Info Security


NTT Data Center Subsidiary Settles with FTC in Privacy Spat

Wed, 07/01/2020 - 19:14

A subsidiary of Japanese tech communications giant NTT has settled with the Federal Trade Commission over a complaint that it misled customers about its participation in the Privacy Shield framework.

NTT Global Data Centers used to be called RagingWire, but the Japanese telco acquired a majority 80% stake in the business in 2014, buying the remaining stock in January 2018. In November 2019, the FTC accused the Nevada-based data storage company of not being honest about its participation in the EU-US Privacy Shield framework.

Privacy Shield is a legal framework that lets companies transfer consumer data from EU countries to the US. It imposes privacy conditions on those companies to ensure that they remain compliant with EU law. It replaced the prior Safe Harbor agreement that existed between the two countries after a legal challenge ended that arrangement.

The FTC said that RagingWire claimed to participate in the Privacy Shield framework in its online privacy policy between January 2017 and October 2018, even though it had allowed its certification to lapse in January 2018. The Department of Commerce, which administers the framework, asked it twice to remove the claims or restore its certification, but it ignored the requests until the FTC approached it in October 2018.

The company also failed to meet a key Privacy Shield condition, according to the FTC complaint: after its certification lapsed, it didn't continue to apply the framework's protections to personal information collected while participating in the program.

The consent agreement says that NTT Global Data Centers will not misrepresent its role in government privacy programs again. It will also hire an independent third-party assessor to review its compliance for as long as it remains self-certified under Privacy Shield. It must also protect personal information it collects while operating under the framework even after its certification lapses, or return or delete that data.

The FTC's legal team reached the settlement agreement with the company in April 2020, suspending its lawsuit until FTC commissioners could consider the proposal. They voted 3-1-1 in favor, with one commissioner not participating and one dissenting.

The statement from those voting in favor said that the data center operator "was, in fact, touting its participation in Privacy Shield as a selling point."

Categories: Cyber Risk News

California's CCPA Gets Teeth Today

Wed, 07/01/2020 - 18:42

As of today, the California state government is enforcing the California Consumer Privacy Act (CCPA). Companies that don't comply with the law can expect stiff penalties from the government, along with potential consumer lawsuits.

Although the CCPA was signed into law two years ago and has been in effect since January 1, there was a six-month grace period during which companies were expected to review their procedures and ensure that they complied with the regulations. Today marks the start of real enforcement, when the attorney general can hold businesses accountable for violations.

Industry had pressured the state government to delay the enforcement date as companies struggled to cope with the COVID-19 pandemic, but the government held firm. It submitted the final set of proposed regulations for approval under the CCPA on June 2.

Darren Wray, CTO at data privacy company Guardum, warned that California has a reputation for aggressively pursuing its regulations. "Regulators are almost certainly going to come down strongly on high-profile breaches or compliance failures to show they mean business," he said. "We can also expect to see an uptick in the number of consumer complaints when they are unhappy with how a company has handled their data. We will also see more social media shaming for large companies that have failed in their new CCPA duties."

From today, penalties against companies that violate the CCPA rules could cost companies $2,500 per individual violation, or $7,500 for intentional violations. The law also allows for consumer lawsuits with statutory payments of $100–$750 per violation.

This could all lead to soaring fines, warned Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. "With companies collecting data about millions of California residents, the numbers add up quickly to sums that could dwarf the FTC's $5 billion settlement with Facebook," he said.

The law affects any person or organization doing business in California with over $25m in annual revenue, or any business collecting information on over 50,000 people or devices. Companies making more than 50% of their annual revenue from the sale of personal information also come under the CCPA.

Categories: Cyber Risk News

Bitcoin Scammers Use Celebrity Names to Lure Victims

Wed, 07/01/2020 - 17:59

Phishing scammers have targeted thousands of victims in an intricate cryptocurrency fraud, it was revealed this week. They used extensive information about the victims along with a complex multi-stage campaign that used fake news sites and celebrity names to lure them into a fraudulent investment scheme.

The online heist, discovered by Singapore-based threat hunting and intelligence company Group-IB, targeted victims across countries including the UK, Australia, South Africa, the US, and Singapore.

Victims receive a text message informing them of a news report about a lucrative new investment scheme. The message contains a URL supposedly pointing to a well-known media outlet. In fact, it is a unique short link to a redirect page. This page uses the short link to look up extensive personal data about the victim, including their name, phone number, and occasionally an email address.

The page sends this data when redirecting the victim to a fake news website tailored to look like a legitimate news site. The scammers even fake different news properties depending on the victim's location. UK residents are taken to a spoofed page from the Daily Mirror, for example.

The fake news story describes the cryptocurrency investment scheme, misleading the victim by attaching a celebrity to the story and claiming that they had made lots of money with it. All links in the article would take the victim to a site for the investment fraud. Links are customized with the victim's personal information as parameters, which the investment page uses to populate a registration form.

This would leave the victims with little to do other than click the submit button, at which point they are told they will be contacted via phone by a representative. They are also asked to fill their account with a minimum of 0.03 bitcoins.

This is not the first scam to hijack celebrity names in a bid to lend credence to a shady investment site. Group-IB identified a similar one in February. What's different about this one is the amount of personal information that the scammers already had about each victim, the company said. It has searched for this information on online marketplaces to no avail. The scammers may have purchased the information from a data broker, it mused.

Cryptocurrency scammers have a habit of hijacking well-known brands and names. One common tactic is to take over verified Twitter accounts to get that all-important blue badge, and then to alter the account name to make it look like a celebrity is writing the tweets. Scammers have used this tactic to hijack Elon Musk's name when luring people into cryptocurrency fraud.

Categories: Cyber Risk News

Remote Workers Becoming More Security Conscious Although Bad Habits Persist

Wed, 07/01/2020 - 15:45

Remote workers have become significantly more cybersecurity conscious since the COVID-19 lockdown began, according to a new study from Trend Micro. It found that nearly three-quarters (72%) of remote workers are more aware of their organization’s cybersecurity policies, and 85% now take instructions from their IT team seriously.

Additionally, 81% agreed that workplace cybersecurity is partly their responsibility, whilst 64% acknowledged that it is a security risk to use non-work applications on a corporate device.

The findings, taken from interviews with 13,200 remote workers across 27 countries, suggest that employees are increasingly recognizing the additional cyber-threats to businesses brought about by the sudden shift to mass home working during the pandemic.

Despite this however, the report indicated that bad cybersecurity habits remain highly prevalent amongst remote workers. Over half (56%) of respondents admitted to using a non-work application on a corporate device, and 66% have uploaded corporate data to that application. Personal browsing using work laptops was found to be undertaken by 80% of remote workers, with just 36% fully restricting the sites they use, whilst 39% said they often or always access corporate data from a personal device.

A small proportion even admitted to watching/accessing porn (8%) and accessing the dark web on their work laptop (7%).

These kinds of risky behaviors appear to stem from attitude rather than ignorance, with 34% stating that they do not give much thought as to whether the apps they use are sanctioned by their organizations’ IT team.

Bharat Mistry, principal security strategist at Trend Micro, said: “It’s encouraging to see that so many take the advice from their corporate IT team seriously. Having said that, there are individuals who are either blissfully ignorant or worse still who think cybersecurity is not applicable to them and will regularly flout the rules. Hence having a one size fits all security awareness program is a non-starter as diligent employees often end up being penalized. A tailored training program designed to cater for employees may be more effective.”

Categories: Cyber Risk News

Entries Now Open for the 2020 Tech Trailblazers Awards

Wed, 07/01/2020 - 13:30

Entries have now opened for the Tech Trailblazers Awards 2020, which recognize the achievements of outstanding early-stage tech companies around the world.

The awards are only available for smaller businesses and startups under six years old, and applicants must also be at C-series funding or below. Since the awards were launched in 2012, many previous winners have gone on to lucrative futures. In the ‘cloud’ category, seven former winners or runners-up have since been acquired, while winners or runners-up in the ‘security’ category have gone on to collectively raise $722m in funding rounds.

There are 12 major enterprise categories that can be applied for in addition to three special categories, all of which are now open. The enterprise categories are as follows:

  • AI
  • Big data
  • Blockchain
  • Cloud
  • Containers
  • Developer tools
  • Fintech
  • IoT
  • Mobile technology
  • Networking
  • Security
  • Storage

The three special categories are made up of female and male CxOs of the year, as well as the Firestarter award. Early-stage startup firms – those aged two years or under without VC funding – can apply for one of the tech categories for free via the new Firestarter bursary, which will automatically enrol them for the Firestarter award.

Rose Ross, founder of the Tech Trailblazers Awards, said: “This year’s process will be more comprehensive than ever. Entrants will have the opportunity to build their case with an executive interview for the Founders on Fire podcast and, in another first for the awards, shortlisted companies will be offered an opportunity to present a ‘Lightning Talk’ to the judges.

“The awards are a cracking opportunity for ambitious companies to present their innovations to the influential group of people that is our international judging panel.”

Infosecurity’s editor Michael Hill is confirmed as one of the judges for the awards.

Entries close on September 11 and the online entry process is powered by Judgify, making it easy to create and refine entries over a period of time prior to submitting.

Categories: Cyber Risk News

Malware Uses Postal App Lure to Send SMS Messages and Steal Data

Wed, 07/01/2020 - 12:30

A new version of Android malware, which exfiltrates and sends SMS messages, has been detected stealing financial and application data and reading account information and contact lists.

According to research by Cybereason, the malware, which it calls FakeSpy, is under constant development and has been active for over three years. Research found the attackers send fake text messages to lure victims into clicking on a malicious link, which directs them to a malicious web page and prompts them to download an Android application package (APK).

FakeSpy masquerades as a legitimate postal service application, and once installed, requests permissions so that it may control SMS messages and steal sensitive data on the device, as well as proliferate to other devices in the target device’s contact list.

The researchers determined that the developers are adding new features to the malware on a regular basis. “The newer version of FakeSpy uses new URL addresses for malicious communication with FakeSpy,” the research explained. “The function mainly uses a DES encryption algorithm to encode these addresses.”

Calling it “one of the most powerful information stealers on the market,” the Cybereason Nocturnus research team said the malware authors seemed to be putting a lot of effort into improving the malware, bundling it with numerous new upgrades that make it more sophisticated, evasive and well-equipped.

In terms of attribution, Cybereason's investigation suggests the threat actor behind the FakeSpy campaign is a Chinese-speaking group dubbed Roaming Mantis, which has led similar campaigns. It began by mainly targeting users in South Korea and Japan, and has now extended its reach more globally.

Jake Moore, cybersecurity specialist at ESET, said the fake text lure often works “as the victims expect an unknown number and – even if they haven’t ordered something – they assume the message is genuine, clicking through to any given links.”

Niamh Muldoon, senior director of trust and security at OneLogin, added: “The challenge for the individuals and organizations building delivery apps such as the ones targeted by the latest FakeSpy variation is building a process that enforces MFA without introducing too much end-user friction; balancing the risk and user-acceptance is key.”

Categories: Cyber Risk News

Nominations Open for the Outstanding Security Performance Awards 2021

Wed, 07/01/2020 - 11:45

Nominations are now open for the Outstanding Security Performance Awards (OSPAs) 2021.

The OSPAs are an independent and inclusive global awards scheme currently running in 13 countries to recognize and reward companies and individuals across the security sector. The awards present an opportunity to acknowledge role models and thought leaders who have made significant contributions to the industry and will be judged by high-profile professionals representing the many leading supporting associations and groups.

Professor Martin Gill, founder of the awards, said: “I encourage everyone working in the sector to submit at least one nomination; security too often operates under the radar and the OSPAs provide the opportunity to highlight and promote the pioneering work that is being carried out.”

Entry to the UK OSPAs is open and nominations are invited in the following categories:

  • Outstanding In-House Security Manager/Director
  • Outstanding Contract Security Manager/Director
  • Outstanding Security Team
  • Outstanding Contract Security Company (Guarding)
  • Outstanding Security Consultant
  • Outstanding Customer Service Initiative
  • Outstanding Security Training Initiative
  • Outstanding Security Installer/Integrator
  • Outstanding Event Security Team
  • Outstanding Security Partnership
  • Outstanding Security Equipment Manufacturer
  • Outstanding New Security Product
  • Outstanding Security Officer
  • Outstanding Young Security Professional
  • Outstanding Cyber Security Initiative
  • Lifetime Achievement Award

Nominations are open until October 1 2020 and shortlisted nominees will be announced in November. The awards ceremony will take place in the first quarter of 2021.

Categories: Cyber Risk News

FCC: Huawei and ZTE Are National Security Threat

Wed, 07/01/2020 - 11:00

The Federal Communications Commission (FCC) has officially declared Chinese tech firms Huawei and ZTE national security risks, as part of its plans to remove the vendors’ equipment from US telecoms networks.

The FCC’s decision means that no carrier tapping the $8.5bn Universal Service Fund (USF), a government subsidy used mainly by smaller telcos often serving rural areas, can use the funds to purchase kit from the two Chinese firms.

“With today’s orders, and based on the overwhelming weight of evidence, the [FCC’s Public Safety and Homeland Security] Bureau has designated Huawei and ZTE as national security risks to America’s communications networks — and to our 5G future,” said FCC chairman Ajit Pai. 

“Both companies have close ties to the Chinese Communist Party and China’s military apparatus, and both companies are broadly subject to Chinese law obligating them to cooperate with the country’s intelligence services.”

The FCC first revealed its plan back in October 2019, stating at the time that under the proposals the USF would not be allowed to pay for firms deemed a national security risk. It also suggested that existing USF recipients would have to be audited to see how many have Huawei/ZTE kit in place and how much it would cost to remove and replace it.

In March this year, a new law freed up $1bn to help smaller telecoms firms rip-and-replace Huawei and ZTE equipment.

Huawei and others have long argued that such plans are self-defeating as they will set US innovation back and represent poor value-for-money for taxpayers and consumers alike.

However, Pai struck a defiant tone in his prepared comments yesterday.

"The Bureau also took into account the findings and actions of Congress, the executive branch, the intelligence community, our allies and communications service providers in other countries,” he said.

“We cannot and will not allow the Chinese Communist Party to exploit network vulnerabilities and compromise our critical communications infrastructure. Today’s action will also protect the FCC’s Universal Service Fund — money that comes from fees paid by American consumers and businesses on their phone bills — from being used to underwrite these suppliers, which threaten our national security.”

Categories: Cyber Risk News

CIOs Raise the Alarm Over TLS Cert Security Risks

Wed, 07/01/2020 - 09:45

Three-quarters of global CIOs are concerned about the proliferation of TLS certificates and the growing security risks associated with them, according to a new study from Venafi.

The security vendor polled 550 CIOs from the US, UK, France, Germany and Australia to better understand attitudes to the certificates increasingly used to protect data flowing to trusted machines.

Digital transformation efforts have led to an explosion of TLS certificates protecting modern computing systems, and the manual or semi-autonomous processes used to keep track of them are no longer fit for purpose.

That can lead to large numbers expiring without the knowledge of IT, exposing the organization to risk. A previous Venafi study revealed that IT professionals on average each found over 57,000 TLS machine identities that they did not know they had in their businesses and clouds.

More than half (56%) of CIOs polled in the new study said they worry about outages and business interruptions due to these expired certificates.

The problem is only set to get worse: 93% of respondents told Venafi that they had a minimum of 10,000 active TLS certificates, while 40% said they have over 50,000 currently in use. However, nearly all (97%) of CIOs estimated that the number of TLS certificates used by their organization would increase at least 10-20% over the coming year.

Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi, claimed that CIOs are likely still underestimating the number of TLS machine identities they currently have in use.

“As a result, they are unaware of the size of the attack surface and the operational risks that these unknown machine identities bring to their organization. Whether it’s debilitating outages from expired certificates, or attackers hiding in encrypted traffic for extended periods of time, risks abound,” he argued.

“The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network — and this includes short-lived certificates that are used in the cloud, virtual and DevOps environments.”
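The discover-and-monitor advice above boils down to knowing which certificates are about to lapse before they cause an outage. The script below is an added example, not Venafi's or the article's own tooling: it handshakes with each host in an inventory, triages the leaf certificate by days of validity left, and reports hosts whose handshake already fails rather than silently dropping them. The hostnames, the 30-day warning threshold and the sample results are constructed for illustration.

```python
"""Expiry triage for an inventory of TLS endpoints (added example, not Venafi's tooling)."""
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy: flag anything with fewer than this many days of validity left.
WARN_DAYS = 30


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left) for a cert dict shaped like ssl.SSLSocket.getpeercert().

    status is "expired", "expiring" or "ok"; days_left goes negative once expired.
    """
    now = now or datetime.now(timezone.utc)
    # getpeercert() renders dates as e.g. "Jul 11 12:00:00 2020 GMT"; the stdlib parses that form.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    if not_after <= now:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with host and return its leaf certificate as a dict.

    Chain validation stays on: an already-expired or untrusted certificate raises
    ssl.SSLCertVerificationError here, which collect() records instead of swallowing.
    (With verification disabled, getpeercert() would return an empty dict anyway.)
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def collect(hosts, port=443):
    """Fetch every host's certificate, keeping failures as exceptions so one bad host cannot abort the run."""
    results = {}
    for host in hosts:
        try:
            results[host] = fetch_cert(host, port)
        except (OSError, ssl.SSLError) as exc:  # SSLError covers SSLCertVerificationError
            results[host] = exc
    return results


def triage(results, now=None, warn_days=WARN_DAYS):
    """Map each host to a status tuple; hosts whose handshake failed are reported, not dropped."""
    report = {}
    for host, cert in results.items():
        if isinstance(cert, Exception):
            report[host] = ("handshake_failed", type(cert).__name__)
        else:
            report[host] = classify(cert, now, warn_days)
    return report


# Constructed sample data standing in for a real inventory scan, with a fixed clock so it is repeatable.
SAMPLE_NOW = datetime(2020, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_RESULTS = {
    "app.example.test": {"notAfter": "Jul 11 12:00:00 2020 GMT"},   # 10 days left
    "api.example.test": {"notAfter": "Sep  1 12:00:00 2020 GMT"},   # 62 days left
    "old.example.test": {"notAfter": "Jun 30 12:00:00 2020 GMT"},   # lapsed yesterday
    "down.example.test": ssl.SSLCertVerificationError("certificate has expired"),
}


def sample_report():
    """Triage the constructed sample against the fixed clock."""
    return triage(SAMPLE_RESULTS, now=SAMPLE_NOW)


if __name__ == "__main__":
    # For a live run, replace SAMPLE_RESULTS with collect(["host1", "host2", ...]).
    for host, (status, detail) in sample_report().items():
        print(f"{host:20} {status:17} {detail}")
```

A "handshake_failed" entry is itself actionable: an expired leaf or an untrusted chain fails verification before the date can even be read, which is exactly the outage the CIOs above are worried about.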

Categories: Cyber Risk News

Lawmakers Call on Government to Regulate Social Media

Wed, 07/01/2020 - 08:40

UK lawmakers have called on the government to take action “without delay” to regulate social media, in a bid to tackle misinformation online.

The House of Lords Committee on Democracy and Digital Technologies reported on Monday that a “pandemic of misinformation” poses an existential threat to democracy, and that companies like Facebook and Google need to be held accountable.

The list of reforms set out by the committee included tighter regulation for political advertising to ensure it is brought into line with other forms of advertising in requirements for truth and accuracy.

Working with the Advertising Standards Authority, political parties should develop a code of conduct to ban inaccurate ads during times of elections and referendums, it said. Wildly inaccurate claims made by the Leave campaign, including that the NHS would receive an extra £350m per week if Britain left the EU, are believed to have influenced many to vote Brexit.

There should also be more transparency around who pays for specific political ads and beefed up powers for the Electoral Commission to fine £500,000 or 4% of total campaign spend for those breaking the rules.

The Lords also called on the government to push ahead with an online harms bill which would give regulator Ofcom the power to hold platform providers legally responsible for content produced by individuals with large numbers of followers. The regulator should be given powers to fine such companies 4% of global annual turnover or force ISPs to block serial offenders.

Ofcom should also be given the power to ensure online firms are transparent in how their algorithms work so they are not operating in a discriminatory manner, the committee said.

An independent ombudsman should be appointed to provide a point of contact for individuals to complain to in the event they feel let down by digital platforms.

Committee chair and Labour peer, David Puttnam, argued that the perils of misinformation have become clear during the COVID-19 crisis.

“We have set out a program for change that, taken as a whole, can allow our democratic institutions to wrestle power back from unaccountable corporations and begin the slow process of restoring trust,” he added.

“Technology is not a force of nature and can be harnessed for the public good. The time to do so is now.”

Catherine Stihler, chief executive of the Open Knowledge Foundation, argued that the only way to fight misinformation and disinformation is to make information open, so authorities like journalists and scientists can report the facts.

“Tech giants have a responsibility to increase transparency and work closely with fact checkers, but self-regulation is never going to be enough by itself – government intervention is required,” she added.

“The UK government should take account of public opinion and the recommendations in this report and work towards a future that is fair, free and open.”

Categories: Cyber Risk News

Faulty Drivers Fuel ATM Hacking Problem, Say Researchers

Tue, 06/30/2020 - 18:52

Faulty Windows drivers are to blame for many attacks against ATM and point-of-sale (POS) devices, according to research from Portland, Oregon–based hardware security research company Eclypsium. In a report released this week, it built on previous research highlighting how attackers can exploit poorly designed third-party drivers to gain control over the kernel of Microsoft's operating system and the underlying device firmware. It went on to explain how people can exploit these vulnerabilities to target highly regulated devices.

The researchers found a vulnerable Windows driver exposing a Diebold Nixdorf ATM to attack after acquiring the computer used in the ATM, which controls critical components, including the cash cassettes. The hardware driver provided arbitrary access to I/O ports on the system, enabling it to access devices connected via the PCI interface. The system also used the driver to update the device's BIOS firmware, which could enable it to install a boot kit, they warned. The ATM vendor has already worked with Eclypsium to fix the problem, the report said.

This is not an isolated problem, the researchers warned. "These capabilities in a vulnerable driver could have a devastating impact on ATM or POS devices. Given that many of the drivers in these devices have not been closely analyzed, they are likely to contain undiscovered vulnerabilities," the report said.

Eclypsium drilled down into the specific driver problems that create problems for the Windows kernel in previous research. It named several vendors that had released vulnerable drivers for their devices.

For a long time, there was no way for Windows to mitigate these problems. That changed with the introduction of hypervisor-enforced code integrity (HVCI), which protects Windows from malicious code using built-in virtualization features. The problem is that this feature requires newer processors and isn't yet supported by many third-party drivers, they warned.

ATM hardware doesn't get replaced all that often, meaning that many of them won't be equipped with HVCI. Regulations also slow down the driver patching process, the researchers added. If a device is certified to external security standards, then any change that a vendor makes to its software or firmware could result in delays as it goes through the certification process again, they said.

Other security companies have also highlighted problems with patching ATM software. In a 2019 white paper about ATM security challenges, Fortinet pointed out that manual processes for patching ATMs might fall outside the scope of corporate patch management systems that banks use for conventional IT equipment. That can make it difficult for IT administrators to patch thousands of ATMs across a distributed infrastructure, it warned.

Attacks on ATM hardware (as opposed to the use of add-on skimming devices) are a perennial problem for banks. In September 2019, malware from the Lazarus Group was discovered targeting ATMs in Indian banks. Cash-out crews have also reportedly been targeting US ATMs with 'jackpotting' attacks, in which malware forces devices to continually dispense cash, since 2018.

Categories: Cyber Risk News

Unauthorized Data Sharing Puts Companies at Risk

Tue, 06/30/2020 - 18:07

Inappropriate data sharing continues to be a problem for companies, according to a survey from data discovery and auditing software vendor Netwrix. Although most companies have designated secure storage areas for their data, many find it leaking into insecure areas, its research found.

A quarter of companies have discovered data stored outside designated secure locations in the past year, according to the vendor's "2020 Data Risk & Security" report. It took them considerable time to discover the stray data, with 23% reporting that it lay undiscovered for weeks.

This data seems to make its way into insecure storage because employees don't follow data sharing policies, if they exist at all. According to the survey, 30% of systems administrators granted direct access to sensitive data based only on user requests. The results show up in audits and can lead to financial penalties. Of companies that experienced unauthorized data-sharing incidents, 54% ended up with non-compliance findings from audits.

Many companies don't keep tabs on user data access privileges, the survey found. It reported that a little over half of all organizations don't review these access privileges regularly.

This lack of visibility into access rights makes it hard to track data sharing. According to the survey, only half of all organizations are confident that employees are not sharing data without the IT department's knowledge. Of those, 29% cannot track employee data sharing at all, making their claims difficult to prove.

The survey examined all stages of the data life cycle from creation through to disposal. It found poor practices at the data-creation stage that have direct implications for other stages such as data sharing. Nearly two-thirds of the survey respondents said that they couldn't confirm they only collect the minimum amount of customer data required. Of those, 34% are subject to the GDPR, which limits the amount of data they are allowed to collect. Companies that collect more customer data than they need to and fail to manage it properly later on compound their security risk.

The survey covered 1,045 IT professionals around the world, with the largest proportion (48%) coming from North America, followed by 26% from the EMEA region. Half the companies had 1,000 employees or fewer.

Categories: Cyber Risk News

US Government Warns of Palo Alto Vulnerability

Tue, 06/30/2020 - 17:10

The US government has warned of a critical flaw in Palo Alto Networks equipment that could enable attackers to take over its devices with minimal skill.

The warning, issued by US Cyber Command, urged people to patch all devices affected by the vulnerability immediately. It said that foreign advanced persistent threat actors will attempt to exploit it soon.

Please patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use. Foreign APTs will likely attempt exploit soon. We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.

— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) June 29, 2020

As a user of these products, US Cyber Command would have reason to worry about foreign nation-states targeting its networks and those of its partners. It is one of eleven unified commands at the US Department of Defense, and oversees the US military's cyberspace operations.

The vulnerability, CVE-2020-2021, concerns the authentication process in PAN-OS, which is the operating system driving Palo Alto firewalls. When authentication using the Security Assertion Markup Language (SAML) is enabled and the 'Validate Identity Provider Certificate' option is unchecked, the system doesn't verify signatures properly, enabling someone to gain unauthenticated access to protected resources over a network.

Although it has a severity of 10—the highest possible—this is not a remote code execution vulnerability. It would, however, allow an unauthenticated attacker with network access to web interfaces to log into its firewalls as administrator. The bug affects its PA and VM series next-generation firewalls, the company said in the vulnerability announcement.

This attack could be particularly damaging to customers now because they rely heavily on firewall and VPN access to serve employees working remotely during the COVID-19 pandemic.

The security hardware vendor said that it is not aware of any malicious attempts to exploit the vulnerability thus far.

Administrators can patch the vulnerability today by upgrading: Palo Alto has released point releases for PAN-OS versions 8.0, 8.1, 9.0 and 9.1 that fix the problem. Alternatively, they can disable SAML authentication, which removes the issue until they can apply the point upgrade but means switching to another form of authentication in the meantime.
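A quick way to find the weak setting described above is to audit a configuration export for SAML identity provider profiles that have certificate validation turned off, and then list the authentication profiles that depend on them. The script below is an added example, not Palo Alto's code; the XML layout and element names (`saml-idp`, `validate-idp-certificate`, `authentication-profile`) are constructed approximations of a PAN-OS export and should be adapted to a real one before relying on the result.

```python
"""Audit a PAN-OS-style config export for SAML profiles that skip IdP
certificate validation (the weak setting behind CVE-2020-2021).

Added example, not vendor code. Element names below are assumptions
modelled on a PAN-OS export; adjust the XPath strings to match a real one.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one weak and one validated IdP profile,
# plus three authentication profiles (two SAML, one local database).
SAMPLE_CONFIG = """<config><shared>
  <server-profile><saml-idp>
    <entry name="corp-idp"><validate-idp-certificate>no</validate-idp-certificate></entry>
    <entry name="partner-idp"><validate-idp-certificate>yes</validate-idp-certificate></entry>
  </saml-idp></server-profile>
  <authentication-profile>
    <entry name="gp-saml"><method><saml-idp><server-profile>corp-idp</server-profile></saml-idp></method></entry>
    <entry name="admin-saml"><method><saml-idp><server-profile>partner-idp</server-profile></saml-idp></method></entry>
    <entry name="local-auth"><method><local-database/></method></entry>
  </authentication-profile>
</shared></config>"""


def weak_saml_idp_profiles(config_xml):
    """Return the names of SAML IdP profiles whose certificate validation
    is not explicitly enabled. A missing element is flagged too, so that
    an unknown state is reviewed rather than assumed safe."""
    root = ET.fromstring(config_xml)
    weak = []
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="")
        if flag.strip().lower() != "yes":
            weak.append(entry.get("name"))
    return weak


def exposed_auth_profiles(config_xml):
    """Map each authentication profile that uses a weak IdP profile to the
    IdP profile name, so the operator knows which logins are affected
    (e.g. GlobalProtect or the admin web interface)."""
    root = ET.fromstring(config_xml)
    weak = set(weak_saml_idp_profiles(config_xml))
    exposed = {}
    for entry in root.iterfind(".//authentication-profile/entry"):
        idp = entry.findtext("method/saml-idp/server-profile")
        if idp is not None and idp.strip() in weak:
            exposed[entry.get("name")] = idp.strip()
    return exposed


if __name__ == "__main__":
    for auth_profile, idp in exposed_auth_profiles(SAMPLE_CONFIG).items():
        print(f"auth profile {auth_profile!r} uses IdP {idp!r} without "
              "certificate validation: patch PAN-OS or disable SAML here")
```

Run it against a saved export; any profile it reports should be patched or moved off SAML, as the advisory above describes.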

This advisory comes almost exactly a year after Palo Alto announced a remote code execution flaw in its GlobalProtect Portal and Gateway interface products. That vulnerability, rated High with a CVSS score of 8.1, allowed attackers to execute arbitrary code without authentication. In April 2019, Carnegie Mellon's CERT Coordination Center also warned that the company's VPN software was storing cookies insecurely in log files.

Categories: Cyber Risk News

New Cybersecurity Standard for IoT Devices Established By ETSI

Tue, 06/30/2020 - 15:30

A new standard for cybersecurity in the Internet of Things (IoT) has been unveiled today by the ETSI Technical Committee on Cybersecurity. It establishes a security baseline for internet-connected consumer products and for future IoT certification schemes. It is hoped the standard, titled ETSI EN 303 645, will help prevent large-scale, prevalent attacks taking place against smart devices.

Developed in collaboration with industry, academics and government, the standard aims to restrict the ability of cyber-criminals to control devices across the globe and launch DDoS attacks, mine cryptocurrency and spy on users in their own homes. This has become a major concern for the cybersecurity industry due to the growing prevalence of smart devices in households, many of which have security weaknesses.  

Earlier this month, for example, an investigation by Which? found that 3.5 million wireless indoor security cameras across the world potentially have critical security flaws that make them vulnerable to hacking.

ETSI EN 303 645 outlines 13 provisions for the security of a wide range of IoT consumer devices and their associated services. These include children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances and smart home assistants.

Five specific data protection provisions for consumer IoT are also set out in the standard.

Mahmoud Ghaddar, CISO Standardization, commented: “Ensuring a better level of security in the IoT ecosystem can only be achieved if governments, industry and consumers collaborate on a common and reachable goal, and standardization bodies like ETSI have provided the right platform to achieve it for this standard.”

A number of manufacturers and IoT stakeholders have already developed products and certification schemes according to ETSI EN 303 645. Juhani Eronen, chief specialist at Traficom, added: “To date we have awarded the labels to several products including fitness watches, home automation devices and smart hubs. Being involved in the development of the ETSI standard from the start helped us a lot in building up our certification scheme. Feedback from companies and hackers has been very positive so far.”

Categories: Cyber Risk News

Indian Government Bans TikTok and 50+ Chinese Apps

Tue, 06/30/2020 - 11:25

The Indian government has banned over 50 Chinese-made smartphone apps including popular social title TikTok over concerns they may be stealing user data.

The 59 titles also include Twitter-like platform Weibo and WhatsApp clone WeChat, as well as a range of other browser, camera, news, entertainment and communications apps.

A government statement noted that the decision was taken due to fears that the apps were “prejudicial to sovereignty and integrity of India, defense of India, security of state and public order.”

These concerns were linked to fears over users’ data security and privacy.

“The Ministry of Information Technology has received many complaints from various sources including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India,” it said.

Although the concerns may be genuine, the timing appears to be deliberate, coinciding with a period of heightened tensions between the two Asian giants after recent border clashes left 20 Indian soldiers dead.

According to the BBC, India is TikTok’s biggest foreign market with an estimated 120 million users.

However, the app has come in for criticism not only in India. In the US, the Pentagon banned its use by soldiers early this year on security concerns related to its Beijing-based owner ByteDance.

The Committee on Foreign Investment in the United States (CFIUS) has launched an inquiry into whether the user data TikTok collects represents a national security risk. If this becomes a full-blown investigation it could even put the sale of the title, which was originally a US app called, in jeopardy.

Concerns also swirl over the extent to which TikTok is influenced by Beijing, after it appeared to censor content linked to pro-democracy protesters in Hong Kong.

ProPrivacy digital privacy expert, Ray Walsh, argued that although New Delhi’s decision was probably taken for geopolitical reasons, it doesn’t mean it has no basis in privacy best practice.

“The decision will drastically reduce the amount of data passing from Indian citizens to Chinese authorities, via seemingly innocuous and hugely popular apps such as TikTok. These apps are known to harvest huge amounts of data from their users, resulting in covert international surveillance for the Chinese government,” he argued.

“Although the ban is likely to be controversial among Indian citizens, it may well cause other world leaders to consider whether they could or should impose similar sanctions.”

It remains to be seen how easy it is to enforce such a ban in practice.

Categories: Cyber Risk News

InFraud Cybercrime Gang Member Pleads Guilty to Charges

Tue, 06/30/2020 - 10:30

A leading figure in a notorious cybercrime organization has pleaded guilty before a Nevada court to racketeering charges.

Russian national Sergey Medvedev — aka “Stells,” “segmed” and “serjbear” — pleaded guilty to conspiracy charges under the Racketeer Influenced and Corrupt Organizations Act (RICO), according to the Department of Justice (DoJ).

According to the indictment, the InFraud group he was a member of was founded in 2010 by 34-year-old Ukrainian Svyatoslav Bondarenko to be an expert in “carding” — the online trafficking of stolen personal and financial information.

“Under the slogan, ‘In Fraud We Trust,’ the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware and other illicit goods,” the DoJ said. 

“It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information and other contraband were permitted to advertise to members.”

By March 2017 there were an estimated 10,900 registered members of InFraud. The DoJ claimed that during its seven-year history it made over $568m from its victims — financial institutions, merchants and individuals.

The group was finally taken down in early 2018 after police in Australia, the UK, France, Italy, Kosovo and Serbia swooped on 13 individuals thought to have key roles in InFraud. An indictment was subsequently released charging 36 suspected members.

Medvedev, 33, was extradited from Thailand after being arrested there during the 2018 international police crackdown.

The news comes just days after another Russian national, Aleksei Burkov, was sentenced to nine years behind bars for operating the Cardplanet website, which sold stolen card data.

Categories: Cyber Risk News

US Suspends Sensitive Tech Exports to Hong Kong

Tue, 06/30/2020 - 09:45

The US government has said it will suspend export of sensitive defense technologies to Hong Kong after China passed a controversial national security law in the Special Administrative Region (SAR).

In a brief statement on Monday, commerce secretary Wilbur Ross argued that the new law meant that sensitive US tech may find its way into the hands of the People’s Liberation Army (PLA) or the fearsome Ministry of State Security (MSS), both of which are prolific sources of cyber-attacks on foreign targets.

“Commerce Department regulations affording preferential treatment to Hong Kong over China, including the availability of export license exceptions, are suspended,” he continued.

“Further actions to eliminate differential treatment are also being evaluated. We urge Beijing to immediately reverse course and fulfill the promises it has made to the people of Hong Kong and the world.”

The controversial law was passed unanimously today by China’s rubber-stamp parliament, the National People’s Congress.

It seeks to criminalize activities such as secession and collusion with foreign forces, but many see it as an attempt to muzzle political activists and protesters in the region. The law also flies in the face of the binding “one country, two systems” agreement between China and the UK which intended the SAR to retain its autonomy for 50 years after the handover in 1997.

Judging by Ross’s remarks, the ban on exports of sensitive technologies to Hong Kong is likely to presage a wider revocation of the SAR’s special status under US law, by which it is granted certain preferential economic and trading rights over China.

On Friday, the State Department also imposed visa restrictions on Chinese Communist Party officials accused of undermining Hong Kong’s autonomy.

Beijing’s opaque political system is such that no Hong Kongers have yet even been able to see and read for themselves exactly what the legislation entails.

However, reports suggest it will carry a maximum sentence of life.

Categories: Cyber Risk News

#COVID19 HMRC Phishing Scams Persist, Begin Targeting Passport Details

Tue, 06/30/2020 - 08:45

Fraudsters are continuing to exploit self-employed people with advancements in already-established COVID-related HMRC phishing scams.

Uncovered by Griffin Law, the latest variation of this attack is now targeting the passport details of self-employed people, along with other information including personal and bank details.

According to Griffin Law, the scam begins with a text message purporting to be from HMRC informing the recipient they are due a tax refund which can be applied for online via an official looking site that uses HMRC branding and is entitled “Coronavirus (COVID-19) guidance and support.”

The bogus site then asks for several pieces of the user’s sensitive information before also requesting their passport number as ‘verification’ – a new aspect of the scam previously discovered by Griffin Law.

So far, Griffin Law has ascertained that around 80 self-employed London-based workers have reported receiving this scam to their respective accountant.

Stav Pischits, CEO of Cynance, said: “The COVID-19 crisis has triggered a sharp rise in phishing attacks targeting businesses and individuals with realistic scams promising financial support and purporting to be from HMRC.

“All it takes is a single employee to accidentally hand over confidential company information, such as bank account details, a username or password for a potentially catastrophic data breach to occur.”

It’s therefore vital that all companies invest in improving cybersecurity procedures, particularly with millions of employees working remotely for the foreseeable future, he added.

Chris Ross, SVP, Barracuda Networks, warned that cyber-criminals will continue to exploit any situation to harvest financial data from individuals and see the national emergency as the perfect opportunity to fool vulnerable victims into handing over personal information.

“Security awareness is key within the workforce, and it’s vital that all employees are trained about how these schemes operate as well as how SMS can be exploited as part of a wider phishing scheme.”

Categories: Cyber Risk News

Businesses Lack a Workable Ransomware Recovery Strategy

Tue, 06/30/2020 - 08:00

More than a third of businesses do not have a ransomware emergency plan in place, or are not aware if one exists within their company.

According to research from Ontrack covering 484 organizations, 39% either did not have a ransomware strategy or were not aware of one, while 26% admitted they could not access any working backups after an attack.

“The threat of ransomware has never been greater,” said Philip Bridge, president of Ontrack. “The fact that only 39% of respondents to our survey have an emergency plan in place for a ransomware attack is shocking. They are gambling with their and their customers’ data.

“It is imperative, now as ever, to ensure your organization has processes and procedures in place to mitigate the impact of any cyber-attack and protect sensitive data,” added Bridge.

As the third anniversary of the NotPetya attacks was marked at the weekend, David Grout, CTO of EMEA at FireEye, said NotPetya highlighted the need for resiliency, backup and preparation, as well as the importance of being able to track and identify the perpetrators and understand their motives.

“In terms of what can be done to mitigate the effects of these attacks, primarily, it is essential that patches are made available quickly and that they are widely adopted. If a discovered vulnerability can be exploited, it is highly likely that threat groups will use it, and continue to do so until it is fixed, inflicting untold damage,” he said.

“The NotPetya attack could have been mitigated by ensuring updates to software were regularly conducted, as well as thorough assessments of a given organization’s security, especially through simulated cyber-breaches.”

Speaking to Infosecurity, BH Consulting CEO Brian Honan said, with ransomware becoming an increasing concern for many organizations, he is seeing more businesses take steps to tackle the threat.

“However, many of these steps focus very much on the preventive aspect of security controls and in particular on ensuring effective anti-virus software is in place. While this is an important element in protecting against ransomware, organizations do need to take a more holistic approach to protecting their businesses and ensuring they can continue to function and recover from an attack should it happen.”

Honan recommended having robust data backup and data recovery strategies in place. “The key is to ensure business resilience in the event of a ransomware attack,” he said. “To achieve this, organizations should incorporate their incident response processes, for all cyber-attacks and not just for ransomware attacks, with their business continuity plan so they can continue to operate, while looking to recover from secure backups.

“A good backup strategy that is regularly reviewed, secured and tested to ensure the data can be recovered is one of the most effective defenses against ransomware.”

Categories: Cyber Risk News

UCSF Pays $1.14m Ransomware Fee

Mon, 06/29/2020 - 20:02

The University of California, San Francisco (UCSF) confirmed last week that it had paid $1.14m to ransomware criminals, less than a month after discovering that critical academic data related to its COVID-19 research had been encrypted.

The university said in a statement on Friday that it had detected a security incident affecting some of its School of Medicine servers on June 1. It had quarantined the affected IT systems at the time. The attackers managed to encrypt some of the university's systems with ransomware and demanded a payment. Although the university believed that no patient's medical records were affected, the data was important enough that it was forced to play ball with the criminals. It said:

"The data that was encrypted is important to some of the academic work we pursue as a university serving the public good. We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained."

UCSF was one of three higher education establishments to be targeted in a single week at the start of June by the Netwalker ransomware gang.

The BBC received a tip that enabled it to drop in on a chat session between UCSF and the criminal gang on the dark web. According to the chat transcript, Netwalker originally asked for a $3m ransom, but UCSF countered, asking them to accept $780,000. The two parties kept haggling, until they agreed on a final sum of $1,140,895. That equated to 116.4 bitcoins, which the university transferred the following day.

Universities are difficult places to protect because their networks are vast and geared toward open information sharing. In September 2019, the UK's National Cyber Security Centre reported that UK universities were at particular risk from nation-state attacks, although most pay the threat little attention. In May last year, Moody's Investors Service warned that universities have numerous campuses and thousands of students along with budgetary constraints, making their cybersecurity effort especially difficult. Its research, sponsored by IBM Security, revealed 101 confirmed data disclosures at US universities in 2017, up from just 15 in 2014.

Categories: Cyber Risk News