, said Hughes. “Put the team responsible for delivering change at the forefront of your strategy.” Given that there are lots of threats, those threats turn into risks, which have a very tangible bottom-line impact.
“Those risks are changing rapidly, so much so that in a matter of weeks, the risk profile changes. Using known, well-understood risks and putting those into a cyber context is extremely useful,” Hughes said.
Given that the risks are changing all the time, one key to building an effective security strategy is adaptability. “Prepare to constantly evolve,” Hughes said, but it’s also important to realize that there is no endpoint or perfect solution. When organizations realize that protecting everything all the time is ineffective, many turn to red teaming, which Hughes said yields interesting outcomes that allow organizations to assess and then prepare to evolve.
The next step in enabling security transformation requires internal engagement so that you are building knowledge and advocacy of security at all levels of your organization, said Hughes. From there, the company is well positioned to understand its risk and take the necessary steps to fully assess its security landscape and prioritize and protect the areas that would be most impactful in the event of a security incident.
In a panel focused on securing the enterprise at a conference by the same name hosted by MIT CSAIL and BT Security, moderator Michael Siegel, principal research scientist, management science at MIT Sloan School of Management, talked with panel members about whether their organizations are secure.
“Rather than going out and doing some big review, we started with red teams,” said CIO and CSO of the Commonwealth of Massachusetts, Dennis McDermitt. “That was a revelatory experience. We continue to do them over and over again. We have done eight of them now, and that has really informed our answer to the question of whether we are secure or not.”
As a practitioner and vendor in the space, Debby Briggs, CSO, NETSCOUT, said, “I’m relatively secure, but it gets back to how do you quantify that. Sometimes it’s a challenge from a security perspective when you look at people, process and technology to determine how to have one message that meets everyone’s needs.”
In response to Briggs, Siegel posed to the panel the question of how to approach quantifying whether the organization is secure with the board. “I often find myself in the boardroom,” said Kathy Orner, VP, chief risk officer at Carlson Wagonlit Travel. “The number-one thing with a board of directors is to educate them. Security is new to them, and the acronyms we use are foreign to them, even something like an IP address.
“We bring in experts from the outside and inside and give them briefings. I would encourage boards to listen, to speak to the experts in their group, and to really try to understand the basics,” said Orner.
So what is the information that goes to the boards? McDermitt said the conversation needs to change. “Security is not a problem of risk transfer. Cybersecurity is akin to competition in a business. Cybersecurity is attack and defense, attack and defense, and it’s something they need to pursue actively.”
Yet some boards are having more risk-based conversations around cybersecurity. “The boards I have worked with are capable of seeing that it is a spectrum, so you can talk about how much risk are you willing to take. It’s an uncomfortable decision, but once you’ve had that conversation, it gets easier,” said Andrew Stanley, CISO, Mars.
At today’s Securing the Enterprise Cybersecurity Conference hosted by MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) and BT Security in Cambridge, MA, industry experts joined together to discuss the challenges of the changing threat landscape.
Moderator Andy Ellis, CSO, Akamai Technologies, noted that the things attackers do today are not fundamentally different from what they were doing two decades ago. Given that, Ellis asked panel members what advice they would give themselves now after their years of experience in the industry.
“I was in data analytics and usability engineering when I started out in IT,” said Michael Figueroa, executive director at the Advanced Cyber Security Center. “One of the things that was most challenging in the past that many are still struggling with is that attacks haven’t changed much, but we often think that if we don’t solve ‘that’ problem today, the sky is going to fall. History has shown us that the sky isn’t falling.
“The advice I would give myself is to keep a strategic mindset of the problem of today within a broader perspective and don’t panic.”
The panel agreed that while attackers are smart and adaptive, the attacks themselves have not really changed. “We can put up huge barriers, but attackers don’t have to overcome that barrier. They can go around,” said Dr. Hamed Okhravi, senior staff, cyber analytics and decision systems, MIT Lincoln Laboratory.
“We are just shifting one threat to another, but we need to understand how much gain we will have and how much we are shifting the landscape and the adversary, then look at whether it is the right type of shift.”
That not every single threat is a phenomenon seemed to be the pervading theme in response to the question. In large part, defenders can benefit from seeing their work as a game, Okhravi said.
FBI special agent Scott McGaunn said that he sees cybersecurity as a game as well, “a very important game. The crime is all the same. We still have bank robberies, we still have wire fraud. We have ransomware instead of ransom.
“Human nature is the same, and the need to commit criminal acts is the same, but the distance to be able to reach out and touch someone has changed. Instead of nation-states and spies, they get online and leverage the internet,” McGaunn said.
In recalling a conversation with her colleague about the ways in which her own approaches have evolved, Jen Andre, senior director, orchestration and automation at Rapid7, said, “I remember my colleague saying, ‘Once Windows fixes all the bugs, we will all be out of work.’” The absurdity of the statement evoked laughter from the audience, but to Andre’s point, that was the thinking years ago. The advice she offered after having gained experience is not to focus on fixing things one at a time.
The US authorities have continued to step up the pressure on China with the indictment of two intelligence officers, two insiders and six hackers, most of whom were allegedly involved in a conspiracy to steal aviation secrets.
Two intelligence officers, Zha Rong and Chai Meng, and a team of five hackers are said to have worked for the Jiangsu Province Ministry of State Security (JSSD), headquartered in Nanjing.
They allegedly took part in a five-year conspiracy beginning in January 2010 to obtain key technology used in commercial airliners in the US and Europe: namely a turbofan jet engine. A Chinese state-owned aerospace company was said to be working on a similar engine at the time for its own use.
JSSD hackers Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei and Ma Zhiqi are alleged to have conducted intrusions into suppliers that manufactured parts for the turbofan engine, including aerospace companies based in Arizona, Massachusetts and Oregon.
Their work included classic techniques such as spear-phishing, info-stealing malware and watering hole attacks. For example, LA-based gas turbine manufacturer Capstone Turbine suffered data loss and had its website seeded with malware to infect others.
However, the conspiracy went even further, with the JSSD convincing Tian Xi and Gu Gen, two insiders at the targeted French aerospace company who worked at its office in Suzhou, Jiangsu province.
Gen was the company’s head of IT and security in Suzhou, showing the alleged extent of the conspiracy. He is said to have tipped off the officers when foreign police notified the company of the existence of malware on its systems, malware that Tian had apparently installed at the direction of the JSSD.
A separate conspiracy involved Zhang Zhang-Gui and Chinese national Li Xiao, who are alleged to have used the JSSD malware developed to hack Capstone Turbine to repeatedly attack a San Diego-based tech company for more than a year-and-a-half, causing thousands of dollars in damage.
Unlike the alleged MSS officer recently extradited to the US to face charges related to another conspiracy to steal aviation secrets, none of those indicted in this case are thought to be on US soil, making this more of a PR exercise.
However, given the alleged insider activity at the aerospace firm’s China office, it will be yet another compelling reason for foreign firms to start extricating key facilities from the country.
A report from CrowdStrike earlier this month identified China as the most prolific nation state threat actor during the first half of 2018.
UK lawyers are preparing a class action suit against Cathay Pacific, claiming that the firm is liable for compensation “under the relevant data protection laws.”
SPG Law, which claims to draw on some of America’s top class action lawyers, has already registered the cathaydatabreach.com domain and is inviting those affected to get in touch.
Explaining that its sister law firm in the US has already won over $1bn in compensation in similar cases, the firm claimed that passengers hit by the Cathay Pacific breach earlier this year could be in line for “significant compensation in the thousands, or possibly tens of thousands, depending on circumstances.”
“The breach is even more serious than that committed by BA in September 2018 in that Cathay Pacific customers like you have suffered from far more substantial personal data being leaked,” a statement on the site noted.
“You have a right to compensation from Cathay Pacific for this data leak in accordance with data protection laws. You can be compensated for inconvenience, distress and annoyance associated with the data leak. It is time to stand up to them and take action.”
However, there’s no mention of the GDPR on the site, despite previous reports claiming the firm had cited Article 82 of the new data protection law as key.
The Hong Kong carrier has been widely criticized for its handling of the breach, which it said affected 9.4 million customers. However, the incident's timing appears to fall before the introduction of the GDPR on May 25.
The firm is said to have first noticed suspicious activity in March but confirmed data had been accessed in early May.
Either way, the new action is another reminder of the potential legal costs for firms that suffer a major breach.
Researchers are warning that the development of cutting-edge brain implants designed to enhance key memory functions is at risk due to multiple vulnerabilities which could allow attackers to interfere.
In a piece of forward-looking threat research, Kaspersky Lab and the University of Oxford Functional Neurosurgery Group explained that development of implantable pulse generators (IPGs) or neuro-stimulators is accelerating fast. Such devices apparently target parts of the brain with electrical impulses to help treat things like Parkinson's disease, depression and obsessive–compulsive disorder.
However, both the software and the hardware linked to these devices are at risk, the vendor warned.
Specifically, it found one major vulnerability and several misconfigurations in an online management platform used by surgeons, which could provide hackers with access to data on treatment procedures.
Data transferred between implant, programming software and networks was found to be sent unencrypted, enabling interference by malicious third-parties. Kaspersky Lab also warned that because doctors may need quick access to implants in emergencies, they need to be fitted with a software backdoor and easy-to-guess passwords, further exposing them.
Finally, the security vendor documented insecure behavior by medical staff, such as use of default passwords.
With the first commercial IPGs potentially ready in as little as 10 years’ time, Kaspersky Lab is warning that attackers could exploit vulnerabilities to implant, erase or steal memories, or even to hold individuals to ransom by threatening to do so.
“Current vulnerabilities matter because the technology that exists today is the foundation for what will exist in the future. Although no attacks targeting neuro-stimulators have been observed in the wild, points of weakness exist that will not be hard to exploit,” explained Dmitry Galov, junior security researcher in the vendor’s Global Research and Analysis Team.
“We need to bring together healthcare professionals, the cybersecurity industry and manufacturers to investigate and mitigate all potential vulnerabilities, both the ones we see today and the ones that will emerge in the coming years.”
Laurie Pycroft, a doctoral researcher in the University of Oxford Functional Neurosurgery Group, added that what sounds like science fiction is fast becoming fact.
“Memory prostheses are only a question of time,” she added. “Collaborating to understand and address emerging risks and vulnerabilities, and doing so while this technology is still relatively new, will pay off in the future.”
A new technique to escape malware detection has been used in a malicious campaign targeting smartphones, according to The Media Trust.
In today’s blog post, Michael Bittner, digital security and operations manager at The Media Trust, revealed that the campaign involved third-party code that enabled smart malware delivery. The malware, dubbed JuiceChecker-3PC by The Media Trust's digital security and operations (DSO) team, was able to bypass scanning using Base64 and has been seen in millions of page views over the last three weeks.
After bypassing the scanning, the malware checked whether the user agent was mobile-specific, whether the battery level was between 20% and 76%, and whether a referrer was specified. If all three conditions were met, the malware triggered a redirect that delivered the ad viewer to a malicious site.
The targets included three global demand-side platform (DSP) providers, all of which traditionally see checks for similar conditions, with the exception of the battery-level range.
“In this incident, the malware was inserted into creative posing as a legitimate ad for one of the largest department store retailers in the US. The Media Trust digital security and operations (DSO) team was able to identify the malicious code and work with the DSPs to shut down the malware sources,” Bittner wrote.
“Given this malware’s level of encoding, most blockers and conventional scanning techniques continue to let the malware pass through and impact millions of site and mobile app users. Nipping the attacks in the bud is particularly important given the explosion of malicious ads in the digital ad supply chain and the millions of shoppers who use their devices to browse and make transactions online.”
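The three gating conditions and the Base64 wrapping described above suggest a simple defender-side pre-scan for ad creatives. The following is an added example, not The Media Trust's or the campaign's code; the indicator list, the three-indicator threshold and the sample creative are constructed assumptions.

```javascript
// Added example, not The Media Trust's code: a static pre-scan for ad creatives
// that decodes Base64-looking runs and looks inside them for the gating calls the
// JuiceChecker-3PC description lists (battery level, mobile user agent, referrer).
// Indicator list, thresholds and the sample creative are constructed assumptions.

const INDICATORS = [
  /navigator\.getBattery/,            // battery-level gating (the unusual one)
  /document\.referrer/,               // referrer-present check
  /navigator\.userAgent/,             // mobile user-agent check
  /location\.(href|replace|assign)/,  // redirect primitive
];

// Base64 runs long enough to carry a script fragment; short runs are usually noise.
const B64_RUN = /[A-Za-z0-9+/]{24,}={0,2}/g;

// Collect the text plus every Base64 layer decoded from it, recursively, so that
// nested encoding does not hide the fragment from the indicator regexes.
function unwrapBase64(text, depth = 0, maxDepth = 3) {
  const layers = [text];
  if (depth >= maxDepth) return layers;
  for (const run of text.match(B64_RUN) || []) {
    const decoded = Buffer.from(run, "base64").toString("utf8");
    // keep only decodes that are printable text, not binary noise from a false hit
    if (!/^[\t\n\r\x20-\x7e]+$/.test(decoded)) continue;
    layers.push(...unwrapBase64(decoded, depth + 1, maxDepth));
  }
  return layers;
}

// Indicators seen in any decoding layer of a creative (deduplicated regex sources).
function scanCreative(script) {
  const hits = new Set();
  for (const layer of unwrapBase64(script)) {
    for (const re of INDICATORS) if (re.test(layer)) hits.add(re.source);
  }
  return [...hits];
}

// Heuristic verdict: the battery check together with at least two other indicators.
// A pixel that only reads navigator.userAgent is normal ad telemetry, not a hit.
function isSuspicious(script) {
  const hits = scanCreative(script);
  return hits.some((h) => h.includes("getBattery")) && hits.length >= 3;
}

// Constructed sample creative: a plain string literal wrapping the gating calls in
// Base64, with the decode-and-run step omitted on purpose.
const HIDDEN = "navigator.getBattery();document.referrer;navigator.userAgent;location.replace";
const SAMPLE_CREATIVE = `var s="${Buffer.from(HIDDEN).toString("base64")}";`;
```

The threshold is deliberately conservative: a creative that only reads the user agent is left alone, while the battery check combined with referrer and redirect indicators is flagged for manual review.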
Whether those attacks can be mitigated is questionable, though, according to a recent post on Cell Phone Security and Heads of State by Bruce Schneier. Using malware to attack the phone itself is one of two ways to eavesdrop, a technique that is favored by nation-state actors with less-sophisticated intelligence capabilities, Schneier explained.
“These attacks generally involve downloading malware onto a smartphone that then records calls, text messages, and other user activities, and forwards them to some central controller. Here, it matters which phone is being targeted,” Schneier wrote.
“Unfortunately, there's not much you can do to improve the security of your cell phone. Unlike computer networks, for which you can buy antivirus software, network firewalls, and the like, your phone is largely controlled by others. You're at the mercy of the company that makes your phone, the company that provides your cellular service, and the communications protocols developed when none of this was a problem. If one of those companies doesn't want to bother with security, you're vulnerable.
“This is why the current debate about phone privacy, with the FBI on one side wanting the ability to eavesdrop on communications and unlock devices, and users on the other side wanting secure devices, is so important.”