Open-source Android spyware has appeared twice on Google Play.
Research conducted by ESET discovered the first known instance of spyware based on the open-source espionage tool AhMyth lurking within a radio app available on Google Play. The app in question is Radio Balouch, detected as Android/Spy.Agent.AOX.
On the surface Radio Balouch functions as an internet radio app dedicated to playing the music of the Baloch people, who inhabit Iran, Afghanistan and Pakistan. However, an investigation led by ESET researcher Lukas Stefanko found that the app had been created as a way to spy on people who downloaded it.
While listeners were enthralled by the sounds of the suroz and the benju, the spyware hidden in the app went to work stealing contact information and harvesting files stored on the devices affected.
ESET sent a report to Google detailing its discovery. Google's security team removed the malicious Radio Balouch app within 24 hours, but 10 days later it had been re-posted on Google Play by the original developer.
Stefanko said: “We also detected and reported the second instance of this malware, which was then swiftly removed. However, the fact that Google let the same developer post this evident malware to the store repeatedly is disturbing."
The Radio Balouch app first appeared on Google Play on July 2. It returned on July 13 and was again swiftly removed. The app was installed by over 100 people each time it was posted on Google Play.
Radio Balouch may be the first app containing open-source Android spyware to make it onto Google Play, but it's unlikely to be the last. Judging from how easily the app returned to Google Play after being removed, Google may wish to put in place some more stringent security measures.
“Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may soon appear on Google Play,” said Stefanko.
Radio Balouch may have ended its brief fling with Google Play, but it is still available on alternative app stores.
ESET stated: "It has been promoted on a dedicated website, via Instagram, and YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response.”
US authorities have charged 80 members of a Nigerian-based crime ring in connection with online scams designed to swindle victims around the world out of $46 million.
A 145-page indictment lists 252 charges against the 80 suspects, who are mostly Nigerian nationals. Charges of aggravated identity theft, conspiracy to launder money and conspiracy to commit fraud have been brought against all of the accused.
Speaking at a press conference held earlier today, US attorney Nick Hanna described the fraud as "one of the largest cases of its kind in US history."
Nigerian-born Valentine Iro and Chukwudi Christogunus Igbokwe were named as co-conspirators who allegedly worked alongside people in Nigeria and in the US to dupe victims into transferring money overseas.
Iro and Igbokwe, who were arrested in the US, are accused of fraudulently getting their mitts on $6 million as part of a larger conspiracy intended to bag a cool $46 million.
The internet scams at the center of this case promised victims romance or riches in return for financial assistance.
The case began when a single bank account aroused the suspicions of the FBI back in 2016. The investigation expanded to include numerous victims around the world.
One woman in Japan fell victim to the scammers after becoming a digital pen pal on an international social network. The woman, who is referred to in court papers as F.K., was fooled into thinking she had found love with a US Army captain stationed in Syria.
Over the course of a fictitious 10-month online romance, F.K. sent daily messages to Cpt. Terry Garcia and $200,000 to help him smuggle diamonds out of the country. Neither Garcia nor the stash of diamonds turned out to be real.
F.K. was left heartbroken and virtually bankrupt after borrowing money from her friends, her sister and even her ex-husband.
F.K. and other victims in this case were tricked by sophisticated versions of the Nigerian prince scam, also known as the 419 scam after the criminal code used for fraud in Nigeria.
Despite being almost as old as email, 419 scams are effective because they exploit vulnerabilities in humans. And they are likely to remain so unless technology can find a bug fix for greed or love.
At the Open Source Summit in San Diego, California on August 21, the Linux Foundation announced the formation of the Confidential Computing Consortium. Confidential computing is an approach using encrypted data that enables organizations to share and collaborate, while still maintaining privacy. Among the initial backers of the effort are Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent.
“The context of confidential computing is that we can actually use the data encrypted while programs are working on it,” John Gossman, distinguished engineer at Microsoft, said during a keynote presentation announcing the new effort.
Initially there are three projects that are part of the Confidential Computing Consortium, with an expectation that more will be added over time. Microsoft has contributed its Open Enclave SDK, Red Hat is contributing the Enarx project for Trusted Execution Environments and Intel is contributing its Software Guard Extensions (SGX) software development kit.
Lorie Wigle, general manager, platform security product management at Intel, explained that Intel has had a capability built into some of its processors called software guard which essentially provides a hardware-based capability for protecting an area of memory.
“You can think of it as a trusted execution environment,” she said. “In that trusted execution environment, the hardware protection is there for both the data as well as the code.”
Wigle noted that as there is a move toward increasing use of artificial intelligence, people care about the privacy of data, but are also interested in protecting their own proprietary algorithms as well, since a lot of the time, that’s where the intellectual property resides.
While Intel’s SGX is a hardware-level capability, Microsoft’s Open Enclave SDK is designed to make it easier for users to get up and running with confidential computing. Gossman emphasized that the Open Enclave effort is all about making confidential computing accessible.
“This is middleware; it provides application portability and makes it easier to write applications that run across different devices and even into the cloud,” Gossman said.
The promise of confidential computing is already finding multiple use cases, according to Wigle. She said that, for example, collaboration is already happening with healthcare data, where sensitive data can be shared safely in a way that is helping to potentially unlock new innovations.
“We live in a world where a lot of times convenience and privacy are at tension with each other and this is a capability that has a promise of letting us have it all,” Wigle said. “However, we do need to cooperate with others to make that happen.”
Gossman explained that fundamentally what confidential computing can enable is transactions and collaboration between multiple parties that don’t necessarily entirely trust each other, yet still want to work with each other.
The overall promise of confidential computing could potentially be transformational in ways that aren’t yet known, which is one of the reasons why the Linux Foundation has helped to facilitate the creation of the new consortium.
“We're really excited about this effort,” said Jim Zemlin, executive director of the Linux Foundation. “We do think this is something that can improve security and privacy for all of us.”
Danish authorities are reviewing 10,700 court cases over concerns that cellphone location-tracking data given as evidence may have been flawed.
Concerns were raised after police discovered a glitch in an IT system used to convert data supplied by phone companies into evidence that can be used to place a suspect at a crime scene. The error caused data to be omitted during the conversion process, giving police an incomplete picture of where a cellphone had been taken.
The identified error was fixed in March, but a second problem emerged that could potentially place an innocent person at the scene of a crime. It transpired that some cellphone tracking data had linked phones to the wrong cellphone towers.
How decisive the flawed data may have been in determining the 10,700 verdicts affected is currently unknown. The court cases now under review date back to 2012.
On Monday Denmark's director of public prosecutions, Jan Reckendorff, announced a two-month ban on the use of cellphone data in criminal cases while the large-scale review of verdicts is carried out.
Speaking to the country's state broadcaster, Reckendorff said: “We cannot live with incorrect information sending people to prison.”
A steering group has been established by the country's minister for justice to monitor the review process and assess any legal ramifications caused by the flawed data. Should it arise that flawed cellphone data has put innocent Danes behind bars, a device originally intended to connect people will have instead separated them from everyday society in the most definitive terms.
After review, a report on each case will be sent to the court and to the case's defense lawyer. Cases in which the flawed data is found to have had a significant impact on the verdict will be retried.
Head of the Danish Bar and Law Society's criminal law committee, Karoline Normann, told The New York Times that prior to the discovery of the bugs, the accuracy of cellphone data hadn't been called into question.
Normann said that going forward, lawyers will have to take into consideration that “evidence that may appear objective and technical doesn’t necessarily equal high-evidence value.”
With a view to creating a “highly differentiated, intrinsic security cloud,” the deal will see VMware better positioned to protect enterprise workloads and clients through Big Data, behavioral analytics and AI.
“By bringing Carbon Black into the VMware family, we are now taking a huge step forward in security and delivering an enterprise-grade platform to administer and protect workloads, applications and networks,” said Pat Gelsinger, CEO, VMware.
The combination of Carbon Black’s solutions with VMware’s security offerings, including AppDefense, Workspace ONE, NSX and SecureState, will create a modern security cloud platform for any application, running on any cloud, on any device, the company said. “This combined offering will provide customers advanced threat detection and in-depth application behavior insight to stop sophisticated attacks and accelerate responses,” a statement read.
Patrick Morley, CEO of Carbon Black, said in a blog post that this was “a massive opportunity” as there is an “opportunity here for Carbon Black to truly disrupt the security industry — and ultimately help more customers stay safe from cyber-attacks.”
Morley added: “VMware has a vision to create a modern security platform for any app, running on any cloud, delivered to any device – essentially, to build security into the fabric of the compute stack. Carbon Black’s cloud-native platform, our ability to see and stop attackers by leveraging the power of our rich data and behavioral analytics, and our deep cybersecurity expertise are all truly differentiating. As a result, VMware approached Carbon Black to deliver on this vision.
“Our product strategy stays the same. Our roadmap stays the same. Our customer support stays the same. The entire product portfolio, cloud and on-premises, is included in the merger – now backed by the extensive global footprint and GTM resources from VMware. In fact, the plan is to invest more aggressively in Carbon Black and leverage our combined strengths to accelerate our growth and execute our vision for our customers.”
Carbon Black will exist as an independent business unit within VMware, and become VMware’s Security Business Unit. Launched in 2007 as Bit9, the company was known as Bit9 & Carbon Black after it acquired Carbon Black in February 2014, and officially assumed the company name Carbon Black in February 2016.
The South Korean government has said it will end a crucial intelligence-sharing arrangement with Japan, as a trade dispute between the two wartime foes deepens.
Kim You-geun, deputy director of the presidential National Security Council, said the move was a response to Tokyo’s decision to remove South Korea’s fast-track export status earlier this month.
“Under this situation, we have determined that it would not serve our national interest to maintain an agreement we signed with the aim of exchanging military information which is sensitive to security,” he reportedly told a news conference.
The General Security of Military Information Agreement (GSOMIA) was due for automatic renewal on Saturday. It enables the two Asian giants to directly share vital intelligence on North Korea’s nuclear and missile program.
In response, Japanese defense minister, Takeshi Iwaya has criticized Seoul for conflating trade and security matters.
“North Korea’s repeated missile tests threaten national security, and cooperation between Japan and South Korea and with the US is crucial,” he’s reported to have said. “We strongly urge them to make a wise decision.”
Bilateral relations between the countries started to deteriorate after a South Korean court ruled last year that Japanese companies like Mitsubishi must pay compensation for their use of forced labor during Japan’s occupation of the country from 1910-45.
Japan seemed to respond by placing restrictions on the materials needed by South Korean chip-makers like Samsung to build semiconductors. Seoul came back tit-for-tat by removing Japan from a whitelist of trusted trade partners.
Commentators have argued that the spat has worrying echoes of American policy under the Trump administration: more focused on country first at the expense of vital security partnerships on the world stage.
The news could not come at a worse time, given the growing might of China in the region and its burgeoning military alliance with Russia, as well as the continued threat from North Korea.
There is an increasingly cyber-focused dimension to military alliances and warfare today. In 2017, NATO confirmed it was establishing cyber as a legitimate military domain in light of the North Korean WannaCry and Russia NotPetya attacks.
Cryptocurrency exchange bitFlyer has announced that it is adding Ethereum (ETH) to its Buy/Sell trading platform.
bitFlyer Buy/Sell users in Europe and the US will now be able to send and receive ETH while ensuring they adhere to the robust regulatory standards bitFlyer guarantees for Bitcoin (BTC) transactions.
Andy Bryant, co-head and COO, bitFlyer Europe, said: “At bitFlyer, we want to offer not just the most popular coins, but the most respected ones too, which makes ETH a logical choice to expand our service offering. Not only has ETH proved itself as a useful altcoin, particularly in relation to smart contracts, it has an incredibly strong community that surrounds it. We’re committed to offering the best customer experience whilst prioritizing security and regulatory standards, and we’re proud to say Buy/Sell now offers this capability with ETH.”
Hailey Lennon, head of legal and regulatory affairs at bitFlyer USA, explained that crypto-regulation is evolving, and bitFlyer works to ensure that everything listed on its exchange complies with the global regulatory standards. “We’re excited for today’s announcement, adding Ether to our growing portfolio of coins with NYDFS approval, and we’re looking forward to launching more coins in the coming months,” she added.
bitFlyer is the only cryptocurrency exchange to be licensed in Japan, the US and Europe combined.
Ukrainian security service (SBU) agents have arrested several nuclear power plant employees in the country after they misguidedly tried to use their facility’s IT systems to mine for cryptocurrency.
Local media reports this week said the incident occurred on July 10 at the plant in Yuzhnoukrainsk in the south of the country.
The workers are said to have hooked up a supercomputer, which was kept air-gapped at the power plant, to the internet. In so doing, it’s claimed they unwittingly disclosed information on the physical security measures in place at the nuclear facility, which is a state secret.
The SBU officers seized unauthorized computer equipment which had been used to build a separate LAN designed to mine for cryptocurrency.
They reportedly took six Radeon RX 470 video cards, extension cords and cabling, various switches, a motherboard, a USB flash drive, a hard drive and even the metal frame on which was mounted the other items.
Equipment was also seized after separate searches were carried out at other parts of the facility, including premises used by a Ukrainian military unit stationed there.
This isn’t the first time such an incident has been discovered. In February 2018 it emerged that engineers at the Russian Federal Nuclear Center had been arrested for trying to mine Bitcoin with one of the country’s largest supercomputers.
“This is a great example of 'trust but verify',” argued Phil Neray, VP of industrial cybersecurity at CyberX. “Even with the strictest policies and regulations in the world, it's all theoretical if you aren't continuously monitoring for unusual or unauthorized activity.”
The news comes as new research from Kaspersky this week revealed human error was behind over half (52%) of cybersecurity incidents detected by the AV vendor in industrial environments last year.
The City of London Corporation has suffered nearly one million cyber-attacks each month for the first quarter of 2019, according to Freedom of Information (FOI) data obtained by Centrify.
The security vendor wanted to find out more about the cyber-risks facing the local authority, which governs the part of the capital housing much of the UK’s financial center.
It found that the governing body was hit by nearly 2.8 million attacks in the first three months of the year: an average of 927,000 per month. That’s up significantly (90%) from the 489,000 per month recorded in April-December 2018.
In total, the City of London suffered 7.2 million attacks from April 2018 to March 2019, of which, the vast majority (6.9 million) were classed as spam.
The second highest category was “spoof mail,” at 244,293 attacks — presumably related to phishing attempts. There were also 17,556 detections of “top malware.”
The findings could either be interpreted as a worrying rise in attacks, or proof that detection methods are getting better.
As well as 10,000 residents, the City of London welcomes millions of annual tourists thanks to attractions like the Tower of London and hundreds of thousands of daily commuters who work in one of the world’s biggest financial hubs.
“The high volume of sensitive public information contained within the systems and databases of organisations like the City of London Corporation make it a top target for cyber-criminals. Malicious email scams such as phishing and malware attacks form a substantial part of the wider cyber threat facing councils across the country, in London and beyond,” warned Centrify VP, Andy Heather.
“With so many attacks taking place every day, it’s vital that all organizations adopt a zero trust approach to user activity, to prevent hackers gaining access to council systems using legitimate log-in details that may have been stolen or purchased on the dark web.”
In 2016 it emerged that the City was being hit by more ransomware attacks than many countries.
People have been turning to LinkedIn since 2002 as a way to develop their network of business contacts. The professional social networking site has 645 million users in over 200 countries and territories around the world, who spend an average of 17 minutes on the site per month.
While using LinkedIn may be preferable to eating stale croissants and swapping business cards at yet another networking breakfast event, it has one major downside: fake profiles.
Fake profiles are typically characterized by poor spelling and grammar, a lack of engagement, a limited number of connections and a suspicious or incomplete work history.
It’s also not unusual for the photo in a fake profile to depict someone who, if they were really that good looking, would be making a living from modeling underwear on a beach somewhere rather than heading up a small HR team at a recruitment firm in Croydon.
The faux profiles, which are often duplicated, are used to contact genuine professionals to fish for information such as how to get hired at a particular company. Spam of this type can be a frequent and extremely irritating problem for executives bugged daily by multiple connection requests from fake profiles.
LinkedIn is aware of the problem and has been making a concerted effort to rid the site of its pretenders.
Paul Rockwell, LinkedIn’s head of trust and safety, said: “Our teams are working to keep LinkedIn a safe place for professionals by proactively finding fake profiles then removing them and any content they share. Between January and June 2019, we took action on 21.6 million fake accounts.”
LinkedIn managed to prevent 19.5 million fake accounts from being created by automatically halting the registration process. The other 2 million fake accounts were restricted after the company paired human review with AI, machine learning and reports of fake accounts made by genuine members.
Automation plays a key part in LinkedIn’s defense against the incoming wave of fakers. According to Rockwell, automated defenses, including AI and machine learning, prevented or took down 98% of all fake accounts. The rest were captured through manual review.
Rockwell said: “When we stop fake accounts, we start more chances for economic opportunity."
In an Aesop's fable for the digital age, Fortnite players who try to cheat are themselves being duped by ransomware disguised as a game hack.
Research conducted by cloud security specialists Cyren has found that a cheat tool claiming to improve the accuracy of a player's aim (known as an aimbot) is in reality a piece of malware designed to cause data loss.
Roughly 250 million players of the online video game were targeted by the ransomware, which has the filename "SydneyFortniteHacks.exe" and is known as Syrk.
Players who download Syrk in the misguided belief that they've stumbled across a sneaky way to up their game end up with a 12MB executable file. When the file is executed, the ransomware beast awakens and starts encrypting images, videos, music and documents stored on the player's computer. The encrypted files are marked with a .syrk file extension.
The unlucky player is then sent a threatening message demanding payment in return for a decryption password. The message includes an email address that the player must contact to discover how to make the payment.
The player is warned that if payment isn't received within two hours, files in their photo folder will be deleted, followed by files on their desktop. To underline the time-sensitive nature of the threat, the menacing message is unsubtly accompanied by a giant countdown clock.
This nasty little piece of open source ransomware was built with tools readily available on the internet. And, in a doubly deceptive move, its creators built Syrk by reworking an existing piece of ransomware called Hidden-Cry. The source code for Hidden-Cry was shared on Github last year.
Fortunately, the means to decrypt the affected files can be found on machines infected with the ransomware. The file dh35s3h8d69s3b1k.exe – the Hidden-Cry decrypting tool – is one of the resources embedded in the main malware.
The discovery of Syrk follows news earlier this month that Fortnite players had been targeted by malware named Baldr, also hidden in cheat hacks distributed as links via YouTube. The moral of the story is "don't cheat," but with a $30 million prize pool for the recent Fortnite World Cup, it's easy to see how players fall victim to temptation.
With more than $450 million stolen, sunny California lost more money than any other state, but at 21.67 victims per 10,000 residents, Alaska had the highest per capita victim count.
Although more people were scammed in The Last Frontier State than in any other US state, Alaskans lost the least amount of money per person, with each victim being conned out of $2,256.30 on average.
Across the state, the total number of people targeted by cyber-thieves was 1,606, based on the number of complaints received. Overall, the state's total losses in 2018 from internet scams was a painful $3.62 million.
At the other end of the scale, the state with the fewest victims per capita for the second year in a row was South Dakota. The Midwestern state, known for the Black Hills into which the faces of four presidents have been carved, had just 5.3 victims per 10,000.
Nearly $650 million was stolen from people aged 60 and over, who the report showed are the preferred prey for scammers. This age group is particularly vulnerable to confidence/relationship fraud, which occurs when scammers convince victims to send money to someone who appears to be a trustworthy person from a recognized brand, potential romantic partner or long-lost relative.
The total losses to internet scams across the United States in 2018 exceeded $2.7 billion.
The statistics are based on a total of 351,936 complaints received in 2018 by the FBI's Internet Crime Complaint Center (IC3). The real totals regarding the number of victims and the amount of money stolen through internet scams could potentially be much higher.
Many of the scams were executed over social media but most of the money was stolen through the use of fake emails. Business email compromise (BEC) and Email account compromise (EAC) schemes accounted for more than $1 billion in losses.
Matt Gorham, assistant director of the bureau’s cyber division, said: “The most prevalent crime types reported by victims were nonpayment/nondelivery, extortion and personal data breach. The top three crime types with the highest reported loss were BEC, confidence/romance fraud and nonpayment/nondelivery."
Today, August 8, marks GCSE Results Day and shows a significant drop in the number of students taking Computing and ICT exams, with a clear gender gap also apparent.
The 2019 GCSE results indicated that 68,965 male students and 20,577 female students took Computing and ICT this year, compared to 94,587 (males) and 35,623 (females) in 2018. That represents an overall drop of 40,668 fewer students.
These figures are particularly concerning given the current skills gap that the cybersecurity industry is facing. In fact, global certification association (ISC)2 has estimated that the cybersecurity industry is suffering from a workforce shortage of 2.9 million employees.
“It’s worrying to see fewer and fewer students taking Computing and ICT subjects at GCSE,” said Agata Nowakowska, AVP at Skillsoft. “Last year we saw 9000 fewer students take the exams, this year it’s 40,668 fewer. We need to take action now to turn this around.”
The digital skills gap in industry is fast expanding and already at a level that can't be filled quickly enough, Nowakowska added, and so encouraging more students to take these exams isn’t enough.
“We need to focus on getting them in and keeping them there – encouraging more students to pursue these subjects through to A-Levels, degrees and beyond. The current picture is bleak and goes much deeper than exam numbers.
“The challenge is changing the ingrained unconscious biases that say these subjects are dull, boring or just for boys. Whilst it is of course disappointing to see the gender gap continue in these subjects, what is more concerning is that these results are reflective of the lack of female role models in technology and STEM as a whole. Young girls have claimed in the past that they are put off subjects such as Computing because they see them as ‘too difficult,’ but a large number of young women have also admitted to regretting not pursuing these subjects for longer. There is an opportunity here for a paradigm shift that we are simply not taking."
Nowakowska therefore argued that the onus is on parents, teachers and business leaders to show that there is a place for girls in technology.
“There are so many programs aimed at getting girls interested in these areas, but we need to go further to challenge and eradicate the old fashioned views that are clearly still very much ingrained in the public consciousness.”
The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research.
The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general, William Barr.
Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes.
Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users.
This argument has been repeatedly shot down, not only by the tech firms themselves, but also world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.
Now the IT security community is arguing that backdoors would also expose countries to the threat of cyber-attacks on election infrastructure — an increasingly important issue as the 2020 Presidential election comes into view.
While 80% agreed with this sentiment, 74% said countries with government-mandated encryption backdoors are more susceptible to nation-state attacks, 72% claimed they don’t reduce the terrorist threat and 70% argued they put countries at a distinct economic disadvantage.
Last month a Senate report revealed that voting infrastructure in all 50 states was most likely compromised by Russian hackers ahead of the 2016 election. It warns that if Russia’s preferred candidate doesn’t win in 2020, it could seek to use this access to de-legitimize the result.
“We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security,” argued Venafi VP of security strategy and threat intelligence, Kevin Bocek.
“On a consumer level, people want technology that prioritizes the security and privacy of their personal data. This kind of trust is priceless. Encryption backdoors would not only make us much less safe at a national level, they also clearly have the potential to inflict significant economic and political damage.”
Over a third of organizations have already suffered an attack on their cloud systems, yet many are failing to eradicate potential security blind spots, according to a new poll from Outpost24.
The cyber-assessment vendor interviewed 300 attendees at this year’s Infosecurity Europe show in London in June.
It found that while 37% admitted suffering a cloud attack, over a quarter (27%) said they don’t know how quickly they could tell if their cloud data has been compromised.
This lack of visibility into cloud environments also extends to testing: 11% claimed they never run any kind of testing in the cloud, while nearly a fifth (19%) said they only do so annually.
Given these findings it’s perhaps not surprising that nearly half of respondents (42%) said they believe on-premises data is more secure than that hosted in the cloud.
Despite these misgivings, a third (34%) of businesses said that more than half of their products/apps are running in the cloud, while 15% said all their assets were.
Bob Egner, VP at Outpost24, argued that cloud environments offer major cost and scalability benefits, but security can get more complex when firms start to use multiple clouds across different providers.
“Organizations should treat their cloud assets just as they would their on-premises assets and apply all the same security principles of vulnerability and application security assessment, plus checks for cloud misconfigurations and security posture,” he added.
“It is extremely important to understand the shared responsibility model and what cloud service providers such as Amazon Web Services (AWS) and Microsoft Azure can and cannot offer in terms of security. Ultimately the responsibility of protecting your data and cloud workloads lies with you, the organizations using cloud services.”
Cloud misconfiguration is a particular challenge, with hackers now stepping up efforts to find exposed databases via automated scans. The Cloud Security Alliance recently put this on its “egregious 11” list of top threats to cloud computing.
Organizations that prioritize patch updates primarily according to compliance requirements and use the Common Vulnerability Scoring System (CVSS) struggle with their vulnerability management programs, according to new research.
Perhaps unsurprisingly it found that those with high performing vulnerability management programs tended to use specific tools to prioritize patches based on cyber-risk.
However, those that based their prioritization decisions mainly on CVSS scores performed worse than organizations that simply ignored the system, the report claimed.
Although the impact was less serious, there was also a correlation between using compliance requirements as a primary driver in prioritizing vulnerabilities and lower coverage rates.
“Compliance is oftentimes a necessary and important method for prioritization but using compliance as the primary remediation tactic correlated with reduction of overall coverage of high-risk vulnerabilities,” Kenna Security CTO, Ed Bellis, told Infosecurity.
“We believe using a remediation strategy that focuses on both the likelihood of the vulnerability being exploited along with the impact of the exploitation (high risk) to be the optimal approach. CVSS and some other methodologies are not a good measure of exploitation likelihood and can result in companies doing much more work or missing high risk vulnerabilities altogether.”
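As an added illustration of the likelihood-times-impact argument above (example code written for this page, not from Kenna Security or the report), the script below patches the top-N findings under a CVSS-only ordering and under a risk-based ordering for a constructed inventory and measures how many high-risk findings each strategy covers. All identifiers, scores and likelihood estimates are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str        # placeholder label, not a real CVE id
    cvss: float         # CVSSv2-style base score, 0.0 - 10.0
    likelihood: float   # estimated probability of in-the-wild exploitation, 0.0 - 1.0
    impact: float       # criticality of the affected asset, 0.0 - 1.0


def risk(v: Vuln) -> float:
    """Risk-based score: likelihood of exploitation times impact if exploited."""
    return v.likelihood * v.impact


def high_risk(vulns, threshold=0.5):
    """Findings whose combined risk score meets the threshold (the ones that matter most)."""
    return {v.vuln_id for v in vulns if risk(v) >= threshold}


def coverage(vulns, key, budget, threshold=0.5):
    """Fraction of high-risk findings fixed when only the first `budget` items,
    ordered by `key` (highest first), get patched in this cycle."""
    ordered = sorted(vulns, key=key, reverse=True)
    fixed = {v.vuln_id for v in ordered[:budget]}
    hr = high_risk(vulns, threshold)
    return len(hr & fixed) / len(hr) if hr else 1.0


# Constructed inventory: several high-CVSS findings with no known exploitation,
# and several mid-CVSS findings that are actively exploited on critical assets.
SAMPLE = [
    Vuln("V1", cvss=9.8, likelihood=0.05, impact=0.9),
    Vuln("V2", cvss=9.3, likelihood=0.02, impact=0.6),
    Vuln("V3", cvss=7.5, likelihood=0.90, impact=0.8),
    Vuln("V4", cvss=6.8, likelihood=0.85, impact=0.7),
    Vuln("V5", cvss=7.0, likelihood=0.10, impact=0.9),
    Vuln("V6", cvss=5.0, likelihood=0.95, impact=0.6),
    Vuln("V7", cvss=4.3, likelihood=0.20, impact=0.3),
    Vuln("V8", cvss=7.2, likelihood=0.60, impact=0.5),
]

if __name__ == "__main__":
    budget = 3  # patches the team can ship this cycle
    print("high-risk findings:", sorted(high_risk(SAMPLE)))
    print("coverage, CVSS ordering:", coverage(SAMPLE, key=lambda v: v.cvss, budget=budget))
    print("coverage, risk ordering:", coverage(SAMPLE, key=risk, budget=budget))
```

With a budget of three patches the CVSS ordering spends two slots on unexploited findings and covers one of the three high-risk items, while the risk ordering covers all three.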
Elsewhere, the report found that companies which dedicate discrete teams to patch specific areas of the technology stack tend to fare better in vulnerability management. Defining service-level agreements (SLAs) for fixing vulnerabilities also improves the speed and overall performance of remediation, it claimed.
Bigger budgets correlated with an increased ability to remediate more bugs at a faster rate.
According to one vendor, over 22,000 vulnerabilities were publicly disclosed last year, a third of which received a CVSSv2 score of 7 or above.
Google and Mozilla today took action to protect the online security and privacy of internet users in Kazakhstan following credible reports that the Kazakhstan government was intercepting internet traffic within the country.
A report published on Censoredplanet.org presented evidence that Kazakhstan’s internet providers were requiring users to download and install a government-issued certificate on all devices and in every browser in order to access the internet.
Once a user downloads the certificate, the government is able to intercept account information and passwords belonging to that user and can decrypt and read everything the user types and posts. This style of attack is known as a man-in-the-middle (MitM).
The HTTPS connections targeted by Kazakhstan’s government read like the list of websites an anxious parent might search when trying to track down their unruly teenager. They include Instagram, Facebook, Twitter, YouTube, Google Hangouts and Russian social network OK.RU.
The Censored Planet report stated that “although the interception is not yet occurring country-wide, it appears the government is both willing and potentially capable of widespread HTTPS interception in the near future.”
Browser companies Google and Mozilla deployed technical solutions within Chrome and Firefox to block the Kazakhstan government’s ability to intercept internet traffic within the country.
Marshall Erwin, senior director of trust and security at Mozilla, said: “Protecting our users and the integrity of the web is the reason Firefox exists.”
Speaking on behalf of Chrome, Parisa Tabriz, senior engineering director, said: “We will never tolerate any attempt, by any organization – government or otherwise – to compromise Chrome users’ data.”
What the Kazakhstan government lacks in subtlety when it comes to spying on the online activity of its citizens, it makes up for in persistence.
The Kazakhstan government put in a request with Mozilla back in 2015 to have a root certificate included in the company’s trusted root store program. The request was denied when Mozilla discovered that the government intended to use the certificate to intercept users’ data.
Undeterred, the government tried to force its citizens to manually install the certificate, but its ruse failed when organizations took legal action.
The healthcare industry has many ailments: financial pressures, a lack of skilled healthcare providers, uncertainties around reform and, in many cases, an increasingly unhealthy populace. But that’s not all it has to deal with.
The FireEye report identifies cyber-espionage as one of the top three most common threats to the sector. Making up the triad of terror are data theft and disruptive and destructive threats.
An interesting finding made by FireEye was the large number of healthcare-associated databases observed for sale online between October 1, 2018, and March 31, 2019.
The databases – the majority of which could be bought for under $2,000 – contained personally identifiable information (PII) and protected health information (PHI), such as patients' ZIP codes, email addresses, driver’s licenses and health insurance details associated with healthcare institutions in the US, the UK, Canada, Australia and India. Some data sets were on sale for as little as $200.
Luke McNamara, a principal analyst at FireEye Intelligence, said: “The large number of data sets being sold and the low prices you can purchase the sets for shows how ubiquitous access to them is.”
The report acknowledged that “buying and selling PII and PHI from healthcare institutions and providers in underground marketplaces is very common” and predicted that this scenario was unlikely to change given the data’s “utility in a wide variety of malicious activity ranging from identity theft and financial fraud to crafting of bespoke phishing lures.”
Thefts of valuable research and mass records were observed being carried out by nation-states as well as by individuals.
FireEye witnessed the deployment of multiple advanced persistent threat (APT) attack campaigns by several different countries, including China, Vietnam and Russia. China attracted special mention in the report for showing a particular interest in mining data linked to cancer research.
Asked if China was the biggest culprit when it came to cyber-espionage, McNamara said: “I think so, from what we have seen over the years. They have shown the most concerted interest in the space.
“There are well-known groups like APT 32 from Vietnam who targeted the UK and many one-offs, but China by far makes up most of the activity.”
Healthcare organizations will continue to be attractive targets for cyber-criminals because of the nature and quantity of the data with which they are associated. At least with this report, they have some idea of what’s lurking in the shadows.
McNamara said: “By putting this report out there we hope to get organizations to understand the range of threats out there.”
An article published last Tuesday on the Business Insider website reported that Facebook recently sent a cease-and-desist letter to the company behind the app Who’s in Town and took action to disable the personal Facebook account of the app’s creator Erick Barto.
Speaking exclusively to Infosecurity Magazine, Barto confirmed that although he had received a cease-and-desist letter from legal firm Perkins Coie representing Facebook, the Who’s in Town app was still very much active.
Barto said: “The Who’s in Town app is still up and running and statements about Facebook blocking it are untrue.
“I had a couple of apps in the Facebook developer dashboard that were very old from 2013. They were legacy apps in my account. Facebook closed them and they closed my Facebook account and blocked my personal Instagram account.”
Asked whether Who’s in Town would be complying with the cease-and-desist letter, Barto said that the company “would reply, not comply,” in an effort to start a conversation with Facebook about the safe handling of data.
The Who’s in Town app allows users to monitor the movements of people they follow on Instagram. It works by collecting geotag data shared publicly on Instagram and displaying the data in an interactive map.
Barto designed the app to highlight the amount of data people are constantly sharing online and show how easily such data can be collected and misused. With this point now made and a cease-and-desist letter from Facebook hanging over Who’s in Town’s head, you could be forgiven for thinking the outlook for the app is somewhat bleak. According to Barto, this is not the case.
Barto said: “We want more people to know about it because in the past with other projects we have made we have had more reach. As soon as we feel we have made our point with Who’s in Town we want to propose a solution to the problem, to work with Facebook on how to use data safely.”
Asked if he was nervous about taking Facebook on, Barto said: “Not if the outcome is worth it.”
The number of account takeover (ATO) cases going to court in the UK climbed 57% in the first half of 2019 as cybercrime continues to professionalize, according to KPMG.
The consulting giant’s biannual Fraud Barometer report has been analyzing crime trends in the UK over the past 30 years, specifically major fraud cases being heard in Crown Courts, where charges top £100,000.
It claimed hackers are using a variety of techniques across email, SMS and mobile apps to grab personal identity data, which then allows them to hijack victims’ online bank and credit card accounts.
However, the law is slowly catching up – at least when it comes to bank account takeover.
“The Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956) entered into force in June, and require banks to repay funds to customers stolen as a result of account takeover,” explained KPMG's UK head of investigations, Roy Waligora. “Whilst this is a very positive step for the customer, we all need to remain vigilant as consumers will continue to bear such costs indirectly.”
ATO is also rife across consumers’ digital lives, of course, with hackers using phishing, credential stuffing and brute forcing techniques to crack everything from email inboxes to Uber and Netflix accounts.
The report also highlighted the continued commercialization of cybercrime, facilitated by the underground economy and dark web-based partnerships.
In one case, a Tyneside man was jailed for 28 months at Newcastle Crown Court after fronting a classic tech support scam designed to trick panicked users into handing over their bank account details.
Victims lost hundreds of thousands of pounds in the international campaign, which used India-based ‘call center’ scammers.
“Although awareness of cyber-criminality has increased, with a fifth of the public believing that cybercrime is the biggest challenge facing the UK today, this hasn’t been enough to stem the tide in account takeovers,” warned Rob Norris, VP enterprise and cybersecurity at Fujitsu.
“While potential attacks are not always easy to spot, a broader education on how to detect fraudulent emails is key not just to consumers’ own finances, but their employers as well; what a consumer intentionally or not exposes themselves to at home, they are also likely to do at work. The finances of consumers and success of businesses depend on this rigorous education.”