Info Security

Subscribe to Info Security  feed
Updated: 1 hour 6 min ago

Bug in New iOS Lets Attacker Access iPhone Pics

Tue, 10/16/2018 - 16:01
Bug in New iOS Lets Attacker Access iPhone Pics

A new vulnerability discovered in Apple’s latest iOS, 12.0.1, released last week, allows an attacker with physical access to an iPhone entry into photos on a locked phone, according to Jose Rodriguez, a Spanish security researcher.

While the bypass bug, reported by The Hacker News, does require that an attacker have physical access to an iPhone, an attacker could still access the photo albums and send selected pictures using Apple Messages even if the phone is locked.

Rodriguez reported the bug and provided a proof-of-concept video via YouTube in which he demonstrated various steps of the attack, which starts with an incoming call to the targeted iPhone.

After tapping the "message" option on the iOS call screen, Rodriguez selected the "custom" option, which then displayed the Messages user interface, at which point he entered random letters before calling on Siri to activate VoiceOver.

This latest bug comes only two weeks after Rodriguez discovered two similar VoiceOver vulnerabilities that gave unauthorized access to user contacts and photos, according to AppleInsider.

When the conditions of the bug are met, the iPhone displays a black screen. A left swipe on the black screen delivers an attacker to the photo library. As Rodriguez demonstrated in his proof of concept, a double tap then returns him to the Messages app where he is able to insert images into the Messages text box.

In total, the attack is a 10-step process that works on all current iPhone models running the latest version of the Apple mobile operating system, including the iPhone X and XS devices. 

Though the bug is concerning, the attacker must have a “certain level of precision” to perform the process and achieve the desired outcome, said AppleInsider

Categories: Cyber Risk News

Execs Fear Orgs Unprepared for Incident Response

Tue, 10/16/2018 - 15:23
Execs Fear Orgs Unprepared for Incident Response

Executive-level security professionals fear their organizations are not well positioned to respond to a cyber-attack, according to the results of a new poll from Deloitte.

In a poll of more than 3,150 security professionals across all industries and sectors taken during a webcast on cyber preparedness and war-gaming, survey respondents indicated that in large part, cybersecurity remains siloed. As a result, many employees across the organizations are not well versed in how to respond to a cyber incident. In addition, participants reported that they were only somewhat confident in their organization’s ability to respond to and remediate a cyber incident despite the reality that their organizations had experienced a cybersecurity incident within the past 12 months.

While it's become commonplace to espouse that all employees play a role in cyber awareness, 30% of CEOs and executive-level respondents said their greatest challenge is that employees don’t understand the organization’s incident response plan. That lack of understanding seems to correlate with a lack of resources. For 20% of respondents, a lack of access to the funding, tools and skills needed to respond to cyber incidents is a handicap.  

“We used to say it’s ‘not if, but when’ an organization will experience a cyber incident. That message has evolved well beyond a single incident to ‘how often’ or ‘how to respond to and withstand persistent attacks,’” said Andrew Morrison, principal, Deloitte Risk and Financial Advisory Cyber Risk Services, Deloitte & Touche LLP, in a press release.

“Improving internal processes and providing employees with the knowledge, practice and skills needed to succeed can help organizations mitigate risk through preparedness, as well as increase overall business resilience to future attacks.”

Yet nearly half of respondents (49%) said that their organizations do not conduct cyber war-gaming exercises so that all employees can better understand what to do in the event of a cyber incident. As a result, 34% of participants reported not knowing their own role within their organization’s cyber incident response plan.

“Cyber war games are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organization needs during, after and preparing for the next cyber incident,” said Daniel Soo, cyber war-gaming leader for Deloitte cyber risk services and Deloitte Risk and Financial Advisory principal.

“The most impactful war games are those that use live knowledge of an organization’s current threat environment to support the decision-making process across operations, finance, regulatory, marketing and beyond.”

Categories: Cyber Risk News

Tech Support Scams Decline as Consumers Get Savvy

Tue, 10/16/2018 - 11:55
Tech Support Scams Decline as Consumers Get Savvy

Global exposure to and losses from tech support scams has dropped over the past two years as consumers become more savvy, although in the UK the number suffering financially increased slightly, according to Microsoft.

The computing giant polled over 16,000 internet users in 16 countries worldwide to better understand how trends are evolving.

The latest figures revealed that 63% of consumers experienced a tech support scam, down from 68% in 2016. Those who lost money fell from 6% to 3%.

However, alongside direct monetary loss, a further 8% of consumers spent time and money checking and ‘repairing’ their PCs. That’s not to mention the 76% who reported moderate to severe stress as the result of being hit by a scam.

The report claimed that fewer pop-up ads and windows have helped reduce consumer exposure to the scams. These typically masquerade as alerts from a reputable provider like Microsoft and trick the victim into believing that their machine has been infected.

Consumers are also becoming more skeptical about unsolicited contact from a tech support ‘operative.’

Over a third (38%) said that if they were contacted by ‘tech support’ they’d try to block the company the scammer claimed to come from and 33% would look up the issue online.

Interestingly, younger netizens are more likely to be tricked into handing over their money. This may be because a higher percentage are exposed to pop-ups because of visiting high-risk torrent sites and similar. Microsoft also warned that these more ‘tech savvy’ youngsters are more likely to be over-confident.

Although the overall figures for tech support scam victims appears to be coming down globally, the UK bucked the trend.

Here, 62% of respondents said they had experienced a scam, with 6% losing money as a result, an increase from just 2% in 2016.

Microsoft urged UK victims to contact Action Fraud.

Categories: Cyber Risk News

Cybersecurity Salaries Rise 6% in One Year

Tue, 10/16/2018 - 11:22
Cybersecurity Salaries Rise 6% in One Year

Salaries for cybersecurity professionals have risen by 6% in one year, double the national average of 2.9%, according to Acumin Consulting’s latest annual Salary Survey.

The firm analyzed 56 key cybersecurity positions across its database of end users, system integrators, consultancies and public sector divisions to provide a holistic view of salaries across organization type and role seniority.

Acumin’s findings revealed that education and compliance roles saw the biggest increases (20%) in the last year, with security analysts also benefiting from an average salary rise of 13%. Those in the role of information security officer saw the lowest increase (1.5%), whilst application security specialists and product directors saw their wages up by two percent.

“Our 2018 Salary Survey provides a snapshot of the issues that have been driving boardroom agendas this year, namely data protection regulation and user education,” said Simon Hember, group business development director at Acumin. “With the pressures brought down on organizations by the GDPR, professionals with skills in compliance and process are commanding record salaries.”

However, it appears the public sector is failing to meet the salaries being offered by private sector organizations.

“Opportunities for security professionals in the public sector should be booming, especially given the government’s commitment to the National Cyber Security Strategy and GCHQ’s recent drive to recruit 2000 roles to deal with the threat of nation state actors,” Hember added. “However, it’s no surprise that the public sector is struggling to offer the salaries, and attractive packages that can be offered by private sector organizations or indeed well-funded security start-ups.”

Categories: Cyber Risk News

UK’s MoD Exposed in 37 Security Breaches: Report

Tue, 10/16/2018 - 09:50
UK’s MoD Exposed in 37 Security Breaches: Report

The UK’s Ministry of Defence (MoD) appears to have exposed highly sensitive data and systems to the risk of compromise after reports revealed 37 breaches of security protocol last year.

The heavily redacted reports don’t indicate whether the security breaches led to sensitive military information falling into enemy hands, but their scale should be alarming.

The cybersecurity slip-ups include sending sensitive information unprotected over the internet — where it could potentially have been intercepted by cyber-spies.

Peripherals were connected to ministry networks without checking first for malware, and phones and laptops were taken overseas where they were apparently at risk of malware infection or interception of communications.

In some cases, devices, documents and even rooms were left unsecured, raising the prospect that unauthorized third parties could access them, according to Sky News.

A statement sent from the ministry argued that disclosing more info could increase the risk of a cyber-attack against it.

“The MoD takes the security of its personnel and establishments very seriously but we do not comment on specific security arrangements or procedures,” it added.

The UK’s MoD is not the only defense department to have been found wanting when it comes to cybersecurity recently.

Reports emerged over the weekend that as many as 30,000 Pentagon staff may have had their personal and financial data stolen via a third-party contractor.

Even more concerning, a Government Accountability Office (GAO) report recently found critical vulnerabilities in nearly all US weapons systems under development.

Eset cybersecurity expert, Jake Moore, argued that the number of security breaches recorded by the MoD is concerning.

“Human error still occurs and this report simply echoes that you can have endless computing power and other unmanned mitigation techniques in place, yet the human firewall can still easily be a target and let these attacks in,” he added. “Such prevention techniques as robust and effective staff training will no doubt reduce the number of reported attacks on the MoD.”

Categories: Cyber Risk News

UK Launches “World First” IoT Code of Practice

Tue, 10/16/2018 - 09:01
UK Launches “World First” IoT Code of Practice

The UK government claims to be leading the way with a newly released Code of Practice (CoP) designed to drive security-by-design in the manufacture of IoT products.

Developed in partnership with the National Cyber Security Centre (NCSC), the ICO and others, the "world first" CoP aims to improve baseline security in the sector and ensure smart devices that process personal data are aligned with the GDPR.

It’s focused initially on the consumer space.

HP and Centrica Hive are the first two IoT-makers to sign up, and the government hopes its mapping document will make it easier for others to follow.

Regulation is also being developed to improve the security of consumer-grade IoT products, according to the government.

The move can be seen as a response to the risks posed to individuals and businesses from unsecured consumer IoT devices, as exploited most famously by the Mirai botnet attacks of 2016.

It also comes as the British Standards Institution (BSI) readies a new kitemark scheme for consumers and businesses to help them better identify products they can trust to be reliable and secure.

The CoP received a cautious welcome from security experts, but many argued it doesn’t go far enough.

“A code of practice is a step in the right direction, but more needs to be done. The industry should follow best practices and self-regulate, before regulators put a static, cumbersome device security framework in place,” argued John Sheehy, VP of strategy at IOActive.

“Security must be built in from the design phase of any new connected device. It cannot be an afterthought, which only makes it more costly to the manufacturer. Until the industry takes a long-term view on cybersecurity risk or faces material financial consequences, we are likely to see things get worse before they get better.”

Andy Kays, CTO at Redscan, added that global standards are needed to improve IoT security across the development lifecycle.

“Right now, cybersecurity is often last in a long list of some manufacturers’ priorities. New features and services are driving sales, not robustness. Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible,” he added.

“Retailers need to do their part in helping to protect consumers by ensuring that they choose to stock products that meet recognized security standards.”

Matt Walmsley, EMEA director at Vectra, was sceptical of the CoP’s impact.

“Voluntary codes of practices will likely only attract organizations who are already proactive and bought into addressing the issues the CoP seeks to address,” he argued.

“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the frame work’s recommendations.”

Categories: Cyber Risk News

Endpoint Attacks Increase as Patching Slows

Tue, 10/16/2018 - 09:00
Endpoint Attacks Increase as Patching Slows

While it’s no surprise that organizations are being compromised, a new study released by Ponemon Institute found that the rate at which organizations are compromised is quite alarming.

The study, 2018 State of Endpoint Security Risk, found a 20% increase in the number of companies that have been compromised by attacks originating at their endpoints over the last 12 months.

The Barkly-sponsored survey included 660 IT and security professionals. All participants had identified zero-day and fileless attacks as the paramount concern when it comes to threats. Of all the participants, nearly two-thirds of organizations have been compromised in the past 12 months.

As a result, 70% of participants said they have replaced antivirus solutions in the past 12 months or have plans to replace them in the coming 12 months. Identifying the greatest challenges when it comes to security gaps, survey respondents cited the high volume of false positives, inadequate protections and high management complexity as their top frustrations.

Additionally, four out of five participants said they struggle to keep up with patching and reported an average delay of 102 days for patching endpoints. Despite the prevalence of zero-day attacks, the survey found that 43% of respondents said they are taking more time to test and roll out patches.

“This study confirms the biggest gap organizations need to address is proactively blocking zero-day and fileless attacks, which are responsible for the majority of today’s endpoint compromises,” said Mike Duffy, CEO of Barkly. 

For those companies that have suffered an endpoint attack in the last 12 months, the cost of attacks has also increased. Companies that reported endpoint attacks that bypassed defenses reported a 42% cost increase year-over-year, bringing the average cost of an endpoint attack for an organization to $7,120,000 in 2018. That works out to be $440 per endpoint, and the price tag is almost doubled that for small-to-midsized business that shell out an average of $763 per endpoint.

Of the successful attacks, 76% leveraged unknown and polymorphic malware or zero-day attacks. These techniques increase the odds of success, making attackers using zero-day attack vectors four times more likely to compromise endpoints, compared to traditional attack techniques.

“This increase in successful attacks have exposed a gap in protection that existing solutions and processes are not addressing,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a press release. “Antivirus products missed more attacks than they stopped in 2018 and organizations believe their current antivirus is effective at blocking only 43% of attacks. There is a clear need for more effective solutions to block zero-day and fileless attacks.”

Categories: Cyber Risk News

#Cyberrecoded: Get the Certification that is Right for You

Tue, 10/16/2018 - 08:30
#Cyberrecoded: Get the Certification that is Right for You

Speaking at the Cyber Recoded conference in London, Steven Furnell, professor of cybersecurity at the University of Plymouth, discussed the quantity of certifications and the need to understand what is most suited for a person.

Pointing to industry reports around the shortage of skilled people in the industry, Furnell said that this “means organizations are employing and wages are increasing significantly,” while the National Cybersecurity Strategy shows that actions to tackle the skills shortage are in progress. However, Furnell admitted that there is “no single path” to a career, and there is a range of certifications you can gain and use.

Referring to the level of skills and focus, Furnell explained that there is a differing level of what certifications require and what they say about the person, and even with a vendor-issued certification, it “doesn’t necessarily mean skills in a particular product, but skills of some degree.”

He added that with different providers and certifications, not all are the same. He highlighted Comptia’s Security as being “very much geared towards entry level practitioners” which does not require prior experience, however the salary expectations for someone with a Security or a CISSP were very similar.

He said: “The industry is not aware of what a certification brings to the table, but does that mean it is the wrong thing to look at? Experience is the key, and not just getting the certification, but where you get them [employees] from and what they bring to the organization.”

He concluded by saying that security requires proper education and knowing how to fit in, but that professionalism cannot just be taught; you need the right attitude “and if you want to be a pen tester, it is the level of professionalism in which you do that role.”

Categories: Cyber Risk News

Octopus Targets Central Asian Diplomats

Mon, 10/15/2018 - 15:40
Octopus Targets Central Asian Diplomats

An attack aimed at Central Asian diplomatic organizations, dubbed the Octopus Trojan, is able to disguise itself as a popular online messenger, according to researchers at Kaspersky Lab.

The Trojan, a malicious program for Windows, has possible links to DustSquad, a Russian-language cyber-espionage actor that focuses on Central Asian users that Kaspersky researchers have been monitoring for two years.

Attackers successfully leveraged the news that the widely used Telegram messenger may become banned in Kazakhstan. The Trojan was distributed in a package that appeared to be a legitimate version of the Telegram messenger for Kazakh opposition parties, researchers said. Once installed, Octopus gives attackers remote access to victims’ computers.

“The launcher was disguised with a recognizable symbol of one of the opposing political parties from the region, and the Trojan was hidden inside. Once activated, the Trojan gave the actors behind the malware opportunities to perform various operations with data on the infected computer, including (but not limited to) deletion, blocks, modifications, copying and downloading,” researchers wrote.

Via remote access, the attackers were able to spy on victims, steal sensitive data and gain backdoor access to the systems. “We have seen a lot of threat actors targeting diplomatic entities in Central Asia in 2018,” said Denis Legezo, security researcher, Kaspersky Lab, in a press release.

“DustSquad has been working in the region for several years and could be the group behind this new threat. Apparently, the interest in this region’s cyber affairs is growing steadily. We strongly advise users and organizations in the region to keep an eye on their systems and instruct employees to do the same.”

Kaspersky Lab recommends that organizations educate staff on digital hygiene in order to reduce risk. In addition, robust endpoint security solution with application control functionality can strengthen defenses.

Categories: Cyber Risk News

iPhone a Growing Target of Crypto-Mining Attacks

Mon, 10/15/2018 - 15:15
iPhone a Growing Target of Crypto-Mining Attacks

Apple has increasingly been the target of crypto-mining attacks, and according to Check Point, iPhone attacks increased by nearly 400% over the last two weeks in September. 

In its most recently published Global Threat Index, Check Point researchers said they are continuing to investigate the reasons behind this sharp increase but reported that crypto-miners continued to be the most common malware in September 2018. Coinhive continued to hold the number-one position, which it has occupied since December 2017.

While Coinhive currently impacts 19% of global organizations, researchers also reported that the information-stealing Trojan Dorkbot held onto second place with a 7% global impact. The report also noted significant increase in Coinhive attacks against PCs. Attackers used the Coinhive mining malware to target iPhones, which aligned with a rise in attacks against users of the Safari browser, the primary browser used by Apple devices.

The mining malware that rivals Coinhive, known as Cryptoloot, ranked third place overall on the Threat Index, making it the second-most prevalent crypto-miner in the index. Differentiating itself from Coinhive, Cryptoloot requests a smaller revenue percentage from websites than its top competitor.

“Crypto-mining continues to be the dominant threat facing organizations globally,” Maya Horowitz, threat intelligence group manager at Check Point, said in a press release. “What is most interesting is the fourfold increase in attacks against iPhones and against devices using the Safari browser during the last two weeks of September. These attacks against Apple devices are not using new functionality, so we are continuing to investigate the possible reasons behind this development.”

“In the meantime, attacks such as these serve as a reminder that mobile devices are an often-overlooked element of an organization’s attack surface, so it’s critical that these devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses.”

Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) was the top most exploited vulnerability for the seventh-consecutive month, with a reported global impact of 48% of organizations.

Categories: Cyber Risk News

Attack Vectors Long Quiet Make Loud Q3 Comeback

Mon, 10/15/2018 - 13:55
Attack Vectors Long Quiet Make Loud Q3 Comeback

Cyber-criminals eased into the year with a somewhat quiet first and second quarter, but according to a new report from Malwarebytes, attackers made some noise in Q3 2018.  In the Cybercrime, Tactics and Techniques Q3 2018, researchers found that business detections were up 55% compared to 4% for consumers, indicating that cybercriminals are targeting victims who promise a greater return on their investments.

One notable shift in tactics was with the use of traditionally consumer-leaning malware, which the report said are now being leveraged in business attacks. The number of Trojan detections for both businesses and consumers rose 86% from last quarter.

Ransomware, cryptojacking and adware also contributed to this increase in business attacks. In addition, older strains of banking Trojans experienced a comeback, and researchers discovered the emergence of new ones, making this form of malware the number-one detection for both businesses and consumers.

Information-stealing malware, like Emotet and LokiBot grew in Q3. Researchers reported an overall increase of 5% or 1.7 million more detections in Q3 than in Q2. Emotet detections rose by 37% and ranked in the top six malware for business.

Exploit kits also had a busy quarter, with Underminder and Fallout standing out among exploit kit activity. Though not used as a singular weapon, exploit kits were added as components of web-based attacks. Attackers notably targeted Asia and expanded from South Korea into Japan.

Ransomware attacks on businesses were up 88%. Although consumer detections decreased, researchers noted the development of 40 new ransomware variants, though not all were released into the wild. Gandcrab evolved to become more lethal, and Magniber expanded into new regions.

In related news, Malwarebytes researchers noted that over the last few months, MirkoTan (a Latvian company that makes routers and ISP wireless systems) has been dealing with a stream of attacks affecting its products’ operating systems. The string of attacks began in late April when a critical flaw in RouterOS was identified.

Jérôme Segura, lead malware intelligence analyst at Malwarebytes today wrote about a new attack that has emerged, with threat actors using social engineering to get users to install a fake update with a piece of malware that scans random IP ranges to identify vulnerable routers and exploit them. Once infected, the routers are injected with a Coinhive script that forces the users behind the router to mine for cryptocurrency while they browse the internet.

Categories: Cyber Risk News

#Cyberrecoded: Students Should Get Involved to Get Hired

Mon, 10/15/2018 - 13:15
#Cyberrecoded: Students Should Get Involved to Get Hired

Build contacts, start or join a hacking society and follow security’s trends and news to get a good start in the industry.

Speaking at the Cyber Recoded conference in London, a panel of graduates in their first jobs spoke on the 'Getting Past the Gatekeepers' panel about their experiences on getting the necessary experience that employers are looking for.

The panelists, who came from a mixture of universities across the UK and from different academic backgrounds, talked of the need to gain contacts and get involved in local security groups in order to achieve mentoring and career advice opportunities.

Chloe Ungar, student at Leeds Beckett University and intern at Hedgehog Cyber Security, said that it is invaluable to have a network around you, such as a hacking society as it “takes away scary aspects [of security], gives you confidence and allows you to experience things” more than just doing a degree would. “Without the society, I would not have pushed myself to go to conferences where I met the company who would become my employer.”

The panelists were unanimous on engaging with societies and groups both local and national, as well as joining DEF CON groups and rookie track opportunities at Security BSides events.

Asked by moderator Daniel Nash if industry were interested in experience such as working with hacking societies, James Stevenson from BT said that “if you’re passionate about it, someone else will be passionate about it.”

Jack Wilson, former Abertay University student, said that their HackSoc allowed members to present research in their meetings and gain experience in speaking.

In terms of finding work, Stevenson said he had been actively writing and producing podcasts before applying for jobs, and employers were more interested in that sort of work.

Ungar said she had identified the company she wanted to work for and met them having emailed, and heard back within half an hour, at 4 am. Brett Calderbank, who had worked in policy and governance before working in a SOC, said it was important to keep on top of what is happening in the industry, “as this is such an evolving industry.”

Nash concluded by saying that if there is no society then start your own, as while it is a lot of effort it will pay dividends for experience. 

Infosecurity asked which of the panelists had picked the company they wanted to work for, and what qualities they were looking for in an employer? Ungar said she found her employer at a BSides London conference, and she was attracted to a smaller company “where every employee counts.”

Wilson explained he had started to look for a graduate scheme six months before graduating, and gathered enough information to determine what he liked and what they [potential employer] were looking for, while Stevenson said it was important to identify the company and even if they say no, take the feedback and improve yourself, and keep on applying.

Categories: Cyber Risk News

Pentagon Staff Hit by Major Data Breach

Mon, 10/15/2018 - 11:01
Pentagon Staff Hit by Major Data Breach

The US Department of Defense has suffered a major breach of employee’s personal and financial information, according to reports.

An unnamed official told AP that the incident may have affected as many as 30,000 civilian and military personnel.

A statement seen by the newswire confirmed that the incident had been discovered at the beginning of October, although it’s not clear when the breach took place.

“The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the department,” the statement noted. “This vendor was performing a small percentage of the overall travel management services of DoD.”

The vendor is not being disclosed for security reasons but the Pentagon is said to be taking steps to cancel its contract.

“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” the statement continued.

The news comes just days after a damning Government Accountability Office (GAO) report found critical vulnerabilities in nearly all weapons systems under development.

It claimed the Pentagon is only “just beginning to grapple" with the challenges highlighted in the report.

“One test report indicated that the test team was able to guess an administrator password in nine seconds,” the GAO claimed. “Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the internet and gain administrator privileges for that software.”

To add insult to injury, when confronted with the findings, weapons program officials are said to have dismissed some test results as “unrealistic.”

Categories: Cyber Risk News

WannaCry Cost NHS £92 Million

Mon, 10/15/2018 - 09:50
WannaCry Cost NHS £92 Million

The infamous WannaCry ransomware campaign of 2017 caused losses in the region of £92m for the NHS, the government has revealed.

In a progress update titled Securing cyber resilience in health and care, the Department of Health and Social Care caveated the figures by saying they are only broad estimates.

Broken down further, around £19m was lost directly as a result of access to info and systems being unavailable, leading to cancelled appointments and similar.

Over 19,000 appointments and operations are said to have been cancelled as a result of WannaCry.

“It is anticipated that 1% of care was disrupted over a one week period, based upon an estimate of the average level of care provided by the NHS in a one week period,” the report explained. “It is estimated that there was approximately £19m of lost output. However demand for NHS services fluctuates, therefore this should only be considered an approximate estimate.”

A much larger £72m was lost in the aftermath with additional IT support drafted in to help restore data and systems.

“Assuming each of the 80 severely affected trusts would have required the equivalent of five days FTE additional resource of an IT specialist, the cost of IT support at the time of the attack would have been £0.5m,” the report explained.

“After the attack we have estimated an average level of resource required by organizations based upon their size and the severity of disruption. There were a few anecdotal reports of costs by individual organizations, but not enough data to make a robust estimate. Therefore the figures quoted below should be considered an approximate estimate.”

WannaCry is said to have disrupted services across one-third of hospital trusts and around 8% of GP practices.

Mollie MacDougall, threat intelligence manager at Cofense, argued that ransomware could have life-threatening consequences for patients.

“If there is one lesson healthcare organizations can learn from these trends, it is to have appropriate anti-phishing programs in place that build on existing security capabilities, to include augmenting incident response efforts with real-time human-intelligence,” she added.

“Phishing keeps proving itself to be a successful vehicle for delivering damaging malware like ransomware, and as threat actors continue to find ways to bypass automated defenses, so too must network users be educated and armed to be a successful last line of defense against them.”

Categories: Cyber Risk News

Facebook Breach Hit 30 Million

Mon, 10/15/2018 - 08:55
Facebook Breach Hit 30 Million

A major breach announced by Facebook last month affected 20 million fewer customers than at first predicted, but for 14 million unlucky users hackers managed to access virtually all their profile info.

The social network’s VP of product management, Guy Rosen, explained in an update on Friday that of the 50 million people whose access tokens were thought to be affected, 30 million actually had the tokens stolen.

“For 15 million people, attackers accessed two sets of information — name and contact details (phone number, email, or both, depending on what people had on their profiles),” he said.

“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For one million people, the attackers did not access any information.”

So far, there’s no sign that the attackers accessed third-party apps, Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, or advertising/developer accounts.

There was also more info on exactly how the attackers managed to carry out the attack.

According to Rosen, they “already controlled” a set of accounts, and had developed an automated technique to move from one to another, stealing access tokens for the friends of those accounts, and the friends of these friends etc.

By doing this, they obtained access tokens for around 400,000 users. Then “the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” said Rosen.

Customized messages will be sent to those affected over the next few days with advice on how to protect themselves from follow-on scams. Users can also check here to see if they were affected.

Categories: Cyber Risk News

Secret Amazon Data Center Gives Nod to Seinfeld

Fri, 10/12/2018 - 16:05
Secret Amazon Data Center Gives Nod to Seinfeld

On October 11, 2018, WikiLeaks published AmazonAtlas, a 20-page document from late 2015 containing the addresses and operational details for more than 100 of Amazon’s data centers, one of which indicates an affinity for the comedy of Jerry Seinfeld.

In addition to revealing the information about the data centers, located in 15 cities across nine countries, WikiLeaks also created a map showing the exact locations of the centers. A center in Manassas, Virginia, operates under the pseudonym Vandalay Industries, a fictitious latex company made famous in a Seinfeld episode when an unemployed George Costanza assured the unemployment office that he was on the verge of landing a job.   

According to WikiLeaks, “Amazon is known as Vandalay Industries on badges and all correspondence with building manager.” It’s not at all uncommon for Amazon to operate out of data centers that are owned by other companies. In fact, the intent is to have little to no indication that Amazon operates at the location, which lends to the secrecy of its whereabouts.

Though Amazon has long been a leading cloud provider for the intelligence community, the leaked locations could potentially compromise the company’s status as a leading contender for a $10 billion contract with the Department of Defense (DOD).

“Amazon is one of the only companies with the certifications required to host classified data in the cloud. The Defense Department is looking for a single provider and other companies, including Oracle and IBM, have complained that the requirements unfairly favor Amazon,” WikiLeaks wrote.

“While one of the benefits of the cloud is the potential to increase reliability through geographic distribution of computing resources, cloud infrastructure is remarkably centralized in terms of legal control. Just a few companies and their subsidiaries run the majority of cloud computing infrastructure around the world. Of these, Amazon is the largest by far, with recent market research showing that Amazon accounts for 34% of the cloud infrastructure services market.”

Prior to the leak, the locations of the cloud infrastructure controlled by Amazon were hidden. In revealing the locations, WikiLeaks also create the Quest of Random Clues, a puzzle game that encourages players to find the data centers while highlighting various concerns, one of which includes contracts with the intelligence community.

Infosecurity Magazine contacted Amazon for comment, but the company has not responded.

Categories: Cyber Risk News

No Cookies for CartThief, a New Magecart Variant

Fri, 10/12/2018 - 15:07
No Cookies for CartThief, a New Magecart Variant

A new variant of the Magecart attacks has been targeting smaller e-commerce operations, according to The Media Trust’s digital security and operations (DSO) team.

Researchers found a new type of malware that targets payment pages on legitimate Magento-hosted retail sites. Dubbed CartThief, the malware’s behavior is similar to that of the current iteration of the Magecart malware.

As soon as credit card information is entered into a checkout page and a payment is submitted, the malware collects, encrypts and sends personally identifiable (PII) and financial information to the malicious actors’ command-and-control server.

What sets this malware apart is the method used to encode or obfuscate the malicious domain and the PII data collection activity. To avoid arousing suspicion and sneak past many blocking technologies, there are no user-identifying cookies or source codes to set off alarms for users. The absence of cookies is one feature that differentiates CartThief from other Magecart variants. 

“The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps,” wrote Michael Bittner, digital security and operations manager at The Media Trust.

By exploiting vulnerabilities in web applications, bad actors were able to attack Magento-hosted e-commerce sites and insert rogue files into legitimate HTML code, granting them access to the payment page. Because the activity has only been executed on a handful of smaller e-commerce sites, researchers believe that the attackers are intentionally flying under the radar while testing the malware before staging a larger-scale attack, which they suspect could come during the holiday shopping season.  

“Given increasing malicious activity and the advent of financial penalties, e-commerce operations should police their digital ecosystem for any unauthorized activities and actors by continuously scanning their sites. Doing so will help them pre-empt any security issues,” Bittner wrote.

Categories: Cyber Risk News

Hackers Win Big by Gambling on Identity Spoofing

Fri, 10/12/2018 - 14:44
Hackers Win Big by Gambling on Identity Spoofing

In analyzing global cybercrime patterns ThreatMetrix found that identity spoofing, fueled by stolen identity data, is the most prevalent attack vector for the gaming and gambling industry.

Additionally, the Q2 2018 Gaming & Gambling Report discovered that location (IP) spoofing attacks increased 257% year-over-year, making it the fastest growing attack vector in the space. Because more sophisticated location spoofing tools are available, fraudsters are making frequent attempts to disguise their true location and launder money.

Distinguishing trusted users from fraudsters is made increasingly more challenging with malicious account takeovers (ATOs) and the use of collusive play and self-excluders.

“Rising cybercrime levels is no small issue for a sector that enjoys a truly global customer base,” said Ellie Burns, fraud and identity manager at ThreatMetrix, in a press release. “With more than two billion gamers worldwide, nearly 60% of the industry's traffic is cross-border.

"Operators must contend with a rapidly evolving regulatory landscape and stringent new anti-money laundering laws, making the verification of the true location of a transacting gamer a vital component in authenticating identity.”

An additional contributor to the growth of IP spoofing attacks is that users are trying to access services that might be restricted in their locations, which is one factor driving the high volume of cross-border traffic.

Increased mobile transactions were also a key finding in the report, resulting from more people placing bets and accessing accounts from their smartphones. The report revealed that 71% of all gaming and gambling transactions are now made via mobile devices, which is a 45% increase year-on-year. Not surprisingly, mobile payments are attacked more often than any other transaction. Hackers have realized that mobile serves as a door of opportunity where they are able to monetize stolen credentials.

“To deal with these challenges, gaming and gambling operators must incorporate dynamic digital identity intelligence that pieces together key indicators, such as device intelligence, true geo-location, online identity credentials and threat analysis, to better inform risk decisions. The key is to be able to effectively differentiate trusted users from fraudsters and understand changes in trusted user behavior, without adding unnecessary friction,” said Burns.

Categories: Cyber Risk News

UK Finance: New Tax Could Pay for Fraud Losses

Fri, 10/12/2018 - 10:59
UK Finance: New Tax Could Pay for Fraud Losses

Trade association UK Finance has called for a new tax on payments to create a fund that banks can use to compensate victims of fraud.

CEO of the banking lobby, Stephen Jones, made the proposals before a Treasury Select Committee this week, reportedly claiming that a “tiny levy” on each payment could help to break the stand-off between financial institutions and other stakeholders over authorized push payment (APP) fraud.

“Customers will pay if the banks have to pay,” he’s reported to have said. “There’s no such thing as a free lunch here. It’s a question of how can the cost be fairly distributed across the system.”

APP occurs when a scammer tricks their victim into making payments to an account controlled by them. Banks argue that they shouldn’t be responsible for compensating the consumer if they’ve basically met their level of care.

A third of fraud losses in the UK last year were down to APP, amounting to £236m.

However, earlier this year the Financial Ombudsman Service (FOS) revealed that in disputes it is called upon to arbitrate, banks often try to blame customers — which it said is increasingly difficult to do given the growing sophistication of online scams.

The heated debate is part of an overall attempt to draw up an industry code governing how APP victims should be compensated.

Brooks Wallace, head of EMEA for cybercrime and fraud prevention at Trusted Knight, argued that Jones’ proposals could set a dangerous precedent and claimed the banks were trying to “shift financial responsibility to the customer before [fraud] really starts to impact their bottom line.”

“This statement demonstrates two things - firstly, that banks are starting to feel the burden of hefty fraud losses through more sophisticated online crime. Secondly, that they are becoming increasingly unwilling to foot the bill,” he added.

"This is a risky route to go down. While some fraud is not the fault of the bank, often fraud could have been halted if the bank had better fraud prevention in place for its customers. While the banks could argue that losses are down to third-parties — such as payment details being stolen in retailer data breaches — ultimately, financial organizations need to have more rigorous procedures for identifying and stopping fraudulent transactions taking place.”

Categories: Cyber Risk News

FitMetrix Exposes “Millions” of Customers’ Data

Fri, 10/12/2018 - 09:30
FitMetrix Exposes “Millions” of Customers’ Data

A leading fitness software company may have exposed millions of customer records by failing to protect a cloud database.

Researcher Bob Diachenko said he found the exposed database hosted on AWS via a simple Shodan search for unsecured Elasticsearch instances which could be targeted by ransomware attackers.

He found the cloud store of 119GB of data belonging to Fitmetrix, with two identical sets of data and two IP addresses. Interestingly one was labelled as “compromised” as it contained a ransom note from an ultimately unsuccessful attempt to extort the company.

“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko wrote.

“This script sometimes fails and the data is still available to the user even though a ransom note is created.”

The exposed data included name, gender, email address, birth date, home and work phone, height, weight and much more.

The total number of records affected topped 122 million, although it’s unlikely that all of these contain customer data, according to Diachenko, who estimated that “millions” were still likely to have been affected.

Parent company Mindbody, which acquired the firm earlier this year, finally responded and secured the database five days after first being contacted, on October 10.

Balaji Parimi, CEO of CloudKnox Security, said these incidents are occurring more frequently as complex multi-cloud environments become more popular.

“The most likely scenario in this case is that a FitMetrix employee changed the privacy configuration for these servers to share access and simply forgot to change it back when the task was completed. These incidents are rarely malicious. They are the result of what’s emerging as the biggest cyber-threat facing enterprises today: the complexity of and lack of visibility organizations have into their own infrastructure,” he argued.

“In order to mitigate these types of mistakes and the threat they pose, it’s critical for companies to devote cybersecurity resources to gaining better visibility. That means understanding which employees have the types of privileges that can affect the company’s security posture and limiting those privileges to properly-trained, security-conscious employees. With proper visibility and authorization settings, organizations can put real guard rails in place to help prevent these types of mistakes.”

Categories: Cyber Risk News