An Artificial Intelligence (AI) firm with connections to the 2016 Vote Leave campaign has been awarded seven government contracts in the last 18 months.
According to the Guardian, Faculty, which traded under the name Advanced Skills Initiative during the 2016 referendum on the UK’s membership of the European Union, has won seven contracts totaling around £280,000 of government work.
Faculty chief executive Marc Warren also attended Scientific Advisory Group on Emergencies (SAGE) meetings, whilst his brother, data scientist Ben Warner, was recruited to Downing Street last year for the Conservative Party’s general election campaign, and also attended SAGE meetings to provide advice to ministers on COVID-19.
Faculty is also working at the heart of the government’s response to the COVID-19 pandemic, processing large volumes of confidential UK patient information alongside US firm Palantir.
One tender was a £250,000 cross-government review on the adoption of AI, issued by the Department for Digital, Culture, Media and Sport and Government Digital Service (GDS), a body which promotes the use of digital technology to improve public services, in 2019. Cabinet Office minister Theodore Agnew also reportedly has a £90,000 shareholding in Faculty.
The contract was intended “to identify the most significant opportunities to introduce AI across government with the aim of increasing productivity and improving the quality of public services.”
Another contract was awarded in 2018 for £32,000 to fund fellowships to place data scientists in city governments to help solve local challenges. Faculty was at that time operating under its original name, Advanced Skills Initiative.
Other contracts include a £264,000 contract from the Department for Business, Energy and Industrial Strategy to monitor the impact of the coronavirus on industry, and a £600,000 contract from the Home Office to track terrorist videos online.
Holly Searle, Faculty’s head of PR and communications, told the Guardian: “Faculty has strong governance procedures in place to guard against conflicts of interest when competing for new work. All of its contracts with the government are won through the proper processes and in line with procurement rules.” Infosecurity has reached out to Faculty for further comment.
A government spokesperson said Agnew had had no role in awarding any contracts to Faculty while he had been a minister, and that he had followed the appropriate procedures by declaring his shareholding in the House of Lords register of interests and under the ministerial code of conduct.
Security experts have discovered old Tesla car parts for sale on eBay still containing user data belonging to the previous owner, in a sign that the firm’s retrofitting service is failing customers on privacy.
A white hat known as GreenTheOnly explained that media control units (MCUs) and autopilot hardware (HW) swapped out of old models by Tesla during upgrades were turning up for sale online.
Even worse, the four he bought contained: the previous owner’s home and work address, all saved Wi-Fi passwords, calendar entries, call lists and address books from paired phones and Netflix and other stored session cookies.
When Tesla agrees to retrofit a customer’s car by upgrading such components, it takes the old units for disposal — customers aren’t usually allowed to keep them. However, the researcher’s discovery means that technicians are either selling them online, or eagle-eyed hunters are going through dumpsters near Tesla service centers, or both, according to InsideEVs.
The car firm has not responded to the title’s request for more comment on its process for disposing of old parts and why it doesn’t erase user data first. However, a source told the publication that technicians were being told merely to hit units with a hammer a few times before throwing them away.
In the meantime, the carmaker appears not to be notifying customers whose data may have been exposed in this way. Users who have had retrofitting are therefore advised to change all relevant passwords on their devices and online accounts.
Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center) argued that the more sophisticated the device, the greater potential for it to contain data that may place user privacy at risk after recycling.
“With cars becoming ever more connected and offering increasing information to drivers and passengers, manufacturers like Tesla, dealer networks supporting any manufacturer and neighborhood mechanics are in a position to access the personal information stored within the multitude of computers within a modern vehicle,” he added.
“Limiting this access, and taking care to ensure stored data is deleted during computer replacement, should be a high priority for the automotive industry as we move closer to a world where connected cars are the norm.”
It remains to be seen whether Tesla's actions attract the attention of Californian data protection regulators.
A misconfigured cloud database has leaked records on tens of millions of users of an adult streaming site, putting them at risk of blackmail and identity theft, according to researchers.
CAM4 is a live streaming website for explicit content, with visitors paying to watch signed-up amateur performers film themselves online.
Security Detectives researchers led by Anurag Sen found an unsecured database containing over 7TB of personal data and production logs dating from March 16, 2020. Although CAM4 appears to be owned by Irish company Granity Entertainment, the server was hosted in the Netherlands by Mojohost.
It was found to be leaking almost 11 billion records, including 11 million containing emails and 26.3 million containing password hashes. Millions contained first and last names, country of origin, sexual orientation, usernames, chat and email transcripts from the site, IP addresses, and inter-user conversations.
In addition, a few hundred are said to have revealed full names, credit card types and payment amounts.
It’s not clear whether the data belongs to content producers or viewers, or both. However, the data exposed in the privacy incident could have been highly lucrative for cyber-criminals, enabling follow-on phishing, identity fraud, and – perhaps most damaging – blackmail.
Hackers could also use the exposed Apple, Google and other emails to target cloud storage and other adjacent consumer services to harvest yet more personal information, Security Detectives warned.
“The availability of fraud detection logs enables hackers to better understand how cybersecurity systems have been set up and could be used as an ideal verification tool for malicious hackers, as well as, enabling a greater level of server penetration,” it continued.
“Moreover, website backend data could be harnessed to exploit the website and create threats including ransomware attacks.”
The majority of exposed email records came from US users, followed by Brazil, Italy, France and Germany.
Less than a week ago, Sen and his team discovered a similar incident in which French newspaper Le Figaro leaked over seven billion records including readers’ personal information.
State-sponsored hackers have been targeting UK universities with greater frequency of late in a bid to steal research on developing COVID-19 vaccines, according to a government security agency.
It is thought that Russia, Iran and possibly China have all been probing institutions like Oxford University, which started human clinical trials on a vaccine this week, and scientific facilities.
Although there have reportedly been no successful attacks to date, there’s plenty of opportunity, with dozens of UK organizations working on treatments and tests for the coronavirus.
“Any attack against efforts to combat the coronavirus crisis is utterly reprehensible. We have seen an increased proportion of cyber-attacks related to coronavirus and our experts work around the clock to help organizations targeted,” a spokesperson from the National Cyber Security Centre (NCSC) told the Guardian.
“However, the overall level of cyber-attacks from both criminals and states against the UK has remained stable during the pandemic.”
It is hoped that if the vaccine is successful, the Oxford University researchers will team up with Cambridge-based drug firm AstraZeneca to manufacture and distribute it.
This isn’t the first time the alarm has been sounded over cyber-threats to the UK’s university sector, although the stakes have been raised significantly given the current crisis.
The NCSC was forced to issue a report last September highlighting the threat to higher education from both state-sponsored attackers and cyber-criminals.
At the time, the GCHQ body urged universities to improve user security awareness, tighten access controls and revisit network architecture to segment high-value data.
“While it is highly likely that cybercrime will present the most evident difficulties for universities, state-sponsored espionage will likely cause greater long-term damage. This is particularly true for those universities which prize innovation and research partnerships. This damage will extend to the UK’s larger national interest and to those researchers whose work may give others the chance to ‘publish first,’” the report argued.
New research from IT management and security company Ivanti has revealed that vendor management and contract negotiations are particularly time-consuming endeavors for IT professionals who are struggling with non-unified IT processes.
The firm surveyed more than 1300 IT pros, discovering that 50% work with 11 or more different vendors and 48% can spend weeks, or months, renegotiating vendor contracts each year, with Ivanti noting the greater the number of vendors to manage, the greater the contract negotiation time for IT pros.
What’s more, operations reports are also proving to be time-consuming for IT pros. Only 20% spend minutes producing IT operations reports, while 52% spend hours, 22% spend days and 6% spend weeks.
These findings highlight the need for more unified IT strategies across businesses, Ivanti claimed.
The majority of respondents agreed that the benefits of more unified IT are compelling, citing the following:
- Consistent data across systems and IT departments: 70%
- Improved user experience: 61%
- Ease of use: 60%
- Consistent and aligned processes across IT departments: 59%
- Cost savings: 58%
The survey also suggested that unified IT strategies will be adopted by respondents as they demonstrate value in helping IT meet priorities and initiatives, including improved patching and security, cutting down time to resolve incidents and improved IT reporting.
“Conflicting initiatives are competing for IT budgets and complicating visibility and reporting processes. This is making it challenging to achieve IT unification,” said Duane Newman, vice-president, product management at Ivanti.
“Compounding the situation is the time IT organizations spend on vendor and contract management. However, by taking a unified approach to the priorities of security, issue resolution and reporting, IT organizations will likely find that they are better able to achieve their highest priorities without added cost or effort.”
Fraudsters are attempting to sell fake vaccines allegedly manufactured using the blood of patients who have recovered from COVID-19.
The nonsense vaccines were among a crock of utter dog wings spotted for sale on the dark web by researchers from the Australian National University's Cybercrime Observatory. Researchers were trawling dark net markets for coronavirus-related medical products and supplies for a report released April 30 by the Australian Institute of Criminology.
A survey of 20 underground markets turned up 645 listings of 222 items from 110 unique vendors across 12 sites. The total estimated value of all the items was $369,000.
While scientists around the world strive to create a proven vaccine for COVID-19, the dark net claims to have plenty available. Of the 645 items found by researchers, 6% were products falsely claiming to be effective vaccines against the deadly virus.
"COVID-19 cure vaccine. Keep quiet on this," read one such listing, while another announced "COVID-19 antidote is here from China."
Any victims tricked into buying one of these fake vaccines would have paid on average AU$575 for their purchase. However, one vaccine, purportedly sourced from China, where the first animal-to-human transmission of COVID-19 took place, was on sale for between US$10,000 and US$15,000.
Researchers warned that the dangers of fake vaccines go beyond individual victims' being ripped off financially.
"First, fake vaccines could worsen the spread of the virus because users may behave as if immune but nevertheless become infected. Second, the premature release of vaccines undergoing animal or human trials would also misguide users as to their immunity, but may also impact the success of these crucial clinical trials."
Nearly half of all unique listings and a third of the total listings were composed of personal protective equipment (PPE), such as masks, gowns, sanitizers, and gloves. One listing offered 10,000 "good quality lab tested face mask for corona" for the sum of $17,952.
Most vendors claimed to be shipping from the United States.
Happily, researchers came across one dark net marketplace where the sale of COVID-related products has been banned for ethical reasons. On the site was posted the message: "You do not, under any circumstances, use COVID-19 as a marketing tool. No magical cures, no silly f***ing mask selling, toilet paper selling. None of that bullsh*t. We have class here."
Police in the Northern Irish capital city of Belfast have issued a warning over a recent rise in cybercrime.
A senior police officer said businesses had experienced a "surge" in cyber-attacks since the outbreak of the novel coronavirus. Many of the attacks are scams concocted by fraudsters seeking to exploit the health pandemic.
Police Service of Northern Ireland (PSNI) assistant chief constable Alan Todd advised businesses to ensure their IT security systems are fully up to date. He also urged businesses to be extra wary of any unusual communications.
“It is very clear that from a strategic level through the National Crime Agency, through the global level, there is a real surge in attempts, at all levels, from individual members of the public right through to business ransomware," said Todd, addressing an online seminar of Northern Irish business leaders organized by the Institute of Directors.
“All of the usual methods of attack have been ramped up at this time, and therefore the risk arising out of this for businesses and indeed householders is higher than it was."
Todd said that the tragic growth in cybercrime related to the outbreak of COVID-19 was expected.
“It was predicted before the start of this, and we are certainly seeing evidence of that.”
According to the officer in charge of the police force's coronavirus response, much of the fresh wave of cybercrime is low-level in terms of impact but could target a high volume of victims. He added that unfamiliarity with new resources, such as grants given to businesses struggling to stay afloat since lockdown measures were imposed, made employees more vulnerable to cyber-threats.
Addressing the seminar, the officer said: “Your staff may be involved in transactions and conversations around schemes that they have no familiarity with. Of course, when you put staff into that position the potential for that to be exploited by fraudsters and others in the cybercrime world is even higher.”
While lockdown measures remain in place in Northern Ireland to slow the spread of COVID-19, Todd said that officers had increased patrols in areas where business premises were closed in a bid to keep crime at bay.
Personal details of 774,000 individuals in Australia's migration system have been exposed in a data breach.
The data was made publicly available via the Home Affairs Department's SkillsSelect platform, which invites skilled workers and entrepreneurs to express interest in moving Down Under.
Partial names, ADUserIDs, and the outcome of applications made by people wishing to migrate to Australia were discovered online by Guardian Australia via a publicly available app hosted on the employment department's domain. Other information uncovered by the newspaper included the age, country of birth, and marital status of applicants.
In total, the breach revealed 774,326 unique user IDs and 189,426 completed expressions of interest, dating back to 2014. By applying filters, the Guardian was able to narrow down an expression of interest to a single entry, then discover other details relating to that particular applicant.
News of the breach comes as the Australian government is asking people to voluntarily adopt a new contact-tracing app, CovidSafe, to slow the spread of the novel coronavirus. A cybersecurity failure in one government app could make Australians reticent to input their personal information into another.
Australian Privacy Foundation board member Monique Mann told Guardian Australia the breach was “very serious … especially at a time where the Australian government is expecting trust.”
Mann described the Australian government as having a "consistently poor track record that shows that we cannot trust them with our personal information,” and went on to call the unnecessary exposure of migrant data "absolutely ludicrous."
Privacy academic, cryptographer, and chief executive of Thinking Cybersecurity Vanessa Teague said she thought that the public availability of ADUserIDs on the SkillsSelect platform “looks like a stuff-up.”
When Guardian Australia contacted the Home Affairs Department and the Employment Department in relation to the data breach, the SkillsSelect platform was taken offline and is now "currently undergoing maintenance."
Mann expressed concern that the data breach had not been identified by the Home Affairs Department.
She said: “What processes of auditing and oversight are occurring within department of home affairs? This department is responsible for policing, border protection and intelligence. You would expect a greater level of information security than this.”
President Trump has declared another national emergency: this time over the threat of foreign adversaries launching crippling cyber-attacks against the US power grid.
A new executive order issued on Friday noted that attacks on “bulk power” equipment could have a devastating impact on national defense, emergency services, critical infrastructure and the economy.
It has therefore prohibited the ongoing acquisition and installation of any equipment “in which any foreign country or a national thereof has any interest.”
“The unrestricted acquisition or use in the United States of bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in bulk-power system electric equipment, with potentially catastrophic effects,” it read.
The order also empowers the energy secretary to find existing systems which have been bought in from abroad and are exposed to cyber-sabotage, and “develop recommendations on ways to identify, isolate, monitor, or replace such items as soon as practicable, taking into consideration overall risk to the bulk-power system.”
A new Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security will include secretaries of defense, commerce, homeland security, the interior and directors of national intelligence and the Office of Management and Budget. It will be set up to develop new procurement policies and make additional recommendations.
Although not named directly, the order is likely to be aimed at Russia and China. Kremlin-backed hackers, such as the Dragonfly and Energetic Bear APT groups, have been probing US energy infrastructure for years, prompting occasional alerts from the intelligence agencies.
An annual Worldwide Threat Assessment report published by the US Senate Intelligence Committee last year warned that the US electric grid could suffer the same fate as Ukrainian energy companies in 2015 and 2016, when Russian attacks left many without power.
“Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage,” it warned.
Asian e-commerce giant Tokopedia is investigating a potentially major data breach after researchers revealed that 91 million user records are up for sale on the dark web.
Breach monitoring service Under the Breach posted screenshots over the weekend that revealed a malicious actor selling records of 15 million users apparently stemming from a March 2020 incident.
According to the post, the database contained emails, password hashes, names and “much more things.” The user said they acquired a copy of the data dump but that crucially it didn’t include the salt needed to crack the hashes.
Unfortunately, the same actor was subsequently found to be selling a much larger data trove containing a purported 91 million records for just $5000. There appear to have been at least two buyers over the weekend.
“This is really bad, make sure you change your passwords for other services in case you are re-using passwords,” advised Under the Breach.
According to reports, Tokopedia is investigating the incident and reiterated in the meantime that passwords are safe.
Backed by the SoftBank Vision Fund and Chinese web giant Alibaba, the Indonesian e-commerce player is said to be looking to raise $1bn or more in pre-IPO funding ahead of plans to go public in the next three years.
The firm claims to have over 90 million monthly active users and more than seven million merchants signed up to its Amazon-like platform.
“We have detected an attempt to steal data belonging to Tokopedia users. However, we have made sure that our users’ personal information, such as passwords, remain protected,” the company said in a statement to local media.
“Although passwords and other crucial user data remain encrypted, we still encourage Tokopedia users to change their passwords periodically to ensure their safety and security.”
The UK’s National Cyber Security Centre (NCSC) has updated some of the terminology on its website in a bid to “stamp out racism” in the industry.
The GCHQ body’s head of advice and guidance, Emma W, revealed in a blog post that the decision was made after being contacted by a customer, who was concerned over the continued use of the words “blacklist” and “whitelist.”
The terms are commonly used in cybersecurity to denote elements such as applications, passwords or domain names that are either allowed (whitelist) or blocked (blacklist).
“However, there's an issue with the terminology. It only makes sense if you equate white with ‘good, permitted, safe’ and black with ‘bad, dangerous, forbidden’. There are some obvious problems with this,” she explained.
“So in the name of helping to stamp out racism in cybersecurity, we will avoid this casually pejorative wording on our website in the future. No, it's not the biggest issue in the world — but to borrow a slogan from elsewhere: every little helps.”
The NCSC is now using “allow list” and “deny list” on its website, and says the new terminology is also clearer and less ambiguous for readers.
“You may not see why this matters. If you're not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making,” concluded Emma W.
“Finally, a word from the NCSC’s technical director Ian Levy (supported by the full NCSC management board): ‘If you’re thinking about getting in touch saying this is political correctness gone mad, don’t bother.’”
A white supremacist from Florida who felt threatened by an African American man announcing his candidacy for city council has pleaded guilty to cyber-stalking and interfering with an election.
Daniel McMahon admitted to using social media platform Gab to threaten a man identified in court as D.G. after learning in January 2019 that D.G. planned to announce his candidacy for Charlottesville City Council in Virginia.
Hiding behind fake online pseudonyms “Jack Corbin,” “Pale Horse,” “Restore Silent Sam,” and “Dakota Stone,” cowardly McMahon posted on Gab his support for violent attacks conducted against people whose skin color differs from his own. He also posted tired old racist stereotypes and slurs in an unoriginal effort to intimidate D.G.
McMahon pleaded guilty yesterday in federal court in the Western District of Virginia to one count of threatening a council candidate because of his race and the fact that he was running for office.
The 31-year-old also admitted using Facebook Messenger to cyber-stalk a female political activist described in court documents as victim 2. Classless act McMahon threatened to sexually assault her daughter—a minor with autism—because victim 2 had taken action to counter white nationalist rallies in her community.
The defendant admitted that over a 12-day period he sent victim 2 a stream of messages in which he threatened her and her daughter and tried to extort information from victim 2 regarding other activists.
In a revealing glimpse into his squalid character, McMahon admitted that, around the same time he sent these messages, he used the internet to search for content relating to sexual contact with girls who have autism.
McMahon will be sentenced on July 23, 2020. He faces a maximum sentence of one year in prison for threatening D.G. and five years in prison for cyber-stalking victim 2.
“Although the First Amendment protects, without qualification, an individual’s right to hold and express abhorrent political views, it does not license threats of violence,” said US Attorney Thomas T. Cullen for the Western District of Virginia.
“The Department of Justice is committed to investigating and prosecuting those who weaponize social media to harm others.”
The finding emerged from the recent COVID-19 Study in which more than 3,700 IT audit, governance, and cybersecurity professionals from 123 countries were questioned about the impact of the global health crisis on their organizations and their own jobs.
Only 51 percent of technology professionals and leaders surveyed said they were "highly confident" that their cybersecurity teams were ready to detect and respond to the surge in cybersecurity attacks that has accompanied the spread of the novel coronavirus.
Just 41 percent said that their cybersecurity teams had the necessary tools and resources at home to perform their jobs effectively.
The survey, which was conducted in mid-April, found that the rapid mass transition to remote working triggered by lockdown measures imposed to slow the spread of COVID-19 has made businesses more vulnerable to cybersecurity threats.
While 80 percent of organizations shared cyber-risk best practices for working at home as shelter-in-place orders began, 87 percent of respondents said the rapid transition to remote work had increased data protection and privacy risk.
This presents a problem, as 58 percent of respondents say threat actors are taking advantage of the pandemic to disrupt organizations, and 92 percent say cyber-attacks on individuals are increasing.
“Organizations are rapidly and aggressively moving toward new ways of doing business during this time, which is a very positive thing, but it can also lead to making compromises that can leave them vulnerable to threats,” said ISACA CEO David Samuelson.
“A surge in the number of remote workers means there is a greater attack surface. Remote work is critically important right now, so security has to be at the forefront along with employee education. ISACA professionals have an especially critical role to play in protecting their enterprises, customers and stakeholders during this pandemic.”
Questioned over the security of their jobs, 10 percent of respondents feared that they may be fired as a result of the health pandemic, and 1 percent of respondents had been furloughed.
On a positive note, the majority of respondents predicted normal business operations to resume by Q3 2020.
Independent IT and business consulting services firm CGI has been awarded a lucrative contract by the United States government to improve cybersecurity at more than 75 federal agencies.
CGI announced yesterday that it had won a six-year contract to provide cybersecurity consulting services under the US Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) Program for CDM's Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) Group F federal agencies.
The contract, worth $267m, was awarded via the US General Services Administration's Alliant 2 government-wide acquisition contract through an acquisition conducted by GSA FEDSIM.
Under the terms of the contract, CGI will create a shared services platform for the DHS's Cybersecurity and Infrastructure Security Agency (CISA) to deliver CDM cybersecurity capabilities to more than 75 non–Chief Financial Officer (CFO) Act agencies.
CGI will also provide a shared services catalog (SSC) of services and capabilities and meet CDM program goals. The SSC will be designed to grow and evolve with the ever-changing threat and technology landscape. This vital resource will enable CGI to develop innovative solutions that focus primarily on cloud native and hosted service solutions.
With 78,000 consultants and other professionals scattered across the globe, CGI Inc. has grown into one of the largest independent IT and business consulting services firms in the world. The business, founded in 1976, reported revenue of C$12.1bn in fiscal year 2019.
"CGI has played a strategic role and been a trusted partner to CISA for the past four years, through our work on Credential Management and DEFEND Group C," said CGI senior vice president Stephanie Mango.
"In partnership with CISA we have worked across many agencies to identify and address cybersecurity challenges. We look forward to continuing our support of this critical cross-agency initiative and leveraging our wealth of cybersecurity and shared services expertise to help DHS achieve its ultimate objectives."
CGI began working with the CDM program in 2016 after being awarded a contract for identity management services through the Credential Management Task Order, providing design and implementation services to 26 federal agencies.
An online cyber-school has been launched today by the UK government to help develop a new generation of cybersecurity professionals. The free virtual program provides teenagers with the opportunity to learn vital cybersecurity skills at home as schools remain closed due to the COVID-19 lockdown.
Enrolled students will progress through a game play scenario as a cyber-agent, learning how to crack codes, fix security flaws and dissect criminals’ digital trails in the process. There will also be free weekly webinars run by cybersecurity experts covering areas such as digital forensics, cryptography and operating systems.
It is hoped the initiative will provide youngsters with useful skills for future employment as well as encourage interest in pursuing a career in the cybersecurity sector, which is set to become even more vital as the world becomes increasingly digitalized.
UK digital infrastructure minister Matt Warman said: “This new initiative will give teenagers something fun and educational to do from home and provide them with a glimpse into the life of a cybersecurity professional. We have a world-leading cyber-sector which plays a crucial role protecting the country and our digital economy, so it is absolutely vital we continue to inspire the next generation of tech talent to help maintain the UK’s strong position.”
Other steps to enable children to learn these types of skills virtually are also being taken. This includes moving the National Cyber Security Centre’s (NCSC) CyberFirst summer courses online this year. Also, this week the National Crime Agency (NCA) and Cyber Security Challenge UK will announce that teenagers can access the online cyber-skills platform CyberLand for free during the coming months.
“Technology is helping us all cope with the coronavirus crisis and is playing an essential role in keeping our businesses moving and our society connected,” added NCSC chief executive officer, Ciaran Martin. “It has never been more important for our young people to keep engaged and learn how to protect our digital world, and I’m delighted to see our instructor-led CyberFirst summer courses made available online.”
The average sum paid by enterprises to ransomware attackers surged by 33% quarter-on-quarter in the first three months of the year, as victim organizations struggled to mitigate remote working threats, according to Coveware.
The security vendor analyzed ransomware cases handled by its own incident response team during the period to compile its latest findings.
It revealed the average enterprise ransomware payment rose to over $111,000 in the quarter, although the median remained at around $44,000, reflecting the fact that most demands from online attackers are more modest.
Sodinokibi (27%), Ryuk (20%) and Phobos (8%) remained the top three most common variants in Q1 2020, although prevalence of Mamba ransomware, which features a boot-locker program and full disk encryption via commercial software, increased significantly.
Poorly secured RDP endpoints continued to be the number one vector for attacks, more popular than phishing emails or exploitation of software vulnerabilities.
“RDP credentials to an enterprise IP address can be purchased for as little as $20 on dark marketplaces. Combined with cheap ransomware kits, the costs to carry out attacks on machines with open RDP were too economically lucrative for criminals to resist,” said Coveware.
“Until the economics of carrying out ransomware balance (by either bringing the monetization success rates down or by making attacks prohibitively expensive) ransomware and cyber extortion will continue to gain prevalence.”
Interestingly, only 8.7% of cases investigated by the vendor involved data exfiltration, although it became much more popular during the quarter. Maze, Sodinokibi, DopplePaymer, Mespinoza, Netwalker, CLoP, and Nephilim were all highlighted as likely to steal data.
Coveware also pointed out that, although the trend of “big game hunting” has been widely publicized, ransomware is more likely to affect smaller firms. The average number of employees in ransomware victims was 625 in Q1, with the median a much smaller 62.
On average, victim organizations suffered 15 days of downtime.
Security researchers have warned of a new Android-based banking Trojan that works across 200 financial applications popular in Europe and the US.
First discovered in March, the EventBot malware abuses Android’s accessibility features to steal financial data, bypass two-factor authentication and read and steal SMS messages.
Among the banking and cryptocurrency exchange apps targeted by EventBot are Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase and paysafecard.
This represents a serious risk to organizations, according to Cybereason Nocturnus.
“Once this malware has successfully installed, it will collect personal data, passwords, keystrokes, banking information and more. This information can give the attacker access to personal and business bank accounts, personal and business data, and more,” the firm explained.
“Letting an attacker get access to this kind of data can have severe consequences; 60% of devices containing or accessing enterprise data are mobile. Giving an attacker access to a mobile device can have severe business consequences, especially if the end user is using their mobile device to discuss sensitive business topics or access enterprise financial information. This can result in brand degradation, loss of individual reputation, or loss of consumer trust.”
Although it’s unclear who’s behind the malware, IT security teams have been urged to keep an eye on EventBot as it continues to evolve rapidly.
“This malware appears to be newly developed with code that differs significantly from previously known Android malware,” said Cybereason. “EventBot is under active development and is evolving rapidly; new versions are released every few days with improvements and new capabilities.”
Businesses are advised to ensure employee devices are up-to-date, with Google Play Protect and third-party AV installed/switched on, and that users are prevented from downloading apps from unofficial stores.
Users should also think twice about granting requested permissions from apps, and if unsure about an application, should check the APK signature and hash in sources like VirusTotal before installing it, Cybereason said.
New data from Absolute has revealed the extent to which heavy device usage has grown across enterprise and education due to the COVID-19 pandemic, whilst also highlighting the rise in security violations and risks as a result.
According to Absolute, heavy device usage is up 49% (enterprise) and 62% (education) compared to pre-COVID-19 levels, despite gaps in device security and an alarming number of Windows 10 devices not being patched.
In fact, the average Windows 10 enterprise device was 90 days behind patching, according to Absolute’s Remote Work and Distance Learning Insights Center, with nearly three in four Windows 10 devices having versions more than a year old. What’s more, one in four enterprise endpoint devices were found to have critical security applications (anti-malware, encryption, VPN or client management) missing, inactive or out-of-date.
Christy Wyatt, president and CEO of Absolute, said: “COVID-19 marks the beginning of a new era where we believe the nature of work will be forever changed.
“As this crisis took hold, we saw our customers mobilize quickly to get devices into the hands of students and employees and navigate the challenges of standing up remote work and distance learning programs. What has become resoundingly clear is there has never been a more critical time for having undeletable endpoint resilience.”
Newspaper Le Figaro has become the latest big name humbled by a human error-based data leak, after a cloud server was found to have exposed 7.4 billion records including readers’ personal information.
Researchers at Security Detectives led by Anurag Sen found the 8TB Elasticsearch database, hosted by a firm called Dedibox, wide open with no password protection.
Although the database belonged to Le Figaro, the server on which it was hosted was owned by Poney Telecom, which the researchers claimed “has a reputation for shady, unethical hosting practices and security issues, and is notorious for many online attacks that seem to originate from within its network of servers.”
The database contained API logs for the past three months, although it was built in March 2019. These logs contained records of new subscribers and previously subscribed users logging in during the period.
Exposed PII data included full names, emails, home addresses, countries of residence and post codes, IP addresses, server access tokens and passwords for new users both in cleartext and hashed with the unreliable MD5 algorithm.
This could provide hackers with a trove of information to launch follow-on phishing or identity fraud attempts. Users’ emails and passwords could also be used in credential stuffing attacks to access other online accounts.
An unspecified number of emails and names of reporters and employees were apparently also exposed in the privacy snafu.
Security Detectives estimates at least 42,000 new users were affected by the leak.
The data trove may also have exposed the newspaper to further attacks, according to the researchers.
“The exposed database was an excellent asset for anyone trying to attack Le Figaro’s backend systems,” they said. “It could be leveraged in further cyber-attacks against the company, or to expose other flaws in their system, which could put both the company and its users at risk.”
The CTO of Fairfax County Public Schools has resigned after the district's repeated failure to successfully roll out remote learning during the COVID-19–related school closures.
Fairfax County has twice attempted unsuccessfully to implement a distance learning app that would allow its nearly 200,000 students to access education remotely.
In the midst of the debacle, Maribeth Luftglass, who has served as assistant superintendent of information technology for the district since 1999, tendered her resignation.
Lucy Caldwell, a spokesperson for the school district, said that Fairfax County plans to name an interim chief technology officer soon and is currently searching nationwide for a permanent replacement.
The district began offering remote instruction in partnership with technology platform Blackboard four weeks after shuttering schools on March 13. Almost immediately, students and parents complained of being unable to log on and of experiencing technical glitches, including poor audio and frozen video.
Those who were able to access the system during its April 14 debut encountered inappropriate conduct from students, such as the posting of anonymous hateful messages in chat groups.
According to the Washington Post, Fairfax canceled school for the rest of the week, and school employees bemoaned the district's inadequate preparation for privacy protocol and technology updates.
While students waited for a system that works, Blackboard and district officials have reportedly bickered over who is to blame for the inadequacy of Fairfax County's distance learning solution.
According to Education Week, Blackboard Chief Product Officer Tim Tomlinson said during a recent school board meeting that Fairfax officials had neglected to implement necessary features and updates, while Luftglass said the company hadn't informed her team of those requirements.
After two failed attempts to offer online learning, the district has now parted ways with Blackboard and temporarily canceled face-to-face virtual instruction.
Caldwell said: “We have now moved on and are offering other options for teachers and students to connect.”
The inability of one of the largest and richest school systems in America to provide online learning to its students has prompted the formation of an advisory panel of external technology experts.
The district announced last week that it has retained a law firm to conduct an independent review of the flopped rollout.