Security researchers claim to have discovered a database containing a staggering 1.4 billion breached credentials, the largest of its kind ever discovered on the dark web.
The list is said to be nearly twice as big as the previous largest discovered, an Exploit.in database which exposed 797 million records, according to Julio Casal, co-founder of dark web analysis firm 4IQ.
“This dump aggregates 252 previous breaches, including known credential lists such as Anti Public and Exploit.in, decrypted passwords of known breaches like LinkedIn as well as smaller breaches like Bitcoin and Pastebin sites,” he explained in a blog post.
“This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports. Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover.”
The credentials are stored in plain text and the database even includes examples of how people set passwords, reuse them and create repetitive patterns over time.
The 41GB data dump was updated as recently as the end of November, and includes 385 million new credential pairs from 318 million unique users not seen in the Exploit.in and Anti Public lists.
The most popular password was “123456”, having been used over 9.2 million times, followed by “123456789”, which is featured in the dump over 3.1 million times.
Satya Gupta, founder and CTO of Virsec Systems, argued the discovery highlights how easy it has become for unsophisticated hackers to get hold of sensitive personal data.
“As this data becomes commoditized, its value does diminish, but [that’s] of little comfort to consumers, whose data is available to thousands of criminals,” he added. “These dark web marketplaces are probably also funding more advanced, and stealthy attacks being designed against high-value corporate, government and infrastructure targets.”
Michael Magrath, director of Global Regulations & Standards at VASCO Data Security argued that the incident shows why knowledge-based verification and static passwords are no longer fit-for-purpose.
“The industry has come a long way over the past few years offering a variety of frictionless authentication solutions that do not require users to remember complex static passwords, but instead leverage integrated technologies in smartphones and other mobile devices such as facial recognition, fingerprint and adaptive authentication,” he added.
“Multi-factor authenticators are an integral part of a risk-based approach to cybersecurity. Perhaps 1.4 billion credentials will finally put the final nail in the password coffin.”
This Christmas Infosecurity has invited five top industry names to each fill the role of guest editor for a day, and we are delighted to introduce Javvad Malik, who will be taking the reins today!
Javvad is an award-winning information security consultant, author, researcher, analyst, advocate, blogger and YouTuber. He currently serves as a security advocate at AlienVault.
Javvad is known as one of the industry’s most prolific influencers, with a signature fresh and light-hearted perspective on security.
Prior to joining AlienVault, he was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning. Prior to that, Javvad served as an independent security consultant, with a career spanning 12 years working for some of the largest companies across the financial and energy sectors.
Javvad is an author and co-author of several books and is also the founder of the Security B-Sides London conference and a co-founder of Host Unknown with Thom Langford and Andrew Agnés.
Javvad has earned several professional certifications over the course of his career, including Certified Information Systems Security Professional (CISSP) and GIAC Web Application Penetration Tester (GWAPT). He’s also won numerous awards in recent years for his blogging, including the ‘2015 Most Entertaining Blog’ and the ‘2015 Best Security Video Blogger’ recognitions at the European Security Blogger Awards.
Javvad will be sharing his thoughts on the industry throughout the day with an introductory video, opinion article, Q&A with the real editor Eleanor Dallaway and a Twitter takeover!
An Android vulnerability has been uncovered that allows attackers to modify apps in an undetected way, without affecting their signatures.
The flaw (CVE-2017-13156) allows a file to be a valid APK file and a valid DEX file at the same time, according to GuardSquare, which has named it the Janus vulnerability, after the Roman god of duality.
“In theory, the Android runtime loads the APK file, extracts its DEX file and then runs its code,” said researchers, in an analysis. “In practice, the virtual machine can load and execute both APK files and DEX files. When it gets an APK file, it still looks at the magic bytes in the header to decide which type of file it is. If it finds a DEX header, it loads the file as a DEX file. Otherwise, it loads the file as an APK file containing a zip entry with a DEX file. It can thus misinterpret dual DEX/APK files.”
When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update. Nefarious types can leverage the Janus issue to prepend a malicious DEX file to an APK file, so that Android will accept the APK file as a valid update of a legitimate earlier version of an app. However, the code is loaded from the injected DEX file.
“The updated application inherits the permissions of the original application,” the researchers said. “Attackers can, therefore, use the Janus vulnerability to mislead the update process and get unverified code with powerful permissions installed on the devices of unsuspecting users.”
Depending on the targeted application, a hacker can access sensitive information stored on the device or take over the device completely. Alternatively, an attacker can pass a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications. The cloned application can look and behave like the original application but inject malicious behavior.
“Any scenario still requires the user to install the malicious update from a source outside the Google Play store,” the researchers said. “It may be relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature. For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates.”
The Janus vulnerability affects recent Android devices (Android 5.0 and newer). Google has released a patch to its OEM partners.
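A defender-side check for the file shape described above, added here as an example (it is not GuardSquare's code): it classifies a file by its leading magic bytes the way the passage says the runtime does, flags a file that starts with a DEX header yet still carries a ZIP end-of-central-directory record, and shows that Python's own `zipfile` opens such a file as an ordinary archive, listing only the legitimate entries. The sample files are constructed inline; the DEX prefix is a header stub, not bytecode.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"            # first four bytes of the DEX magic "dex\n035\0"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # what a normal APK starts with
ZIP_EOCD = b"PK\x05\x06"        # end-of-central-directory record, near the tail of every ZIP


def classify_apk(data: bytes) -> str:
    """Classify a file by its header, as the passage describes the Android runtime doing.

    'apk'     - starts with a ZIP local file header (a normal APK)
    'dex'     - starts with a DEX header and has no ZIP structure behind it
    'dual'    - starts with a DEX header AND still ends in a ZIP central directory:
                the DEX-prefixed APK shape that Janus abuses
    'unknown' - neither magic
    """
    head = data[:4]
    # The EOCD record (22 bytes) may be followed by a comment of at most 65535 bytes.
    has_zip_tail = ZIP_EOCD in data[-(22 + 65535):]
    if head == ZIP_LOCAL_HEADER:
        return "apk"
    if head == DEX_MAGIC:
        return "dual" if has_zip_tail else "dex"
    return "unknown"


def zip_entries(data: bytes) -> list:
    """Entry names as a ZIP-aware tool would list them; [] if the data is not a ZIP.

    zipfile locates the central directory from the end of the file and adjusts for
    prepended bytes, so a DEX-prefixed APK lists exactly like the untouched APK.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def build_samples() -> dict:
    """Constructed test inputs (not real apps or malware).

    'apk'  - a minimal ZIP with the two entries every APK has
    'dex'  - a stub DEX header on its own
    'dual' - the stub DEX header prepended to the ZIP
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)  # placeholder, not bytecode
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    apk = buf.getvalue()
    dex_stub = b"dex\n035\0" + b"\0" * 64  # stand-in for an injected DEX blob
    return {"apk": apk, "dex": dex_stub, "dual": dex_stub + apk}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:5s} -> {classify_apk(blob):7s} zip entries: {zip_entries(blob)}")
```

An update whose file classifies as `dual` should be rejected before the signature comparison is even attempted, since the ZIP-level signature the passage mentions says nothing about the bytes in front of the archive.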
The Necurs botnet has increased in prevalence since the US Thanksgiving holiday, as cyber-criminals use it to distribute a new form of ransomware, according to Check Point’s latest Global Threat Impact Index.
Over Thanksgiving, hackers were found using Necurs, considered to be the largest spam botnet in the world, to distribute the relatively new Scarab ransomware that was first seen in June 2017. The Necurs botnet started mass distribution of Scarab during the holiday, sending over 12 million emails in a single morning.
Necurs has previously been used to distribute some of the most insidious malware variants to hit business networks in the past 12 months, including the Locky and Globeimposter families. But the Scarab activity has catapulted it onto Check Point’s list of the ten most prevalent malware families.
“The re-emergence of the Necurs botnet highlights how malware that may seem to be fading away doesn’t always disappear or become any less of a threat,” said Maya Horowitz, Threat Intelligence group manager at Check Point. “Despite Necurs being well known to the security community, hackers are still enjoying lots of success distributing malware with this highly effective infection vehicle.”
As for the other threats, RoughTed, a large scale malvertising campaign, remains the most prevalent threat, with the Rig exploit kit in second, and the Conficker worm in third.
The most popular malware used to attack organizations’ mobile estates remains unchanged from October, as Triada, a modular backdoor for Android, continued to increase in prevalence. Triada grants superuser privileges to downloaded malware, which helps it embed itself in system processes. Triada has also been seen spoofing URLs loaded in the browser.
The Lokibot Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are removed, is in second place for mobile malware, followed by LeakerLocker, an Android ransomware that reads personal user data, presents it to the user and threatens to leak it online if the ransom isn’t paid.
Check Point’s Global Threat Impact Index is based on its ThreatCloud database, which holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites.
One third (32%) of IT professionals in a new survey plan to find a new employer in 2018.
According to Spiceworks’ 2018 IT Career Outlook, 75% of those planning to switch jobs are seeking a better salary, 70% are looking to advance their skills and 39% want to work for a company that makes IT more of a priority.
In terms of the tech skills necessary to be successful next year, 81% of respondents said it’s critical to have cybersecurity expertise. At least 75% of IT professionals also said it’s critical to have expertise in networking, infrastructure hardware, end-user devices, and storage and backup.
However, when asked to rate their expertise in each area, only 19% of IT pros reported having advanced cybersecurity knowledge. When comparing generations, the results show 15% of millennials reported having advanced cybersecurity skills compared to 22% of Gen X and 26% of baby boomers.
The results also show that 7% of IT professionals plan to start working as a consultant, 5% plan to leave the IT industry altogether and 2% plan to retire in 2018. Additionally, 51% of respondents expect a raise from their current employer next year, while one-fifth (21%) also expect a promotion.
About a quarter (24%) of IT professionals aren’t expecting any career changes or a raise next year.
When examining the data by generation, the results show 36% of millennial IT professionals plan to search for or take a new job next year, compared to 32% of Gen X and 23% of baby boomers. In comparison to older generations, the survey shows that millennial IT professionals are more likely to leave their current employer to find a better salary, advance their skills, work for a more talented team and receive better employee perks. Conversely, Gen X IT professionals are more likely to seek a better work-life balance, while baby boomers are more likely to leave their employer due to burnout.
Interestingly, the survey shows 70% of IT professionals are satisfied with their current jobs, but 63% believe they’re underpaid. This rate is even higher among millennials. About 68% of millennial IT professionals feel underpaid, compared to 60% of Gen X and 61% of baby boomers.
Despite feeling underpaid, IT professionals have a positive outlook on the job market next year, leading many to search for new opportunities. In fact, 36% of IT professionals believe the IT job market will improve in 2018, while 51% believe it will stay the same and only 13% believe it will get worse.
In terms of how much IT professionals are paid, the results show millennials are paid a median income of $50,000 per year, while Gen X IT professionals are paid $65,000 and baby boomers are paid $70,000. However, millennial IT professionals have an average of seven years of experience compared to 17 years among Gen X and 25 years among baby boomers.
“Although the majority of IT professionals are satisfied with their jobs, many also believe they should be making more money, and will take the initiative to find an employer who is willing to pay them what they’re worth in 2018,” said Peter Tsai, senior technology analyst at Spiceworks. “Many IT professionals are also motivated to change jobs to advance their skills, particularly in cybersecurity. As data breaches and ransomware outbreaks continue to haunt businesses, IT professionals recognize there is high demand for skilled security professionals now, and in the years to come.”
Despite the huge impact WannaCry and NotPetya had on organizations, the two ransomware campaigns earlier this year did little to affect budgets or boardroom interest in security, according to a new study.
AlienVault polled over 230 information security professionals around the world to see if anything had changed following the two major attack campaigns of May and June.
The bad news is that only 14% have had their cybersecurity budgets increased. This comes at a time when UK business spending in this area has been cut by as much as a third on last year — down from £6.2m to £3.9m, according to PwC.
“Working life has become much more difficult for many IT professionals in the wake of these attacks. But the preventative measures that many are engaged in, such as patching and security reviews, points towards a panicked reaction from management tiers,” argued security advocate Javvad Malik.
“Given the unpredictable nature of today’s security environment, organizations should focus their efforts on detection and response.”
However, overall spending on security is set to rise 8% from this year to top $96bn in 2018 as firms rush to invest in new technologies to prevent breaches and meet regulatory compliance requirements, according to new Gartner figures.
The analyst claimed that firms were indeed investing more in detection and response, especially at the endpoint, as well as automation and outsourcing.
There was more bad news from AlienVault: only 16% of IT security professionals polled said they thought their bosses have started taking a greater interest in their roles because of WannaCry and NotPetya.
What’s more, just a fifth of respondents claimed they had been able to implement changes or projects that were previously put on hold.
On the plus side, over a quarter (28%) said they think that most people in the organization listen to their IT advice more than they did before the incidents.
Microsoft has released fixes for two critical flaws in its Windows Defender product which could allow attackers to completely take control of a targeted system.
CVE-2017-11937 and CVE-2017-11940 are remote code execution (RCE) vulnerabilities that exist when the Microsoft Malware Protection Engine (MMPE) doesn’t properly scan a specially crafted file, leading to memory corruption.
A remote attacker could therefore use a specially crafted file to execute arbitrary code, leading to a full system compromise. The file could be emailed, IM’d or delivered via a compromised website, the alert noted.
As the engine automatically scans files in real-time, the bugs could be easily exploited.
The updates fix the vulnerabilities by correcting the way in which the Microsoft Malware Protection Engine scans specially crafted files.
The software flaws affect Windows Defender on all supported Windows PC and server platforms, as well as Microsoft Endpoint Protection, Windows Intune Endpoint Protection, Security Essentials, Forefront Endpoint Protection and Exchange Server 2013 and 2016.
Fortunately, the vulnerabilities are not thought to have been publicly disclosed or exploited in the wild.
Most enterprise admins will not need to take any further action as the updates will be automatically deployed.
Interestingly, the bugs were reported by the National Cyber Security Centre (NCSC), part of UK spy agency GCHQ.
It’s a nice bit of PR for NCSC given its role is to educate the populace and protect UK consumers and businesses from critical cyber-threats to essential services.
The organization has been an increasingly vocal presence in the news of late, warning government agencies earlier this month to effectively ban Russian AV for any networks processing information classified “secret” or above.
Several other critical MMPE bugs have already been discovered this year allowing remote code execution by hackers.
Over a fifth of UK small business owners believe a lack of cybersecurity skills is preventing them from becoming more digitally oriented, according to a new study from a leading UK business group.
The biggest barrier to digital growth is a basic lack of IT skills, cited by 22%, followed closely by a dearth of in-house security skills (21%).
Half (50%) of small businesses claimed that technical skills are the most important for driving future business growth.
Business owners are right to be concerned: the FSB estimates that smaller companies in the UK suffer as many as seven million cyber-crimes every year, at a cost of £5.26bn annually.
The report continued:
“This is a substantial on-going additional cost of doing business, reducing the competitiveness of smaller firms and creating a ‘chilling effect’ on the dynamism of the small business community, not least due to the higher costs of adopting new digital networked technologies as a result of such risks. Smaller firms are the least best placed to deal with cyber-threats most effectively, because of the significant constraints under which they operate. Such constraints make smaller businesses highly vulnerable to cyber threats.”
The FSB recommended several steps the government and other stakeholders could take to improve digital skills in small businesses, including tax breaks for training courses, more effective use of the new National Careers Service website and audits of training provision by Local Enterprise Partnerships (LEPs).
“The twin pressures of rapid technological change and Brexit make upskilling the current workforce more important than ever,” argued FSB national chairman, Mike Cherry.
“Small firms clearly recognize the value of providing training for themselves and their staff, but it can be a struggle to find the time and money, and in some cases even to find the right training locally. All Local Enterprise Partnerships (LEPs) should ensure that there is relevant, accessible training available to meet the needs of small businesses and the self-employed.”
Skills gaps aren’t just a problem among small businesses. More generally the information security sector is heading for a skills “cliff edge”, according to the most recent Global Information Security Workforce Study (GISWS).
This Christmas Infosecurity has invited five top industry names to each fill the role of guest editor for a day, and on the first day of this week we are delighted to introduce Jenny Radcliffe!
Jenny Radcliffe, aka “The People Hacker”, is an expert in Social Engineering, negotiation, persuasion and influence, non-verbal communication and deception, and has been an active lifelong social engineer since breaking into a local zoo at the age of seven.
A recognized expert on psychological security she has been performing penetration tests and related assignments for clients of all sizes and types on an international basis for decades and is renowned throughout the entire security sector working with companies from many different areas of the industry. She is entirely non-technical in her methods and attacks, using psychology and a unique perspective to continually excel at breaching security systems and protecting her clients.
Using a blend of anecdotes, science and humor, Jenny is an exceptional and highly impactful professional speaker. A regular keynote at major security events and a multiple TEDx contributor, Jenny has been a guest expert on security, scams and social engineering for various television and radio shows as well as multiple online media.
Jenny is the host of the internationally successful podcast “The Human Factor” which interviews people from all walks of life about social engineering, security, business and life.
Jenny will be sharing her thoughts on the industry throughout the day so look out for her introductory video, opinion article, a Q&A with the real editor Eleanor Dallaway and a Twitter takeover!
The new generation of cyber-criminals resemble traditional Mafia organizations, not just in their professional coordination, but also in their willingness to intimidate and paralyze victims.
A new report from Malwarebytes, The New Mafia: Gangs and Vigilantes, determines that there are four distinct groups of cyber-criminals: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. The report said that the entrance of new participants has transformed cybercrime from isolated and individualized acts into pervasive, savage practices run by distinct groups of individuals.
“Similar to the criminal gangs that dominated major cities like New York in the 1930s, these new participants have largely been attracted by the potential for riches and power. Likewise, these newer perpetrators of cybercrime have increasingly resorted to fear, intimidation and a feeling of helplessness to achieve their aims. Similar to the mobsters who would muscle their way into a business and make demands, cyber-criminals are taking command of computers and sensitive personal information to threaten victims.”
Research from Malwarebytes determined that the number of attacks recorded in the first 10 months of 2017 surpassed the total for all of 2016.
“The average number of monthly attacks has also increased by 23% in 2017,” the report said. “2016 itself saw a spectacular rise in business-targeted cybercrime, with a 96% increase in attacks compared to the previous year.”
The report calls for businesses and consumers to fight back by acting as ‘vigilantes’ through greater collective awareness, knowledge sharing and proactive defenses. This includes a shift from shaming businesses who have been hacked and instead engaging with them – working together to fix the problem.
Speaking to Infosecurity, Marcin Kleczynski, CEO of Malwarebytes, said that old gang-style organized crime has evolved into cybercrime, in a style of “old versus new mafia through technology advances.”
He added: “The game has shifted to corporate espionage, and it is undetectable at this point as you don’t need to manipulate the blueprints, you’re just copying them without leaving a trace behind. The idea that Boeing puts together a plan for a new plane and you can skip that stage and go straight to manufacturing.”
Kleczynski said that the most damaging cyber-attacks to businesses are the ones that go undetected for long stretches of time. “In spite of high-profile occurrences over the last year, this report shows that many business executives may still have some knowledge gaps to fill. CEOs will soon have little choice but to elevate cybercrime from a technology issue to a business-critical consideration.”
Enterprise cybersecurity spending will hit a high of $96.3 billion in 2018, as organizations rush to protect themselves from damaging data breaches and meet regulatory compliance requirements, according to Gartner.
The analyst firm said the figure represents an 8% increase on 2017 spending. It added that of the 53% of organizations citing security risks as the number one driver for spending, breaches were the top risk they identified.
Those stats come from a security spending study that Gartner conducted with global clients last year.
Security testing, IT outsourcing and security information and event management (SIEM) will be among the fastest-growing sub-segments next year, boosting growth in Gartner’s infrastructure protection and security services segments.
Security services will be the largest segment, with revenue of $57.7bn, followed by infrastructure protection ($17.5bn) and network security equipment ($11.7bn).
The smaller segments of consumer security software ($4.7bn) and identity and access management ($4.7bn) will bring up the rear next year.
“Overall, a large portion of security spending is driven by an organization's reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide,” said Ruggero Contu, research director at Gartner. “Cyber-attacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years.”
Regulations including the EU GDPR, HIPAA and NIST in the US, the Overseas Citizenship of India, and China’s Cybersecurity Law, are also driving spending increases in security, the analyst claimed.
Other trends include a shift towards detection and response, especially at the endpoint, and automation and outsourcing.
The latter are in part a response to chronic industry skills shortages — in fact, spending on security outsourcing will reach $18.5 billion in 2018, an 11% increase from 2017, making it the second-largest segment after consulting.
Tim Woods, vice president of technology alliances at FireMon, argued that buying in new technologies can add complexity.
“We’re reaching a breaking point in that regard,” he added. “Automation can ease some of the management burden, at least making processes more efficient. But what it really comes down to is setting and enforcing a strong policy that creates a desirable ‘end-state’ for security.”
Tripwire senior director of security research, Lamar Bailey, argued that firms should focus on the security basics.
“A solid security program focusing on foundational security will thwart around 90% of the active threats,” he claimed.
A 20-year-old Florida man who lives with his mother was responsible for a breach of 57 million Uber users’ details last year, according to a new report.
Three people familiar with the incident told Reuters that the controversial ride-hailing service made the $100,000 payment to hush up the breach through its bug bounty program, run by HackerOne.
However, that sum is at least 10 times greater than the usual payments made through the program.
Uber is said to have made the payment in order to confirm the identity of the hacker, which is still unknown, and, remarkably, to have him sign a non-disclosure agreement (NDA) to prevent future raids.
The hacker’s PC was apparently also analyzed by Uber to confirm all the data had been deleted. However, there will still be question marks over the validity of an NDA struck with a cyber-criminal, and whether or not the individual still holds the data on another device.
It’s claimed the Florida man, described by one source as “living with his mom in a small home trying to help pay the bills”, paid a second person to access the Uber GitHub account in which the firm’s Amazon Web Services credentials were stored.
CEO Dara Khosrowshahi shocked the world when he revealed last month that the firm had failed to notify the authorities of a major breach last year.
The affected parties include 600,000 US drivers and 2.7 million UK riders and drivers, although these are only estimates.
The incident could harm Uber’s chances of overturning a decision by Transport for London (TfL) in September to revoke its private operator license for the capital, TfL having deemed the firm “not fit and proper” to hold one.
An estimated 3.5 million Londoners and 40,000 drivers use the app.
Ransomware has severely disrupted an entire North Carolina county, forcing a return to pen and paper for tax payments, jail services, child support and more.
In a sign of the continued threat to operations that ransomware poses, news emerged this week that 48 out of Mecklenburg County’s 500 servers were infected and forced into quarantine.
Reassuringly, county manager Dena Diorio said at a press conference that the local authority wouldn’t be paying the $23,000 ransom, but instead would begin the long and arduous process of restoring from back-ups.
“It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves,” she said. “And there was no guarantee that paying the criminals was a sure fix.”
However, over one million residents who live in the region could be affected by the outage, with many key services now offline.
These include social services — causing problems for those in need of medical transportation — electronic tax payments, community support services and even jail services.
“Please note that we anticipate a spike in the jail numbers due to the release process being slowed,” claimed a status update.
Residents in the state’s most populous metropolitan area are being urged to stay patient while digital services are restored. Health and Human Services, the court system and Land Use and Environmental Services are being prioritized, the local authority said.
The news comes as security experts warned that the increasing popularity of cyber-insurance could actually encourage more ransomware attacks.
“We find it concerning that insurers sometimes pay ransoms to recover their customers’ data,” said Corey Nachreiner, CTO at WatchGuard Technologies.
“While we understand the business decision, insurers currently have no long-term actuarial data for cyber-incidents and ransomware. It is possible that paying ransoms will encourage this criminal business model and increase the number of incidents insurers have to handle or the cost of ransoms.”
He argued that savvy cyber-criminals could even hack insurers to identify which organizations have taken out extortion insurance and then attack them directly.
An espionage campaign being carried out in the Middle East uses a vulnerability that was patched less than a week ago.
FireEye observed the attackers targeting a government organization in the Middle East, discovering that the activity was carried out by a suspected Iranian cyber-espionage threat group, APT34. The group is using a custom backdoor to achieve its objectives.
“We believe APT34 is involved in a long-term cyber-espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests, and has been operational since at least 2014,” FireEye said in an analysis. “This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.”
APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics.
“In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware.”
In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882, which affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. It was patched by Microsoft on Nov. 14.
“The vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas,” FireEye explained. “The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process instead of as a child process of Office applications. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. As EQNEDT32.exe is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution.”
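A fleet-side check for the property FireEye singles out, a binary built without ASLR support, added here as an example that is neither FireEye's nor Microsoft's code: it parses the PE optional header and reports whether the `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` bit (and the related NX and high-entropy bits) is set. The sample headers are constructed inline; on a real host, pass the bytes of a file such as EQNEDT32.EXE to `mitigations()`.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image may be relocated at load time, i.e. opts in to ASLR
NX_COMPAT = 0x0100        # image is DEP/NX compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use the full high-entropy address space


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                   # skip signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigations(data: bytes) -> dict:
    """Summarise the load-time mitigations an image opts in to."""
    flags = pe_dll_characteristics(data)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "nx": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
    }


def build_pe_header(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a loadable image) for exercising the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # An old-compiler build like the one described would report aslr=False.
    print("legacy build :", mitigations(build_pe_header(0)))
    print("modern build :", mitigations(build_pe_header(DYNAMIC_BASE | NX_COMPAT)))
```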
A Chicagoland election official has put forth an “Election Security Plan”, meant to secure the voting process for Americans. It’s a hot-button topic in the wake of Russian meddling in the US presidential election last year.
Authored by Noah Praetz, director of elections with the Cook County, Ill. Clerk’s Office, the Election Security Plan represents a first-of-its-kind to be put forth by a local official since news broke that Russia attempted to infiltrate voting networks in at least 21 US states during the 2016 election.
The plan, announced at an event put on by hacking conference DEFCON and the University of Chicago’s Harris School of Public Policy, outlines several strategies for stakeholders to better defend against, detect, and recover from cyber threats aimed at voting equipment, systems, networks and databases. Specifically, it describes “a challenging, comprehensive, yet achievable list of actions” both for federal leaders, to support the more than 9,000 voting jurisdictions around the country, and for state and local officials, whose responsibilities it also sets out.
Defend: Increase the defensive capacity of local and state election officials by: Supporting a digital network for all local election officials that will facilitate rapid sharing of threats and incidents, as well as supporting increased training and resiliency; financing an election infrastructure and information security officer (EIISO) (or consultant) servicing every local and state election official in the country; and ensuring that threat and incident information known to government is shared appropriately throughout the election ecosystem.
Detect: Increase the catastrophic breach detection capacity by incentivizing: The use of modern public audits of all elections; the use of modern voting technology that captures a digital image of each ballot that can be tied to the original ballot and the cast ballot record; and the use of monitoring sensors on the networks of all willing election officials.
Recover: Eliminate even the most remote possibility of an undetectable catastrophic breach by replacing all paperless voting systems that currently serve nearly 20 percent of the country.
“This is a critical time when Americans need to be reassured that their vote is secure—and I am proud that my election administration colleagues at the state and local level are the ones serving valiantly on the front lines,” said Praetz, underscoring the need for local action backed by federal support. “Like good servants, these officials will tell you they can continue to hold the line. But they need to be fortified by resources from the federal government, and they need guidance in terms of what line they even can hold.”
In early 2017, the US Department of Homeland Security designated elections as a critical infrastructure subsector, giving the federal government more authority to take action. Sean McCloskey from the DHS's Office of Cyber Security and Communications was on hand for the announcement, highlighting DHS's current role with the Elections Security Task Force.
However, state and local officials who hold constitutional responsibility for administrating elections are often overburdened and constrained by the lack of funding needed to implement security measures.
“Recently, we’ve seen a groundswell of bipartisan national security and cyber leaders uniting to frame the problem and highlight what Russia or other nefarious actors could do to our democracy,” said Jake Braun, a cybersecurity lecturer at University of Chicago and DEFCON Voting Village representative who emceed the event. “Now it’s encouraging to see state and local leaders like Mr. Praetz—and many others who helped influence his plan—coming together to offer solutions. With the full funding and resources to do their job, there’s no question they can better secure our democracy for 2018 and beyond.”
The cryptocurrency mining company NiceHash has suspended its operations for the time being, because of a payment system compromise that translates to $64 million in losses.
Hackers made off with contents of the company’s bitcoin account, according to Andrej Škraba, the Slovenian marketplace's head of marketing. He told Reuters that the compromise was highly professional and involved “sophisticated social engineering”—and led to the loss of 4,700 bitcoins. The digital currency's value continues to skyrocket, reaching a 1 BTC to $16,000 exchange rate this week.
NiceHash matches people looking to sell processing time on their computers with those looking to mine cryptocurrency, which is a compute-intensive activity involving complex algorithms.
It’s not clear whether NiceHash users' accounts were compromised as well, though a sentence in its announcement of the breach seemed to indicate the possibility: “While the full scope of what happened is not yet known, we recommend, as a precaution, that you change your online passwords.”
For US users, their investments are not protected as traditional bank funds would be under the FDIC, which was put in place after the 1929 stock market crash to provide insurance for money kept in bank vaults and to prevent bank runs. Between this and the fact that it is by design an untraceable currency, a bitcoin wallet theft is a total loss 99.9% of the time.
How the compromise played out is likewise unknown.
"There are certainly a number of potential security issues to discuss, from API vulnerabilities to web application and database protection, however, without more details from NiceHash, we can only speculate by which method of attack their website was compromised,” said Rusty Carter, vice president of product management for mobile app security company Arxan Technologies, via email. “Given the large number of bitcoin lost, it's reasonable to suspect that insufficient database security and/or a compromised web application was the likely entry point.”
Most of the focus for cryptocurrencies has been put into the security of the currency itself, while securing the storage and trading of the digital assets has not reached the same level, he added.
“If we contrast with traditional financial institutions like banks and investment firms, we see that the overall reputation of the company, established through corporate stability and security of customer assets, are fundamental priorities to building and maintaining a long-lived business,” said Carter. “With the steady growth of online and mobile banking, there has been an exponential expansion of these institutions adopting a security-by-design philosophy. This security adoption includes end-to-end application security which has become a key area of focus in order to protect the bank's reputation, and customer's assets. With this, mobile apps and API security have become critical, along with securing data in transit, at rest, and in process.”
Reuters number-crunching revealed that nearly a million (980,000) bitcoins have been stolen from exchanges since 2011, which would be worth more than $15 billion at current exchange rates. One of the largest heists resulted in the collapse of the Mt. Gox bitcoin market in 2014.
Security researchers this week revealed a flaw in several popular banking apps which could have exposed as many as 10 million customers to Man in the Middle (MITM) attacks.
The vulnerability in question stems from the fact that the affected apps failed to verify that the hostname in the server’s cryptographically signed certificate matched the server they attempted to connect to.
This could allow malicious third parties on the same network as the victim to step in and take control of an online banking session, intercepting usernames and passwords to hijack an account.
Certificate pinning, a feature intended to prevent use of fraudulent certificates, actually meant that the flaw went undetected in standard tests, according to the University of Birmingham researchers that discovered it.
After running a newly developed testing tool dubbed “Spinner”, they found several of the 400 “security critical” apps they examined to be vulnerable, including those of HSBC, NatWest, Co-op and Bank of America Health.
The researchers also detailed an “in app phishing attack” affecting Santander and Allied Irish Bank apps. It could have allowed an attacker to hijack part of the user’s screen and use it to phish for the target’s log-ins.
The university worked with the National Cyber Security Centre (NCSC) and all affected banks to resolve the problems before they were publicized this week at the annual Computer Security Applications Conference in Orlando.
“In general, the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed,” said researcher Tom Chothia.
“It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”
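To make the failure mode concrete, here is an added example (not the researchers’ Spinner tool or any bank’s code) that models a TLS client check in Python. It assumes the app pins its CA’s public key, and uses constructed stand-in certificates rather than real DER; it shows that a check which only consults the pin accepts a certificate the same CA issued for an unrelated host, while a check that also verifies the hostname rejects it.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed; not real DER)."""
    subject_alt_names: list      # dNSName entries from the SAN extension
    spki_der: bytes              # the certificate's SubjectPublicKeyInfo
    issuer_spki_der: bytes       # SubjectPublicKeyInfo of the CA that signed it

def spki_pin(spki_der: bytes) -> str:
    """SPKI pin in the usual form: SHA-256 over the SubjectPublicKeyInfo."""
    return hashlib.sha256(spki_der).hexdigest()

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, and a wildcard is only
    honoured as the entire left-most label (so *.bank.example matches
    app.bank.example but neither bank.example nor a.b.bank.example)."""
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    if "*" in pattern:           # partial wildcards such as a*.bank.example: reject
        return False
    return p == h

def pin_only_verify(cert: Cert, pins: set) -> bool:
    """The weak check: accept any certificate whose own key or issuing CA key
    is pinned. This is how a missing hostname check can hide behind pinning."""
    return spki_pin(cert.spki_der) in pins or spki_pin(cert.issuer_spki_der) in pins

def verify(cert: Cert, pins: set, hostname: str) -> bool:
    """Hardened check: pinning is applied in addition to hostname verification,
    never instead of it (chain signature checks are assumed done elsewhere)."""
    if not pin_only_verify(cert, pins):
        return False
    return any(hostname_matches(san, hostname) for san in cert.subject_alt_names)

# Constructed sample data: the app pins its CA's key and talks to app.bank.example.
CA_SPKI = b"constructed-ca-public-key-bytes"
PINS = {spki_pin(CA_SPKI)}
LEGIT = Cert(["app.bank.example", "*.bank.example"], b"constructed-bank-key", CA_SPKI)
# A certificate legitimately issued by the same CA, but for an unrelated host.
SAME_CA_OTHER_HOST = Cert(["shop.other.example"], b"constructed-other-key", CA_SPKI)

def spinner_style_check(hostname: str = "app.bank.example") -> dict:
    """Replays the test idea: does a same-CA certificate for another host pass?"""
    return {
        "weak_accepts_other_host": pin_only_verify(SAME_CA_OTHER_HOST, PINS),
        "hardened_accepts_other_host": verify(SAME_CA_OTHER_HOST, PINS, hostname),
        "hardened_accepts_legit": verify(LEGIT, PINS, hostname),
    }
```

Calling spinner_style_check() returns True for the weak check against the other-host certificate and False for the hardened one, which is exactly the difference a standard test run through a pinned channel would not surface.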
Ilia Kolochenko, CEO of web security company High-Tech Bridge, argued that most mobile apps have been riddled with vulnerabilities for years.
“This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organizations and the relative complexity of practical exploitation of mobile app flaws,” he added.
The next stage is for indiscriminate attackers to hit businesses using repurposed malware, merging cybercrime with the tactics of espionage.
Speaking to Infosecurity at Black Hat Europe, Eward Driehuis, research chief at SecureLink said that convergence is happening now, as cyber-criminals are doing Big Data analysis on their victims to determine what would be of value.
“Back in 2011 and 2012, fraudsters began engaging with spies to run queries over; it was not so black and white anymore.”
Driehuis said that from 2006 to 2013 it was organized cybercrime operated by nation-state attackers, and from 2013 there was a trend of tools being used by nation states without a bespoke tool.
“We’re in the middle of that evolution,” he said, adding that there were three events in the last 10 years from fraud to political hacking.
The first event was the rise of cybercrime in the financial space, where a victim would be reimbursed if they lost money. Driehuis said that to enable this, an attacker would need 1000 money mules, but in the case of the SWIFT attack on the Bangladesh bank, only four mules were needed to steal $81m.
The second event was ransomware, which he said was perfected by Gameover Zeus, as they found a way to get return on investment from a botnet. Driehuis said that before, you needed a victim, but with ransomware you throw the net wide and it is a risk for everyone, so it became everyone’s issue.
The third was WannaCry and NotPetya, as they used the Shadow Brokers vulnerabilities to propagate malware, but they didn’t have a way to return files to the victim, and Driehuis said that the first rule of ransomware is to return the files to the victim or you get a bad reputation and people will not pay.
“What we see now is the banks know that they need to do something.” He said that retailers and healthcare also ‘get caught in the crossfire’ and he saw an evolution of ransomware to include espionage and cybercrime.
“Ransomware is nothing more than a form of extortion as they extort a business by stealing information and threatening to release it, and the hacking part is where the espionage and cybercrime skills are starting to merge,” he explained.
“I’ve seen the changes from something black and white: hackers stole your money, spies sold your secrets, but that’s not how it works anymore. The criminals are evolved, as they invested a lot of time in their tools like botnets and malware, and now they are recompiling it with new features and putting it in the wild.”
Driehuis concluded by saying that the current CISO needs to take action against these actors who use the same old spam emails and watering hole attacks, against attackers who will then be sophisticated enough to move around the network. “If you’re unable to detect them, they will do lateral movement and they have pretty good tools too.”
UK banks have been accused by their regulator of hiding the full extent of cyber-attacks.
Megan Butler, director of supervision at the Financial Conduct Authority (FCA), told attendees at the ICI Global Conference in London on Tuesday that the number of “material attacks” reported to the regulator has risen from just five in 2014 to 49 so far this year, a pro-rata 67% increase.
Ransomware in particular is on the up, comprising nearly 17% of those reports.
However, she urged banks to be more honest with their disclosures, claiming the FCA “does not operate a zero failure regime.
“It is imperative you do consider ‘modes of failure’ and that you are honest about them. And I want to make it very clear — especially post-Uber and Equifax — that we expect you to tell us about cyber-breaches at your firms as soon as you are aware something is wrong,” she warned.
“Our suspicion is that there’s currently a material under reporting of successful cyber-attacks in the financial sector. Certainly the number of breaches relayed back to us looks modest when you set it against the number of attacks on the industry.”
Butler said the FCA was sympathetic to the need for banks to respond appropriately to each incident, adding: “but we expect to know when you are attacked.
“The FCA works closely with the Treasury and Bank of England in our capacity as a first responder to cyber-attacks. It is therefore essential we know about breaches in real time — as much as anything so we can support firms as they respond to an attack,” she continued.
“If you aren’t sure if you need to tell us about an incident, please tell us anyway. We will let you know if we need to refine reporting requirements.”
The FCA expects all financial institutions to have in place “the essentials of good cybersecurity”, Butler argued.
Keiron Dalton, a digital identity expert and senior director at Aspect Software, urged closer co-operation between financial institutions and the authorities.
“When a bank finds a cyber-attack threat, it may learn and prevent that specific instance of fraud being successful in future, but it doesn’t share information about the incident with the wider financial community so that they can also learn to prevent similar instances,” he argued.
“That needs to change. It should also be imperative for banks to work closely with mobile network operators, as mobile is the main platform of choice for many customers. There needs to be greater synergy, and competitiveness should be put aside for the sake of reducing the financial risk that fraud places on banks’ profitability.”
Police have launched an investigation after scores of people reported fraud attempts following a breach of the Royal National Institute for the Blind (RNIB) web store, according to reports.
Card payment details were stolen from visitors to the site, which sells everything from big print stationery to eyeshields, lighting and canes.
As many as 817 shoppers may have been affected by the breach, according to the Daily Telegraph.
Some 55 people have already reported fraudulent activity of “ranging amounts” as a result of the incident, the report continued.
It claimed that the charity, which supports millions of blind and partially sighted Brits, was informed of the incident on 24 November but took three days to remediate it.
Andre Stewart, EMEA VP at Netskope, said organizations will need to move fast when the EU General Data Protection Regulation (GDPR) lands in May 2018.
“To comply with the regulation, businesses will need to demonstrate taking active steps to boost security and protect customers’ data privacy — as well as being prepared to react quickly if systems are compromised. With more and more data now stored off-premises, this due diligence will extend to securing corporate data wherever it may be, including the cloud,” he argued.
“Remaining vigilant to unusual user behavior, taking active measures to secure data and being ready to respond rapidly when targeted will be key to protecting the business’ reputation, customer data and, above all, their privacy.”
A government report back in August highlighted that charities may be susceptible to cyber-attacks as many lack the resources to deal with them and/or are unaware of the size and seriousness of the threat.
It concluded with the following:
“There is a need for basic awareness raising among staff and trustees, and upskilling of those responsible for cybersecurity — so they know the basic technical controls they can put in place. It may also help to disseminate government information and support via the organizations with which charities already have established relationships, such as the Charity Commission. Finally, making use of private sector expertise among trustees may also help individuals within charities to champion the issue.”