Info Security


Real Life Director of Evil Corp Indicted for 10-Year Cybercrime Spree

Fri, 12/06/2019 - 18:00

US and UK authorities have indicted the leader of a notorious cybercrime gang that stole $70m from bank accounts around the world using malware.

Ukrainian-born Russian national Maksim V. Yakubets allegedly headed up an organized crime syndicate that used Bugat malware—also known as Cridex and Dridex—to drain money from the customers of just under 300 organizations in 40 different countries. 

He is further accused of participating in a second scheme involving Zeus malware, which similarly used a botnet and money mules to pilfer bank accounts.   

Yakubets, who is known online primarily as Aqua, is wanted in relation to two separate international computer hacking and bank fraud schemes spanning from May 2009 to the present day. 

The 32-year-old was indicted in a US federal court on Thursday along with a fellow alleged cyber-criminal, 38-year-old Igor Turashev from Russia's Yoshkar-Ola. Turashev is wanted in connection with the deployment of Bugat malware.

According to the UK's National Crime Agency, the organized crime syndicate of which Yakubets was the ringleader called itself Evil Corp—the nickname given to fictional multi-national conglomerate E Corp in the smash hit TV series Mr. Robot.

Yakubets allegedly ran his large-scale criminal organization from the basements of Moscow cafes, employing dozens of people. He is currently thought to be in Russia, where he is known to sport a coiffed hairdo and cruise around in a customized Lamborghini supercar with a personalized number plate that translates to "Thief." 

A reward of $5m—the largest ever to be offered for a cyber-criminal—is being offered under the Transnational Organized Crime Rewards Program for information leading to the arrest or conviction of Yakubets.  

Lynne Owens, director general of the NCA, said: "The significance of this group of cyber-criminals is hard to overstate; they have been responsible for campaigns targeting our financial structures with multiple strains of malware over the last decade. We are unlikely to ever know the full cost, but the impact on the UK alone is assessed to run into the hundreds of millions."

FBI Deputy Director David Bowdich said: "The charges highlight the persistence of the FBI and our partners to vigorously pursue those who desire to profit from innocent people through deception and theft. By calling out those who threaten American businesses and citizens, we expose criminals who hide behind devices and launch attacks that threaten our public safety and economic stability."

Categories: Cyber Risk News

Six Customers Affected by Ransomware Attack on CyrusOne

Fri, 12/06/2019 - 17:07

One of the largest data center providers in America has become the victim of a ransomware attack.

Texas company CyrusOne confirmed yesterday that an attack involving REvil (Sodinokibi) ransomware had taken place on Wednesday. Customers of the company's New York data center, located in Wappingers Falls, suffered a loss of service as a result of the incident. 

A CyrusOne spokesperson said: "Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network.

"Our data center colocation services, including IX and IP Network Services, are not involved in this incident. Our investigation is on-going, and we are working closely with third-party experts to address this matter."

The attackers advised CyrusOne that they would decrypt one file encrypted in the ransomware attack as a show of good faith that the remaining hijacked data would be returned upon receipt of payment. 

Exactly how the attackers gained entry to the company's network is currently unknown. The attackers say they have a private key, which they claim is the only way to access the stolen information. 

CyrusOne serves thousands of customers across 48 different data centers located around the world. Among its customers are over 200 Fortune 1,000 companies. The company said that it is currently using backups to help its customers recover lost data.

This incident is not the first time that this particular strain of the Sodinokibi ransomware has been a total pain in the coco de mer. REvil was used to attack Oracle's WebLogic server in April of this year, and since then it has also been deployed against more than 400 American dental practices and over 20 Texas municipalities.

Thomas Hatch, CTO and co-founder at SaltStack, commented: "The response and remediation from CyrusOne have been excellent given its ability to restore data from backups and respond rapidly to the attack. However, this situation highlights that data center and IaaS providers are just as vulnerable to attacks as other companies. While IaaS providers generally create very secure infrastructures, there is still the liability that they can be attacked in this manner."

Categories: Cyber Risk News

Banking Trojans Are Top Financial Services Threat

Fri, 12/06/2019 - 11:30

Banking Trojans represent the biggest potential threat to financial institutions and their customers, and are on the rise, according to new research from Blueliv.

The Spanish threat intelligence firm released data from a recent Twitter poll of over 11,000 users and its newly launched report for the banking sector, Follow the Money.

Nearly a third (31%) of respondents claimed banking Trojans were the biggest threat to financial services firms, followed by mobile malware (28%), a category also increasingly comprised of Trojans designed to access customer accounts.

The bad news is that activity appears to be escalating in this area: Blueliv’s report revealed the firm tracked a three-digit uptick in Trickbot (283%) and Dridex (130%) detections over Q2 and Q3 this year.

The botnets are known to distribute banking Trojans as well as other malware targeting financial services.

The poll also revealed that skills shortages (28%) are the biggest challenge facing banks’ IT security teams as they try to build out programs.

Recent data from (ISC)2 revealed that global skills shortages now exceed four million. In Europe the crisis is particularly acute: shortages have soared by 100% over the past year to reach 291,000.

The poll also highlighted the challenges associated with high volumes of threats and alerts (26%) and poor visibility into threats (20%), which it is claimed are hampering banking cybersecurity teams as they struggle to combat attacks.

“Because they are such high-value targets for cyber-criminal activity, it is imperative that financial services organizations monitor what is happening both inside and outside their networks in real-time to create effective mitigation strategies before, during and after an attack,” argued Blueliv CEO Daniel Solís.

“Security teams can be easily overwhelmed by the number of threat alerts they receive which can very quickly result in alert fatigue and desensitization to real, preventable threats. Threat intelligence can address the cyber skills gap through continuous automated monitoring combined with human resource to provide context, helping FSIs develop highly-targeted threat detection, prevention and investigation capabilities.”

Breaches in the financial sector tripled over the five years to 2018, with the average cost of cybercrime in the sector over $18 million, more than any other vertical, according to Accenture.

Categories: Cyber Risk News

Microsoft: 44 Million User Passwords Have Been Breached

Fri, 12/06/2019 - 10:27

Tens of millions of Microsoft customers are using log-ins that have previously been breached, putting themselves and their organization at risk of account takeover, the computing giant has revealed.

In a study running from January to March 2019, Microsoft’s threat research team checked over three billion credentials known to have been stolen by hackers, using third-party sources such as law enforcement and public databases.

It found a match for over 44 million Microsoft Services Accounts, used primarily by consumers, and AzureAD accounts, which is more worrying for businesses.

“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” it explained.

“Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture.”

Microsoft claimed that 99.9% of identity attacks can be mitigated by turning on MFA.

The advice is especially important in the context of ongoing credential stuffing attacks. A report from Akamai earlier this year claimed that such attacks are costing the average EMEA firm on average $4 million annually in app downtime, lost customers and extra IT support.

Attacks have already struck far and wide this year, affecting organizations such as TfL, OkCupid, TurboTax and many more.

A 2018 study of around 30 million users found that password reuse was common among over half (52%), while nearly a third (30%) of modified passwords were easy to crack within just 10 guesses.

A Google poll of 3000 computer users released earlier this year found that just a third (35%) use a different password for all accounts, and only a quarter (24%) use a password manager.

Categories: Cyber Risk News

UK Card Fraud Losses Now Accounts for Half of Europe

Fri, 12/06/2019 - 09:56

UK card fraud now accounts for half of all losses across Europe, driven by data breaches and online scams, according to new findings from FICO.

The predictive analytics firm’s newly launched interactive European Fraud Map reveals that UK card fraud losses hit a record £671 in 2018, up 19% from the previous year.

The figure amounts to almost half the total €1.6 billion (£1.4bn) recorded across the 19 countries included in the map: in Europe plus Ukraine, Russia and Turkey.

The vast majority of the UK’s losses (£506.4m) came from card-not-present (CNP) channels, which are dominated these days by online fraud.

FICO said that the figures can be explained in part by a surge in data breaches, which has flooded underground forums with the identity data needed to carry out CNP scams. Another factor is changes in reporting processes which means more incidents are being recorded.

“The sheer volume of attempted fraud has meant that, although more fraud is being prevented now than ever before, and that it’s being caught earlier in the attack cycle, the total value lost is still on the rise,” said Matt Cox, the firm's vice president for fraud management solutions in Europe.

"Personal information lost in high-profile data breaches means it’s easier than ever for criminals to impersonate individuals and businesses, so we all need to be more vigilant — personally, and as an industry. We’re seeing the continued growth and diversification of social engineering fraud, which uses techniques like vishing, phishing and whaling.”

The UK’s Faster Payments and Europe’s SEPA Instant Credit Transfer initiatives have made speedy seamless payments a reality across the continent — but this is also helping scammers to get away with and launder fraudulently obtained funds before businesses can stop them.

UK police have been forced to go into schools this year warning about the dangers posed by money mule recruiters, as the latter continue to flood social media in a bid to snare cash-strapped teens.

“The key to fighting online fraud lies in establishing practices to protect against data compromise,” said Cox. “Drawing on global networks of loss data and confirmed cases of fraud enables businesses to identify and prevent data breaches significantly earlier, reducing the customer losses and operational pressures that often result from these attacks.”

Categories: Cyber Risk News

US Family Loses Life Savings in Money Mule Email Scam

Thu, 12/05/2019 - 18:18

The Federal Bureau of Investigation has issued a warning after a family from Oregon lost their life savings in a business email compromise scam involving money mules.

Aaron Cole and his wife decided to move into a bigger house after welcoming two children into their family. The couple sold their existing home, and the title company told them they would be in touch soon with instructions for making the down payment on their new house. 

Aaron's wife received an email on December 4, 2018, from what appeared to be the title company and sent $122,850 to the account number provided in the message. A few days later, Aaron received a phone call from the title company to inform him it was time to wire the down payment.

An FBI spokesperson said: "The Coles had been the victims of a business email compromise scam and had wired their money to a criminal who had spoofed the title company’s email address and sent them fake wire instructions. Their down payment had been funneled into one account and then broken up and sent to four other banks."

After falling victim to the scam, the Cole family was left in a situation where they couldn't make the down payment on their new house and had fewer than three weeks to vacate their current home. 

"When this happened, I couldn’t come up with the words to tell my wife," said Aaron Cole.

"The equity in the house was our way to move forward. I put myself back 15 years."

Generously, the title company stepped in and offered to cover their down payment in exchange for the Cole family's help in highlighting the problem of business email compromise. 

Last year, the FBI’s Internet Crime Complaint Center (IC3) received more than 20,000 complaints from victims of business email compromise alone. These victims reported losses of more than $1.2bn. 

The cyber-criminals who stole from the Coles were assisted by the actions of money mules—people who knowingly or unwittingly transfer funds on behalf of, or at the direction of, someone else. 

Yesterday the FBI issued an advisory to the general public to be wary of any unsolicited emails or other communications containing a job offer promising easy money or a request to open a bank account in another person’s name or in the name of a business created by someone else. 

Extreme caution was also advised to anyone who receives an electronic request for money from a loved one.

Categories: Cyber Risk News

Data Breach at Nebraska Medicine an Inside Job

Thu, 12/05/2019 - 17:13

Nebraska Medicine has suffered a data breach after an employee accessed patients' medical records for almost three months without authorization or even the thinnest sliver of a legitimate reason. 

A routine audit of the medical record system conducted in October of this year revealed the gross violation of patient privacy, which occurred over the summer of 2019. 

The employee took their first digital stroll through patients' records on July 11. The unauthorized access then continued until October 1, when the audit was carried out. 

After discovering what was going on, Nebraska Medicine took steps to prevent any further unauthorized access from occurring. A particularly effective step was the organization's decision to fire the employee in question the day after the privacy violation was detected. 

Patients whose data had been compromised were notified by letter. Information accessed by the now former Nebraska Medicine employee included names, birth dates, addresses, medical record numbers, Social Security numbers, driver’s license numbers, clinical information, lab imagery, and notes from physicians.

In a statement released on Tuesday, Nebraska Medicine said: "Once Nebraska Medicine became aware of the incident, our staff took action to investigate, prevent further improper access, and to notify affected patients. We have no reason to believe the information accessed has been or will be misused.

"In cases where the Social Security number or driver’s license was accessible, we are offering credit monitoring for a full year, at no cost to the affected patients."

In a letter sent to patients affected by the breach, privacy officer Debra Bishop apologized for the breach and offered assurance that steps had been taken to prevent a similar incident from happening.

Bishop wrote: "This individual no longer works for Nebraska Medicine and no longer has access to Nebraska Medicine systems. To help prevent something like this from happening again, we are continuing to regularly audit our electronic medical record system for potential unauthorized activity, and are retraining staff about appropriate access of patient information."

Nebraska Medicine operates two major hospitals and 40 outpatient clinics in the Omaha area and has an international reputation for providing bone marrow and stem cell transplantation services. In 2006, Nebraska Medicine performed the first "frozen elephant trunk" heart procedure, otherwise known as open stent grafting, in the United States.

Categories: Cyber Risk News

Vulnerabilities Discovered in VPN Used by NASA

Thu, 12/05/2019 - 16:27

A virtual private network (VPN) used by NASA, Shell, and BT has been found to have multiple vulnerabilities. 

Weaknesses in the Aviatrix VPN were detected by Immersive Labs researcher and content engineer Alex Seymour on October 7, 2019. 

The multiple local privilege escalation vulnerabilities Seymour discovered would have allowed an attacker who already had access to a machine to escalate privileges and achieve anything they wanted. With the extra level of privileges, the attacker would have been able to dive into files, folders, and network services that the user would not previously have been able to access.

The discovery comes just two months after the National Security Agency (NSA) and National Security Council (NSC) both issued warnings regarding state-sponsored attacks aimed at exploiting vulnerabilities in VPNs.

Alex Seymour said: "Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. 

"People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry."

Aviatrix took swift action to address the issue, releasing a patch, v2.4.10, on November 4.

"Users should install the new patch as soon as possible to ensure there is no exploitation in the wild," said Seymour.

A spokesperson for Immersive Labs said that Aviatrix has been responsive and open to discussion after the vulnerabilities were disclosed and had taken on board advice on how to resolve the issue.

"The changes made to resolve the issue were timely and well implemented. They have kept communication open throughout the disclosure process, remaining positive and showing that they take the security of their customers and product seriously," said the Immersive Labs spokesperson. 

Seymour's suspicions were aroused when he noticed a wordy outpouring after firing up the Aviatrix VPN on a Linux machine. The last two lines of script indicated that two local web servers were started when the VPN was launched.

Weak file permissions set on the installation directory on Linux and FreeBSD made it possible to modify shell scripts that are executed when a VPN connection is established and terminated. When the back-end service executed the "OpenVPN" command, the script was executed with elevated privileges.
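The class of weakness described above can be checked for on any host. The following added example (not code from the article, Immersive Labs or Aviatrix) walks an installation directory and reports files and directories that group or other users can write to; the script names and the temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile


def loose_bits(mode):
    """Return the write permissions granted beyond the owner."""
    bits = []
    if mode & stat.S_IWGRP:
        bits.append("group-writable")
    if mode & stat.S_IWOTH:
        bits.append("world-writable")
    return bits


def audit_tree(root):
    """List (relative path, kind, loose bits) for every entry under root
    that a non-owner can modify.

    A writable directory is reported as well as writable files, because
    write access to a directory lets a user replace the scripts inside it.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permissions on the link itself are not meaningful
            bits = loose_bits(st.st_mode)
            if bits:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((os.path.relpath(path, root), kind, bits))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed install directory with one over-permissive
    script, one correctly restricted script and one loose sub-directory."""
    root = tempfile.mkdtemp(prefix="vpn-install-")
    layout = {
        "connect.sh": 0o777,      # hypothetical hook script, writable by anyone
        "disconnect.sh": 0o755,   # hypothetical hook script, owner-only write
    }
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    hooks = os.path.join(root, "hooks")
    os.mkdir(hooks)
    up = os.path.join(hooks, "up.sh")
    with open(up, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(up, 0o644)
    os.chmod(hooks, 0o775)        # group members could swap files in here
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, kind, bits in audit_tree(sample):
        print(f"{kind:4} {rel}: {', '.join(bits)}")
```

Run against the real installation directory of any software whose scripts are executed by a privileged service, an empty result is the expected state.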

Categories: Cyber Risk News

Lib Dems, Labour and SNP 'Ahead' on Election Security

Thu, 12/05/2019 - 12:00

Security researchers are warning UK voters to be on their guard after revealing that most of the country’s political parties still don’t have best practice email security measures in place to mitigate fraud risks.

RedSift analyzed the UK’s main 13 political parties ahead of a tense General Election on December 12, in which the direction of the country could finally be decided after three years of Brexit-related uncertainty.

It found that just three, the Liberal Democrats, Labour and the Scottish National Party (SNP), had a valid DMARC policy. The Domain-based Message Authentication, Reporting and Conformance protocol (DMARC) is recommended by security experts as a key function to help prevent phishing and other spoof email attempts.

While it’s best used in combination with other layered security measures, DMARC does help to guarantee the legitimacy of the sender, which is why the UK government mandated its use for departments back in 2016, with the US following two years later.

According to RedSift’s research, the Conservative Party, the Brexit Party and many others are exposing voters to potentially fraudulent email communications.

“This insight into political party cybersecurity is particularly concerning given that the National Cyber Security Centre, an organization that’s part of the UK government, mandated back in 2016 that all government bodies should implement DMARC so all email traffic can be monitored for malicious activity,” argued RedSift co-founder, Randal Pinto. “It’s a sorry state of affairs that three years on, voters still can’t be sure whether political pledges and requests for support are originating from credible candidates.”

Even the three parties that currently have valid DMARC policies in place can do more. They need to upgrade to a p=reject policy so phishing emails don’t end up being received by prospective voters.
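The difference between having a valid DMARC record and having one that stops spoofed mail is visible in the record itself. This added example (not from the article or RedSift's research) parses DMARC TXT records and grades them; the domains and records are constructed samples, and treating a record with no `p` tag as invalid is a simplification.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records keyed by placeholder domains (not real DNS data).
SAMPLE_RECORDS = {
    "party-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@party-a.example",
    "party-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@party-b.example",
    "party-c.example": "v=DMARC1; p=quarantine; pct=50",
    "party-d.example": "v=DMARC1; p=reject; pct=25",
    "party-e.example": "p=reject; v=DMARC1",
    "party-f.example": "v=spf1 include:_spf.party-f.example -all",
    "party-g.example": "v=DMARC1; p=rejct",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags, or None if invalid."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        tags.append((key.strip().lower(), value.strip()))
    # The version tag must come first and must be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = dict(tags)
    policy = record.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None
    record["p"] = policy
    # pct is the share of failing mail the policy applies to (default 100).
    try:
        pct = int(record.get("pct", "100"))
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    record["pct"] = pct
    return record


def classify(txt):
    """Grade a record: invalid, monitor-only, partial or enforced."""
    record = parse_dmarc(txt)
    if record is None:
        return "invalid"
    if record["p"] == "none":
        return "monitor-only"   # reports only, spoofed mail is still delivered
    if record["p"] == "reject" and record["pct"] == 100:
        return "enforced"       # receivers are asked to refuse failing mail
    return "partial"            # quarantine, or reject applied to a sample


def summarize(records):
    """Map each domain to the grade of its DMARC record."""
    return {domain: classify(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, grade in summarize(SAMPLE_RECORDS).items():
        print(f"{domain:18} {grade}")
```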

The Conservative Party has already caused widespread anger for doctoring footage of opposition candidates on Brexit and changing its official Twitter feed during a televised debate to pose as an official fact-checking source.

“Confidence in politics has taken a dive recently,” argued Pinto. “The Conservative’s ‘factcheckUK’ Twitter scandal hurt the party’s credibility, damaging public trust — akin to the method scammers deploy each time they impersonate emails to elicit action.”

Categories: Cyber Risk News

China’s Great Cannon Fires on Hong Kong Protesters

Thu, 12/05/2019 - 10:30

A Chinese government-backed DDoS operation has been resurrected to disrupt pro-democracy supporters in Hong Kong, according to AT&T Cybersecurity.

The firm revealed in a new blog post yesterday that it spotted activity from the so-called “Great Cannon” starting on August 31, with the most recent DDoS attempts coming on November 25.

Specifically, it was observed trying to take offline the LIHKG website, which is used by Hong Kongers to share info and plan protests across the Special Administrative Region (SAR) of China wracked by unrest over the past few months.

The Great Cannon works by intercepting traffic from websites hosted in China and inserting malicious JavaScript in legitimate analytics scripts, thereby forcing users’ machines to covertly make requests against targeted sites.

The code not only attempts to repeatedly request the LIHKG home page but also multiple sites and memes that appear on the forum, so as to blend in with normal traffic, according to Chris Doman of AT&T Cybersecurity’s Alien Vault business.

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here,” he explained.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

The tool itself first came to prominence around four years ago when it was used to target anti-censorship organization The researchers that revealed the cannon for the first time claimed it was co-located with China’s notorious Great Firewall censorship infrastructure.

Global anger spread after the Great Cannon was then turned on developer site Github, which at the time hosted anti-censorship tools.

Researchers warned that the same tool could very easily be repurposed to deliver malware rather than DDoS attacks.

Categories: Cyber Risk News

#BHEU: Mental Health and Depression Websites Share Details in Plain Text

Thu, 12/05/2019 - 10:00

Revealing research around web and cookie security at Black Hat Europe in London, Eliot Bendinelli, technologist at Privacy International and Frederike Kaltheuner, formerly of Privacy International and now tech policy fellow at Mozilla, described how a number of websites offering “tests” on mental health and depression shared results with third parties.

Kaltheuner said that this sort of tracking is “not just highly intrusive but is information that can be used against you.” She said that GDPR consent forms are “designed to be deceptive and annoying” and often it is easier to consent than not, and very few people know what happens when you do consent.

Therefore, the duo did accept some tracking requests and did a subject access request to get the data that had been collected, and received a statistical analysis on their age, gender and education level. This also included data shared with companies in the data broker and the advertising technology ecosystem.

This led them to do tests on websites, with a focus on three countries: UK, Germany and France. Bendinelli said that the goal was to find websites driving traffic to partners. They used tools such as Webxray, which runs a headless version of Chrome and records all interactions with a website, including cookies, images and JavaScript, and HTTP Toolkit, which inspects what POST queries a website is sending.

Kaltheuner revealed that 97.78% of all webpages had a third party element and while this was not nefarious, “it does come with a privacy risk.” She said that the average cookies collected were 44 for French websites, 12 in the UK and seven in Germany.

“Also, we found that 76% of websites contained a third party tracker for marketing,” Kaltheuner said, with counters found for data brokers and companies who do programmatic advertising.

Bendinelli added that having completed depression tests, he found that several stored the test results in the URL, and this was shared with a third party, and one sent them to 500 partners with answers in clear text. An NHS website sent the test scores to a website which was found to be an analytics server, which the NHS confirmed was recorded for their own analytics. “We were disappointed as there was no warning,” Bendinelli said.

Kaltheuner said that the basics of the research and this extended version had “barely scratched the surface” as they had only investigated nine websites and found poorly designed tests. “Many findings are in violation of GDPR and e-privacy,” she pointed out, saying that consent is needed to place cookies, and for processing data as “you can only process with the explicit consent of the user.”

The two concluded by acknowledging that technology changes quickly, but a broader discussion is needed about how people want to be treated, and who wants access to this and who shouldn’t.

Categories: Cyber Risk News

UK Fashion Store Sweaty Betty Suffers Magecart Heist

Thu, 12/05/2019 - 09:30

British e-commerce store Sweaty Betty has become the latest victim of a digital skimming attack after customers unwittingly had their card data stolen over the period of a week.

In an email sent to customers, the women’s fashion retailer confirmed that “a third party gained unauthorized access to part of our website and inserted malicious code designed to capture information entered during the checkout process.”

Customers placing orders online or over the phone between November 19 and 27 are thought to have been affected, although the firm has not revealed how many may have had their card details stolen.

As well as card number, CVV and expiry date, the hackers may have stolen customer names, billing and email addresses, telephone numbers and passwords for the site.

“We can confirm that Sweaty Betty has launched a comprehensive investigation following a highly-sophisticated cybersecurity incident on our website platform. We worked quickly to engage specialist technical security consultants to assist us with our investigations and we can confirm the issue has now been resolved and apologize for any inconvenience,” a spokesperson told Infosecurity sister publication Essential Retail.

“We have taken all the necessary steps to inform those who may have been affected and the Information Commissioner’s Office (ICO) has been notified. We take data security extremely seriously and the privacy of our customers remains our highest priority. Importantly, this issue has been resolved, and it is safe to shop at Sweaty Betty – whether online, by phone, or in stores.”

The incident appears to have been a classic Magecart attack, in which hackers insert malicious JavaScript into payment pages to siphon off card details as they are entered in by customers. It came just before the Black Friday sales weekend, when traffic to e-commerce stores soars.

In the past month alone, similar attacks have hit US gun-maker Smith & Wesson and department store Macy’s.

“Unfortunately, when armed with payment card information or personally identifiable information (PII), malicious parties can make fraudulent purchases, sell said data on the dark web for a quick profit, and much more,” argued Bitglass CTO, Anurag Kahol.

“Additionally, a staggering 59% of consumers reuse passwords across multiple accounts. This means that if a cyber-criminal appropriates a single password, they can potentially gain access to a user's accounts across a number of retailers and services where said password is reused.”

Categories: Cyber Risk News

Festive Virtual Hacker Conference Returns

Wed, 12/04/2019 - 17:53

A free holiday-themed cybersecurity conference set in a virtual North Pole is scheduled to take place for the second year running. 

KringleCon 2019 invites hackers and cybersecurity professionals from across the globe to hear expert speakers, watch educational demos, share tips, and test their skills in a cyber-battle. 

The conference, which will begin next week, was created by global cybersecurity training and certification provider SANS Institute.

An extensive line-up of speakers includes IBM Security’s Stephanie Carruthers, Black Hills Information Security’s John Strand, Ian Coldwater from Heroku/Salesforce, Dave Kennedy from TrustedSec, and Lesley Carhart from Dragos.

Immediately following the conference, SANS will host its annual Holiday Hack Challenge. This year’s capture-the-flag (CTF) event will include new offensive and defensive challenges featuring machine learning and a variety of other cutting-edge technologies.

The Holiday Hack Challenge offers a series of awards and valuable educational prizes, ranging from SANS OnDemand courses to NetWars Continuous subscriptions. Challenges begin at a fun level, then progressively become more difficult until they reach a level that will really test the mettle of those who participate.

“There are many unique elements to this conference, and it starts with an overarching storyline,” explains Ed Skoudis, director of SANS Cyber Ranges and Team-Based Training and creator of KringleCon.

“A nefarious villain tries to hack the conference to cause it to be cancelled. Last year, the evil hacker locked up Santa’s castle and held conference attendees inside the castle. This year’s theme will be equally thrilling. The addition of offensive and defensive machine learning challenges is especially exciting, as we believe this to be the first time that machine learning is used in a CTF event.”

Last year's KringleCon included 51 different presentations that were given on YouTube. 

Previous holiday hacking challenges laid on by SANS include the 2015 event Gnome in Your Home, which was based around the children's book Elf on the Shelf. The book tells the story of how Santa is fed information on which children are naughty and nice via a spy network of elves who watch children in their own homes. 

The challenge took the form of a quest-style video game, complete with 8-bit Christmas music, in which participants had to work out what the internet-connected gnomes were really up to. 

Categories: Cyber Risk News

Jamaica to Create a National Cybersecurity Policy in 2020

Wed, 12/04/2019 - 17:06

Jamaica has announced plans to develop a national cybersecurity policy in 2020.

According to the Jamaica Observer, the plan to create a strategy to protect the island country's citizens from cybercrime was announced by Jamaica's minister of national security, Dr. Horace Chang, yesterday. 

Speaking at a Cybersecurity and Cybercrime Workshop for Latin America and the Caribbean at the Hilton Resort and Spa in St. James, Chang said that the government will "be seeking to ensure that the entire government service has a reliable and robust cyber-platform on which to operate and deliver quality and safe online service."

Chang added that the creation of the cyber-safe platform will be achieved through the work of agencies such as e-Gov Jamaica. 

The minister went on to describe how the National Identification System (NIDS) Bill, passed into law in November of 2017, will act to further strengthen the country's cybersecurity framework. 

Under the new law, each citizen of Jamaica will be provided with a randomized nine-digit National Identification Number (NIN), which they will have for life, and a multipurpose National Identification Card (NIC). Rollout of the system began in January 2019. 

Chang said that the National Identification System will support "the modernization of our information and communications technology (ICT) infrastructure" and pave the way for the introduction of a multilayered technology security system that will offer protection against cyber-threats.

The Jamaican government is currently in the process of finalizing a Data Protection Bill, which Chang said will play a critical role in defending the country's cybersecurity. 

"This bill will provide a much-needed framework and guidelines for securing and protecting our people's data," said Chang. "It will also strengthen, even further, Jamaica's overall cybersecurity infrastructure."

The bill requires that data collected must be accurate and should only be obtained for specific lawful purposes, with the consent of the individual. It stipulates that data gathered may not be further used or processed in any way incompatible with the original purpose and must not be held for longer than is necessary to fulfill that original purpose.

Chang also emphasized the importance of partnerships, such as the collaboration between the Jamaica Cyber-Incident Response Team (CIRT) and the Organization of American States (OAS) Inter-American Committee against Terrorism (CICTE), in protecting Jamaica's citizens.

Categories: Cyber Risk News

Artificial Fingerprint Ring Could Combat Biometric Data Theft

Wed, 12/04/2019 - 16:09

A cybersecurity company has teamed up with a 3D accessory designer to produce a ring that could tackle the issue of what to do if your biometric data is stolen. 

The attractive and wearable piece of jewelry features a synthetic fingerprint that can be used to unlock phones, make payments, or even access a home or office. 

Unlike the actual fingerprint of a living human, which can never be replaced if lost, the artificial biometric identifier can be erased and substituted with a new version in the event of an identity theft. 

The ring represents the collaborative efforts of cybersecurity firm Kaspersky, Swedish designer Benjamin Waye, and creative agency Archetype.

“By combining the elements of art and technology, the ring makes the person wearing it stand out from the crowd as a visionary,” said the ring's designer, Waye.

“It is a different approach to how we wear jewelry. Usually, it is much more practical. Not only is it considered beautiful, but it has been designed with the aim of helping to solve a quite serious problem in today’s modern life. It helps preserve our uniqueness in a world where everything could otherwise be copied.”

In 2015, the Office of Personnel Management (OPM) hack in the United States caused 5.6 million fingerprints to be leaked. More recently, the fingerprints of over 1 million people were discovered on a publicly accessible database used by the UK Metropolitan police, defense contractors, and banks. That is in addition to multiple examples where researchers have demonstrated proof-of-concept schemes that allow human fingerprints to be stolen with the help of digital cameras and other widely available tools.

“While the ring is just one of the possible ways to tackle the current cybersecurity problems related to biometrics, this is certainly not a silver bullet,” said Marco Preuss, director of the global research and analysis team at Kaspersky, Europe. 

“A real solution will involve creating measures and technologies that would guarantee the protection of people’s unique identities. Such a solution is yet to be developed, and the current situation surrounding the safety of biometrics is not where it needs to be.”

Although the ring is a proof-of-concept piece, it paves the way for further discussion on securing biometric data.

Categories: Cyber Risk News

#BHEU: Consider Adversarial Thinking, Ask If the Tool Works

Wed, 12/04/2019 - 14:45

Delivering the opening keynote at Black Hat Europe, offensive security engineer Amanda Rousseau talked about the move from a defensive to offensive role, and how narrow that has made our thinking.

In the first part of her talk, she said that we have become too immersed in using tools, and do not look underneath them to understand how they work.

She said that security is “filled with tools” and we are told that it is best practice to use them, but we rarely understand how they work or why they work in a certain way, so we don’t trust them.

“Why are we not pushing ourselves to look beyond the surface?” she asked, saying in one instance a tool she “was forced to use was not able to perform, so I wrote my own script and my co-workers thought I was crazy.”

Rousseau said that she was tired of the “color spectrum” of cybersecurity, as we have covered black and white hats, and red and blue teams, when in reality, everyone is on the same side, and recommended using adversarial thinking for defense and everything in between. “Fundamental skills are applicable to both sides: if you can pivot, you have adversarial foundations.”

Looking at blue teaming, she said that there is an assumption that tools and functions work in the way that they are intended, but “how many things work within bounds?” On the red team side, the problem is leaving blind spots and too many people not having experience of writing detections to communicate the changes that need to be made.

She went on to call this a “lack of follow through,” saying there is too much of an attitude of “not my problem” and “the blue team can figure it out,” when better collaboration and follow-through for remediation can help on both sides.

Asking how improvements can be made, Rousseau said that we have “dived so deep it is hard to pivot to something else” and too many people have tunnel vision on one area of focus.

“Never mind the color spectrum, we’re all in this to make everyone’s lives better,” she said.

Categories: Cyber Risk News

#BHEU: Foster the Right Skills, Culture and Share Knowledge

Wed, 12/04/2019 - 14:07

Opening the 19th Black Hat Europe in London, founder Jeff Moss said that over the years the diversity of the security community has grown, and skills have expanded to include both hard and soft skills. He also said that the culture is maturing, and on the tech side “I see a slow move to a demonstration of skill” and instead of showing certifications, it is much more about “demonstrating the skills you have to be in a particular field.”

He said that we are specializing in our fields, and he encouraged delegates to specialize as “that is how you are going to be known in your fields.”

Moss also said that we are going to be rewarded for our soft skills, and for our ability to communicate what we know to management. “What is the point of your business, and what are your business objectives? Is what you are doing fun and really exciting but doesn’t align to any business goals? Then you should get out of that team and get into a team that is aligned to those business goals.”

Citing former NSA and CIA head General Hayden’s phrase that you “have to organize to operate,” Moss argued that you have to organize your team, people, skills and resources before you can start operating.

“Right now we’re organized for compliance, and we need to organize to operate,” he said, adding that you need to be involved with solutions and not be too far away from the problems and solutions to make an impact. He also recommended engaging with the enemy “whoever it is,” seeing how they operate and learning their strengths and weaknesses.

“The most dangerous thing is defenders who never get information from real attackers,” he explained.

Finally, he recommended “fostering the right team and talent, as if you are not recruiting and transferring knowledge and passing on lessons learned to the company as a whole, there is a disconnect”, especially if legal doesn’t understand what you are doing. “If you are operating you have all of these cylinders firing.”

Moss concluded by saying that there is a wealth of learning opportunities available, and he praised conferences for posting talks without paywalls, and encouraged more knowledge sharing in the future.

Categories: Cyber Risk News

FTC: Fraudsters Go Low-Tech to Trick the Elderly

Wed, 12/04/2019 - 12:00

Fraudsters are increasingly going back to basics in a bid to trick victims, particularly the elderly, into handing over money, according to the Federal Trade Commission (FTC).

The regulator posted two warnings on Tuesday highlighting the lengths to which scammers are now prepared to go in order to collect.

It revealed that a Pennsylvania man reported being sent a threatening letter using fake FTC branding.

“The letter said his online and financial activities put him under suspicion of money laundering and terrorism. And now, all his ‘activities will be under review’,” the FTC’s associate director of consumer response and operations, Monica Vaca, said.

“Our best guess is that this letter is just the first part of a scam. The second part will probably involve ‘urgent’ phone calls telling people to send money right away. Now, though, you can spot the scam.”

She clarified that the FTC would never send out threatening letters like this, force recipients to pay — especially not by gift card, wire transfer or cryptocurrency — or share personal information.

Phone scams are increasingly common; spam calls soared 325% year-on-year in 2018 to reach an estimated 85 billion worldwide.

The FTC warned that scammers often call the elderly pretending to be a grandchild in trouble who needs urgent cash for bail, emergency hospital treatment or some other reason. They scrape details from social media to make the scheme sound more convincing.

Such 'friend and family' imposters typically manage to get as much as $2000 from their victims, versus an average media fraud loss of $462. However, the figure rises to $9000 per victim for those over 70.

As well as asking for gift cards or wire transfers, which are easier to launder, the scammers are increasingly requesting cash payments in the mail, the FTC said.

In the region of $41 million has been lost in the past 12 months to friend and family scammers, versus $26 million the previous year, explained Vaca.

Categories: Cyber Risk News

Latest Cyber-Defenders Unveiled at 10th CyLon Demo Day

Wed, 12/04/2019 - 11:15

Today, nine of the most exceptional new cybersecurity businesses will pitch their latest products and innovations aimed at securing the digital economy at CyLon’s 10th London Demo Day.

The nine companies will showcase their products to over 150 prospective customers, investors and partners through quick-fire pitches. The companies joined the program in September 2019, and over the last three months have received an intensive program of workshops and mentoring from experienced industry specialists and entrepreneurs, along with making connections within CyLon’s community of buyers, investors and advisors across EMEA, UK and the US.

The participating teams joined from the UK, Turkey, Switzerland, Dubai and Israel. They are:

  • 418sec, which helps developers use open-source code in a safe and compliant way, allowing organizations to trust in the code they use
  • oneclick™, a central access and distribution platform in the cloud, enabling the management of the entire technology stack for application provisioning
  • YEO messaging, which provides secure private messaging for businesses and their customers
  • Safetech, which uses cutting edge machine learning to protect critical infrastructure and industrial networks by deflecting cyber-attacks into honeypots
  • Alterant, which securely distributes digital devices across physical spaces
  • Salvador Technologies, which decreases the recovery time after a cyber-attack
  • eXate, a data privacy solution
  • SIRP, a single integrated platform that fuses essential cybersecurity information to enable a unified response and enables the entire cybersecurity function to work as a single, cohesive unit
  • Astroscreen, which builds an end-to-end solution to monitor, detect and mitigate social media manipulation

Jonathan Luff, co-founder of CyLon, said: “Here we have nine new cyber companies building innovative products to keep our digital economy safe and secure. We have worked with the founders closely over the past three months and have introduced them to customers and investors in CyLon's global network to accelerate their growth. We look forward to working with these exceptional founders as they continue to scale their businesses.”

This cohort brings the global number of companies CyLon has accelerated to 102, and CyLon’s portfolio of international companies is now valued at more than £400m.

Categories: Cyber Risk News

Dutch Politician Accused of Targeting Women’s iCloud Accounts

Wed, 12/04/2019 - 10:55

A Dutch politician could face several years behind bars after being accused by prosecutors of hacking the iCloud accounts of hundreds of women and posting explicit photos and videos online.

Named only on the official Netherlands Public Prosecution Service website as “a 35-year-old man from Almere,” he is identified elsewhere as Mitchel van der K, who sat on the local council there for the VVD party.

According to the charges, he targeted both women known personally to him and celebrities such as YouTuber Laura Ponticorvo and former Dutch hockey star Fatima Moreira de Melo.

As well as hacking their iCloud, email and chat accounts, he’s accused of leaking online images and a video of one of his victims, Ponticorvo. It was that decision which is said to have sparked the investigation leading to his arrest.

On one occasion, Van der K is accused of posing as someone else in order to trick a victim into sending him pictures of herself.

Van der K has admitted hacking the women but said in his defense that online extortionists forced him to commit these crimes or risk footage of himself being exposed online.

“The cases that the police have investigated in detail show that more than half of the accounts hacked by the suspect were women who had no (national) fame, but who did interact with him in his work or private environment,” argued the public prosecutor. “Why an unknown extortioner would have forced the suspect to browse their accounts for photos and videos, I completely miss.”

The incidents took place over a three-year period, from 2014 to 2017, covering the infamous Fappening leaks which exposed intimate images and videos of numerous celebrities.

Prosecutors are asking for a three-year jail sentence, with the court expected to hand down its verdict on December 24.

Categories: Cyber Risk News