The FBI has confirmed to a US senator that the popular mobile application FaceApp could be a counter-intelligence risk because of its Russian developers.
The app — which uses AI to transform the faces of users to make them look older, change gender and so on — leapt to fame earlier this year when the #FaceAppChallenge started trending.
It was said that the title, which was created by St Petersburg-based Wireless Labs in 2017, has access to the facial images of over 150 million users globally.
Security experts warned at the time that the app requests access to all of a user’s photos, not just the ones they want to manipulate using its tech. It also demands access to the smartphone’s search and Siri functions and background refreshes.
That was a problem for New York senator Chuck Schumer, who asked the FBI to investigate whether FaceApp posed a national security risk by potentially providing the data it harvests to Russian authorities.
Although the app’s makers say photos are uploaded only to cloud datacenters located in the US, Singapore, Ireland and Australia, and that most photos are removed from its servers 48 hours after submission, concerns persist.
The FBI’s letter said Russia’s fearsome Federal Security Service (FSB) can remotely access “all communications and servers” on networks in the country without needing to submit formal requests to ISPs.
“If the FBI assesses that elected officials, candidates, political campaigns, or political parties are targets of foreign influence operations involving FaceApp, the FBI would coordinate notifications, investigate, and engage the Foreign Influence Task Force, as appropriate,” the letter stated.
Almost all small and medium-sized businesses in America have executives who are living in fear of a cyber-attack from foreign adversaries, according to new research published today.
The Q4 Cyberthreat Index for Business Survey by Zix-AppRiver found that 93% of SMB executives believe that as foreign adversaries attempt to breach national security or wage cyber-war, they will use small businesses such as their own as entry points. Two-thirds expect this threat to be more severe in 2020, when the next presidential election will take place.
To better protect their businesses from the evil machinations of threat actors, 62% of American SMB executives plan to increase their cybersecurity budgets in the coming year.
Among the list of cybersecurity upgrades executives would like to make, their highest priorities were employing more cybersecurity technology (58%), creating better security awareness training for their employees (57%), and conducting more regular reviews of their existing security defenses (50%).
These findings are in line with other key results from the survey, which indicate that only 43% of all SMB executives currently feel in control and confident in their own cyber-preparedness.
"In 2019, we saw cyberattacks on our government trickle down from large agencies to smaller local municipalities and schools. That follows the pattern we’ve seen in business, where attacks have expanded from big corporations to small and medium-sized businesses," said Zix CEO Dave Wagner.
"While these attacks can originate from anywhere, the survey data shows that SMBs believe foreign actors and even nation-states may be targeting them as the first step toward access to larger companies or government agencies."
The survey polled 1,049 cybersecurity decision-makers within US SMBs that employed fewer than 250 employees, covering a diverse range of industry sectors.
Respondents working with the government and technology sectors were among those most concerned about foreign state-sponsored cyber-attacks on their business in 2020.
Executives within these industries also had the highest propensity to increase their cybersecurity budgets in 2020, with 77% of technology SMBs and 76% of government SMBs planning to increase their budgets in the coming year.
"It seems unusual that small and midsize companies are concerned about foreign powers, but with elections coming up in 2020, they have legitimate reasons to worry about becoming vulnerable entry points for outside entities," said Troy Gill, senior cybersecurity analyst at AppRiver.
The US Congress is to consider a bill to block the use of Grinch bots, which buy up large quantities of toys then re-sell them at hugely inflated prices.
Cyber Grinch bots use automation technology to bypass security measures and order large batches of the most sought-after toys and other products, which are then resold at grossly inflated prices by the bad actors who deployed the bots.
"Allowing Grinch bots to rig prices and squeeze consumers during the holiday season hurts American families, small business owners, product makers, and entrepreneurs. We will not allow this market manipulation to go unchecked,” said Paul Tonko.
If passed into law, the new bill would make it illegal to knowingly circumvent a security measure, access control system, or other technological control or measure on a website or online service in this way. It would also make it an offense to sell or offer to sell any product or service obtained in this manner.
The Stopping Grinch Bots Act proposes allowing the Federal Trade Commission to treat these abusive security workarounds as prohibited unfair or deceptive acts or practices and to take action against the bad actors.
Speaking in an interview with News 8 on Friday, Senator Richard Blumenthal said: "These cyber-thieves are going to websites, buying in bulk the hottest, latest toys, and hijacking the holidays for countless children, their parents, and small businesses.
"They re-sell them at outrageously high prices. They raise the cost of the holidays and they also ruin them for a lot of children whose toys are then out of reach financially for their parents."
In 2016, Tonko’s Better Online Ticket Sales (BOTS) Act was signed into law by President Obama to ban “ticket bots” that intentionally bypass security measures on online ticketing websites to unfairly out-price individual fans. The Stopping Grinch Bots Act would apply the structure of the BOTS Act to e-commerce sites to ban bots that bypass security measures on online retail sites.
The legislation has received support from national consumer organizations, including Consumer Reports, Consumer Federation of America, and the National Consumer League.
"With some luck maybe, we can get it done before these holidays are ended, but in any event, we should have the law in place to protect consumers in the future. These cyber bots are going to be with us unless we take action against them," said Blumenthal.
The Federal Bureau of Investigation has issued a warning to holiday shoppers who are planning to swap some of their hard-earned cash for a smart TV.
In a statement released by the Oregon branch of the FBI, members of the public were warned that an unsecured TV that is connected to the internet could be used as a conduit for cyber-criminals to gain virtual entry into a home.
The FBI said: "Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router."
Potential smart TV owners were advised that hackers who had taken control of an unsecured set could do anything from messing around with volume controls to showing inappropriately violent or sexually explicit videos to children.
"In a worst-case scenario, they can turn on your bedroom TV's camera and microphone and silently cyber-stalk you," said the FBI.
Shoppers were warned that they cannot rely on the default security settings of any devices that they might purchase to provide adequate protection for themselves and their families. Instead, agents urged anyone considering buying a smart TV to make sure that they fully grasp exactly what features their smart TV comes with and how to control them before making a purchase.
The FBI said: "Change passwords if you can—and know how to turn off the microphones, cameras, and collection of personal information if possible. If you can’t turn them off, consider whether you are willing to take the risk of buying that model or using that service."
As a back-to-basics option, smart TV owners who want to disable a camera that cannot be switched off were advised to place a piece of black tape over the set's camera eye.
Javvad Malik, security awareness advocate at KnowBe4, commented: "The main takeaway from this advisory should be that keeping devices patched and secure should be the responsibility of the manufacturer; we cannot place the burden on the average consumer to be tech-savvy enough to check settings, permissions, and apply patches."
Global police have shut down nearly 31,000 domains as part of a crackdown on IP infringement.
Law enforcers from 18 EU member states including the UK joined forces with Europol, the US National Intellectual Property Rights Coordination Center, Eurojust and Interpol as part of operation IOS X.
The 30,506 domains in question were apparently associated with selling a range of counterfeit and pirated items: from pharmaceuticals, software and electronics to movies, TV streaming and music.
During the crackdown, officers arrested three suspects, seized 26,000 luxury products including clothes and perfume, 363 liters of alcohol, and a trove of hardware devices. They also froze more than €150,000 ($166,000) in several bank accounts and online payment platforms.
During the operation, Europol’s Intellectual Property Crime Coordinated Coalition (IPC³) cross-checked information gathered by officers against its databases in real-time.
The policing organization has also been responsible for training law enforcers in member state countries in IP infringement investigation techniques, it said.
Its Don’t F***(ake) Up campaign, launched last year, is designed to inform consumers about the potential risks involved in buying from counterfeit sites.
The operation mimics a similar raid in November 2018 which saw nearly 34,000 domains shuttered by police in response to the growing problem of IP infringement.
City of London police have warned consumers in the past that if they buy from such sites their identities may be abused by fraudsters in the future. In 2017 the force contacted 400 members of the British public to tell them their names and addresses had been used to register websites selling counterfeit or pirated goods.
The bigger problem is that goods bought from these sites are of inferior quality, possibly even dangerously so, or don’t arrive at all.
Digital skimming hackers have been in action again, this time targeting the website of a leading US gun-maker and its customers.
Springfield, Massachusetts-based Smith & Wesson was attacked on Black Friday, during one of the busiest shopping weekends of the year, according to Sanguine Security.
The security vendor’s forensics man, Willem de Groot, warned on Twitter that although the skimming code was injected into the site last Wednesday, November 27, it was still active as of Monday, December 2.
To add another layer of intrigue, the hackers have been using the Sanguine Security name as cover to legitimize their campaign.
“Skimming code & infrastructure is identical to the campaign that impersonates Sanguine Security,” said de Groot. “Hacker registered skimming domains in my name and disguises as Sanguine protection.”
The domains in question, sansec[.]us and sanguinelab[.]net, were registered in a bid to ape the vendor’s legitimate sansec[.]io name.
It’s likely the attackers chose Sanguine Security deliberately, as much of its work for customers is to protect them from Magecart-style attacks.
For companies that are not prepared for such attacks, there could be severe financial repercussions. De Groot explained that the attack on Macy’s wiped $500m off its share price.
“Alas, for Smith & Wesson, the put options don't seem to be in high demand right now,” he said. “Carding has a better yield than stock manipulation?”
The gun-maker’s travails are just the latest in a long line of incidents hitting big name companies. The aforementioned Macy’s was the most recent high-profile brand to have its website infected, leading to the exfiltration of an unspecified number of customers’ card data over the period of a week.
Earlier this year Sanguine Security discovered what it described as the biggest single automated campaign to date, hitting over 960 e-commerce sites in just a day.
Tens of millions of Americans may have been caught in another data leak after business SMS provider TrueDialog left a massive database exposed online, according to researchers.
The team at vpnMentor discovered the Oracle Marketing Cloud database hosted on Microsoft Azure in the US. It was apparently left wide open, exposing 604GB — or one billion entries — of sensitive information.
“It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways. It’s rare for one database to contain such a huge volume of information that’s also incredibly varied,” vpnMentor claimed.
“The database contained entries that were related to many aspects of TrueDialog’s business model. The company itself was exposed, along with its client base, and the customers of those clients.”
TrueDialog’s clients are mainly businesses and higher education institutions, which use its services to send out bulk marketing missives and alerts to their customers/students.
The leak exposed the full names, email addresses and phone numbers of SMS recipients as well as the content of messages, plus account log-ins for TrueDialog clients that were stored either in clear text or merely base64-encoded, which is trivially reversible.
This could theoretically have been used in account takeover (ATO) attacks targeted at those TrueDialog business clients, plus identity fraud/phishing and even blackmail efforts against SMS recipients. The TrueDialog service allows for two-way communication between business and customer, so texts contained plenty of personal information sent by the latter, according to vpnMentor.
Although the SMS giant fixed the issue a day after being contacted by the researchers, it offered no response to them.
The firm apparently works with nearly 1000 mobile phone operators and reaches more than five billion subscribers around the world.
Kelly White, CEO of RiskRecon, argued that every service provider is a potential source of data exposure today.
“It’s a trade-off that most enterprises make a thousand times in order to more effectively run their business, but putting blind trust into a service provider and assuming they’ll keep sensitive data safe is a recipe for disaster,” he added.
“That’s why it’s so important for companies to extend their ability to safeguard data across the networks of any third or fourth party with whom they interact, which means asking questions like whether service providers have taken the necessary precautions to keep sensitive data under lock and key. That includes using cloud storage that isn’t internet-facing in order to reduce unnecessary exposure.”
An American health services provider has agreed to pay a fine of $2.175m after refusing to properly notify Health and Human Services of a data breach.
In April of 2017, a complaint regarding Sentara Hospitals was received by the Department of Health and Human Services (HHS). The complainant said that they had received a bill from Sentara Hospitals containing another patient’s protected health information (PHI).
An investigation launched by the Office for Civil Rights (OCR) determined that Sentara had merged the billing statements for 577 patients with 16,342 different guarantors' mailing labels, resulting in the disclosure of the PHI of 577 individuals.
Information exposed by the breach included patient names, account numbers, and dates of services they had received.
Sentara reported this incident as a breach affecting only eight individuals. The health services provider had incorrectly concluded that unless a disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred.
A spokesperson for HHS said: "Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR."
The OCR also determined that Sentara Hospitals provides services involving the receipt, maintenance, and disclosure of PHI for its member-covered entities, but did not enter into a business associate agreement with its business associate Sentara Healthcare until October 17, 2018, well after the breach.
Sentara manages 12 acute-care hospitals with more than 300 sites throughout Virginia and North Carolina. The health services provider agreed to take corrective action and pay $2.175m to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.
Roger Severino, OCR director, said: "HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.
"When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR."
In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. As part of the plan, Sentara will have to develop, maintain, and revise, as necessary, their written policies and procedures to comply with federal standards.
The number of cybercrimes recorded by the Scottish police has more than tripled in a year, according to Scottish newspaper The Herald.
In an article published yesterday, the paper said that new statistics released by the force show that from April to September this year, 4,495 cybercrimes were recorded, including stalking, sexual crimes, and fraud.
The figures represent an increase of 315% when compared to the same time period in 2018.
The total figure of recorded cybercrimes could climb higher as data has not yet been received from all divisions.
Police told the Scottish newspaper that the jump in recorded cybercrimes could be down to better detection and identification techniques rather than a sudden electronic crime-wave.
"We did not have the means with some of the legacy technology to adequately capture the digital element of all the things that are happening. Now with a bit more sophistication, we can capture the digital nature of a whole series of different crimes," said Deputy Chief Constable Malcolm Graham.
The Scottish police are currently running a "Tag it, Mark it, Log it" campaign to encourage officers and staff to identify and mark any crimes that are found to have a cyber-element.
Graham said: "There is not an offense of cybercrime, so we are looking at other crimes that have a digital element."
Graham said that cybercrime had moved far beyond the public perception of targeted attacks and was now closely interwoven with almost all forms of criminality.
"It's without boundaries. The victims and the perpetrators are not necessarily going to be in the same place. It might be domestic abuse, it might be an organized crime group based in the same area."
"But the growing experience is that the victims and the perpetrators are dislocated, nationally, and potentially internationally, so a big element of this is our ability to work with other national and international law enforcement agencies, the National Crime Agency, the security services, and to grow that cooperation to sharing info we need so people in other jurisdictions can be held to account."
According to Graham, of all the crimes the modern police face, "the vast majority" feature an electronic or digital element either in their execution or in their detection.
"Every crime type certainly could have a digital footprint. I am not saying every single crime would. But there is always going to be some element of evidence that is digital," said Graham.
The European Union Agency for Cybersecurity (ENISA) today published a report containing recommendations to establish an EU-wide cybersecurity certification scheme for cloud service providers.
The report was created by the Cloud Service Provider Certification Working Group (CSPCERT WG) at the request of the European Commission. Instead of proposing a completely new certification scheme, the working group has advised giving guidance for a program "based on existing practices/schemes/standards used by the industry and internationally recognized."
CSPCERT WG recommends the introduction of a cloud security certification scheme featuring three levels of assurance: "basic," "substantial," and "high." The assurance level awarded would be commensurate with the level of risk associated with the intended use of the ICT product, service, or process, in terms of the probability and impact of a cybersecurity incident.
A risk analysis would be performed to define the requirements of a particular level of certification, taking into account the benefits versus cost, the risk level, and the impact of a cyber-incident on the cloud service.
According to the report, the certification program should be designed to allow a cloud service provider to bundle services into a single certification, as long as those services are transparently included in the original or subsequent audit cycles and meet the required assurance for that certification level.
ENISA said: "A single European cloud certification is critical for enabling the free flow of non-personal data, which allows for the unrestricted movement of data across borders and information systems within the EU.
"The cybersecurity certification of cloud services will bring enhanced trust and legal certainty in the security of cross-border data processing, as acknowledged by the Free Flow of Data Regulation. Certified cloud services will reinforce the impact of this regulation helping the EU data economy to further contribute to GDP growth."
The report, entitled CSPCERT WG—Recommendations for the Implementation of the CSP Certification Scheme, was published ahead of plans to launch a call for applications to select members for a corresponding Ad-Hoc Working Group for Cloud Cybersecurity Certification. The call will be posted soon on the ENISA website.
SAP has been forced to apologize after an internal error leaked the personal data of tens of thousands of gun owners to dealerships in New Zealand.
The German software giant is supporting a government gun buyback scheme introduced in the wake of the deadly mass shootings in Christchurch earlier this year.
As part of this policy, owners can return their firearms to accredited dealerships as well as police stations, registering their weapons first on a dedicated website.
However, problems with an SAP update appear to have led to highly sensitive details being made accessible to scores of those dealers. It’s thought that they included names, addresses, dates of birth, firearms licence numbers and bank account details — with as many as 38,000 potentially affected.
“As part of new features intended for the platform, security profiles were to be updated to allow certain users to be able to create citizens records,” a reported statement from the firm explained.
“A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP... We unreservedly apologize to New Zealand Police and the citizens of New Zealand for this error.”
Police have apparently shut down the database temporarily after receiving reports of the privacy snafu from dealers, and will continue to manage the process manually.
Unsurprisingly, gun lobbyists have gone on the offensive.
“It’s a shopping list for criminals,” argued Nicole McKee of the Council of Licensed Firearms Owners, adding that gun owners considering the buyback scheme are “now being told they have to comply with a system that cannot be trusted.”
There are fears that Kiwi gun owners could now have their properties targeted by criminals.
British streaming service Mixcloud has been hacked and the personal data of tens of millions of users put up for sale on the dark web, it has emerged.
The service issued a brief statement on Saturday confirming the incident.
“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems,” it noted.
“Our understanding at this time is that the incident involves email addresses, IP addresses and securely encrypted passwords for a minority of Mixcloud users. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.”
One saving grace is that the firm doesn’t store full credit card details, or mailing addresses.
Another is that the passwords of users who signed up with a password rather than via Facebook authentication were hashed with SHA-2, a set of NSA-designed cryptographic hash functions which are thought to be almost impossible to crack.
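Two of the items above turn on the same distinction: the TrueDialog leak is described as exposing "base64-encoded" log-ins, and the Mixcloud statement describes SHA-2-hashed passwords as secure. Base64 is an encoding, not a cipher, so anyone holding the string recovers the credential; SHA-2 is a genuine one-way function, but it is fast and, used without a per-user salt, lets a defender (or an attacker) check a stored digest against a list of common passwords in bulk. The Python below is an added illustration, not code from TrueDialog, Mixcloud or vpnMentor: it decodes a constructed base64 log-in, audits a constructed set of unsalted SHA-256 digests against a tiny common-password list, and contrasts that with salted, iterated PBKDF2-HMAC-SHA256 storage, which is how passwords should be stored. The credential, user names and wordlist are all made up for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample row, standing in for a leaked "base64-encoded log-in";
# this is not data from the TrueDialog database.
SAMPLE_ENCODED_LOGIN = base64.b64encode(b"alice@example.com:hunter2").decode("ascii")

# Current OWASP Password Storage guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def decode_base64_credential(encoded: str) -> tuple:
    """Base64 offers no secrecy: decoding returns the original user and password."""
    raw = base64.b64decode(encoded).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def sha256_hex(password: str) -> str:
    """Unsalted, single-round SHA-256, as a bare SHA-2 digest of a password would be stored."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_unsalted_hashes(stored: dict, common_passwords: list) -> dict:
    """Defender's weak-password audit over unsalted digests.

    Because every user with the same password shares one digest, hashing the
    wordlist once is enough to flag every matching account at once. This is
    exactly the property that makes unsalted fast hashes unsuitable for passwords.
    """
    lookup = {sha256_hex(pw): pw for pw in common_passwords}
    return {user: lookup[digest] for user, digest in stored.items() if digest in lookup}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, returned as a self-describing record."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_records_differ(password: str) -> bool:
    """The same password stored twice yields two different records, so no shared-digest audit works."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("decoded log-in:", decode_base64_credential(SAMPLE_ENCODED_LOGIN))
    # Constructed user table with unsalted SHA-256 digests.
    table = {"user1": sha256_hex("password123"), "user2": sha256_hex("Zq7!vTx9#L-long")}
    print("weak accounts:", audit_unsalted_hashes(table, ["password", "password123", "123456"]))
    rec = hash_password("hunter2")
    print("salted record verifies:", verify_password("hunter2", rec))
    print("same password, distinct records:", salted_records_differ("hunter2"))
```

The audit function is the same computation a breach-assessment team runs over its own exported user table to find accounts that must be reset first; with per-user salts and a slow KDF, as in `hash_password`, that shortcut disappears and each guess must be recomputed per account.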
Although Mixcloud hasn’t revealed the true scale of the attack, the alleged hacker told various news sources that the trove contained details of at least 20 million customers, which they have put up for sale on the dark web for 0.5 Bitcoin ($3650).
“Whilst we have no reason to believe that any passwords have been compromised, you may want to change yours, especially if you have been using the same one across multiple services,” the firm concluded.
Users should also be on the lookout for follow-on phishing attempts as fraudsters use their breached personal information to craft convincing-looking scam emails designed to elicit more info.
It’s unclear whether the breach came as a result of deficient internal security policies, but given Mixcloud is a UK-based company, the Information Commissioner’s Office (ICO) will be keen to take a look.
The number of global breaches (+54%) and exposed records (+52%) both grew significantly from the first half of 2018 to the first six months of this year, according to Risk Based Security.
Global police executed 85 warrants last week in a coordinated operation to shut down notorious remote access Trojan (RAT) Imminent Monitor.
An investigation led by the Australian Federal Police (AFP), was coordinated internationally by Europol and involved law enforcement and judicial authorities in Europe, Colombia and Australia.
It began with warrants issued in June to search an alleged employee and developer of the IM-RAT. The operation was followed by last week’s raids in Australia, Colombia, the Czech Republic, the Netherlands, Poland, Spain, Sweden and the UK.
Some 13 of the RAT’s “most prolific users” were arrested and 430 devices seized, according to Europol.
Many came in the UK, where 21 search warrants led to the arrest of nine individuals and the recovery of 100 items.
Police have also dismantled the infrastructure behind IM-RAT so that it’s no longer online.
The RAT’s relatively low price ($25) and ease of use made it a particularly serious threat to the general public, providing would-be hackers with all the capabilities they needed to bypass users’ anti-virus in order to spy on them via hijacked webcams, record keystrokes and steal data.
“The illicit use of IM-RAT is akin to a cyber-burglary, with criminals stealing data, including images and movies, secretly turning on web cams, monitoring key strokes and listening in to people’s conversations via computer microphone,” argued detective inspector Andy Milligan from the North West Regional Organised Crime Unit (NWROCU).
“Cybercrime is not an anonymous victimless crime as some believe. There are real world consequences to people’s actions in cyber space and the international activity this week has shown how serious the UK treats this sort of criminality.”
He urged computer users to ensure operating systems are always up-to-date, that they use anti-virus and they don’t click on links or attachments in suspicious emails.
IM-RAT was thought to have been used in 124 countries and sold to more than 14,500 buyers.
A new risk index compiled by Cardconnect has named Alaska as the state most vulnerable to cybercrime.
The company analyzed state-by-state statistics on four of the most prominent types of online crime—credit card fraud, identity theft, personal data breaches, and phishing-style scams (phishing, vishing, smishing, and pharming).
For each crime type, the number of instances per 100,000 residents was calculated, and each state was then ranked from 1 to 50, with 50 being the riskiest. The totals were then combined to give an overall risk index figure.
Despite boasting one of the nation’s smallest populations, Alaskans face the biggest risk of falling victim to online fraud of any state in the United States. Out of a possible worst-case scenario score of 200, Alaska came in at 195 on the risk index.
Alaska accumulated 48 out of 50 points for credit card fraud and identity theft, 49 for personal data breaches, and 50 out of 50 for phishing.
At just one point behind Alaska, Nevada was found to be the second riskiest state for cybercrime, scoring 50 out of 50 for identity theft and personal data breaches and 49 out of 50 for credit card fraud.
The Silver State only managed to slink into second place by the width of an eyelash for being slightly safer when it came to phishing, scoring 45 out of 50 on the risk index for crimes of this type.
In January 2019, Alaska’s Division of Public Assistance sent letters to 87,000 people—11.7% of the state’s entire population—notifying them that personally identifiable information such as names, Social Security numbers, and healthcare details may have been accessed by cyber-attackers.
Seven months later, 650,000 Nevada students were the victim of a data breach, which resulted in the exposure of dates of birth and email addresses.
The safest state on the risk index, with an overall risk score of just 12 out of 200, was Iowa.
"There were only 53 reports of credit card fraud in Iowa, resulting in a tiny ratio of 1.68 reports for every 100,000 residents," said a spokesperson for Cardconnect.
"This Midwestern state ranked in second place for credit card fraud, eighth place for phishing, and rated as the safest state of all for identity theft and personal data breaches."
Cybersecurity has been listed as one of the challenges facing the United States Postal Service (USPS) in a semi-annual report to Congress by the Office of the Inspector General (OIG).
The report, which was released on Monday, outlines the most critical management issues with which the service has had to contend during the six-month period from April 1 to September 30, 2019.
Modernization, IT, and cybersecurity were all flagged as challenges, along with the long-running problem of illegal narcotics being sent through the mail.
In the report, USPS inspector general Tammy Whitcomb wrote: "The use of the mail system to ship illicit narcotics continues to demand our attention both in our audit work and our investigations. While narcotics allegations are rapidly becoming our greatest investigative area of focus, our special agents cover a wide swath of areas: health care fraud (claimant and provider); mail theft; contract fraud; and financial fraud."
During the six-month period covered by the report, the USPS completed 1,362 investigations that led to 436 arrests and nearly $1.48bn in fines, restitutions, and recoveries. Of that total, more than $77m was returned to the Postal Service.
Whitcomb highlighted the difficulties of meeting the demands of the customer base in an increasingly digital world.
Whitcomb wrote: "A modern information technology network with sufficient capacity is critical to the success of the Postal Service. Customers and businesses demand timely, relevant, and accurate information and data as part of their digital experience.
"The network must have the ability to meet these demands as well as the flexibility to continually adjust to the ever-changing business and regulatory environment. As information technology and the cyber-threat landscape evolves, security continues to be an ongoing challenge."
A review of the cybersecurity of the USPS conducted in November 2018 found a lack of long-term planning in which ongoing costs such as software licenses and contractor support had not been considered. This in turn had led to overspending.
In the review, the OIG recommended that the USPS "create and execute a program/administrative budget to adequately plan and administer an ongoing cybersecurity program." The current target implementation date for fulfilling this recommendation is March 2020.
American cybersecurity firm Palo Alto Networks has suffered a data breach after a third-party vendor accidentally published personal data regarding the firm's employees online.
The privacy of seven current and former employees of Palo Alto Networks was compromised in the incident, which took place in February of this year. Details shared on the internet for all to see included names, dates of birth, and Social Security numbers, which were contained in a database of company employee details.
News of the breach came to light after a former Palo Alto Networks employee disclosed the breach to Business Insider. The American financial and business news website has kept the identity of the story's source under wraps.
In their testimony, the former employee said that the incident had been undetected for months.
Palo Alto Networks, which is headquartered in Santa Clara, California, has more than 60,000 customers in over 150 countries. Upon being contacted, the global cybersecurity company confirmed that the breach had taken place and said that the contract with the third-party vendor that inadvertently published the data had been terminated.
The decision to dissolve the contract and send a clear message out to other vendors of what is expected of them was made by CEO of Palo Alto Networks, Nikesh Arora.
A Palo Alto Networks spokesperson said: "We took immediate action to remove the data from public access and terminate the vendor relationship. We also promptly reported the incident to the appropriate authorities and to the impacted individuals.
"We take the protection of our employees' information very seriously and have taken steps to prevent similar incidents from occurring in the future."
Precisely which third-party vendor ensnared Palo Alto Networks in this embarrassing data exposure has been revealed by neither the firm nor—assuming that they were in fact privy to this particular piece of information—Business Insider.
Absent also from the press reports on the incident are exact details of how the breach came to occur. All that's revealed is that the data was exposed as a result of a security error on the part of the third-party vendor.
It is unknown whether the exposed data ended up on the dark web as a result of the breach.
Security researchers are warning of an information stealing malware campaign that has already impacted hotel guest data in 12 countries worldwide.
The RevengeHotels operation has been running since 2015 but recently expanded its presence this year, according to Kaspersky.
It refers to the activities of at least two groups, dubbed “RevengeHotels” and “ProCC,” which target hotel front desks with remote access Trojan (RAT) malware.
“The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and then installing customized versions of RevengeRAT, NjRAT, NanoCoreRAT, 888 RAT and other custom malware such as ProCC in the victim’s machine,” explained the report.
“One of the tactics used in operations by these groups is highly targeted spear-phishing messages. They register typo-squatting domains, impersonating legitimate companies. The emails are well written, with an abundance of detail. They explain why the company has chosen to book that particular hotel. By checking the sender information, it’s possible to determine whether the company actually exists. However, there is a small difference between the domain used to send the email and the real one.”
Once malware has been installed, cyber-criminals could sell subscription-based access to the infected machine on the dark web. That means fraudsters could get access to guest details, including credit card data copied from online bookings during the charging process, Kaspersky warned.
Over 20 hotels in 12 countries across Latin America, Asia and Europe have so far been confirmed as victims. However, many others may have accessed the malicious link in the phishing emails, the Russian AV vendor claimed.
“As users grow wary of how protected their data truly is, cyber-criminals turn to small businesses, which are often not very well protected from cyberattacks and possess a concentration of personal data,” argued Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team, LatAm.
“Hoteliers and other small businesses dealing with customer data need to be more cautious and apply professional security solutions to avoid data leaks that could potentially not only affect customers, but also damage hotel reputations as well.”
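The typo-squatting pattern the Kaspersky researchers describe (a sender domain that differs from the real company's domain by a character or two) can be screened for mechanically at the mail gateway. The following is an added example, not code from Kaspersky or the article; the partner allowlist and the From: headers are constructed for illustration.

```python
# Added example: flag sender domains that are a small edit away from a known
# partner domain, the typo-squatting pattern described in the report above.
# KNOWN_DOMAINS and SAMPLE_HEADERS are constructed, not real indicators.
from typing import Optional

# Constructed allowlist of partner domains a hotel front desk expects mail from.
KNOWN_DOMAINS = {"example-travel.com", "globalbookings.example", "acme-corp.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_of(domain: str, max_distance: int = 2) -> Optional[str]:
    """Return the known domain this one imitates; None if exact match or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    best = min(KNOWN_DOMAINS, key=lambda k: edit_distance(domain, k))
    return best if edit_distance(domain, best) <= max_distance else None

def triage(headers: list) -> list:
    """Return (sender domain, imitated domain) pairs for each suspicious message."""
    hits = []
    for h in headers:
        d = sender_domain(h)
        target = lookalike_of(d)
        if target:
            hits.append((d, target))
    return hits

# Constructed From: headers: one legitimate, two typo-squats, one unrelated.
SAMPLE_HEADERS = [
    "Reservations <booking@example-travel.com>",
    "Reservations <booking@example-travel.co>",   # dropped trailing character
    "Travel Desk <desk@globalbookimgs.example>",  # 'n' swapped for 'm'
    "Newsletter <news@unrelated.example>",
]

if __name__ == "__main__":
    for d, target in triage(SAMPLE_HEADERS):
        print(f"{d} looks like {target}")
```

An exact match is deliberately not flagged, so the check complements rather than replaces SPF/DKIM alignment, which catches spoofing of the real domain itself.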
Private security giant Prosegur has become the latest multi-national to suffer operational problems after being struck by ransomware.
The Spanish firm — which produces building alarms, and offers physical security services including cash transit vans — has over 60,000 employees around the globe and declared profits of €118m ($130m) for the first nine months of 2019.
However, it posted a statement to its Twitter account on Wednesday claiming the company had been struck by the Ryuk variant. Prosegur added that it had “enabled maximum security measures” to prevent the spread of the malware, including the “restriction of all communications.”
Security researchers monitoring the incident claimed in a series of tweets that the impact was severe, with the firm's websites taken offline in various regions.
“Prosegur appear to be in a hell of a mess, I’ve been monitoring social media posts and staff outside Spain in multiple offices report Ryuk ransomware on systems and outage of all services, so I’m guessing they have a common AD domain,” said UK-based Kevin Beaumont.
“Prosegur incident is just over a day old, customers and resellers are taking to Twitter saying alarms aren’t working and resellers saying they’re getting abusive calls from their customers. An entire ecosystem of security and cash handling services are up in the air.”
A statement from the firm on Thursday appeared to suggest it was on top of things.
“The ransomware, Ryuk, has been fully contained and the company has already deployed all the necessary mitigatory controls. Likewise, Prosegur has already begun the process of restoring its services,” it said.
“In addition to restricting its communications, the company initiated an investigation to determine the typology of the incident, its behavior, evaluation of the scope and definition of containment and recovery procedures, all of them included in the response plan for incidents of information security.”
The firm said it is also in contact with the “competent authorities” and is providing relevant technical information to “other actors” — stressing the need for collaboration to fight an ever-evolving cyber-threat.
Users of one of the world’s most popular e-commerce marketplaces have been informed that their account information may have been stolen after a data breach at the firm.
The Adobe-owned Magento Marketplace offers thousands of free and premium extensions and themes for users to customize online stores built on the open source platform for e-tailers.
However, the Magento team “became aware of” a vulnerability in the marketplace on November 21, according to a brief statement from Jason Woosley, vice-president of commerce product & platform in Adobe’s experience business.
“We temporarily took down the Magento Marketplace in order to address the issue. The Marketplace is back online. This issue did not affect the operation of any Magento core products or services,” he continued. “We have notified impacted Magento Marketplace account holders directly.”
In an email to affected customers, Magento Marketplace support described the vulnerability as allowing an unauthorized third party to access information including: name, email, MageID, billing and shipping address and phone number, and “limited commercial information.”
Although no passwords or financial information were disclosed, the haul would still allow scammers to attempt follow-on phishing or identity fraud.
It’s unclear how many users were affected, but Woosley claimed the Magento Marketplace is “the largest open source community in e-commerce.”
Magento is no stranger to security incidents: many of the infamous Magecart digital skimming attacks are designed to harvest card data from companies running Magento implementations. In fact, Magento was forced to patch over 30 bugs in an urgent security update earlier this year.
One security company warned earlier this month that slated end-of-support for Magento 1, which powers around 12% of the world’s e-commerce sites, could provide hackers with even more opportunities to target exposed sites.
Companies that fail to set their IT security teams targets that directly correlate with overall business performance are causing problems for their CEOs, according to new research from Thycotic.
The privileged access management solutions provider surveyed more than 100 UK IT security decision-makers, with 61% admitting that there are implications for the CEO if security teams are unable to meet the targets set for them.
With regards to the types of consequences they can face, the respondents noted facing a hard time from shareholders (44%), longer hours spent at work (40%) and even more serious implications such as penalties including lost bonus payments (37%) and threats to job security (35%).
Of particular note though, Thycotic’s research discovered that, when asked to describe what success looks like to them, IT security teams felt that being valued by the company (45%) was of more importance than achieving targets set by the board (42%). That suggests that CEOs risk repercussions if they set targets that do not effectively inspire IT and security professionals in their work.
Joseph Carson, chief security scientist and advisory CISO at Thycotic said: “The data breach at TalkTalk ushered in a new era where CEOs can and will be held accountable for IT security failures that occur on their watch. Today, when cybersecurity teams do not meet their targets, it impacts the CEO with longer hours, shareholder pushback, job insecurity and bonus reductions.”
To minimize the risks, he added, CEOs need to set IT security professionals proactive measures and appropriate budgets that demonstrate the positive contribution they make to overall business performance.
“A good example is to appoint an IT security professional with good communication skills in charge of cross-departmental co-operation. This has the dual advantage of putting IT security on a more proactive footing and increasing the chances of spotting/remediating digital risks early before they can escalate and cause trouble at board level.”