Info Security

Subscribe to Info Security  feed
Updated: 1 hour 6 min ago

Cron Crime Ring Stole Hundreds of Thousands from Mobile Bankers

Mon, 05/22/2017 - 23:18
Cron Crime Ring Stole Hundreds of Thousands from Mobile Bankers

Members of a Russian hacking group dubbed “Cron” have been arrested for spearheading a campaign to plant malware on Android devices to steal from bank customers.

The attack netted the hackers roughly $892,000—small potatoes in the financial cybercrime world—but the group apparently had plans to widen its operation.

Reuters broke the news, citing a report compiled by Group-IB, which investigated the attack with the Russian Interior Ministry. The perpetrators exploited weaknesses in SMS text message transfer services, allowing the cyber-criminals to funnel funds to personal accounts. It targeted customers of local bank Sberbank, tricking them into downloading fake mobile banking applications, pornography or ecommerce programs. These programs were instead, of course, malware that allowed the group to text messages from those devices to arrange for the transfer of money to the hackers' accounts.

“The attack highlights the growing number of attacks against mobiles and the need for users to be increasingly vigilant,” AlienVault security advocate Javvad Malik told us via email. “Jailbreaking a phone or downloading apps from unofficial app stores increases the possible attack avenues. Similarly, clicking on unsolicited links in email or SMS messages can lead to malware being installed. Also, users should be wary of what permissions an app is asking for and exercise caution where excessive permissions are being sought such as access to phone book, SMS, phone calls and such.”

A full 16 suspects were arrested by Russian authorities. Group-IB said Cron was on average compromising 3,500 devices per day, and was planning to target European lenders before the arrest, including banks in France, and potentially other western nations including Britain, Germany, the United States and Turkey.

Categories: Cyber Risk News

Barclays CEO has a Whale of a Time with Email Impersonator

Mon, 05/22/2017 - 22:58
Barclays CEO has a Whale of a Time with Email Impersonator

Barclays has stepped up its email security for all staff members, after its CEO Jes Staley was tricked into emailing with someone pretending to be the bank’s chairman, John McFarlane.

Staley had a full email conversation with the person, reportedly a disgruntled customer. The ploy was simple—the person merely set up a free Gmail account with the user name john.mcfarlane.barclays. Then, just after the financial giant’s annual meeting, he or she sent a mail with the subject line, "The fool doth think he is wise."

Inside, the hoaxster called a shareholder who called for Staley’s resignation in the wake of a whistleblower controversy, "as brusque as he is ill-informed," and proceeded to tell Staley in rather floral language that he had his back. He ended with, "Surely the fickleminded [sic] nature of the angry few will help tie up any loose ends. You owe me a large Scotch."

Staley responded with a sort of “talking-to-the-boss” enthusiasm: "You came to my defense today with a courage not seen in many people. How do I thank you? You have a sense of what is right, and you have a sense of theatre. You mix humor with grit. Thank you John. Never underestimate my recognition of your support. And my respect for your guile."

The disgruntled customer sent back a poem where the starting letters of each line spell out “whistleblower”.

Staley was of course none the wiser until someone—presumably MacFarland himself—tipped him off that whoever he was conversing with was not actually the chairman.

In the wake, Barclays has implemented messages for staff alerting them to when they email an external email address, and the recipient’s full email address are always displayed.

The incident, even though it was more of a harmless prank than anything else, brings up the broader issue of the pervasiveness of impersonation attacks like whaling.

“The experience here of Jes Staley with email impersonation is unfortunately very common globally,” said Matthew Gardiner, cybersecurity strategist for security company Mimecast, via email. “However, in this case, Barclays was very lucky as most impersonation attacks are executed by money-focused cyber-criminals. In fact, the FBI recently reported that impersonation attacks via email impact organizations on the order of billions of dollars.”

He added, “Relying on individuals to discern the difference between real and fraudulent emails is not a sufficient defense.”

Categories: Cyber Risk News

EternalRocks Worm Uses 7 Leaked NSA Hacking Tools

Mon, 05/22/2017 - 22:26
EternalRocks Worm Uses 7 Leaked NSA Hacking Tools

A Croatian researcher has uncovered a new worm that employs seven leaked NSA hacking tools to do its thing. It presents a potential threat that could have far worse consequences than WannaCry, even though it shares characteristics with the now-infamous ransomware.

It is, so far, not weaponized—but it could be at any moment, according to Miroslav Stampar, who is a member of the Croatian Government CERT. For now, it’s just code that propagates itself, but the C&C servers can send infected machines whatever command they choose at any time, including commands to download additional malware.

"The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer. "Once infected, he can weaponize any time he wants, no matter the late patch."

EternalRocks targets computers that have exposed, unpatched SMB ports (of which there are many), and infects them using six unique NSA tools: EternalBlue, EternalChampion, EternalRomance and EternalSynergy for initial compromise; and SMBTouch and ArchiTouch for SMB reconnaissance. The seventh tool, DoublePulsar, is used to spread to new machines and remains on infected ones as an implant. It is open by default, meaning that other bad actors can use DoublePulsar as a backdoor for any of the machines it has infected.

Stampar told the media that EternalRocks is also quite stealthy—after it infects a machine, it waits a full 24 hours before talking to the C&C infrastructure in a bid to evade researcher analysis and sandboxing. It also does not include a kill switch domain, like the one used to temporarily defang WannaCry.

All of these tools are from the cache that the Shadow Brokers have made public. The now-infamous WannaCry ransomware also used two of these tools, EternalBlue and DoublePulsar.

This is unlikely the last malware that will be built using the tools. Even though Microsoft announced that the leaked weapons don’t work against supported products, unsupported systems like XP or those who aren’t up-to-date with their patches are wide open. The bad guys have taken notice: Recorded Future recently revealed plenty of interest and chatter in Russian and Chinese darknet forums, with several tools, including EternalBlue, having been reversed engineered.

“Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses,” Recorded Future said. 

Categories: Cyber Risk News

Questions Raised After Reporter Fools Bank Biometrics

Mon, 05/22/2017 - 09:59
Questions Raised After Reporter Fools Bank Biometrics

Security experts have warned about the limitations of biometric authentication systems after a BBC reporter’s twin brother was able to access his HSBC account via the bank’s voice ID service.

Reporter Dan Simmons’ non-identical twin Joe logged in as his brother using the biometric security system launched by the lender in 2016.

After inputting account details and date of birth, the user is required to say "my voice is my password” in order to access their account.

However, Simmons was apparently allowed seven attempts at cracking his brother’s voice before getting it right on the eighth.

The bank is set to restrict user log-in attempts in future to three.

It’s important to note that access to the account did not allow Joe Simmons to withdraw funds; only view balances and transactions and make transfers. A real fraudster would also be unlikely to know the voice patterns of the person they’re trying to rip off.

HSBC claimed its Voice ID system was still a “very secure method of authenticating customers.”

"Twins do have a similar voiceprint, but the introduction of this technology has seen a significant reduction in fraud, and has proven to be more secure than PINS, passwords and memorable phrases", it added in a statement.

Alex Mathews, lead security evangelist at Positive Technologies, argued the report proves that using voice biometrics alone isn’t enough.

“As is always the case with security, a layered approach is best,” he added. “Rather than relying on it as a sole authentication method, it should be used as an additional tool, in tandem with other security practices."

However, Digital Guardian security advocate Thomas Fischer, argued that biometrics are a step in the right direction.

“The BBC is certainly not the first to research ways to fool voice recognition systems or bypass fingerprint sensors, but this is no mean feat and depends on the quality of the original biometric imprint,” he explained.

“Brute force cracking weak passwords, on the other hand, can be done with relative ease. Biometrics are certainly not perfect, but anything we can do to make it more difficult for attackers to win and easier for consumers has to be a good move."

Categories: Cyber Risk News

#WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes

Mon, 05/22/2017 - 09:20
#WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes

The WannaCry ransomware threat didn’t begin with malware-infected phishing emails as first suspected, according to a new analysis from Malwarebytes.

The security vendor claimed it had been “an easy mistake to make”, but that in reality, the now-infamous campaign began by scanning for vulnerable SMB ports exposed to the public internet.

The NSA’s EternalBlue exploit was then used by attackers to get on the target network and the DoublePulsar backdoor employed to gain persistence, allowing for the installation of additional malware, like WannaCry.

“Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks,” explained Malwarebytes senior malware intelligence analyst, Adam McNeil.

“Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.”

As for takeaways, they remain pretty much the same: regular and timely patching of systems; migration to newer, supported operating systems where possible; disabling of unnecessary protocols like SMB and network segmentation.

McNeil also agreed with Microsoft president, Brad Smith, who called out the NSA and others for stockpiling exploits. The WannaCry incident is in many ways the perfect example of what can happen when government-developed exploits get into the wrong hands.

As for WannaCry, it appears as if the original threat is no longer infecting users, but newer variants have taken over.

Cryptomining threat Adylkuzz was flagged last week as one potential new threat which uses the same NSA exploits to spread.

Categories: Cyber Risk News

#WannaCry BT Phishing Scam Spotted

Mon, 05/22/2017 - 09:00
#WannaCry BT Phishing Scam Spotted

Fraud experts are warning UK netizens of a sophisticated new phishing scam which uses the recent WannaCry ransomware attack campaign in an attempt to trick users into clicking on malicious links.

ActionFraud issued an alert late last week, claiming to have already received several reports of the BT-branded scam email.

“After analyzing the email, the domains appear very similar and this could easily catch out those who are concerned about the security of their data after the global attack”, the fraud prevention organization warned.

The message itself is pretty convincing, urging recipients in near flawless English to click on a “confirm security upgrade” button to re-establish full access to a BT account it claims has been restricted following the WannaCry outbreak.

“If you receive one of these emails do not click on any links and follow our advice on how to stay safe. Instead, go to the BT website directly and log in from there,” Action Fraud advised.

“We are also aware that companies are sending out legitimate emails of reassurance in connection with the recent cyber-attack, if in doubt contact them directly on a method other than the email you have received.”

Phishing attacks are becoming increasingly popular among the black hat community: the tactic was present in a fifth (21%) of attacks last year, up from just 8% the previous year, according to Verizon.

Separate data from the Anti-Phishing Working Group for 2016 points to over 1.2 million recorded phishing attacks worldwide, up a whopping 65% from 2015.

A template called 'Message from Administrator' had the highest average click rate of 34%, according to Wombat Security’s State of the Phish 2017 report, showing that work-related lures are most successful in getting clicks.

However, newsworthy events and popular brands like this BT scam are also popular among cyber-criminals, who use them as the initial lure, especially for consumer-based campaigns.

Categories: Cyber Risk News

Android Security Gets a Boost with Google Play Protect

Fri, 05/19/2017 - 17:58
Android Security Gets a Boost with Google Play Protect

In a timely move given the rash of trojanized apps showing up in the official Google Play store of late, the internet giant has debuted Google Play Protect.

The biggest piece of this is the news that, using machine learning, Google said that it now scans more than 50 billion apps every day to hunt for risks and potentially harmful code. Automated remediation is also part of the enhancement.

“Whether you’re checking email for work, playing Pokémon Go with your kids or watching your favorite movie, confidence in the security of your device and data is important,” said Edward Cunningham, product manager for Android Security, in a blog. “Play Protect is built into every device with Google Play, is always updating, and automatically takes action to keep your data and device safe, so you don’t have to lift a finger.”

Google has also implemented a “Find My Device” feature (something Apple has had for iPhone for quite some time), which allows users to locate, ring, lock and erase Android devices remotely—including phones, tablets and watches.  

The news comes after several instances of bad apps showing up in Google Play. For instance, HummingWhale, a new variant of the HummingBad malware, was found hiding in more than 20 apps on Google Play in January; the infected apps were downloaded several million times by unsuspecting users before the Google Security team removed them. Similarly, The FalseGuide malware was found in April to be infesting 40+ guide apps in the Google Play store; these were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an alarming 2 million infected users.

“All Google Play apps go through a rigorous security analysis even before they’re published on the Play Store—and Play Protect warns you about bad apps that are downloaded from other sources too,” Cunningham said. “Play Protect watches out for any app that might step out of line on your device, keeping you and every other Android user safe.”

Categories: Cyber Risk News

#WannaCry Exploit Now Being Used to Spread Spy Trojan

Fri, 05/19/2017 - 17:36
#WannaCry Exploit Now Being Used to Spread Spy Trojan

Threat actors are using the same EternalBlue exploit employed by WannaCry to deliver other malware—specifically, a remote access trojan (RAT) typically used to spy on people’s activities or take control of their computers.

During the recent pandemic attack, CyphortLabs discovered a similar attack to one of its honeypot servers.

“We initially thought this is WannaCry, but upon further investigation, we discovered a stealthier RAT,” researchers said, in an analysis. “Unlike WannaCry, this threat infects only once and does not spread. It is not a worm.”

The RAT has plenty of spy features, the firm said, including screen and keyboard monitoring, audio and video surveillance, the ability to transfer, download or delete files and data, and general control of the infected machine. It also takes care to block the exploit from being used for other malware.

“The threat actors probably did not want other threats mingling with their activity,” CyphortLabs said. Researchers added, “At first glance, the threat we discovered may not appear to be as destructive as the WannaCry ransomware, but it may be equally dangerous if not more, depending on the attacker’s intent.”

Interestingly, the analyzed sample was first seen on VirusTotal on April 2—and since then, there have been 12 other similar samples reported. “This is an indication that they might have been using the EternalBlue exploit well before the WannaCry outbreak on May 12,” CyphortLabs said.

It added: “WannaCry ransomware delivered a strong message to the world by being noisy and destructive,” the researchers said. “It seems that the message is clear now; that there are many systems out there that are vulnerable to cyberattacks….In addition, if WannaCry did not happen, we may not be aware of a number of systems that are vulnerable to exploits whether they are zero-day, disclosed or undisclosed, and that makes this type of stealthy threat more dangerous. What will hurt you the most are those things that you did not see coming.”

The researchers believe that the group behind the attack is the same group that spreads Mirai via Windows (which Kaspersky discovered in February), due to several similarities in the indicators of compromise (IOCs).

"We believe at this point there are parallels with a group who has been building up the Mirai botnet and is now using EternalBlue to spread,” said Mounir Hadad, senior director of Cyphort Labs, via email. “We see the same C2 servers being used as the actors portrayed [by Kaspersky]. Given the previous uses of the Mirai botnet in mounting spectacular DDoS attacks, we can only speculate that the botnet is likely very large."

Categories: Cyber Risk News

Sony Files Wide-ranging Suite of Piracy Suits in Moscow

Fri, 05/19/2017 - 17:33
Sony Files Wide-ranging Suite of Piracy Suits in Moscow

Sony Interactive Entertainment is looking to permanently block several Russian ISPs, with a slew of piracy lawsuits filed in the Moscow City Court.

In the seven complaints, Sony’s UK division said that the ISPs are streaming its gaming properties without permission, and it is seeking the blocking of 20 different specific sites.

According to Muscovite outlet Izvestia, copyright action has been taken against the ISPs before (the ISPs have not been publicly named)—and that opens the door for what Russian law terms “eternal lock.” This is a punishment reserved for repeat piracy offenders, and involves a permanent ISP blockade.

“Positive changes in legislation aimed at protecting rightsholders, plus greater attention by state bodies to intellectual property rights violations, allows us today to begin to fight against piracy on the Internet,” said Sergey Klisho, general manager of Playstation in Russia.

Any blockade would be enacted under the Russian telecom regulator, Roskomnadzor. The problem, of course, is that specific applications can simply be moved to a new streaming platform, resulting in a game of whack-a-mole for piracy regulators and content owners.

“I do not believe that Roskomnadzor can block any application,” Russian Internet Ombudsman Dmitry Marinichev told Izvestia. “You can prevent Google Play or Apple’s iTunes from distributing them. But there is still one hundred and one ways left for these applications to spread. Stopping the application itself from working on the device of a particular user is a daunting task.”

Russia passed comprehensive anti-piracy law covering films and TV in 2013, with a major expansion to include music, books and software (including games) in 2015.

Categories: Cyber Risk News

Research Finds IT Professionals Lack Company Loyalty

Fri, 05/19/2017 - 13:15
Research Finds IT Professionals Lack Company Loyalty

In a survey of 113 companies who had suffered a breach 71% of IT practitioners claimed that brand protection was not their responsibility, while 70% do not believe their companies have a high-level ability to prevent breaches.

The research, by Centrify and the Ponemon Institute, found that 67% of chief marketing officers worry about reputation, but 63% of IT practitioners worry about their jobs. For those IT practitioners that had experienced a data breach, the most negative consequences were: significant financial harm (52%), greater scrutiny of the capabilities of the IT function (51%) significant brand and reputation damage (35%) and decreased customer and consumer trust in their organization (35%).

Cybersecurity consultant Dr Jessica Barker told Infosecurity that she felt that the disconnect between IT and CMOs was most interesting, and it shows we still have a long way to go to get joined up working actually happening in organizations and for people "to truly see that cybersecurity is a business issue, not just an IT one."

Speaking on a roundtable to launch the research, Bill Mann, senior vice-president of products and chief product officer at Centrify, said that some organizations do a good job of dealing with breaches, but some do a bad job. Asked if there was not a buy-in from IT into the company culture, Mann said: “There’s a disconnect on what they do on a day-to-day basis and what sells depending on stock price.

“It is not really about strategically running strategies across organizations, and not about more investment in a company, but more about alignment and communication within organizations.”

Mann said that every board meeting should ask ’are we getting better’ and it’s not happening, and he said that from his point of view, companies should be asking and educating all members of staff on the impacts on the brand.

Asked if third-party consultants who were not part of the company were part of the problem, Mann said that this could be improved by being better managing consultants to know what their priorities are. “If you’re an Oracle DBA that’s your world, but how you reach them about what is important and a lot of communications from management are on priorities and that’s even more difficult with outsourcing”, he added.

In an email to Infosecurity, consultant Brian Honan said that in many cases, he finds IT professionals who have a primary focus on technology do not worry about company loyalty. “To them the focus is on the technology and the type of technical projects they may get involved,” he explained.

“The more successful IT professionals and security professionals tend to be those who have an active interest in the business and understand the business goals and strategies of the organization.”

Honan said that if the third party is seen as taking core and/or interesting work away, then IT professionals can feel threatened. “However, if mundane or routine tasks are outsourced or key hard to find skills are brought in, then many see this as an opportunity to focus on interesting projects and to enhance their own skills,” he said. “So companies need to be careful in how they outsource so they get the balance right.”

The research also found that those companies who were breached had suffered a 5% average drop in the stock price.

Mann said: “It’s clearly a blind spot for the C-suite and it’s time leadership recognize that protecting data is no longer just an IT problem, but a bottom-line business concern that needs a holistic and strategic approach to protecting the whole organization.”

Categories: Cyber Risk News

#SecureTour17: Business Nightmare Scenarios Detailed a Week Since #WannaCry

Fri, 05/19/2017 - 12:08
#SecureTour17: Business Nightmare Scenarios Detailed a Week Since #WannaCry

Speaking on the theme ‘The threats that should be keeping you awake at night’ at the FourSys SecureTour in London, independent computer security researcher Graham Cluley described the three main areas of concern for businesses in 2017.

Claiming that it is not about giving the audience nightmares, and not about nation-state hackers who "target private firms", Cluley said that the three main problems were: ransomware, insider threat and business email compromise.

Focusing on last weekend’s WannaCry ransomware outbreak, Cluley said that this was ransomware "on a scale never seen before", and "it hit so hard it took some hours before people came up with a logo!"

He added: “WannaCry did traditional things with Bitcoin, so what made it so different? It was not traditional ransomware; it was distributed by a worm-like feature and exploited a component in Microsoft Windows vulnerability and exploited the SMB protocol to spread very rapidly indeed.”

He went on to claim that ransomware has "truly been a threat over last few years" highlighting other instances of the NHS being hit, as well the San Francisco rapid transport being shut down, and it is also hitting mobile devices.

In the other cases, Cluley said that in the case of business email compromise, where an attacker poses as a CFO and typically targets a junior member of staff but instead of sending malware, they just send an email to try to trick a person into sending money.

“People do this and as soon as they click on the send button, it is too late”, he said. Highlighting cases affecting major companies, Cluley said that this is effectively good social engineering.

Looking at insider threat, Cluley highlighted cases of what appears to be trusted employees, where just by wearing a Red Dwarf or Iron Maiden T-shirt they are able to gain access to an IT department and network.

“We’re working together to make the internet a safer place, so don’t have nightmares."

Categories: Cyber Risk News

RSA: Quarter of UK Consumers Boycott Breached Firms

Fri, 05/19/2017 - 09:54
RSA: Quarter of UK Consumers Boycott Breached Firms

Over a quarter of UK adults have boycotted companies that mishandled their data, according to new RSA research highlighting plummeting levels of consumer trust as the volume of high profile data breaches rises.

The Dell-owned security firm polled over 2000 UK consumers recently to find out more about their attitudes to the rising tide of breach incidents sweeping the globe and upcoming regulations from Europe.

The findings should represent a wake-up call for many organizations, not least the fact that 28% of consumers have left companies which mishandled their data in favor of more secure rivals.

That stat echoes the findings of a Centrify study earlier this week which revealed that 27% of customers had discontinued their relationship with a company following a breach.

A third (34%) of those polled by RSA claimed to have lost faith in the ability of firms to look after their data, but continue to use them anyway – suggesting they feel powerless to change anything – and over half (57%) said they have no idea how many times their data has been lost.

A quarter (24%) said they’d even become immune to data loss incidents in the news, because there are simply so many.

RSA is predicting this erosion of trust will continue when the GDPR kicks in on May 25 2018, as it will force companies to disclose data breaches within 72-hours, adding to the huge number already publicized.

Only 15% of consumers had heard of the new regulation, but more than half (53%) think its maximum fines of 4% of global annual turnover is fair.

However, many of those (20%) RSA spoke to also wanted consumers to receive direct compensation in the event of data loss.

“We can see some consumers are already boycotting companies that mishandle data, so this should be a real wakeup call – particularly when you add that to the potential penalties that could be imposed,” said Rashmi Knowles, EMEA field CTO at RSA.

“Organizations can no longer see data breaches as an abstract tech or IT problem; boycotts and penalties are serious business risks and should be a board-level business issue. Make no mistake, there will be businesses that will never fully recover from such a fine, if they don’t go out of business entirely. We will all know of the EU General Data Protection Regulation then.”

Categories: Cyber Risk News

UK Activist Charged After Refusing to Hand Police Passwords

Fri, 05/19/2017 - 09:04
UK Activist Charged After Refusing to Hand Police Passwords

A man has been charged by the Metropolitan Police after refusing to hand over his laptop and mobile phone passwords when questioned at Heathrow Airport.

Muhammad Rabbani is international director at Cage, an advocacy organization which claims to “empower communities impacted by the War on Terror.”

He claimed to be unable to provide police access to his devices as they contained “crucial evidence taken from a torture survivor” which he didn’t have permission to share.

Cage outreach director, Moazzam Begg, spoke of the “constant harassment” of Muslims at airports by UK police using Schedule 7 of the Terrorism Act 2000.

“At the core of this issue is the protection of crucial evidence of torture, the key to holding high ranking officials accountable for an international crime. This will be a landmark case that will test the rule of law and justice in the ‘War on Terror’,” he said in a statement.

“I know what it is like to be forced to give your password to the authorities. In Bagram, I was tortured into surrendering my password. My colleague Rabbani was safeguarding vital and sensitive testimony, given to him by a victim of torture. Considering both the US and British governments have been found complicit and responsible for the torture and abuse of hundreds of individuals, it is perfectly right that Rabbani does everything he can to ensure these crimes are accounted for.”

The police claim Rabbani “willfully obstructed, or sought to frustrate, an examination or search” under Schedule 7.

First introduced by the Blair government in 2000, this controversial law allows UK cops to pull a suspect in for questioning for up to nine hours without needing any grounds for suspicion.

As a result, activists argue, it’s regularly used by police and immigration officers in a discriminatory fashion.

In the US, the handing over of passwords is voluntary at the moment. However, there could be plans afoot to force anyone arriving at the border to do so, with the option of declining entry to those who refuse.

Cage itself has been on the receiving end of criticism from leading terror experts.

“At the very least Cage are guilty of sloppy thinking and very unwise language,” the government’s former independent reviewer of terror legislation, Lord Carlisle, is quoted as saying.

"Before they can command any credibility from the wider community, they should make it clear that they reject the murder by ISIL of Christians and of Muslims who disagree with their views, and that they reject beheading and burning people alive.”

Rabbani will now appear at Westminster Magistrates Court on 20 June.

Categories: Cyber Risk News

Zomato Breach Exposes 17 Million Users

Fri, 05/19/2017 - 08:29
Zomato Breach Exposes 17 Million Users

Some 17 million users are said to have been affected after restaurant search platform Zomato was breached this week.

In a security update outlining what happened, the firm’s chief technologist, Gunjan Patidar, said the stolen information included user IDs, names, usernames, email addresses and password hashes with salt.

No financial information was compromised, the firm said.

“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password,” he explained. “This means your password cannot be easily converted back to plain text. We however strongly advise you to change your password for any other services where you are using the same password.”

All passwords were immediately reset and users locked out of their accounts and forced to log back in following the incident. In addition, the firm claimed that 60% of its user base actually logs in via OAuth services, using Google and Facebook and the like – so their passwords are safe.

In a bizarre update to the update, Punditar claimed to have managed to contact the hacker who breached the site.

“The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” he said.

“We are introducing a bug bounty program on Hackerone very soon. With that assurance, the hacker has in turn agreed to destroy all copies of the stolen data and take the data off the dark web marketplace. The marketplace link which was being used to sell the data on the dark web is no longer available.”

As a precaution, Zomato said it would be urging its 6.6 million users with exposed passwords to change them on other services they may have also used them to access.

Andre Stewart, VP EMEA at Netskope, warned that data breaches of this sort can often create a dangerous domino effect of further breaches.

“When the same credentials are used across multiple accounts, one breach can make data vulnerable across many different cloud apps and services at the same time, creating significant risks to the enterprise. A year from now, this type of hack will create even more complications by exposing the company to huge fines under the GDPR”, he added.

“Wherever possible, organizations must educate end users on basic cyber hygiene and build awareness around the appropriate safe courses of action. Keeping an eye out for unusual behaviour or usage patterns will also help security teams to keep data-hungry criminals at bay.”

Categories: Cyber Risk News

#WannaCry hits Medical Devices in US

Thu, 05/18/2017 - 19:16
#WannaCry hits Medical Devices in US

Medical devices at US hospitals have been hit by the now-infamous WannaCry ransomware.

An unnamed source has released an image of an infected Bayer Medrad device, which is a radiology device used for imaging improvement for MRIs.

A Bayer spokesperson confirmed to Forbes that its products at two hospitals were indeed hit by the malware: "Operations at both sites were restored within 24 hours. If a hospital's network is compromised, this may affect Bayer's Windows-based devices connected to that network."

The spokesperson added that the company is preparing a patch for the Windows-based devices.

Some note that the patching process could be onerous. “Medical devices often use operating systems from the Microsoft’s Windows Embedded product line,” explained Craig Young, computer security researcher for the Tripwire Vulnerability and Exposures Research Team, via email. “Unfortunately...security fixes on embedded devices commonly require a complete firmware update from the vendor, which is then manually installed on the device. This can greatly increase patch delays due to the time it takes for vendors to prepare and test a new firmware to ensure that it will not interfere with the intended operation of the medical device.”

Another hindrance on keeping these systems up to date with security updates is that it requires that the devices (which may be in continuous use) are unavailable for some period of time while someone from IT installs and tests the firmware update.

“In many cases, devices will never receive updates, either because the OS is no longer supported, and memory, storage, and processing constraints may prevent the device from operating effectively with the latest software,” Young said. “Finally, I suspect that many hospital administrators may not recognize the danger from using outdated software on these devices and simply avoid patching because the device works.  This ‘if it ain’t broke don’t try to fix it’ mentality can be tremendously detrimental to hospital security.”

Terry Ray, chief product strategist for Imperva, noted that the healthcare industry continues to be a top target for cybercriminals, because of the large quantity of valuable data they manage and the potential to negatively impact critical patient care.

“With so many medical devices connected to the internet, it’s not surprising to know that some of these devices were rendered useless by WannaCry,” Ray told Infosecurity. “As we’ve seen with ransomware activity, there’s an inherent operation damage to the enterprise. That damage cannot be mitigated by paying the ransom. This attack is a wakeup call for everyone to keep their security systems up to day so they can prevent future attacks.”

Categories: Cyber Risk News

EU Slaps Facebook with $122m Fine Over User Data

Thu, 05/18/2017 - 18:39
EU Slaps Facebook with $122m Fine Over User Data

The European Commission has fined Facebook $122m for providing "incorrect or misleading" information during its purchase of WhatsApp in 2014.

The European Union’s antitrust regulators said that Facebook had originally insisted that it wouldn’t  combine its own data with that of WhatsApp, which has more than one billion users. It didn’t carry through on that promise, however—last August, the social network announced that it would begin doing just that. That sent up a red flag for those concerned that this kind of data scale offers an unfair advantage when it comes to advertising and psychometrics.

The fine comes in a week in which WhatsApp was fined €3 million by the Italian competition and consumer authority and Facebook was fined €150,000 by the French data protection regulator in relation to the companies' use of customer data. Also, a competition investigation in Germany into Facebook's privacy practices remains ongoing.

“Several transactions in recent years, including Facebook's acquisition of WhatsApp and Microsoft's acquisition of LinkedIn have been at least partly motivated by the desire to gain access to valuable data,” said Richard Craig, senior associate in the IT, telecoms and competition team at International law firm Taylor Wessing. “These transactions are facing increasing scrutiny, in particular by privacy advocates, who fear that these deals will lead to a degradation of privacy protection for consumers.”

Although antitrust regulators have been historically reluctant to consider privacy issues in competition cases, the drumbeat is growing louder when it comes to regulator scrutiny of those with access to big data. There is increasingly an imperative to ensure that these companies do not use that data in a way that harms competitors or consumers.

"The fine shows the importance of being fully transparent with competition regulators when filing for merger control clearance, although some will no doubt claim that the commission should have gone further and reopened the investigation into the transaction,” Craig added. "This is in large part as a result of an increasing focus on the relationship between the access that the major tech companies have to large and complex datasets and the potential for this to adversely affect competition.”

Meanwhile, UK Prime Minister Theresa May has announced that Facebook users will have the right to permanently delete information about themselves before they turn 18—extending the “right to be forgotten” to teenagers. This right is already enshrined in the EU's new General Data Protection Regulation, to go into effect in May 2018, which also will be signed into UK law. 

Categories: Cyber Risk News

Amazon Tops Darknet Exposure Index

Thu, 05/18/2017 - 18:37
Amazon Tops Darknet Exposure Index

Amazon is the company with the largest darknet footprint according to a new ranking—which is concerning given its massive internet presence and possession of significant customer data.

The OWL Cybersecurity Darknet Index uses a proprietary algorithm to rank each Fortune 500 company based on a company's exposed data on the darknet.

The darknet is a collection of networks on the internet that are purposefully hidden, designed specifically for anonymity. Unlike the surface web (public information available to search engines) and the deep web (online information requiring credentials, like banking sites or paid firewalls), the darknet is only accessible with special tools and software. As a result, the anonymity of the darknet facilitates the exchange of large amounts of stolen and hacked data.  The presence of a company’s data on the darknet, and the extent of that presence, is one measure of cybersecurity risk.

The study revealed that every company on the Fortune 500 is exposed to some extent, but technology and telecommunications companies overall are the largest target. Those at the top of the list have credentials and/or intellectual property exposed on the darknet which can be monetized by others.

Meanwhile financial firms—frequent targets of hackers—fare better than expected, likely reflecting their focus on significant investment in cybersecurity in recent years.

“Until now, there hasn’t been an easy way to comprehensively measure a company’s presence on the darknet,” said Mark Turnage, CEO of OWL Cybersecurity. “Using our proprietary database of darknet content, combined with our hackishness algorithm, we are able to provide companies with customized Darknet Index scores that allow them to measure the efficacy of their cybersecurity efforts over time, and how they compare to other companies in similar industries.”

Categories: Cyber Risk News

Political Parties in DMARC Fail Ahead of Elections

Thu, 05/18/2017 - 11:18
Political Parties in DMARC Fail Ahead of Elections

Security experts have warned of potential attempts to interfere in upcoming national elections in the UK, Norway and Germany after revealing gaps in political parties’ email authentication policies.

Agari claimed that of the parties that have published an email authentication policy, none appear to have properly configured it to ensure malicious emails don’t reach their targets.

The open standard DMARC (Domain-based Message Authentication, Reporting and Conformance) represents industry best practice for email authentication, allowing recipients to check whether messages comes from a verified source.

However, for it to work effectively, said political parties need to publish a DMARC “reject” policy, which none of them had done at the time of the research, Agari claimed. This will send unauthenticated messages to the spam folder or block them outright.

The UK’s Liberal Democrat and Green Party did best, with a DMARC “none” policy record in place. However, even this is not sufficient protection and needs to be upped to “quarantine” or “reject” to block spoofing attempts, the vendor argued.

Agari chief scientist, Markus Jakobsson, claimed the current state of affairs is a “disaster waiting to happen”, given the well-publicized attempts by Russia-linked hackers to destabilize the US and French presidential elections by hacking and leaking sensitive emails from political parties.

“Most organizations, including political parties, use antiquated inbound email filters, with no protection against identity deception. If an organization simply uses a spam filter, all they avoid is getting unwanted Viagra advertisements; they have no protection against phishing emails,” he explained.

“Similarly, and sadly, even those that do have phishing filters only have partial protection, since traditional phishing filters rely on the blacklist paradigm, which is not applicable to spear phishing attacks. It is vital for political organizations to recognize the risks they are taking by not addressing this problem.”

Categories: Cyber Risk News

Shadow Brokers Warn of June Data Dump

Thu, 05/18/2017 - 09:49
Shadow Brokers Warn of June Data Dump

Russia-linked hacking group The Shadow Brokers has warned of a new release of exploits next month, in an update which will likely cause sweaty palms at the NSA.

In a new missive written as usual in comically bad English, the group claimed to have possession of “75% of U.S. cyber arsenal” stolen from the NSA-linked Equation Group.

After a long ramble about WannaCry and Microsoft, in which it blamed North Korea for the global attack, the group said that next month it would announce "TheShadowBrokers Data Dump of the Month."

“TheShadowBrokers is launching new monthly subscription model,” it explained. “Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”

This data dump could include exploits and tools for browsers, handsets and routers; new exploits for Windows 10; “compromised network data from more Swift providers and central banks”; and network data stolen from Russian, Chinese, Iranian or North Korean missile/nuclear programs.

Given the strong links between the Kremlin and the Shadow Brokers, the latter claim may simply be a hoax, designed to keep observers guessing as to the group’s origins.

NSA whistleblower Edward Snowden claimed back in August 2016 that “circumstantial evidence and conventional wisdom” points to Moscow as the force behind the Shadow Brokers.

Given that the group has come good on most of its threats previously, this latest warning is likely to cause more than a little concern at NSA HQ.

It was claimed by anonymous insiders earlier this week that the spy agency had been forced to warn Microsoft of the EternalBlue Windows exploit it developed after it was stolen by Shadow Brokers.

Although Microsoft then produced a patch for the critical SMB vulnerability it exploited, the recent WannaCry ransomware epidemic – which used the same exploit – still caused widespread damage worldwide.

If similar tools are set to be released by the Shadow Brokers from next month, the agency will have to decide pretty quickly – if it hasn’t already – whether to inform the relevant software makers.

Categories: Cyber Risk News

ICO Slaps Nuisance Text Biz with £100K Fine

Thu, 05/18/2017 - 09:09
ICO Slaps Nuisance Text Biz with £100K Fine

The Information Commissioner’s Office (ICO) has slapped a £100,000 fine on a Fareham firm accused of spamming users with millions of text messages.

Over 1000 complaints were made to the 7726 spam text reporting service and straight to the ICO between October 2015 and June 2016, the privacy watchdog said.

The culprit, OneCom Limited, was unable to explain to the ICO how it had obtained the phone numbers of these complainants or provide evidence that these users had given their prior consent.

That means it broke the Privacy and Electronic Communications Regulations (PECR) which govern marketing missives.

The firm admitted to the ICO that it sent a staggering 3.3 million text messages between October 1 2015 and March 31 2016.

“Spam texts are a real nuisance to millions of people across the country and this firm’s failure to follow the rules drove over 1000 people to complain,” said head of enforcement Steve Eckersley.

“I would urge anyone bothered by a spam text to report it, either via the ICO’s website or by forwarding the text to 7726. Your reports will help us crack down on those who fail to treat people’s information with the respect it deserves.”

Ashish Koul, president at Acqueon, argued that there’s no excuse for spamming users on this scale when technologies exist to keep firms compliant.

“These solutions are capable of checking hundreds of thousands of ‘Do Not Call/Contact’ (DNC) records in seconds – so that no erroneous texts are sent or calls are made during a campaign,” he added.

"Technology can also ensure that any contact – whether traditional telephone/SMS marketing or across digital channels such as email and social media – is as non-intrusive as possible and respects customers’ privacy. Organizations must therefore ensure they have the right systems in place to avoid making themselves the target of further fines and disgruntled customers.”

On a slightly smaller scale, the ICO has also fined a Greater Manchester used-car dealer £40,000 after it sent hundreds of thousands of spam texts to angry mobile users.

Radcliffe-based Concept Car Credit Limited is said to have sent out 300,0000 texts en masse, obtaining the data from other organizations. That meant it didn’t receive prior consent from the recipients.

The fines come just a week after the ICO levied an even higher financial penalty against Keurboom Communications Ltd: the firm behind 99.5 million nuisance calls.

The firm was fined £400,000 by the watchdog, but frustratingly has now been placed into voluntary liquidation, meaning the ICO has to recoup the money from insolvency practitioners.

Categories: Cyber Risk News

Pages