A scareware attack is targeting Apple iPhone and iPad users, “locking” their browsers unless they pay a ransom.
According to Lookout Inc., “the attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying,” the firm explained in a blog.
The irony of course is that this is not an actual ransomware campaign—it’s just cleverly disguised as one.
“A knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the iOS Settings—the attack doesn’t actually encrypt any data and hold it ransom,” Lookout noted. “Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.”
As such, the attack is contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, the firm said.
As for victim targeting, the group behind this campaign purchased a large number of domains intended to catch users seeking controversial content on the internet, including pornography and some music-oriented sites. Each site served a different message based on the visitor's country code. Once a target is identified, the pop-up messages include an email address for the target to contact; these addresses appear to be country-specific and part of a wider phishing campaign.
Apple's iOS update yesterday addressed the issue, but users who have not yet updated their devices are still at risk. The computing giant closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app, according to Lookout.
Artificial intelligence (AI) and machine learning (ML) have been marketed as game-changing technologies amid the climbing number of breaches, the increased prevalence of non-malware attacks and the waning efficacy of legacy antivirus (AV). Yet doubts still persist, especially when they are used in silos. For now, it appears to be a fledgling space.
According to Carbon Black’s Behind the Hype report on the subject, nearly two-thirds (64%) of security researchers said they’ve seen an increase in non-malware attacks since the beginning of 2016; and, the vast majority (93%) of security researchers said non-malware attacks pose more of a business risk than commodity malware attacks.
This group of attacks includes remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).
Against this backdrop, two-thirds of security researchers said they were not confident that legacy AV could protect an organization from non-malware attacks, such as those seen in the recent WikiLeaks CIA data dump—opening the door for new approaches. Yet, three-quarters (74%) of researchers said AI-driven cybersecurity solutions are still flawed and 87% of security researchers said it will be longer than three years before they trust AI to lead cybersecurity decisions.
“AI technology can be useful in helping humans parse through significant amounts of data,” the report noted. “What once took days or weeks can be done by AI in a matter of minutes or hours. That’s certainly a good thing. A key element of AI to consider, though, is that it is programmed and trained by humans and, much like humans, can be defeated. AI-driven security will only work as well as it’s been taught to…While AI is being used to effectively highlight nonobvious relationships in data sets, it still appears to be in its nascent stages.”
As a result, only 13% of these researchers indicated they will look to implement AI-driven cybersecurity solutions at their organizations over the next three years.
On the ML front, 70% of security researchers said attackers can bypass ML-driven security technologies; and nearly one-third (30%) said it’s easy to do so.
“Any reasonable ML approach to endpoint security is going to face the problem of obtaining training data at scale. If you’re looking at files, you’ll need a lot of files,” Carbon Black noted. “If you’re looking at behavior, you’re going to need a lot of behavior. Unfortunately, obtaining many examples of real attacks as they happen isn’t always feasible.”
Carbon Black recommends that users assemble a massive body of baseline data, a torrent of detonation data, and statistics and comparisons among behaviors for validation.
“Collectively, these approaches will give you a powerful set of tools to generate patterns of malicious behavior,” the report said.
Bottom line? This is a nascent space. While AI and ML-driven security solutions can exist as effective components to cybersecurity programs, they should not yet be exclusively relied upon as sole protections.
“According to a majority of security researchers, cybersecurity will continue to be, at least for the next five years, a battle of human vs. human, where AI and ML can be used to augment and empower human reasoning, not replace it,” the report concluded.
In case anyone doubted that data breaches are in full-court press mode, research from Gemalto has revealed that a full 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016. Big events like the AdultFriendFinder breach contributed significantly to the spike.
That represents a whopping increase of 86% compared to 2015, according to Gemalto’s Breach Level Index. And further, more than 7 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. That translates to over 3 million records compromised every day, or roughly 44 records every second.
Identity theft was the leading type of data breach in 2016, accounting for 59% of all data breaches and up by 5% from 2015. The second most prevalent type of breach in 2016 was account access-based breaches—these made up 54% of all breached records, which is an increase of 336% from the previous year. This highlights the cyber-criminal trend from financial information attacks to bigger databases with large volumes of personally identifiable information, Gemalto said in its report.
Another notable data point is the nuisance category, with an increase of 102% accounting for 18% of all breached records—this category is thus up 1,474% since 2015.
“The Breach Level Index highlights four major cyber-criminal trends over the past year,” said Jason Hart, vice president and CTO for data protection at Gemalto. “Hackers are casting a wider net and are using easily-attainable account and identity information as a starting point for high-value targets. Clearly, fraudsters are also shifting from attacks targeted at financial organizations to infiltrating large data bases such as entertainment and social media sites. Lastly, fraudsters have been using encryption to make breached data unreadable, then hold it for ransom and decrypting once they are paid.”
Speaking of encryption, last year 4.2% of the total number of breach incidents involved data that had been encrypted in part or in full, compared to 4% in 2015. In some of these instances, the password was encrypted, but other information was left unencrypted. However, of the almost 1.4 billion records compromised, lost or stolen in 2016, only 6% were encrypted partially or in full (compared to 2% in 2015).
"Knowing exactly where their data resides and who has access to it will help enterprises outline security strategies based on data categories that make the most sense for their organizations,” Hart said. “Encryption and authentication are no longer ‘best practices’ but necessities. This is especially true with new and updated government mandates like the upcoming General Data Protection Regulation (GDPR) in Europe, US state-based and APAC country-based breach disclosure laws. But it’s also about protecting your business’ data integrity, so the right decisions can be made based on accurate information, therefore protecting your reputation and your profits.”
The Breach Level Index also measures the severity of breaches based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious from those that are truly impactful (scores run 1-10).
Last year, the account access-based attack on AdultFriendFinder exposing 400 million records scored a 10 in terms of severity on the Breach Level Index. Other notable breaches in 2016 included Fling (BLI: 9.8), Philippines' Commission on Elections (COMELEC) (BLI: 9.8), 17 Media (BLI: 9.7) and Dailymotion (BLI: 9.6). The top 10 breaches in terms of severity accounted for over half of all compromised records.
While Yahoo! reported two major data breaches involving 1.5 billion user accounts, these were not accounted for in the BLI’s 2016 numbers, since they occurred in 2013 and 2014. Also, 52% of the data breaches in 2016 did not disclose the number of compromised records at the time they were reported.
The report also found that malicious outsiders were the leading source of data breaches, accounting for 68%, up from 13% in 2015. The number of records breached in malicious outsider attacks increased by 286% from 2015. Hacktivist data breaches also increased in 2016 by 31%, but only account for 3% of all breaches that occurred last year.
Across industries, the technology sector had the largest increase in data breaches in 2016. Breaches rose 55%, but only accounted for 11% of all breaches last year. Almost 80% of the breaches in this sector were account access and identity theft related. They also represented 28% of compromised records in 2016, an increase of 278% from 2015.
The healthcare industry accounted for 28% of data breaches, rising 11% compared to 2015. However, the number of compromised data records in healthcare decreased by 75% since 2015. Education saw a 5% decrease in data breaches between 2015 and 2016 and a drop of 78% in compromised data records. Government accounted for 15% of all data breaches in 2016. However, the number of compromised data records increased 27% from 2015. Financial services companies accounted for 12% of all data breaches, a 23% decline compared to the previous year.
The monthly smartphone infection rate in the second half of 2016 jumped 83% from the first six months, with overall infections in mobile networks reaching an all-time high in October, according to new data from Nokia.
The infection rate in mobile networks – which includes Windows/PC systems connected by dongle and mobile IoT devices – rose “steadily” during the year to hit a new high of 1.35% in October.
The vast majority of infections (85%) discovered in mobile networks belonged to smartphones, with Android (81%) the main culprit, followed by Windows/PCs (15%) and 4% linked to iPhones and other mobile devices.
“Many people are surprised to find that Windows/PCs are responsible for a large portion of the malware infections detected when analyzing mobile network traffic. These Windows/PCs are connected to the mobile network using USB dongles and mobile Wi-Fi devices or simply tethered through smartphones. They are responsible for 15% of the malware infections observed. This is because these devices are still a popular target for professional cybercriminals who have a huge investment in the Windows malware ecosystem. However, as the smart phone becomes the more preferred platform for accessing the internet, cybercrime is clearly moving in that direction.”
The news comes as Apple issued its iOS 10.3 release, designed to fix a Safari-based scareware issue and more importantly roll out a whole new file system which will make encryption an even bigger part of devices.
First announced at the Worldwide Developers’ Conference last year, the Apple File System (APFS) will replace the decades-old Hierarchical File System (HFS).
Reports suggest it could help users save some disk space and speed up performance, but perhaps most controversially will support strong full disk encryption natively.
Users will be able to choose a maximum security “multi-key encryption with per-file keys for file data, and a separate key for sensitive metadata”.
As described by Apple: “Multi-key encryption ensures the integrity of user data even when its physical security is compromised."
This is sure to raise the hackles of law enforcers and politicians on both sides of the Atlantic, but will please businesses and Apple users no end.
Only a few days ago home secretary Amber Rudd attacked tech firms like WhatsApp for allowing terrorists to hide their communications, and hinted that she would be looking to force some kind of compromise on encryption. That appears even more unlikely after this latest update.
LastPass engineers have Google researcher Tavis Ormandy to thank yet again for another busy few days after the British white hat found a second critical bug in the password manager.
Ormandy tweeted over the weekend that he began ‘working’ on the research in an unusual location:
“Ah-ha, I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. Full report and exploit on the way.”
On Monday, LastPass responded by explaining that the Google Project Zero man had reported a new client-side vulnerability in its browser extension.
“We are now actively addressing the vulnerability. This attack is unique and highly sophisticated,” it added.
“We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”
The firm offered a few steps that users could take to protect themselves from client-side security issues.
These include: launching sites directly from the LastPass vault; switching on two-factor authentication for any site that offers it; and being constantly on the lookout for phishing attacks.
It’s the second vulnerability in a week that Ormandy has reported to LastPass.
Last week, the password manager firm was forced to fix a critical zero day that would have allowed remote code execution, enabling an attacker to steal users’ passwords.
The prolific Ormandy also helped to make the firm more secure last year when he found “a bunch of obvious critical problems” in the service.
Yet he has also publicly appeared to query the logic of using an online service which, if breached, could give up its customers’ passwords.
One Twitter follower claimed at the time: “I'm perplexed anyone uses an online service to store passwords.” Ormandy responded: “Yeah, me too.”
Rights groups, former military bosses and law enforcers have dismissed the home secretary’s attack on end-to-end encryption, claiming she already has some of the most sweeping surveillance powers of any state at her disposal.
Amber Rudd took to the Andrew Marr Show on Sunday to criticize firms like WhatsApp and Facebook, which use encryption to secure messages for their users, as aiding terrorists.
“We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,” she said, branding it “completely unacceptable” that the authorities can't access messages on these services in emergencies.
It emerged that Westminster attacker Khalid Masood may have used WhatsApp moments before he killed four people outside the Houses of Parliament last week.
However, experts have been quick to dismiss Rudd’s calls.
The Ministry of Defence’s former cybersecurity boss, major general Jonathan Shaw, accused her of using the tragedy to impose her political will on others. He argued that terrorists will simply move on to other more secure methods of communication.
“The problem will mutate and move on. We are aiming at a very fluid environment here. We are in real trouble if we apply blunt weapons to this, absolutist solutions,” he told BBC Radio 4’s Today program.
Liberal Democrat home affairs spokesperson, Brian Paddick – a former deputy assistant commissioner at the Met – argued that what Rudd is calling for is “neither a proportionate nor an effective response".
Meanwhile, Open Rights Group executive director, Jim Killock, branded Rudd’s words nothing more than “cheap rhetoric”.
The Investigatory Powers Act already provides the home secretary with the theoretical ability to enforce a “Technical Capability Notice” – which could be used to persuade tech firms to create backdoors, he claimed.
“The striking thing is that if she was genuinely serious about her suggestion, she would not be making public demands; she would be signing legal orders to force companies to change their products. She would not be telling us about this,” Killock added.
“We should use Amber Rudd’s cheap rhetoric as a launch pad to ask ourselves why she has such sweeping powers, and what the constraints really amount to.”
The FBI is warning of a concerted effort on the part of cyber-criminals to target medical and dental facilities via their File Transfer Protocol (FTP) servers.
Criminals are accessing protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass and blackmail business owners. The Feds said that the Bureau is aware of criminal actors who are actively targeting such facilities via insecure FTP servers that are operating in “anonymous” mode.
“Research conducted by the University of Michigan in 2015 titled, ‘FTP: The Forgotten Cloud,’ indicated over 1 million FTP servers were configured to allow anonymous access, potentially exposing sensitive data stored on the servers,” the FBI said in its alert. “The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or email address.”
While computer security researchers are actively seeking FTP servers in anonymous mode to conduct legitimate research, cyber-criminals could also use an FTP server in anonymous mode and configured to allow “write” access to store malicious tools or launch targeted cyberattacks.
“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber-criminals who can use the data for criminal purposes such as blackmail, identity theft or financial fraud,” the FBI warned.
Medical and dental healthcare entities should ask their respective IT services personnel to check their networks for FTP servers running in anonymous mode. If a business has a legitimate use for operating an FTP server in anonymous mode, administrators should ensure that sensitive PHI or PII is not stored on the server.
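The following script is an added example, not part of the FBI alert and not a tool it names: it performs the check the alert recommends against an FTP server you administer, attempting the anonymous login the alert describes (user `anonymous` with a generic email-style password) and reporting whether the server accepted it. It stops at the login step and never lists, retrieves or uploads files; whether PHI or PII sits on a server that accepts the login is then for the administrator to confirm. A constructed throwaway FTP-like server on localhost is included so the check can be exercised offline. The function and server names (`check_anonymous_ftp`, `run_fake_ftp_server`) are this example's own.

```python
import socket
import threading

# Added example: audit a host you administer for the anonymous-FTP login the FBI alert
# describes. Function and server names here are this example's own, not the alert's.

ANON_USER = "anonymous"
ANON_PASS = "anonymous@example.com"  # generic email-style password, as the alert describes


def read_reply(reader):
    """Read one FTP reply, single- or multi-line (RFC 959), returning (code, full_text)."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the control connection")
        line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
        lines.append(line)
        # The final line of a reply is "ddd<SP>text"; intermediate lines are "ddd-text".
        if len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] == " "):
            return int(line[:3]), "\n".join(lines)


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Try the anonymous login against host:port; never lists, retrieves or uploads files."""
    result = {"host": host, "port": port, "banner": "", "anonymous_login": False, "detail": ""}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        code, banner = read_reply(reader)
        result["banner"] = banner
        if code != 220:  # 220 = service ready; anything else means no usable control channel
            result["detail"] = f"unexpected greeting code {code}"
            return result
        sock.sendall(f"USER {ANON_USER}\r\n".encode())
        code, text = read_reply(reader)
        if code == 331:  # server wants a password: send the generic one
            sock.sendall(f"PASS {ANON_PASS}\r\n".encode())
            code, text = read_reply(reader)
        result["anonymous_login"] = code == 230  # 230 = logged in; 530 = login refused
        result["detail"] = text
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return result


def run_fake_ftp_server(allow_anonymous):
    """Constructed test double: a minimal FTP-like control server on 127.0.0.1.

    Returns (port, stop_callable). It only understands USER/PASS/QUIT, enough to
    exercise check_anonymous_ftp offline; it is not a real FTP implementation.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def handle(conn):
        try:
            with conn:
                reader = conn.makefile("rb")
                conn.sendall(b"220-Constructed test FTP server\r\n220 Ready\r\n")
                while True:
                    raw = reader.readline()
                    if not raw:
                        return
                    cmd = raw.decode("utf-8", errors="replace").strip().upper()
                    if cmd.startswith("USER "):
                        conn.sendall(b"331 Password required\r\n")
                    elif cmd.startswith("PASS "):
                        if allow_anonymous:
                            conn.sendall(b"230 Anonymous login ok\r\n")
                        else:
                            conn.sendall(b"530 Login incorrect\r\n")
                    elif cmd == "QUIT":
                        conn.sendall(b"221 Goodbye\r\n")
                        return
                    else:
                        conn.sendall(b"502 Command not implemented\r\n")
        except OSError:
            pass  # client went away; nothing else to do

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener closed by stop()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port, listener.close


if __name__ == "__main__":
    # Offline demonstration against the constructed server; replace with your own host:21.
    for allowed in (True, False):
        port, stop = run_fake_ftp_server(allow_anonymous=allowed)
        print(check_anonymous_ftp("127.0.0.1", port))
        stop()
```

Run it as-is to see both outcomes against the constructed server, or call `check_anonymous_ftp("10.0.0.5")` (a placeholder address) for a host in your own inventory. A result with `anonymous_login` set to `True` is the finding the alert asks IT staff to look for; the banner and reply text are kept in the result so the server can be identified in a ticket.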
Ordering a DDoS attack has become as easy as ordering the latest bestseller from Amazon—and can offer incredible return on investment for the attacker.
According to Kaspersky Lab, DDoS-for-hire services are generally self-service, eliminating the need for direct contact between the organizer and the customer. Customers can make payments, get reports on work done and so on, all online. In fact, Kaspersky said that the order page “looks more like the web page of an IT startup than a cybercriminal operation.”
“These web services are fully functional web applications that allow registered customers to manage their balance and plan their DDoS attack budget,” the firm said in a blog posting. “Some developers even offer bonus points for each attack conducted using their service. In other words, cybercriminals have their own loyalty and customer service programs.”
But lowering the barrier to entry doesn’t stop there—it’s also incredibly cheap to carry attacks out these days. One DDoS service advertised on a Russian public forum offers attacks from $50 per day, for instance.
Kaspersky did a review of the Dark Web to find out the going rate for DDoS as-a-service, and found the average to be slightly higher than the example above—attacks typically cost $25 per hour, with the cyber-criminals making a profit of about $18 for every hour of an attack.
The security specialist also found that organizers of DDoS services generally offer customers a tariff plan in which the buyer pays a per-second rental price for botnet capacity. For example, a DDoS attack of 300 seconds using a botnet with a total bandwidth of 125Gbps will cost between about $5 and $6.
As for profitability, it should be noted that DDoS attacks and, in particular, ransomware DDoS have already turned into a high-margin business. “The profitability of one attack can exceed 95%,” the firm noted. “And the fact that the owners of online sites are often willing to pay a ransom without even checking whether the attackers can actually carry out an attack (something that other fraudsters have already picked up on) adds even more fuel to the fire. All the above suggests that the average cost of DDoS attacks in the near future will only fall, while their frequency will increase.”
Of course, the actual cost of any one service depends on a few variables. Those include the target—government victims cost more to attack than, say, an online store, and some countries cost more to attack than others—as well as the type of attack requested. Atypical attacks that ask the botnet owner to alternate between different methods of DDoS attacks within a short period of time or implement several methods simultaneously can increase costs.
The rate also depends on the anti-DDoS protection the potential victim has. “If the target uses traffic filtering systems to protect its resources, the cyber-criminals have to come up with ways of bypassing them to ensure an effective attack, and this also means an increase in the price,” Kaspersky explained. In one case, “cyber-criminals were asking for $400 per day to attack a site/server that uses anti-DDoS protection, which is four times more expensive than an attack on an unprotected site.”
Also, the cheaper it is for a criminal to maintain a botnet (defined, for example, by the average cost of infecting a device and including it in a botnet), the more likely they are to ask for bargain-basement prices for their services. For example, a botnet of 1,000 surveillance cameras may be cheaper than a botnet of 100 servers, simply because cameras and other IoT devices are less secure and take less effort to compromise.
As for mitigation, Ben Herzberg, security group research manager for the Incapsula product line at Imperva, offered us the following advice: “In a nutshell, though the organization needs to map their assets, understand what sort of risks they’re facing on the different assets (for example: websites, third-party services, VPNs, etc.), and set a process which will minimize those risks—in most cases by taking a DDoS mitigation service to protect the organization.”
He added, “The best way for organizations to mitigate DDoS attacks is as far away from their network as possible, such as in the cloud, before it even reaches the organization’s ISP. With the vast increase of IoT devices, allowing cheap attacks like the ones stated in the Kaspersky research, attackers may send enormous amounts of traffic and packets, which may easily exhaust the organization’s pipeline.”
Hackers have accessed job-seeker information from America’s JobLink (AJL), a multi-state web-based system that links job seekers with employers.
AJL works with various state governments and the US Department of Labor to act as a national resource for employment opportunities. The organization said that an outside source exploited a vulnerability in the AJL application code to view the names, Social Security numbers, and dates of birth of job seekers in the AJL systems of up to 10 states: Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont.
The timeline is fairly short: On February 20, the intruder created a job seeker account in an AJL system. The hacker was then able to leverage a misconfiguration in the application code to gain unauthorized access. After noticing unusual activity, America’s Job Link Alliance–Technical Support (AJLA–TS) uncovered the incursion and disabled the hacker’s access to the AJL systems on March 14. It is now working with law enforcement officials and the FBI to identify and apprehend the perpetrator.
There’s no word on how many users were affected, but AJLA-TS said that it’s working with an independent forensic firm to find that out, including where those individuals are located. It also indicated that it has been working on notifications, with most victims receiving an email by the first week in April.
“Notifying potentially affected individuals has been a top priority since AJLA–TS discovered that the error messages we were receiving were due to malicious activity and not a technical issue,” it said. “The forensic firm’s analysis required the review of a significant amount of system data. This analysis was needed to confirm that the hacker had actually accessed individuals’ information, so as not to unnecessarily alarm affected individuals.”
Almost a third of European employees have sent unauthorized information to a third party.
According to a survey of 4,000 people in Europe, 29% of respondents have “purposefully” sent information out of their company, while 15% have taken “business critical information with them from one job to another”. Over half (59%) of the latter planned to use it in their next job.
Neil Thacker, deputy CISO at Forcepoint, said that the choice to steal information is about responsibility and accountability from a cultural perspective. “Once [an employee] leaves, their loyalty has gone and when loyalty is gone, we do see an essence of data leakage and storing.”
The research also found that 14% of respondents would sell corporate log-ins to an outsider, and 40% of those would do so for less than £200. Perhaps this is because 22% either do not believe data breaches incur a cost to their employers, or were unsure whether they would.
Mike Smart, product and solutions director at Forcepoint, said: “Research has consistently shown that breaches caused by employees are among the most damaging in terms of their financial and reputational impact. Organizations that ignore the potential security risks that can be caused by employees and other insiders miss an opportunity to strengthen their security posture and protect their companies more broadly.”
In an email to Infosecurity, Oliver Pinson-Roxburgh, EMEA director at Alert Logic, said: “In my experience, we never started a social engineering exercise with bribes as they would always alert security to our actions and would be sure to get us rumbled. We always made it through in other means before getting people to pay.
“That’s not to say the insider threat isn’t real; just that the attackers have loads of other more covert ways before going this route. It also really depends on the organization though - in more challenging environments, getting to someone inside the organization would always be an option and that would start with profiling the correct person to get you best access. This is also maybe where the respondents are going with this, which is ‘what could they possibly do with my access?’ I for sure would not want any of my employees considering that game of Russian roulette.”
Carl Leonard, principal security analyst at Forcepoint, added that the sensitivity of the breach depends on what the data is – personally identifiable information, credentials, business plans. “People’s behavior changes over time and you adjust your risk for doing certain things, and in the last month of [someone’s employment] you don’t let them download or access the source code repository and businesses have not got the know how to do that,” he said.
Pinson-Roxburgh said that overall, people want to do their jobs well and if they meet hurdles they will jump over them or pass under them - whichever is easier.
“Educate people to be diligent, limit their ability to make bad decisions and be able to detect an incident and be ready to respond,” he said. “I have also seen people just not understand their processes and procedures, and end up using unsafe online tools to do their job and inadvertently leak information. I am sure this is often a time pressure issue, or process gets in the way and they cannot understand the risk or impact on the business. Leaders need to take a stand and lead by example, drive good practice and behavior around security of data!”
Just over half (56%) of UK firms have a strategy in place to protect devices and data from cyber-threats, according to a new report from the Institute of Directors and Barclays Bank.
A survey of 844 IoD members found that while nearly all (95%) said they consider cybersecurity to be important to their business, they aren’t following through with practical steps to lower online risk.
Less than a third use virtual private networks (VPNs), for example.
What’s more, if their business became a cyber-attack victim, less than half (40%) would know who to contact.
This is especially important given that new European data protection rules set to land in May 2018 will mandate 72-hour breach notifications to the local supervisory authority – in the UK’s case, the Information Commissioner’s Office (ICO).
The IoD study also revealed that less than half of respondents (44%) had funded cyber-awareness training and many leave gaps of over a year between programs.
The ICO last week urged local councils – like their counterparts in the private sector – not to forget to train temporary staff, and to conduct annual refresher training for all employees.
On the plus side, the report found that two-thirds of respondents now use a variety of different passwords, minimizing their risk exposure, and nearly three-quarters have processes in place to verify the authenticity of inbound electronic invoices or payment requests.
Richard Brown, director of EMEA channels & alliances at Arbor Networks, said he was shocked by some of the report's findings.
“Attack methodologies are evolving by the day and as such, it is no longer acceptable for businesses to be complacent about their cybersecurity strategy,” he added.
“Businesses must take the fight to cyber-criminals with improved intelligence sharing and better co-operation with law enforcement. Organizations should also instrument their internal networks so that they have broad and deep visibility of network traffic, threats and user behavior.”
There could be long queues in store for US visa applicants after it was revealed the Trump administration is gearing up to enforce mandatory social media and other checks on anyone who has traveled to a country now controlled by ISIS.
Leaked memos sent from secretary of state Rex Tillerson to embassy bosses apparently reveal a range of new “extreme vetting” measures promised by Trump on the campaign trail.
These include co-ordinating with law enforcement and intelligence operatives to “develop a list of criteria identifying sets of post applicant populations warranting increased scrutiny.”
They also order a “mandatory social media check" for any applicant who has ever been to a country now controlled by the Islamic State.
That could create significant extra workload for officials, delay applications and raise the risk of visas being processed based on nationality and religion rather than the level of threat posed to the US, experts told Reuters.
The memos apparently also reveal some furious back-pedaling by Tillerson and the Trump administration following court decisions challenging large parts of two presidential Executive Orders which would have banned immigration from Muslim-majority countries.
Trump’s EOs aren’t just causing chaos at the US border: they’re also causing concern among allies.
The Enhancing Public Safety order – basically an attempt to clamp down on illegal immigrants – rang alarm bells inside Europe after some suggested it could put in jeopardy the Privacy Shield data transfer agreement between the US and EU.
The European Commission said it’s monitoring the situation after it was revealed that the order states privacy protections won’t be extended beyond US citizens or residents.
It’s not been a stellar start to the Trump administration’s four-year term, with FBI boss James Comey last week confirming the agency is investigating possible collusion with Russian officials in the run-up to the presidential election.
The UK’s small and medium-sized businesses (SMBs) are increasingly taking on cyber-insurance to help mitigate risk as incidents increase, but levels remain low overall, according to new research from GlobalData.
The consulting firm’s UK Cyber Insurance 2017 report reveals that penetration of cyber-related insurance policies among the country’s SMBs grew from just 2% in 2014 to nearly 14% last year.
That’s low compared to take-up of other “commercial products”, according to the report.
GlobalData analyst Danielle Cripps claimed in a statement that SMEs are arguably the most in need of insurance, as they have the fewest resources with which to recover from cyber-attacks.
However, she added that the forthcoming European data protection laws would help to drive adoption further, ensuring SMEs have the policies in place to help them swiftly recover in the event of a breach or similar.
“Insurance will help by providing financial support, and may additionally give access to extra technical support from experts called out to help with a claim,” Cripps argued.
“Businesses will also have more accountability and conditions to comply with, making them more liable under the new regulation. The additional risk this creates means businesses are more likely to seek cover which will help drive the market.”
When taken as a whole, the UK’s businesses significantly increased their adoption of cyber-insurance. It grew 50% between 2015 and 2016, according to stats from CFC Underwriting.
Over a quarter (26%) claimed the GDPR had driven them to invest.
The insurance provider also revealed that the UK represents just 8% of CFC’s policy count yet 17% of its claims count – indicating low levels of cybersecurity maturity.
Privacy breaches (31%) accounted for the largest number of claims, followed by financial loss (22%) and ransomware (16%). Malware accounted for only 7% of claims, followed by DDoS attacks (5%), “unauthorised access to systems” (5%), and business interruption (4%).
By now, you may have heard that a hacking organization identifying itself as the Turkish Crime Family has gone hunting for a very big fish: It said that it has credentials for hundreds of millions of Apple accounts of various sorts (including email and iCloud), and it’s threatening to wipe all of the iPhones in the cache unless a hefty ransom is paid.
The group is asking for either $75,000 in Bitcoin or $100,000 in iTunes gift cards before the April 7 deadline. It’s a major shakedown—but is it legitimate?
Turkish Crime Family (let’s call them TCF) was first reported by Vice’s Motherboard as having 559 million total accounts—and other reports say there are either 200 million or 300 million vulnerable iPhone accounts. Regardless of the number, it’s a lot—and on the surface the news, if TCF really does have those credentials, would indicate that Apple has suffered a major data breach.
But the computing giant says it hasn’t. Apple said in a media statement: “There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services. We're actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these types of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”
Which means that the danger, if it does exist, isn’t new for these Apple users. And indeed, many of the accounts could be defunct: Some of the addresses are @mac.com and @me.com addresses, which could be almost two decades old.
Motherboard confirmed a back-and-forth conversation between the hackers and Apple security teams, but TCF has yet to publicly provide solid proof of how and what information they have, besides a YouTube video (now removed) that Motherboard said shows someone logging into an iCloud account.
Meanwhile, ZDNet said that it was able to get a data sample of 54 allegedly breached accounts from TCF, finding that they were all legitimate email addresses. The outlet also reached 10 users who said the listed pilfered passwords were correct.
What does it all add up to, if anything? John Bambenek, threat systems manager of Fidelis Cybersecurity, said that he’s skeptical about the hacker group’s claims, noting that there are always people who make unfounded threats to organizations in the hope of an easy payday—or notoriety.
“The hacker group is not following what’s become typical operating procedure,” he said via email. “For example, if this were a real ransomware attack, they would be communicating privately with the company they are targeting. Based on previous incidents, the current threat has all the hallmarks of a stunt. If they really have the ability to wipe iPhones then they would have wiped a few already as ‘proof of life’.”
But that said, do consumers really want to roll the dice with their pictures and other information on the phone?
Lamar Bailey, director of security research and development for Tripwire, said via email that the hackers may indeed have meticulously assembled a cohesive database of previously stolen Apple credentials from various earlier data breaches of sources outside of Apple, which would once again highlight the widespread problem of password re-use. Hundreds of millions of them? Possibly. It would have required a large effort, but he noted that it could be done.
“If this is legit, the hackers would have had to obtain access to the individual user accounts via breaking the passwords of each of the user accounts or have acquired access to the Apple iCloud servers,” he said. “The access to each user account is much more realistic since we have seen numerous reports of all the weak passwords people use for their computers and accounts.”
And, he added, if the hackers have password access to individual user accounts, they can indeed erase phones remotely and change passwords for the Apple account.
“The hackers cannot remove backups for Apple devices from the cloud, but changing the passwords will make it hard for the legitimate users to reset and recover their devices,” he noted. “Once the end-user has access to their account, they will be able to restore their device.”
Apple users—and indeed all users of any online-facing service—should make sure they’re using strong passwords and enabling two-factor authentication as an added protection.
“Having a local backup of your device is always a good idea too. It is faster to restore a device locally than over the internet, and having a small NAS (Network Attached Storage) device at home for pictures and backups is a good investment to supplement the cloud backups,” Bailey added.
Gift cards are under attack by hackers, and consumers are being advised to check their balances.
Luxury retailers, supermarkets, and major coffee distributors with gift card processing capabilities are all the target of a new widespread cybersecurity attack, according to Distil Networks, which has tracked activity on nearly 1,000 customer websites.
Hackers are using a bot dubbed GiftGhostBot to test a rolling list of potential gift card account numbers at a rate of 1.7 million gift card numbers per hour. It is believed that once they correctly identify gift card numbers with this brute-force-like approach, they can resell the account numbers on the Dark Web or use them to purchase goods.
“Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment,” said Rami Essaid, CEO of Distil Networks. “While it is important to understand that retailers are not exposing consumers’ personal information, consumers should remain vigilant. Check gift card balances, contact retailers and ask for more information. In order to prevent resources from being drained, individuals and companies must work together to prevent further damage.”
GiftGhostBot is also an advanced persistent bot, or APB, Distil said, as evidenced by the way it disguises its identity by rotating user-agent strings, its significant distribution, its ability to mimic a normal browser and its persistence techniques. If it is blocked using one technique, it adapts and returns using a different attack technique.
The impact could be wide-ranging.
“Consumers may suffer from a loss of faith in gift cards and make an irate call to the company that issued the gift card if they see their account balance disappear,” the firm noted in its analysis. “Assuming the gift card is not FDIC protected or registered, if the issuing company doesn’t replenish the amount, the consumer relationship is damaged.”
It added, “Businesses have to successfully handle these dissatisfied customer calls asking for a refund to maintain their future relationship. But…requests into the website could reach millions each day and potentially inundate the servers leading to slowdowns or downtime; it amounts to an application denial of service.”
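As an added illustration (not Distil’s detection logic), the following Python script applies the behaviour described above as detection heuristics over a constructed access log: a client that, within a short window, looks up many distinct card numbers while rotating its user-agent is flagged, and the site-wide lookup rate is reported so that a distributed bot still stands out. The log format and the `/giftcard/balance` endpoint are assumptions.

```python
"""Heuristics for spotting gift-card balance enumeration in web access logs.

Added illustration, not Distil's detection logic. Flags a client that, inside a
short window, queries many distinct card numbers while rotating its user-agent,
and reports the site-wide lookup rate so a distributed bot still stands out.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): ts client path "user-agent" card=<masked> status
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<path>\S+) "(?P<ua>[^"]*)" '
    r'card=(?P<card>\S+) (?P<status>\d{3})$'
)
BALANCE_PATH = "/giftcard/balance"  # hypothetical balance-check endpoint


def make_sample_log():
    """Constructed sample traffic: one enumerating client, one normal shopper."""
    uas = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (X11; Linux)"]
    lines = []
    for i in range(30):  # 30 lookups of 30 different cards in 15 seconds, 3 rotating UAs
        status = 200 if i % 9 == 0 else 404  # most guesses miss; a few hit a live card
        lines.append(
            f'2017-03-23T10:00:{i // 2:02d} 203.0.113.7 {BALANCE_PATH} "{uas[i % 3]}" '
            f"card=6006********{1000 + i} {status}"
        )
    # A real shopper re-checks one card from one browser a few minutes later.
    lines.append(f'2017-03-23T10:05:00 198.51.100.4 {BALANCE_PATH} "Mozilla/5.0 (iPhone)" card=6006********7781 200')
    lines.append(f'2017-03-23T10:05:40 198.51.100.4 {BALANCE_PATH} "Mozilla/5.0 (iPhone)" card=6006********7781 200')
    return lines


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_enumeration(lines, window=timedelta(seconds=60), min_lookups=15, min_cards=10, min_uas=2):
    """Return {client: stats} for clients whose sliding window looks like card guessing."""
    events = [e for e in map(parse_line, lines) if e and e["path"] == BALANCE_PATH]
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    alerts = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window start forward
                start += 1
            win = evs[start:end + 1]
            cards = {e["card"] for e in win}
            uas = {e["ua"] for e in win}
            if len(win) >= min_lookups and len(cards) >= min_cards and len(uas) >= min_uas:
                misses = sum(1 for e in win if e["status"] != "200")
                alerts[client] = {
                    "lookups": len(win), "distinct_cards": len(cards),
                    "user_agents": len(uas), "miss_rate": round(misses / len(win), 2),
                }
                break  # one alert per client is enough
    return alerts


def peak_hourly_rate(lines, bucket=timedelta(minutes=1)):
    """Busiest one-minute bucket of balance lookups, extrapolated to lookups per hour."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        if e["path"] == BALANCE_PATH:
            counts[e["ts"].timestamp() // bucket.total_seconds()] += 1
    return max(counts.values(), default=0) * int(timedelta(hours=1) / bucket)


if __name__ == "__main__":
    log = make_sample_log()
    print(detect_enumeration(log))
    print("peak lookups/hour:", peak_hourly_rate(log))
```

The high miss rate and the per-client and site-wide rates are the signals a retailer can alert on even when each request looks like a normal browser.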
As the Sweet Sixteen round continues for March Madness, the increased interest in the tournament has also attracted the attention of threat actors who've produced a variety of ways to trick fans into downloading malicious code.
Zscaler researchers have observed multiple threats, including a clear upward spike in malicious activity over the last 15 days since the tournament began, such as phishing pages, adware downloads, improper handling of user data and attempts at domain squatting.
March Madness, the annual NCAA college and university-level basketball tournament, has seen its best ratings in years this season. According to the NCAA and Nielsen stats, the 2017 NCAA Tournament was the most-watched in 24 years for its opening weekend, with an average of 9.325 million viewers, which is up 10% from 2016. NCAA March Madness Live has generated an all-time record 69.1 million live streams through the first Sunday of the tournament, an increase of 24% over last year. And, official March Madness social media handles generated 26 million social engagements across Twitter, Facebook and Instagram through last Sunday, which is up 20% year-over-year.
This increased activity is translating into more users streaming games and checking their brackets for updates. Zscaler said that it saw the traffic in this category increase by 100% during the game week.
The dangers are diverse. For instance, fans looking to stream the NCAA tournament for free can easily find the games at www.ncaa.com. But they have other options, and they are not good ones.
“A simple Google search of the phrase ‘NCAA free streaming’ yields some dubious results, including this one from ifirstrowus[.]eu which comes up as the fifth hit on the search page. Basketball enthusiasts that click through this site to watch the games will be sorely disappointed. Instead of watching their alma mater, they will be redirected to a site that installs a browser hijacker, which prompts users to install toolbars and change the homepage to search.searchliveson[.]com to continue watching the game.”
Also, domain-squatted addresses can be used to host phishing webpages that steal user credentials and other information.
As is typical with top sporting events, the bad guys are looking to take advantage of a wide audience.
“The best advice we can offer is to be sure to use NCAA-sanctioned bracket applications through your web browser,” Zscaler noted. “There are many third-party sites out there that attempt to probe the user to create login credentials. We observed that one such application collects a username and password and then transmits it in the clear. This plain text credential transfer makes the connection vulnerable to sniffing attacks. Since users commonly set the same login credentials for multiple websites, the attackers might gain access to users' email accounts, bank accounts, tax preparation accounts etc.”
Business Email Compromise (BEC) attacks jumped 45% in the final quarter of 2016, compared to the previous three months, according to new stats from Proofpoint.
The security vendor claimed such attacks have grown both in volume and sophistication.
Also known as “CEO fraud” and “whaling”, these attacks typically involve fraudsters spoofing the email addresses of company CEOs to trick staff members into transferring funds outside the company.
However, Proofpoint also includes attempts to target HR teams for confidential tax information and sensitive employee data, as well as engineering departments which may have access to a wealth of lucrative corporate IP.
In its analysis of over 5,000 global enterprise customers, it claimed that in two-thirds of cases the attacker spoofed the “from” email domain to display the same domain as that of the targeted company.
These attacks can thwart some systems, because they don’t feature malware as such – just a combination of this domain spoofing and social engineering of the victim to force them to pay up.
Part of the trick is to harry the target, rushing them so they have less time to think about what they’re doing.
That’s why over 70% of the most common BEC subject line families appraised by Proofpoint featured the words “Urgent”, “Payment” and “Request”.
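As an added example (not Proofpoint’s product logic or code from the article), here is a header-level triage script in Python that scores an inbound message on the signals this item describes: a From address claiming the recipient’s own domain that did not pass SPF or DKIM at the gateway, a Reply-To pointing to another domain, a display name that matches an executive but a different address, and the “Urgent”, “Payment” and “Request” subject families. The protected domain, the executive directory and the sample messages are constructed.

```python
"""Header-level triage for Business Email Compromise (BEC) attempts.

Added illustration, not Proofpoint's product logic. Scores a message on the
signals in the item above: a From domain that claims to be our own but did not
pass SPF or DKIM, a Reply-To pointing elsewhere, a display name that matches an
executive but a different address, and "Urgent"/"Payment"/"Request" subjects.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # the protected organisation's domain (assumed)
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory: display name -> real address
URGENCY_TERMS = ("urgent", "payment", "request", "wire", "transfer")  # subject families to watch


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_result(msg, method):
    """Read 'spf=...' or 'dkim=...' from the Authentication-Results header our gateway added."""
    m = re.search(rf"\b{method}=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"


def score_bec(raw_message):
    """Return (score, reasons): one point per suspicious signal found in the headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    from_dom = _domain(addr)
    reasons = []

    # Two-thirds of BEC in Proofpoint's sample spoofed the target's own domain; a genuine
    # internal sender would pass SPF or DKIM at our gateway.
    if from_dom == OUR_DOMAIN and _auth_result(msg, "spf") != "pass" and _auth_result(msg, "dkim") != "pass":
        reasons.append(f"From claims {OUR_DOMAIN} but neither SPF nor DKIM passed")
    if reply_to and _domain(reply_to) != from_dom:
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_dom}")
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    hits = [t for t in URGENCY_TERMS if re.search(rf"\b{t}\b", subject, re.I)]
    if hits:
        reasons.append("urgency/payment wording in subject: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed sample messages (not real mail).
SPOOFED_MSG = """\
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@mail-example.net
Subject: Urgent payment request
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none

Please process the attached invoice today.
"""
LOOKALIKE_MSG = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Subject: Request: wire transfer before noon
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none

Please confirm today.
"""
LEGIT_MSG = """\
From: "Jane Doe" <jane.doe@example.com>
Subject: Q1 board deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Draft attached, comments welcome.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG), ("legit", LEGIT_MSG)]:
        print(label, score_bec(raw))
```

A score of two or more is a reasonable quarantine threshold for a pilot; the lookalike-domain case shows why the executive-name check matters when SPF passes for the attacker’s own domain.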
The vendor claimed that firms in the manufacturing, retail and technology sectors are especially at risk, as cyber-criminals repeatedly look to take advantage of more complex supply chains and SaaS infrastructures.
Robert Holmes, vice-president of products, argued that although employee education is important, it needs to be complemented by the right set of tools to weed out fraudulent emails.
“When it comes to BEC attacks, employees should never be an organization’s first line of defense. It is the organization’s responsibility to ensure that security technologies are in place, so that BEC attacks are stopped before they can reach their intended target,” he told Infosecurity Magazine.
BEC has become so popular among the black hats that the FBI warned organizations last year the scams had cost billions since 2013.
Trend Micro predicted that 2017 would see more and more cyber-criminals turn to BEC given the potential rich pickings – claiming the average pay-out is $140,000, versus just $722 for a typical ransomware attack.
However, Holmes argued that ransomware and BEC actors are likely “two distinct types of criminal”.
“While ransomware attacks require technical infrastructure to launch campaigns at scale, BEC attacks are socially engineered and highly targeted in nature, conducted by a single actor rather than teams, and generally launched from shared email platforms,” he explained.
“While cyber-criminals will always go where the money is, we do not envision a drastic change in tactics such as traditional purveyors of ransomware transitioning to BEC. As long as ransomware and trojans continue to pay, cyber-criminals with technical skillsets are unlikely to down tools and pivot towards such a fundamentally different type of attack vector.”
Security experts have uncovered a sophisticated cyber-attack campaign in China designed to spread Android malware via fake mobile base stations.
The “Swearing Trojan” malware – so named because of the Chinese expletives found in its code – was first discovered by Chinese web giant Tencent’s security business.
It’s designed to steal personal info and even bypass banks’ two-factor authentication systems by intercepting incoming SMS codes for account log-ins.
Most interestingly it has been observed spreading via fake base transceiver stations (BTSs), which are operated by the attackers. These send phishing texts to the targeted phones spoofed to appear as if they came from telcos China Mobile and China Unicom.
“Using a BTS to send fake messages is quite sophisticated, and the SMS content is very deceptive. The message tricks users into clicking a malicious URL which installs malware. Fake messages from people victims may be romantically involved with have also been seen in these attacks,” explained Check Point mobile security researcher, Feixiang He.
“Once an infected app is installed it asks the user for only screen lock-related permissions to avoid suspicion. After installation, the malware spreads by sending automated phishing SMSs to a victim’s contacts.”
Crucially, the Trojan doesn’t communicate with a C&C server but sends back any information obtained to the attacker via text or email, helping it stay undercover.
Other phishing tactics used to spread the malware include fake app update notifications; malicious MMS messages related to trending events; and work-related documents.
He warned that such tactics could be used outside of China if cyber-criminals elsewhere see them performing well.
“Many mobile malware discovered in the Chinese market in the past, such as HummingBad, turned out to be early birds which continued to spread worldwide,” he said. “The widespread use of the Swearing Trojan was achieved by using fake BTSs and automated phishing SMSs. Both of these threats can be adopted by western malware as well.”
Michael Downs, director of telecoms security at Positive Technologies, explained that detecting fake base stations can be tricky, so it’s not clear how widespread the practice is.
“The issue is that the equipment to create a fake tower is legitimately available and relatively inexpensive to purchase. For those lacking the technical prowess, ‘how to’ guides can be found online. If that’s not worrying enough, there are even ready-made solutions traded where all that’s needed is to switch it on,” he added.
“That said, operators could do more to keep track of their radio perimeter. Analyzing radio signals can help identify fake BTS and, with the use of triangulation, pinpoint the location so fake towers can be disassembled.”
Google has released perhaps its strongest rebuke yet to Symantec over the latter’s CA business, claiming it will reduce trust in the security giant’s certificates in order to restore confidence to Chrome users.
In a lengthy post issued on Thursday, Google engineer Ryan Sleevi explained that an initial investigation into 127 mis-issued certificates subsequently turned up problems with 30,000 certificates, issued over several years.
This comes on top of a previous set of mis-issued certificates which led to the 2015 sacking of several Symantec employees.
Google has consequently resolved to: reduce the accepted validity period of newly issued Symantec-issued certificates to nine months or less; require the re-validation and replacement of all currently-trusted Symantec-issued certificates; and temporarily remove EV status for all Symantec-issued certs, for at least a year.
“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide by the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” argued Sleevi.
“These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.”
He went on to argue that Symantec had failed to provide timely updates to its customers as problems occurred.
“Despite having knowledge of these issues, Symantec has repeatedly failed to proactively disclose them. Further, even after issues have become public, Symantec failed to provide the information that the community required to assess the significance of these issues until they had been specifically questioned,” said Sleevi.
“The proposed remediation steps offered by Symantec have involved relying on known-problematic information or using practices insufficient to provide the level of assurance required under the Baseline Requirements and expected by the Chrome Root CA Policy.”
Venafi chief cybersecurity strategist Kevin Bocek argued that the case highlights once again how fragile the system of trust for the internet really is.
“This news also highlights how critical it is for businesses to be able to replace machine identities – keys and certificates used for SSL/TLS – quickly. Even small businesses can change passwords for all employees in minutes, but the largest global businesses with very sophisticated IT operations struggle to respond to an external event like this,” he added.
“Google is the 800-pound gorilla on this issue. It is likely to require the world’s largest banks, retailers, insurers and cloud providers to replace the identities these questionable Symantec certificates because it turns on padlocks that let users know their transaction is secure.”
A new breed of financial scam involving Bitcoin is actively spreading across social networks.
“They succeed by leeching onto the money-driven hype associated with the latest and greatest hallmarks of popular culture,” said researchers at ZeroFOX, which uncovered the campaign. “Earlier this month, the price of a single Bitcoin eclipsed the price of an ounce of gold for the first time ever. This news, coupled with the exploding adoption of its underlying technology—blockchain—beyond the financial world, is attracting a new flock of clientele, investors and entrepreneurs to the fledgling cryptocurrency.”
There are four main categories of scam, ZeroFOX noted in an analysis: Malware gambits, Bitcoin phishing impersonators, Bitcoin-flipping scams and Bitcoin pyramid schemes.
On the malware front, bad actors try to entice users to click through URLs posted to social media using the promise of Bitcoin. The URL leads to a website that attempts to download a malware-laden app. Fake Bitcoin surveys are often used to distribute malware too.
Meanwhile, impersonators post links on social media that lead to phishing websites allegedly offering a search service, enticing users to enter their private Bitcoin key to see if it exists in their database. Once entered, the private key is simply phished, allowing the scammer to spend directly from the curious Bitcoin owner’s wallet.
Flipping scams advertise on Instagram and elsewhere, and offer to instantly exchange Bitcoins for money after an initial startup fee is paid, or promise to double the initial investment overnight. Of course, once turned over to the “exchange bureau,” the Bitcoins are stolen immediately.
In the pyramid scheme, scammers are hawking high-yield investment programs and multi-level marketing. It’s a well-known configuration that goes back decades in the real world: A low initial investment can be multiplied by signing up additional members using referral links. The Bitcoin version often involves fake donations; people involved use social media to spread word of the scheme.
The rise of the Bitcoin scam is a result of a perfect storm of trends, the firm noted. For one, social media is a perfect conduit to the right kind of victim.
“Social media provides access to a key demographic of digitally connected people who are most interested in getting into the Bitcoin game, but who also lack the specialized expertise necessary to tell a legitimate from an illegitimate offer,” the researchers explained.
Also, Bitcoin, as a virtual currency, is anonymous, much like cash. But unlike the cold, hard stuff, it’s decentralized and not controlled by any financial institution or government.
“When fraud is committed in Bitcoin’s name, its lack of a central authority is exactly what makes it impossible to recover any losses,” ZeroFOX noted. “Once a victim is duped, the buck stops there: No bank or credit card issuer can bail them out in this regulatory vacuum.”
The other interesting hallmark is that Bitcoin transactions can neither be changed nor removed.
“This is a feature, not a bug,” the researchers explained. “No one can alter records after the fact, creating an incorruptible and permanent ledger dating all the way back to the first-ever transaction. There’s no way to recover losses once Bitcoins are spent, creating an easy way to engage in money-flipping scams, like ‘send me Bitcoins, and I’ll pay you back double!’”