Cyber Risk News

Google’s Updated Political Ads Policy Puts Pressure on Facebook

Info Security - 1 hour 41 min ago

Google has announced plans to restrict political advertising on its platforms ahead of the UK General Election and next year’s US Presidential election, in a move which will further turn the heat up on Facebook.

Although the web giant claimed that it never allows controversial micro-targeting of election ads, it announced a further clarification of its policy on Wednesday to limit election ad targeting to “age, gender, and general location.”

It’s also explicitly banning deep fake content, misleading claims about the election process, and “ads or destinations making demonstrably false claims that could significantly undermine participation or trust in an electoral or democratic process.”

“Whether you’re running for office or selling office furniture, we apply the same ads policies to everyone; there are no carve-outs,” argued Google Ads VP of product management, Scott Spencer.

“It’s against our policies for any advertiser to make a false claim — whether it's a claim about the price of a chair or a claim that you can vote by text message, that election day is postponed, or that a candidate has died.”

That appears to put more distance between Google and Facebook, whose stance is that tech firms should not be the arbiters of what politicians can and can’t say — despite it having strict rules on false advertising elsewhere on its platform.

This position has invited heavy criticism from various quarters as tantamount to allowing politicians to lie — especially after Facebook rejected a request from Presidential hopeful Joe Biden to remove a Trump campaign ad containing misinformation about the former vice president.

“Of course, we recognize that robust political dialogue is an important part of democracy, and no one can sensibly adjudicate every political claim, counterclaim, and insinuation,” Spencer continued.

“So we expect that the number of political ads on which we take action will be very limited — but we will continue to do so for clear violations.”

Twitter has already announced a ban on virtually all political advertising, which will begin today.

The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have called for urgent legislation to regulate the "wild west" of political advertising, fearing that outside forces could sway elections and that secret micro-targeting of voters undermines the legitimacy of results.

Google has previously blocked political ads two weeks before polling in the Irish referendum and during the entirety of the recent Israeli and Canadian election periods.

Categories: Cyber Risk News

French Hotel Giant Leaks 1TB+ of Client Data

Info Security - 2 hours 34 min ago

A leading European hotel booking platform has leaked over 1TB of data on customers, clients and partners thanks to an unsecured Elasticsearch database, exposing them to account takeover, identity theft and financial fraud.

Researchers at vpnMentor discovered the database in question on an unsecured and unencrypted server. It belonged to French B2B hotel booking firm Gekko Group, which is said to have a client list of 600,000 global hotels and is a subsidiary of Europe’s largest hotel group, AccorHotels.

Although the researchers reached out to AccorHotels and Gekko Group immediately after discovering the privacy snafu on November 7, it took the former a week to respond and confirm that the leak had been plugged.

The data itself came from multiple different businesses within the Gekko Group and the travel agencies and booking sites they interact with, meaning many customers who had no direct relationship with the B2B giant were affected across Europe — including in the UK, France, Portugal, Spain and the Netherlands, as well as Israel.

The main subsidiaries affected in the leak were Teldar Travel, a B2B booking system for European travel agents, and Infinite Hotels, which handles wholesale inventory and booking data distribution, according to vpnMentor.

External platforms they interact with that were also caught in the incident included Booking.com, Hotelbeds.com, Mondial Assistance and more.

Exposed data included reservation details such as full names and addresses as well as invoices including unencrypted payment data for travel agents and their customers. The researchers were also able to discover plain text passwords for accounts on Gekko Group platforms.

“With these, hackers could enter accounts and charge purchases to virtual credit cards stored within, maxing them out before AccorHotels or Gekko Group can charge clients for reservations, and similar bookings made. This could lead to serious losses for the company,” vpnMentor claimed.

“The contents of the database could also help hackers target the same companies in other ways. Using the information and accesses exposed, they could create effective phishing campaigns, or target companies with various forms of malicious software attacks: malware, spyware, ransomware, and more.”

Hackers could also use the data to target holidaymakers themselves with convincing phishing attacks, the firm argued.

“Enterprise infrastructures are filled with tens of thousands of cloud resources that create opportunities for leakage. In this case, it’s likely that an identity changed the privacy configurations for a legitimate reason for a single Elasticsearch server, exposing more than a terabyte of sensitive data,” explained Balaji Parimi, CEO of CloudKnox Security.

“Because companies struggle so badly with visibility into complex multi-cloud environments, finding these vulnerabilities can be like looking for a needle in a haystack. At this scale, a prevention-first approach is critical.”

Nominet Tackles Cybercrime with 29,000 .UK Domain Suspensions

Info Security - 3 hours 34 min ago

Nominet suspended nearly 29,000 .uk domains over the past year in its ongoing bid to clean up Britain’s domain name space.

The .uk registry said that between November 1, 2018 and October 31, 2019 it took down 28,937 domains as a result of criminal activity.

The figure is down slightly from the previous year’s 32,813 and represents just 0.22% of the more than 13 million .uk domains currently registered, which Nominet claimed was a sign that the current system is working.

“It’s encouraging to see that our efforts, working closely with the law enforcement community, are having a demonstrable impact on the ability of those intent on causing serious mischief online. We will not tolerate .uk domains being used for criminal activity,” said Nominet CEO, Russell Haworth.

“Suspensions have fallen for the first time since 2014 indicating that using collective established processes combined with technology-driven interventions is, it seems, acting as a deterrent.”

This year the registry received requests from five of the 10 organizations it collaborates with on takedowns.

The vast majority (28,606) came from the Police Intellectual Property Crime Unit (PIPCU) which deals with requests relating to IP infringements, followed by the National Fraud Intelligence Bureau (178), Trading Standards (90), the Financial Conduct Authority (48) and the Medicines and Healthcare Products Regulatory Agency (31).

Detective constable Weizmann Jacobs of the City of London Police’s Intellectual Property Crime Unit warned internet users of the dangers of phishing sites and those selling counterfeit goods.

“By collaborative working, we can help protect consumers from the dangers of counterfeit goods and safeguard their personal information when shopping online,” he added.

“In light of the figures Nominet have released, and in the run up to Christmas, we would like to warn online shoppers that there’s more risk when it’s counterfeit. If it looks too good to be true then it probably is; heavily discounted products are often a tell-tale sign that something isn't right.”

The news comes as HMRC this week warned UK taxpayers about an escalation in phishing attempts ahead of the January 31 self-assessment deadline. It claimed to have received nearly 900,000 reports from the public about suspicious contact over the past year — more than 100,000 of these concerning phone scams, and over 620,000 concerning bogus tax rebates.

Remote Islands to Enter Cybersecurity Industry in 2020

Info Security - Thu, 11/21/2019 - 19:50

The US Commonwealth of the Northern Mariana Islands (CNMI) is to welcome its first ever cybersecurity business next year.

In a statement released today and published in the Marianas Variety, the CNMI Departments of Commerce and Labor announced that an unnamed US-based cybersecurity firm will open its newest Security Operations Center on CNMI's largest island, Saipan, in January 2020.

In addition to placing the CNMI on the cybersecurity industry's map, the new center is expected to create new jobs on the remote Pacific Ocean island. Recruitment is currently underway for 15 information security analysts. 

Applicants must be at least 18 and need to have attained a CompTIA certification through local nonprofit organization The Latte Training Academy (LTA). 

The US firm will be hiring qualified candidates on a full-time basis and will offer career progression, which may require relocation to various client locations throughout the United States and Europe.

"The firm reached out to the Latte Training Academy through its affiliation with CompTIA and began discussions on the ability to support its need for entry level Information Security Analysts. These positions are intended to serve as front line network analysts for the firm’s clients," said the LTA's director, Ed Arriola Jr.

"Given the security concerns of their customer base, the organization has opted to open a CNMI location rather than outsource the work. The need to source a US labor market was a key component to their interest in the CNMI, but our geographic location on the opposite side of the international date line was beneficial as it allows them to provide coverage to supplement their US offices."

Secretary of Labor Vicky Benavente said the arrival of the US firm aligned well with the CNMI's plans to create an apprenticeship program. 

"The Department of Labor Workforce Investment Agency director David Attao has been a key advocate in establishing our apprenticeship strategy and work experience programs. 

"Given the course of the discussion with the firm, he recognized that their training and on-boarding plan was directly in-line with the mission of DOL WIA and the USDOL Apprenticeship State Expansion program. 

"We will continue to work with our partners at the Latte Training Academy to bring this tremendous opportunity to fruition. This effort is exactly the push that this administration has worked so diligently to produce. While we are still in beginning phases, to be able to generate the interest within this industry is extraordinary."

Dutch Company Launches Private Unprofiled News Tab

Info Security - Thu, 11/21/2019 - 18:44

Startpage.com has created a private News tab that allows users to search the internet without logging in or sharing any personal information. 

The Dutch company launched the News tab today as an additional feature of its existing private browsing extension. 

The tab allows users to keep up with the latest news stories in complete anonymity, and prevents users from becoming trapped in a limited bubble of search results tailored to their own preferences. 

Anyone using the news tab will receive identical unprofiled search results for their particular query, regardless of their browsing history or demographic profile. 

The News tab is an extension of Startpage’s existing private search engine options of “Web,” “Images,” and “Anonymous View.”

A spokesperson for Startpage.com said: "With the rise of content creation and dispersion of news sources, there’s been a tidal wave of news coverage flowing across the web on a daily basis. Some of this news becomes wide-reaching, being read by millions, while other news goes entirely unnoticed. 

"Furthermore, news outlets’ viewpoints are becoming more extreme to serve niche audiences with divisive opinions versus unbiased reporting." 

Algorithms developed to display curated news and articles based on a reader's individual digital profile result in users receiving only a narrow slice of information about what's really going on in the world.

Startpage.com was inspired to create the News tab after several months of receiving multiple requests from their users for a "fair, un-personalized, anonymous way to receive their news."

A company spokesperson said: "Most search engines keep an archive of your prior search and browsing history, resulting in a 'filter bubble' — a tailored internet experience based on your collected data, which traps you in a search bubble built by your own preferences. Startpage’s News tab empowers users to see comprehensive search results beyond the bubble."

The News tab will showcase the most relevant search results—which can be filtered by date—while guaranteeing a completely unprofiled browsing experience, allowing users to peruse the news free of any search history tracking.

Startpage.com won praise from the Dutch legal protection minister Sander Dekker, who cited the company in a June letter to the House of Representatives regarding privacy. 

Dekker wrote: "It is important that people become more aware of the consequences of sharing personal data. Dutch initiatives such as the search engine Startpage.com, where no personal data is stored, contribute to the protection of the privacy of citizens."

Cybersecurity Protocol for International Arbitration Published

Info Security - Thu, 11/21/2019 - 17:52

A detailed set of guidelines on what cybersecurity measures to take when handling arbitration was released today as part of New York Arbitration Week.

The Cybersecurity Protocol for International Arbitration (2020) is the culmination of two years of work by a working group on cybersecurity consisting of representatives of the International Council for Commercial Arbitration (ICCA), the New York City Bar Association (City Bar), and the International Institute for Conflict Prevention & Resolution (CPR). 

The protocol was published with the twin goals of providing a framework for determining reasonable information-security measures for individual arbitration matters and increasing awareness about information security in international arbitration.

Cybersecurity is crucial in arbitration, since the credibility and integrity of any dispute-resolution process depends on maintaining a reasonable degree of protection over the data exchanged during the process.

A City Bar representative said: "We are proud that this important work has had its launch during New York Arbitration Week and at the New York International Arbitration Center. New York is one of the most frequently selected locations for international arbitration in the world and the most popular city for arbitration in the United States."

The protocol reviews the importance of cybersecurity in high-stakes international arbitration, which often involves extensive travel and the use of multiple networks. Recommendations include identifying and classifying all information and controlling access to it as appropriate. 

Suggested information security measures for hearings and conferences include implementing procedures for the handling of any transcripts, recordings, or videos that are made and restricting what technology attendees may bring to and use at hearings. 

"The Protocol provides a pathway for the arbitration community to maintain a culture of awareness and effective security so that arbitration will continue to meet users’ expectations," said a City Bar representative. 

The working group published an initial Consultation Draft in April 2018, together with a request for comments that was sent to more than 240 individual consultees representing arbitral institutions, law firm arbitration practice groups, expert witnesses in arbitration proceedings, and non-governmental organizations such as bar associations. 

In the expectation that the protocol will necessarily evolve over time, the working group has appended "2020" to this first edition. Feedback on the Cybersecurity Protocol may be sent to cybersecurity@arbitration-icca.org.

#InfosecNA: How to Communicate Risk and Security to Executives

Info Security - Thu, 11/21/2019 - 16:15

Speaking at Infosecurity ISACA North America Expo and Conference in New York, Tony Rock, chief operating officer at Lockpath, discussed the challenges many security departments face in building a business case to communicate their risk management and security programs.

“Our [infosec pros] jobs are hard, when you think about the world that we live in: no resources, changing priorities, no funding, compliance [etc.],” Rock said.

“We need to find a way to communicate the issues we are having within the organization and how we can use those to minimize risk and deliver value.”

Fundamentally, security leaders can become frustrated, Rock admitted, “but at the same time, our business executives are frustrated too,” and they do not view or understand security and risk in the same way as security professionals.

Security leaders must understand the business use cases of security strategies to drive more value, he added. “Not being able to communicate effectively is a significant problem, and at the end of the day, the people on the business side control the check books, but they normally don’t quite understand what we do and how we deliver value.”

It’s therefore down to security leaders to align and articulate their needs with the needs of the wider business stakeholders, including:

  • Linking needs to performance metrics
  • Funding business cases
  • Reporting status for action

Security leaders must understand the cost and benefit of their objectives, and frame reporting of results or requests for resources in the context of business executives, Rock continued. He then shared an ‘alignment to value’ diagram (below) that can aid security leaders in achieving this.

“At the end of the day, there are business benefits to [doing] this, because this is what essentially allows us to fund the things that we need to deliver to the organization.”

#InfosecNA: The Benefits of Training Employees to Hack

Info Security - Thu, 11/21/2019 - 15:00

For most corporate denizens, security training is an unpleasant but necessary evil, but does it have to be? Not according to Kris Martel, CISO of Imagine IT, who uses a highly interactive approach to create an engaging, entertaining learning environment that makes security meaningful and interesting to the average employee.

Speaking at Infosecurity ISACA North America Expo and Conference in New York, Martel shared some of the things he uses in his trainings to help improve security awareness and compliance, and have employees eagerly awaiting their next session.

“Cyber awareness training must change audience perception by making it [security] relevant to the organization or the individuals you’re teaching,” said Martel. “The way to do that is to make it engaging, interactive and fun – and unpredictable,” he added. One of the ways he engages employees is to teach them real-world hacking skills, including how to craft effective phishing attacks, helping them learn who has their Facebook login and taking them on guided tours of the Dark Web. Whenever possible, Martel finds ways to reward participation with small but popular tokens such as preferred parking spots, movie tickets and, in some cases, internal cryptocurrency.

Martel has developed a fun and effective way to deal with experienced cyber-workers who don’t take the training seriously because they believe they are too smart to be hacked: he offers them a friendly challenge. After a co-worker accepts the challenge, he begins a surveillance phase which, depending on how good his opponent is, can last anywhere from a few days to a few months. In one case, with an especially cyber-savvy individual, his usual hunt within social media, inquiries with co-workers, and other tactics failed to produce anything. Even though they had effectively ghosted themselves, including paying a service to erase their profile from the internet, he did find evidence of their activity on Amazon, which enabled him to craft a phishing attack that eventually proved effective in gaining his ‘victim’s’ credentials. Although it took four months to execute, Martel felt it was worth it after the employee agreed to go to training and he got a good story out of it to share with his colleagues.

Here are a few of Martel’s key takeaways:

  • Interactive training keeps people engaged
  • If possible, teach the class to hack as part of the training to make what they are learning meaningful
  • Incentivize employees to report phishing with contests and recognition
  • Make monthly training fun. One way to do this is to fill part of the session with short presentations developed by your students

Applying these tactics helped Martel stimulate a 70% increase in reporting of phishing attacks, a 45% reduction in the success rate of phishing attacks, and a 94% positive rating on his course feedback surveys. “I knew things had changed when people started asking me when the next security training session was going to be held,” he concluded.

#Irisscon: Ransomware Shifts to use Affiliate Distributors, and Infect via RDP

Info Security - Thu, 11/21/2019 - 13:44

Speaking at Irisscon in Dublin, McAfee chief scientist Raj Samani said that ransomware has evolved from a one to one “relationship” between the author of the malware and the victim, to using more affiliates to distribute the malware.

Citing the WannaCry ransomware epidemic of 2017, Samani said that was further proof that “cybersecurity is about more than just computers” as people were turned away from hospitals, and the internet was switched off to protect networks in some cases. However, we now “live in a world where a nurse can open an email and this leads to a hospital turning away patients,” he said, and anyone can be a cyber-criminal if they have the means to pay.

This has led to ransomware developers outsourcing delivery of files to an affiliate, who can target many more victims. Between 2016 and its operators’ retirement in 2019, the Gandcrab ransomware allegedly made around $2 billion. He also said that the average ransomware payment in Q4 2018 was $24,000, while in Q1 2019 it was $36,000, and the price is going up because people are paying.

Samani said that developers and cyber-criminal gangs are actively recruiting affiliates globally, and each infection has a separate form to track the affiliate who infected each victim. “We have not seen this level of accounting and diligence,” he said, having looked at 280 samples.

Samani went on to talk about the Sodinokibi ransomware, also known as REvil, which he said has caused remote desktop protocol (RDP) to be “reborn as a vector” for infection: in Q1 2019, RDP was responsible for 63.5% of all ransomware attacks, compared to 30.4% via email and 6.1% via a software vulnerability.

He encouraged delegates to lock down this protocol, “as we believe this is how the successor of Gandcrab is getting in.” He admitted that this is hard to track, though, as a different Bitcoin wallet is allocated to each attack, but one wallet that McAfee was able to track showed that a single individual earned $287,000.

“It is no longer some group of individuals sitting in a basement, this is organized crime and they understand how to launder money and outsource attacking organizations,” he said.

Breaches Hit Over Two Million Gamers and Crypto Wallet Users

Info Security - Thu, 11/21/2019 - 11:10

Over two million users of a gaming company and a cryptocurrency specialist have become the latest "netizens" to have their personal data compromised by attackers.

The haul includes 1.4 million accounts from users of cryptocurrency wallet service GateHub, which were posted to a popular hacking forum, according to the breach notification site HaveIBeenPwned.

The firm had previously acknowledged a June breach, although a “final statement” on the incident it posted a month later claimed that hackers had only been able to gain access tokens for 18,473 encrypted customer accounts.

“After the suspicious API calls were detected, we immediately disabled all access tokens which successfully blocked the perpetrator from gaining access to more accounts,” it said at the time.

“Due to an increased number of cyber-attacks on crypto-exchanges in the recent months, we have decided to take additional steps to safeguard GateHub accounts. As a precaution, we are generating new encryption keys and re-encrypting all sensitive information such as XRP ledger wallets secret keys on all accounts upon next sign-in. Behind the scenes, we are taking other precautions as well.”

It would appear that the breach was much bigger than first thought. HaveIBeenPwned said that compromised data included email addresses, mnemonic phrases, wallet hashes and passwords stored as bcrypt hashes.

Data on 817,000 subscribers to RuneScape bot provider EpicBot was uploaded to the same hacking forums from a September breach at the firm. Compromised details included usernames, email and IP addresses and passwords stored as either salted MD5 or bcrypt hashes, according to HaveIBeenPwned.

Jason Kent, hacker-in-residence at Cequence Security, warned users of both sites of follow-on phishing attacks, especially in the run-up to the Black Friday sales weekend.

"A list of cryptocurrency exchange customers means that targeted phishing attacks aimed at account takeover should be expected,” he argued.

“This combined with standard password reset attempts and other account takeover techniques could result in these exchange members losing their cryptocurrency altogether. The richer the data, the more targeted the attack can become.”

#Irisscon: Ireland Faced 43,000 Incidents So Far in 2019

Info Security - Thu, 11/21/2019 - 10:40

Opening the 11th Irisscon conference in Dublin, Brian Honan, CEO of BH Consulting and head of the Irish Reporting and Information Security Service (IRISS), said that it is the same issues that continue to be a problem for businesses.

Focusing on statistics gathered by IRISS and from other Computer Emergency Readiness Teams (CERTs) around the world which identify compromised systems in Ireland, Honan said that 43,000 incidents were detected from January 1 to today, and the majority of the incidents were DDoS attacks against websites hosted in Ireland.

Honan also said that 5,800 phishing sites, 624 outbound hacking incidents, and 30 websites hosting malicious scripts were detected in Ireland.

“We also see this across the industry,” Honan said. “Don’t worry about APTs or zero-days, worry about hijacked cloud-based attacks. If you rely on your users to protect you with passwords, you run the risk of accounts being hijacked.”

This has led to an overall increase in business email compromise and CEO fraud. Honan said that one slide has been in every presentation for 11 years, listing the same root causes:

  • Poor passwords
  • Missing patches
  • Vulnerabilities – web platforms, out of date software 
  • Out of date anti-virus
  • Lack of monitoring.

Looking forward to the future, Honan said that things will remain the same, with poor passwords and hijacked accounts being a cause of attacks, as “attackers are lazy and will take the easy way and if it works, use it over and over again.”

Saying that security issues are no longer just the worry of “us geeks in the IT department,” but also for “businesses, society and democracy too,” Honan also predicted more ransomware, including extortion where an attacker charges a victim not to publish their data on the internet rather than for payment to get it back, and attacks on the supply chain, industrial control systems and the cloud.

He concluded by encouraging more information and threat sharing, saying that too many businesses and sectors do not share information, as a breach is seen “as a badge of shame, but it is a part of business” and how you deal with it and respond is how you will be judged.


Microsoft Denies BlueKeep Ransomware Rumors

Info Security - Thu, 11/21/2019 - 10:14

Microsoft has taken the unusual step of issuing a statement to deny what it claims to be misleading reports about a recent ransomware campaign.

Stories emerged earlier this month that a number of organizations in Spain had been infected with the DoppelPaymer ransomware, with some rumors claiming links to Microsoft’s Teams platform and the infamous BlueKeep vulnerability.

However, a statement penned yesterday by senior security program managers at the Microsoft Security Response Center (MSRC), Dan West and Mary Jensen, poured cold water on the rumors.

“There is misleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in which this malware spreads,” they noted.

“Our security research teams have investigated and found no evidence to support these claims. In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network.”

The duo claimed that one of the most common ways to spread ransomware continues to be social engineering, where employees are lured into clicking on a phishing email or opening a malicious attachment.

“Security administrators should view this threat as additional motivation to enforce good credential hygiene, least privilege, and network segmentation,” they concluded.

“These best practices can help prevent DoppelPaymer operators and other attackers from disabling security tools and using privileged credentials to destroy or steal data or hold it for ransom.”

The attacks in question happened in early November, affecting IT services company Everis and radio company Sociedad Española de Radiodifusión (Cadena SER), although others including Spanish airport operator Aena are said to have taken some services down as a precaution.

Global ransomware attacks soared by over 74% year-on-year in the first half of 2019, according to Bitdefender.

Although there have been reports of attackers trying to use the wormable BlueKeep vulnerability to disseminate crypto-mining malware, there have been no such confirmed efforts to spread ransomware thus far.


French Hospital Crippled by Ransomware

Info Security - Thu, 11/21/2019 - 09:45

Patient care at a large hospital in northern France has suffered considerably after a major ransomware attack at the weekend, according to local reports.

The University Hospital Center (CHU) of Rouen was hit by the malware last Friday and severely disrupted all weekend, with national investigators called in.

A communications director from the hospital, which has over 1300 beds and 8000 staff, told AFP that the incident had forced staff back to using pen and paper.

“This resulted in very long delays in care, even if there was no danger to the health of hospitalized patients,” he’s reported as adding.

The incident has echoes of the WannaCry attack of 2017 which severely affected the UK’s National Health Service (NHS). An investigation into the outages claimed it led to the cancellation of an estimated 19,000 operations and appointments, affecting around a third of trusts in England.

It is calculated to have cost the NHS £92 million in lost access to systems and emergency IT support.

“Sadly, the targeting of hospitals with ransomware is a growing trend; earlier this year seven hospitals in Australia were also impacted by ransomware,” argued Cesar Cerrudo, CTO at IOActive.

“They are becoming a major target as despite new technology adoption being high, there is often a lack of cybersecurity knowledge, even though health data can be a very lucrative area for cyber-criminals. This makes busy hospital staff the perfect targets.”

RSA Security CTO, Zulfikar Ramzan, argued that digital transformation is another big driver of ransomware.

“While this has brought with it many benefits, organizations have become reliant on these digital technologies; loss of data can be a critical issue, making ransoming that data a much more profitable business,” he said.

“Added to this, systems are much more hyper-connected now than they used to be and one of the evolutions in the ransomware we see today is that it can now spread across different systems, so the possibility of widespread damage is much higher. This wasn’t necessarily the case 15 years ago. Unfortunately, this means we are seeing a lot of hits against organizations where data is critical – such as hospitals – where there is often no option but to pay the ransom, or lives could be put at risk.”


#InfosecNA: The Impact of AI, IoT and Emerging Tech

Info Security - Wed, 11/20/2019 - 23:45

The Infosecurity ISACA North America Expo and Conference got off to a suitably heady start today with its opening keynote, given by the noted cybersecurity expert and visionary Theresa Payton. Payton provided a lively analysis of the current state of security, practical advice for coping with threats and predictions for the year ahead.

In between stories about exploring the Dark Web and tracking down cyber-criminals from her kitchen table, Payton shared observations about what she believed to be the top priorities for security professionals.

Firstly, every organization’s incident response playbook needs a new chapter to include IoT-related issues, she said. The technology’s relative immaturity and complex set of threat surfaces represent a new frontier. Payton noted that, at this point in time, every “thing” in the IoT represents a potential vulnerability – including smart lightbulbs. Her suggested priority actions for reducing IoT threats included network segmentation for effective containment of breaches and strategically placed kill switches to disable compromised applications.  

Payton also explained that AI/expert systems are now in common use, but there is no international code of ethics for designing applications to make sure they don’t reflect the designers’ conscious and unconscious biases. A related hazard lies in the fact that most AI engineers don't have a good grasp of the business they are writing the code for, or the clients who will be using it.

According to Payton, one of the simplest but most effective security measures a CISO can implement is to segment their organization’s identity: create a second identity, entirely separate from the public-facing domain name and other services, to support financial activities and other critical transactions. This should include a completely different set of email addresses reserved only for the people involved in the sensitive activities conducted under the alternate identity.

Payton concluded with several predictions for the 2020-2021 timeframe:

  • The human element remains a major vector for attacks but it will be taking a new turn with the increasingly common use of deep fake voice simulations
  • A surge in ransomware attacks – both in terms of frequency and in maliciousness. Payton predicted that there will be a shift from simple ransom to extortion and that most companies will experience attacks once every 11 seconds by the end of the year
  • In 2015, Payton predicted the election hacking of 2016, and now she feels that the misinformation tactics used so effectively then will also be used to destroy companies and institutions for financial gain
  • Blockchain technology will be cracked in the near future and AI-powered bots will evolve to become autonomous, and more dangerous

#InfosecNA: How IoT Gadgets Can Spy on Your Children

Info Security - Wed, 11/20/2019 - 20:40

At Infosecurity ISACA North America Expo and Conference in New York this week, Ken Munro, CEO of Pen Test Partners, took visitors on what he referred to as a “scary, creepy tour” of IoT-related security issues. Munro explained that a child's doll, marketed as ‘My Friend Cayla,’ is just one example of the growing number of IoT-enabled consumer and commercial products on the market, and of the lack of proper security in their designs that leaves many of them vulnerable to attack.

Cayla, for example, is a children’s doll endowed with speech recognition technology that enables it to hold a conversation with a child. The big selling point for parents, however, is Cayla's GPS receiver and wireless module, which allow them to track and listen in on their child. Although Cayla was supposed to be ‘kid-friendly’ and ‘cyber-safe,’ Munro’s long experience exploring the vulnerabilities of embedded systems made him suspect otherwise. It wasn't very long before he discovered what he described as “a huge attack surface” that allowed him and his team to bring out another, more sinister, side of Cayla.

Using a simple program that mimicked Cayla's phone app, the Pen Test Partners team were able to access the doll’s web-based portal and change their user status code from 1 to 0, giving them complete administrative access to the doll's features as well as the user information of all the other dolls’ owners. From there, they were able to modify the table that prevented Cayla from using 1500 words deemed to be “naughty” which, in Munro's words, “allowed her to swear like a sailor.” Had they chosen to do so, this access would also have allowed them to reach other owners’ dolls and listen to or even converse with their children.

Munro noted that the attack he used was only one of Cayla's numerous vulnerabilities, such as poorly-secured wireless links, easily hackable cellular modems, and non-encrypted SIM cards, virtually all of which could be found in a frightening number of “smart” consumer goods, such as thermostats and child tracking devices. There are similar issues with many commercial and industrial products – including web cameras, smart building controllers and other security appliances.

Research conducted by Pen Test Partners has shown that the majority of these problems arise from a handful of highly preventable sources which include:

  • Cut-and-paste use of vendor-provided software and hardware reference designs with little or no review for security issues
  • Extensive use of third-party web-based services without any evaluation of how secure they were, or of how vulnerable they were to compromise through other vectors
  • Extensive use of offshore vendors throughout the supply chain for engineering, materials, and assembly, without any assessment of their security or integrity

Since we will most likely live in an even more connected future, concluded Munro, manufacturers cannot afford to ignore the need to make their products more resistant to the potential cyber-muggings awaiting them in the IoT.


Midwest Gets First Cybercrime-Fighting Dog

Info Security - Wed, 11/20/2019 - 20:31

Police in Nebraska have recruited a highly trained dog to assist them in the fight against cybercrime.

Two-year-old black Labrador Quinn has joined the Bellevue Police Department as the Midwest's first-ever electronic storage device K-9 officer.

Unlike most sniffer dogs, who are taught to detect drugs, Officer Quinn has been specially trained to sniff out a particular chemical used in electronic devices like SIM cards, cell phones, and micro SD cards. 

"Her sole purpose is electronics detection," said Quinn's partner, cybercrimes detective Roy Howell. 

"We’ve had a couple of cases where I believe we as law enforcement officers may have missed something. A dog who can pick up an odor would be able to say 'hey, there’s something here. You need to look here.'"  

Following a two-week familiarization period in Indianapolis, Indiana, Howell has been working with the highly trained Quinn since November 3. The detective has great expectations regarding the contribution Quinn will make to local law enforcement. 

"After a night with her I thought 'this dog’s unbelievable,'" said Howell. "I want to get her to be that dog that can find something 18 inches under a wall or 18 inches underwater, or something behind a wall, or under the carpet. I’m hoping that she will make a big difference in the state."

When she isn't nosing out electronic storage devices crammed with incriminating evidence and all manner of illegal content, Officer Quinn may be called on to use her affectionate nature to offer emotional support. 

"She’s a very friendly dog. She gets along around other people very well," said Howell. "If we go inside a house and there are families and kids that are upset, we can take her to the kids and they can pet her, which will calm them down."

Quinn is the thirtieth electronic storage device K-9 officer to find employment in the United States. A position was found for her on the Bellevue force as the result of an anonymous donation, which was made through the Bellevue Public Safety Foundation. 

Another electronic storage device K-9 officer named Bear, who was trained at the same facility that put Quinn through her paces, was used in the investigation into ex-Subway spokesman, Jared Fogle.

Bear, who is also a Labrador, found a thumb drive that authorities were unable to locate during an FBI raid at Fogle's Indiana home in 2015. The drive subsequently played a key role in Fogle's arrest.


100K People Targeted by Spoof IRS Websites

Info Security - Wed, 11/20/2019 - 19:27

Over 100,000 people were targeted by a large-scale summer threat campaign using fake IRS websites. 

The extensive phishing campaign was discovered by researchers at cloud security solutions provider Akamai.

Akamai's research team recorded threat actors using hundreds of different domains and URLs to impersonate the Internal Revenue Service of the United States over a two-month period beginning in mid-August 2019. 

Users were all directed to the same fake IRS login page, where they were asked to enter sensitive information, including their email address and password. 

In total, the campaign used at least 289 different domains and 832 URLs to target people all over the world. Most remained active for fewer than 20 days.

Most of the activity took place in the second half of August; however, researchers observed new websites being activated periodically over the course of a 47-day period.  

Threat actors appear to have targeted legacy websites, perhaps in an effort to delay detection.

Or Katz, principal lead security researcher at Akamai, told Infosecurity Magazine: "According to our analysis, we suspect that many of the websites that hosted the IRS phishing page are compromised (meaning that they are legit websites that have been taken over or hijacked by criminals). 

"In many cases these are legacy websites with minimal/no maintenance involved. This is what makes them vulnerable in the first place. Moreover, once compromised, it might also take more time to execute remediation of the vulnerability and cleaning of the website content." 

Katz suspects that opting for an August launch date was a calculated decision by the threat actors.

He said: "According to past phishing research I was doing, August is a good time to get more engagement from victims. It might be related to being on vacations and having more time to read personal emails, browse, and use social networks. But scams like this can show up at any time of the year because it is a topic that gets attention and, in some cases, causes fear, leading the victim to take an action such as providing sensitive information, downloading a file, or clicking a malicious link."

Asked why he thought attackers had chosen to impersonate America's Internal Revenue Service, Katz replied: "I haven’t seen many IRS attacks in the past year, and it might be associated with that, as it wouldn't be in victims' attention to be aware of campaigns associated with IRS. 

"The second reason is related to the IRS being trustworthy and an official brand; that can create more engagement from victims."


Vishing Attacks to Become Commonplace in 2020

Info Security - Wed, 11/20/2019 - 18:29

Cybersecurity experts predict that voicemail phishing attacks, otherwise known as vishing, could become a daily occurrence in 2020. 

Threat research conducted by Mimecast found that malicious voicemail messages were not just on the rise, but were "evolving and more nuanced than ever before." 

In the "Quarterly Threat Intelligence Report: Risk and Resilience Insights" report released by Mimecast today, researchers warned that in 2020, "voicemail will feature more prominently." 

Researchers wrote: "The potential for the addition of complexity and malicious payloads, as well as simple phishing, cannot be overlooked. In addition, because the processes and technology to automate voicemail attacks are already ubiquitous, these forms of voicemail phishing will become commonplace in 2020."

Asked with what regularity vishing attacks might strike next year, Carl Wearn, head of E-Crime at Mimecast, told Infosecurity Magazine: "Potentially daily; this is already being seen in our data."

Wearn predicted a rise in the number of private individuals who will fall victim to vishing in the year ahead. 

"It’s potentially a simple vector, and in its most prevalent and simplistic form, these attacks will be phishing emails that claim a missed message and merely attempt to entice you to click on a link to cause infection or compromise," said Wearn.

According to Wearn, the growth in vishing could result in some significant financial losses.

Wearn said: "The impact will increase as more people are fooled by it. Losses will depend on the sophistication deployed. In the main, attacks will be low-sophistication URL link lures, but it is highly likely that specific targeted attacks employing ML (machine learning) will cause some high-value losses."

Vishing is believed to have already reached a high level of complexity following reports earlier this year of a manager at a UK energy company being duped out of £200,000 by cyber-criminals who used artificial intelligence to make a spoof voicemail that sounded like it had been left by the manager's boss. 

Predicting how vishing scams are likely to evolve, Wearn said: "The majority of attacks will be low effort and similar to phishing, but, increasingly, ML and artificial intelligence (AI) will be utilized as these technologies mature, and they will be very difficult to detect without similar ML/AI defense mechanisms."

When asked what makes vishing seem so inherently sinister, Wearn painted a chilling picture of the form these attacks may soon take. 

"I think the real sinister aspect pertains to the potential for AI/ML to aggregate speech into wholly electronically constructed fake conversations. The idea that a soulless machine can fool you into thinking you are talking to a real person is inherently disconcerting to anyone and no doubt embarrassing if you fall victim to it."


#InfosecNA: How to Know If You’ve Been Compromised

Info Security - Wed, 11/20/2019 - 17:25

Speaking at Infosecurity ISACA North America Expo and Conference in New York, Marc Keating, senior sales engineer at Arctic Wolf Networks, outlined steps organizations can take to gauge whether or not they have suffered a data compromise.

Keating said that cyber-threats are evolving quickly: “What we are up against today in this world are people who go to work to break into your company,” he said. “They are being funded by nation states. The most important thing to understand is that cyber-attackers are very organized.”

Therefore, it has never been more important for companies to be able to quickly and accurately detect breaches if they occur.

The first step in successful prevention and detection is understanding the attack vectors cyber-criminals use, Keating added. He cited an ‘attack chain’ of reconnaissance, weaponization, delivery, exploit and install, command and control, and action.

It’s then important to design your defense strategies around a framework. “Start with a framework that will help you understand where you need to go and where your holes are.”

It’s also vital to monitor and scan for threats everywhere in the environment, all the time. “If you monitor everything, you also want to monitor 24/7, 365 days per year.”

What’s more, logging threat information is not enough, Keating explained – the data must be taken and proactively used.

“If you’re going to go that far [monitor and scan the environment], please take action on what you find,” Keating concluded.


Researchers Publish PoC for Docker Escape Bug

Info Security - Wed, 11/20/2019 - 12:00

Security researchers are urging Docker customers to upgrade to the latest version after detailing a proof-of-concept (PoC) attack exploiting a critical vulnerability, which could lead to full container escape.

The CVE-2019-14271 flaw was fixed in Docker version 19.03.1, but if left unpatched could give an attacker full root code execution on the host.

“The vulnerability can be exploited, provided that a container has been compromised by a previous attack (e.g. through any other vulnerability, leaked secrets, etc.), or when a user runs a malicious container image from an untrusted source (registry or other),” explained Palo Alto Networks senior security researcher, Yuval Avrahami.

“If the user then executes the vulnerable cp command to copy files out of the compromised container, the attacker can escape and take full root control of the host and all other containers in it.”

It has been described as one of the most serious of several vulnerabilities related to the copy (cp) command detected in various container platforms such as Docker, Podman and Kubernetes over the past few years.

It’s also the first container breakout flaw since the runC vulnerability was discovered back in February.

Avrahami urged Docker developers to reduce their attack surface by never running untrusted images, and recommended running containers as a non-root user wherever root is not strictly necessary.

“This further increases their security and prevents attackers from exploiting many of the flaws that may be found in container engines or the kernel,” he added.

“In the case of CVE-2019-14271, if your container is run with a non-root user, you are protected. Even if an attacker compromised your container, he cannot overwrite the container’s libnss libraries as they are owned by root, and therefore cannot exploit the vulnerability.”

Although the vulnerability was disclosed and then patched by Docker in July, Avrahami warned that it received little public attention, “perhaps due to an ambiguous CVE description and a lack of a published exploit.”

The hope is that this first PoC will focus the minds of Docker customers, if they haven’t patched already.
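The two mitigations the article relays, upgrading to 19.03.1 or later and running containers as a non-root user, can both be checked before an operator reaches for `docker cp`. The script below is an added example, not code from the article, Docker or Palo Alto Networks; it takes the version string and the Dockerfile text as arguments so it runs without a daemon, and the sample Dockerfile and its image names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the article, Docker or Palo Alto Networks: two offline
# pre-flight checks that mirror the advice given for CVE-2019-14271.
#   1. Is the Docker version at least 19.03.1, the release the article names as the fix?
#   2. Does an image's Dockerfile leave its processes running as a non-root user, the
#      mitigation Avrahami describes (root-owned libnss libraries cannot be overwritten)?
# Version strings and Dockerfile text are passed in as arguments, so no daemon is needed.

# version_ge A B -> exit 0 if dotted version A >= B, comparing numerically segment by
# segment. A leading "v" and any suffix such as "-ce" or "+azure" are ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}              # current segment (empty => 0)
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                                # every segment equal
}

# dockerfile_runs_as_nonroot TEXT -> exit 0 if the final build stage's last USER
# directive is neither root nor uid 0. Each FROM starts a new stage and resets USER,
# so a USER line in an earlier stage does not count.
dockerfile_runs_as_nonroot() {
    user=$(printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" { u = "" }
        toupper($1) == "USER" { u = $2 }
        END { print u }')
    case "$user" in
        ""|root|0|root:*|0:*) return 1 ;;   # unset, root or uid 0 (with or without a group)
        *) return 0 ;;
    esac
}

# docker_cp_precheck VERSION DOCKERFILE_TEXT -> prints one verdict per check and
# returns 0 only if both mitigations hold.
docker_cp_precheck() {
    rc=0
    if version_ge "$1" "19.03.1"; then
        echo "docker $1: CVE-2019-14271 fix present (>= 19.03.1)"
    else
        echo "docker $1: below 19.03.1, upgrade before using 'docker cp' on untrusted containers"
        rc=1
    fi
    if dockerfile_runs_as_nonroot "$2"; then
        echo "image runs as non-root: libnss libraries stay root-owned inside the container"
    else
        echo "image runs as root: add a non-root USER so container processes cannot replace system libraries"
        rc=1
    fi
    return $rc
}

# Constructed sample Dockerfile (not from the article): the build stage runs as root,
# the final stage drops to an unprivileged user. Image names are placeholders.
SAMPLE_DOCKERFILE='FROM build-base-image AS build
USER root
RUN make -C /src all
FROM runtime-base-image
COPY --from=build /src/app /usr/local/bin/app
RUN useradd --system app
USER app
ENTRYPOINT ["/usr/local/bin/app"]'

# Stand-alone run; with a real daemon the version would come from:
#   docker version --format '{{.Server.Version}}'
docker_cp_precheck "19.03.0" "$SAMPLE_DOCKERFILE" || echo "remediation needed"
```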

