A malicious email campaign that exploits the notoriety of youthful Swedish climate crisis activist Greta Thunberg has been discovered by multiple research teams.
Threat actors constructed an email that appears to invite the recipient to participate in a demonstration being held to protest the lack of government action being taken to protect the natural environment.
The email purports to be from environmental activist Greta Thunberg. In a bid to appear more authentic, the sign-off references a genuine accolade recently awarded to Thunberg—being named Time Person of the Year 2019.
The email states that the time and location of the non-existent demonstration are included in a Microsoft Word document "Support Greta Thunberg.doc," which is attached to the email. When the victim opens the document, the Emotet malware is installed on their computer.
Emotet is a banking Trojan that has been around since 2014 and has recently made a significant comeback. In the 2019 Q3 Threat Report by Proofpoint, researchers found that Emotet accounted for nearly 12% of all malicious emails in that quarter.
As if exploiting the positive actions of a teenager and public concern over the future of the planet wasn't enough, the emotionally manipulative scammers stooped even lower by throwing Christmas and children into the mix.
The content of the malicious email reads: "Merry Christmas. You can spend Christmas Eve looking for gifts for children. They will tell you Thank you only that day. But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis."
Proofpoint researchers who detected this festive incarnation of Emotet wrote: "This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season."
Sickeningly, the threat actors appeared to be specifically targeting .edu domains used by students.
"We saw more .edu domains attacked than domains associated with any specific country," wrote Proofpoint researchers.
Versions of the same malicious email have been doing the rounds in a variety of languages, including Spanish, Italian, French, and Polish.
The one positive takeaway is that the threat actors’ topic of choice signals growing global awareness of Thunberg and the issues for which she advocates.
Proofpoint researchers noted that the campaign "serves as a mark of how significant environmental awareness has become and how well-known Greta Thunberg is globally."
New research into the attitudes and beliefs of cybersecurity professionals has identified a sharp rise in the number of businesses paying up when stung by a ransomware attack.
The 2019 Global Security Attitude Survey Report by California cybersecurity technology company CrowdStrike shows that the proportion of global organizations paying a ransom following a supply-chain attack has more than doubled in the past year, from 14 to 39 percent.
In the UK, over the same time period, the number of businesses coughing up their money after being held to ransom by threat actors has increased by 100 percent from 14 percent to 28 percent.
On a more positive note, it takes UK organizations on average 39 hours to detect an adversary, versus a sluggish global average of 120 hours.
Over three-quarters (77 percent) of survey respondents admitted that their organization had experienced a supply-chain attack at least once at some point in time, up from 66 percent in 2018. However, compared to last year, more businesses said that they were prepared for such an incident.
Over half (52 percent) of those hit by a software supply-chain attack in 2019 had a comprehensive strategy in place at the time, compared to only just over a third (34 percent) 12 months ago.
"Reacting with speed to next-generation, persistent and pervasive threats requires the power of the cloud and crowdsourced data on the real threats facing organizations, whether they are malicious files or from file-less behaviors," said John Titmus, senior director, sales & solution engineering, EMEA region, CrowdStrike.
"The solution to these threats lies within the power of the cloud and AI to leverage vast data sets to spot indicators of attack before those attacks break out and become breaches. Then organizations react at the speed required to beat organized cybercriminals and nation-state adversaries."
The 2019 Global Security Attitude Survey Report is based on responses from 1,900 senior IT decision-makers and professionals from across the US, Canada, UK, Mexico, Middle East, Australia, Germany, Japan, France, India, and Singapore, working in a wide range of industries. Responses were recorded in the fall of 2019.
UK police officers and staff reported on average four lost or stolen devices every day over the most recent financial year, according to newly released data.
Think tank Parliament Street received responses to Freedom of Information (FOI) requests from 22 forces across the country, submitted to better understand their risk exposure from mobiles, tablets, laptops, radios, USB drives and other devices.
In total, 2,600 of these devices were reported lost or stolen over the past three financial years, with around half (1,360) reported in the financial year 2018-19.
This amounts to an increase in lost/stolen devices of 150% from the 544 reported missing in 2016-17.
The worst offender was West Midlands Police, which reported 1,012 missing devices over the three-year period. This included 16 laptops, 112 mobile phones and 884 police radios, 494 of which went missing last year.
There was a big drop-off before second-placed Staffordshire Police, which reported 277 lost or stolen devices, and third-placed Greater Manchester Police (225).
The forces that saw the biggest increase in missing equipment between 2016 and 2019 were Gwent Police, which reported a 2,500% jump, Norfolk and Suffolk Constabulary (1,500%) and Durham (200%).
Absolute Software VP EMEA, Andy Harcup, argued that most of these devices would have contained sensitive data on police investigations, including confidential information about criminals, suspects and victims.
“Everyone recognizes the loss of laptops and mobiles in the line of duty is inevitable, so it’s vital that forces have the necessary systems in place to track and freeze equipment when it falls into the wrong hands,” he added.
“This approach can help improve cybersecurity standards, protect the privacy of individuals and prevent criminals and opportunistic thieves from misusing police devices and stealing data.”
It’s not just the police that are exposed to cyber-risk related to device loss. UK government workers reported over 500 lost or stolen devices over the past year, while at the Ministry of Defence, missing device reports soared 300% over the past two years.
It's unclear whether the majority of devices reported lost or stolen by the police were password protected, encrypted, and/or fitted with remote-wipe capabilities, in line with best practice.
A database of 267 million Facebook user IDs, phone numbers, and names was left exposed online for a fortnight thanks to another cloud misconfiguration, according to researchers.
The trove was likely to have been the result of an illegal scraping operation carried out by cyber-criminals, according to consultant Bob Diachenko and researchers at Comparitech.
“One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018,” explained Comparitech’s Paul Bischoff.
“Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.”
The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.
The database itself was first indexed on December 4, with the data posted on a hacker forum eight days later. Diachenko discovered it on December 14 and notified the ISP managing the IP address, and five days later it was made unavailable.
The original leak came about because of a misconfigured Elasticsearch cluster.
This is just the latest in a long line of data leaks stemming from unsecured cloud databases. In November personal data on over one billion individuals harvested by data enrichment companies was found exposed.
Then in December, over one billion email-password “combos” were found in a similar way by Diachenko. They’re thought to have been stolen or bought by hackers.
An EU court ruling yesterday has raised questions over the validity of the Privacy Shield data sharing framework between Europe and the US, although it confirmed the legality of standard contractual clauses (SCCs), with caveats.
The opinion of advocate general (AG) of the EU Court of Justice, Henrik Saugmandsgaard Øe, stems from the infamous Facebook-Max Schrems case in which a complaint by the latter claimed that transfer of his data from the EU to the US by the social network infringed his privacy rights.
That case led to the end of the Safe Harbor data sharing agreement between the EU and US in 2015, because the latter’s bulk surveillance programs, as revealed by Edward Snowden, were considered to imperil Europeans’ privacy rights without providing any adequate means of redress.
The new opinion issued by the advocate general indicates the EU still has concerns over Safe Harbor’s successor, Privacy Shield.
“According to the advocate general, the resolution of the dispute in the main proceedings does not require the court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87,” a statement from the Court of Justice noted.
“Nevertheless, the advocate general sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”
However, SCCs are still a valid and legal way to transfer data to and from a “third country” (i.e. one outside the EU), despite the US surveillance regime, the opinion found.
The caveat is that data protection authorities in the trading bloc must keep an eye on the conditions within these third countries.
There is an obligation on them “to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.”
Overall, this is good for business and will ease fears about data flows post-Brexit as the UK will effectively become a third country at that time, according to experts.
“The advocate general’s opinion that the EU SCCs remain valid will be welcomed by business on both sides of the Atlantic, as the SCCs are one of the key mechanisms that underpin transfers of personal data to countries outside of the EU, including to the US,” said Bridget Treacy, partner at law firm Hunton Andrews Kurth.
“Despite the continuing validity of the SCCs, the AG points out that businesses that rely on the clauses still need to assess whether the recipient can comply with the clauses in relation to each particular transfer, and suspend transfers when that is not the case. Furthermore, EU data protection supervisory authorities have the power to suspend data transfers pursuant to the SCCs when an adequate level of protection for personal data cannot be provided in light of local laws and practices in the recipient country.”
The AG’s opinion is not legally binding, but the European Court of Justice, which is hearing the case next year, usually follows the same thinking.
Australia's Deakin University is to launch the country's first cybersecurity course accredited by the Australian Computer Society (ACS).
The ACS is the only body in Australia with the power to accredit IT and ICT courses. Only recently did it add cybersecurity to its accreditations.
Deakin University is the first educational establishment to be awarded specialist course accreditations in cybersecurity by the ACS, with five Deakin degrees and master's programs receiving recognition.
Yohan Ramasundara, president of ACS, said: "ACS has long been recognized as the accrediting body for technology-related degrees and post-graduate qualifications related to initial professional practice.
"With the growing need for expertise in cybersecurity for our evolving and growing digital economy, introducing recognition for specialist cybersecurity qualifications and expertise was a must."
ACS accreditation is awarded to an institution and its programs after a rigorous evaluation of their capacity to produce graduates who have the knowledge and skills required of a professional. Currently, there are more than 340 programs offered by over 40 institutions that are accredited by the ACS as meeting graduate standards for initial professional practice.
Professor Karen Hapgood, Deakin’s executive dean of science, engineering and built environment, said the university's new cybersecurity accreditation demonstrated the high quality and academic integrity of its cybersecurity courses.
"Deakin is proud to be able to offer students a fully accredited cybersecurity course that will be recognized industry-wide and overseas," Professor Hapgood said.
"It certainly endorses the high-quality curriculum and the high quality of academic staff teaching our courses, and validates Deakin’s decision last year to update its cybersecurity courses in line with industry and world needs.
"As cybersecurity becomes more important to our national and global security than ever before, it is vital that students can take comfort that they are being taught at the highest possible level."
Around 500 students study a Bachelor or Master of Cybersecurity at Deakin each year, with an average annual intake of 150 students. The university launched the courses three years ago.
While cybersecurity courses are currently offered at many universities and other educational institutions across Australia, until now none of these courses has been accredited by an external and independent body.
Massachusetts' Department of Revenue is not doing enough to protect the sensitive information of taxpayers.
A recent report on the cybersecurity protocols of the Department of Revenue (DOR), compiled by auditor of the commonwealth Suzanne Bump, found that the DOR had no system in place to assess and document third-party vendor risks.
Furthermore, the audit found that the DOR had no documented and tested incident response procedures and had not established an information technology strategy committee.
The department previously had a security review board, but the board has not been active since early 2017.
"Without a committee or board charged with governing DOR’s IT environment, responsibility for IT governance and risk is not clear. This can result in information security risks and investments not being aligned with business needs," states the report.
"Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion."
The audit revealed that the DOR had failed to come up with an interdepartmental service agreement with the Executive Office of Technology Services and Security (EOTSS) that defined and documented updated roles and responsibilities despite having three years in which to do so.
The report states: "DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay."
No instances in which sensitive data had been compromised were discovered, but Bump’s office found that the DOR "was not prepared to respond to or mitigate cyber-attacks it or its vendors face" and "did not have procedures in place to guide its response to IT security incidents."
"The whole infrastructure for data security was missing at the Department of Revenue," Bump said in an interview that aired Sunday morning on Boston TV show On the Record.
The report, which was published on December 13, covered the DOR’s IT and security-related activities from July 2016 through December 31, 2018.
New research into litigation trends has identified cybersecurity as a major new source of legal disputes in the United States.
Of the 287 lawyers polled, 44 percent said that they foresee cybersecurity and data protection as a new source of disputes during the next few years.
The results of the 2017 and 2018 editions of the Litigation Trends Annual Survey saw cybersecurity and data protection concerns coming to the forefront as a key challenge in dispute management. However, the trend saw a marked rise this year, with respondents reporting an increase in the number of disputes triggered by data privacy issues.
From 2018 to 2019, the number of in-house counsel who rated cybersecurity and data privacy as the most important litigation issue they faced doubled. More than half of those surveyed (52 percent) feel more exposed than previously to such disputes.
Respondents to Norton Rose Fulbright's survey said that their concern over cybersecurity stemmed from the volume of threats, the creativity of threat actors, and the sensitivity of the data content. Counsel were also worried about some jurisdictions’ enactment of stringent data privacy laws.
Rapid growth in the size of the organization was also a key factor. One respondent quoted in the research wrote: "We’re growing at such a fast rate, in terms of the number of companies and the volume of work in the insurance industries, we have a large number of consumer-facing data points, so our consumer data retention is probably tripling yearly."
Companies in 2019 whose in-house counsel took part in the survey spent $1.5m on average on disputes and employed 2.5 disputes lawyers per $1bn of revenue.
Researchers found that more than 80 percent of companies conduct third-party and/or in-house assessments of cybersecurity and data protection risks, and such assessments are helpful in reducing these types of risks.
Other findings of the research are that counsel predict a rise in litigation caused by an anticipated economic downturn. Thirty-five percent of corporate counsel—8 percent more than in 2018—expect disputes to increase in the next year. Nearly two-thirds of corporate lawyers said economic downturns lead to an increase in litigation cases.
Introduced in 2004, Norton Rose Fulbright’s Litigation Trends Annual Survey is the longest-running survey of corporate counsel on litigation issues and trends.
Honda has become the latest big-name brand to expose the personal information of countless customers because of a cloud misconfiguration.
The carmaker’s North America business leaked around 26,000 unique customer records thanks to an unsecured Elasticsearch cluster, according to security researcher, Bob Diachenko.
He found 976 million records in total in the exposed database, around one million of which related to Honda owners and their vehicles, including names, contact details and vehicle information.
Although he was unable to confirm the volume of exposed records, Honda put the figure at just shy of 30,000.
“We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII,” it said in a statement sent to Diachenko. “We can also say with certainty that there was no financial, credit card or password information exposed on this database.”
On the plus side, the company acted promptly to resolve the security issue, shutting the server on December 13, just a day after it was informed. However, it claimed the misconfiguration happened on October 21 and the database was first indexed by search engine BinaryEdge on December 4, leaving plenty of time for hackers to potentially scan for and find the trove.
Diachenko warned that it could be used to craft convincing follow-on phishing emails.
“The security issue you identified could have potentially allowed outside parties to access some of our customers’ personal information. We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability,” the statement continued.
“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations.”
The incident comes just months after Honda leaked 40GB of data on its internal security systems, via another unsecured Elasticsearch server.
A former IT administrator at Palo Alto Networks and four others have been charged with insider trading, in a three-year conspiracy said to have netted them over $7 million in profits.
According to a complaint filed by the SEC, Janardhan Nellore used his IT credentials and work contacts to access confidential information about his former employer’s financial performance and quarterly earnings.
He then allegedly traded Palo Alto Networks shares based on that information, and tipped off four friends: Sivannarayana Barama, Ganapathi Kunadharaju, Saber Hussain, and Prasad Malempati.
To cover up the scam, he is alleged to have told the group to use the code word “baby” to refer to the technology company’s stock. It’s also claimed that some of the group kicked back profits to Nellore in small sums to avoid scrutiny.
Nellore is said to have bought one-way tickets to India for himself and his family following an interview with the FBI, and was arrested at the airport. Reports suggest the group made over $7 million from insider trading activity that ran from 2015 to 2018.
“As alleged in our complaint, Nellore and his friends exploited Nellore’s access to valuable earnings information and attempted to hide their misconduct using code words and carefully tailored cash withdrawals,” said Erin Schneider, director of the SEC’s San Francisco Regional Office. “This case highlights our use of enhanced data analysis tools to spot suspicious trading patterns and identify the traders behind them.”
Nellore and Barama are also the subject of criminal charges issued by the US Attorney’s Office for the Northern District of California.
Insider trading is increasingly facilitated by unauthorized IT access to digital information. In January this year, two Ukrainian nationals were charged with hacking the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which stores documents related to company disclosures including test filings made before announcements go public.
They then allegedly sold this information to insider traders, making over $4 million in the process.
The FBI has issued a warning to holiday travelers not to use public Wi-Fi on the road this Christmas because of cybersecurity concerns.
As internet users cross countries and continents to be with friends and family over the holiday period, the Feds argued that Wi-Fi hotspots should be avoided.
“Don’t allow your phone, computer, tablet, or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device. They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera,” it said in a “Tech Tuesday” post this week.
“If you do need to connect to a public hotspot — such as at an airport or hotel — make sure to confirm the name of the network and the exact login procedures. Your goal is to avoid accidentally connecting to a fraudster’s Wi-Fi that they are trying to make look legit.”
If using a public hotspot is unavoidable, the FBI urged users not to log in to any sensitive accounts such as online banking. Where possible, the Bureau advised individuals to use their smartphones as a private hotspot for other devices.
Although these best practices have long been promoted by the information security community, users, including business travelers, continue to expose themselves to unnecessary risks by using public Wi-Fi without adequate security.
A 2018 study from iPass revealed that 81% of global IT leaders had recorded staff Wi-Fi-related security incidents over the previous year.
VPNs are seen as the best way to ensure traffic and web browsing sessions are protected from Wi-Fi snoopers. However, UK IT leaders were least confident (38%) that their mobile workers are using a VPN every time they go online.
The FBI warning comes just weeks after LA County’s district attorney issued a public security notice warning people not to use public USB charging points for fear of so-called “juice jacking” malware attacks.
A bill designed to enhance the cybersecurity of K-12 schools was introduced to the US House of Representatives on Monday.
If passed into law, the K-12 Cybersecurity Act would require the Department of Homeland Security (DHS) to create a list of cybersecurity recommendations and a cybersecurity toolkit for educational institutions to use when making improvements to their cyber-protections.
The bill was introduced by Senators Rick Scott and Gary Peters, who both serve on the Senate Homeland Security Committee.
Peters, who also serves on the Governmental Affairs Committee, said: "Schools across the country are entrusted with safeguarding the personal data of their students and faculty, but lack many of [the] resources and information needed to adequately defend themselves against sophisticated cyber-attacks."
Support for the bill has been expressed by the National Education Association, the American Federation of Teachers, the National Association of Secondary School Principals, and the Consortium for School Networking.
It would further require the DHS to research and report back on the overall cyber-risks faced by schools.
Scott said: "The safety of our schools is always my top priority, and that includes protecting the information of our students and teachers. I’m proud to sponsor the K-12 Cybersecurity Act of 2019 to further protect our schools, students and educators, and give them the resources they need to stay safe."
The bill closely mirrors the State and Local Government Cybersecurity Improvement Act, which was introduced to the House in August but has yet to see any action.
According to data collected by Armor, over 1,000 schools in the United States have been affected by ransomware alone in 2019. In Louisiana, Governor John Bel Edwards declared a statewide emergency in July in response to ransomware attacks on three school districts.
It isn't just malware that poses a risk to American schools. In August 2019, a high school in Spotsylvania County, Virginia, wired $600,000 to a fraudulent football field turf provider after being deceived in an elaborate email phishing scam.
"School districts are a treasure trove for cyber-criminals seeking to pilfer valuable information, such as social security numbers and financial information until a ransom has been paid. From January through November of this year, SonicWall detected almost nine million intrusion attempts, demonstrating the tenacity and dedication of online threats and threat networks," commented Bill Conner, CEO of cybersecurity firm SonicWall.
A Siemens contractor who sabotaged computer programs so that he would later be re-hired to fix them has been jailed.
David Tinley of Harrison City, Pennsylvania, pleaded guilty in federal court to a charge of intentional damage to a protected computer back in July 2019.
Between 2014 and 2016, the 62-year-old computer programmer inserted malicious pieces of code known as logic bombs into software used at the Monroeville branch of Siemens in Pennsylvania. The logic bombs were designed to unleash code that would cause the software to malfunction after specific circumstances arose.
"The logic bombs ensured that the programs would malfunction after the expiration of a certain date. As a result, Siemens was unaware of the cause of the malfunction and required Tinley to fix these malfunctions," reads a statement released July 19, 2019, by the United States Attorney's Office of the western district of Pennsylvania.
Deceived by Tinley's despicable ruse, Siemens reputedly paid tens of thousands of dollars to the contractor to fix the masterfully orchestrated problems of his own sinister creation. According to a pre-sentence memorandum, Tinley paid Siemens $42,000 in restitution for that work.
For his criminal actions, Tinley faced a maximum prison term of 10 years and a maximum fine of $250,000. On Monday, December 16, United States District Judge William S. Stickman handed the corrupt contractor a six-month federal prison sentence and ordered him to pay a $7,500 fine.
Once his custodial sentence has been served, Tinley will spend a further two years under court-ordered supervision.
According to Law360 (registration required), the computer programs that prosecutors said Tinley had damaged were in fact spreadsheets that Siemens used to manage orders.
Siemens rumbled Tinley's logic-bomb-planting scheme in May 2016, when the contractor, who was out of town and unable to visit the office to carry out a fix in person, provided Siemens staff with a password that unlocked the spreadsheets.
Assistant United States Attorney Shardul S. Desai prosecuted this case on behalf of the government.
United States Attorney Scott W. Brady lauded the Federal Bureau of Investigation for its investigation, which led to the successful prosecution of Tinley.
A Canadian laboratory testing company has made a payment to secure the sensitive information of millions of customers that was exposed during a cyber-attack.
LifeLabs opted to pay up after criminals gained unauthorized access to the information of 15 million customers. Most of the customers impacted were in British Columbia and Ontario.
In an open letter to customers, president and CEO of LifeLabs Charles Brown said customer information exposed in the incident may have included names, addresses, email addresses, logins, passwords, dates of birth, health card numbers, and lab test results.
The information accessed by the cyber-criminals has not been exposed publicly.
Brown wrote: "I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations."
After identifying that a data breach had occurred, the laboratory engaged security experts to isolate and secure the affected systems and determine the scope of the incident.
LifeLabs then took steps to strengthen their system against future attacks and paid an undisclosed amount to retrieve the data that had been accessed.
Brown wrote that the payment had been made "in collaboration with experts familiar with cyber-attacks and negotiations with cyber-criminals."
The laboratory's investigation into the incident indicates that the lab-test results of around 85,000 Ontario customers, who underwent tests in 2016 or earlier, may have been impacted in the incident. Similarly, any health information accessed by the cyber-criminals is thought to have dated from 2016 or earlier.
LifeLabs has offered any customers who are concerned about this incident a year's worth of free security protection that includes dark-web monitoring and identity-theft insurance.
Brown wrote that the attack occurred despite the laboratory's efforts to increase their cybersecurity in recent years.
"While we’ve been taking steps over the last several years to strengthen our cyber defenses, this has served as a reminder that we need to stay ahead of cybercrime, which has become a pervasive issue around the world in all sectors," wrote Brown.
Brown gives no indication as to where the attack originated, when it happened, or who perpetrated it.
Government partners were notified of the breach on October 28, and the incident is currently under investigation by law enforcement.
A digital consultancy has accidentally leaked the personal details of thousands of US defense contractor employees after yet another misconfiguration of cloud infrastructure, it has emerged.
Washington DC-based IMGE accidentally exposed the names, phone numbers, home and email addresses of more than 6000 Boeing staff, according to The Daily Beast.
The trove featured government relations staff and senior executives, including one who apparently worked at the contractor’s advanced prototyping unit on highly sensitive technologies.
“This information was exposed as a result of human error by the website’s vendor,” a Boeing spokesperson told the news site. “Boeing takes cybersecurity and privacy seriously and we require our vendors to protect the data entrusted to them. We are closely monitoring the situation to ensure that the error is resolved quickly.”
The information itself is said to have been harvested by IMGE from a website called Watch US Fly, dedicated to “advancing and protecting American aerospace and manufacturing.”
That site requests that supporters leave their contact details for future campaigns and in order to direct their demands to fund Boeing projects to the right lawmakers, according to the report.
However, it is blocked in the UK so Infosecurity could not confirm these details.
It’s unclear how long the data was left exposed in the Amazon S3 bucket, although the Boeing employees were just a small fraction of the 50,000 individuals whose personal information was reportedly compromised by the snafu.
Chris DeRamus, CTO of DivvyCloud, explained that cloud misconfigurations like this are increasingly common as many users aren’t familiar with cloud security settings and best practices.
“It is especially concerning that the database contained information about 6,000 Boeing employees, many of whom are heavily involved with the US government and military, as the exposed data is more than enough information for cyber-criminals to launch highly targeted attacks against those impacted to gain more confidential government information,” he added.
“Companies who manage large amounts of sensitive data, especially data related to government and military personnel, need to be proactive in ensuring their data is protected with proper security controls. Companies must adopt robust security strategies that are appropriate and effective in the cloud at the same time they adopt cloud services – not weeks, months, or years later.”
Over 1000 US schools have now been affected by ransomware so far this year, according to new data from Armor.
The security vendor claimed to have discovered 11 new school districts, comprising 226 schools, that have been compromised by the malware since late October.
That brings the total number of affected school districts to 72 for the year, impacting an estimated 1039 schools nationwide.
Chris Hinkley, head of Armor’s threat resistance unit (TRU), said the attackers are deliberately targeting organizations that store sensitive data and run critical services.
“The attackers know that the services these organizations provide are critical to their communities, and they also know that schools and municipalities are typically more vulnerable to security attacks because of their limited budgets and lack of IT staff,” he said.
“This combination can give the threat actors a tremendous advantage over their victims because they know these entities cannot afford to shut down and are often more likely to pay the ransom.”
Fortunately, of the 11 districts caught in the latest round of ransomware attacks, only one is confirmed to have paid the ransom.
Earlier this week Microsoft urged customers not to pay the cyber-criminals.
“We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous, and only refuels the attackers’ capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers,” argued Ola Peters, senior cybersecurity consultant at the firm’s Detection and Response Team (DART).
“The most important thing to note is that paying cyber-criminals to get a ransomware decryption key provides no guarantee that your encrypted data will be restored.”
The bad news for US organizations doesn’t end with school districts. According to Armor, 82 municipalities and 44 healthcare organizations have also been hit with ransomware this year.
The figures from Emsisoft are even more stark: 103 municipalities and 759 healthcare providers, as well as 1224 schools, may have been impacted by ransomware so far this year.
Facebook is expanding its fact-checking program on Instagram globally to help combat the rising tide of misinformation on the social site.
The social network started working with third-party fact-checkers in the US back in May. If content is assessed as false, Instagram will then label it as such for global users and remove it from Explore and hashtag pages to reduce its exposure.
Now fact-checking organizations around the world will be able to participate in the program, although they’re not the only tool in the social network’s armory.
“We use image matching technology to find further instances of this content and apply the label, helping reduce the spread of misinformation. In addition, if something is rated false or partly false on Facebook, starting today we’ll automatically label identical content if it is posted on Instagram (and vice versa),” the firm explained.
“The label will link out to the rating from the fact-checker and provide links to articles from credible sources that debunk the claim(s) made in the post. We make content from accounts that repeatedly receive these labels harder to find by removing it from Explore and hashtag pages.”
Instagram said it combines community feedback — including any users who have chosen to avail themselves of a new “false information” option — with in-house technology to determine which content to send to fact-checkers for review.
Although less commonly associated with fake news and state-backed attempts to spread misinformation than Facebook, Instagram is being increasingly used in “coordinated inauthentic behavior.”
Earlier this week Instagram also announced an anti-bullying initiative which uses AI to warn users if their captions “may be considered offensive.”
An internal whistleblower has raised concerns about the cybersecurity of Minnesota's largest health insurer, BlueCross BlueShield.
As reported yesterday by the Star Tribune newspaper, the whistleblower expressed concern that BlueCross BlueShield had left its system vulnerable to attack by neglecting to make thousands of important updates to its computer system.
Internal documents show that despite warnings to executives, 200,000 vulnerabilities that were deemed “critical” or “severe” were left to fester on the company's computer systems. In most cases, software patches to fix the issues were available.
Documents obtained by the newspaper show that as far back as August 2018, cybersecurity engineer Tom Yardic met with executives to share concerns that important patches hadn't been installed.
Frustrated with their response, Yardic went on to email his concerns to the company's CEO and board of trustees on September 16.
“I am sending this e-mail because I have been unable to impact the situation within the avenues the organization provides,” wrote Yardic. “What has not happened is a serious attempt to remedy the situation.”
In a statement emailed to the Star Tribune, the company's chief information security officer, Amy Ecklund, said that BlueCross BlueShield is working hard to cut the number of security vulnerabilities down before the end of the year.
"We certainly understand that our members expect us to protect their most sensitive data, and we want them to know that we are committed every single day to doing just that," said Ecklund.
BlueCross BlueShield Minnesota insures 2.8 million people. To date, the company has not reported a data breach of its own systems.
The personal data of 11,000 members of Minnesota's Supervalu Group Health Plan were breached in 2015 after Minnesota BlueCross BlueShield stored their information on vulnerable computers owned by another BlueCross licensee, now known as Anthem Inc.
“Protecting our members’ information is our top priority, and our efforts are ongoing,” Minnesota BlueCross BlueShield officials said via email. “As with all companies holding sensitive information, we remain vigilant in our security systems and testing, but we will always strive to do more.”
A Chinese online retailer with a huge North American fanbase has leaked more than 1 terabyte of customer data.
Researchers at vpnMentor were able to gain access to a massive database containing 1.3 terabytes of daily logs dating from August 9, 2019, to October 11, 2019, totaling over 1.5 billion records.
The substantial leak compromised the security of LightInTheBox customers across the globe. Researchers were also able to access data from the vendor's subsidiary sites, including MiniInTheBox.com.
"Our team was able to access this database because it was completely unsecured and unencrypted," wrote researchers.
vpnMentor notified the vendor of the breach on November 24. Although no reply was received, the exposed database was secured shortly after LightInTheBox was made aware of its existence.
LightInTheBox, which was founded in 2007, sells clothing, accessories, gadgets, and various items for the home and garden. Most of the 12 million monthly visitors to the retailer's website are based in North America and Europe.
The company does not provide specific details about its data security and storage practices and has not publicized any measures it may take to protect its customers’ data.
Vpnmentor researchers wrote: "The data breach affected customers around the world, with entries from many of their international sites, and in numerous languages."
Private personal data exposed in the leak included users' IP addresses, countries of residence, email addresses, and the destination pages and online activity of users on the vendor's website.
"This data breach represents a major lapse in LightInTheBox’s data security. While this data leak doesn’t expose critical user data, some basic security measures were not taken," wrote researchers.
Researchers warned that a leak of this nature could put customers at risk from crimes far more disturbing than online fraud.
"With a website user’s IP address, we were able to identify their city of residence. If a criminal hacker had access to this, along with the other data exposed, they could trick a victim into revealing their home address, and target them for theft and home robbery," wrote researchers.
New Jersey's largest hospital health network has paid threat actors an undisclosed sum to restore data compromised in a cyber-attack.
Hackensack Meridian Health's computer systems were shut down after being infected with ransomware on Monday, December 2. The attack caused major disruptions to services at 17 hospitals, nursing homes, and urgent care centers operated by the network.
Elective surgeries for roughly 100 patients were rescheduled as a result of the ransomware incident. Hackensack Meridian Health employees who were unable to access electronic records had to revert to using a paper-based system to deliver care.
The ransomware payment, together with the costs associated with recovering from the cyber-attack, was covered by Hackensack Meridian Health's insurance policy, according to Asbury Park Press.
At first, Hackensack Meridian Health was reluctant to disclose the true nature of the problem, citing only that it was grappling with "externally-driven technical issues."
But, on Thursday, December 5, news of the ransomware attack was leaked to NJ Advance Media by a hospital IT professional who chose to remain anonymous.
Bridget Devane, a spokesperson for the union Health Professionals and Allied Employees, or HPAE, confirmed on Friday, December 6, at 5 p.m., that "northern New Jersey hospitals are definitely back online."
Describing the disruption caused by the incident, Devane said: "There have been delays in orders and lab work, and they are having to double-check paperwork carefully to make sure everything is accurate."
According to NJ Advance Media, the health network confirmed the ransomware attack and the payment of the ransom in a statement released on Friday, December 13.
The statement read: "Due to developments in the investigation, and on advice of national experts, we could not disclose that this was a ransomware attack until now.
"Our network’s primary clinical systems are operational, and our IT teams continue working diligently to bring all applications back online safely. Based on our investigation to date, we have no indication that any patient or team member information has been subject to unauthorized access or disclosure."
Hackensack Meridian Health, which is based in Edison, New Jersey, has more than 35,000 employees and generates around $6bn in annual revenue.