Cyber Risk News

Snapchat: Claims of Employees Spying "Inaccurate"

Info Security - Fri, 05/24/2019 - 17:51

In response to news that multiple Snapchat employees abused their privileged access to spy on users, reported by Motherboard, the social media platform said the allegations are false.

“Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses,” Motherboard wrote on May 23.

Whether accurate or not, "the incident highlights the risks posed by insider threats. Most of the employees are busy doing their day-to-day jobs but a handful have malicious intent thus causing harm to the organizations they work for,” said Mayank Choudhary, senior vice president at ObserveIT.

“As in the case of Snapchat where a few users with elevated access were able to take their own and consumers’ data easily. Existing security controls did not pick this up, given most of the technology is focused on protecting the company from external threats. It’s high time that organizations focus on insider threats with platforms that help customers know the whole story, protect IP quickly, easily and reliably.”

However, the Motherboard report states that how any access might have been abused or which system was used remains unknown. Pointing out that the spying happened 'several years ago,' the story does note that one tool, SnapLion, is capable of accessing user data, according to multiple anonymous sources.

“Any perception that employees might be spying on our community is highly troubling and wholly inaccurate,” a Snapchat spokesperson wrote in an email to Infosecurity.

“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have, including data within tools designed to support law enforcement. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination.”

Moody's Downgrading of Equifax Is a Message to Boards

Info Security - Fri, 05/24/2019 - 17:20

While affirming Equifax’s senior unsecured rating at Baa1 and short-term rating at Prime-2, Moody’s Investor Services downgraded the company’s outlook from stable to negative due to the 2017 cyber-attack.

“The outlook revision to negative reflects weaker operating performance and credit metrics than originally expected following the cybersecurity breach in 2017,” the May 17 rating action notice stated.

"Free cash flow may remain around only $150 million per year for a few years, or less than half of annual free cash flow prior to the breach," said Edmond DeForest, Moody's vice president and senior credit officer. "Diminished free cash flow limits Equifax's ability to reduce its financial leverage," he continued.

Infosecurity Magazine reached out to Equifax for comment in reaction to the news that was reported May 23 by CNBC. An Equifax spokesperson wrote in an email, “Moody’s affirmed our Baa1 senior unsecured rating and the short-term rating at Prime-2. Any questions about the outlook change should be directed to Moody’s. EFX remains solidly investment grade and the revision in Moody’s outlook will not impact our internal investments, including new products, our $1.25bn EFX2020 technology and security advancements, or future acquisitions.”

According to CNBC, a Moody’s spokesperson said the downgrade is significant because “it is the first time that cyber has been a named factor in an outlook change.”

The news isn’t all that surprising to industry experts who have long been saying that cybersecurity is a boardroom issue. “Everyone is in business with a single goal, which is to make money. This includes the bad guys, except that they want to make their money by preventing someone else from doing the same,” said Laurence Pitt, strategic security director, Juniper Networks.

Because cyber-risk is integral to business risk, boards will likely see this downgrade as a clear message in a language they can understand, said Steve Durbin, managing director of the Information Security Forum.

“For quite some time, I have been encouraging both the insurance industry and credit rating agencies to take cyber risk into account when setting policy pricing and assessing company value. Moving forward, this should become the norm since cyber-risk is so integral to business risk that an assessment of business health without taking cyber risk and a company’s resilience into account will become meaningless. For the cybersecurity industry, this supports what many have been advocating for some time – that cyber is a business issue and must be taken seriously by boards.”

APT Increasingly Targets Canadian Orgs

Info Security - Fri, 05/24/2019 - 17:02

Canadian organizations are being warned that they are increasingly becoming the targets of cyber-threats, with researchers discovering nearly 100 malicious email campaigns that have been specifically targeting Canadian audiences, according to new research from Proofpoint.

The emails were customized for either Canadian organizations or a more general Canadian audience, a May 23 blog post said. One feature included in these malicious emails is the use of fraudulent branding from notable Canadian companies, researchers said. Malicious actors are also leveraging “French-language lures and geo-targeted imposter attacks for ensnaring corporate credentials and banking info.”

Historically, Canada has been included in threats targeting the entire North American region, though most of these threats are typically focused on the US. Based on prior activity, researchers believe these campaigns are the work of the advanced persistent threat (APT) group TA542.

“Much of this is due to Emotet. TA542, the primary actor behind Emotet, is known for the development of lures and malicious mail specific to given regions. However, we also saw customization ranging from French-language lures to brand abuse from a number of actors geo-targeting Canada,” according to the blog post.

Threat actors are also leveraging Ursnif, an information-stealing Trojan used largely to compromise online banking websites. In addition to Emotet and Ursnif, researchers are tracking activity involving other malware strains known as IcedID, The Trick, GandCrab, Danabot, Formbook and Dridex.

When it first appeared back in 2014, Emotet was mostly seen targeting Western European banks. In these more recent campaigns, “Proofpoint researchers observed stolen branding from several notable Canadian companies and agencies including major shipping and logistics organizations, national banks, and large government agencies. Top affected industries in Canada include financial services, energy/utilities, manufacturing, healthcare, and technology.”

Researchers warned that while these ubiquitous phishing attacks and business email compromises (BECs) may be targeting Canada in this particular campaign, “other forms of imposter attacks remain ongoing threats, both internationally and in Canada.”

GDPR: Security Pros Believe Non-Compliance is Rife

Info Security - Fri, 05/24/2019 - 10:55

Most IT security professionals believe GDPR non-compliance is commonplace, as the landmark data protection legislation turns one tomorrow, according to Infosecurity Europe.

Over 6400 industry practitioners responded to a Twitter poll run by the leading cybersecurity event, which runs from June 4-6.

Some 68% said they thought many organizations have likely not taken the GDPR seriously enough, while nearly half (47%) claimed regulators are being too relaxed when it comes to enforcement.

Recent research indicates that regulator the Information Commissioner’s Office (ICO) has investigated 11,468 data breach cases between May 2018 and March this year, but just 0.25% have led to monetary fines.

On the plus side, only a little over a third (38%) of Infosecurity Europe respondents said GDPR compliance efforts had hindered other cybersecurity plans.

Mark Taylor, partner at Osborne Clarke, claimed that organizations are now turning their attention to the “practicalities of compliance,” but that complications are starting to emerge for multi-nationals.

“First, within a large group, it can be hard to accurately determine the various roles — i.e. data controller and data processor — which the group members have under GDPR. This is important because it determines the relative responsibilities of the group members, and which regulator has jurisdiction over them,” he explained.

“Second, the local laws supplementing GDPR across Europe have adopted variations of GDPR to a greater extent than we might have ideally hoped for. So while GDPR has made international compliance easier, it hasn’t unfortunately made it a one-size-fits-all approach everywhere.”

Taylor also argued that regulators in different jurisdictions are taking a different approach to enforcement.

“Looking forward, I think that enforcement activity will step up, with companies that are undertaking higher-risk processing likely to be most at risk,” he added.

IoT Attacks Cost UK Firms Over £1bn

Info Security - Fri, 05/24/2019 - 09:07

Cyber-attacks on IoT devices could cost the UK economy over £1 billion each year, according to new research from Irdeto.

The Dutch security vendor polled IT security decision makers at UK organizations in the transport, manufacturing and health sectors, finding that attacks on connected kit caused losses of £244,000 on average.

Along with the headline costs, over half of respondents claimed to have suffered downtime in the past year as a direct result of IoT attacks. Two-fifths (41%) said customer data had been compromised in these raids.

This could present a major compliance challenge if GDPR regulators judge the victim organizations haven’t taken suitable steps to protect customer data. It could also lead to attrition: a third (33%) of respondents said they’d lost customers and 29% claimed their brand's reputation had taken a hit.

Attacks on IoT devices can also have an impact on the physical world, given the increasingly vital role they play in a range of sectors: from drug infusion pumps to connected cars.

Worryingly, 28% of organizations told Irdeto they suffered compromised end-user safety as a result of attacks in the cyber domain.

Irdeto VP of strategic partnerships, Steeve Huin, argued that unsecured IoT endpoints are like low-hanging fruit for cyber-criminals.

“It’s clear that, if not addressed, a lack of IoT security could pose a serious financial threat to the wider UK economy. With so many devices entering the market, and being deployed in critical businesses, the need for improved security measures is without question,” he added.

“Connected device manufacturers must move away from the traditional mindset of ‘build, ship and forget’ and ensure that devices are secure from the very point of design, incorporating multiple layers of security as well as offering regular health checks and software updates. If unsure, consumers should also ask their manufacturers about device security and appropriate measures to keep their information secure.”

This should be easier to do in the future, once the government has introduced a new law designed to improve IoT security.

Announced at the start of May, the proposals aim to improve baseline security standards among manufacturers, and require retailers to add a label to each product explaining whether it has met the standards or not.

Assange Hit with New 18-Count Indictment

Info Security - Fri, 05/24/2019 - 08:49

The US authorities have slapped Julian Assange with a new 18-count indictment on charges relating to illegally obtaining, retaining and disclosing classified information via WikiLeaks.

The indictment supersedes an earlier charge of hacking the Pentagon, and has drawn criticism from advocates of press freedom.

It could also make the UK Home Secretary’s decision to extradite the Wikileaks co-founder more difficult, given that the revelations published by the whistle-blowing site were ostensibly done so in the public interest — something that Assange’s lawyers argue should be covered by the First Amendment anyway.

The charges relate to hundreds of thousands of secret diplomatic cables and other documents related to US wars in Afghanistan and Iraq.

They allege that the 47-year-old conspired with whistleblower Chelsea Manning, a former army intelligence analyst, to obtain and then publish the documents, harming national security.

Crucially, the published trove contained unredacted names of US informants in Iraq and Afghanistan, and US State Department ‘diplomats’ globally, potentially putting them at risk, the DoJ claimed.

It listed 90,000 Afghanistan war-related “significant activity” reports, 400,000 Iraq war-related reports, 800 Guantanamo Bay detainee assessment briefs, and 250,000 US Department of State cables.

The indictment also contains the original charge, that Assange agreed to crack a password hash stored on US Department of Defense computers connected to the Secret Internet Protocol Network (SIPRNet).

If found guilty, Assange faces 10 years behind bars for each count, amounting to a total of 175 years.

Last month, Assange was arrested at the Ecuadorian embassy in London after the Metropolitan Police were invited in following the Ecuadorian government’s termination of asylum. He had been holed up there since 2012 after breaching the terms of his bail.

LinkedIn Admits a Delay in Renewing TLS Cert

Info Security - Thu, 05/23/2019 - 16:43

LinkedIn users noticed on Tuesday that attempts to access the site from their desktop or laptop computer were met with an alert warning that the connection was not secure – the result of LinkedIn’s failure to renew the TLS certificate for its lnkd.in URL shortener, according to Computer Business Review (CBR).

It turned out that the company had what it is calling a brief delay in renewing the TLS certificate. The company quickly took action after being notified. “We had a brief delay in our SSL certificate update yesterday, which was quickly fixed, and member data was not affected,” a LinkedIn spokesperson wrote in an email. The new certificate is valid until May 2021.

Forcepoint security analyst Carl Leonard tweeted:

If you are wondering why your browser is throwing a Certificate Error when navigating around @LinkedIn posts their cert expired a few hours ago on the URL shortener lnkd[.]in. Qualys' SSL check report for that domain: https://www.ssllabs.com/ssltest/analyze.html?d=lnkd.in …

Leonard and others noted that this is the second time that LinkedIn has allowed a certificate to expire. “Large organizations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk,” Leonard reportedly told CBR.

"Certificates control communication and authentication between machines, so it's critically important not to let them expire unexpectedly. Unfortunately, most organizations don’t even have a clear understanding of how many certificates are in use or which devices are using them; so they definitely don't have a clear idea of when they will expire,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“This lack of comprehensive visibility and intelligence routinely leads to certificate-related outages; this is not a unique occurrence. Ultimately, companies must get control of all of their certificates; otherwise, it’s only a matter of time until one expires unexpectedly and causes a debilitating outage."
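The outage and Bocek's point about not knowing when certificates expire come down to inventory and lead time. The following is an added example, not code from the article or from LinkedIn, Venafi or Forcepoint: it takes a list of certificates in the shape Python's `ssl.SSLSocket.getpeercert()` returns (the inventory, hostnames and dates below are constructed for the example), computes days to expiry with the standard library's `ssl.cert_time_to_seconds`, and ranks them by urgency. The `fetch_peer_cert` helper shows how a live entry would be collected; it is not called in the offline run, and the thresholds `CRITICAL_DAYS`/`WARNING_DAYS` are assumptions to tune to your renewal process.

```python
"""Inventory-driven TLS certificate expiry check using getpeercert()-shaped data."""
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds in days (assumed values; tune to your CA/automation lead time).
CRITICAL_DAYS = 7
WARNING_DAYS = 30


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Retrieve the leaf certificate of a live endpoint (needs network access).

    Caveat: the default context verifies the chain, so an already-expired
    certificate raises ssl.SSLCertVerificationError instead of being returned.
    That is exactly why expiry has to be tracked before the date passes.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: datetime) -> float:
    """notAfter looks like 'May 24 00:00:00 2021 GMT'; ssl parses that format."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires_at - now).total_seconds() / 86400


def classify(days: float) -> str:
    """Bucket a certificate by how soon it expires."""
    if days < 0:
        return "expired"
    if days < CRITICAL_DAYS:
        return "critical"
    if days < WARNING_DAYS:
        return "warning"
    return "ok"


def cert_names(cert: dict) -> list:
    """Collect DNS names from subjectAltName, which is what clients actually match."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_inventory(inventory: list, now: datetime) -> list:
    """Return one row per certificate, most urgent first."""
    rows = []
    for cert in inventory:
        days = days_until_expiry(cert, now)
        rows.append({
            "names": cert_names(cert),
            "not_after": cert["notAfter"],
            "days_remaining": days,
            "status": classify(days),
        })
    rows.sort(key=lambda r: r["days_remaining"])
    return rows


# Constructed sample inventory in the shape getpeercert() returns; the
# hostnames and dates are invented for this example, not taken from the article.
SAMPLE_INVENTORY = [
    {"subjectAltName": (("DNS", "shortener.example.test"),),
     "notAfter": "May 21 00:00:00 2019 GMT"},
    {"subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
     "notAfter": "May 24 00:00:00 2021 GMT"},
    {"subjectAltName": (("DNS", "api.example.test"),),
     "notAfter": "Jun 10 00:00:00 2019 GMT"},
    {"subjectAltName": (("DNS", "mail.example.test"),),
     "notAfter": "May 26 00:00:00 2019 GMT"},
]

# Fixed reference time so the offline run is reproducible.
SAMPLE_NOW = datetime(2019, 5, 21, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in check_inventory(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{row['status']:8} {row['days_remaining']:8.1f}d  "
              f"{', '.join(row['names'])}  (notAfter {row['not_after']})")
```

In a real deployment the inventory would be populated from every listener you own (load balancers, shorteners and redirect domains included, since those are the ones that tend to be forgotten) and the check scheduled daily, with `critical` rows paged rather than emailed.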

Mobile Banking Malware Rose 58% in Q1

Info Security - Thu, 05/23/2019 - 16:36

The first quarter of 2019 saw a significant spike in mobile banking malware that steals both credentials and funds from users’ bank accounts, according to researchers at Kaspersky Lab.

“In Q1 2019, Kaspersky Lab detected a 58% increase in modifications of banking Trojan families, used in attacks on 312,235 unique users. Banking Trojans grew not only in the number of different samples detected, but their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%,” today’s press release stated.

Researchers reportedly uncovered 29,841 different modifications of banking Trojans during the first three months of the year, up from 18,501 in Q4 2018. “As is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using cloud technologies,” researchers wrote.

“Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company’s cloud already contains information about the object. This is basically how the latest malicious programs are detected.”

The report also noted that a new version of Asacub malware, which was first noted in 2015, accounted for more than half of all banking Trojans that attacked users. Over the past two years, attackers have modified its distribution scheme, which resulted in a spike of the malware in 2018, when it was reportedly used to attack 13,000 users a day. Though distribution has since declined, the malware remains a significant threat, with researchers observing Asacub used to target 8,200 users a day on average.

“The rapid rise of mobile financial malware is a troubling sign, especially since we see how criminals are perfecting their distribution mechanisms,” said Victor Chebyshev, security researcher at Kaspersky Lab. “For example, a recent tendency is to hide the banking Trojan in a dropper – the shell that is supposed to fly to the device under the security radar, releasing the malicious part only upon arrival.”

Fake Trezor App in Google Play Scams Users

Info Security - Thu, 05/23/2019 - 16:31

Malicious actors have been using a new set of fake cryptocurrency apps on Google Play that are reportedly able to phish and scam users out of cryptocurrency, according to ESET researchers.

Researchers observed one app impersonating Trezor, a hardware cryptocurrency wallet. The app, called Coin Wallet – Bitcoin, Ripple, Ethereum, Tether, actually connects to a fake wallet, reportedly created on May 1, that scams unsuspecting users out of money. It appears as the second-most popular search on Google Play, according to researchers.

Bitcoin has seen growth this month, with prices inching back up to the $8,000 range. Cyber-criminals were quick to exploit this price boost and got to work targeting users with scams and malicious apps.

“We haven’t previously seen malware misusing Trezor’s branding and were curious about the capabilities of such a fake app. After all, Trezor offers hardware wallets that require physical manipulation and authentication via PIN, or knowledge of the so-called recovery seed, to access the stored cryptocurrency,” explained ESET researcher Lukáš Štefanko in a press release.

After analyzing the fake app, researchers noted that the fake Trezor app can’t cause harm to Trezor users because of Trezor’s multiple security layers; however, “it is connected to a fake cryptocurrency wallet app 'Coin Wallet,' which is capable of scamming unsuspecting users out of money. Both these apps were created based on an app template sold online,” Štefanko added.

“The app claims it lets its users create wallets for various cryptocurrencies. However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we’ve named 'wallet address scams' in our previous research into cryptocurrency-targeting malware,” said Štefanko.

ESET reported the fake Trezor app to both Google’s security teams and Trezor, which confirmed that the fake app did not pose a direct threat to their users. “However, they did express concern that the email addresses collected via fake apps such as this one could later be misused in phishing campaigns. At the time of writing, neither the fake Trezor app nor the Coin Wallet app are available on Google Play,” today’s press release stated.

UK Political Parties Fail on Email Security Ahead of Elections

Info Security - Thu, 05/23/2019 - 09:40

The UK’s political parties are largely failing to protect their members from phishing attacks ahead of the European elections, a security vendor has claimed after revealing poor take-up of the DMARC protocol.

Domain-based Message Authentication, Reporting and Conformance, to give it its full title, is widely regarded as a best practice solution to help mitigate the threat of email impersonation.

Although not a silver bullet for email security, it helps to guarantee the legitimacy of the sender, which is why the UK government mandated its use for departments back in 2016, with the US following two years later.

However, according to analysis from Red Sift of all 22 main UK political parties participating in the European Parliament elections, only five had DMARC implemented.

These were the Lib Dems, Labour, the SNP, and two lesser known organizations: the Socialist Party and the Animal Welfare Party. That means the Conservatives, UKIP, the Brexit Party and others are potentially putting their members at risk of phishing and other email scams.

However, even those that implemented DMARC are not quite there yet: Red Sift detected only “p=none” policies, which is the weakest policy the protocol allows. It amounts to little more than monitor mode, meaning recipients may still get phishing emails in their inbox — dubious messages are neither sent to the user’s spam folder nor rejected outright.
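The distinction the article draws between having a DMARC record and actually enforcing one is mechanical and easy to check. The following is an added example, not Red Sift's tooling or anything from the article: it parses DMARC TXT records, distinguishes `p=none` (monitor only) from policies that are weakened by `pct=` sampling or a `sp=none` subdomain policy, and summarizes a set of domains the way the survey does. The domain names and records are constructed for the example; in practice each record would come from a DNS TXT lookup of `_dmarc.<domain>`, which the code deliberately does not perform so that it runs offline.

```python
"""Classify DMARC records by how much enforcement they actually provide (offline)."""
from dataclasses import dataclass
from typing import Optional

# Enforcement order, weakest first (the p= / sp= values defined in RFC 7489).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]            # p= value, None when the record is missing/invalid
    subdomain_policy: Optional[str]  # sp= value, defaults to p= when absent
    pct: int                         # share of failing mail the policy is applied to
    has_aggregate_reports: bool      # rua= present: the owner at least gets visibility
    verdict: str                     # missing | invalid | monitor-only | partial | enforcing


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Map one _dmarc TXT record (None if the domain publishes none) to a verdict."""
    if record is None:
        return DmarcAssessment(domain, None, None, 0, False, "missing")
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    # A usable record must carry v=DMARC1 and a recognised p= tag.
    if tags.get("v") != "DMARC1" or policy not in POLICY_RANK:
        return DmarcAssessment(domain, None, None, 0, False, "invalid")
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    has_rua = bool(tags.get("rua"))

    if policy == "none":
        verdict = "monitor-only"   # receivers are asked to deliver failing mail as normal
    elif pct < 100 or POLICY_RANK.get(sub_policy, 0) == 0:
        verdict = "partial"        # enforced only on a sample, or not on subdomains
    else:
        verdict = "enforcing"
    return DmarcAssessment(domain, policy, sub_policy, pct, has_rua, verdict)


def summarize(records: dict) -> dict:
    """Count domains per verdict, e.g. {'monitor-only': 5, 'missing': 17}."""
    counts = {}
    for domain, record in records.items():
        verdict = assess_dmarc(domain, record).verdict
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed records for invented domains (not the parties named in the article).
SAMPLE_RECORDS = {
    "party-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@party-a.example",
    "party-b.example": "v=DMARC1; p=reject; rua=mailto:dmarc@party-b.example",
    "party-c.example": "v=DMARC1; p=quarantine; pct=25",
    "party-d.example": "v=DMARC1; p=reject; sp=none",
    "party-e.example": "v=spf1 -all",   # an SPF record published where DMARC belongs
    "party-f.example": None,            # no _dmarc record at all
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(domain, record)
        print(f"{domain:18} {a.verdict:13} p={a.policy} sp={a.subdomain_policy} "
              f"pct={a.pct} reports={a.has_aggregate_reports}")
    print(summarize(SAMPLE_RECORDS))
```

The usual path to "enforcing" is the reverse of this classifier: publish `p=none` with `rua=` first, use the aggregate reports to find legitimate senders that fail alignment, then move to `quarantine` and `reject`, raising `pct` as confidence grows. A record that stays at `p=none` indefinitely is what the survey above is counting.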

Randal Pinto, co-founder and COO at Red Sift, described the results of the firm’s analysis as “deplorable.”

“Let’s lay our cards out on the table, the World Economic Forum calls out phishing as one of the most successful methods by which to carry out a cyber-attack, so at a time when election fraud and fake news abound, surely politicians should be taking voter safety into consideration,” he added.

“To have all of the official UK political parties neglect this fundamental defense system is a worrying indicator of their willingness to protect their voters.”

The news follows another security audit of major political parties released this week by SecurityScorecard, which found Sweden’s parties topping the list, with the Liberal Democrats doing best in the UK.

TalkTalk Overlooked Nearly 5000 Customers in Breach Notification

Info Security - Thu, 05/23/2019 - 09:30

A mishandled 2015 data breach continues to hound TalkTalk after it emerged that the UK telco failed to notify nearly 5000 customers that had been affected.

After being contacted by viewers who suspected their details had been stolen via the telco, consumer rights program Watchdog Live investigated.

It subsequently found their full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details available via a simple Google search.

“A recent investigation has shown that 4545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologize — 99.9% of customers received the correct notification in 2015,” the firm told the BBC in a statement.

“On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”

The latter may be technically true, but it gaslights the issue somewhat, as fraudsters are more than capable of using such details to impersonate their victims in order to elicit more information which could be monetized.

Affected customers told the show they have been the victim of frequent scam calls, while some have suffered attempted identity fraud which has impacted their credit rating.

The original incident involved the compromise of 157,000 customers, including bank account numbers and sort codes for over 15,000 of them.

It led to a £400,000 fine from regulator the ICO after it was found that attackers had exploited a simple SQL injection flaw in web pages that TalkTalk didn’t even know existed.

The firm was also widely criticized for its incident response, sending out confusing messages via a CEO not in possession of all the facts.

TalkTalk’s profits halved following the incident, with the firm paying £42m to cover incident response, external consulting and increasing call volumes as a result of a breach.

TalkTalk Overlooked Nearly 5000 Customers in Breach Notification

Info Security - Thu, 05/23/2019 - 09:30

A mishandled 2015 data breach continues to hound TalkTalk after it emerged that the UK telco failed to notify nearly 5000 customers that had been affected.

After being contacted by viewers who suspected their details had been stolen via the telco, consumer rights program Watchdog Live investigated.

It subsequently found their full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details available on the dark web.

“A recent investigation has shown that 4545 customers may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologize — 99.9% of customers received the correct notification in 2015,” the firm told the BBC in a statement.

“On their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”

The latter may be technically true, but it gaslights the issue somewhat, as fraudsters are more than capable of using such details to impersonate their victims in order to elicit more information which could be monetized.

Affected customers told the show they have been the victim of frequent scam calls, while some have suffered attempted identity fraud which has impacted their credit rating.

The original incident involved the compromise of 157,000 customers, including bank account numbers and sort codes for over 15,000 of them.

It led to a £400,000 fine from regulator the ICO after it was found that attackers had exploited a simple SQL injection flaw in web pages that TalkTalk didn’t even know existed.

The firm was also widely criticized for its incident response, sending out confusing messages via a CEO not in possession of all the facts.

TalkTalk’s profits halved following the incident, with the firm paying £42m to cover incident response, external consulting and increasing call volumes as a result of a breach.

UK Invests £22m in Army Cyber Centers as Russian Threat Looms

Info Security - Thu, 05/23/2019 - 08:45

The UK government has been sharing cyber-intelligence with 16 NATO allies and others outside the alliance on coordinated Russian attempts to probe critical infrastructure and government networks for vulnerabilities, according to Jeremy Hunt.

The foreign secretary will say today at the NATO Cyber Defence Pledge Conference in London that the Kremlin is engaged in a global campaign designed to find IT flaws that could be exploited to cause damage.

“The challenge today is therefore to apply the eternal verities at the heart of NATO’s success to the alliance’s newest operational domain. And that means deterrence – strengthening our joint ability to deter those who would harm our citizens in cyberspace,” Hunt will reportedly say.

The conference is itself testament to the growing threat to member nations from Russian state-sponsored hackers, allowing sharing of best practices and intelligence to counter the rogue nation to the east.

Hunt will also reaffirm the right of NATO states to enact a “proportionate response” to any further attempts to meddle in democratic elections, even if they fall below the Article V threshold which states that an attack against a member nation is considered an attack on all 29 allies.

Cyber was recently added as a legitimate military domain by the alliance.

In related news, the UK government is set to invest £22m in new cyber-operations centers for the army.

Set to launch in 2020, the facility will aim to bridge the gap in capabilities between the security services and the military.

“These new cyber centers will allow the army and defense to transform the way we use data, at speed, so that we can compete with our adversaries in a way fit for the 21st century,” said major general Tom Copinger-Symes, general officer commanding force troops command.

“Combining artificial intelligence with our military analysts will help us better understand threats and exploit opportunities, in turn enabling us to get the truth out much more rapidly, quashing the noise of disinformation from our enemies.”

Fraud Attacks from Mobile Spiked 300% in Q1

Info Security - Wed, 05/22/2019 - 17:21

Fraud attacks from mobile apps spiked by 300% in the first quarter of 2019, according to new research from RSA.

Published today, the Fraud Attack Trends: Q1 2019 report found that the total fraud attacks from rogue mobile applications on January 1 was 10,390 but had jumped to 41,313 by March 31.

Rogue mobile apps are those designed to duplicate legitimate apps of trusted brands, which are a fast-growing phenomenon among cyber-criminals and a huge digital risk for consumers and businesses, according to the report.

In addition, the report found that fraud attacks introducing financial malware increased 56%, from 6,603 in Q4 2018 to 10,331 in Q1 2019. Of all the fraud attacks RSA observed in the first quarter, phishing accounted for 29%, though the overall phishing volume grew less than 1% quarter over quarter. Additionally, phishing decreased rather significantly in terms of overall fraud attacks, which the report said was due to the exponential growth of attacks from rogue mobile apps.

An increasing threat for e-commerce business is fraud attacks on card-not-present (CNP) transactions, which grew by 17% in the first quarter of 2019. Of those attacks, 56% originated from mobile.

“Canada, Spain and the Netherlands remain the top three countries targeted by phishing, representing 78% of total attack volume. The Philippines appeared on the list, replacing Brazil as a top target with 2% of total phishing volume in Q1,” the report said.

Of all the countries observed, Spain was targeted with a high volume of phishing, which the report attributed to the launch of new innovative digital payment services among many prominent financial institutions, which serves as a reminder that cyber-criminals are looking to exploit digital transformation initiatives.

“The old username/password combination is simply no longer sufficient as a form of consumer authentication. The use of multi-factor, adaptive authentication and transaction risk analysis to watch for signs of fraud based on device, user behavior and other indicators is another critical layer to prevent the onslaught of account takeover in the event of a successful login attempt,” the report said.

Categories: Cyber Risk News

Firmware Vulnerability in Mitsubishi Electric

Info Security - Wed, 05/22/2019 - 16:57
Firmware Vulnerability in Mitsubishi Electric

A vulnerability in Mitsubishi Electric’s MELSEC-Q Series Ethernet Module could allow a remote attacker to gain escalated privileges, according to an ICS-CERT advisory.

Reported by Nozomi Networks, the vulnerability “could allow an attacker to render the PLC's status in fault mode, requiring a cold restart for recovering the system and/or doing privilege escalation or executing arbitrary code in the context of the affected system of the workstation engineering software,” said Nozomi Networks co-founder and CTO Moreno Carullo.

On May 21, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS-CERT Advisory (ICSA-19-141-0s), noting that the uncontrolled resource consumption vulnerability was exploitable remotely and required a low skill level to exploit.

“Organizations that may be potentially impacted can implement the following National Cybersecurity and Communications Integration Center (NCCIC) mitigations: Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet,” Carullo said.

“Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may also have vulnerabilities and should be updated to the most current versions available. Also recognize that VPN is only as secure as the connected devices.”

Mitsubishi Electric has issued a firmware patch and recommends operating the affected device behind a firewall.

NCCIC encourages users to take defensive measures to minimize the risk of exploitation of this vulnerability, noting that users should:

  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • Use secure methods when remote access is required, such as VPNs, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available and that a VPN is only as secure as the connected devices.

Categories: Cyber Risk News

US May Ban Chinese Surveillance Camera Companies

Info Security - Wed, 05/22/2019 - 16:37
US May Ban Chinese Surveillance Camera Companies

Citing human rights as the primary concern, the US announced that it is considering a ban on surveillance technologies produced by five Chinese companies, adding Hangzhou Hikvision Digital Technology Co. and Zhejiang Dahua Technology Co. to a blacklist that bars them from US components or software, according to The New York Times and Bloomberg.

Hikvision’s cameras are used the world over, which has raised human rights concerns given the recent revelation that nearly 1.2 million Muslims are being detained in camps in Xinjiang, where Hikvision won five contracts worth billions of yuan last year, according to Forbes.

“We hope the company receives a fair and just treatment,” Hikvision’s secretary of the board, Huang Fanghong, reportedly said in a statement. Dahua representatives had no immediate comment, according to Bloomberg.

Evidence supports the claims that Hikvision is involved in the surveillance efforts conducted in Xinjiang, despite the company asserting that it is nothing more than a product provider.

“Hikvision's own website directly contradicts this claim,” wrote Charles Rollet for IPVM. “In 2017, Hikvision proudly posted that it had won a $79 million safe city project in Xinjiang's capital of Urumqi, stating the project included about 30,000 cameras and data centers.

“Bidding documents also show Hikvision itself directly bid and won wide-ranging surveillance projects in Xinjiang. For a $46m project in Xinjiang's Karakax (or Moyu) county, Hikvision is listed as the sole winner in Chinese bidding documents, which even include its headquarters' address in Hangzhou and state the project is 'BOT,' a scheme in which companies Build, Operate, and then Transfer projects to authorities. Hikvision is also listed as the only winner in bidding documents for a different $53 million surveillance project in Pishan County, which also list its Hangzhou address.”

In addition, Hikvision, Dahua and other companies have reportedly “benefited handsomely from Chinese President Xi Jinping’s unprecedented push to keep tabs on the country’s 1.4 billion people,” according to Bloomberg.

In 2016 IHS Markit reported that China had approximately 176 million video surveillance cameras in use through its public streets, buildings and public spaces, more than three times the 50 million used in America, Bloomberg reported.

Categories: Cyber Risk News

Google Stored Plaintext Passwords Since 2005

Info Security - Wed, 05/22/2019 - 09:29
Google Stored Plaintext Passwords Since 2005

Google has admitted that some of its enterprise customers’ passwords have been erroneously stored in plaintext, in a security issue dating back 14 years.

The tech giant’s VP of engineering, Suzanne Frey, explained that the problem occurred when it introduced a new way for G Suite domain administrators to upload and manually set new passwords for their employees, to help with onboarding and account recovery.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards,” she added.

“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
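The flaw Frey describes, an admin password-set flow that keeps an unhashed copy in the console record, reconstructed as an added example that is not Google's code: a hypothetical in-memory account store and admin-console log, the flawed and corrected flows side by side, and an audit routine that finds plaintext copies in stored records.

```python
"""Added example (not Google's code): the admin-set-password flaw described
above in a hypothetical G Suite-style admin console, beside the corrected
flow and an audit check for plaintext copies. Stores are constructed here."""
import hashlib
import os
import secrets
from typing import Optional, Tuple

ACCOUNTS = {}           # hypothetical account database: user -> salt/hash
ADMIN_CONSOLE_LOG = []  # hypothetical admin-console action records


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def admin_set_password_flawed(user: str, password: str) -> None:
    """The 2005-style error: the account record is hashed correctly, but the
    admin console also keeps an unhashed copy of the password it was given."""
    salt, digest = hash_password(password)
    ACCOUNTS[user] = {"salt": salt, "hash": digest}
    ADMIN_CONSOLE_LOG.append({"user": user, "action": "set_password",
                              "password": password})  # plaintext copy


def admin_set_password_fixed(user: str, password: str) -> None:
    """Corrected flow: only the salted hash is stored anywhere; the console
    record keeps the action for audit purposes but never the secret."""
    salt, digest = hash_password(password)
    ACCOUNTS[user] = {"salt": salt, "hash": digest}
    ADMIN_CONSOLE_LOG.append({"user": user, "action": "set_password"})


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    rec = ACCOUNTS[user]
    _, digest = hash_password(password, rec["salt"])
    return secrets.compare_digest(digest, rec["hash"])


def audit_plaintext_copies() -> list:
    """Detection: report users whose console records hold a string value that
    verifies as their current password, i.e. a plaintext copy of it."""
    leaked = []
    for entry in ADMIN_CONSOLE_LOG:
        for key, value in entry.items():
            if key in ("user", "action") or not isinstance(value, str):
                continue
            if entry["user"] in ACCOUNTS and verify_password(entry["user"], value):
                leaked.append(entry["user"])
    return leaked
```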

It’s unclear exactly how many users have been affected by this security snafu: Google would only say that it relates to a “subset of G Suite” customers. No consumer Google accounts were impacted.

Frey’s team also spotted a separate but similar security issue, dating back to the start of this year.

“As we were troubleshooting new G Suite customer sign-up flows, we discovered that starting in January 2019 we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure,” she explained.

“These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident.”

All G Suite admins impacted by these issues have been notified, and Google said it will reset passwords on any affected account where action is not taken.

Facebook, Twitter and GitHub have all admitted storing user passwords in plaintext over the past year or so. In Facebook's case, hundreds of millions of users are thought to have been affected.

Categories: Cyber Risk News

FCA: £27m Lost to Crypto Scams Last Year

Info Security - Wed, 05/22/2019 - 09:03
FCA: £27m Lost to Crypto Scams Last Year

The UK’s financial regulator has warned that £27m was lost in the last financial year to scams promising big returns on cryptocurrency and foreign exchange (forex) investments.

The Financial Conduct Authority (FCA) claimed that investors lost on average £14,600 to fraud during the 12-month period, with reports of scams more than tripling to 1800.

This kind of fraud typically starts on social media, where investors are lured by “get rich quick” promises, images of luxury items and celebrity endorsements. Clicking through takes them to legitimate-looking websites where they are tricked into handing over money.

“Investors will often be led to believe that their first investment has successfully made a profit,” warned the FCA.

“The fraudster will then contact the victim to invest more money or introduce friends and family with the false promise of greater profits. However, eventually the returns stop, the customer account is closed and the scammer disappears with no further contact.”

The findings are part of an awareness campaign being run by the FCA, supported by Action Fraud and the City of London police.

Its ScamSmart website is designed to make consumers more skeptical of get rich quick cryptocurrency and forex schemes.

“We’re warning the public to be suspicious of adverts which promise high returns from online trading platforms,” said Mark Steward, executive director of enforcement and market oversight at the FCA.

“Scammers can be very convincing so always do your own research into any firm you are considering investing with, to make sure that they are the real deal. Before investing online find out how to protect yourself from scams by visiting the ScamSmart website, and if in any doubt — don’t invest.”

Anyone that has fallen victim is urged to contact Action Fraud.

A report by Ernst & Young last year revealed that 10% of cryptocurrency ICOs lose their funds to hackers, with phishing a popular way to trick investors into handing over the private keys to their digital wallets.

Categories: Cyber Risk News

Lib Dems Come First in UK for Cybersecurity

Info Security - Wed, 05/22/2019 - 08:46
Lib Dems Come First in UK for Cybersecurity

Sweden’s political parties have the best cybersecurity posture globally, with the UK languishing in the bottom half of the table, according to a new analysis by SecurityScorecard ahead of the European Parliament elections.

Noting the impact of a major data breach at the Democratic National Committee (DNC) which helped to swing the 2016 Presidential election in favor of Donald Trump, the security vendor decided to appraise the security of political parties in the West.

It covered nine countries — the US, France, Germany, Spain, UK, Poland, Italy, Switzerland and Sweden — and two UK nations which have separate domestic parliaments, Northern Ireland and Scotland.

Some 29 political parties were selected for analysis, which covered areas including web app identification, network security and DNS configuration, malware infections, leaked credentials, patching, and more.

“SecurityScorecard found the two major US political parties, Republican National Committee (RNC) and Democratic National Committee (DNC), fared well compared to smaller US political parties and European political parties as a whole,” the report claimed.

“With that said, SecurityScorecard discovered indicators of poor security hygiene in almost all political parties.”

Sweden came top of the 11-country list, with the US in fifth and the UK down in eighth, just three notches above bottom-placed France.

In the UK, the centrist Liberal Democrats were named as the best on cybersecurity, coming top on DNS, network security and patching cadences, although its application security score fared less well.

The Conservative Party was called out for hosting an unencrypted log-in portal for its PureCampaign application.

“Although the credentials are sent to the server via a secure manner, this represents poor security design and presents a risk to a simple MitM or social engineering attack,” the report argued.

In the US, the DNC still appears not to have learned its lesson from 2016.

“While SecurityScorecard believes the DNC has made significant investments in security since 2016, the organizational behavior at managing digital assets still lags behind the RNC,” the report noted.

Categories: Cyber Risk News

DHS Issues Alert on Chinese-Made Drones

Info Security - Tue, 05/21/2019 - 16:09
DHS Issues Alert on Chinese-Made Drones

Chinese-made drones may be sending sensitive flight data to their manufacturers in China, according to an alert issued by the US Department of Homeland Security (DHS), CNN reported on May 20.

In a copy of the alert obtained by CNN, DHS said, "The United States government has strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access.”

While the report refrains from naming specific manufacturers, approximately 80% of the drones used in the US and Canada reportedly come from DJI in Shenzhen, China. DHS reportedly is concerned about "potential risk to an organization's information…[from products that] contain components that can compromise your data and share your information on a server accessed beyond the company itself," according to CNN.

"Those concerns apply with equal force to certain Chinese-made (unmanned aircraft systems)-connected devices capable of collecting and transferring potentially revealing data about their operations and the individuals and entities operating them, as China imposes unusually stringent obligations on its citizens to support national intelligence activities," the alert reportedly added.

“The Department of Commerce required Google to pull rights to use Google Play and apps on Android from Huawei. Now, we are hearing about risks of Chinese-made drones, of which the primary manufacturer is DJI, based in China,” said Chris Morales, head of security analytics at Vectra.

“The overall theme is that a third-party manufacturer could be using personal data for malicious intent. This is a theme that should expand beyond just a specific nation state actor. This is a real concern for any device that is collecting data on a user, regardless of where they are based.

“It doesn’t mean everyone is bad, though. Most organizations are in the business of making money and are not intentionally causing harm to consumers. Personally, I don’t even like enabling features, such as location services, on my personal device that gives even American companies too much data about me and my own personal habits.”

Categories: Cyber Risk News