A health organization in New Zealand that was targeted in a global cyber-incident in August has uncovered evidence of earlier attacks dating back three years.
Tū Ora Compass Health took its server offline and strengthened its IT security following a cyber-attack on its website in August. On Saturday, the primary health organization (PHO) announced that an investigation by authorities, including the police, Ministry of Health, and the National Cyber Security Centre, has found evidence of multiple earlier attacks dating from 2016 to early 2019.
Martin Hefford, chief executive officer of Tū Ora Compass Health, said: "As stewards of people’s information, data security is of utmost importance to Tū Ora Compass Health. We are devastated that we weren’t able to keep people’s information safe.
"While this was illegal and the work of cybercriminals, it was our responsibility to keep people’s data safe, and we’ve failed to do that."
Tū Ora holds information dating back to 2002 on approximately 1 million individuals from the greater Wellington, Wairarapa, and Manawatu regions. Tū Ora does not hold GP notes, which are held by individual medical centers.
The organization is one of 30 PHOs that collect data from medical centers, then analyze it to ensure patients are screened for diseases like cancer and receive treatment for chronic conditions, including diabetes.
"We don’t know the motive behind the attacks, and we cannot say for certain whether or not these have resulted in any patient information being accessed, but we have laid a formal complaint with police," said Hefford. "Experts say it is likely we will never know. However, we have to assume the worst, and that is why we are informing people."
New Zealand's director-general of health, Dr. Ashley Bloomfield, said: "We have been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.
"This work is ongoing, and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."
Elad Shapira, head of research at Panorays, commented that the best way for hackers to reach sensitive and confidential information is often through third parties, who can access data but lack the adequate security to guard it.
He said: "For this reason, assessing and continuously monitoring healthcare organizations' third-party security is critical."
The personal information of 92 million Brazilian citizens has been discovered for sale to the highest bidder on an underground forum auction.
According to BleepingComputer, the auction is present on multiple dark web marketplaces that can only be accessed by paying a fee or via an invitation from someone who is already on the inside.
The information is being sold as a 16GB database in SQL format and has a starting price of $15,000 and a step-up bid of $1,000. According to its seller, X4Crow, the records include names, dates of birth, taxpayer IDs, and some address details.
A sample of the database, which was seen and verified as genuine by BleepingComputer, also contained information relating to gender and the names of individuals' mothers.
The origin of the database is unclear, though the inclusion of the taxpayer IDs and the seller's claims that it contains the unique information of 92 million Brazilian citizens could indicate that it's a government database of the approximately 93 million Brazilians who are currently employed.
In addition to offering the data for sale, X4Crow claims that they can retrieve data available in national identification documents, such as ID cards and driving licenses, together with phone numbers, email addresses, previous addresses, professions, education levels, and vehicles. And all they need to do it is the individual's full name, taxpayer ID, or phone number.
Under Article 18 of the Brazilian General Data Protection Law ("Lei Geral de Proteção de Dados" or "LGPD"), consumers have rights relating to their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated. Unfortunately, the law does not go into effect until August 15, 2020, a six-month extension from the previous February 2020 date.
Jonathan Deveaux, head of enterprise data protection with comforte AG, believes that in the future, companies may rely more on methods like tokenization to protect valuable consumer data.
He said: "An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization.
"Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multi-cloud computing, which has been scrutinized as having major data security gaps."
Leading online gift shop CafePress is the target of a proposed national class-action lawsuit in the United States after allegedly failing to update its security software and taking months to inform customers of a data breach.
The retailer was heavily criticized earlier this year for its poor cybersecurity and incident response after it emerged that 23 million customers had their personal data stolen in a breach that is thought to have occurred in February 2019.
Third-party consumer sites, including weleakinfo.com and haveibeenpwned.com, were independently warning consumers of the breach as early as July 13, 2019, but the incident was not officially reported by CafePress to its customers until last week.
Data exposed by the breach included email addresses, names, physical addresses, phone numbers, and passwords stored as SHA-1 hashes.
The suit has been filed by consumer-rights law firm FeganScott, which alleges that CafePress failed to employ best practices when alerting customers of the data breach. According to the complaint, CafePress’ first notifications appeared on its website on September 5, but the company did not directly notify its customers until October 2, 2019.
"As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew—or should have known—about the breach and failed to warn their customers that their credit card information and Social Security numbers could be for sale to the highest bidder on the dark web," said Beth Fegan, a founder of FeganScott.
It is further alleged that CafePress failed to offer adequate protection to its customers by neglecting to update security software that was widely known to be flawed.
"CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security," said Fegan. "Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep."
The suit, filed today in US District Court in Illinois, seeks to represent all US consumers who were impacted by the breach. Consumers who are interested in learning more about this class-action suit can contact email@example.com.
UK Home Secretary Priti Patel and US Attorney General William Barr have signed a bilateral agreement paving the way for UK and US law enforcement agencies to obtain data more quickly from electronic service providers operating in each jurisdiction.
According to Julian Hayes and Michael Drury at BCL Solicitors, this “will inevitably be one way traffic, expediting the UK’s acquisition of evidence from US tech giants such as Facebook, Google and Twitter in the fight against serious crime, including terrorism and child abuse.”
According to the FT, the deal will compel US technology companies including Facebook, Google and Twitter to hand over the content of emails, texts and direct messages to British law enforcement bodies, and require the same of UK companies holding information sought by US investigators.
It currently takes police and security services anything from six months to two years to request and access electronic data, under the “mutual legal assistance” treaty between the US and UK governments. “Under the new arrangements, a UK Judge can issue the police, SFO and other specified with an Overseas Production Order, bypassing cumbersome mutual legal assistance procedures and, in principle, obtaining electronically stored data from the US within just seven days,” Drury and Hayes said.
The treaty is based on the US CLOUD Act 2018 and the UK’s Crime (Overseas Production Orders) Act 2019. The agreement still requires ratification by the US Congress and is to be presented to Parliament.
While this has been welcomed by some organizations, including the NSPCC, which described the new arrangements as “a hugely important step forward,” the bilateral agreement has been criticized on the basis that it potentially erodes key rights. “The risk is that, in the rush to comply within tight time frames, tech companies might be required to hand over data to which law enforcement authorities have no right,” Drury and Hayes said.
They also questioned whether service providers will be expected to scrutinize each order to ensure that legal and procedural requirements have been adhered to, and asked how the requirements of the new arrangements can be reconciled with the service providers’ desire to provide encrypted services.
Thales and Verint have announced the release of The Cyberthreat Handbook, a report designed to provide insights into the most significant groups of global cyber-attackers through detailed rating cards.
The two companies combined to carry out a year-long investigation into the current cyber-threat landscape, observing attack techniques, targeted sectors and attack motives.
The research details the activities of approximately 60 major groups of cyber-attackers throughout the world, discovering that almost half of the groups analyzed were state-sponsored, often aiming to steal sensitive data from targets of geopolitical interest.
Just over a quarter were named as ideologically-motivated hacktivists, followed by financially-driven cyber-criminals (20%) and cyber-terrorists (5%).
The Cyberthreat Handbook warned that all the world’s major economic, political and military powers are priority targets of cyber-attackers, and that the sectors most targeted are States and their defense capabilities, followed by the financial sector, energy and transportation.
It was also noted that a growing number of groups of attackers are now focusing on vulnerabilities in the supply chain, and in particular on smaller partners, suppliers and service providers that are used as Trojans to access major targets.
Marc Darmon, executive vice-president, secure communications and information systems, Thales, said: “The Thales and Verint teams are immensely proud to release this report today as part of its technology and domain expertise cooperation. Unique in its breadth and depth, it is the culmination of many months of research, investigation and painstaking analysis and correlation of relevant data. As cyber-threats proliferate and evolve, cybersecurity clearly has a major role to play, particularly for critical infrastructure providers.”
Elad Sharon, president, Verint Cyber Intelligence Solutions, added: “This report generates unique insights and knowledge to cyber and security experts to mitigate and foresee cyber-attacks.”
More than three-quarters (77%) of UK workers claim to have never received any form of cyber-skills training from their employer, according to research from Centrify.
The company surveyed 2,000 full-time professional services workers in the UK, discovering that, alongside the aforementioned absence of training, 69% of those polled lack confidence in their own ability to keep their data safe and secure.
These findings come at the beginning of European Cyber Security Month, an EU awareness campaign that aims to promote cybersecurity among citizens and organizations, highlighting the importance of information security and the steps that can be taken to protect data online.
Well, it seems as though there is still significant work to do in this regard; 27% of respondents admitted to using the same password across multiple accounts, whilst 14% keep passwords recorded in unsecured notebooks.
Experts warned that such a lackluster approach to critical cyber-awareness could land employers in hot water.
Donal Blaney, cyber-law expert at Griffin Law, said: “Ignorance of the law is no defense. Company directors and business owners owe it to themselves, their staff, their shareholders, and their customers to know how to protect their businesses and their customers’ data. They will only have themselves to blame if this blows up in their face one day.”
Andy Heather, VP at Centrify, added: “In an age where cyber-attacks have emerged as one of the most ruthless and successful forms of crime that can be committed against a business on a large scale, it is astounding to hear that so many UK companies neglect to instill even the most basic cybersecurity measures in their employees.”
Ireland is cementing its reputation as an international security hub after four companies announced 400 new cybersecurity jobs in the Emerald Isle in the past three weeks.
Yesterday, American insurance company Aflac Incorporated announced that it will be opening a new Global IT and Cybersecurity Innovation Center as part of a multimillion-dollar investment in Northern Ireland.
Belfast has been chosen as the location of the new center, which will create 150 new jobs over the next five years, with an average salary of $55,500.
“We conducted extensive research in Europe to identify a location that not only has the expertise in IT development and cybersecurity to support our business strategy, but also complements our company culture. We believe we have found that here," said Virgil Miller, executive vice president and chief operating officer of Aflac US.
Belfast has also been chosen as the location of Contrast Security's new development and delivery center. The DevSecOps company's new facility, announced at the end of September, will bring 120 new jobs to the local economy.
Cybersecurity firm MetaCompliance said on September 30 that it would be creating 70 new jobs in the Northern Irish city of Derry as part of a $5.5 million global expansion plan. The new positions will focus on developing cloud-based solutions for the cybersecurity learning market.
Also in September, American cybersecurity consulting firm Security Risk Advisors opened its European Headquarters and Security Operations Centre in the southern Irish city of Kilkenny. The site will create 52 jobs over the next five years.
This year's growth in Ireland's cybersecurity sector follows reports in December 2018 that cybersecurity firm Imperva would be creating a new base in Belfast that would generate 220 new jobs.
Invest Northern Ireland has played a key role in this flurry of investment, supporting Imperva's new base with £1.4m, the MetaCompliance expansion with £695,000, and the new Contrast Security center with £786,500 of assistance. The agency also offers support through its Skills Growth Programme.
With so many new jobs being created, the only thing that could prevent Ireland from becoming the biggest star on the international cybersecurity stage is a lack of housing and skilled labor.
Speaking to the Irish Examiner after the FutureSec conference in Cork on September 24, Ronan Murphy, CEO of multinational cybersecurity firm SmartTech247, said: "The housing crisis is seriously affecting our ability to scale. We're building our own very sophisticated AI and machine learning which we will distribute globally. It's pretty cool that we're doing it from Cork, but there's nowhere to live."
Also speaking to the Irish Examiner post-conference, Koos Lodewijkx, vice president of IBM, which has offices in Dublin, Cork, and Galway, said: "It is a challenging time, and staffing is still in short supply. We would like to expand, but it's hard to find employees."
A former employee of American Express is under investigation by the police for allegedly accessing customer information with the intent to commit fraud.
The exact details of the incident have not been disclosed, but the employee is thought to have wrongfully accessed the personal information of Amex customers in America in an attempt to open accounts at other financial institutions.
Amex began notifying customers of the data breach by letter on September 30. Customers who received the letter were told "as a result of the incident, your name, current or previously issued American Express Card account number, physical and/or billing address, date of birth, and Social Security number were compromised."
When contacted for comment, Amex would not say precisely how many customers had been affected by the breach but stated that "only a small number of our customers were impacted."
Affected cardholders have been asked by Amex to vigilantly monitor their account statements for the next two years for signs of fraudulent charges. However, Amex has stated that customers whose information was wrongfully accessed will not be held liable for any fraudulent charges.
In the letter sent to customers to notify them of the breach, Amex offered impacted cardholders a free two-year membership with Experian's identity theft and resolution service IdentityWorks by way of compensation. Customers who are already members are being offered the opportunity to extend their coverage for two years free of charge.
After informing them that their personal information was wrongfully accessed, the letter goes on to tell customers that they will need to entrust their Social Security number and current mailing address to the service provider if they wish to sign up for membership.
A spokesperson for American Express told Infosecurity Magazine: "Ensuring the security of our customers’ information is our top priority, and we are investigating this matter in close partnership with law enforcement.
"I would note that this was not a breach of American Express’ systems and the person in question is no longer an employee of American Express. In addition, only a small number of our customers were impacted, and those who are affected are being notified.
"As a reminder, our customers are not liable for any fraudulent charges on their American Express cards. Given this is an active criminal investigation, we can’t provide any further comment."
EA Games has leaked the personal data of 1600 gamers who registered to take part in a competition via the company's website.
Contenders signing up for the FIFA 20 Global Series competition were asked to enter personal information into what should have been a blank online form to verify their EA account details. But instead of being empty, the form's fields displayed the personal information of gamers who had already signed up for the soccer video game challenge.
Personal information compromised in the breach included email addresses, account ID numbers, usernames, and dates of birth.
Rather ironically, the breach occurred just hours after EA Games announced that users switching on two-factor authentication would get free access to an Origin Access Basic subscription for four weeks as part of the UK's National Cyber Security Month.
Gamers took to Twitter to vent their frustrations regarding the breach, with one gamer who was confronted with the personal data of a fellow competitor joking that he would send the player a birthday card.
Another gamer, whose personal information was leaked during the breach and who is on Twitter as @Kurt0411Fifa, tweeted: "Before I get to the absolute farce of that competitive bullsh*t, when you click the link register for verification you get other people's personal information!!!!!! WTFF, this is a new low even for this joke of a company."
It didn't take EA Games long to become aware of their balls-up, and the registration page was taken down yesterday, just 30 minutes after it was first put up.
In a statement regarding the breach released on Twitter yesterday, EA Games said: "We were able to root cause the issue and implement a fix to be clear that information is protected. We're confident that players will not see the same issues going forward."
The games publishing company also said it was taking steps to contact the 1600 gamers affected by the breach with more details and to protect their accounts.
When contacted for comment by Infosecurity Magazine, EA Games said: "We have issued a couple statements to our community on this topic but aren’t in a position to discuss further at this point. However, I will keep you updated if that should change or we make any further statements."
Registration for the competition remains closed but is expected to re-open in the next few days.
Morals and ethics should be considered when it comes to making decisions in cybersecurity.
Speaking at the Virus Bulletin 2019 conference in London, Ivan Kwiatkowski, security researcher at Kaspersky Lab, said that there are not a lot of discussions on ethics in cybersecurity, as the concept of white hat versus black hat is “the wrong way to think about things” as even the subject of ethical hacking rarely covers the issue of ethics.
Saying he was talking to people “who were thinking of doing something terrible but had not stopped to think about it yet,” he said that this is a young industry that has not yet developed a moral compass. This is not an issue of maturity or diversity, he argued, but of people relying on their personal intuition for the decisions they face.
“Nobody wants someone to tell them right from wrong” he added, but he urged people to realize that “knowledge is power and if you control what people know about something, you can convince people.
“Infosec is about controlling what access people have to certain information.” He said that there are ethical dilemmas that people may face, such as:
- Legitimate hacking – intelligence agencies and militaries attack organizations, and some nations set up a “surveillance apparatus which can be invaluable in preventing terrorism,” whilst others rely on “hacking back,” and some people adopt the term hacktivist and feel justified in hacking something or someone.
- Vulnerability handling – when we find a vulnerability, Kwiatkowski said, we still need to reach an agreement on how to handle it. Some companies specialize in selling hacking tools and exploits, and swear that they only do business with governments with a good track record of democracy and human rights. However, he argued: “In some cases, there have been suspect decisions in that regard.”
In the case of exploits being sold on the offensive market, he asked if it is a legal or moral issue, as moral decisions change over time. “All cultures may disagree on what morals are, we all have a moral code and maybe those questions are unsolvable and unescapable.”
He went on to say that we “owe it to ourselves” to determine what constitutes ethical behavior and what does not. Concluding, he recommended “allocating more attention to ethics” and said that it was time we adopted a global code of conduct too, and cited the EFF as being able to push that standard.
He also called on conference organizers to consider this, and to concentrate less on celebrities, “especially those celebrities whose success may be traced back to suspicious behavior.” Instead, he recommended that conference organizers invite philosophers and “victims of cyber-abuse to tell their stories” to let us know our shortcomings.
Speaking at the Virus Bulletin 2019 conference in London, members of the Cyber Threat Alliance discussed the benefits of sharing intelligence.
Led by moderator and Cyber Threat Alliance COO Heather King, panelists Kathi Whitbey, program manager of cyber threat intelligence information sharing at Palo Alto Networks, and Jeannette Jarvis, director of product marketing at Fortinet, said that there are clear benefits to sharing data, as Jarvis explained: “There is the opportunity to expand and share more deeper intelligence.”
Jarvis said that there is an intention with the Alliance to “build equal or better ecosystems beyond what our adversaries are doing, and to know what they are sharing” and this can better protect customers with “actionable intelligence.”
Whitbey added that the founding members believed in the “power of collaboration and sharing.” Asked by King how the Cyber Threat Alliance is unique, Jarvis admitted that all of the members have different missions, but the collaborative nature means that companies can get enough data to get the complete picture of an issue.
Pointing at the WannaCry incident in 2017, Whitbey said that within hours they knew what each other was seeing and what the issue was, and “we were able to paint a picture as everyone provided what they had and we could see all the information in real time.”
Jarvis admitted that “no one has all the information” and by sharing they get the complete picture and fill in the gaps.
The panellists explained that the members do not share the same technology, customers or regions, “but if we collaborate we all get into the environment,” Whitbey said.
Jarvis reflected on a previous role at an aerospace company, saying that it was clear from working in that role “that we need to be more connected to help customers.”
Despite the main infections taking place two and a half years ago, a large number of computers remain vulnerable to the WannaCry ransomware.
Speaking to Infosecurity at the Virus Bulletin 2019 conference in London, Sophos security researcher Chet Wisniewski said that large numbers of businesses did not apply the patches, released in March 2017 and after the infection in May 2017, so their machines still remain vulnerable. “That’s what surprised me, with the amount of hype and the amount of news around that vulnerability, it shows that even standing on the rooftop and lighting your hair on fire is not going to be enough for people to take action,” he said.
“The good news is that there is an accidental vaccination which means that the good people won’t get infected with it,” he said. He explained that a version of WannaCry drops a payload, but that payload is currently corrupted and if another infection is attempted, if that file is detected at all, the infection will not take place.
“Fortunately, all of these copies of WannaCry we’re seeing are neutered,” he added. “It’s not hurting anyone, it’s just spreading around and making a lot of noise.”
Wisniewski went on to say that people are still not realizing that “these weaponized exploits are really dangerous, and BlueKeep has been an interesting trial of this.” Wormable exploits are typically published within hours, he said, but in the case of BlueKeep the exploit has so far only been added to Metasploit, and other companies are using it as a penetration testing tool.
“If people have not patched since 2017, if a BlueKeep publicly exploitable worm was released, instantly millions of machines would be impacted again, and we would be in the same boat as when WannaCry was spreading around,” he said. “Every single one of those machines would be vulnerable as they have not been patched in two years, not to mention all of those that have been patched since.”
Cyber-attacks on UK businesses surged by a whopping 243% over the summer, compared to the same period last year, according to new findings from Beaming.
The Hastings-based business ISP analyzed data from the thousands of organizations across the UK that it supplies.
It found that UK firms experienced 157,528 attacks each on average between July and September, up from 45,970 during the same three months of 2018.
The firm detected nearly 500,000 unique IP addresses used to launch cyber-attacks on UK businesses during the period, with the number originating from China more than doubling over last year. A large number of attacks also originated in Taiwan, Brazil and Russia, Beaming said.
The most frequently targeted systems were Internet of Things (IoT) devices and file sharing services, accounting for 20% and 6% of attacks respectively.
FireEye warned in June of a “dramatic” increase in abuse of file sharing services such as WeTransfer, Dropbox, Google Drive and OneDrive, which are used to host malicious and phishing files in email-borne attacks.
What’s more, cyber-criminals are increasingly gearing up to exploit unprotected IoT devices, according to a Trend Micro report released last month. The firm analyzed chatter on dark web forums across the globe and found routers and IP cameras were the most commonly discussed devices.
Businesses face a threat on two fronts: they could be DDoS-ed or attacked in other ways from botnets of compromised IoT machines like these; or their own operational technology could be hijacked and sabotaged, disrupting key business and manufacturing processes.
“Previous summers have been relatively quiet when it comes to cybercrime, but the hackers haven’t yet taken a break this year. Throughout 2019 we have witnessed new highs in the volume of cyber-attacks hitting organisations in the UK and also the number of active agents behind those attempts,” said Beaming managing director, Sonia Blizzard.
“We are tackling more and more malicious code at a network level to minimize the threat of online attacks to our customers. The hackers are after the weakest link they can find, so companies need to boost their resilience to these sustained, indiscriminate attacks. They can do this by ensuring their software and cybersecurity defenses are up-to-date, putting in place measures such as managed firewalls and educating employees to help them avoid the main risks they could be exposed to.”
The UK’s local authorities are facing an unprecedented barrage of cyber-threats, amounting to almost 800 every hour in the first half of 2019, according to insurance broker Gallagher.
Of the 203 councils that responded to the firm’s Freedom of Information (FOI) requests, nearly half (49%) had been targeted since the start of 2017, with over a third (37%) attacked in the first half of the year.
Over the first six months of 2019, those councils experienced 263 million attacks — a number that is likely to be much higher if those authorities which chose not to answer the FOI request were factored in.
However, despite the barrage, most authorities seem to be holding up: just 17 attacks were reported to have resulted in the loss of data or money, although one council reported the loss of over £2m, according to Gallagher.
Just 13% of local authorities have cyber insurance, a figure the firm would obviously like to see much higher.
“Councils are facing an unprecedented number of cyber-attacks on a daily basis. While the majority of these are fended off, it only takes one to get through to cause a significant financial deficit, a cost which the taxpayer will ultimately foot,” argued Tim Devine, managing director of Public Sector & Education at Gallagher.
“Costs and reputational damage at this scale can be devastating for public authorities, many of which are already facing stretched budgets. In many scenarios, the people responsible for purchasing cyber-insurance products need decisions to be made at member, or management level. The cyber threat and the need for cover needs to be high on every local authority’s agenda.”
However, most of the attacks noted in the report are likely to be the result of “automated probing and discovery tools” and therefore should not be classed as true security incidents, according to Tripwire senior director, Paul Edon.
“However, the truth of the matter is that many local authorities and councils still remain unprepared for a true cyber-attack,” he added.
“To get security right, organizations need to get the basics right. Start by understanding the risk you have. You must conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. Then ensure systems are regularly patched and upgraded. Following these basic security hygiene rules will go a long way to making your systems secure and the attackers’ job more difficult.”
Security and privacy experts have heavily criticized an attempt by the UK, US and Australian governments to strong arm Facebook into halting its roll-out of end-to-end encryption.
Mark Zuckerberg announced a major overhaul of the social network in July following its $5bn fine from the FTC — a move which will include creating a privacy-by-design culture in the firm and extending end-to-end encryption beyond WhatsApp to Instagram and Messenger.
However, western governments are predictably dismayed at any efforts which will confound attempts by their intelligence agencies and the police to track suspects.
A widely reported open letter to Facebook from three-fifths of the Five Eyes nations demanded that the firm not continue with the encryption roll-out “without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.”
That effectively means backdoor access for governments and law enforcers, something that the world’s leading cryptographers have repeatedly stated is not possible without undermining security for all.
Hannah Quay-de la Vallee, senior technologist at the non-profit Center for Democracy and Technology (CDT), repeated these arguments.
“Strong encryption and end-to-end security are bedrock technologies that keep information safe online. These technologies protect billions of communications every day, from the sensitive correspondence of victims of domestic violence to businesses’ financial records to our private medical information,” she explained.
“Creating a law that would mandate weaker and less secure technology is like mandating crumbling sidewalks to prevent criminals from escaping. It’s ridiculous, it won’t work, and it puts us all at far greater risk of serious injury.”
NSA whistleblower Edward Snowden also chipped in, warning that if Facebook caves to these government demands, “it may be the largest overnight violation of privacy in history.”
That doesn’t seem likely though, with a Facebook statement issued to confirm: “We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere.”
The open letter comes as the US and UK trumpeted a new “world first” data sharing agreement, that will allow law enforcers on both sides of the Atlantic to demand data from tech firms in the other country without needing to go through a lengthy liaison process with their respective governments.
The US Food and Drug Administration (FDA) issued a warning on Tuesday over vulnerabilities detected in decades-old software being used by many medical devices and hospital networks.
The 11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. If exploited, the vulnerabilities could allow hackers to remotely control a medical device, change its function, obstruct service, or trigger information leaks that could stop it from working.
Makers of the original IPnet software, Interpeak, no longer support it, but some manufacturers have a license to use it without support, meaning it could be incorporated into other software applications, equipment, and systems still in use in medical devices.
When the vulnerabilities were discovered, it was thought that they only affected some versions of the popular real-time operating system Wind River VxWorks. However, the true impact of the cybersecurity risk is much greater because the IPnet software was licensed and used in multiple operating systems employed by the healthcare industry.
According to the FDA, some versions of operating systems Integrity by Green Hills, ThreadX by Microsoft, Operating System Embedded by ENEA, ITRON by TRON Forum, and ZebOS by IP Infusion may contain the vulnerable software component.
Medical devices affected so far include an imaging system, an infusion pump, and an anesthesia machine. The FDA said in its warning that it "expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software."
IPnet's vulnerabilities are zero-day, meaning that they have existed since the software's creation.
The Cybersecurity and Infrastructure Security Agency issued a warning regarding cybersecurity vulnerabilities in Wind River VxWorks on July 30.
The document, which was put together by the FDA and Health Canada, says regarding third-party components: "These components can create risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices.
"Similarly, post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."
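The FDA's point that a component "such as an operating system or processor" can carry a vulnerability into a device is exactly what happened here: IPnet reached most affected devices through the RTOS that licensed it, not as a direct dependency, so a bill of materials that only records first-level components undercounts exposure. The following Python example is added here and is not code from the FDA, Health Canada or any device vendor; it walks a constructed software bill of materials (all component and product names are placeholders, not real product or version identifiers) and reports every top-level product that carries a named component, with the inclusion path for each.

```python
"""Transitive component impact over a constructed SBOM.

Added example (not from the FDA, Health Canada or any vendor). Component
names are placeholders; the graph is shaped like the IPnet case: one network
stack bundled by two different RTOSes, which are in turn bundled by devices.
"""
from collections import deque

# Constructed SBOM: component -> components it bundles directly.
SBOM = {
    "ipnet-stack": [],
    "rtos-a": ["ipnet-stack"],              # RTOS that ships the stack
    "rtos-b": ["ipnet-stack", "fs-lib"],    # a second RTOS that licensed the same stack
    "rtos-c": ["other-tcpip"],              # RTOS with an unrelated stack
    "other-tcpip": [],
    "fs-lib": [],
    "hmi-lib": [],
    "imaging-system-fw": ["rtos-a"],
    "infusion-pump-fw": ["rtos-b"],
    "anesthesia-machine-fw": ["rtos-b", "hmi-lib"],
    "patient-monitor-fw": ["rtos-c", "hmi-lib"],
}


def reverse_graph(sbom):
    """Map each component to the components that bundle it directly."""
    rev = {name: [] for name in sbom}
    for parent, children in sbom.items():
        for child in children:
            rev.setdefault(child, []).append(parent)
    return rev


def direct_users(component, sbom):
    """What a first-level-only SBOM check would report: immediate bundlers."""
    return set(reverse_graph(sbom).get(component, []))


def impacted(component, sbom):
    """Every component that contains `component` transitively.

    Returns {name: [name, ..., component]}, one inclusion path per component.
    Breadth-first over the reverse graph, so the recorded path is a shortest one;
    visited tracking also guards against cycles in malformed SBOMs.
    """
    rev = reverse_graph(sbom)
    paths = {}
    queue = deque([(component, [component])])
    while queue:
        node, path = queue.popleft()
        for parent in rev.get(node, []):
            if parent in paths:
                continue
            paths[parent] = [parent] + path
            queue.append((parent, paths[parent]))
    return paths


def impacted_products(component, sbom):
    """Restrict to top-level products (nothing bundles them) that carry the component."""
    rev = reverse_graph(sbom)
    return {n: p for n, p in impacted(component, sbom).items() if not rev.get(n)}


if __name__ == "__main__":
    print("direct bundlers:", sorted(direct_users("ipnet-stack", SBOM)))
    for product, path in sorted(impacted_products("ipnet-stack", SBOM).items()):
        print(f"{product}: {' <- '.join(path)}")
```

Comparing `direct_users` with `impacted_products` shows the gap: the first names only the two RTOS components, the second names the three end products, none of which list the stack as a direct dependency.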
Ransomware gangs, intent on stealing American dollars, have struck at least 621 targets in the US government, education, and healthcare sectors since January.
A report into stateside ransomware attacks, released on October 1 by antivirus company Emsisoft, which is an associate partner in Europol’s No More Ransom Project, paints a picture of a nation in a serious cyber-predicament.
At least 68 state, county, and municipal entities have been impacted by this particular type of attack since the beginning of the year. In just one attack on Baltimore, MD, carried out in May using the ransomware RobbinHood, recovery costs are estimated to have been $18.2 million.
A Ryuk attack on Lake City, FL, in June led to insurers forking over a $460,000 ransom minus a $10,000 deductible, and only part of the data affected was recovered.
So far this year, there have been at least 62 ransomware incidents involving school districts and other educational establishments, which potentially impacted operations at up to 1,051 individual schools, colleges, and universities.
The healthcare sector has suffered just under 500 attacks since this year's ball drop in Times Square heralded the start of 2019.
Fabian Wosar, Emsisoft CTO, told Infosecurity Magazine: "When we look at absolute numbers in all areas—business, government, and home users—ransomware is on the decline. However, this is mostly due to the fact that ransomware gangs focus on business and government targets these days instead of the large-scale spray-and-pray attacks against home users that were dominant just a few years ago. So, while the pressure on home users went down dramatically, it skyrocketed for those other areas."
Describing the biggest ransomware payout he had come across, Wosar said: "The biggest confirmed payout I have seen was $700,000, but I cannot disclose specific details about that case."
How an organization decides to deal with a ransomware attack has a major bearing on whether it will be re-targeted at a later date.
Wosar told Infosecurity Magazine: "What definitely will make you a big target is if you got ransomed and paid. During a lot of these attacks we have seen ransomware groups leave behind backdoors that allow them to access the systems again in the future. Given this backdoor access and your willingness to pay for your data, you become a prime target for a second attack later down the line."
Sharing his predictions on how ransomware attacks will evolve, Wosar said: "I believe that attacks on organizations with outsourced infrastructure and IT will become increasingly common. The tools used by MSPs and other service providers act as a gateway to their clients’ systems and, as we saw in the Texas and PercSoft incidents, enable multiple organizations to be ransomed in one fell swoop."
The co-founder and former CTO of cryptocurrency mining marketplace NiceHash has been arrested by German federal police in connection with US charges of racketeering and fraud.
According to the news website 24ur.com, Matjaz Škorjanc was arrested on Monday in Schwarzbach after crossing the German border in a car with Slovenian license plates.
Slovenian national Škorjanc is wanted in the US on suspicion of being a member of a criminal organization that committed a number of cyber-frauds between 2008 and 2013.
The US alleges that the 33-year-old set up and managed online password-protected hacking forum Darkode, in which cyber-criminals convened to buy, sell, trade, and share information, ideas, and tools to facilitate unlawful intrusions into others’ computers and electronic devices.
Darkode was shut down in 2015 as part of an internationally coordinated law enforcement effort called Operation Shrouded Horizon.
Škorjanc, who was known online as "iserdo" and "serdo," is further accused of creating and deploying the malicious botnet Mariposa, which harvested personal data from nearly a million computers around the world. Mariposa caused estimated damages of around $4 million after using cyber-scamming and denial-of-service (DoS) attacks to effectively turn infected computers into remotely controlled zombies.
An indictment was filed in the US District Court for the District of Columbia on December 4, 2018, against Škorjanc, fellow Slovene Mentor Leniqi, Spaniard Florence Carro Ruiz, and American Thomas McCormick. Each of the accused was charged with racketeering conspiracy and conspiracy to commit wire fraud and bank fraud. The racketeering conspiracy charge includes conspiracy to commit bank, wire, and access device fraud, identity theft, hacking, and extortion.
McCormick—the last known administrator of the Darkode forum—was also charged with five counts of aggravated identity theft. He was arrested at the FBI’s Washington Field Office in Washington, DC, six days after the indictment was filed.
If convicted of the charges, each of the accused could spend up to 50 years behind bars.
Škorjanc has already served four years and ten months in a Slovenian prison after being convicted for his role in the Mariposa botnet.
Škorjanc's father and H-Bit CEO Martin Škorjanc said: "There is no real legal basis for the prosecution, as Matjaz Škorjanc was already convicted for the same act as prosecuted by the US prosecutor, and the sentence has already been fully passed in Slovenia.
"It is an inadmissible retrial of the same thing; it is forbidden by Slovenian, European, and American law."
The annual Security Serious “Unsung Heroes” awards were announced at an event in central London last night.
The fourth annual awards are intended to celebrate the people of the cybersecurity industry, recognizing the individuals and teams working hard to protect Britain from cybercrime and raise awareness of security issues.
“It can often be a thankless task working in cybersecurity; and as an industry, we tend to focus on technology and innovation,” said lead organizer of Security Serious Week, Yvonne Eskenzi.
“The cyber skills gap is a huge issue for this country and an event like this really shows off what a great industry it is to be a part of and the wonderful people that make it.”
The full list of winners was:
Winner: Joe Hancock – MDR Cyber
Highly Acclaimed: James Packer – (ISC)2
Winner: Dan Raywood – Infosecurity Magazine
Highly Acclaimed: Kate O'Flaherty – Tech Journalist
Best Security Awareness Campaign
Winner: Host Unknown
Highly Acclaimed: City of London Police
Winner: Hamish McGowan – Channel 4
Highly Acclaimed: Sophia McCall – Bournemouth University
Winner: Jonathan Armstrong – Cordery Compliance
Highly Acclaimed: David Hyett – UKRI
Winner: Bayside School Cyber Club supported by GVC Group
Highly Acclaimed: Toni Scullion and the Turing’s Testers
Best Ethical Hacker / Pentester
Winner: Rob Hillier – XQ Cyber
Winner: Quentyn Taylor – Canon Europe
Highly Acclaimed: Shan Lee – Transferwise
Godparent of Security
Winner: Paul Simmonds – Global Identity Foundation
Highly Acclaimed: Adrian Davis – Consulting COO & CIO
Security researchers have identified a new state-backed threat group they believe to be behind the recently disclosed attacks on European aerospace supply chain companies and organizations in other verticals.
Reports had suggested the attacks — which affected UK engine-maker Rolls-Royce, French tech supplier Expleo and two other French Airbus suppliers — had been carried out either by China’s APT10 group or a regional branch of the country’s Ministry of State Security, known as JSSD.
However, security researchers at Context believe the attacks are the work of another nation state hacking group. Although the firm falls short of blaming China, it admits that the “Avivore” group does operate in the same time zone, and shares some similarities with APT10/JSSD.
The group’s attack methodology follows a set pattern. After using compromised user credentials and legitimate remote access tools to infiltrate targeted networks, hackers escalate privileges by abusing legitimate tools and/or highly privileged accounts.
Next, they conduct account and host enumeration using “net” commands, schedule execution of scripts and tooling run in the context of the “SYSTEM” user, and remove any traces of scripts, tooling and event logs following execution. RDP is also used for lateral movement.
While many supply chain attacks are “vertical” in nature, involving an initial compromise of MSPs or software vendors, the Avivore campaigns are more “horizontal” — relying on island hopping techniques.
The group abused the commercial VPNs and other collaborative solutions used by large multinationals and the smaller engineering or consultancy firms in their supply chains. Other legitimate tools leveraged by Avivore include network scanning and certificate extraction tools, and Windows Sysinternals tools such as ProcDump.
Binaries were disguised as Windows DLLs, with tools executed remotely using scheduled tasks and then removed, according to Context.
“Avivore showed themselves to be highly capable; adept at both 'living-off-the-land' and in their operational security awareness; including forensically covering their tracks. They demonstrated detailed knowledge of key individuals associated with projects of interest, and were able to successfully mirror working times and patterns of these users to avoid arousing suspicions,” explained the report.
“They were also able to manipulate victim environments and security controls to facilitate and obfuscate their activities: e.g. modifying firewall rules to accept RDP over alternate ports; establishing hosts within the victim environment as remote access proxies.”
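Most of the tradecraft Context describes leaves standard Windows Security log entries behind: "net" enumeration shows up as process creation (event 4688), scheduled tasks created to run as SYSTEM and removed after use as 4698/4699 pairs, firewall rules opened for RDP on alternate ports as a `netsh advfirewall` command line, and covering of tracks as a cleared Security log (1102). The following Python detection pass is an added example, not code from Context or the article, and runs over constructed sample events (hosts, users, timestamps and task names are invented; the baseline of approved inbound ports is an assumed site-specific setting).

```python
"""Detection pass over constructed Windows Security events for the tradecraft
above: bursts of "net" enumeration, SYSTEM scheduled tasks that are created and
then deleted, netsh rules opening non-baseline inbound ports, and log clearing.
Added example; events are constructed samples, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_SUBCMDS = {"user", "group", "localgroup", "view", "accounts", "share"}
ENUM_BURST = 3                       # this many enumeration commands ...
ENUM_WINDOW = timedelta(minutes=5)   # ... on one host within this window
TASK_LIFETIME = timedelta(hours=1)   # created-then-deleted faster than this
BASELINE_INBOUND_PORTS = {3389}      # assumed approved inbound ports (site-specific)
SYSTEM_SID = "S-1-5-18"
# Matches '<optional path>\<name>[.exe] ' at the start of a command line.
_EXE = r'^\s*"?(?:[^"\s]*\\)?{name}(?:\.exe)?"?\s+'


def net_subcommand(cmdline):
    """Return the net/net1 subcommand (user, group, use, ...) or None."""
    m = re.match(_EXE.format(name="net1?") + r"(\w+)", cmdline, re.I)
    return m.group(1).lower() if m else None


def firewall_rule(cmdline):
    """Options of a 'netsh advfirewall firewall add rule' command line, else None."""
    if not re.match(_EXE.format(name="netsh") + r"advfirewall\s+firewall\s+add\s+rule\b",
                    cmdline, re.I):
        return None
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmdline)}


def task_principal(task_xml):
    """UserId from the task definition XML that event 4698 records."""
    m = re.search(r"<UserId>([^<]+)</UserId>", task_xml)
    return m.group(1).strip() if m else None


def _finding(rule, ev, when, detail):
    return {"rule": rule, "host": ev["host"], "user": ev["user"],
            "time": when.isoformat(), "detail": detail}


def analyze(events):
    """Return findings for the suspicious patterns, in time order."""
    findings, enum_times, task_created = [], defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t, host, eid = datetime.fromisoformat(ev["time"]), ev["host"], ev["id"]
        if eid == 4688:                                   # process creation
            cmd = ev.get("cmdline", "")
            if net_subcommand(cmd) in ENUM_SUBCMDS:
                recent = [x for x in enum_times[host] if t - x <= ENUM_WINDOW] + [t]
                if len(recent) >= ENUM_BURST:
                    findings.append(_finding("net_enumeration_burst", ev, t,
                                             f"{len(recent)} net enumeration commands within {ENUM_WINDOW}"))
                    recent = []                           # report each burst once
                enum_times[host] = recent
            rule = firewall_rule(cmd)
            if rule and rule.get("dir", "").lower() == "in" and rule.get("action", "").lower() == "allow":
                port = rule.get("localport", "")
                if port.isdigit() and int(port) not in BASELINE_INBOUND_PORTS:
                    findings.append(_finding("inbound_firewall_rule_opened", ev, t,
                                             f"rule {rule.get('name', '?')!r} allows inbound port {port}"))
        elif eid == 4698:                                 # scheduled task created
            task_created[(host, ev["task"])] = t
            principal = task_principal(ev.get("task_content", ""))
            if principal and (principal == SYSTEM_SID or principal.upper().endswith("SYSTEM")):
                findings.append(_finding("system_scheduled_task", ev, t,
                                         f"task {ev['task']} runs as SYSTEM, created by {ev['user']}"))
        elif eid == 4699:                                 # scheduled task deleted
            created = task_created.pop((host, ev["task"]), None)
            if created is not None and t - created <= TASK_LIFETIME:
                findings.append(_finding("short_lived_scheduled_task", ev, t,
                                         f"task {ev['task']} lived {t - created}"))
        elif eid == 1102:                                 # Security log cleared
            findings.append(_finding("security_log_cleared", ev, t, "audit log cleared"))
    return findings


# Constructed sample events (hosts, users, times and task names are invented).
SAMPLE_EVENTS = [
    {"time": "2019-03-04T02:10:05", "host": "ENG-WS-07", "id": 4688, "user": r"CONTOSO\jdoe",
     "cmdline": "net user /domain"},
    {"time": "2019-03-04T02:10:09", "host": "ENG-WS-07", "id": 4688, "user": r"CONTOSO\jdoe",
     "cmdline": r'"C:\Windows\System32\net1.exe" group "Domain Admins" /domain'},
    {"time": "2019-03-04T02:10:14", "host": "ENG-WS-07", "id": 4688, "user": r"CONTOSO\jdoe",
     "cmdline": "net view /domain"},
    {"time": "2019-03-04T02:12:30", "host": "ENG-WS-07", "id": 4698, "user": r"CONTOSO\jdoe",
     "task": r"\Microsoft\Windows\Update\svc",
     "task_content": "<Task><Principals><Principal id='Author'><UserId>S-1-5-18</UserId>"
                     "<RunLevel>HighestAvailable</RunLevel></Principal></Principals></Task>"},
    {"time": "2019-03-04T02:15:00", "host": "ENG-WS-07", "id": 4688, "user": r"CONTOSO\jdoe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop (alt)" '
                "dir=in action=allow protocol=TCP localport=8443"},
    {"time": "2019-03-04T02:38:00", "host": "ENG-WS-07", "id": 4699, "user": r"CONTOSO\jdoe",
     "task": r"\Microsoft\Windows\Update\svc"},
    {"time": "2019-03-04T02:40:00", "host": "ENG-WS-07", "id": 1102, "user": r"CONTOSO\jdoe"},
    # Benign activity on another host, for contrast: a drive mapping and the stock RDP rule.
    {"time": "2019-03-04T09:00:00", "host": "HR-WS-02", "id": 4688, "user": r"CONTOSO\asmith",
     "cmdline": r"net use H: \\files\home"},
    {"time": "2019-03-04T09:05:00", "host": "HR-WS-02", "id": 4688, "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" '
                "dir=in action=allow protocol=TCP localport=3389"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']:<10} {f['rule']:<30} {f['detail']}")
```

On the sample data the pass produces five findings, all on the engineering workstation, and nothing on the HR host whose drive mapping and standard RDP rule fall within baseline. The individual rules are noisy on their own (admins create SYSTEM tasks and open ports); their value comes from landing on the same host within a short window, which is where a correlation layer would score them together.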
Although most Avivore activity has taken place since early 2018, the researchers claimed that the PlugX remote access trojan may have been deployed on victim networks as early as October 2015.
Other verticals thought to have been targeted include automotive, consulting, energy/nuclear and satellite/space technology.