More than two-thirds (67%) of UK firms believe security concerns are holding back their efforts to grow through digital innovation, with many blaming a lack of engagement at a board level, according to Ernst & Young (EY).
The global consultancy polled 175 C-suite executives at UK-based organizations, split fairly evenly between business (CEO, CFO, COO etc.) and IT (CIO, CISO) roles, in order to compile its report, Cybersecurity for competitive advantages.
While 42% claimed to be behind their competitors in adoption of new technology, cloud computing and IoT topped the list of tech perceived to pose the greatest risk to the business.
Overcoming these concerns may require closer boardroom alignment and ownership of the problem.
Some 57% of business leaders and half (50%) of technology leaders cited a lack of business sponsorship as the biggest barrier to improving their organization’s cybersecurity.
However, strategic views diverged significantly after that. Most tech leaders (58%) said that giving an individual board member overall responsibility for cybersecurity would have the greatest impact, while the majority (64%) of business leaders said the biggest gains would come from making cybersecurity more of a strategic priority.
Yet unfortunately, over half (57%) of those surveyed don’t currently have a board member with direct expertise in cybersecurity and even more (67%) don’t think one is needed.
EY’s EMEIA advisory cybersecurity leader, Mike Maddison, argued that while direct security experience may not be essential, there needs to be better understanding at a board level of cyber-related risk.
“In recent years, the rate and pace of technological advances, regulatory change, cyber-attacks and data breaches have moved cybersecurity rapidly up the corporate agenda,” he added.
“Protection and prevention are still paramount yet, to stay ahead of these evolving trends, organizations need to start thinking differently about cybersecurity. Business leaders need to make the leap from seeing cybersecurity as only a protective measure, to it also being a strategic value driver.”
Two sectors leading by example are tech, media and telecoms (TMT) and retail. TMT respondents had the highest levels of board awareness, the largest planned investments in cybersecurity and the fewest concerns around security as a barrier to tech adoption, while all retail respondents believe a “cyber-secure” brand is important for competitive advantage.
Human error was behind over half (52%) of all cybersecurity incidents detected by Kaspersky in industrial environments last year.
The Russian AV vendor’s State of Industrial Cybersecurity 2019 report is compiled from interviews with 282 firms running operational and industrial control system technology (OT/ICS).
While the vast majority of firms (81%) are planning to digitalize their operational networks to drive Industry 4.0 initiatives, far fewer (57%) have allocated a cybersecurity budget, it found.
However, budget aside, there’s a worrying shortage of cybersecurity skills in these companies: respondents’ top two concerns centered around not having enough cybersecurity experts to manage industrial networks, and a general lack of security awareness among OT/ICS operators.
In nearly half of all cases (45%) an IT security employee also looks after OT/ICS security, but although the two spheres are converging, professionals on either side can have different goals and take alternative approaches to reaching them.
For example, OT operators have traditionally focused on availability and physical safety, because their equipment was largely isolated from the internet. As that isolation disappears, new approaches are needed.
“This year's study shows that companies are seeking to improve protection for industrial networks. However, this can only be achieved if they address the risks related to the lack of qualified staff and employee errors,” said Georgy Shebuldaev, manager at Kaspersky Industrial Cybersecurity.
“Taking a comprehensive, multi-layered approach — which combines technical protection with regular training of IT security specialists and industrial network operators — will ensure networks remain protected from threats and skills stay up-to-date.”
To illustrate the urgency of getting security right in industrial environments, a report from April revealed that 90% of critical infrastructure (CNI) providers have had their IT/OT environments damaged by a cyber-attack over the past two years.
A website that shares adult content has caused blushes of a different kind by leaking the private data of 1.195 million global users.
An authentication failure on the website Luscious.net allowed unrestricted access to a database containing user names, locations, genders, personal email addresses and even some full names. Also available were activity logs detailing what users had liked, uploaded, commented on and shared.
Users of the website, which specializes in computer-generated pornographic animations and graphics, were left vulnerable to bullying, harassment, phishing and the threat of blackmail. It is estimated that around 20% of the user accounts were set up with fake email addresses, meaning roughly 800,000 genuine email accounts were placed at risk.
The data leak was uncovered on August 15 by a vpnMentor research team led by cybersecurity professionals Noam Rotem and Ran Locar. The team was able to access detailed information regarding user activity on the site, including image uploads and blog posts.
A spokesperson for vpnMentor said: "Some of these blog posts were extremely personal – including depressive or otherwise vulnerable content – and kept anonymous. Due to this data breach, however, the blog posts are no longer anonymous, with many of the authors' identities revealed."
After being informed of the breach, it took the operators of Luscious.net just four days to fix the security hole. It's unknown how long the private user data may have laid exposed before the leak was caught.
A number of users in Brazil, Australia, Italy and Malaysia had signed up to Luscious using official government email addresses. Though this may come as a surprise to some people, Ed Macnair, CEO of Censornet, isn't one of them.
Macnair said: "It sounds unlikely that people would use their professional email addresses for personal services, but in a survey we ran last year, 10% of respondents admitted to visiting adult websites from a work device or using the work internet connection."
Commenting on the Luscious data leak, he said: "This is hugely concerning as it risks exposing an entire organisation to an attack. It is therefore vital that organizations – government or otherwise – put strict measures on internet activity at work and discourage the use of work email addresses for personal services."
Luscious users are advised to change their username and other account details to remain safe.
For merchants and banks, payment fraud can lead to heavy financial losses and a serious besmirching of reputation.
Business and financial institutions received a helping hand today when Visa announced a suite of new industry-first payment security services and capabilities to prevent and disrupt payment fraud. The new capabilities are available to Visa clients at no additional cost or signup.
Before launching the new services, Visa commissioned Forrester Consulting to study global bank account-related fraud. The report found that the most prevalent types of fraud were ATM “cashout attacks”, in which fraudsters remove the fraud controls put in place by financial institutions and processors and then withdraw money from cash machines, and "enumeration attacks", in which automated testing of values and credentials is used to gain unauthorized access to information and functionality.
Rarer but more damaging were instances of card-not-present fraud, including e-commerce and phone and mail orders, which represented nearly 40% of fraud losses and operational costs.
The approach of Visa's new service is holistic, combining preventative steps to address vulnerabilities before they are exploited with swift action when a breach does occur.
Under the new four-pronged system that went live today, Visa Vital Signs will monitor ATM and merchant transactions, alerting financial institutions when any potentially fraudulent activity occurs in a bid to prevent cashout attacks. Malicious activity can be suspended by Visa automatically or in coordination with clients.
A second layer of defense will be provided by Visa Account Attack Intelligence, which applies deep machine learning to Visa's vast ocean of processed card-not-present transactions to identify financial institutions and merchants that hackers might target with automated testing to guess account numbers, expiration dates and security codes.
Visa Payment Threats Lab provides a third layer of protection by creating an environment in which a client's processing, business logic and configuration settings can be tested to identify errors that could lead to vulnerabilities.
Bringing up the rear is proprietary solution Visa eCommerce Threat Disruption, which uses sophisticated technology and investigative techniques to proactively scan the front end of e-commerce websites for payment-data-skimming malware.
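The enumeration attacks described above have a recognisable footprint on the issuer or processor side: one merchant suddenly generating a burst of declined card-not-present authorizations across many distinct card numbers. The following is an added example, not Visa's or Forrester's code, of a detector that runs over such authorization records. The log format, merchant identifiers, masked card numbers and thresholds are all constructed for the example.

```python
"""Added example (not Visa's or Forrester's code): a simple enumeration-attack
detector for card-not-present authorization traffic.

An enumeration attack tests many account numbers, expiry dates or CVVs through
a merchant until one combination is authorized.  From the issuer or processor
side that shows up as one merchant producing a burst of declines across many
distinct card numbers in a short window.  The log format, merchant ids,
masked card numbers and thresholds below are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log: timestamp, merchant id, masked PAN, result.
# M100 is a normal shop; M200 is being used to guess CVV/expiry values.
SAMPLE_LOG = """\
2019-08-20T10:00:01Z M100 411111******1111 OK
2019-08-20T10:00:05Z M100 555555******4444 OK
2019-08-20T10:00:09Z M100 411111******2222 INSUFFICIENT_FUNDS
2019-08-20T10:00:15Z M100 411111******3333 OK
2019-08-20T10:00:20Z M100 555555******5555 OK
2019-08-20T10:00:31Z M100 411111******1111 OK
2019-08-20T10:01:00Z M200 411111******0001 INVALID_CVV
2019-08-20T10:01:01Z M200 411111******0002 INVALID_CVV
2019-08-20T10:01:01Z M200 411111******0003 INVALID_EXPIRY
2019-08-20T10:01:02Z M200 411111******0004 INVALID_CVV
2019-08-20T10:01:02Z M200 411111******0005 INVALID_CVV
2019-08-20T10:01:03Z M200 411111******0006 INVALID_EXPIRY
2019-08-20T10:01:03Z M200 411111******0007 INVALID_CVV
2019-08-20T10:01:04Z M200 411111******0008 INVALID_CVV
2019-08-20T10:01:04Z M200 411111******0009 INVALID_CVV
2019-08-20T10:01:05Z M200 411111******0010 INVALID_EXPIRY
2019-08-20T10:01:05Z M200 411111******0011 INVALID_CVV
2019-08-20T10:01:06Z M200 411111******0012 INVALID_CVV
2019-08-20T10:01:07Z M200 411111******0012 OK
"""


def parse_log(text):
    """Turn the constructed log lines into (time, merchant, pan, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, pan, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), merchant, pan, result))
    return events


def detect_enumeration(events, window=timedelta(seconds=60),
                       min_attempts=10, min_decline_ratio=0.8):
    """Return {merchant: stats} for merchants whose traffic in some sliding
    window looks like enumeration: enough attempts and a high decline ratio."""
    by_merchant = defaultdict(list)
    for event in sorted(events):
        by_merchant[event[1]].append(event)

    alerts = {}
    for merchant, evs in by_merchant.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            attempts = len(in_window)
            declines = sum(1 for e in in_window if e[3] != "OK")
            if attempts >= min_attempts and declines / attempts >= min_decline_ratio:
                # Later qualifying windows overwrite earlier ones, so the
                # stats reported are those of the most recent burst.
                alerts[merchant] = {
                    "attempts": attempts,
                    "declines": declines,
                    "distinct_pans": len({e[2] for e in in_window}),
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for merchant, stats in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {merchant}: {stats}")
```

Run as a script it flags only M200: 13 attempts, 12 declines and 12 distinct card numbers inside seven seconds, while the ordinary shop M100 stays quiet. In production the thresholds would be tuned per merchant category, and the alert would feed the kind of automatic or coordinated suspension the article attributes to Visa Vital Signs.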
Visiting a newly registered domain (NRD) is the digital equivalent of picking up a hitchhiker: it might all go smoothly but you could also end up being robbed.
While NRDs can be created for perfectly legitimate reasons, such as hosting a new conference, they are also commonly misused by tricksters spreading malware or attempting to make a quick buck from phishing or other common scams.
A 2018 study by Farsight Security found that on average, 9.3% of NRDs died in their first seven days, with a median lifetime of just four hours and 16 minutes. The study concluded that the vast majority of these short-lived NRDs were used for cybercrime.
General awareness that shiny new domains might pose a threat has led cautious companies to block and/or closely monitor NRDs in enterprise traffic for anywhere from the first few hours after detection up to a week. But with no comprehensive study available on the malicious usages and threats associated with NRDs, a consensus hadn't been reached on whether such actions are sensible precautions or security overkill.
Out of 1,530 top-level domains analysed by Unit 42, more than 70% turned out to be “malicious,” “suspicious” or “not safe for work.” The study found that NRDs are "often times abused by bad actors for nefarious purposes, including but not limited to C2, malware distribution, phishing, typosquatting, PUP/Adware, and spam."
According to Palo Alto Networks, the safe approach is to block access to NRDs for the first 32 days after they have been registered or have undergone a change in ownership.
A recommendation was also made to block complete top-level domains (TLDs) that are predominantly used by bad actors (the threat kind, not the cast of Hollyoaks). The study calculated the top 15 TLDs with the highest malicious rate on recent NRDs and found the worst three offenders were "to," "ki" and "nf."
The study concludes: "We recommend blocking access to NRDs with URL Filtering. While this may be deemed a bit aggressive by some due to potential false-positives, the risk from threats via NRDs is much greater. At the bare minimum, if access to NRDs is allowed, then alerts should be set up for additional visibility."
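The recommendations in the last three paragraphs (block for 32 days after registration or a change of ownership, block the worst TLDs outright, and at minimum alert) can be written down as a small policy. What follows is an added example, not Unit 42's or Palo Alto Networks' code. It assumes the registration and ownership-change dates arrive from a lookup table (in practice a WHOIS/RDAP query or a URL-filtering vendor's NRD feed); the hostnames, dates and the simplified stand-in for the Public Suffix List are constructed for the example.

```python
"""Added example (not Unit 42's or Palo Alto Networks' code): a newly
registered domain (NRD) policy that applies the study's recommendation.

Rules implemented:
  * block (or, in "alert" mode, only alert on) any domain registered or
    changed ownership fewer than 32 days ago;
  * block outright the TLDs the study singled out ("to", "ki", "nf");
  * alert when no registration date is known, because a domain the
    feed has never seen cannot be assumed old.

The registration dates come from a dict here; in a real deployment they
would be fed from WHOIS/RDAP or a URL-filtering vendor's NRD feed.  All
hostnames and dates below are constructed for the example.
"""
from datetime import date

NRD_WINDOW_DAYS = 32                 # from the study
BLOCKED_TLDS = {"to", "ki", "nf"}    # the study's three worst TLDs
# Simplified stand-in for the Public Suffix List (assumption: only these
# second-level suffixes are treated as public).
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed registration / last-ownership-change dates.
SAMPLE_REGISTRATIONS = {
    "example.com": date(1995, 8, 14),
    "brand-new-conference.org": date(2019, 8, 1),
    "exactly32.net": date(2019, 7, 19),
    "example.co.uk": date(2019, 7, 1),
}


def registrable_domain(host):
    """Reduce a hostname to the domain that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def nrd_verdict(host, today, registrations, mode="block"):
    """Return (action, reason) where action is "block", "alert" or "allow"."""
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        return "block", f".{tld} is on the TLD block list"
    registered = registrations.get(domain)
    if registered is None:
        return "alert", f"no registration date known for {domain}"
    age_days = (today - registered).days
    if age_days < NRD_WINDOW_DAYS:
        action = "block" if mode == "block" else "alert"
        return action, f"{domain} registered/changed {age_days} days ago (< {NRD_WINDOW_DAYS})"
    return "allow", f"{domain} is {age_days} days old"


def triage(hosts, today, registrations, mode="block"):
    """Apply the policy to a batch of hostnames (e.g. pulled from a proxy log)."""
    return {host: nrd_verdict(host, today, registrations, mode) for host in hosts}


if __name__ == "__main__":
    hosts = ["www.example.com", "cdn.brand-new-conference.org", "exactly32.net",
             "shop.example.co.uk", "login-update.to", "unknown-thing.net"]
    for host, (action, reason) in triage(hosts, date(2019, 8, 20), SAMPLE_REGISTRATIONS).items():
        print(f"{action:5} {host:32} {reason}")
```

The `mode="alert"` switch is the study's "bare minimum" fallback for organisations that consider outright blocking too aggressive; the unknown-date case deliberately alerts rather than allows, since a domain missing from the feed is more likely to be new than old.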
Facebook has announced an expansion to its bug bounty program covering third-party apps that abuse user data, to include the Instagram ecosystem.
First launched in 2018 in response to the Cambridge Analytica scandal, the Data Abuse Bounty program works by “incentivizing anyone to report apps collecting user data and passing it off to malicious parties to be exploited.”
If an application is found to be breaking Facebook policy in this way, it could be kicked off the platform or become the subject of legal action. Facebook may also decide to conduct a forensic audit of related systems.
Cambridge Analytica infamously used data on tens of millions of Facebook users and their friends scraped by the third-party This Is Your Digital Life app to target US voters in the 2016 Presidential election.
Since that debacle, the social network was forced to kick hundreds more third-party apps from its platform for similar abuses, including one called myPersonality which was used by four million users.
The addition of Instagram to the program reflects the importance of the platform to Facebook’s business and growing concerns over developer access to user data.
In February, it was reported that data on 14.5 million Instagram accounts was being stored online in the UK with no password protection. It was suspected that a third party could be scraping accounts for publicly accessible data, for use later in marketing campaigns.
Last year, Instagram suddenly reduced the API limit for third-party apps from 5000 to 200 calls per hour, and stopped accepting new submissions, in what was seen as an attempt to improve user privacy.
Facebook set out its vision for a radical overhaul of the company in July following a record $5bn penalty issued by the FTC in response to failings that led to the Cambridge Analytica incident.
Google has been forced to remove 85 adware-laden gaming and photo apps from its official Play store which had been downloaded over eight million times.
The Android custodian was informed about the adware by Trend Micro, which detected the new variant as AndroidOS_Hidenad.HRXH.
In a blog post, mobile threat response engineer Ecular Xu claimed that the ads generated by this malware are particularly difficult to close, and feature “unique techniques to evade detection through user behavior and time-based triggers.”
After checking whether the adware has been installed for 30 minutes – an attempt to evade sandbox analysis – it will hide its icon and create a shortcut on the home screen.
“To evade detection, the app uses Java reflection – which enables the runtime behaviors of an application to be inspected or modified – and encodes the API strings in base64,” Xu continued.
Ads are then flashed up to the user, with the adware checking to make sure it isn’t showing the same ones too frequently.
“While the apps do have actual functionalities of the applications they are posing as, these ads are shown in full screen,” Xu warned.
“Users are forced to view the whole duration of the ad before being able to close it or go back to app itself. Moreover, the frequency of ads being displayed can be remotely configured by the fraudster (the default is five minutes), so it could exacerbate the nuisance for users.”
Some users would have been able to block the apps, had they been accidentally downloaded: the most recent Samsung devices restrict the creation of shortcuts on the home screen, while Android 8 and later versions require user confirmation before a shortcut can be created, Xu said.
Mobile AV from a reputable vendor can also help to block malicious apps.
Some of the apps pre-loaded with the adware included Blur Photo Editor, Magic Camera, One Stroke Line Puzzle, Toy Smash and Beautiful House.
The news serves as a continued warning to users to exercise caution when downloading Android apps, even on the official marketplace.
Twitter and Facebook have been forced to suspend nearly 1000 accounts after revealing a coordinated state-sponsored attempt by China to spread misinformation about the unrest in Hong Kong.
The news appears to indicate the first reported attempt by Beijing to engage in tactics more infamously deployed by the Putin administration in trying to influence opinion and amplify specific messages.
The accounts were banned for a range of policy violations including: spam, coordinated activity, fake accounts, attributed activity and ban evasion.
“As Twitter is blocked in PRC, many of these accounts accessed Twitter using VPNs. However, some accounts accessed Twitter from specific unblocked IP addresses originating in mainland China,” the social network said in a blog post on Monday.
“The accounts we are sharing today represent the most active portions of this campaign; a larger, spammy network of approximately 200,000 accounts — many created following our initial suspensions — were proactively suspended before they were substantially active on the service.”
In an unusual step, Twitter also released two large troves of information about the blocked accounts, containing their complete tweet and user information.
“Covert, manipulative behaviors have no place on our service — they violate the fundamental principles on which our company is built. As we have said before, it is clear that information operations and coordinated inauthentic behavior will not cease,” it concluded.
“These deceptive strategies have been around for far longer than Twitter has existed. They adapt and change as the geopolitical terrain evolves worldwide and as new technologies emerge. For our part, we are committed to understanding and combating how bad-faith actors use our services.”
The social network also shared intelligence on the inauthentic behavior with Facebook, which reacted by removing seven Pages, three Groups and five Facebook accounts as part of a small network focused on the Hong Kong protests.
Some of the content that was posted likened the protesters to cockroaches and ISIS fighters.
Citizens from the former British colony have been protesting in often violent clashes with the police for several weeks now, with millions taking to the streets on occasion. This followed the unelected local government’s attempts to introduce a law which would have allowed suspects in criminal cases to be extradited to China, where courts are controlled by the Communist Party.
Contrary to attempts by the Chinese government to portray them as violent secessionists backed by foreign governments like the US, most protesters are railing only against the single-party autocratic system of rule in China and simply want free and fair democratic elections.
Norwegian company IDEX Biometrics is forging strong bonds with smart-card and payment specialists in Asia.
IDEX shared its second quarter and half-year 2019 results in a recently issued corporate update in which the company announced a landmark multiyear, multimillion-dollar order for its dual-interface sensors. The report went on to highlight IDEX's collaborations with Tongxin Microelectronics Co. Ltd. (TMC) and PAX Technology Ltd.
Chinese company TMC will be working with IDEX to create a biometric smart-card solution for end-customer implementation. In a three-way tech tryst, point-of-sale terminal provider PAX will be working with IDEX and with one of China's largest smart-card producers, Chutian Dragon, to run real-life transactions of biometric smart cards compliant with Europay, Mastercard and Visa (EMV) using IDEX's dual-interface sensor.
Also highlighted in the report were IDEX's progress toward certification and the company's attainment of some major manufacturing milestones, which included partnerships with Sian and Silone Cardtech, and a savvy supply agreement with leading global provider of cybersecurity products and solutions Feitian.
Despite its progress, the Norwegian company has yet to bring in the big bucks. In a separate brief, IDEX reported Q2 revenues of NKr0.4 million (about $44,600), an increase from revenues of NKr0.3 million in Q2 of 2018; and for the full first half of the 2019 fiscal year, revenues crossed the line at NKr1.7 million, compared to the much healthier NKr2.1 million banked over the corresponding period in 2018.
IDEX CEO Stan Swearingen said: “The evolution of the biometric smart-card market is undoubtedly gathering pace and IDEX made great progress in the quarter. Our pipeline of commercial opportunities continues to grow, and we expect sensor shipments to increase significantly. We have developed important relationships with new customers in the ecosystem, and our biometric technology is proven and ready for mass deployment. I am highly confident that our strategy and technology leadership will deliver considerable success for all our stakeholders.”
A British teenager has been sentenced to 20 months in prison after selling his services as a freelance hacker.
Elliot Gunton of Mounteney Close, Norwich, England, pleaded guilty to hacking, money laundering and breaching a Sexual Harm Prevention Order imposed in 2016. The 19-year-old hacker-for-hire also pleaded guilty to hacking offences against an Australian Instagram account.
Gunton was sentenced at Norwich Crown Court on Friday, August 16, after pleading guilty at an earlier hearing. The teen was ordered to pay back more than £400,000 he made in cryptocurrency after supplying online personal data and hacking services.
The court heard how police found cybercrime-enabling software on Gunton's laptop after a routine search of his home conducted in April 2018. The search had been carried out to ensure that the teen was complying with a Sexual Harm Prevention Order imposed by the court in 2016 for previous offences.
Information found on the laptop revealed that Gunton had offered to pass on mobile phone numbers, which would allow third parties to intercept calls and texts to commit fraud. Police also found evidence of Gunton advertising compromised data for sale and offering his services as a hacker-for-hire.
Officers were able to trace and seize £275,000 worth of cryptocurrency illegally earned by Gunton, who had failed to erase all trace of conversations he had held online in which he discussed criminal activities.
Gunton received a 20-month custodial sentence but was immediately released from the court, as he had already served his sentence while on remand. He was ordered to pay back £407,359 and issued a 42-month Community Behaviour Order with strict terms dictating his access to the internet.
The order bans Gunton from deleting his internet search history, from providing a false IP address, and from using cloud storage unless he notifies a police officer.
Detective Sergeant Mark Stratford said, "This was a complex investigation which relied on the expertise of officers and staff from the Norfolk and Suffolk Cybercrime Unit. This emerging type of criminality requires police investigators to be at the forefront of technological advancements in order to effectively combat the ever-growing paradigm of cybercrime."
BlackBerry, the Canadian multinational, is one of six vendors to be handed the title in the 2019 Gartner Magic Quadrant for Unified Endpoint Management Tools report. The other companies to emerge as Leaders from the report are Citrix, IBM, Microsoft, VMware and MobileIron, all of which were also awarded the title in 2018.
Magic Quadrants are used to determine the relative positions of competing players in the major technology markets through proprietary qualitative data analysis. The result is that companies are placed in one of four categories: Leaders, Visionaries, Niche Players or Challengers. Vendors that emerge as Leaders have the highest composite scores for their completeness of vision and ability to execute.
In the 2019 Magic Quadrant for Unified Endpoint Management Tools, Gartner's main focus was on a unified endpoint management (UEM) solution's ability to coexist with or assist in the migration away from client management tools (CMTs) and processes. This is because of the ongoing migration of PCs from legacy CMTs to UEM that Gartner stated it witnesses in a majority of end-user organizations.
BlackBerry’s UEM solutions have been adopted by leaders in highly regulated industries, including government, healthcare, energy and financial services. The solutions work by using machine learning and predictive analysis to securely enable the internet of things (IoT) with complete endpoint management and policy control for an enterprise fleet of devices and apps.
The company’s latest offering, BlackBerry Intelligent Security, is the first cloud-based solution to harness the power of adaptive security. The tech allows IT teams to alter the security requirements and functionality of enterprise devices and apps based on a user’s real-world behavior and a risk score calculated via a combination of artificial intelligence (AI) and spatial data. And all this is achieved without leaving an additional software footprint.
The state of Texas has come under fire from a coordinated ransomware attack affecting over 20 local authorities.
The Texas Department of Information Resources (DIR) released an updated statement over the weekend detailing its response to the attacks, which occurred on Friday morning local time.
Some 23 local government agencies were hit by the attacks – which are said to have come from the same threat actor – although state IT systems and networks are not affected.
“Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time,” the statement noted. “It appears all entities that were actually or potentially impacted have been identified and notified.”
The Texas DIR urged computer users not to click through or open attachments on unsolicited emails, check email sender details, use unique and strong passwords on all accounts, alert supervisors about any suspicious activity, and take advantage of cybersecurity training.
Local government bodies are coming under increasing attack in the US, with cyber-criminals betting correctly that poor security practices and under-funding have left them particularly exposed to ransomware.
Over the past few months several cities in Florida have come under fire, with at least two, Lake City and Riviera Beach, choosing to pay a combined ransom of over $1m. In Texas, the city of Del Rio was hit in January, forcing public sector staff back to using pen and paper.
In Baltimore, which was also hit but refused to pay up, reports suggest the local authority may end up with a bill for as much as $18m.
Ransomware detections rocketed by 365% year-on-year in the second quarter of 2019, according to Malwarebytes. The vendor claimed in Q1 that virtually all of its detections were now related to attacks on businesses, as hackers focus their efforts on more lucrative targets.
A Brooklyn man has been sentenced to nearly five years behind bars after pleading guilty to a decade-long fraud and account takeover scheme that netted him over $1m.
Jason Mickel Elcock, aka “Prezzi,” pleaded guilty in March to a series of wire fraud and money laundering charges, as well as unlawful possession of a firearm.
Between 2008 and last year, Elcock and co-conspirator Shoshana Marie McGill bought stolen financial and identity data on tens of thousands of businesses and individuals, according to the Department of Justice.
They also obtained this material by hacking victims’ email accounts, bank accounts and password vaults.
The duo then monetized the stolen data by: buying goods online with victims’ card data, which they resold; opening new lines of credit in other people’s names; transferring money out of victim bank accounts; creating and cashing fraudulent checks in victims’ names; and selling the data and check-making kit to other fraudsters in return for a cut of their earnings.
Elcock is also said to have deleted activity alerts and changed email account passwords to prevent victims receiving automated alerts about unauthorized transactions. He’s also said to have transferred victims’ phone numbers to ones under his control.
The decade-long scheme netted him and McGill $1.1m. Also seized from their flat were Rolex watches, laptops, tablets and smartphones, designer clothes, shoes and handbags, and other items.
In addition to his 57-month prison term, Elcock will get three years of supervised release, and has to pay back the $1.1m and restitution. McGill pleaded guilty on January 3 to conspiring to commit money laundering and was sentenced in June to five years’ probation.
“As criminals move to the digital frontier, law enforcement is following,” said NYPD commissioner, James O’Neill. “In this case, the NYPD is proud to have teamed with its FBI partners to bring this insidious criminal scheme to a close.”
Police chiefs are warning of delays to investigations and court cases after it emerged that a ransomware attack on a forensic services firm led to a backlog of 20,000 cases.
Eurofins Scientific, the largest provider of its kind in the UK, suffered the “sophisticated” attack back in June.
The global tester, which handles around half of the UK’s forensic work, is said to have decided to pay the ransom in a bid to regain access to crucial data.
The National Police Chiefs' Council (NPCC) is now reported to be working on clearing the large backlog of cases, which it says will have an impact on ongoing investigations and legal proceedings as they involve vital DNA and blood evidence from crime scenes.
The backlog is now at around 15,000 cases, but the police organization is confident it will be cleared in the next two months, according to the BBC.
“The security and integrity of the criminal justice system is of the highest possible priority, which meant we had to take stringent steps to ensure that police data had, firstly, not been manipulated or changed and, secondly, was suitably protected for the future,” said NPCC lead for the forensic marketplace, assistant chief Constable Paul Gibson.
Kaspersky principal security researcher, David Emm, said the case highlights the dilemma facing firms caught out by ransomware: whether to pay up.
“To avoid this issue in the first place, having offline and offsite data back-up is essential. The best mitigation to ransomware is having effective backup processes in place, which help companies to avoid an invidious situation where they are suddenly negotiating with cyber-criminals,” he added.
“However, if companies haven’t got a back-up and it’s too late, then they seriously need to weigh up what solution is best for them. Whilst the decision to pay a ransom to restore valuable data is entirely dependent on the victim and their unique situation, it is important to remember the following: you can never entirely trust cyber-criminals to keep their end of the deal and in paying large sums to them, you are helping to fuel an illegal economy and thus, will help to make ransomware a more lucrative business in the future.”
The UK Information Commissioner's Office (ICO) has launched an investigation into the use of facial recognition technology in London's King's Cross. The announcement followed news of the technology's use at Granary Square, a large, private development in the area.
Granary Square is a 67-acre development comprising 50 buildings. Press reports detailing the use of facial recognition in security cameras at the site first surfaced on Monday. According to the Guardian, its developers, Argent, Hermes Investment Management and AustralianSuper, admitted to using facial recognition technology "in the interest of public safety and to ensure that everyone who visits has the best possible experience."
The ICO acknowledged media reports that facial recognition was in use around King's Cross and pledged to investigate, calling the technology "a potential threat to privacy that should concern us all." Use of facial recognition systems without people's knowledge is a particular worry, Information Commissioner Elizabeth Denham added.
"As well as requiring detailed information from the relevant organisations about how the technology is used, we will also inspect the system and its operation on-site to assess whether or not it complies with data protection law," Denham said in a statement.
“Put simply, any organisations wanting to use facial recognition technology must comply with the law – and they must do so in a fair, transparent and accountable way," she added. "They must have documented how and why they believe their use of the technology is legal, proportionate and justified."
This isn't the first time that privacy advocates have expressed concerns about the use of facial recognition technology in central London. In December, privacy campaigners attacked the Metropolitan Police force for using the technology in SoHo, Piccadilly Circus and Leicester Square.
In May, San Francisco voted to ban the use of facial recognition by city departments altogether, making it the first city to do so. Oakland, California, and Somerville, Massachusetts, followed suit. July saw the House of Commons Science and Technology Committee recommend a suspension of facial recognition trials by the UK Government until the technology can be properly evaluated.
It's official: 1.5% of web logins use breached credentials, according to research published by Google. The company analyzed its own data to reach that number, which it presented at the USENIX conference this week.
Many websites still rely on only a combination of username and password to grant users access. Large data breaches have leaked billions of these credentials online, and they have been documented in databases like cybersecurity researcher Troy Hunt's Have I Been Pwned. People who reuse their email and password combinations across different sites are therefore vulnerable to credential-stuffing attacks, in which cyber-criminals attempt to access multiple websites using their stolen credentials.
In February, Google published an extension to the Chrome browser called Password Checkup. When a user enters credentials into a website, Google checks them against a database of over four billion breached usernames and passwords, warning the user if those credentials have been stolen and published in the public domain.
In the first month of operation, almost 670,000 people participated in the service, logging in 21 million times. Of those logins, 1.5% involved breached credentials, the research found.
People reused breached credentials on over 746,000 distinct domains, Google said. Video streaming and adult websites were most at risk of hijacking. Up to 6.3% of logins at those sites relied on breached credentials. Comparatively, only 0.3% of logins involved breached passwords at financial sites, and only 0.2% at government sites, the company said in a blog post yesterday. This could be because those sites had stricter password requirements, said the report. You probably couldn't use your dog's name as a password on many government sites, unless your dog's name happened to be "hs#s8d77sD^a," it said.
The research found that users took steps to reset one in four (86%) of unsafe passwords flagged by the Password Checkup extension. Of the new passwords, 94% were as strong or stronger than the originals, and an encouraging 60% were strong enough to be secure against brute-force dictionary attacks, in which it would take an attacker over 100 million guesses to identify the new password.
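The mechanism described above, where the browser checks an entered password against a breach corpus without handing the password itself to the lookup service, is easiest to see in code. The following is an added example, not Google's Password Checkup code: it models the k-anonymity range query that Have I Been Pwned's Pwned Passwords API uses (client sends the first 5 hex characters of the password's SHA-1, the service returns every hash suffix in that bucket, the comparison happens locally). Password Checkup itself uses a different private-set protocol, so treat this as a simplified illustration of the same defensive idea. The leaked-password list is constructed for the example.

```python
"""Constructed example: breach-password check via a k-anonymity range query.

Client hashes locally and sends only a 5-hex-char prefix; the service never
sees the password or its full hash. Modelled on the HIBP Pwned Passwords API
(assumption: that scheme, not Google's Password Checkup protocol).
"""
import hashlib

PREFIX_LEN = 5

# Constructed stand-in for a breach dump (a real corpus has billions of entries).
_LEAKED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked):
    """Service side: bucket each hash by its 5-hex-char prefix."""
    index = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


BREACH_INDEX = build_breach_index(_LEAKED_PLAINTEXT)


def range_query(prefix: str, index=BREACH_INDEX):
    """Service side: return every suffix in the bucket; the prefix alone is
    shared by many hashes, so the service learns almost nothing."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(index.get(prefix.upper(), ()))


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(prefix, index)


def login_check(username: str, password: str, index=BREACH_INDEX) -> dict:
    """What a Password Checkup-style prompt would decide at login time."""
    breached = is_breached(password, index)
    return {
        "user": username,
        "breached": breached,
        "action": "prompt password change" if breached else "none",
    }


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(repr(pw), "->", login_check("alice@example.com", pw))
```

The point of the prefix split is that a breach-check service can be used at every login without the service (or anyone observing the query) learning the password; the same design works for a self-hosted corpus built from the public dumps the article mentions.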
The number of data breaches spiked dramatically in the first half of this year compared to previous years, according to a report from vulnerability intelligence company Risk Based Security. Its analysis found that breach numbers for the first six months of 2019 grew by 54% compared to the same period last year, while the number of exposed records grew 52%.
The growth in data breach volume bucks a trend that saw the number of breaches plateau in 2017 and 2018.
"The reason? Over 1,300 data leaks, mostly exposing email addresses and passwords, were documented in the first half of 2019," the report said. "Although these tend to be relatively small events, averaging fewer than 230 records exposed per incident, these leaks have contributed substantially to the number of access credentials freely available on the Internet."
The number of records exposed in 1H 2019 (4.19 billion) may be larger than in 2018 (2.74 billion), but historical record volumes are more erratic. The first half of 2017 saw six billion records exposed, the report said.
According to the report, eight breaches within the first half of this year accounted for 3.2 billion breached records, or 78.6% of the total. Three of the breaches were among the largest of all time.
Six of the top eight breaches stemmed from misconfigured databases or web applications: Verifications.io (982 million records), First American Financial (885 million), Cultura Colectiva (540 million), two unknown organizations in India and China (275 million and 202 million, respectively) and Justdial (100 million).
Web-based breaches like these are by far the most common in terms of exposed records, accounting for 79% of total breaches in the first half of the year.
Only two of the top eight – Dubsmash's 161 million-record breach and Canva's loss of 139 million records – were down to other hacking techniques.
The number of breaches doesn't tell the whole story, either. While the first half of this year yielded more breaches than ever before, the majority had a moderate to low severity score and exposed 10,000 records or fewer.
The type of data stolen also plays a part. Email addresses and passwords are still the primary records stolen, present in 70% and 65% of stolen data sets, respectively. These can be used for credential stuffing when shared across multiple sites, but they can also be changed, the report points out.
More critical data was less commonly stolen. Addresses, credit card and Social Security numbers were only stolen in 11% of attacks, with account numbers only showing up in 10%.
The European Central Bank (ECB) has been forced to shut down one of its websites following a cyber-attack which may have compromised customer data.
The bank said in a brief statement that hackers had compromised its Banks’ Integrated Reporting Dictionary (BIRD) website, which is hosted by an external third party.
It claimed that malware had been injected onto the server “to aid phishing activities.
“As a result, it was possible that the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured,” the statement continued.
“The affected information consists of the email addresses, names and position titles of the subscribers. The ECB is contacting people whose data may have been affected.”
The BIRD website is said to provide the banking industry with information designed to help produce statistical and supervisory reports.
The ECB said that because the BIRD website is physically separate from all other external and internal ECB systems, no market-sensitive data has been affected by the incident.
The BIRD website has been closed until further notice and the European Data Protection Supervisor has been informed about the breach.
This isn’t the first time the ECB has been hit by hackers. In 2014, attackers managed to compromise a database containing website form data – stealing 20,000 email addresses which they then tried to hold to ransom.
The financial sector has always been a major target for hackers.
It has seen a 67% increase in security breaches over the past five years, with the average cost of cybercrime for financial institutions jumping $1.4m over the past year to reach $13m, according to an Accenture report from earlier this year.
A leading open source project has come under fire for issuing misleading security advisories which may have put customers of its software at unnecessary risk.
Security vendor Synopsys analyzed 115 separate releases for popular web application framework Apache Struts and matched them up against the relevant advisories from the open source project.
In total, 24 of the 57 Apache Struts security advisories – nearly half – made mistakes when listing the versions of the framework that were impacted by vulnerabilities.
In fact, 61 additional versions of Apache Struts were impacted by at least one previously disclosed vulnerability, potentially exposing users to attack.
“While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment,” Synopsys argued.
“Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.”
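The risk Synopsys describes, a cached "known good" version that an advisory failed to list, is exactly what a build pipeline should catch by comparing its pinned versions against the advisory's affected ranges, and re-running that comparison whenever an advisory is corrected. The following added example (not code from Synopsys or the Apache Struts project) does that check. The advisory records in it are hypothetical placeholders, labelled ADVISORY-EXAMPLE-1, and the version ranges are invented; only the major.minor.patch version format follows the Struts convention.

```python
"""Constructed example: audit pinned component versions against an advisory's
affected-version ranges, before and after the advisory is corrected.

Advisory ids and ranges are hypothetical placeholders, not real Struts advisories.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'1.2.7' -> (1, 2, 7); a trailing qualifier such as '-RC1' is ignored."""
    core = re.match(r"^(\d+(?:\.\d+)*)", s.strip())
    if not core:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def in_range(v: Version, lo: str, hi: str) -> bool:
    """Inclusive range check; shorter tuples are padded with zeros so
    (1, 3) compares as 1.3.0."""
    lo_v, hi_v = parse_version(lo), parse_version(hi)
    width = max(len(v), len(lo_v), len(hi_v))

    def pad(t: Version) -> Version:
        return t + (0,) * (width - len(t))

    return pad(lo_v) <= pad(v) <= pad(hi_v)


def affected_by(version: str, advisories: List[dict]) -> List[str]:
    """Ids of advisories whose affected ranges cover `version`."""
    v = parse_version(version)
    return [
        adv["id"]
        for adv in advisories
        if any(in_range(v, lo, hi) for lo, hi in adv["affected"])
    ]


# Hypothetical advisory as first published (one branch listed) and as later
# corrected (a second affected branch added).
ORIGINAL = [{"id": "ADVISORY-EXAMPLE-1", "affected": [("1.2.0", "1.2.7")]}]
CORRECTED = [
    {"id": "ADVISORY-EXAMPLE-1", "affected": [("1.2.0", "1.2.7"), ("1.3.0", "1.3.4")]}
]


def audit_lockfile(pinned: List[str], advisories: List[dict]) -> Dict[str, List[str]]:
    """Map each pinned version to the advisories that cover it."""
    return {p: affected_by(p, advisories) for p in pinned}


if __name__ == "__main__":
    pins = ["1.2.3", "1.3.2", "1.4.0"]   # constructed 'known good' cache
    print("original advisory:", audit_lockfile(pins, ORIGINAL))
    print("corrected advisory:", audit_lockfile(pins, CORRECTED))
```

Run against the original advisory, the pinned 1.3.2 looks clean; against the corrected one it is flagged. That difference is why advisory corrections need to trigger a re-audit of cached components rather than being treated as documentation-only changes.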
On the plus side, the Apache Software Foundation and Apache Struts team were praised for their “diligence” in collaborating with Synopsys on fixing the mistakes. An updated Apache Struts Security Advisories page was published earlier this week.
Apache Struts will be known to many as the web app framework which Equifax failed to patch back in 2017, leading to a major breach of personal and financial information on more than half of all Americans and millions of UK consumers.
That incident has already cost the credit agency in excess of $1bn, as well as the jobs of the CEO and other senior executives.
Formjacking accounted for 71% of all web-related data breaches in 2018 as hackers looked to steal customers’ financial information in large quantities, according to F5 Labs.
The security vendor’s Application Report 2019 is compiled from analysis of 760 breaches and revealed that attacks like those featuring Magecart digital skimmers are on the rise.
Already this year, there have been 83 reported attacks on web payment forms, compromising over 1.3 million payment cards, the firm claimed.
The transport industry was the biggest victim of formjacking attacks, accounting for 60% of all credit card-related theft during the reporting period, followed by retail (49%), business services (14%) and manufacturing (11%).
The report also revealed that 11% of newly discovered exploits in 2018 were part of a formjacking attack chain, including remote code execution (5.4%), arbitrary file inclusion (3.8%) and remote CMD execution (1.1%).
David Warburton, senior threat evangelist at F5 Networks, argued that formjacking attacks have “exploded in popularity” over the past two years.
“Web applications are increasingly outsourcing critical components of their code, such as shopping carts and card payment systems, to third parties. Web developers are making use of imported code libraries or, in some cases, linking their app directly to third party scripts hosted on the web,” he explained.
“As a result, businesses find themselves in a vulnerable position as their code is compiled from dozens of different sources – almost all of which are beyond the boundary of normal enterprise security controls. Since many web sites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims.”
“The injection landscape is transforming along with our behavior,” said Warburton.
“Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing code. The more code we hand over to third parties, the less visibility and less control we have over it.”
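Warburton's description of the exposure, a page assembled from third-party scripts that sit outside the enterprise's own controls, points at two browser-enforced controls a site can apply: Subresource Integrity (SRI), which pins a script tag to the hash of the reviewed script so a modified copy refuses to load, and a Content-Security-Policy that limits where scripts may be loaded from and where the page may send data. The following is an added example, not F5's or any vendor's code; the script content and the cdn.example host are constructed, while the integrity attribute format (sha384-base64) and the CSP directives are the standard ones browsers implement.

```python
"""Constructed example: pinning a third-party script with SRI and restricting
script and connection origins with CSP, so that a tampered script fails to load
rather than running against the payment form.
"""
import base64
import hashlib
import hmac

# Constructed snapshot of a third-party checkout helper as reviewed and approved.
APPROVED_SCRIPT = b"window.checkout = { tokenize: function (card) { /* ... */ } };\n"

# The same file after any change at all; the integrity check alone decides
# whether the browser will execute it.
MODIFIED_SCRIPT = APPROVED_SCRIPT + b"/* unreviewed change */\n"


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """<script> tag pinned to the reviewed content; crossorigin is required
    for SRI on cross-origin resources."""
    return (
        f'<script src="{src}" integrity="{sri_digest(content)}" '
        f'crossorigin="anonymous"></script>'
    )


def integrity_ok(fetched: bytes, integrity: str) -> bool:
    """What the browser does on load: recompute the digest of what actually
    arrived and compare; any mismatch blocks execution."""
    algo, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_digest(fetched, algo), integrity)


def csp_header(script_hosts, connect_hosts) -> str:
    """Allow-list script origins and outbound connection targets; form-action
    keeps the checkout form from posting anywhere but the site itself."""
    return (
        "Content-Security-Policy: default-src 'self'; "
        f"script-src 'self' {' '.join(script_hosts)}; "
        f"connect-src 'self' {' '.join(connect_hosts)}; "
        "form-action 'self'; object-src 'none'"
    )


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/checkout.js", APPROVED_SCRIPT)
    pinned = sri_digest(APPROVED_SCRIPT)
    print(tag)
    print("approved copy loads:", integrity_ok(APPROVED_SCRIPT, pinned))
    print("modified copy loads:", integrity_ok(MODIFIED_SCRIPT, pinned))
    print(csp_header(["https://cdn.example"], ["https://api.cdn.example"]))
```

SRI only helps for scripts whose content you can review and pin, so a vendor that changes its hosted script without notice will break the page rather than be silently trusted; that breakage is the visibility Warburton says is otherwise missing. The CSP connect-src and form-action directives cover the other half of a skimmer's job, getting the captured data off the page.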