Info Security

Subscribe to Info Security  feed
Updated: 33 min 32 sec ago

Flaw Fixed in Hotels.com Generator as Tesco Clubcard Users Impacted

Mon, 07/06/2020 - 12:15
Flaw Fixed in Hotels.com Generator as Tesco Clubcard Users Impacted

Tesco Clubcard users have been warned to check their accounts, after a weakness was discovered in the way that Hotels.com codes were generated, which then impacted Clubcard members as they tried to use their points.

Whilst Tesco Clubcard’s IT systems have not been compromised in any way, research found cyber-criminals purchased fraudulent vouchers to provide huge discounts on bookings via Hotels.com. The codes were generated by Hotels.com and made available to Tesco Clubcard members as a reward for in-store spending.

According to The Telegraph, the vouchers allowed people to get up to £750 off hotel rooms on Hotels.com. Fraudsters were able to guess the final four digits of the promotional code that unlocks the discount as the remaining nine characters follow the same pattern each time, and the codes were sold on hacker forums for between £200 and £750.

Initially alerted by researchers from CyberNews, who informed Hotels.com parent Expedia Group of the flaw, the booking site has since taken measures to resolve the issue and Tesco Clubcard temporarily removed Hotels.com from Clubcard Rewards until the issue was resolved.

A spokesperson for the CyberNews research team, said: “In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud. We’d recommend using longer, less predictable discount codes with more characters which make it harder for cyber-criminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature.”

A statement from Hotels.com said the issue “was identified and resolved promptly several months ago” and, working closely with its partners at Tesco, it ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned. “No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result.”

Categories: Cyber Risk News

Corporate Cybercrime Victims Double in Five Years

Mon, 07/06/2020 - 11:00
Corporate Cybercrime Victims Double in Five Years

The number of UK business falling victim to cybercrime has doubled over the past five years, costing the economy an estimated tens of billions in the process, according to new research from Beaming.

The business ISP polled over 2500 companies between 2015 and 2019 to compile its latest report, Five Years in Cyber Security.

The percentage of respondents claiming to have fallen victim to cybercrime rose over that time period from 13% in 2015 to a quarter (25%) last year, equivalent to around 1.5 million businesses.

Although large firms with over 250 employees were the most likely to suffer attacks, with over 87% impacted last year, smaller businesses (11-50 employees) experienced the steepest rise, from 28% in 2015 to 68% last year.

Beaming estimated the total cost to UK firms over this five-year period to be in the region of £87bn, including damaged assets, financial penalties and lost productivity. A spokesperson told Infosecurity that it extrapolated the figure from an average cost calculated from interviews with business leaders. 

Phishing was the most likely form of attack to successfully strike UK victim organizations, linked to a 50% increase in victims, with employees accountable for around a third of breaches (36%) in 2019.

Beaming managing director, Sonia Blizzard, argued that automated attack methodologies have helped cyber-criminals ramp up scale, frequency and sophistication.

“The threat has grown astronomically over the last five years. What used to be seen as a big-business problem has become a serious concern for every company director, manager and IT professional out there,” she added.

“Small businesses are now on the front line in the war against cybercrime, but they haven’t invested in cybersecurity or employee education at the same rate as their larger counterparts, and they are easier targets as a result.”

Although many small (20%), medium (24%) and large companies (36%) now discuss cyber-threats at board level, investments in security have not always been forthcoming.

In 2015, 30% of businesses had a firewall at the network perimeter; a figure that stands at just 37% today. Those with employee awareness-raising programs in place rose from 20% to just 22% over the same time, according to the report.

Categories: Cyber Risk News

North Korean Hackers Behind Magecart Attacks

Mon, 07/06/2020 - 09:40
North Korean Hackers Behind Magecart Attacks

North Korean hackers appear to have been breaking into US e-commerce stores since May 2019 and planting digital skimming code to make money for the hermit nation.

Researchers at Sansec claimed today that the notorious Lazarus (Hidden Cobra) group was behind attacks on at least several dozen stores, including a recent high-profile raid on US accessories retailer Claire’s.

It’s unclear how the attackers gained access to the victims’ back-end systems, although spear-phishing against retail staff is a distinct possibility.

“To monetize the skimming operations, Hidden Cobra developed a global exfiltration network. This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity,” Sansec continued.

“The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family run book store from New Jersey.”

The researchers linked various elements of the attacks to previous North Korean activity, including domains such as technokain.com, darvishkhan.net and areac-agr.com where malware and skimmers have been launched from.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations? Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely,” argued Sansec.

“First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors.”

The revelations over Pyongyang-sponsored Magecart attacks mean the despotic regime is using yet another tactic to fill its government coffers.

Previously, groups like Lazarus have been associated mainly with attacks on banks and cryptocurrency exchanges.

A UN report from last year claimed the Kim Jong-un regime had managed to generate $2bn from such attacks.

Categories: Cyber Risk News

Google VP Withdraws from Black Hat 2020 Over its Name

Mon, 07/06/2020 - 08:36
Google VP Withdraws from Black Hat 2020 Over its Name

A Google VP has ignited a fierce debate in the cybersecurity industry over the use of potentially discriminatory language after withdrawing from the upcoming Black Hat USA virtual event in protest.

David Kleidermacher, who is VP of Android security and privacy, thanked the organizers of the long-running security conference but said it was time to change.

“Black hat and white hat are terms that need to change. This has nothing to do with their original meaning, and it’s not about race alone – we also need sensible gender-neutral changes like PITM versus MITM,” he argued on Twitter.

“These changes remove harmful associations, promote inclusion and help us break down walls of unconscious bias. Not everyone agrees which terms to change, but I feel strongly our language needs to (this one in particular).”

Many leapt to his defense: noted researcher Kevin Beaumont argued that more speakers and attendees should boycott Black Hat until the organizers change the name.

However, Kleidermacher’s comments also brought out a significant number of industry professionals who disagreed.

Many focused on the fact that the term itself is not derived from a notion of things that are “black” inherently being malign, but of the fact that the villains in old cowboy movies used to wear black hats while the heroes wore white hats.

However, Kleidermacher argued that the issue goes beyond this narrow interpretation.

“To reiterate – the need for language change has nothing to do with the origins of the term black hat in infosec. Those who focus on that are missing the point. Black hat/white hat and blacklist/whitelist perpetuate harmful associations of black = bad, white = good,” he said.

That didn’t deter some industry commentators who described the stance as “performative” and “virtue signalling.” Others argued that industry efforts would be better spent on more practical ways to make the sector more diverse.

“The companies at the forefront of changing these tech terminologies hardly have black professionals at the decision table and their top leadership, that’s the change we ask, not sidelining us by making a lingua change no reasonable person asked for,” argued @0xSkywalker.

Back in May, the UK’s National Cyber Security Center (NCSC) updated terminology on its website, replacing “blacklist” and “whitelist” with “deny list” and “allow list,” after being contacted by a concerned customer.

Categories: Cyber Risk News

NSA Issues VPN Security Guidance

Fri, 07/03/2020 - 19:19
NSA Issues VPN Security Guidance

The National Security Agency released guidance this week on securing IPsec virtual private networks as companies across the US continue to grapple with remote working in the wake of the coronavirus pandemic. The advice included a warning not to rely on vendor-supplied configurations.

The document came in two flavors: a guide to securing VPNs and a version with more detailed configuration examples. It warned that many VPN vendors provide cryptography suites and IPsec policies pre-configured for their devices, along with extra ones for compatibility. The Internet Security Association and Key Management Protocol (ISAKMP) and the IPsec policy define how VPNs should authenticate each other, manage their security associations, and generate their keys at different phases of a VPN connection.

"If either of these phases is configured to allow obsolete cryptography, the entire VPN will be at risk, and data confidentiality might be lost," the document warned.

The NSA advised administrators to ensure that these policies comply with the Committee on National Security Systems Policy (CNSSP)-15 standard, which defines parameters for the secure sharing of information between national security systems. Even configuring CNSSP-15-compliant default policies may not be enough, because many VPNs are configured to fall back to alternative policies if their default one is not available. That risks using non-compliant security policies if administrators leave vendors' pre-configured alternatives on their devices, the document said.

Introduced in the 1990s, IPsec is a traditional protocol for VPNs to talk to each other. It can be used for remote access, or for inter-VPN communications. It is an alternative to SSL/TLS VPNs, which offer entirely browser-based access without using a dedicated software application on the client side.

The NSA also advised administrators to reduce the attack surface of their VPN gateways. Because these devices tend to be internet-accessible, they are prone to network scanning, brute-force attacks, and zero-day vulnerabilities, it warned. One way to reduce this risk is to limit accepted traffic to known IP addresses if working with peer VPNs.

"Remote access VPNs present the issue of the remote peer IP address being unknown and therefore it cannot be added to a static filtering rule," it noted. However, admins can still limit access to specific ports and protocols, such as ports 500 and 4500, accessible via UDP.

Categories: Cyber Risk News

Moose Remain Unaware of Lottery Privacy Breach

Fri, 07/03/2020 - 18:37
Moose Remain Unaware of Lottery Privacy Breach

It isn't often that you hear the words "breach," "privacy," and "moose" in the same sentence, but thanks to the province of Nova Scotia, that just changed. The maritime province on Canada's East Coast was dealing with the publicity fallout from an information leak this week after reportedly mismanaging the distribution of personal license information to hunters.

Each year, Nova Scotia Lands and Forestry holds a lottery to distribute moose-hunting licenses in the Cape Breton region. Restricting licenses is important to preserve the moose population, which has declined of late.

According to the CBC, the government department distributed licenses to the winners. The problem was that they were the wrong licenses. Hopeful hunters received other peoples' names and wildlife resource card numbers in the mail.

The government used to publish the names of the winners in the local newspaper, but stopped doing that. Some hunters believe that was because lottery winners would be pestered by outfitters hoping to sell them equipment. The information, if distributed to the wrong people, would enable them to purchase licenses for hunting other animals illegally.

A government official said that the botched mailing was down to human error. Letters to hunters were printed separately from envelopes, and staff didn't realize that the letters contained information specific to individuals. The government is recalling information packs that it sent out and mailing new ones.

This may be a low-level breach, but it is the latest in a series of slip-ups by the Nova Scotia government that had more serious ramifications. In May, it removed online documents involving appeals to its Workers' Compensation Board that included personal details about peoples' health, medications, and family.

Last year, the Nova Scotia Health Authority had to notify almost 3,000 people about a breach of their health information after a successful phishing attack on an employee. The province was also the recipient of the Electronic Frontier Foundation's 2019 What the Swat? Award after it arrested a teenager for downloading 7,000 sensitive documents from publicly accessible URLs on its website. It later dropped the charges.

Categories: Cyber Risk News

Avaddon Ransomware Still Using Excel 4.0 Macros

Fri, 07/03/2020 - 18:05
Avaddon Ransomware Still Using Excel 4.0 Macros

Just like jokes, sometimes the old vulnerabilities are the best ones. So, stop us if you've heard this before: ransomware criminals are still using malicious Excel 4.0 macros in campaigns. This week, Microsoft's security intelligence team noted that Avaddon was the latest malware to use the macros as an infection vector.

This week, Avaddon ransomware became the latest malware to use malicious Excel 4.0 macros in campaigns. Emails carrying the malicious Excel attachments were sent to specific targets, primarily in Italy. When run, the malicious macro downloads the Avaddon ransomware. pic.twitter.com/K8TN9X9xQR

— Microsoft Security Intelligence (@MsftSecIntel) July 2, 2020

Avaddon is a form of ransomware that emerged in early June, and it is the latest malware campaign to use Excel 4.0 macros to spread in recent weeks. "The technique has been adopted by numerous campaigns, including ones that used COVID-19 themed lures," it said. We documented this back in May when the NetSupport Manager RAT appeared.

"This week's campaign continues a recent trend of delivering ransomware as the immediate payload in email campaigns," Microsoft said.

Avaddon searches for data to encrypt and then appends its own extension to encrypted files, dropping a ransom note in each folder that it affects. That links to a payment site accessible via the Tor network containing a unique ID that the victim can use to log in. They then see a ransom amount and instructions on how to pay.

The original ransomware campaign used in June used emails to distribute a JavaScript downloader that looked like an image file. However, online criminals will often change their techniques to keep victims guessing. Avaddon's organizers reportedly posted to Russian-speaking hacker forums earlier this year, stating that they were operating an affiliate program for the ransomware. This would pay affiliates a portion of the ransom from any of their victims. One of those affiliates could well be responsible for the macro-based infection approach.

Macros are an old method of distributing malware that fell out of favor after Microsoft introduced more protections to stop them. Macros are disabled by default in more recent versions of Microsoft Office, meaning that criminals would have to persuade victims to turn them on. Enterprise IT admins can even set documents not to give users that option. However, not all of them do that, and many victims' computers aren't managed by an admin at all. So this ancient delivery method is still a fruitful vector for attackers.

Categories: Cyber Risk News

Record Number Enrol in Online NCSC CyberFirst Courses

Fri, 07/03/2020 - 15:00
Record Number Enrol in Online NCSC CyberFirst Courses

A record number of teenagers have enrolled in the National Cyber Security Center’s (NCSC) CyberFirst summer courses this year, with classes held online for the first time due to the COVID-19 pandemic. As a result, the NCSC plans to offer a mix of classroom and virtual learning for future summer courses, even when social distancing restrictions have ended.

Taking place annually, the courses offer teenagers aged from 14-17 the opportunity to develop their digital and problem-solving skills as well as introduce them to the cyber-threat landscape. In the program, leading experts from industry and GCHQ teach topics including how to analyze common cyber-attacks, crack codes and defend devices and networks.

Moving the courses online has proved a resounding success, with a record number of applications received: 1700 students will be accepted this year, an increase of 600 compared to 2019.

Chris Ensor, deputy director for cyber-growth at the NCSC, commented: “Moving this year’s CyberFirst summer courses online has proven hugely popular, with a record number of boys and girls participating and developing their cyber-skills from home – in a way that is fun, insightful and engaging.”

The CyberFirst courses were first launched in 2016, with the aim of getting more youngsters interested in cybersecurity to help address the skills shortage and lack of gender diversity in the sector.

Commenting on the news, Fiona Boyd, head of enterprise and cybersecurity at Fujitsu, said: “The record number of teenagers signing up to the NCSC’s CyberFirst summer courses is a fantastic first step towards tackling the STEM skills gap. The cybersecurity skills gap in particular is too large for organizations to ignore with a reported 3.5 million unfilled positions expected by 2021.

“Raising awareness of a cybersecurity career at an early age can help introduce younger students into the industry with a variety of ideas and ways of thinking. In turn, a well-trained cybersecurity team can not only prepare for the future, but stay ahead of emerging cybersecurity threats that may manifest from technologies such as AI and 5G.”

The UK government has recently introduced a number of other new initiatives to tackle the cybersecurity skills shortage. In May it announced the creation of a new online cyber-school to help develop a new generation of cybersecurity professionals.

Categories: Cyber Risk News

V Shred Exposes Pics and PII on 100,000 Customers

Fri, 07/03/2020 - 11:00
V Shred Exposes Pics and PII on 100,000 Customers

Nearly 100,000 customers have had their sensitive personal data and revealing photos exposed online after a US-based fitness company misconfigured an Amazon database.

Las Vegas-headquartered V Shred left the S3 bucket containing over 1.3 million individual files publicly accessible, according to vpnMentor.

The research team discovered the leak on May 14 but it took a whole month for the company to disable access to the offending files. Initially, V Shred apparently claimed it was necessary for user files to be publicly available and denied that any PII data had been exposed. Once informed, it removed the PII but said it was leaving the other files publicly accessible, according to vpnMentor.

The 606GB trove contained three CSV files with PII on over 96,000 users, featuring full names, home and email addresses, phone numbers, birth dates, social security numbers, social media accounts, usernames and passwords, health conditions and more.

The database also contained meal plans, profile photos and “before and after” body photos for some customers, as well as details on 52 trainers, according to the report.

“Using the PII data exposed through the S3 bucket, malicious hackers and cyber-criminals could create very effective phishing campaigns targeting V Shred customers,” vpnMentor claimed.

“If the CSV files contained the social security numbers of any individuals, this would be a goldmine for cyber-criminals. They could utilize such information for a wide range of fraud and wholesale identity theft.”

Users could also be blackmailed with threats to release their before and after photos, it added.

The firm discovered V Shred’s misconfigured S3 bucket as part of a broader web mapping project which has already revealed multiple leaks, exposing hundreds of millions of sensitive records.

These include fitness tech firm Kinomap which accidentally leaked 42 million records, sports retailer Decathlon, which leaked 123 million, and a British printing company which may have exposed military secrets.

Categories: Cyber Risk News

GoldenSpy Uninstaller Appears Out of Nowhere

Fri, 07/03/2020 - 09:30
GoldenSpy Uninstaller Appears Out of Nowhere

A mysterious uninstaller has been discovered in malware-laden tax software required for download by firms doing business in China, according to Trustwave.

The security vendor explained last week how it discovered a backdoor it named GoldenSpy inside Intelligent Tax software, produced by the Golden Tax Department of Aisino Corporation. A Chinese bank requires its business clients to download the software.

The security vendor claimed at the time that the powerful backdoor, which allowed for complete remote control of a victim’s network, could not be removed, even if Intelligent Tax was uninstalled.

However, after attracting widespread publicity, the backdoor has now been joined by a new file, discovered by Trustwave’s Threat Fusion team.

“This new sample’s sole mission is to delete GoldenSpy and remove any trace it existed. Including the deletion of registry entries, all files and folders (including the GoldenSpy log file), and finally, the uninstaller deletes itself,” explained the firm’s VP of cyber-threat detection and response, Brian Hussey.

“This GoldenSpy uninstaller will automatically download and execute, and effectively, will negate the direct threat of GoldenSpy in your environment. However, as the deployment of this uninstaller is delivered directly from the supposedly legitimate tax software, this has to leave users of Intelligent Tax concerned about what else could be downloaded and executed in a similar manner.”

It’s still unclear who seeded the original malware in the tax software. It could either have been done without the knowledge of the bank, or is part of a much wider conspiracy designed to monitor foreign firms doing business in the Middle Kingdom.

The swift appearance of an uninstaller would seem to favor the latter theory, as it’s unlikely that cyber-criminals would care if they were found out.

“Organizations must continuously be vigilant, always threat hunting, because our adversaries will continue to find new ways to trick, manipulate and socially engineer their way into environments,” Hussey argued.

“The value of the GoldenSpy case study is not the IOCs we provided, it’s the lesson that malware can be cleverly hidden in any software, regardless of its source or supposed legitimacy.”

Categories: Cyber Risk News

Global Dating App Users Exposed in Multiple Security Snafus

Fri, 07/03/2020 - 08:30
Global Dating App Users Exposed in Multiple Security Snafus

Security researchers have discovered five dating apps in the US and East Asia which are leaking millions of customer records thanks to misconfigured cloud databases.

A team from WizCase led by Avishai Efrat explained that the Elasticsearch servers, MongoDB databases and AWS buckets they found were left publicly accessible with no password.

In the US, an Amazon bucket traced to CatholicSingles was found to be leaking a 17MB database of 50,000 records including names, email addresses, billing addresses, phone numbers, age, gender, occupation and education.

Another dating site hosted in the US, Yestiki, leaked around 4300 records (352MB) including phone numbers, names, addresses and GPS location data of date venues, as well as user ratings, activity logs and Foursquare secret key IDs.

Next up is SPYKX.com, the South Korean company behind the Congdaq/Kongdak dating app. It was found leaking 123,000 records (600MB) via an unprotected Elasticsearch server, including emails, cleartext passwords, phone numbers, dates of birth, gender, education and GPSdata.

Also in South Korea, dating app Blurry exposed 70,000 user records (3667MB) via an Elasticsearch server, including private messages sent between users – some of which contained sensitive information like social media handles and phone numbers.

Finally, Japanese dating apps Charin and Kyuun, which appear to be owned by the same company, leaked over 100 million records via the same unsecured Elasticsearch database sitting on an AWS EC2 server.

Compromised user information included email addresses and passwords, both hashed and cleartext, user IDs, mobile device information and dating preferences such as distance and age, according to WizCase.

The researchers also found an additional six exposed servers packed with dating app user information but couldn’t identify the owner, although it claimed they may be the product of a web scraping operation. Data from users of Zhenai, Say Love, Netease, Love Chat and Companion were found.

It’s unclear whether any of the companies WizCase contacted has addressed the configuration errors, but the firm warned users of potential follow-on identity fraud, phishing, blackmail and privacy risks.

Back in September last year, the same research team was able to access a database of around 77,000 users of Heyyo, a Turkey-based online dating service.

Categories: Cyber Risk News

Researchers Find Vulnerabilities in Apache Remote Desktop Software

Thu, 07/02/2020 - 19:38
Researchers Find Vulnerabilities in Apache Remote Desktop Software

Researchers have discovered a gaping hole in popular remote access system Apache Guacamole that puts thousands of companies with remote employees at risk. The flaw could allow attackers to control the software and the computers that connect to it. Luckily, there is a patch available.

With large numbers of employees now working from home, remote access systems that let users control computers in the office from their home machines are increasingly popular. One free version is the open source software Apache Guacamole.

Provided by the open source Apache Software Foundation, Guacamole is a gateway that enables remote clients to connect from a browser via various protocols, including Microsoft's Remote Desktop Protocol (RDP). It is a popular product, with over 10 million downloads of its docker container.

Researchers at Check Point began evaluating this software in mid-February as the company prepared to transfer over 5,000 employees to remote work during the early stages of the pandemic. They quickly found problems with the open source gateway. If it connects to a compromised computer inside the network, attackers can use that machine to take control of the entire gateway with potentially disastrous results, they warned.

"Once in control of the gateway, an attacker can eavesdrop on all incoming sessions, record all the credentials used, and even start new sessions to control the rest of the computers within the organization," said the researchers in their report. "When most of the organization is working remotely, this foothold is equivalent to gaining full control over the entire organizational network."

They found several critical reverse RDP vulnerabilities that the destination machine could use to control the gateway, along with new vulnerabilities in FreeRDP, which is Apache's free implementation of the proprietary RDP.

Between them, these vulnerabilities allow for Heartbleed-style information disclosure along with memory corruption. Chaining these together created arbitrary read and write capabilities on the gateway. The researchers then used a privilege elevation attack to gain control of the system.

They disclosed these vulnerabilities to Apache at the end of March, and it silently patched them on May 8 in an update to its GitHub repository. It then released an official patched version (1.2.0) on June 28.

The researchers note that all versions of Guacamole released before January 2020 are using vulnerable versions of FreeRDP, so it is important to patch now.

Categories: Cyber Risk News

US Schools and Colleges Have Leaked 24.5 Million Records Since 2005

Thu, 07/02/2020 - 18:55
US Schools and Colleges Have Leaked 24.5 Million Records Since 2005

Schools and colleges in the US have leaked 24.5 million records since 2005, according to new research by technology website Comparitech. K–12 school districts across the country have suffered 1,327 breaches in the last 15 years—with last year's count setting an all-time high.

According to a list of data breaches compiled by the site and with the help of tools from the National Center for Education Statistics (NCES), the most common cause of data breaches in K–12 schools is hacking, representing 45.9% of all incidents. It's also the biggest cause of breaches in colleges. Unintentional disclosure comes in second, with 21% in schools and 27.3% in colleges, followed by theft or loss of portable devices (11.1% in schools, and 14.7% in colleges). K–12 schools saw 60 breaches in total last year, although they lost the most records in 2018, spilling 991,340.

"There doesn’t appear to be any kind of trend in the breach numbers for K–12 schools or colleges, nor does there seem to be a pattern with college records affected," said the report. "However, over the past few years, there has been a significant increase in the number of school records affected."

Colleges saw by far the largest proportion of breaches, at 74%. Public institutions were also the hardest hit, accounting for 77.7% of the breaches at both school and college level.

The report noted that many of the breaches affected more than one institution. One good example was a data breach at Pearson Education, which affected schools across the US. This demonstrates that not all these breaches are down to mismanagement on the part of a school or college; sometimes, it's a supply-chain issue.

At the state level, California experienced the most data breaches across colleges and schools combined, accounting for 11.8%. It also lost the most records among all states. As the report points out, though, this is to be expected given that the state harbors a large percentage of the US population (around one in eight people).

Categories: Cyber Risk News

Hundreds Arrested After Cops Dismantle Encrypted Phone Network

Thu, 07/02/2020 - 18:22
Hundreds Arrested After Cops Dismantle Encrypted Phone Network

Law enforcement has arrested 746 people in the UK after cracking an encrypted phone network used for criminal activities. The UK National Crime Agency had been working with international partners to crack the EncroChat network since 2016, it revealed today.

EncroChat was one of the largest providers of encrypted mobile communications via its secure mobile phone network, operating from servers in France. It also offered an instant messaging service, the NCA said. It had 60,000 users worldwide, 10,000 of whom were in the UK. They used the network for trading illicit commodities, laundering money, and planning hits on rivals, it added.

The service used its own specialist devices, costing around €1000 each. It would then charge €1500 for a six-month subscription offering worldwide coverage. Devices didn't require users to associate a SIM card with their account, and they used a dual operating system with an encrypted interface designed to avoid detection.

The company also removed cameras, microphones, GPS capability, and USB ports from its hardware and enabled criminals to delete messages on the devices. It could also wipe them entirely from afar with a kill code.

Each message sent via the device used a different set of keys, according to EncroChat's website, which said: "If any given key is ever compromised, it will never result in the compromise of previously transmitted messages—or even passive observation of future messages."

Police crack the code

That didn't stop police from cracking the system, though. Law enforcement said that EncroChat realized its network had been compromised and warned its users to throw away their handsets on June 13.

We may never know how police managed that decryption, and the French aren't talking, according to Europol. One clue might lie in EncroChat's apparent decision to cobble together its own encryption, which cryptography experts always warn against. Its website said:

"The algorithms employed are many times stronger than that of PGP (RSA+AES). We employ algorithms from different families of mathematics, which protects message content in the event that one encryption algorithm is ever solved."

French police began investigating the encrypted communication service in 2017 after finding the handsets cropping up repeatedly in criminal seizures. It filed a case with Eurojust, the EU Agency for Criminal Justice Cooperation, in 2019. In April this year, Eurojust set up a joint investigation team comprising French and Dutch police, with support from other countries including the UK, Sweden, and Norway.

The French, which also set up its own task force in March this year, led the investigation into EncroChat's encryption. It was eventually able to insert a device somewhere in the communication chain to access criminal correspondence.

The JIT got access to the network two months ago, harvesting data and sharing it via Europol. UK police used this data to plan Operation Venetic, an attack on the UK organized crime network.

"Operation Venetic is the biggest and most significant operation of its kind in the UK," the NCA said.

Working with local police, the NCA seized over ₤54m in raids on EncroChat users, along with 77 firearms and two tons of class A and B drugs.

Categories: Cyber Risk News

Security Analysts Disproportionate in their Investigation of Malware

Thu, 07/02/2020 - 15:00
Security Analysts Disproportionate in their Investigation of Malware

The forms of malware most frequently investigated by security analysts are not actually the most widespread ones used by cyber-attackers, according to a new study by Kaspersky. It revealed that whilst Backdoors (24%) and Droppers (23%) are amongst the top three most commonly sent free requests to the Kaspersky Threat Intelligence Portal, they only make up 7% and 3% of all malicious files blocked by the Kaspersky endpoint products, respectively.

The Kaspersky Threat Intelligence Portal is a means to help analysts to better understand the background of an attack following the detection of malicious activity in order to develop effective response and remediation measures.

Anonymized statistics from the portal show that 72% of the free requests sent related to three categories: Trojans (25%), Backdoors (24%) and Droppers (23%). Although figures from the Kaspersky Security Network demonstrate that Trojans are indeed usually the most widespread type of malware, the amount of Backdoors and Droppers are nowhere near as frequent as these requests would suggest.

The reason for this disparity is believed to be because researchers are often interested in the final target of the attack, whereas endpoint protection products aim to prevent attacks at an early stage, before they reach the user’s computer.

Kaspersky added that researchers could also be interested in analyzing certain kinds of threats in extra detail due to factors such as their novelty and media coverage.

Denis Parinov, acting head of threats monitoring and heuristic detection at Kaspersky, said: “We have noticed that the number of free requests to the Kaspersky Threat Intelligence Portal to check viruses, or pieces of code that insert themselves in over other programs, is extremely low – less than 1%, but it is traditionally among the most widespread threats detected by endpoint solutions.

“This threat self-replicates and implements its code into other files, which may lead to the appearance of a large number of malicious files on an infected system. As we can see, viruses are rarely of interest to researchers, most likely because they lack novelty compared to other threats.”

Categories: Cyber Risk News

New Mac Ransomware Hidden in Pirated Software

Thu, 07/02/2020 - 11:30
New Mac Ransomware Hidden in Pirated Software

Security researchers are warning of new Mac ransomware spread via pirated software on torrent and similar sites.

Malwarebytes director of Mac and mobile, Thomas Reed, explained that the EvilQuest malware is now dubbed “OSX.ThiefQuest” to avoid confusion with a 2012 gaming title.

He was first alerted to the ransomware hidden in a legitimate-looking edition of macOS firewall Little Snitch and uploaded to a Russian torrent site. However, it has subsequently been found in an installer for DJ software Mixed In Key 8 and will “undoubtedly” be hidden in other pirated software, Reed claimed.

“The malware wasn’t particularly smart about what files it encrypted, however,” he continued. “It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.”

Other researchers have indicated that the ransomware also contains a keylogger, due to the presence of calls to system routing CGEventTapCreate, and even steals any cryptocurrency wallet-related files it finds. The malware also opens a reverse shell to communicate with a command and control (C&C) server, Reed explained.

Once complete, the pop-up message demands $50 from the victim to recover their files. As of yet there is no decryption key available, although Reed said that researchers are working on trying to understand what kind of encryption the malware uses and whether it can be cracked, like the FindZip Mac variant.

In the meantime, he recommended best practice backups and effective AV as the main way to mitigate the threat.

“The best way of avoiding the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all-important data, and at least one should not be kept attached to your Mac at all times (ransomware may try to encrypt or damage backups on connected drives),” Reed concluded.

“I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location.”

Categories: Cyber Risk News

Security Serious Opens Nominations for Fifth Unsung Heroes Awards

Thu, 07/02/2020 - 10:45
Security Serious Opens Nominations for Fifth Unsung Heroes Awards

Nominations for the fifth annual Security Serious Unsung Heroes Awards are open.

Intended to recognize the people who significantly contribute to the information security industry, whether in the classroom, in law enforcement or within corporate organizations, nominations are now open and will remain open until August 31 2020. The Unsung Heroes Awards will take place on Tuesday October 13 via a virtual cocktail event.

A total of 14 awards are open for nomination, including a new award added this year to recognize those helping to keep UK businesses safe during the COVID-19 pandemic. The categories are:

  • Captain Compliance 
  • Godfather/Godmother of Security 
  • Cyber Writer 
  • CISO Supremo  
  • Security Avengers (best team) 
  • Best Security Awareness Campaign 
  • Security Leader/Mentor 
  • Apprentice/Rising Star 
  • Best Educator 
  • Best Ethical Hacker/Pen Tester 
  • Channel Champion 
  • DevSecOps Trailblazer 
  • Data Guardian  
  • COVID Hero

The Unsung Heroes Awards, created by Eskenzi PR and Smile on Fridays, have been sponsored by KnowBe4, Protiviti and Qualys. Yvonne Eskenzi, director of Eskenzi PR and founder of the Security Serious Unsung Heroes Awards, said: “It's true that 2020 might feel like a year worth forgetting, but cyber-criminals certainly haven't given up. There must be some incredible superstars out there in cybersecurity keeping businesses and their remote workers safe – and we want to thank those people.

“We need everyone’s help to nominate those security professionals they think are worthy of acknowledgement and bring a little joy back into this year!"

Previous award winner Quentyn Taylor, director of information security EMEA for Canon Europe, said that it is really important to support these kinds of efforts. “The Unsung Heroes Awards recognize the real people in information security, not just the ones you see in the magazines every single time,” he said. “Not just the ones who get put on the news whenever there’s an incident, but the ones who maybe don’t have time to do that but are soldiering away in the background to make the world a safer place, and that’s why these awards have credibility.” 

Categories: Cyber Risk News

Scam Cryptocurrency Biz Dissolved After Stealing £1.5m

Thu, 07/02/2020 - 10:15
Scam Cryptocurrency Biz Dissolved After Stealing £1.5m

A scam cryptocurrency trading platform has been wound up by the courts after stealing £1.5m in clients’ funds.

Gpay Limited was incorporated on 30 August 2017, and later traded as Cryptopoint and XtraderFX, according to a statement from government agency The Insolvency Service.

It was finally closed down in the public interest last week by the High Court, after scamming countless novice traders who were drawn to the platform via online advertising.

These ads, often on social media, claimed that the platform was supported by experienced traders and innovative technology that could help even investors with no prior experience to make money.

They also falsely claimed that Gpay was endorsed by Martin Lewis, founder of MoneySavingExpert, and entrepreneurs from the hit TV show Dragons’ Den.

“Screw you! Piss off! And good riddance Gpay ltd,” Lewis said in a Facebook post linking to the government announcement.

Government investigators had found that at least 108 clients had lost almost £1.5m, in many cases despite having paid for insurance designed to protect them against any losses.

Those that tried to remove funds from their trading accounts were told that this wasn’t possible unless they sent across copies of photo ID, utility bill and debit/credit card. Such requests were apparently not necessary when the victims initially sent over their deposits.

Withdrawals would also be blocked if customers hadn’t traded with their deposited funds, according to the government.

“GPay persuaded customers to part with substantial sums of money to invest in cryptocurrency trading. This was nothing but a scam as GPay tricked their clients to use their online platform under false pretenses and no customer has benefited as their investments have been lost,” said Insolvency Service chief investigator, David Hill.

“We welcome the court’s decision to wind-up GPay as it will protect anyone else becoming a victim. This scam should also serve as a warning to anyone who conducts trading online that they should carry-out appropriate checks before they invest any money that the company is registered and regulated by the appropriate authorities.”

Categories: Cyber Risk News

Facebook Privacy Snafu Exposes User Data to Thousands of Apps

Thu, 07/02/2020 - 09:10
Facebook Privacy Snafu Exposes User Data to Thousands of Apps

Facebook has discovered another back-end privacy issue which meant that thousands of apps continued to receive users’ personal information even after access should have automatically expired.

The social network’s vice-president of platform partnerships, Konstantinos Papamiltiadis, explained in a blog post that rules to limit developer access to Facebook user data were brought in several years ago.

“In 2014, we introduced more granular controls for people to decide which non-public information — such as their email address or their birth date — to share when they used Facebook to sign into apps,” he said.

“Later, in 2018, we announced that we would automatically expire an app’s ability to receive any updates to this information if our systems didn’t recognize a person as having used the app within the last 90 days.”

However, the firm recently discovered that some apps continued to receive previously authorized user data, even though they hadn’t used the app in 90+ days.

“From the last several months of data we have available, we currently estimate this issue enabled approximately 5000 developers to continue receiving information — for example, language or gender — beyond 90 days of inactivity as recognized by our systems,” Papamiltiadis continued.

“We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.”

The issue was fixed within a day and he said that Facebook is introducing new Platform Terms and Developer Policies to improve transparency further with the developer community and ensure they “clearly understand their responsibility to safeguard data and respect people’s privacy.”

The social network has been tightening its restrictions on third-party developers since the Cambridge Analytica scandal in 2018. In September last year it announced the removal of tens of thousands of apps from hundreds of developers that were suspected of having the potential to abuse policies on user privacy and security.

Categories: Cyber Risk News

SonicWall Appoints Tristan Bateup as Country Manager for Ireland

Thu, 07/02/2020 - 08:15
SonicWall Appoints Tristan Bateup as Country Manager for Ireland

Cybersecurity solutions company SonicWall has announced the appointment of Tristan Bateup as country manager for Ireland as the firm seeks to expand its presence and capabilities in the country.

Bateup has more than 10 years of experience in the cybersecurity industry, having previously spent five years managing SonicWall partner business at distributor Exertis before joining SonicWall to serve as strategic account manager for the UK and Ireland.

Will Benton, regional director, Northern Europe at SonicWall, said: “Tristan’s experience and skills have already proved invaluable in establishing our presence in Ireland since his appointment. SonicWall places great importance in its partner relationships, and Tristan’s strong experience on both sides of the relationship contributes to bringing us even closer to our partner network in Ireland.”

To address the needs of Ireland-based customers, SonicWall will be consolidating its channel strategy and expanding its partner base in the country, responding to the rising demand for enterprise cybersecurity solutions in the growing Irish economy and the strong competitive market.

“Ireland is growing strongly, and that brings security concerns,” Bateup explained. “Recently, Irish businesses have had to deal with increasingly insidious threats from cyber-criminals while adjusting to a 100% remote workforce. SonicWall has evolved its Boundless security offering to cover the skills and budget gaps caused by just such a scenario. So joining the team when today’s Irish customers need hyper-distributed IT is the right move at the right time.”

Categories: Cyber Risk News

Pages