Info Security


Philippines Convicts Rappler Founder of Cyber-libel

Mon, 06/15/2020 - 18:13

The founder and executive director of social news website Rappler was today found guilty of cyber-libel by a court in the Philippines.

Maria Ressa and former Rappler reporter Reynaldo Santos Jr. each face up to six years in jail after becoming the first two journalists to be convicted of cyber-libel in the country. 

Judge Rainelda Estacio-Montesa permitted Santos and Ressa to post bail, pending an appeal. Should their convictions be upheld, each will serve a minimum custodial sentence of six months and one day. 

The cyber-libel case against the pair stemmed from a 2017 complaint filed over a Rappler story that was published in 2012, before the cybercrime law was passed.

The businessman who lodged a complaint against the Rappler duo sought damages of approximately $1m. The judge ruled that the complainant should receive the equivalent of $8,000 in local currency for moral and exemplary damages. 

Ressa has vowed to fight the judgment made against her, describing the case in the press conference that followed her conviction as one that "was meant to be a cautionary tale."

"It is a blow to us. But it is also not unexpected," said Ressa. "I appeal to you, the journalists in this room, the Filipinos who are listening, to protect your rights. We are meant to be a cautionary tale. We are meant to make you afraid. But don't be afraid. Because if you don't use your rights, you will lose them."

The case against Ressa and Santos was seen by many as a touchstone to indicate what freedom the press will be allowed in the Philippines under the administration of President Rodrigo Duterte. 

It's the first of eight active cases filed against Ressa and Rappler since Duterte ascended to power in 2016.

Ressa reminded her fellow Filipinos of the inherent danger of allowing a free press to be silenced.  

"Freedom of the press is the foundation of every single right you have as a Filipino citizen. If we can't hold power to account, we can't do anything," said Ressa.

"The verdict basically kills freedom of speech and of the press," the National Union of Journalists of the Philippines said, while the Foreign Correspondents Association of the Philippines termed the verdict "a menacing blow to press freedom."

Categories: Cyber Risk News

Mobile Threats Delivered by Adult Content Double

Mon, 06/15/2020 - 16:57

Threat actors hiding malware in adult content are targeting mobile users over those who turn to their PCs to get turned on. 

Research published by Kaspersky found that while PC threats masquerading as pornography fell by 40% in 2019, attacks on mobile users increased. 

Kaspersky's review of 2019 threat activity discovered that the number of mobile users attacked by threats disguised as pornographic content grew two-fold in 2019, reaching 42,973 users, compared to the 19,699 targeted in 2018.

By contrast, the number of PC users affected by malicious adult content fell from 135,780 users attacked in 2018 to 106,928 in 2019. 

To further their understanding of the attacks waged against mobile users, researchers checked all files disguised as pornographic videos or adult content–related installation packages for Android and ran 200 popular porn category tags against this database. 

"The analysis showed results for 105 tags in 2018 and for 99 tags in 2019, demonstrating that not all porn is used by cybercriminals to target their victims," wrote researchers.

Additional analysis demonstrated that pornographic content that could be rated as violent was rarely ever used by threat actors for spreading malware.

Advertising software that shows users unwanted content or redirects them to unwanted advertising pages was the most prominent mobile threat both in variety and in the number of attacked users. Out of the top 10 porn-related threats for mobile users in 2019, seven belonged to this class of threat.

An advertisement application detected as AdWare.AndroidOS.Agent.f hit 35.18% of mobile users targeted by malicious pornographic content in 2019. Typically, this type of threat is distributed through various affiliate programs that target victims with malicious applications or generate money per installation.

Dmitry Galov, security researcher at Kaspersky, said that the research demonstrated how cybercriminals adapt their tactics based on social trends. 

“As users are becoming more mobile, so are cybercriminals,” said Galov. 

“While we have not witnessed many changes in the techniques used by cybercriminals, statistics show that this topic remains a steady source of threats and users need to be aware of that, taking steps to protect access to the valuable data they keep on their devices."

Categories: Cyber Risk News

Foodora Data Breach Impacts Customers in 14 Countries

Mon, 06/15/2020 - 16:19

Online food delivery service Delivery Hero has confirmed a data breach affecting its Foodora brand. 

The cybersecurity incident has exposed the account details of 727,000 customers in 14 different countries. Information exposed in the incident included names, addresses, phone numbers, and hashed passwords.

While no financial data was leaked, customers' geolocation data, accurate to within a couple of inches, was breached. Such data could prove embarrassing to any individuals who have ordered food while pursuing a clandestine affair. 

Data breached in the incident was found online on May 19, posted in a forum where stolen data is wont to show up, according to the Gov Infosecurity website. Whoever posted the data on the forum claims that Foodora was compromised in 2019. 

A spokesperson for Delivery Hero said that the exposed information dated back several years. 

"Unfortunately, we can confirm that a data breach has been identified concerning personal data dating back to 2016," said a Delivery Hero spokesperson. 

"The data originates from some countries across our current and previous markets."

The compromised data appears to belong to Foodora users in Australia, Austria, Canada, France, Germany, Hong Kong, Italy, Liechtenstein, the Netherlands, Norway, Singapore, Spain, and the United Arab Emirates. 

Data breach expert and Have I Been Pwned website creator Troy Hunt said that over 600,000 unique email addresses were among the leaked data. According to Hunt's research, the oldest Australian files exposed in the incident date back to August 2015. 

Delivery Hero was founded in 2011 by Niklas Östberg. The business is based in Berlin, Germany, and operates in over 40 countries internationally in Asia, Europe, Latin America, and the Middle East. 

The company, which has around 22,000 employees, partners with more than 500,000 restaurants globally to deliver over 3 million food orders per day. 

Delivery Hero is not yet sure how the breach occurred but is taking steps to find out. 

A spokesperson said the company has "started a thorough internal investigation" and is "working closely with our security and data protection teams, as well as local authorities, to identify what caused the breach and inform the affected parties."

The spokesperson added that the "relevant authorities" have been informed of the data breach.

Categories: Cyber Risk News

Poor Password Practices and Growing Acceptance of Biometrics in Financial Accounts

Mon, 06/15/2020 - 16:00

Only 40% of UK citizens use separate passwords across each of their financial accounts. This is according to the FICO Consumer Digital Banking Study, which showed a large proportion of people do not undertake recommended practices regarding logins and passwords in their financial accounts. The findings are particularly concerning in light of the substantial rise in eCommerce during the COVID-19 pandemic.

The research also found that more than a fifth of British people have just two to five passwords, which they re-use across all their financial accounts. Interestingly, the 55+ age category was the group most likely to have separate passwords between accounts (41%), in line with recommendations.

Additionally, 18% of those surveyed stated they write their passwords down, which is widely seen as a security weakness, while only 18% use recommended password management software.

Just under half (42%) claimed to be able to remember their passwords and almost a quarter (24%) revealed that they have abandoned an online purchase because of forgetting their username or password.

More positively, there was a high rate of acceptance recorded for the use of biometric security methods (71%) in online banking. For logging into a banking app, 48% said they would be happy to use a fingerprint scan, 25% a facial image and 23% a voiceprint.

“Whilst our research was conducted just before the COVID-19 lockdown, the findings send a very clear message that UK consumers understand the greater security benefits of biometrics over passwords,” said Sarah Rutherford, identity solutions expert, FICO. “Since face-to-face interactions are likely to be reduced for some time to come, it is crucial for consumers and financial institutions to have mutual respect for the benefits biometrics deliver – not just for security but in terms of removing the delay and friction from financial transactions.

“Consumers don’t generally manage their passwords well, so biometrics offers a far more simple and secure way to verify a person’s ID.”

The huge rise in remote working in recent months is another reason why it is becoming increasingly important for people to improve their password practices, and this may serve to accelerate moves towards biometric-based systems of authentication across all sectors.

Categories: Cyber Risk News

Exposed Cloud Databases Attacked 18 Times Per Day

Mon, 06/15/2020 - 11:00

Exposed cloud databases are probed within just hours of being set up, according to new research from Comparitech.

The firm’s security research team, headed by Bob Diachenko, has written many times of Elasticsearch servers left online but unsecured by organizations, putting them at risk of discovery by cyber-criminals.

However, to find out just how widespread black hat scanning for such exposed instances is, Comparitech decided to build a honeypot.

It left a database filled with fake data on an Elasticsearch instance, completely unsecured, for 11 days in May.

During that time it detected 175 unauthorized requests, which averages out to 18 attacks per day. The first one came just eight-and-a-half hours after deployment, days before the database was even indexed by popular IoT search engines Shodan and BinaryEdge. This illustrates how many hackers use proactive scanning tools, Comparitech said.

However, the largest number of attacks (22) on any one day came just after the instance was indexed by Shodan. In fact, two attacks came in just a minute after it was indexed.

Attacks came mainly from the US, Romania and China, and most were looking for more information about the database and its settings.

Some sought to exploit Elasticsearch vulnerabilities from 2015 to install cryptocurrency mining software, steal passwords and change the configuration of the server with a view to stealing and deleting all data.

A few days after the research concluded, the still-exposed honeypot was attacked by a malicious bot that deleted the contents of the database and replaced it with a ransom message.
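The honeypot findings above (time to first probe, requests per day, reconnaissance versus destructive actions) are the kind of numbers a defender wants from their own exposed-service logs. The script below is an added example, not Comparitech's tooling; it assumes the Elasticsearch instance sits behind a reverse proxy that writes nginx "combined" access lines, and every log line, IP address and deployment timestamp in it is constructed for illustration.

```python
"""Summarise unsolicited requests against an exposed Elasticsearch honeypot.

Assumption: the honeypot is fronted by a reverse proxy that writes nginx
"combined" access lines. The lines below are constructed for this example,
not taken from Comparitech's honeypot.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed deployment time; the first request is measured relative to it.
DEPLOYED_AT = datetime(2020, 5, 11, 9, 0, tzinfo=timezone.utc)

# Constructed sample log (documentation IP ranges only).
SAMPLE_LOG = """\
198.51.100.7 - - [11/May/2020:17:31:02 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.23"
198.51.100.7 - - [11/May/2020:17:31:03 +0000] "GET /_cat/indices?v HTTP/1.1" 200 230 "-" "python-requests/2.23"
203.0.113.44 - - [12/May/2020:03:12:45 +0000] "GET /_cluster/settings HTTP/1.1" 200 180 "-" "curl/7.68.0"
203.0.113.44 - - [12/May/2020:03:12:46 +0000] "PUT /_cluster/settings HTTP/1.1" 200 95 "-" "curl/7.68.0"
192.0.2.99 - - [13/May/2020:22:40:10 +0000] "DELETE /_all HTTP/1.1" 200 44 "-" "Go-http-client/1.1"
192.0.2.99 - - [13/May/2020:22:40:11 +0000] "PUT /read_me/_doc/1 HTTP/1.1" 201 60 "-" "Go-http-client/1.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Methods that change or destroy data rather than merely enumerate it.
DESTRUCTIVE_METHODS = {"PUT", "POST", "DELETE"}


def parse_line(line: str) -> dict:
    """Parse one combined-format line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return req


def classify(req: dict) -> str:
    """'destructive' for writes and deletes, otherwise 'recon'."""
    return "destructive" if req["method"] in DESTRUCTIVE_METHODS else "recon"


def summarize(log_text: str, deployed_at: datetime) -> dict:
    """Compute the honeypot-style metrics: volume, time to first probe, daily
    counts, sources, and the requests that would have altered or wiped data."""
    reqs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    reqs.sort(key=lambda r: r["ts"])
    first = reqs[0]["ts"]
    per_day = Counter(r["ts"].date().isoformat() for r in reqs)
    return {
        "total": len(reqs),
        "hours_to_first_request": round((first - deployed_at).total_seconds() / 3600, 1),
        "per_day": dict(per_day),
        "busiest_day": per_day.most_common(1)[0],
        "by_source": dict(Counter(r["ip"] for r in reqs)),
        "destructive": [f'{r["method"]} {r["path"]}' for r in reqs
                        if classify(r) == "destructive"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, DEPLOYED_AT).items():
        print(f"{key}: {value}")
```

Pointing the same function at a real proxy log for a service that should never be reachable from the internet turns the "first request within hours" observation into a concrete alert: any entry in `destructive` on an instance that has no legitimate external writers is evidence of exactly the cluster-settings tampering and index deletion described above.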

Boris Cipot, senior security engineer at Synopsys, argued the research highlights just how little time organizations have to find and remediate any configuration errors in the cloud.

“We see often that insecure steps are made when deploying instances in the cloud environment. Insecure security settings lead to exploitable systems and devices,” he added.

“I recommend that companies have procedures around provisioning resources and hold to them much like a pilot’s checklist in preparation for take-off. This then leads to two important things: first, the creation of security policies and procedures and secondly, a checklist that does not allow room for mistakes.”

Categories: Cyber Risk News

Twitter Shutters 32,000 State-Linked Accounts

Mon, 06/15/2020 - 10:15

Twitter has added a further 32,242 accounts to the many already removed from the platform for links to state-backed influence operations.

Working with the Australian Strategic Policy Institute (ASPI) and Stanford Internet Observatory (SIO), the social network found and removed all content associated with the accounts, which are linked to three campaigns by the Chinese, Russian and Turkish governments.

The vast majority (23,750) have been linked to Beijing’s efforts to promote narratives favorable to the Chinese Communist Party (CCP) “while continuing to push deceptive narratives about the political dynamics in Hong Kong.”

Although these were caught before being able to amass large numbers of followers, around 150,000 additional accounts were detected acting as “amplifiers” of the content produced by this core of 23,000.

“Based on feedback from researchers on our prior disclosures that we need to better refine the disclosure process to enable efficient investigation of the core activity, we have not included the 150,000 amplifier accounts in the public archive,” Twitter explained.

The firm also shut down 1152 accounts linked to Current Policy, a media website promoting “state-backed political propaganda” in Russia, attacking dissidents and favoring Putin’s United Russia party.

The final campaign spotted and shut down by Twitter was detected in early 2020 and featured fake and compromised accounts promoting political narratives favorable to the ruling AK Parti of President Tayyip Erdogan.

Some 7340 accounts were closed, several of which were associated with organizations critical of the government and Erdogan.

“These compromised accounts have been repeated targets of account hacking and takeover efforts by the state actors identified above,” said Twitter. “The broader network was also used for commercial activities, such as cryptocurrency-related spam.”

Categories: Cyber Risk News

Live Event Manufacturer Reveals Employee Data Breach

Mon, 06/15/2020 - 08:51

A major manufacturing company for live events has disclosed a data breach affecting the personal and financial information of its employees.

Tait Towers Manufacturing produces rigging, lighting and other equipment for concerts, theatrical performances and the like. It claims to have worked on many of the highest-grossing concert tours of all time.

The US-headquartered multinational waited nearly two months before disclosing, last week, an incident that was detected on April 6 but began on February 16. The firm said an unauthorized third party had accessed a server and some employee email accounts.

It has since reset server and email logins to remediate the incident and deployed multi-factor authentication and endpoint monitoring systems to improve safeguards for the future.

Among the compromised information are employee names, addresses, email addresses, dates of birth and Social Security numbers or financial account numbers.

Although the company said it has “no reason to believe that any of the information maintained in the server and email accounts was misused,” the data would be tactically useful for cyber-criminals in developing phishing campaigns and/or follow-on fraud.

Tait has urged clients, employees and vendors to monitor their financial accounts for any unusual activity while it completes its investigation into the incident. It is also offering the usual free credit monitoring to affected employees.

“Many data breaches like the Tait breach are caused by employees and executives opening attachments or clicking links in emails from an unidentified third-party sender,” argued Chris Hauk, consumer privacy champion at Pixel Privacy.

“Educating employees about the risks of indiscriminate link clicking has never been more important than it is in today's always-connected world.”

Categories: Cyber Risk News

Business Owner Receives Death Threats After Racist Hack

Fri, 06/12/2020 - 17:27

The life of a Houston business owner has been threatened after cyber-criminals hacked into her company's social media account and posted racist messages.

Founder and CEO of Infinity Diagnostics Center Jessica Hatch said her company's Instagram account was compromised on Thursday afternoon by an unknown malicious hacker. After gaining access to the account, the threat actor uploaded multiple stories designed to paint Hatch and her business as racist.

"Here at Infinity we do not support African Americans. If we kept them picking cotton we wouldn't be having these issues with them," read one of the malicious posts.

Hatch said that the business has employed African Americans on a regular basis and that it, in fact, currently employs an African American massage therapist.  

Another offensive story uploaded to Infinity's Instagram account included the text “We do not employ African American individuals. The things going on right now is a clear example that they do not know how to behave."

As a result of the attack, Hatch received a stream of hateful comments and death threats from misguided Instagram users who believed the vile comments had come from the business owner.

"It's just horrible," Hatch told "Like I feel like I'm literally being attacked."

After learning about the racist posts, a completely mortified Hatch asked Instagram to close down the account. 

Hatch said she personally has not had access to the company's Instagram account for at least six weeks. 

Commenting on who she believes is responsible for the attack, Hatch said she believed the culprit was a former employee whose responsibilities used to include publishing social media posts on behalf of the business. Hatch said that to perform their role, the ex-staffer had access to the company's social media passwords. 

Hatch made the following plea to the former employee: “Just come forth and say, ‘I’m sorry. I did not think it was going to go to this extreme. I was mad at you.’ Let people know that you did it and I did not."

Since the death threats were made, the Houston Police Department has been checking in on Hatch and the business. An investigation into the hack is ongoing.  

Categories: Cyber Risk News

Building of Asia Pacific Submarine Cable Begins

Fri, 06/12/2020 - 16:36

A high-performance submarine cable is being built to enhance communications in the Asia Pacific region. 

Stretching 9,400 kilometers, the Asia Direct Cable (ADC) will connect China (Hong Kong SAR and Guangdong Province), Japan, the Philippines, Singapore, Thailand, and Vietnam.

The ADC has been designed to enable vast amounts of data to be transmitted across the East and Southeast Asia regions. Multiple pairs of high-capacity optical fibers will allow the cable to carry over 140 Tbps of traffic. 

Construction of the cable is being carried out by the NEC Corporation and is expected to reach completion in the final quarter of 2022. The ambitious project is being led by the Asia Direct Cable Consortium, composed of leading communications and technology companies, including SoftBank, China Telecom, China Unicom, PLDT Inc., Viettel, CAT, Singtel, and Tata Communications.

A spokesperson for the consortium said: "ADC’s high capacity allows it to support increasingly bandwidth-intensive applications which are driven by technological advancements in 5G, the cloud, the Internet-of-Things (IoT) and Artificial Intelligence (AI). This will further enhance the expansion of communications networks in the region."

The ADC cable landing in Japan will be enabled through SoftBank's Maruyama Cable Landing Station (CLS). Maruyama CLS currently provides landing services for many submarine cables including the Trans-Pacific submarine cable system JUPITER.

JUPITER, which is expected to start operating later this year, is a fiber-optic submarine cable system that will connect Japan, the US, and the Philippines with a total extension of approximately 14,000 km. 

Chang Weiguo, one of the ADC co-chairs from China Telecom, said: “The ADC system provides the highest cable capacity and necessary diversity for Asia’s key information hubs, which will enable carriers and service providers to better plan their networks and services for a sustainable development."

SoftBank's Koji Ishii added: “This new system will contribute to drive the Asian ICT business growth as one of the core infrastructures in the region and to meet the evolving marketplace."

NEC has helped to create multiple submarine cable systems in the Asia Pacific region over the years, including the 9,500-km Japan-Guam-Australia cable system (JGA), the 10,500-km Southeast Asia–Japan 2 consortium (SJC2), and the 16,000-km Bay to Bay Express Cable System (BtoBE).

Categories: Cyber Risk News

Ransomware Hits Tennessee City

Fri, 06/12/2020 - 15:56

The Tennessee city of Knoxville has been forced to shut down its computer network after falling victim to a ransomware attack.

Cyber-criminals mounted their attack on the county seat of Knox County in the early hours of Thursday, June 11. No information has been shared so far on how threat actors were able to compromise Knoxville's system. 

The city's chief operating officer, David Brace, said digital forensic experts had been called in to investigate the breach and pinpoint the weak point through which threat actors gained access. 

While no information has been released regarding what files were encrypted in the attack, Brace assured the public that no financial or personal information had been compromised. 

City spokesman Eric Vreeland said that since no credit card information is stored by the city, people who have made any online reservations of city facilities are not believed to be at risk following the attack.

While acknowledging that the attackers had issued a monetary demand to the city, Brace was close-lipped over how much cash was involved.  

"They’ve asked for a ransom, and that’s it," Brace told 10News.

After detecting the attack, which took place around 4:30 am, the city's IT staff shut down the computer network to minimize damage and isolate the malware. Brace said the city was soldiering on, accessing the information it needed via backup servers. 

As a result of the attack, emergency services in the city are experiencing technical issues. Knoxville Fire Department spokesman D.J. Corcoran said email communications between personnel might suffer, though the department's ability to respond to fires was thankfully not affected.

Knoxville Police Department spokesman Scott Erland said the impact of the ransomware incident had been felt by the city's men and women in blue, who are currently unable to take reports on any traffic crashes that don't involve an injury or an inoperable vehicle blocking a roadway. 

Erland said: "Those needing a report should do so through their insurance provider. No additional city services or patrol functions have been impacted. The KPD will advise once normal operations are resumed."

Both the Federal Bureau of Investigation and the Tennessee Bureau of Investigation have been informed of the ransomware attack.

Categories: Cyber Risk News

Over 100,000 UK Security Cameras Could Be at Risk of Hacking

Fri, 06/12/2020 - 13:55

More than 100,000 indoor security cameras across UK homes and businesses may have critical security flaws that make them vulnerable to hacking, an investigation by Which? has found. Owners of wireless cameras that use the CamHi app could be at risk of having their home or business spied upon by cyber-criminals, in addition to having data stolen or other devices targeted, according to the analysis.

Although many cameras have been removed from sale, many remain available from online marketplaces such as Amazon and eBay, and include popular brands like Accfly, ieGeek and SV3C. Over 12,000 were activated in UK homes in the last three months alone, and Which? believes there are around 3.5 million of these camera types in use around the world, mainly in Asia.

The investigators believe 47 different brands worldwide have a critical flaw in their camera design and software. This could allow hackers to access the video stream to spy on homes as well as talk to people if the camera has a microphone. Additionally, they could potentially steal or change passwords, discover the exact location of the camera and target other devices connected to the same network. Even changing the password may not protect against such attacks.

Commenting on the findings, Jake Moore, cybersecurity specialist at ESET, said: “The massive growth in Internet of Things (IoT) devices placed in the home and office provides the perfect opportunity for cyber-criminals to make money from particular types of malware. IoT devices are far too often packaged up with weak (if any) built-in security features, so the public are on the back foot from the outset. Security updates also tend to be infrequent which puts further risks on the owner.

“Updates and 2FA are critical but you may need to ask yourself if you really need your security camera online 24/7. If the cameras still record on the premises, they may not need to be online at all, preventing the risk of an attack altogether.”

Last month, the UK government launched a program to incentivize the creation of design schemes that test the security of IoT products due to the growing prevalence of these kinds of devices in households. 

Categories: Cyber Risk News

Aussie Beer-Maker Suffers Ransomware Attack

Fri, 06/12/2020 - 10:45

One of Australia’s largest drinks companies is warning of potential beer shortages after suffering a major ransomware attack.

Lion sells Tooheys, XXXX, Emu and other popular Aussie beer brands, as well as a range of non-alcoholic drinks.

A ransomware attack on Monday forced a shutdown of key systems at a time when the country is just coming out of COVID-19 lockdown, and the hospitality industry is looking to recoup some major losses over recent months.

However, Lion revealed in an updated statement today that a reboot of systems is taking longer than anticipated, and could lead to product shortages.

“Throughout the COVID-19 shutdown, we were able to continue to brew beer safely. We had stock at hand and were gearing up to increase brewing. This attack has delayed those plans, and because of the situation we have limited visibility of our products,” it said.

“We’re working to bring our breweries back online as soon as possible. In the meantime, we will be managing our stock levels very closely and may see some temporary shortages. We apologize in advance to our customers and consumers and ask for their patience as we do what we can to get back to normal supply levels.”

On the Dairy & Drinks side of the business, the incident continues to affect customer service and some manufacturing sites are still offline. Although there’s been no impact to the collection of milk or fruit, ordering has reverted to manual processes.

Jake Moore, cybersecurity specialist at ESET, argued that cyber-criminals are taking advantage of companies that may have been forced to radically shift operations due to the pandemic.

“In effect, more victims have been hit whilst their eyes have been diverted,” he added. “It can be increasingly difficult to bat off all the potential threats, although understanding the backup process and simulating attacks will take businesses a long way in assessing risk.”

Categories: Cyber Risk News

Privacy Expert Slams Amazon’s Facial Recognition ‘Pause’

Fri, 06/12/2020 - 09:15

Amazon has come under fire from privacy groups after saying it will only pause police use of its controversial facial recognition software for a year.

The tech giant said in a statement that it wants to give lawmakers time to improve regulation of the industry.

“We've advocated that governments should put in place stronger regulations to govern the ethical use of facial recognition technology, and in recent days, Congress appears ready to take on this challenge,” it said. “We hope this one-year moratorium might give Congress enough time to implement appropriate rules, and we stand ready to help if requested.”

Launched in 2016, Amazon’s Rekognition software has, like many similar products, been accused of racial bias. A 2019 MIT study on this even led to a shareholder vote on whether the company should stop selling the product to governments. However, only 2.4% of shareholders voted in favor.

“Automated systems are not inherently neutral. They reflect the priorities, preferences and prejudices – the coded gaze – of those who have the power to mold artificial intelligence,” that study concluded.

“We risk losing the gains made with the civil rights movement and women’s movement under the false assumption of machine neutrality. We must demand increased transparency and accountability.”

Amazon’s decision comes in the wake of civil unrest in the US over the death of George Floyd in police custody.

However, it came in contrast to IBM, which earlier this week announced it would exit the facial recognition business altogether. That makes Amazon’s announcement seem more like a PR stunt, according to Ray Walsh, digital privacy expert at ProPrivacy.

“Amazon claims that its Rekognition tech should only be used by the police to arrest suspects when the technology is 99% sure a match is correct. US police forces, however, are known to ignore this request and to instead take up to five matches from the system to be treated as suspects,” he argued.

“Despite this – and the fact that studies have shown Rekognition is far less accurate when dealing with African American faces – Amazon has been enthusiastically selling its technology to US police forces to create a revenue stream.”

Categories: Cyber Risk News

Kubernetes Clusters Hit by Kubeflow Crypto-Mining Attack

Fri, 06/12/2020 - 08:20

A first-of-its-kind campaign targeting a popular Kubernetes toolkit seeded cryptocurrency mining malware across multiple clusters, according to Microsoft.

Open source project Kubeflow is a framework for running machine learning tasks in Kubernetes.

As the nodes used for these tasks tend to be relatively powerful, sometimes including GPUs, they’re an attractive target for crypto-miners, according to Yossi Weizman, security research software engineer at the Azure Security Center.

Back in April, his team detected a suspect image subsequently found to be running an XMRIG miner, deployed from a public repository onto multiple clusters.

Weizman explained that the Kubeflow dashboard is exposed by an Istio ingress gateway and, by default, is accessible only internally. However, users may have unwittingly made the set-up less secure by tweaking these settings.

“In some cases, users modify the setting of the Istio Service to Load-Balancer which exposes the service to the internet. We believe that some users chose to do it for convenience: without this action, accessing the dashboard requires tunneling through the Kubernetes API server and isn’t direct,” he said.

“By exposing the service to the internet, users can access the dashboard directly. However, this operation enables insecure access to the Kubeflow dashboard, which allows anyone to perform operations in Kubeflow, including deploying new containers in the cluster.”

This likely allowed attackers to deploy a backdoor container in the cluster, Weizman added.

Although only “tens” of clusters were affected in this operation, it comes hot on the heels of a larger-scale cryptocurrency mining campaign against Kubernetes clusters spotted by Microsoft in April.

Weizman concluded that organizations should make use of authentication and access controls, ensure sensitive interfaces are not exposed to the internet, regularly monitor the runtime environment, allow deployments of only trusted images and always scan images for vulnerabilities.
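As an added example (not part of the article or of Microsoft's research), the following Python check walks `kubectl get svc --all-namespaces -o json` output and flags services in the Istio and Kubeflow namespaces that have been switched to LoadBalancer or NodePort, the exposure path described above. The service names, namespaces and sample JSON are constructed assumptions following common Istio/Kubeflow conventions, not values from the page.

```python
import json
from typing import Dict, List

# Constructed sample shaped like `kubectl get svc --all-namespaces -o json`;
# the service names follow common Istio/Kubeflow conventions (an assumption,
# not taken from the article) and the address is a documentation IP.
SAMPLE_SVC_JSON = json.dumps({"items": [
    {"metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"name": "ml-pipeline-ui", "namespace": "kubeflow"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"name": "centraldashboard", "namespace": "kubeflow"},
     "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]},
     "status": {"loadBalancer": {}}},
]})

# Service types that publish a service beyond the cluster network.
EXPOSING_TYPES = {"LoadBalancer", "NodePort"}
# Namespaces whose services front the Kubeflow dashboard (assumed layout).
WATCHED_NAMESPACES = {"istio-system", "kubeflow"}


def find_exposed_services(svc_json: str) -> List[Dict]:
    """Return watched services that are reachable from outside the cluster.

    A service counts as exposed if its type is LoadBalancer or NodePort, or if
    the cloud provider has already assigned it an external address.
    """
    findings = []
    for item in json.loads(svc_json).get("items", []):
        meta, spec = item["metadata"], item["spec"]
        if meta["namespace"] not in WATCHED_NAMESPACES:
            continue
        ingress = item.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        external = [e.get("ip") or e.get("hostname") for e in ingress]
        svc_type = spec.get("type", "ClusterIP")
        if svc_type in EXPOSING_TYPES or external:
            findings.append({"namespace": meta["namespace"], "name": meta["name"],
                             "type": svc_type, "external": external})
    return findings


def istio_gateway_is_loadbalancer(svc_json: str) -> bool:
    """The misconfiguration the article describes: the Istio ingress gateway
    service switched to LoadBalancer, which puts the dashboard on the internet."""
    return any(f["namespace"] == "istio-system" and f["name"] == "istio-ingressgateway"
               and f["type"] == "LoadBalancer"
               for f in find_exposed_services(svc_json))


if __name__ == "__main__":
    for f in find_exposed_services(SAMPLE_SVC_JSON):
        print(f"EXPOSED {f['namespace']}/{f['name']} type={f['type']} external={f['external']}")
    print("istio gateway is LoadBalancer:", istio_gateway_is_loadbalancer(SAMPLE_SVC_JSON))
```

Against a live cluster, feed the real kubectl output to `find_exposed_services` in place of the constructed sample; a ClusterIP gateway reached through `kubectl port-forward` or the API server proxy produces no finding.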

Categories: Cyber Risk News

US Cops' Personal Info Leaked Online

Thu, 06/11/2020 - 17:40
The US Department of Homeland Security has produced a document warning that the personal information of America's police officers is being leaked online. 

According to the unclassified intelligence document obtained by The Associated Press, threat actors are searching for private or identifying information about cops serving in departments nationwide and publishing it online in a form of cyber-attack known as doxxing.

In the document, the DHS warns that the digital act of doxxing could engender actual physical violence perpetrated by "violent opportunists or domestic violent extremists" if information like officers' home addresses fell into malicious hands. 

A further dire consequence of doxxing that the DHS said could happen is that law enforcement officials would be prevented from carrying out their duties.

Included in the document is the bombshell that numerous high-ranking police officials have already fallen victim to doxxing attacks that have seen their home addresses, email addresses, and phone numbers splashed across social media. 

Top brass officers whose privacy has been compromised are serving in cities including Washington, Atlanta, Boston, and New York.

The DHS believes doxxing attacks on police officers are linked to the ongoing protests over police brutality triggered by the death of George Floyd.

The report states that “at least one of the police commissioners was targeted for his alleged support of the use of tear gas to disperse protests."

Police officers in cities across America have been placed in a difficult position, ordered to keep the peace as numerous peaceful demonstrations have been hijacked by looters and violent extremists.

It seems that the excessive force used by a minority of cops has tarnished the reputation of America's entire law enforcement community, the majority of whom uphold their sworn oath to protect and serve the public. 

Some protestors have cited Floyd's death as evidence of systemic racism in the police force. They may be surprised to learn that of the people shot to death by US police between 2017 and June 2020, 1,398 were white, 755 were black, 542 were Hispanic and 133 were "other." The race of a further 588 people shot to death by American cops was unknown.

Categories: Cyber Risk News

SD-WAN is the Cloud Security of Choice for Half of UK Businesses

Thu, 06/11/2020 - 17:15
Software-defined wide area network (SD-WAN) is the cloud security solution of choice for around half (49%) of UK businesses, who have either deployed it or are planning to do so in the next 12 months, according to a report by Barracuda Networks.

The research also found this approach is being used by 27% of UK decision makers, who have added security to their public cloud, whilst 33% said SD-WAN is their preferred additional security solution to add to the public cloud.

In the study, global IT decision makers from a broad range of sectors across EMEA, APAC and the US were surveyed about their attitude to SD-WAN, a targeted, software-defined approach to the traditional wide-area network.

Nearly half (48%) of UK respondents thought SD-WAN improved overall connectivity, while 45% said it increased network flexibility and agility. None of those surveyed from the UK said there were no benefits in deploying the software.

The sector with the highest uptake of SD-WAN in the EMEA region was construction and property, with 80% of respondents from this area saying they have already deployed it, or expect to in the next 12 months. This was followed by the IT technology and telecoms industries (76%).

There is currently zero deployment of SD-WAN in EMEA public sector organizations, although 35% are in the process, or expect to do so in the next year, according to the analysis.

Microsoft Azure was the most popular SD-WAN product; it was 50% more favored globally than Amazon AWS and 125% more preferred than Google GCP. The survey indicated that Microsoft Azure was perceived to be more secure and user friendly than AWS and GCP.

Klaus Gheri, VP, network security, Barracuda, commented: “As more organizations move to the public cloud, SD-WAN technology is a critical part of securing these cloud deployments. By deploying an all-in-one, secure SD-WAN solution natively built into the public cloud network, organizations can reap the full benefits of public cloud.”

Categories: Cyber Risk News

Macy's Pays $192,000 to Settle Data Breach Suit

Thu, 06/11/2020 - 16:20
US department store giant Macy's has agreed to pay almost $200,000 to settle a lawsuit brought over a data breach, according to Footwear News.

The class-action lawsuit was brought after a third party managed to obtain customer information from the company in spring 2018. In the suit, plaintiff Anna Carroll accused the 162-year-old company of failing to properly secure customer data against cyber-attackers.

On June 5, Macy's received final approval from a federal judge in Alabama to settle the suit. The retailer has set aside $192,500 to be allocated to eligible class members. 

Under the terms of the settlement, plaintiff Anna Carroll will receive a payment of $2,500 from Macy's. A further $60,000 will be shelled out by the store to cover legal costs. 

Class members will be reimbursed up to $1,500 provided they can supply documents to prove that they incurred expenses and lost time as a direct result of the data breach. Claimants who are unable to prove that their time was wasted in dealing with the fallout from the breach can only claim a single $30 payment. 

Judge R. David Proctor called the settlement “fair, reasonable, and adequate” in a memorandum. 

Opting to pay to make the suit go away is not an admission of failure to implement adequate cybersecurity measures on Macy's part. The company has stated that it "is not in any way liable for the cyber-attack" but chose to settle the suit because of the "risks, uncertainties, burden, and expense of continued litigation." 

Macy's customers were informed in July 2018 that a third party had used valid usernames and passwords to gain access to accounts on and between April 26 and June 12 that year. 

In November 2019, Macy's notified its customers of a further data breach that occurred in October 2019. A Massachusetts consumer subsequently filed a class-action against Macy's in March 2020 over the 2019 data breach. 

According to the suit, Macy’s has offered “neither financial compensation nor an opportunity to obtain, free of charge, certain professional monitoring” aimed strictly at protecting against identity theft for one year.

Categories: Cyber Risk News

UK Government Awards £10m Fund to Develop Cybersecurity Tech Solutions

Thu, 06/11/2020 - 15:25
The UK government is investing £10m over the next four years to boost the development of new cybersecurity technology solutions, digital secretary Oliver Dowden has announced today at London Tech Week Connect. Nine grant winners will share the fund from the government’s Digital Security by Design program, launched last year, which aims to improve the resilience of UK organizations to cyber-attacks.

The winners will use the money to build on their innovative solutions and create enhanced software and applications to contain any hacking attempts.

The selected solutions tackle a range of cyber-threats. The University of Southampton will get a portion of the fund for its ‘HD-Sec’ solution, which seeks to speed up the software design process and reduce the errors and security vulnerabilities that could otherwise be exploited by hackers.

Another is ‘AppControl’ from the University of Glasgow, which will use the money to leverage its state-of-the-art microprocessors, with the aim of ensuring that vital systems that could be used in cars, medical robots or nuclear power plants remain digitally secure.

Each team will be expected to demonstrate the economic and societal benefits of their new secure technology by creating a working example of their solution.

Dowden said: “We have a world-class cybersecurity sector and together we are working hard to make sure the UK is the safest place to work, connect and live online. With government support, these projects will build cutting-edge, secure technologies that will give people and businesses further confidence in our digital services and help weaken the threat of cyber-attackers.”

The initiative forms part of the UK government’s commitment to increase investment in R&D by 2.4% of GDP by 2027. Yesterday, applications were opened for the world’s first artificial intelligence (AI) and data science conversion courses in the UK, which will begin in autumn 2020.

Cyber-attacks are an increasing threat to organizations in the UK. According to the government’s Cyber Security Breaches Survey 2020, published in March, 46% of businesses and 26% of charities have experienced cybersecurity breaches or attacks in the last 12 months.

Categories: Cyber Risk News

MAZE Attacks Victoria Beckham's Advisory Firm

Thu, 06/11/2020 - 15:24
The threat group MAZE claims to have carried out a cyber-attack on a mergers and acquisitions firm whose client list includes former Spice Girl and fashion designer Victoria Beckham. 

MAZE maintains that it has encrypted and exfiltrated data from New York company Threadstone Advisors using ransomware. 

Threadstone is an independent advisory firm based on Madison Avenue that specializes in the consumer and retail sectors. The company worked with Beckham to facilitate a minority investment by NEO investment partners. 

Other clients of the M&A firm include Charles S. Cohen, Pittsburgh Brewing Co., Harrys of London, and Xcel Brands. 

Notice of the alleged assault was posted on the cyber-criminals’ blog within the past 24 hours, along with the phone number and email address of Threadstone's managing director, Joshua Goldberg. 

Proof of the attack in the form of files containing Threadstone's data has not been made available by MAZE. However, the threat group claims on their blog that such evidence is "coming soon." 

No information has been shared as to how much of Threadstone's data MAZE claims to have accessed or how much the group is demanding as a ransom payment. 

Infosecurity Magazine contacted Goldberg to confirm the alleged attack but had not received a response at time of publication. 

Commenting on the possible cyber-crime, Emsisoft's Brett Callow said: "For companies that hold sensitive information about its clients, data theft is a nightmare scenario."

Callow said that this particular type of cyber-attack placed companies in an impossible situation. 

"Whether the ransom is paid or not, their information is in the possession of cyber-criminals and may be made publicly available and/or sold or traded with other criminal enterprises," said Callow. 

"At best, a company will receive a pinky promise that the stolen data will be deleted and not misused—but as that pinky promise is being made by criminal scumbags, it carries very little weight. No weight at all, in fact."

Previous victims of MAZE include IT services firms Cognizant and Conduent. Cognizant admitted that its run-in with the MAZE group in April 2020 could end up costing the firm $70m.

Categories: Cyber Risk News

Malicious Apps Pose as Contact Tracing to Infect Android Devices

Thu, 06/11/2020 - 14:13
Threat actors are using fake COVID-19 contact tracing apps to infiltrate Android devices in countries around Asia, Europe and South America.

According to research from Anomali, 12 fake apps have been detected as targeting citizens in Armenia, India, Brazil, Chhattisgarh, Colombia, Indonesia, Iran, Italy, Kyrgyzstan, Russia and Singapore.

Once installed, the apps are designed to download and install malware that monitors infected devices and steals banking credentials and personal data.

In particular, the Anubis and SpyNote malware have been detected as being downloaded by these apps. Anubis is an Android banking Trojan that utilizes overlays to access infected devices and then steal user credentials, while SpyNote is an Android Trojan used for gathering and monitoring data on infected devices.

The fake app that imitates the Brazilian government’s official COVID-19 tracing app asks for the accessibility service privilege in the user’s app settings; once the user grants that permission, the app runs in the background and hides its icon from the application drawer.

“We believe the threat actors are distributing the malicious apps via other apps, third-party stores, and websites, among other channels,” Anomali said.

“Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies. The global impact of the COVID-19 pandemic makes the virus a recognizable and potentially fear-inducing name, of which actors will continue to abuse.”

Previous research by Lookout found a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals. Upon first launch, that app informed the user it did not require special access privileges, “but subsequently proceeds to request access to photos, media, files, device location, as well as permission to take pictures and record video.”

Tom Davison, technical director – international at Lookout, said: “One single app-based malware campaign may in fact be spread through 10s or even 100s of infected apps. Frequently these will impersonate well-known apps, or latch onto topics of interest for their intended targets.

“As more countries adopt government-sponsored or privately developed contact tracing apps, it is not unexpected that further malicious app samples will emerge. None of the samples observed by Lookout were ever on the Google Play Store and the advice to users is to always download mobile apps from official stores.”

Paul Balkwell, vice-president EMEA at AppRiver, a Zix company, told Infosecurity that it has already seen how vulnerable people are to these kinds of attacks that impersonate legitimate COVID-19 contact tracing government apps. “With contact tracing considered a fundamental vehicle to reopening world economies, we will unfortunately see an increase in these malicious apps and other opportunistic scams,” he said. “The threat environment is evolving to match the current situation.”

Asked if he expected there to be more fake or malicious apps pretending to be contact tracing apps, Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), said that, given that contact tracing implementations are trending towards Bluetooth and the discussion includes identifying contacts and communicating where the contact occurred, “it’s reasonable for consumers to expect any contact tracing app to request extra permissions like access to device contacts and location.”

However, as consumers have no way to vet the true technical requirements for any contact tracing app, Mackey said if the app also requests access to camera, phone or files, that might seem reasonable enough. “This then represents a perfect cover for cyber-criminals who could request excess privileges and safely mount their attacks while legitimate contact tracing protocols and apps are being developed,” he added.

Javvad Malik, security awareness advocate at KnowBe4, said criminals will latch onto any current event and news story to try to get malware onto devices; the COVID-19 pandemic has provided ample opportunities for them to do so, and contact tracing apps are no exception.

“It is likely that as more people become aware of contact tracing apps we will see a sharp rise in the number of fake malicious apps,” he said. “Not only that, but we'll probably see alternate apps crop up which will claim to block contact tracing apps or make users invisible to authorities. The advice, as always, is for users to remain vigilant about apps. They should only trust official sources and not download apps which are sent to them via SMS, email or social media.”

Categories: Cyber Risk News