Info Security


Ransomware Not Gone but More Targeted, Report Says

Tue, 05/21/2019 - 14:31

Cyber-criminals continue to grow more sophisticated, developing advanced attack methods, including tailored ransomware, according to the Q1 Global Threat Landscape Report, published today by Fortinet. In addition to targeted attacks, criminals are also using custom coding, living-off-the-land (LotL) and sharing infrastructure to maximize their opportunities, the report said.

Despite a decline in previous high rates of ransomware, ransomware itself is far from gone. Instead, cyber-criminals are using more targeted attacks. Ransomware “is being customized for high-value targets and to give the attacker privileged access to the network. LockerGoga is an example of a targeted ransomware conducted in a multi-stage attack. There is little about LockerGoga that sets it apart from other ransomware in terms of functional sophistication, but while most ransomware tools use some level of obfuscation to avoid detection, there was little of it used when analyzed,” the report said.

Researchers also detected an uptick in malicious actors leveraging dual-use tools preinstalled on targeted systems to carry out cyber-attacks.

The report noted the trend of shared infrastructure. Researchers detected a rise in the total malware and botnet communication activity, as well as the number of domains shared between threats at each stage of the kill chain.

“Nearly 60% of threats shared at least one domain indicating the majority of botnets leverage established infrastructure. IcedID is an example of this 'why buy or build when you can borrow' behavior. In addition, when threats share infrastructure they tend to do so within the same stage in the kill chain. It is unusual for a threat to leverage a domain for exploitation and then later leverage it for C2 traffic. This suggests infrastructure plays a particular role or function when used for malicious campaigns,” the report said.

“We, unfortunately, continue to see the cyber-criminal community mirror the strategies and methodologies of nation-state actors, and the evolving devices and networks they are targeting,” said Phil Quade, chief information security officer, Fortinet, in a press release.

“Organizations need to rethink their strategy to better future-proof and manage cyber risks. An important first step involves treating cybersecurity more like a science – doing the fundamentals really well – which requires leveraging the cyberspace fundamentals of speed and connectivity for defense. Embracing a fabric approach to security, micro and macro segmentation and leveraging machine learning and automation as the building blocks of AI can provide tremendous opportunity to force our adversaries back to square one.”

Categories: Cyber Risk News

Encryption is Often Poorly Deployed, if Deployed at All

Tue, 05/21/2019 - 12:09

Encryption continues to be a challenge for companies, as only a quarter of organizations admit to using it for at-rest data, and for emails and data centers.

According to research by Thales and IDC, encryption for email is only adopted by around 27% of the European respondents, while the numbers decline for data at rest, data centers, Big Data environments and full disk encryption. The only instance of European respondents ranking higher than a global number was in the instance of using cloud-native provider encryption.

Speaking at an event in London, Thales senior regional sales director, Kai Zobel, said that despite the introduction of GDPR a year ago “companies struggle to understand where the data is” and he has seen some companies buy a product to “encrypt some islands but then they struggle to continue. So we see thousands of potential servers that need to be encrypted but they [some companies] just do 200 and they think they are done.”

Zobel added that with more and more politics in the workplace, data “doesn’t want to be touched” and there is a feeling that security cannot be relied upon.

“They [organizations] have long lists of what to implement in the next 12 months, but they struggle to implement it and one of the main reasons is because of complexity,” Zobel said. “This is because they don’t have enough people to understand the technology in the best way possible.”

He also commented that a number of companies look for “good enough compliance” and people would rather spend less than ensure 100% security, “so they are just trying to find good solutions but not 'The Best' solution.”

Jason Hart, security evangelist at Thales, said that there is a wider problem of nothing changing in the last 25 years, except that we are creating more and more data. That has become a commodity, and “because of the acceleration of cloud I say to a company ‘what are you trying to protect?’ and after an hour we may get to a conversation about data and two hours later we may get to the type of data that they deem to be valuable.”

However, Hart argued that companies do not understand the risks that they are trying to mitigate, “and information security is really simple, it is about people, data and process.”

Speaking to Infosecurity, Hart said that if you look at every major breach that has occurred, there are too many instances of companies not deploying encryption properly, and also people do not look at the risk.

“You encrypted the data in the database, but what talks to the database? The application, so the data now transverses into the application’s code text and then from the application it goes into the cloud,” he said. “So they do it in silos and elements, but when people do it wrong, there is a false sense of security.” 

Categories: Cyber Risk News

DDoS Attacks on the Rise After Long Period of Decline

Tue, 05/21/2019 - 11:15

The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to Q4 2018, according to new research from Kaspersky Lab.

The global cybersecurity company’s findings, detailed in its DDoS Attacks in Q1 2019 report, come in the wake of dramatically falling numbers of DDoS attacks recorded throughout 2018, suggesting that cyber-criminals are once again turning to DDoS as an attack method after a sustained period of shifting their attention to other sources of income last year, such as cryptomining.

What’s more, Kaspersky Lab discovered a substantial growth in the number of attacks that lasted more than an hour. The company suggested that the launch of newer DDoS-for-hire services could explain the sudden rise in the number of DDoS attacks in 2019.

“The DDoS attack market is changing,” said Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “New DDoS services appear to have replaced ones shut down by law enforcement agencies. As organizations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down.

“We recommend that organizations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky Lab’s advice for DDoS attack defense included:

• Ensuring that web and IT resources can handle high traffic

• Using professional solutions to protect the organization against attacks

Categories: Cyber Risk News

Washington Issues Temporary License to Huawei

Tue, 05/21/2019 - 10:35

The US government has issued a temporary license to Huawei and its affiliates, allowing American companies to supply the telecoms and handset giant until August.

Despite reports emerging over the weekend of various chipmakers halting supplies to the Chinese firm after it was placed on an Entity List last week, the Commerce Department appears to have softened its stance.

Issued on Monday, the temporary general license for Huawei and 68 non-US affiliates will run for 90 days, bringing it up to August 19 2019.

It covers various areas, including: supplies to ensure Huawei’s networks and equipment are fully operational; software updates for existing Huawei handsets; and disclosure of any security vulnerabilities to the firm.

The license also authorizes US firms to engage with Huawei and its affiliates “as necessary for the development of 5G standards as part of a duly recognized international standards body.”

At the same time, Huawei founder Ren Zhengfei has struck a defiant tone in state media reports, claiming the US “underestimates” the firm’s capabilities and that it has already made efforts to mitigate the impact of any supply chain restrictions.

He has also reportedly claimed that no company can catch Huawei in terms of its 5G technology, a fact that Western lawmakers are grappling with in weighing up how to treat the company.

Lock the company out of 5G completely and it could add years to implementation, impacting customers — or at least, that’s Huawei's argument.

Although UK Prime Minister Theresa May agreed only to allow Huawei to supply non-core parts of carriers’ 5G networks, the decision by the leading Five Eyes nation remains controversial.

A new report by right-wing think tank the Henry Jackson Society co-authored by a Conservative MP and a former government security advisor claims there is “significant risk” in allowing Huawei to supply the UK’s 5G networks.

The report includes a foreword from former MI6 boss, Richard Dearlove, calling on the government to reconsider its position.

Categories: Cyber Risk News

Phishing Kit 16Shop Targets Apple Users, Hackers

Tue, 05/21/2019 - 09:45

Researchers have discovered a hidden backdoor in a commercial phishing kit, 16Shop, used to attack Apple customers, according to Akamai.

“When it comes to targeting Apple users and their personal and financial data, 16Shop has emerged as a go to kit for those who can afford it. While 16Shop is sold to criminals looking to collect sensitive information from a targeted subset of the Internet community, at least one pirated version circulating online houses a backdoor that siphons off the data harvested and delivers it to a Telegram channel – proving once more that there is no honor among thieves," wrote Akamai researcher Amiram Cohen.

According to the research, this highly sophisticated and neatly constructed kit has layered defenses, as well as attack mechanisms. “It's a true multi-level kit, running different stages for different brands, depending on the information the victim provides. It has the ability to change its layout and presentation depending on platform, so mobile users will see a website tailored to their device, while desktop users see something better suited to their situation,” wrote Cohen.

Credit: Akamai

The phishing kit was allegedly developed by an Indonesian whom Cohen said “has the skill to be a legitimate security community member, as well as the skills to maintain a healthy career in development. Instead, and most unfortunately, their knowledge is applied to a criminal enterprise.”

Until now, the individual has been known only as either devilscream or Riswanda. In addition to Cohen, multiple online researchers “have located various personal artifacts of Riswanda's, including GitHub repositories, security presentations, past examples of website defacements, pictures of family and friends, email address, and social media accounts.”

However, some users of the phishing kit have, without their knowledge, been sharing their criminally obtained information through a backdoor that copies the victim's data and sends it to a bot waiting in a room on Telegram, according to Cohen.

“Akamai first discovered this backdoor while examining code inside of main.php, which was obfuscated in a way that made it stand out. The highly obfuscated code collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim's data is siphoned off and sent to the Telegram bot via API calls,” Cohen said.

The author has reportedly released video demonstrations showing active usage of Telegram as a means of data storage. “However, like other popular phishing kits, 16Shop has been pirated. Based on comparisons against multiple versions of 16Shop, the backdoor only appears in the de-obfuscated version of the kit,” Cohen said.

Categories: Cyber Risk News

Aussie Government IT Worker Arrested for Cryptomining

Tue, 05/21/2019 - 09:45

An Australian government IT contractor has been arrested on suspicion of making thousands from an illegal cryptocurrency mining operation at work.

The 33-year-old New South Wales man appeared in court today after allegedly earning AU$9000 ($6188) by “modifying his agency’s computer systems,” according to the Australian Federal Police (AFP).

At Sydney Local Court, he was charged with unauthorized modification of data to cause impairment, and unauthorized modification of restricted data, contrary to the Criminal Code Act 1995.

The charges carry a maximum penalty of 10 years and two years behind bars, respectively.

“Australian taxpayers put their trust in public officials to perform vital roles for our community with the utmost integrity,” argued acting commander, Chris Goldsmid, AFP manager cybercrime operations. “Any alleged criminal conduct which betrays this trust for personal gain will be investigated and prosecuted.”

It’s unclear how the man was eventually caught, but his home was raided by the AFP in March and a personal laptop, a phone, employee ID cards and data files were seized.

Cryptocurrency mining continues to be a threat to businesses, while consumer detections have fallen to almost zero, according to a Malwarebytes report released in April. It said the latter trend had been influenced by Coinhive’s decision to shut down earlier this year.

Although most cryptomining in businesses occurs covertly, directed by external botnet herders in charge of compromised machines, there is always the risk of an insider threat.

A Chinese headmaster was fired last year after secretly mining cryptocurrency using his school’s electricity supply. Hunan man Lei Hua hooked up eight mining machines to the mains, running up an electricity bill of 14,700 yuan ($2125) mining Ethereum 24 hours a day.

Categories: Cyber Risk News

Fifth of Docker Containers Have No Root Passwords

Tue, 05/21/2019 - 09:20

A fifth of the world’s most popular Docker containers contain a security issue which could make them vulnerable to attack in some circumstances, a researcher has discovered.

Kenna Security principal security engineer, Jerry Gamblin, explained that after recent Cisco Talos research revealed Alpine Linux docker images were shipping with no (nulled) root passwords, he decided to dig a little deeper.

Running a script on the 1000 most popular containers in the Docker store, he found 194 (19.4%) also had nulled root passwords.

“The findings are interesting, but I don’t want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable,” he explained.

“These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with the Alpine Linux vulnerability.”

Specifically, only containers which use Linux pluggable authentication modules (PAM) or “some other mechanism which uses the system shadow file as an authentication database” are vulnerable to exploitation, as Cisco detailed.

The most popular container on the list affected by the issue was kylemanna/openvpn: a software unit that has been used over 10 million times, according to Gamblin.

Other names on the list included govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere.

In the Alpine Linux case, exposed containers are at risk from the Docker image vulnerability CVE-2019-5021, whereby an attacker can elevate their privileges to root within the container.

“Deploying containers that allow users to authenticate as root should be avoided at all costs, because authenticating as root is already outside the scope of ‘best practices’ for secure containers or generally in system,” argued Gamblin.
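The check Gamblin describes comes down to reading the second field of each entry in the image's shadow file: an empty field is a nulled password, which is what lets PAM-based services accept a login as root, whereas a field starting with "!" or "*" is a locked account and is not affected. The script below is an added example written for this page, not Gamblin's or Cisco Talos's tooling; the shadow content it scans is constructed sample data, and the field-classification rule is the standard Linux shadow(5) convention.

```python
"""Classify /etc/shadow entries and report accounts with a nulled password.

Added example for this page (not the researcher's script). The password field
of a shadow entry is interpreted as follows:
  ""            -> nulled: no password at all, which is the condition reported
                   for the affected Docker images
  "!", "*", "!!" -> locked: no password can match, account cannot log in
  anything else -> hashed: a normal password hash
"""
import sys
from typing import Dict, List

# Constructed sample resembling the shadow file of a minimal image.
# The root entry is deliberately nulled to show what the scan flags.
SAMPLE_SHADOW = """\
root::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:!:18000:0:99999:7:::
app:$6$saltsalt$hashhashhashhash:18000:0:99999:7:::
"""


def classify_password_field(field: str) -> str:
    """Map the second shadow field to 'nulled', 'locked' or 'hashed'."""
    if field == "":
        return "nulled"
    if field.startswith(("!", "*")):
        return "locked"
    return "hashed"


def scan_shadow(text: str) -> Dict[str, str]:
    """Return {account: state} for every entry in shadow-formatted text."""
    states: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow entry on line {lineno}: {line!r}")
        states[fields[0]] = classify_password_field(fields[1])
    return states


def nulled_accounts(text: str) -> List[str]:
    """Accounts that can be authenticated to with an empty password."""
    return sorted(name for name, state in scan_shadow(text).items() if state == "nulled")


if __name__ == "__main__":
    # Usage: python3 check_shadow.py [FILE | -]; with no argument the sample runs.
    if len(sys.argv) > 1:
        src = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
        data = src.read()
    else:
        data = SAMPLE_SHADOW
    flagged = nulled_accounts(data)
    for name, state in sorted(scan_shadow(data).items()):
        print(f"{name:12} {state}")
    if flagged:
        print(f"WARNING: nulled password for: {', '.join(flagged)}")
        sys.exit(1)
    print("no nulled passwords found")
```

To run this against an image rather than the sample, pipe the image's shadow file into the script, for instance `docker run --rm IMAGE cat /etc/shadow | python3 check_shadow.py -`. A nulled root entry is only exploitable when something inside the container (PAM, or another consumer of the shadow file) actually performs password authentication, so a hit from this scan should be read as a finding to triage, not an automatic vulnerability.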

Categories: Cyber Risk News

KnowBe4 Announces Acquisition of CLTRe

Tue, 05/21/2019 - 08:20

KnowBe4 has announced the acquisition of CLTRe, adding the capability to measure security culture into its portfolio.

Led by Kai Roer, CLTRe is a Norwegian company focused on helping organizations assess, build, maintain and measure a strong security posture. It will continue to operate as an independent subsidiary of KnowBe4.

The acquisition will mean that CLTRe’s toolkit and Security Culture Framework will be available to all KnowBe4 customers later this year.

Stu Sjouwerman, CEO of KnowBe4, said: “Today’s announcement brings KnowBe4 very valuable tools to help our customers measure what matters – their security culture – so they can make decisions about how to improve. We’re excited to welcome Kai and the CLTRe team to the KnowBe4 family and to enhance our European presence while supporting more global customers.”

Roer said that KnowBe4 “is a natural fit for our evidence-based analytics and measurement tools, as KnowBe4 customers will now be able to measure their security cultures, benchmark against their industry sectors, and pinpoint exactly what kind of security culture they have.”

He said: “With KnowBe4 and CLTRe, organizations can gain true insight into their security culture, improve their security with pinpoint accuracy, report their progress to their board of directors and educate their users to make smarter security decisions.”

CLTRe measures the seven dimensions of security culture: behavior, responsibilities, cognition, norms, compliance, communication and attitudes.  


Categories: Cyber Risk News

Ecuador Shares Assange's Legal Docs with US

Mon, 05/20/2019 - 16:36

Complying with a request by US authorities, Ecuadorian officials are preparing to hand over documents that reportedly make up the entire legal defense of Julian Assange, compiled during the time he was living in the Ecuadorian embassy in London, according to WikiLeaks.

"On Monday Ecuador will perform a puppet show at the embassy of Ecuador in London for their masters in Washington, just in time to expand their extradition case before the UK deadline on 14 June," WikiLeaks editor-in-chief Kristinn Hrafnsson said. "The Trump administration is inducing its allies to behave like it's the Wild West."

Assange’s lawyers are reportedly not permitted to be present during what is being called the “illegal seizure of his property.”

“The material includes two of his manuscripts, as well as his legal papers, medical records and electronic equipment. The seizure of his belongings violates laws that protect medical and legal confidentiality and press protections,” WikiLeaks said.

Ecuadorian officials also refused a request by the UN special rapporteur on privacy, who had asked for permission to monitor Ecuador's seizure of Assange's property.

The US had previously asked Ecuador to share audiovisual material and additional documents, which had reportedly been collected during an internal spying operation against Assange, WikiLeaks said.

"It is extremely worrying that Ecuador has proceeded with the search and seizure of property, documents, information and other material belonging to the defense of Julian Assange, which Ecuador arbitrarily confiscated, so that these can be handed over to the agent of political persecution against him, the United States. It is an unprecedented attack on the rights of the defence, freedom of expression and access to information exposing massive human rights abuses and corruption. We call on international protection institutions to intervene to put a stop to this persecution," said Baltasar Garzón, international legal coordinator for the defense of Assange and WikiLeaks.

Though Ecuador is obviously not a part of the EU, "if arguing that because Assange is an EU resident and therefore subject to the protections of GDPR, Article 23 makes a pretty strong case that those protections become restricted if revealing that data was a matter of national defense or if some other form of legal matter, either criminal or civil, is involved,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

“While I’m not a lawyer, it seems likely that all nations involved would have a good chance of demonstrating some sort of legal action involved here and thus, make this action a non-event under the provisions of GDPR. Morally, there’s a whole other argument here that could (and should, in my opinion) be had. However, I’m not sure there’s much that can or will be done under GDPR in this case.”

Categories: Cyber Risk News

New South Wales Announces New Cybersecurity Position

Mon, 05/20/2019 - 14:42

In an attempt to centralize all of the state's cyber efforts and strategies, New South Wales (NSW) has announced a new Cybersecurity NSW office to be led by Tony Chapman, chief cybersecurity officer, according to a May 20 press release.

Chapman assumed the position today, which falls under the department of customer service, and wrote via LinkedIn, “The changes reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government.

I am performing the functions previously undertaken by the NSW Government Chief Information Security Officer (GCISO), established in March 2017, with a renewed focus on securing digital transformation and the continual improvement of customer service outcomes.”

To enable digital transformation, a part of the overall vision of the new customer service cluster, the office will focus on improving cybersecurity capabilities and standards to include a coordinated cyber-incident response plan and develop strategic cyber-policy positions through a revitalized cybersecurity senior officers’ group (CSSOG), according to Chapman.

To see the vision of the new customer service cluster to its fruition, Chapman said he will work to strengthen ties across NSW's government, other states' governments and the federal government to establish cybersecurity best practices that will yield better results for citizens.

“A key component of the role will be driving a culture of risk management and awareness to support greater resilience to cyber security threats. Tony and his team will build on the digital transformation work occurring across the NSW government, ensuring our digital spaces are safeguarded against cyber threats,” said the state government's chief information and digital officer, Greg Wells, in the press release.

“Cybersecurity NSW will continue its critical work enhancing whole-of-government cyber security capabilities and standards on behalf of NSW. It will also work more closely with the information and privacy commission on security, privacy and the availability of systems and services during the State’s digital transformation.”

Categories: Cyber Risk News

Online Account Hijacker Forum OGUsers Hacked

Mon, 05/20/2019 - 14:17

An online forum used by those involved in online account hijacking has itself been breached, according to KrebsOnSecurity.

An attack on OGUsers.com leaked the personal information of nearly 113,000 people. Krebs reportedly received a copy of the database, which included usernames, email addresses, hashed passwords, private messages and IP addresses.

The RaidForums administrator, Omnipotent, announced to forum members that he had made the OGUsers forum database available for download, writing:

Hello RaidForums Community,

Today I have uploaded the OGUsers Forum Database for you to download for free, thanks for reading and enjoy!

On the 12th of May 2019 the forum ogusers.com was breached; 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I'm the first to tell you the truth view his statement here or if you don't want to visit their website view it here. According to his statement he didn't have any recent backups so I guess I will provide one on this thread lmfao.

Compromised data: Website activity, Usernames, Emails, IP Addresses, Passwords (Salted MD5), Source code, Website data, User private messages.

While users on the OGUsers.com forum expressed concern about their identities being revealed as a result of the hack, Krebs said, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”
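The leaker's surprise at "the default salted MD5" is the practitioner's point of this story: a salt stops precomputed (rainbow-table) attacks, but MD5 is so fast that a per-user dictionary attack on a leaked hash still succeeds in milliseconds. The following is an added illustration, not code from the forum or from the article; the exact scheme used by OGUsers is not stated here, so md5(salt || password) is an assumption, the wordlist is constructed, and PBKDF2 stands in for any deliberately slow password hash.

```python
"""Salted MD5 versus a slow KDF, as a single-target dictionary attack.

Added example for illustration. The hashing scheme md5(salt || password)
is an assumption; the forum's real scheme is not given in the article.
"""
import hashlib
import os
import time
from typing import Callable, Iterable, List, Optional

HashFn = Callable[[bytes, bytes], str]


def salted_md5(password: bytes, salt: bytes) -> str:
    """Assumed generic 'salted MD5': md5(salt || password), hex-encoded."""
    return hashlib.md5(salt + password).hexdigest()


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int = 100_000) -> str:
    """A deliberately slow alternative from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def candidates(wordlist: Iterable[bytes]) -> Iterable[bytes]:
    """Minimal mangling rules: the word, its capitalised form, and a 0-99 suffix."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for n in range(100):
            yield word + str(n).encode()


def crack(target_hex: str, salt: bytes, wordlist: List[bytes],
          hash_fn: HashFn = salted_md5) -> Optional[bytes]:
    """Try every candidate against one leaked (hash, salt) pair.

    The salt is stored next to the hash in the leak, so it does not slow
    this attack down at all; only the cost of hash_fn does.
    """
    for cand in candidates(wordlist):
        if hash_fn(cand, salt) == target_hex:
            return cand
    return None


def guesses_per_second(hash_fn: HashFn, salt: bytes, words: List[bytes]) -> float:
    """Rough throughput of hash_fn, to compare attacker cost per guess."""
    start = time.perf_counter()
    for w in words:
        hash_fn(w, salt)
    elapsed = time.perf_counter() - start
    return len(words) / elapsed if elapsed > 0 else float("inf")


# Constructed sample wordlist; a real attack would use a multi-million entry list.
WORDLIST: List[bytes] = [b"password", b"letmein", b"qwerty", b"dragon", b"ogusers"]


if __name__ == "__main__":
    salt = os.urandom(8)
    leaked = salted_md5(b"dragon42", salt)
    print("recovered password:", crack(leaked, salt, WORDLIST))
    print("salted MD5 guesses/s:", round(guesses_per_second(salted_md5, salt, WORDLIST)))
    print("PBKDF2 guesses/s:    ", round(guesses_per_second(pbkdf2_sha256, salt, WORDLIST)))
```

The design point is that the salt only changes *which* table the attacker must build; once the hash and salt are both in the leaked dump, cost per guess is what matters, and for MD5 it is effectively zero. A memory-hard or iterated hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) is the fix, not a longer salt.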

Categories: Cyber Risk News

LeakedSource Company Pleads Guilty

Mon, 05/20/2019 - 10:22

The operators of an infamous breached credentials site have pleaded guilty to trading in stolen information, according to Canadian police.

Defiant Tech, which owns the LeakedSource website, entered the plea on Friday at a court in Ottawa, a brief notice from the Royal Canadian Mounted Police (RCMP) stated.

The charges of “trafficking in identity information and possession of property obtained by crime” came after an investigation was launched by the police in 2016, when the RCMP found that servers hosting LeakedSource were located in Quebec.

Project “Adoration,” as it was known, saw the RCMP’s newly formed National Division Cybercrime Investigative Team receive assistance from the Dutch National Police and the FBI.

In December 2017, Jordan Evan Bloom, 27, from Thornhill, Ontario, was arrested on suspicion of making an estimated C$247,000 ($200,000) from the business.

The now-defunct site had a database of around three billion passwords and identity records, which users could access via simple search functionality for a fee. This information is said to have been purchased from hackers and lifted from the public domain. Data was taken from big-name companies like LinkedIn and MySpace.

"We are pleased with this latest development,” said superintendent Mike Maclean, officer in charge of criminal operations for RCMP National Division.

“This is all thanks to the relentless efforts put in by our men and women working in the National Division Cybercrime Investigative Team. I am immensely proud of this outcome as combating cybercrime is an operational priority for us."

A second man is suspected to have conspired with Bloom, but charges have so far not been brought.

Categories: Cyber Risk News

Ex-CIA Man Gets 20 Years for Handing China Secrets

Mon, 05/20/2019 - 09:54

A former CIA intelligence officer has been sentenced to two decades behind bars after being found guilty last year of passing defense secrets to China.

Kevin Patrick Mallory, 62, of Leesburg, was found guilty by a federal jury in June 2018 of conspiracy to deliver, attempted delivery, delivery of national defense information to aid a foreign government, and making material false statements.

He is said to have been paid $25,000 for handing classified documents to 'Michael Yang,' a Chinese intelligence officer he met in Shanghai in March and April 2017.

These documents included information on CIA informants, according to the Department of Justice.

A fluent Mandarin speaker, Mallory is said to have scanned the Top Secret documents onto an SD card at his local FedEx store. Although he shredded the originals, the FBI found the carefully hidden storage device during a search of his home.

The disgraced former spy worked for various government agencies and defense contractors, including roles as a covert case officer for the CIA and an intelligence officer for the Defense Intelligence Agency (DIA). His Top Secret clearance is said to have been terminated in 2012 when he left government service.

“Former US intelligence officer Kevin Patrick Mallory will spend the next 20 years of his life in prison for conspiring to pass national defense information to a Chinese intelligence officer,” said assistant attorney general for national security, John Demers.

“This case is one in an alarming trend of former US intelligence officers being targeted by China and betraying their country and colleagues. This sentence, together with the recent guilty pleas of Ron Hansen in Utah and Jerry Lee in Virginia, deliver the stern message that our former intelligence officers have no business partnering with the Chinese, or any other adversarial foreign intelligence service.”

Lee is thought to have provided the information needed to take down a major CIA network in China between 2010 and 2012. The US is believed to be at a distinct intelligence disadvantage now with regards to China.

Categories: Cyber Risk News

Chipmakers Cut Huawei Shipments

Mon, 05/20/2019 - 09:10

European and US chipmakers have stopped supplying Huawei with products while Google will cease providing technical Android support from the next OS iteration, as Donald Trump’s executive order starts to bite.

Google said in a tweet yesterday: “while we are complying with all US gov't requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device.”

However, it’s believed the same will not be true of new Huawei handsets. Google is also set to cut key support for the operating system from its next version, which could leave users without apps like YouTube and Google Maps, according to reports.

Huawei could still use the open source version of Android, although it has been developing an in-house OS which it could also switch across to in the event that Trump’s executive order is not reversed.

The firm is also being hit as global chipmakers cut supplies in compliance with the order. Qualcomm (smartphones), Intel (servers and laptops), Xilinx and Broadcom (networking kit) and many other US producers, as well as German chipmaker Infineon, have reportedly taken immediate action.

Huawei produces some processors and modems for its smartphones in-house, so Qualcomm’s decision is perhaps the least likely to affect it. The firm is said to have stockpiled other types of chips for several months while it waits to see whether the US action is a bargaining play or is set for the long-term.

However, Forrester principal analyst, Charlie Dai, said the US policy would ultimately hit global consumers hard.

“This move will have a critical impact toward Huawei’s business around smartphones,” he added. “Huawei has its own mobile OS as a backup, but it’s not fully ready yet and it’s very difficult to build up the ecosystem as what Huawei has been doing on Android. It’s a pity that customer value facilitated by the open-source spirit is now ruined by politics.”

Trump signed an executive order last week banning “foreign adversaries” from providing telecoms equipment in the US. However, Huawei and 70 subsidiaries were also placed on an “Entity List” meaning US firms are not able to supply it with their products unless Huawei is granted a special license from the Commerce Department.

Although the tech firms have already taken action, the department is still drawing up the enforcement plan, and has 150 days to do so.

Categories: Cyber Risk News

Download Hijack Flaw Patched in Slack for Windows

Fri, 05/17/2019 - 13:08

Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s downloaded files were stored.

Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. “This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium),” today’s press release said.

If a user clicks on the link, an attacker could not only steal documents subsequently downloaded through Slack but also manipulate them, for example by injecting malicious code that would compromise the victim’s machine once the file was opened, according to Wells.

The attack reportedly can be performed through any Slack direct message or Slack channel to which the attacker is authenticated.

“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview," which Wells discusses in depth in his blog post.

The flaw was found in the Slack desktop application for Windows version 3.3.7, which Tenable reported to Slack via HackerOne. “Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0. Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version,” a Slack spokesperson said.

“The digital economy and global distributed workforce have brought new technologies to market with the ultimate goal of seamless connectivity,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “But it’s critical that organizations realize this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organizations are secure.”

Categories: Cyber Risk News

More Orgs Use Booby Traps for Counterintelligence

Fri, 05/17/2019 - 12:20

A recent survey found that the vast majority of organizations would let an attacker take decoy files rather than stop an attack in progress, in order to gather counterintelligence, according to the latest International Cyber Benchmark Index from the Neustar International Security Council (NISC).

A reported one in five companies are currently employing forensic investigations, as well as setting up honeypots and repositories of fake data to lure attackers in, but a notable 71% of respondents said that instead of shutting down an attack when a bad actor accesses a deceptive file, they would be willing to let the malicious actor take a booby-trapped document, according to a May 16 press release.

Being able to collect intelligence could allow defenders to identify thieves in the future, potentially revealing information about the location, ownership and possible vulnerabilities of the hackers’ machines, the press release said.
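The "booby-trapped document" described above is usually a file that carries a unique beacon (for example a remote image or template reference) that phones home when opened, so the defender's work is on the receiving end: tie each callback to the decoy it came from and record what the attacker's machine revealed. The following is an added example of that detection step, not Neustar's or the report's code; the token registry and the access-log lines are constructed, and the URL layout (`/t/<token>.png`) is an assumption.

```python
"""Turn beacon hits from decoy documents into alerts with attacker attributes.

Added example. The registry, the log lines and the /t/<token>.png URL scheme
are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical registry mapping each beacon token to the decoy file it was planted in.
DECOYS: Dict[str, str] = {
    "b7e1f3": "finance/Q3_payroll.xlsx",
    "9a0c44": "legal/merger_draft.docx",
}

# Constructed web-server access-log lines (combined log format).
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2019:02:14:09 +0000] "GET /t/b7e1f3.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) WINWORD"
198.51.100.22 - - [16/May/2019:02:15:31 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.64.0"
203.0.113.7 - - [16/May/2019:02:16:02 +0000] "GET /t/9a0c44.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) LibreOffice"
192.0.2.9 - - [16/May/2019:02:20:00 +0000] "GET /t/ffffff.png HTTP/1.1" 404 0 "-" "python-requests/2.21"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{6})\.png$")


@dataclass(frozen=True)
class Alert:
    token: str
    decoy: str          # which planted file was opened
    source_ip: str      # where the attacker's machine is (or at least its egress)
    user_agent: str     # hints at OS and the application that rendered the decoy
    timestamp: str


def detect_beacons(log_text: str, registry: Dict[str, str] = DECOYS) -> List[Alert]:
    """Return one Alert per request for a registered beacon token.

    Lines that do not parse, are not beacon paths, or carry a token that was
    never issued are ignored; a scanner guessing token URLs must not raise a
    'decoy opened' alert.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.match(m["path"])
        if not t or t["token"] not in registry:
            continue
        alerts.append(Alert(t["token"], registry[t["token"]], m["ip"], m["ua"], m["ts"]))
    return alerts


def summarise(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group opened decoys by source IP: one host opening several is a strong signal."""
    by_ip: Dict[str, List[str]] = {}
    for a in alerts:
        by_ip.setdefault(a.source_ip, []).append(a.decoy)
    return by_ip


if __name__ == "__main__":
    for a in detect_beacons(SAMPLE_LOG):
        print(f"{a.timestamp}: {a.decoy} opened from {a.source_ip} ({a.user_agent})")
    print(summarise(detect_beacons(SAMPLE_LOG)))
```

Two caveats a practitioner would add: the beacon only fires if the viewer actually fetches remote content, so an attacker who opens the file offline or in a hardened viewer leaves no trace, and the source IP is the egress of whatever the attacker is using at that moment, which may be a proxy rather than the machine the report hopes to identify.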

Of the respondents surveyed, 51% said their enterprise had suffered a distributed denial-of-service (DDoS) attack, and 52% of participants identified phishing, together with targeted hacking, as a growing threat, with DDoS attacks close behind at 49%.

“Security leaders increasingly feel that breaches are inevitable, and there is a growing appetite for advanced forensic tools that can deliver insights around attacker attribution and tactics in real time,” said Rodney Joffe, chairman of NISC and Neustar SVP and fellow.

“Whether they opt to use them like an alarm system, ejecting bad actors from the network upon contact with a honey pot or deceptive file, or for a more sophisticated counterintelligence operation that gathers vital information on attacker movements and methods, cybersecurity professionals want solutions that can provide better real-time awareness and understanding of the enemy.”

According to the survey, the threat of social engineering continues to rise across all vectors, with 48% of respondents admitting they witnessed an uptick in attempts via email, 38% noting a rise in text-based attempts and 36% reporting a rise in attempts via phone.

Responses showed that security pros are more aware not only of where attacks are originating but also of the types of attacks that pose the greatest threats.

Categories: Cyber Risk News
