Info Security


Businesses Are Collecting More Data Than They Need

Tue, 07/10/2018 - 15:06

Businesses have gotten into the habit of collecting lots of data, but the volume they have compiled now exceeds what they can actually use. Nearly half of all companies have no idea where their sensitive data is stored, according to a new survey from Gemalto.

The fifth annual Data Security Confidence Index surveyed 1,050 IT decision makers and 10,500 consumers worldwide, revealing that 46% of companies don’t know where all of their sensitive data is stored and a majority of companies are unable to analyze all the data they collect. 

The research found that for most businesses, the ability to analyze the data they collect changes depending on geography. In India, for example, 55% of businesses are able to effectively analyze the data they collect, yet only 47% of businesses in Australia can.

India and Australia rank best at using the data they collect. While 89% of global organizations said analyzing data effectively gives them a competitive edge, only one in five Benelux (20%) and British (19%) companies report that they are actually able to do so. 

Two-thirds of respondents said their organizations are failing to carry out all procedures in line with data protection laws, suggesting a decline in confidence when it comes to businesses securing customers’ data.

“If businesses can’t analyze all of the data they collect, they can’t understand the value of it – and that means they won’t know how to apply the appropriate security controls to that data,” says Jason Hart, vice president and CTO for data protection at Gemalto.

“Whether it’s selling it on the dark web, manipulating it for financial gain or to damage reputations, unsecured data is a goldmine for hackers. You only need to look at the recent hacks on the World Anti-Doping Agency and International Luge Federation to see the damage that can be done. What’s more, data manipulation can take years to discover, and with data informing everything from business strategy to sales and product development, its value and integrity cannot be underestimated.”

Categories: Cyber Risk News

Asian Countries Frequent Targets of APT Attacks

Tue, 07/10/2018 - 14:28

In a live webinar today, Kaspersky Lab experts presented their review of Q2 2018 advanced persistent threat (APT) activity. In addition to charting the latest campaigns, tools and techniques deployed by established threat actors, Vicente Diaz and Costin Raiu, security researchers in Kaspersky Lab’s global research and analysis team, also discussed the reawakening of previously quiet groups, revealing that Asia was the epicenter of APT activity during Q2 2018.

Some of the many threat actors watched were Lazarus and its subgroups BlueNoroff and Andariel. While BlueNoroff tended to target financial institutions, Andariel specialized in nonfinancial institutions; both are financially motivated. As the geopolitical situation continues to evolve between North and South Korea, researchers are unsure what the new role of Lazarus will be.

Lazarus groups remained active and were detected by McAfee, which reported the Bankshot attack against Turkish financial institutions. Also in Q2, ESET detected that casinos in Latin America were targeted and then followed by destructive attacks. Kaspersky’s own telemetry revealed attacks on financial institutions in Asia.

Manuscrypt was the tool of choice in many recent attacks, and in June US-CERT warned of a new version of this malware, formerly known as FALLCHILL and now dubbed TYPEFRAME.

Researchers also noted relatively high activity from the ScarCruft and DarkHotel APTs. ScarCruft, also known as Group 123 and Reaper, was actively using new malware and a new backdoor called Poorweb throughout Q2, and its activity indicated an increase in the group’s capabilities. While researchers initially suspected the group was responsible for CVE-2018-8174, announced by Qihoo 360, they later confirmed that this second zero-day was the work of a different activity group, DarkHotel.

These two groups, while different, overlap in many ways.

The LuckyMouse APT, also known as APT27 and Emissary Panda, abused national data centers in Asia, planting watering holes on high-profile websites. Researchers observed activity from multiple Chinese-speaking actors targeting Mongolia over the last 10 months, which they suspect is not coincidental, though they are not sure whether the activity is coordinated.

A VPNFilter campaign discovered by researchers from Cisco Talos targeted over half a million home and small-office networking and storage devices all over the world. It affected a large set of hardware vendors and included a capability to infect computers behind the compromised hardware through traffic injection. The FBI attributes this activity to Sofacy/Sandworm (BlackEnergy APT) actors.

“The second quarter of 2018 was very interesting in terms of APT activity, with a few remarkable campaigns that remind us how real some of the threats we have been predicting over the last few years have become,” said Vicente Diaz, principal security researcher, Kaspersky Lab global research and analysis team.

“In particular, we have repeatedly warned that networking hardware is ideally suited to targeted attacks, and we have highlighted the existence and spread of advanced activity focusing on these devices.”

Categories: Cyber Risk News

Stolen Taiwanese Certs Used in Malware Campaign

Tue, 07/10/2018 - 09:48

Security researchers have discovered yet another cyber-attack campaign using stolen certificates to circumvent traditional security tools.

The tactic was being used to launch a remotely controlled backdoor dubbed Plead and a related password stealer, according to ESET senior malware researcher Anton Cherepanov.

Plead was spotted last year being used by a group known as BlackTech to compromise targets in East Asia including Hong Kong, Japan and Taiwan, and as such could be a Beijing-backed venture.

Two certificates were used to sign the malware, one belonging to Taiwanese security company Changing Information Technology and another issued by D-Link.

“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen,” explained Cherepanov.

After being notified of the discovery, D-Link revoked the certificate last week, he added.

However, BlackTech is still using the Changing Information Technology certificate, despite it also having been revoked last week.

Kevin Bocek, chief cybersecurity officer at Venafi, pointed out that the use of stolen certificates is not new and was in fact popularized by the Stuxnet authors.

“If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms. This is just one more demonstration of how machine identities, in this case code signing certificates, are being abused by malicious actors. There’s no doubt we’re going to see a lot more of these attacks in the future,” he added.

“Code-signing certificates are often a core component of DevOps and cloud infrastructure; and because organizations are using a lot more machine identities, these risks will only grow. In fact, researchers are already seeing a dramatic rise in the trade of stolen code-signing certificates on the dark web.”

Categories: Cyber Risk News

Polar Flow Suspends Feature After Privacy Snafu

Tue, 07/10/2018 - 09:30

The developer of a popular fitness app has been forced to suspend one of its core services after reporters found a way to track the location and uncover the identity of thousands of military personnel.

Finnish firm Polar produces a variety of devices and the Polar Flow app, which claims to allow users to make their profiles private.

However, according to reports in the Dutch media and UK site Bellingcat, an API error exposed the fitness activities of private users all the way back to 2014.

From this information and the accompanying map it was simple to spot where a user exercised and where they lived.

Over 6,400 users were apparently identified in locations such as MI6, the White House, the NSA and military bases including Bagram Airfield in Afghanistan.

Polar responded on Friday by suspending the Flow Explore feature, and implementing “corrective actions.”

The firm explained that the problem stemmed from users who had run both public and private sessions on the app; these sessions could be linked through the user’s unique User Identifier (UID).

“With the help of this identifying UID it was possible to retrieve users’ public training sessions by altering the search parameters in the browser. By doing this, the training sessions belonging to a private profile could be linked to each other. Training sessions that have not been set to public by the user are not displayed publicly,” it continued.

“When there are multiple public training sessions that always start and end in the same location, it is possible to deduce potential points of interest associated with the user. The same method also worked the other way round: one could first find sessions in a specific location and then search for these users’ other training sessions. This was especially unfortunate, for example, for military personnel and intelligence agents.”
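The linkage Polar describes is an authorization gap: the per-session public flag was checked, but the owner's private-profile setting was not, so a UID or location query could still return a private user's public sessions. As an added example (not Polar's code; the users, sessions, coordinates and field names below are constructed), here is the pre-fix lookup beside a hardened one that gates both UID search and location search on the owner's profile setting as well as the session flag:

```python
"""Authorization model for a fitness-tracking session search API.

Added illustration, not Polar's code. All data and field names
(uid, public, profile_private, start, end) are constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Tuple[float, float]  # (latitude, longitude) in degrees


@dataclass(frozen=True)
class User:
    uid: str
    profile_private: bool  # user asked for their profile to be private


@dataclass(frozen=True)
class Session:
    session_id: str
    uid: str          # owner
    public: bool      # per-session visibility flag
    start: Point
    end: Point


# Constructed sample data: u1 has a private profile but one public session.
USERS = {
    "u1": User("u1", profile_private=True),
    "u2": User("u2", profile_private=False),
}
SESSIONS = [
    Session("s1", "u1", public=True,  start=(51.50, -0.12), end=(51.50, -0.12)),
    Session("s2", "u1", public=False, start=(51.51, -0.13), end=(51.51, -0.13)),
    Session("s3", "u2", public=True,  start=(51.50, -0.12), end=(51.50, -0.12)),
    Session("s4", "u2", public=False, start=(52.00,  0.00), end=(52.00,  0.00)),
]


def _haversine_km(a: Point, b: Point) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def _visible(session: Session, viewer: Optional[str]) -> bool:
    """Hardened rule: the owner always sees their own sessions; anyone else
    sees a session only if BOTH the session is public AND the owner's
    profile is not private. The profile setting is the outer gate."""
    if viewer == session.uid:
        return True
    owner = USERS[session.uid]
    return session.public and not owner.profile_private


def sessions_by_uid_weak(uid: str) -> List[str]:
    """Pre-fix behaviour as described in the article: only the session flag
    is checked, so a private profile's public sessions leak to any caller
    who supplies the UID as a search parameter."""
    return [s.session_id for s in SESSIONS if s.uid == uid and s.public]


def sessions_by_uid(uid: str, viewer: Optional[str] = None) -> List[str]:
    """Hardened lookup by UID: applies the profile-aware visibility rule."""
    return [s.session_id for s in SESSIONS if s.uid == uid and _visible(s, viewer)]


def sessions_near(point: Point, radius_km: float, viewer: Optional[str] = None) -> List[str]:
    """Hardened location search: the 'other way round' query from the article.
    Private-profile users never appear in location results for third parties,
    so a location hit cannot be pivoted into that user's other sessions."""
    return [
        s.session_id
        for s in SESSIONS
        if _visible(s, viewer)
        and (_haversine_km(s.start, point) <= radius_km or _haversine_km(s.end, point) <= radius_km)
    ]


if __name__ == "__main__":
    print("weak  by uid u1:", sessions_by_uid_weak("u1"))      # leaks s1
    print("fixed by uid u1:", sessions_by_uid("u1"))           # nothing for a third party
    print("fixed near Whitehall, anonymous:", sessions_near((51.50, -0.12), 1.0))
```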

The discovery comes just a few months after fitness app Strava was found to be revealing potentially sensitive information about military bases and supply routes via its global heat-map website.

Categories: Cyber Risk News

Trustwave Sued by Insurers Following Heartland Breach

Tue, 07/10/2018 - 08:43

A security vendor is being sued to the tune of $30m by two insurance companies looking to recoup funds they used to settle claims following the Heartland Payment Systems breach.

Lexington Insurance Company and Beazley Insurance Company filed a complaint in Cook County Circuit Court at the end of June against Trustwave, which has since fired back with its own legal action.

The insurers claim the security firm was effectively to blame for one of the biggest breaches of the 2000s after its PCI DSS compliance scans of Heartland failed to pick up issues which led to the security incident, according to reports.

It’s said that Trustwave signed a deal with the payments giant in 2005 and ran monthly vulnerability scans in 2006 and 2007, before moving on to provide Compliance Validation for Heartland, which added extra network penetration testing and validation services.

According to the complaint, the 2009 data breach can be traced back to July 24 2007, when malware was installed on Heartland’s system via SQL injection — which was not picked up by the scans.

The result is now well known: attackers were able to compromise around 100 million credit and debit card numbers from over 650 financial service clients of Heartland, costing the firm over $148m.

According to the report, a subsequent Visa investigation found eight PCI DSS violations despite Trustwave’s clean compliance reports. The card giant is said to have then told Heartland to cease its PCI DSS partnership with the security firm.

Insurer Lexington apparently paid $20m to Heartland as a result of its policy while Beazley handed over $10m to its claimant, money they now want back from Trustwave.

In a statement sent to Infosecurity, Trustwave said it had filed a lawsuit in Delaware against the insurers’ “time-barred and unwarranted attempt” to recoup payments resulting from the breach.

“Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached,” it added.

“Trustwave did not manage Heartland’s information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers’ demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously.”

Categories: Cyber Risk News

Metro's Cybersecurity Audit Kept Classified

Mon, 07/09/2018 - 13:34

Officials at Washington D.C.’s Metro, the Metropolitan Area Transit Authority, said that while they are not publicly sharing the results of a recent internal cybersecurity audit, they intend to improve their cybersecurity strategies after the results revealed that the agency is vulnerable to attacks.

Infosecurity Magazine contacted Metro, which has yet to return our call. In a statement, Metro Inspector General Geoffrey A. Cherrington said, “By its nature, such an audit in the wrong hands could expose vulnerabilities and thereby undermine our shared goal of making [Metro’s] IT environment even more secure. For that reason, we have made an exception to our standard practice of posting audits to our website, and this one will be withheld from release.”

The audit was reportedly conducted behind closed doors by Metro’s board of directors in late June, and the results remain classified in order to help prevent any future attacks should malicious actors try to exploit any of the known vulnerabilities that were identified.

Transportation is one of the areas of primary concern when it comes to attacks on critical infrastructure, and the Washington Post reported that the weaknesses identified in Metro's audit could potentially endanger its security system and possibly imperil safety and day-to-day operations.

This recent audit is only one of several security-related audits scheduled over the next fiscal year. The June audit focused largely on Metro’s incident response plan and looked to identify where its people, processes and procedures could be improved. Across all sectors of cybersecurity, the growing skills gap limits an organization’s ability to detect and respond to attacks. The results of Metro’s audit showed where it is most vulnerable, paving the path to close those gaps and reduce risk.

The next six scheduled reviews will examine additional risks, “from a massive data breach of SmarTrip card information to potential attacks that could interfere with critical safety operations such as rail traffic control systems, gas and fire sensors, the power grid, station ventilation, and voice and data communications,” according to the Washington Post.

Categories: Cyber Risk News

Proposed Changes to New Zealand's Privacy Act

Mon, 07/09/2018 - 12:07

A new bill to repeal and replace the 1993 Privacy Act of New Zealand is awaiting approval. If the changes are accepted, the bill would mandate that public and private sector agencies notify affected individuals and the Privacy Commissioner when they experience a data breach that poses a risk of harm, according to Stuff.

First introduced on 20 March 2018, the bill is currently in select committee. According to Parliament, “Its key purpose is to promote people’s confidence that their personal information is secure and will be treated properly.”

Australia made similar changes to its privacy regulations, which went into effect in February 2018. In the months that followed, the country was the target of some high-profile breaches, most notably the PageUp incident, in which information was potentially compromised after the Australia-based company, which powers jobs and recruitment sites for companies around the world, experienced a breach.

While New Zealand was impacted by the breach, it does not have the same mandatory data breach notification regulations.

CERT NZ’s report for the first quarter of 2018 noted that, for the first time, “more than 500 incidents were reported in the quarter, and we have introduced new age data. Looking at the 180 reports about individuals that provided date of birth, all age ranges were affected. Overall financial loss continues to be high, with nearly $3m of losses reported. This is more than half the total losses reported to CERT NZ in 2017.”

By providing a framework for protecting an individual’s right to privacy of personal information, the bill aims to establish an internationally recognized standard for privacy obligations, which includes the Organisation for Economic Co-operation and Development (OECD) Guidelines and the International Covenant on Civil and Political Rights.

The proposed Privacy Bill would allow for two types of complaints to be filed by an aggrieved individual or their representative. The first is a complaint alleging that an action of an agency has interfered with the privacy of an individual. The second is a public register complaint.

Categories: Cyber Risk News

Unauthorized Party Accessed DomainFactory Data

Mon, 07/09/2018 - 11:08

After a person on its user forum reportedly claimed to have accessed DomainFactory customer data, the company confirmed that it had been breached by an unauthorized outsider.

On 6 July, a system message stated that, upon learning of the potential breach, the company had initiated a detailed investigation and confirmed that the outsider had gained access to customer data. It added that the access route had been secured and that it had contacted all customers, recommending that they update their DomainFactory passwords.

Data protection authorities were notified, and experts have launched an external investigation. “The protection of the data of our customers is paramount and we regret the inconvenience this incident causes, very much,” the company wrote. DomainFactory also assured customers that they are taking measures to prevent similar problems in the future.

The company first learned of the incident on 3 July. According to the information that is currently available, the data landed in the hands of external third parties on 29 January 2018 through a data feed after a system transaction.

Customer names, addresses, email addresses, phone numbers, DomainFactory passwords, dates of birth, bank names and account numbers, and Schufa scores were reportedly some of the information included in the compromised data.

DomainFactory has reportedly taken reasonable steps to address the cause of the data breach by blocking access, disabling suspicious systems, changing all access credentials of its employees and instructing an external security company to assist in a forensic investigation of its system environment. It is also working to quickly put additional security measures in place to protect customer privacy.

In an 8 July update, the company wrote, “In our important Customer Information release dated July 7, 2018, we have indicated that we currently recommend the removal of all passwords as a precautionary measure. As a result, we have received more inquiries about which accesses should be changed exactly. Please change the following passwords: customer passwords, phone passwords, email passwords, FTP/live disk passwords, SSH passwords and MySQL database passwords.”

Categories: Cyber Risk News

Timehop Breach Hits 21 Million Customers

Mon, 07/09/2018 - 10:30

Social media aggregation site Timehop has revealed a major breach of customers’ personal information affecting 21 million users.

The firm claimed in a post over the weekend that it discovered a network intrusion on July 4, leading to the compromise of names, email addresses and phone numbers.

The firm offers an unusual service in resurfacing old social media posts from years gone by. However, although the hackers stole the “access tokens” provided to Timehop by its social media partners, it claimed these were quickly deauthorized and that there’s no evidence of unauthorized access of user data through these tokens.

“No private/direct messages, financial data, or social media or photo content, or Timehop data including streaks were affected,” the firm added. “To reiterate: none of your ‘memories’ — the social media posts & photos that Timehop stores — were accessed.”

In a separate blog post, the firm explained more on how the attack happened, specifically tracing it back to a compromised cloud platform credential.

“On December 19, 2017 an authorized administrative user's credentials were used by an unauthorized user to log into our Cloud Computing Provider. This unauthorized user created a new administrative user account, and began conducting reconnaissance activities within our Cloud Computing Environment. For the next two days, and on one day in March, 2018, and one day in June, 2018, the unauthorized user logged in again and continued to conduct reconnaissance,” the firm revealed.

“On July 4, 2018, the attacker(s) conducted activities including an attack against the production database, and transfer of data. At 2:43 pm US Eastern Time the attacker conducted a specific action that triggered an alarm, and Timehop engineers began to investigate. By 4:23 pm, Timehop engineers had begun to implement security measures to restore services and lock down the environment.”

The firm responded swiftly by taking various steps such as: conducting a user audit and permissions inventory, changing all passwords and keys and adding MFA to all accounts, revoking inappropriate permissions and increasing monitoring.

"It’s ironic that a service which brings back memories from the past was also breached by an attack vector which is one of the oldest: taking over an administrator account,” argued Imperva director of threat research, Ben Herzberg. “My hopes are that with the new privacy regulations, such as GDPR, companies will take better care of PII and such incidents will become less common."

Categories: Cyber Risk News

Ex-Employee Arrested After Trying to Sell Spyware

Mon, 07/09/2018 - 10:02

A former employee at a notorious Israeli spyware maker has been arrested and charged after trying to sell his ex-company’s wares on the dark web, according to reports.

The unnamed 38-year-old was a senior programmer with privileged access to NSO Group’s networks.

After being fired on April 29, the individual is said to have downloaded IP worth hundreds of millions of dollars, before trying to sell it for $50m online.

However, his plans were disrupted when the potential buyer alerted NSO, which called in the police to arrest the suspect on July 5, according to Reuters.

The spyware maker, which has sold surveillance tools to governments around the world, claims none of its proprietary information has been exposed.

However, the Israeli Justice Ministry said that the former company employee’s actions posed a threat to national security, meaning more details of the case are being kept private.

Experts pointed to the case as yet another incident highlighting the potential insider threat facing firms.

"It is never a good idea to behave in an unprofessional manner — from logic bombs and dead-man-switches to IP and trade secret theft, it is always a mark of immaturity, desperation and a violation of trust,” argued Cybereason chief security officer, Sam Curry. “This is as true in Hollywood and health sciences as it is in software and manufacturing, but it’s especially stupid in the world of cyber-warfare, international relations and national security.”

High-Tech Bridge CEO, Ilia Kolochenko added that no organization is safe from the risks posed by insider threats.

“Four-eyes principles, anomaly detection, role-based access to sensitive data and two-factor authentication, continuous monitoring and employee vetting can substantially reduce those risks, but not eliminate them,” he added.

“Worse, being extremely busy with external security threats, many organizations blindly trust their internal employees and tend to ignore automated security alerts coming from the inside. In many cases, conscientious employees are tricked in a sophisticated manner by cyber-criminals to unwittingly help them get inside of corporate networks.”

NSO Group sprang to notoriety in 2016 when one of its tools, a spyware product known as Pegasus, was used in a sophisticated campaign against internationally renowned campaigner Ahmed Mansoor, which some have traced back to the UAE government.

Categories: Cyber Risk News

Experts Welcome London Cybercrime Court Plans

Mon, 07/09/2018 - 08:52

Security experts have welcomed confirmation of the government’s plans to build a new “world-leading” court specializing in cybercrime in London.

The new flagship 18-courtroom legal hub is being built on the site of Fleetbank House in the City, in partnership with the City of London Corporation and the judiciary.

The hope is that the new complex, which will also tackle fraud and economic crime, will confirm London’s position as a global leader in finance and law when it opens in 2025.

The government claimed that English law is used in 40% of all global corporate arbitrations, and that over 200 international law firms have offices in the UK, helping to generate revenue worth £31.5bn two years ago.

“The flag of English law is flown in countries across the globe, and London already leads the way as the best place to do business and resolve disputes,” claimed lord chancellor, David Gauke.

“This state-of-the-art court is a further message to the world that Britain both prizes business and stands ready to deal with the changing nature of 21st-century crime.”

Dan Pitman, senior solutions architect at Alert Logic, argued the move was a positive one.

“Cybercrime suffers from being perceptually segregated from traditional crime from the viewpoint of the public, and victims often don't even contact legal and law enforcement organizations when affected,” he added.

“Specifically calling out Fleetbank House’s new role in that space will drive home the fact that cybercrime is just that — crime."

Sarah Armstrong-Smith, head of continuity & resilience at Fujitsu UK & Ireland, claimed the new plans show the government is taking the cyber-threat seriously.

“Organizations and the government have an obligation to collaborate to make cybersecurity as much of a priority as the public, who are regularly asked to hand over financial and other personal data,” she added. “After all, cybercrime is not a probability, it is an inevitability, and it will be the way in which the UK prepares for it that can make all the difference.”

Categories: Cyber Risk News

Cryptocurrency Exchanges Banned in India

Fri, 07/06/2018 - 15:53

Today marks the official implementation of the Reserve Bank of India's (RBI) prohibition on providing services to crypto-related businesses. Despite companies making a last-ditch effort to remove the ban, India’s Supreme Court, led by Chief Justice Dipak Misra, ruled that the ban will stay.

The ban was first announced in April 2018, and financial institutions and cryptocurrency exchanges have since tried to legally fight it. Still, on 3 July India’s Supreme Court held that the ban would go into effect as of 6 July, despite many companies arguing they need more time.

“This [the Supreme Court action] is a big blow to not only cryptocurrency trading platforms, but also individuals holding cryptocurrency. The choking of banking channels means that virtually all cryptocurrency related transactions will have to be done in cash or not at all,” Rashmi Deshpande, associate partner, Khaitan & Co, told The Hindu.

The ruling has already impacted cryptocurrency exchange Zebpay, which has warned its customers, “If you are holding any rupees, or depositing any rupees in Zebpay, there could soon come a time when we may not be able to honor withdrawal requests. Please continue only if you understand this risk.”

According to Unhashed, “The central bank has also been actively drawing attention to the recent security issues and price volatility of cryptocurrency to embolden the skepticism of India’s policymakers.” As a result of the ban being upheld, many suspect that cryptocurrency traders will resume business in the black market.

In an effort to confront growing concerns over virtual currency and the attempts to ban them altogether, the EU released a lengthy paper entitled, Virtual Currencies and Central Banks Monetary Policy: Challenges Ahead.

While advocating for regulations, the 33-page paper noted, “Transactions in VCs also offer increased anonymity resulting in the higher security of personal data and limited interference by public authorities.” The document also asserted that, “Policy makers and regulators should not ignore VCs, nor should they attempt to ban them. Both extreme approaches are incorrect.”

Categories: Cyber Risk News

Startup Think Cyber Security Joins LORCA

Fri, 07/06/2018 - 12:26

Think Cyber Security, a cybersecurity startup that aims to reform the way people think about cybersecurity risk in business, has joined the London Office for Rapid Cybersecurity Advancement (LORCA) centre as part of its first cohort of businesses. The cohort companies come together to scale and develop their solutions and to support cybersecurity innovation.

Think Cyber Security, founded by Mike Butler and Tim Ward in 2016 and funded in part by Innovate UK, leverages behavioral science to ensure that security training is timely and appropriately contextual so that end users can make effective changes to their daily digital habits.

As part of the first cohort, Think Cyber Security will enjoy the opportunity to grow within an extensive community of other businesses, investors and academics across the international cybersecurity sectors.

Based in East London, LORCA is run by Plexal along with Deloitte’s cyber team and the Centre for Secure Information Technologies (CSIT). The center opened in June and will receive a new cohort of cybersecurity businesses every six months. LORCA aims to have worked with 72 promising companies by 2021.

The industry is faced with many challenges that relate to automation, regulations and orchestration, and the joint efforts of those running LORCA and the evolving groups of cohorts that will join the center hope to deliver solutions to those challenges through building a collaborative community of innovative leaders.

In commenting on this new venture, Think Cyber Security CEO Tim Ward said, “We will be basing ourselves at the site as many days a week as we can. It’s a great facility for hosting meetings, collaborating with fellow startups and with onsite services – for example, design, insurance, legal and banking.

“We have time scheduled to work with Deloitte and CSIT and hope to have opportunities to run trials of our software with these partners and their customers facing cybersecurity challenges. We are also expecting to be involved in an international mission of some kind to drive exports.”

Categories: Cyber Risk News

Malware Delivers Cryptor or Miner, Trojan's Choice

Fri, 07/06/2018 - 11:56

A long-standing Trojan family that is still active today has spawned new malicious samples that infect victims with either a cryptor or a miner, according to Kaspersky Lab.

Distributed through spam emails with documents attached, the samples are related to the Trojan-Ransom.Win32.Rakhni family. “After opening the email attachment, the victim is prompted to save the document and enable editing. The victim is expected to double-click on the embedded PDF file. But instead of opening a PDF the victim launches a malicious executable,” researchers wrote.

The Trojan decides which payload should be downloaded onto the victim’s PC at the moment the malicious executable is launched. “The fact that the malware can decide which payload it uses to infect the victim provides yet another example of the opportunistic tactics used by cybercriminals,” said Orkhan Mamedov, malware analyst, Kaspersky Lab.

“They will always try to benefit from their victims: either by directly extorting money (cryptor), by the unauthorized use of user resources for their own needs (miner), or by exploiting the victim in the chain of malware distribution (net-worm).”

Since the malware was first discovered in 2013, its writers have changed the way their Trojans obtain keys. Where keys were once generated locally, they are now received from the command and control (C&C) server. The authors have also altered the algorithms used, moving from exclusive use of a symmetric algorithm to the commonly used hybrid scheme of a symmetric algorithm combined with an asymmetric one.

Analysts have recently discovered 18 symmetric algorithms used simultaneously. The crypto libraries also differ between samples, as does the distribution method, which has ranged from spam to remote execution. In the recently spotted samples, the criminals added a new mining capability.

According to researchers, the malware primarily targets companies rather than ordinary users, and is mainly spread throughout Russia. The Russian Federation has been most frequently attacked by Trojan-Downloader.Win32.Rakhni, with more than 95% of the unique victims. Kazakhstan, Ukraine, Germany, and India are the remaining four of the top five countries attacked, with each having less than 2% of unique users attacked relative to all users attacked by this malware.  

Categories: Cyber Risk News

New Infosecurity Magazine Online Summit to Launch in September

Fri, 07/06/2018 - 09:17
New Infosecurity Magazine Online Summit to Launch in September

Infosecurity is delighted to announce the latest evolution of its successful online education offering, the Virtual Conference, with the launch of the new Infosecurity Magazine Online Summit 2018.

The two-day event will take place September 11 & 12 and will feature 14 virtual sessions including:

  • Easy to digest sessions covering the top technical infosec challenges
  • Panel debates discussing the key industry issues, looking at case studies and contributing real world learnings
  • Profile interviews with industry experts and pioneers offering personal insights and guidance

Topics explored will include what and when to automate in security, the phenomenon of cryptojacking, how to threat hunt, the future of penetration testing, making security more usable and advancements in authentication.

Sessions will be produced and moderated by the Infosecurity Magazine editorial team, feature industry experts, thought leaders and specialists, and will be CPD accredited.

What’s more, a series of new and improved features will allow registered viewers to:

  • Book a place on specific sessions in advance and receive automated reminders
  • Collect CPE credits with their Infosecurity Magazine account, without the need to download certificates after each session
  • Network and share knowledge through avatar-enabled chat rooms running throughout the event
  • Access and download some of the latest research and whitepapers in the global resource center

“The Online Summit is our chance to bring the leading trends in cybersecurity forward for discussion, inviting leading names and experts to provide the educational experience for the listener,” said Dan Raywood, contributing editor, Infosecurity. “After 2017 put cybersecurity in the world’s headlines several times, 2018 has seen new trends emerge such as cryptojacking and threat hunting, both of which we will be covering in September.

“I’m also delighted that the theme of Next Gen continues, this time looking at those providing opportunities for new employees and graduates, and ensuring that the supply line of future employees remains strong and skilled.” 

Register for the event and download the full agenda for Infosecurity Magazine Online Summit – EMEA and Infosecurity Magazine Online Summit – North America here!

Categories: Cyber Risk News

State of the SOC? Depends on Who You Ask

Thu, 07/05/2018 - 17:41
State of the SOC? Depends on Who You Ask

Exabeam released its 2018 State of the SOC Report, which revealed that many organizations don’t have the right people and technology to man their Security Operations Centers (SOCs). The consequence is that they are leaving themselves open to potentially devastating cyber-attacks and alert fatigue, according to the report.

While 91% of SOCs have been operating for three or more years, CIO and CISO managers are more focused on preventative measures and process improvements than frontline workers, the report found.

The survey queried IT pros working in a SOC – from the most senior to those managing and working on the front lines – and the responses reflect the stark differences of opinion between executives and their teams. Among respondents, 28% of frontline workers focus on automation, compared with 55% of CIO/CISO and management respondents.

Less than half (40%) of SOCs are reportedly outsourced, but 95% outsource parts of the SOC. Of those that outsource in part, 45% outsource monitoring while 47% outsource detection. Only 5% of SOCs are outsourced entirely.

Without a connected SOC team, many operations teams aren’t able to protect themselves, which was especially noticeable around technology. Job function had little effect on whether respondents named false positives and keeping up with security alerts as their top-of-mind concerns.

A large majority (79%) of managers and frontline employees expressed frustration with outdated equipment. While a portion of survey participants (38%) wouldn’t alter anything about the SOC, many would like to see changes. Of the total respondents, 17% would like to see changes around technology, 14% around staffing and 12% around processes.

Nearly half of all respondents (4%) said that the volume of security alerts is the biggest pain point, which correlates with the high number of SOC professionals that believe their SOC is understaffed, with 63% of SOC professionals reporting that they could use anywhere from 2-10 more employees. Additionally, most SOC professionals have a longer tenure in IT than in the SOC.

Categories: Cyber Risk News

Former Brownsville Fire Chief Faces Breach Charges

Thu, 07/05/2018 - 15:55
Former Brownsville Fire Chief Faces Breach Charges

In addition to the charges of theft by a public servant and misapplication of fiduciary property, former Brownsville, Texas, fire chief Carlos Elizondo now faces security breach charges. According to KRGV News, Elizondo was indicted by a grand jury in an 11-count case of computer security breach charges.

After Elizondo was suspended from the fire department on 9 October 2017, he allegedly logged into a computer network 11 different times between 11 October and 23 November 2017. Elizondo was reportedly attempting to access the emergency reporting system portal for the Brownsville Fire Department without consent of the City of Brownsville.

Elizondo was arrested in May outside of his attorney’s office on two misdemeanor charges of computer security breach, according to a 3 July report from Firehouse. Infosecurity Magazine contacted the Brownsville Fire Department, who declined to comment on the ongoing investigation.

Whether it’s the Office of Personnel Management breach in 2015, the attack on the City of Atlanta or the string of municipalities that have been hacked because of a vulnerability in Click2Gov, it is clear that government agencies are equally as vulnerable as private companies to attacks from outside and within.

In a 4 July post on best security practices for public entities, BenefitsPRO wrote, “Public agencies use an extensive network of critical systems and communication that operate over potentially vulnerable channels.”

Failure to deny former employees access to networks creates security risks, particularly from malicious insiders, as was the case with the former employee at Tesla who is being sued for hacking and theft, according to CNN.  

Yet it is often the case that former or suspended employees have continued access with their login credentials long after they have left their place of employment. In the case of the former Brownsville fire chief, the fact that he was reportedly told not to access the emergency reporting system was insufficient. Though Elizondo’s intent remains unclear, the charges are a reminder that public agencies are susceptible to insider threats.
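One way to surface the problem described above, as an added example that is not part of the original article: a short Python check that cross-references an HR status roster (constructed here) against authentication log lines (also constructed, in an assumed syslog-like format) and flags every successful login by an account whose access should already have been revoked. The roster layout, usernames, hostnames and log format are all assumptions made for the example.

```python
"""Flag logins by suspended or departed accounts.

Added example, not from the original article. It cross-references a
constructed HR status roster against constructed authentication log lines
and reports each successful login by an account whose status is
'suspended' or 'terminated', on or after the effective date of that status.
Field names, usernames, hosts and the log format are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime
import re

# Constructed roster: account -> (status, effective date). Assumed HR export.
ROSTER = {
    "alice": ("active", date(2016, 3, 1)),
    "bob": ("suspended", date(2017, 10, 9)),
    "carol": ("terminated", date(2017, 9, 15)),
}

# Constructed log lines in an assumed syslog-like format (not real data).
AUTH_LOG = """\
2017-10-05T08:12:44Z portal sshd: Accepted password for bob from 10.0.0.5
2017-10-11T21:03:10Z portal sshd: Accepted password for bob from 10.0.0.5
2017-10-12T09:00:01Z portal sshd: Accepted password for alice from 10.0.0.7
2017-10-20T02:15:33Z portal sshd: Failed password for carol from 10.0.0.9
2017-11-23T23:59:59Z portal sshd: Accepted password for bob from 10.0.0.5
2017-11-30T10:10:10Z portal sshd: Accepted password for carol from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"\S+ for (?P<user>\S+) from (?P<src>\S+)$"
)
REVOKED = {"suspended", "terminated"}


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    status: str
    src: str


def parse_line(line: str):
    """Return (timestamp, user, result, src), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["result"], m["src"]


def find_revoked_logins(log_text: str, roster: dict) -> list:
    """Return Findings for successful logins by revoked accounts.

    Failed attempts are ignored (the control held), as are logins that
    predate the revocation date (legitimate at the time). An account that
    is absent from the roster is treated as unknown and not flagged here.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, src = parsed
        if result != "Accepted":
            continue
        status, effective = roster.get(user, ("unknown", None))
        if status in REVOKED and ts.date() >= effective:
            findings.append(Finding(ts, user, status, src))
    return findings


if __name__ == "__main__":
    for f in find_revoked_logins(AUTH_LOG, ROSTER):
        print(f"{f.when.isoformat()} {f.user} ({f.status}) logged in from {f.src}")
```

Run against the constructed data, the check reports the two post-suspension logins by `bob` and the login by `carol` after termination, while the earlier `bob` login (before the suspension took effect), the active user and the failed attempt are left alone. In practice the roster would be fed from the identity provider or HR system, and the same comparison is what an offboarding audit should run on a schedule rather than after an incident.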

“It’s one thing to have an insider try to snoop around systems and files, but it’s another issue altogether if they’re successful,” said Ken Spinner, VP of global engineering at Varonis.

“The company needs to have the controls in place to ensure these insiders don’t get very far when they try to access valuable information. Not all threats to your company are external, and no company is safe from insider threats.”

Categories: Cyber Risk News

Digital India Susceptible to Security Breaches

Thu, 07/05/2018 - 14:51
Digital India Susceptible to Security Breaches

India’s Prime Minister, Narendra Modi, is preparing for a digital revolution that includes strategies to improve cybersecurity for a digital India; however, as the divide between users and nonusers of the internet narrows, the risk of cyber-attacks increases, according to Prem Behl, Chairman of Exhibitions India Group. As a result, defending India’s critical infrastructure, financial institutions and data security from hackers is critical as the nation advances into the digital age.

In addressing potential solutions to the issues of paramount concern in India’s financial institutions, Behl applauded a joint venture between The Floor and Cyber Security Group, based in Tel Aviv and Hong Kong. “It’s time for India to get smart about cybersecurity, and tapping into one of the world’s largest pools of talent and know-how in cybersecurity will secure the banking and government infrastructure systems against cyber-attacks.”

With the number of breaches against banks and financial services continuing to rise around the globe, “it makes a lot of sense to invest in solutions that use best in class technologies that are up-to-date with the expanding cyber-threat landscape. With the right solutions, these entities can reduce costs, avoid bad publicity and better protect against online threats,” Behl wrote in a 4 July post.

As India evolves into the digital world, it remains vulnerable to cyber-attacks, not only within its financial institutions but also in its critical infrastructure and data security. At the 2018 Cyber Security and Data Protection India Summit on 22 June, Maj. Gen. Sandeep Sharma, VSM, of the National Technical Research Organization (NTRO), agreed that every sector is being impacted by India’s digital revolution. “As the data breaches increase in scale and frequency, business today must prepare to ensure an effective, swift and well-orchestrated response,” he said, according to The Asian Age.

Despite the ambitions of the Prime Minister, there seems to be a striking divide between the digital transformation of critical government databases and the digital revolution of India’s citizens. According to a 2018 survey from the Pew Research Centre, reported internet use across 39 countries is lowest in India and Tanzania. Only 25% of adults in India report owning a smartphone or using the internet regularly. The 2017 global survey results show that those numbers are higher (35%) among 18- to 36-year-olds.

Categories: Cyber Risk News

Claranet Acquires Training & Pen Test Experts NotSoSecure

Thu, 07/05/2018 - 09:30
Claranet Acquires Training & Pen Test Experts NotSoSecure

Managed IT services provider Claranet has announced the purchase of NotSoSecure, experts in ethical hacking training and penetration testing for networks, web and mobile apps.

The deal will see NotSoSecure, which works with a range of internationally-renowned businesses and organizations, encompassing government agencies, FTSE 250 players and Fortune 500 companies, join the Claranet portfolio, with the company’s founders Dan Haagman and Sumit (Sid) Siddharth remaining with the business.

Charles Nasser, founder and CEO of Claranet, said: “Our acquisition of NotSoSecure has been made as part of our vision to further enhance the security services and expertise that we are able to offer to our customers, as well as gain access to new global markets such as the US and Australia.

“NotSoSecure’s passion for excellence and desire to be at the forefront of cybersecurity training and innovation were crucial factors in this latest acquisition. Their ambitious aims for growth are very much aligned with our own, so we are eagerly anticipating the impact they will have on the success of the wider Group.”

NotSoSecure’s Siddharth added: “Since we established the business, the risk of cyber-attacks for organizations around the world has grown exponentially. However, this has not been matched by an increase in training and knowledge and, as a result, there is now a severe global skills shortage in cybersecurity.

“We are delighted to add our specialist, hands-on training and pen testing expertise to Claranet’s portfolio of services and look forward to extending our reach, so businesses can develop their capabilities and stay secure.”

Categories: Cyber Risk News

Machine Learning, Cloud, Compliance and Business Awareness Drive Cybersecurity

Thu, 07/05/2018 - 08:30
Machine Learning, Cloud, Compliance and Business Awareness Drive Cybersecurity

Awareness of cybersecurity among senior business leaders, legal and compliance issues and cloud-delivered products are some of the trends driving the industry, according to Gartner.

According to its Top Six Security and Risk Management Trends, Gartner said that “business leaders are becoming increasingly conscious of the impact cybersecurity can have on business outcomes” and encouraged security leaders to harness this increased support and take advantage of its six emerging trends “to improve their organization’s resilience while elevating their own standing.” The trends are as follows:

  • Trend No. 1: Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation
  • Trend No. 2: Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities
  • Trend No. 3: Security products are rapidly exploiting cloud delivery to provide more-agile solutions
  • Trend No. 4: Machine learning is providing value in simple tasks and elevating suspicious events for human analysis
  • Trend No. 5: Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations
  • Trend No. 6: Dangerous concentrations of digital power are driving decentralization efforts at several levels in the ecosystem

In regard to cloud computing, which Gartner said is affected by trends 3 and 6, “new detection technologies, activities and authentication models require vast amounts of data that can quickly overwhelm current on-premises security solutions,” and this is driving a rapid shift toward cloud-delivered security products, which “are more capable of using the data in near real time to provide more-agile and adaptive solutions.”

Also with regards to emerging trends, Gartner predicted that “by 2025, machine learning will be a normal part of security solutions and will offset ever-increasing skills and staffing shortages” as well as offering solutions to multiple security issues, such as adaptive authentication, insider threats, malware and advanced attackers.

Peter Firstbrook, research vice-president at Gartner, said: “Look at how machine learning can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype.

“Unless a vendor can explain in clear terms how its machine learning implementation enables its product to outperform competitors or previous approaches, it's very difficult to unpack marketing from good machine learning.”

Categories: Cyber Risk News