Info Security


Cybersecurity Firm OPORA Announces $7m Seed Funding

Thu, 06/11/2020 - 11:18

Cybersecurity firm OPORA has announced seed funding of $7m led by Jerusalem Venture Partners (JVP) and private investors.

OPORA was founded by Yuval Diskin, the former head of Israel’s Internal Security Agency, and uses pre-attack adversary behavior analytics to deliver pre-emptive adversary threat protection against the most persistent, organized and largely uncontested cyber-criminals operating today. OPORA will use the seed funding for product development, sales and marketing efforts.

The company, led by CEO Chris Bell, a serial cybersecurity entrepreneur who was a co-founder of Securonix, also announced two new board members, JVP founder and chairman, Erel Margalit, and JVP principal, Julia Kagan.

Bell said: “We started OPORA because we realized that to get control over cybersecurity and the largely uncontested adversaries behind the chaos, IT Security teams need a pre-emptive advantage. OPORA customers change the balance of power between them and their adversaries, gaining a pre-emptive advantage that translates into adversary level prevention, containment and control.”

Margalit added that it is time to move from defense to offense and track cyber-criminals in their territory before they move to attack.

“Israel has brought the three big cyber-paradigms to the world. The first, firewalls created by Check Point Software, the second being CyberArk’s solution, preventing attackers from within, and now the third – OPORA’s technology is stopping criminals on their home turf before they even attack.”

Categories: Cyber Risk News

FBI Warns of Surge in Mobile Banking Attacks

Thu, 06/11/2020 - 10:30

The FBI has issued a warning to users of mobile banking apps that they may be at increased risk of compromise, as cyber-criminals look to exploit surging use of the technology under lockdown.

The Bureau’s Internet Crime Complaint Center (IC3) public service announcement claimed that industry figures show over three-quarters (75%) of Americans used mobile banking last year, and that usage has soared by 50% since the start of the year.

“With city, state and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations,” it continued.

“The FBI expects cyber-actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking Trojans and fake banking apps.”

Banking Trojans are often hidden inside legitimate-looking apps such as games or news readers. They lie dormant on the device until the user opens their banking app, at which point they spring into action, typically drawing an overlay over the legitimate login screen to harvest credentials and help the attacker get past the bank's back-end fraud screening.

Other variants pose as banking apps themselves and directly harvest log-in and personal data from the victim.

Kacey Clark, threat researcher at Digital Shadows, argued that fake banking apps can also be used for other malicious ends.

“Banking Trojans can be used as a ‘dropper’ to install malware onto a user’s phone, particularly spyware,” she said.

“Once installed on a device, spyware can remain undetected while managing and accessing everything on a victim’s device including sensitive information such as the target device’s camera and microphone, text messages, passwords, contact lists, stored or typed payment card details and geolocation.”

Chris Hazelton, director of security solutions at Lookout, added that mobile phishing is often used to trick users into downloading these apps from fake websites, or steal log-ins directly. He claimed that 46% of Lookout users encountered a mobile phishing attack in the past three months, up from 33% in the middle of 2019.

“Almost all users use a case to protect their phones from physical threats, but they should also protect the digital side of their smartphones to protect from malicious apps,” Hazelton argued. “They should also install mobile security software to protect their data and identities. Many services are free to use, and can easily be upgraded for even more protections.”

The FBI recommended users only download apps from official app stores and banking websites, use password managers with strong credentials, and if possible switch on two-factor authentication.

Categories: Cyber Risk News

Phishing and BEC Surge as #COVID19 Attackers Prioritize Email

Thu, 06/11/2020 - 09:15

Email remains the vector of choice for cyber-criminals, with half of firms (51%) suffering a ransomware attack and even more (58%) seeing an increase in phishing over the past year, according to Mimecast.

The security vendor’s annual State of Email Security report is based on data collected from over 1000 global IT decision makers over February and March, and so is heavily influenced by the COVID-19 crisis.

In fact, while 60% of respondents said they experienced an increase in impersonation attacks (including BEC) over the past year, there was a 30% spike in the first 100 days of the pandemic alone (Jan-April 2020).

Downtime (82%) and data loss (31%) were two of the most common impacts of email attacks and an overall lack of cyber-resilience.

“The increase in remote working due to the global pandemic has only amplified the risks businesses face from these threats, making the need for effective cyber-resilience essential,” said Joshua Douglas, vice-president of threat intelligence at Mimecast. “It’s likely that cyber-resilience strategies are lacking key elements, or don’t have any at all, depending on the organization’s maturity in cybersecurity.”

Interestingly, 60% of respondents claimed that they had suffered an attack which spread from one infected user to other employees, highlighting the importance of enhanced staff training to stop that first attack.

Unfortunately, the report claimed that over half (55%) of those polled don’t provide awareness training on a frequent basis.

Perhaps unsurprisingly, the vast majority (85%) of IT leaders said they expected web and email spoofing volumes to stay the same or increase over the coming year, while 60% believe it is inevitable or likely they will suffer an email-borne attack.

“Security leaders need to invest in a strategy that builds resilience moving at the same pace as digital transformation,” argued Douglas.

“This means organizations must apply a layered approach to email security, one that consists of attack prevention, security awareness training, roaming web security tied to email efficacy, brand exploitation protection, threat remediation and business continuity.”

Categories: Cyber Risk News

Google Warns of Emerging #COVID19 Cyber-Threat Hotspots

Thu, 06/11/2020 - 08:30

Google has warned of a rise in COVID-19 threats in specific parts of the world, as cyber-criminals adapt their campaigns regionally.

The tech giant’s Gmail security product manager, Neil Kumaran, and lead security PMM for G Suite and GCP, Sam Lugani, explained that they’re blocking more attacks of late in India, the UK and Brazil.

These malware, phishing and spam threats “use regionally relevant lures, financial incentives and fear to create urgency and entice users to respond,” they said yesterday.

In the UK, for example, attackers are impersonating the government with reference to the Small Business Grant Fund and other schemes designed to support organizations through the crisis. This chimes with what others are seeing: a recent phishing campaign was spotted targeting those interested in the Self-Employment Income Support Scheme (SEISS).

Other attacks blocked by Google in the UK spoofed the firm itself in messages designed to access personal information.

In Brazil, Google warned of an uptick in phishing attacks spoofing streaming services, with some using a more aggressive approach, by claiming the recipient will be fined if they don’t respond.

In India, there has been an increase in the volume of malicious emails purporting to come from established health insurance companies, providers of COVID-19 symptom tracking services and the government’s Aarogya Setu initiative, designed to connect citizens to essential health services.

Google didn’t provide specific threat data on the scale of the increase in specific regions, but its update should be a reminder that COVID-19 scams are still very much active around the world. Last month the firm revealed that it was blocking 18 million daily malware and phishing emails and over 240 million spam emails targeting its Gmail users.

Kumaran and Lugani urged organizations to adopt DMARC to help prevent spam and abuse of their brand.

It’s a message echoed by US-based industry body the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) this week.

Categories: Cyber Risk News

Alabama City to Pay Cyber-Ransom

Wed, 06/10/2020 - 16:30

An Alabama city is paying over a quarter of a million dollars to cyber-criminals to recover data encrypted in a ransomware attack.

Florence became a victim of the DoppelPaymer ransomware gang on June 5 in an attack that shut down the city's email system. The gang demanded 38 bitcoin, equivalent to USD $378,000, and threatened to publish or sell data stolen from Florence if the city didn't pay up.

A security firm hired by Florence in the wake of the attack was able to negotiate the ransom down to 30 bitcoin, worth around $291,000. 

City mayor Steve Holt said that Florence had elected to pay the ransom despite not knowing for certain what data the cyber-criminals had stolen and encrypted.  

“Do they have our stuff? We don’t know, but that’s the roll of the dice,” Holt said.

The mayor theorized that attackers gained access to the city's computer system via a phishing attack. 

Holt told KrebsOnSecurity that the DoppelPaymer gang appeared to have compromised the networks of four further victims within an hour of striking Florence, including another municipality that he declined to name.

Krebs contacted Holt's office in late May after receiving a tip from Hold Security that Florence's information technology systems had been infiltrated by hackers who specialize in deploying ransomware. 

The Wisconsin cybersecurity firm had discovered that a Windows 10 system in the city's IT infrastructure, seemingly linked to the city's manager of information systems, had been taken over by malicious actors on May 6. 

Following the tip-off, the city took swift action to isolate the computer and the compromised Windows network account. Nevertheless, Florence was unable to fend off the ensuing cyber-attack.

Ransomware is a major problem in the United States. According to Mimecast’s 2020 State of Email Security report that was released today, 32% of respondents in the public sector said that ransomware has impacted their operations in the last 12 months.

On average, public-sector victims reported experiencing 2 to 3 days of downtime as a result of being attacked with ransomware. For 9% of these victims, attack-induced downtime ended up lasting over a week.

Categories: Cyber Risk News

Minimal Techno DJ Arrested in Berlin on Cyber-Crime Charges

Wed, 06/10/2020 - 16:12

DJ and music producer Denis Kaznacheev has been arrested in Berlin on cyber-crime charges at the request of the US government.

Long-term Berlin resident Kaznacheev is co-founder of Nervmusic records and half of minimal techno duo Easy Changes, who have amassed a sizable following since 2007 with releases on Grow Vinyl, Sleep Is Commercial, FoundSound, and Arma. 

The United States has accused Siberian-born Kaznacheev of "money laundering and dark web activities," according to a post on his Facebook page. German police detained the musician on May 30 on behalf of the US Department of Justice, which is seeking his extradition to America. 

Kaznacheev's manager confirmed to Trommel that the musician is currently being held in Berlin's Moabit prison.

Supporters of Kaznacheev relayed the following message from the musician on social media: "Make noise! I am innocent here. Please get me out of here! Everybody, I need your help! Please help me!"

A petition has been started to secure the release of the DJ, whose supporters believe he has become embroiled in a case of mistaken identity.

In a June 6 Facebook post, a supporter wrote: "We stand by Denis's innocence, and chances are his identity was stolen and used for criminal activities.

"Germany should stand by Denis's innocence and fair civil treatment, and defend him to avoid extradition, as so far, there's no proof that he is guilty of any of the charges. The USA can't unlawfully arrest and destroy the life of a person without evidence."

A GoFundMe page set up to help pay for the artist's legal costs has so far raised €7,982 out of a €10,000 goal.

Donor Bruno Santos wrote: "Denis is a humble, hard-working person and a friend. He's also an admired artist all around the world. This whole thing seems like a terrible mistake, and he needs our support."

Kaznacheev's artist agency has set up a Justice for Denis website through which supporters can sign the petition and make a donation. Supporters have been asked to send letters or postcards to the musician at Moabit prison to keep up his spirits as he waits for his fate to be determined. 

Categories: Cyber Risk News

Cost of US Cyber Command Program Quintuples

Wed, 06/10/2020 - 15:03

A new cyber weapon system being created by the United States Air Force will cost over five times more than originally estimated, according to a government watchdog.

The Unified Platform program was initiated in August 2018 as part of the Department of Defense's Joint Cyber Warfighting Architecture. Its mission is to develop a federated software platform that consolidates service-specific capabilities and data processing, sharing and storage.

According to a report published June 3 by the Government Accountability Office (GAO), initial estimates for how much the completed program will cost fell considerably short of the mark. The GAO's Defense Acquisitions Annual Assessment found that the original pricing for the project had not been independently assessed.

"The program’s cost estimate was more than five times its initial estimate at program initiation, which had not been independently assessed," states the GAO report.

"UP did not have several key elements of its business case approved at the time of program initiation, such as approved requirements, a cost estimate informed by independent analysis, or a formal schedule risk assessment."

In 2018, the Air Force asked for $29.8m for the Unified Platform program in its research and development budget for fiscal 2019. A further $10m was requested for fiscal year 2020, and an additional $6m in fiscal year 2021.

To date, the Unified Platform program has received $152.19m in funding. The GAO report states that a further $436.79m is required to complete the program.

"The new cost estimate includes costs beyond the completion of this middle-tier acquisition. Program officials attribute this cost increase to new US Cyber Command requirements," reported the GAO.

In October 2018, the program awarded a contract to Northrop Grumman to act as the system coordinator. Then in March 2019, the program awarded contracts to five different companies for software development.

Under the program, developers are tasked with producing discrete new software capabilities, described as "features." Every three months, all newly completed features are demonstrated to US Cyber Command, which decides which ones to accept for deployment.

Program officials told the GAO that in the first four three-month increments of the program, 32 features had been delivered and accepted.

Categories: Cyber Risk News

Healthcare Provider Babylon Reports Data Breach

Wed, 06/10/2020 - 14:45

Healthcare provider Babylon has reported a data breach of its GP video appointment app.

The company said it has fixed an issue that allowed video recordings of other patients' consultations to be accessed, and has notified regulators. The problem came to light when one UK-based user found 50 videos in the Consultation Replays section of the app, one of which contained footage of another person's appointment.

According to BBC News, Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video. 

In a statement, Babylon said it was able to identify and resolve the issue within two hours, and blamed a software error. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app."

Babylon told the BBC it had already been in touch with everyone involved to inform them and apologize, and had contacted the Information Commissioner's Office regarding the incident.

The ability to identify and resolve the issue within two hours was commended by cybersecurity commentators.

Tony Pepper, CEO, Egress, said vendors like Babylon offering technology to support new ways of working must ensure data security is core to anything they're developing, and “this includes fully authenticating users before they access data and making sure data isn't deposited, replicated or transferred into portals or insecure areas where it can be subject to unauthorized access.”

Brian Higgins, a security specialist, added that, as the NHS operates its own app store, any platforms offered by NHS services, including GPs, are rigorously tested before they are certified for use. He said: “Babylon Health have clearly explained that this issue was caused by an internal software update and not by any malicious or criminal activity. They have also followed their ICO reporting responsibilities. In short, they appear to have done everything right.

“What this case highlights is that developing technology is fluid and what might be deemed safe and secure at the point of sale needs regular monitoring to ensure that it stays that way.”

Kelvin Murray, senior threat researcher at Webroot, said: “Anyone who develops an app that handles sensitive customer data should ask themselves two important questions – is it secure and is it really necessary? We’re seeing that breaches such as these are all too common and anyone looking to save time and money by moving to a digital system should take risks such as these into consideration.

“This is especially important in the healthcare industry which is at particular risk of cyber-attacks and data breaches, as information such as health records is very valuable to criminals. It will always command high prices on the dark web as it can be used for criminal activities such as fraud, extortion and in the drug trade.”

Aman Johal, lawyer and director of Your Lawyers, said with doctors difficult to access due to COVID-19 restrictions, many people are relying on technological solutions like Babylon Health. “Data breaches like this show that there is still much more that needs to be done to ensure we can trust in the use of such technology. Healthcare organizations can be particularly vulnerable to data breaches due to the wealth of highly sensitive information they hold, and firms operating in this sector must go the extra mile to ensure data is protected, or face the consequences.”

Categories: Cyber Risk News

Places Open for World’s First AI and Data Science Conversion Courses

Wed, 06/10/2020 - 14:15

Applications are now open for the world’s first artificial intelligence (AI) and data science conversion courses, which start in autumn 2020, the UK government has announced. The program will give 2500 people the opportunity to learn new digital skills or retrain in order to find employment opportunities in the AI and data science sectors.

The government has partnered with the Office for Students, universities and industry partners to raise £24m to fund these master’s courses. The fund has been awarded to 18 universities who are working with partner providers to deliver courses in 28 universities and colleges across England.

The move is part of efforts to boost the UK’s technology sector, with the government aiming to increase research and development investment to 2.4% of GDP by 2027. Last month, the UK government launched an online cyber-school to help develop a new generation of cybersecurity professionals.

Places will be available to graduates from a variety of subjects, including science, technology, engineering, maths or social sciences. Applicants could include those returning to work after a career break and looking to retrain in a new profession. The course is expected to enable opportunities to pursue careers in roles such as machine learning engineers, data scientists, research scientists and AI architects.

The program is also seeking to diversify the UK’s tech sector, with 1000 scholarships reserved for students from underrepresented backgrounds, specifically female, black and disabled demographics.

Successful applicants can study flexibly, fitting the course around their daily lives, and will undertake paid work placements to help maximize their employment opportunities at the end of their course.

Digital secretary Oliver Dowden commented: “It is vital we increase diversity across our tech sector and give everyone with the aptitude and talent the opportunity to build a successful career. This will help make sure AI developed in the UK reflects the needs and make-up of society as a whole which will also help mitigate the risk of biased technologies being developed.

“Through these new AI and data science conversion courses we are working with industry and academia to develop and maintain the best AI workforce in the world.”

Categories: Cyber Risk News

CSA Virtual Summit: Is Cloud Moving Too Fast for Security?

Wed, 06/10/2020 - 11:30

Discussing strategies for achieving full-lifecycle cloud security at the Cloud Security Alliance European Virtual Summit, Chris Hertz, VP, and Jeremy Snyder, senior director at DivvyCloud by Rapid7, said the challenge is not simply adopting cloud services: an environment cannot be secured once and left alone, because these platforms are always changing.

Snyder said he often sees “a lot of great ideas and a lot of great energy and enthusiasm for adopting cloud technology” but the reality for organizations is that they can be faced with “not getting everything that they want out of their cloud journeys.”

In particular, developers want to embrace services being created by Infrastructure-as-a-Service (IaaS) providers “as it helps them get their jobs done more efficiently and more quickly,” but the pace of change from cloud providers accelerates every year.

Hertz said that cloud services are constantly changing, IaaS providers are always evolving their offerings, and the outcomes are unpredictable: by the speakers' count there were 81 major breaches attributable to cloud misconfigurations in 2018 and 150 in 2019.

“By our calculation, in our 2020 Misconfiguration Report, we estimate that $5trn in damages have resulted from cloud misconfigurations in 2018 and 2019, so the security achievement gap is real and it is having real impact,” Hertz said.

This means that developers are core to security in a way they were not before, and the speakers said there is a misalignment in the way security operates today. In particular, if a developer needs to get a task done, they will need to make changes to an access list and to authentication methods to do so.

Snyder added: “That is where some of the ignoring of the circumvention of security comes into place, it is not that people are malicious in any way, but they have tasks to accomplish in new ways, and that falls into the hands of the developers.” Hertz argued that this is why security has not shifted its approach to the cloud: security still works as it did in the data center, with centralized infrastructure.

“In this new world of self service, we have democratized access but not democratized security, and you have a misalignment,” Hertz said. “Security tries to apply principles that applied in a data center world, but in the cloud security world, it doesn’t work.”

This can lead to security putting blocks in place, or a “rock in the river” as the speakers said, as, whilst developers do not act maliciously, with restrictions in place they cannot get their jobs done. “There is huge friction as security tries to operate as a data center, but eventually the water flows around the rock in the river, and instead you should move from the command and control world to a ‘trust but verify’ and ‘enable but amplify’ model,” Hertz said.

“That is why we are seeing these challenges, as culturally and organizationally, companies are not overcoming this.”

Categories: Cyber Risk News

Dark Basin: Researchers Uncover Major Hack-for-Hire Group

Wed, 06/10/2020 - 11:01

Security researchers have uncovered a major new hacking-for-hire operation against journalists, rights groups, government officials, financial institutions and others, seemingly orchestrated by a shady Indian tech firm.

Thousands of individuals and hundreds of organizations globally were targeted with cyber-espionage tactics in a multi-year campaign by the Dark Basin group, according to Citizen Lab.

Linked to Indian firm BellTroX InfoTech Services, the group apparently worked “on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories and advocacy.”

Although the group targeted financial services and pharmaceuticals players for its clients — including one campaign against those investigating market manipulation by German payment processor Wirecard AG — it frequently focused efforts on advocacy and civil society groups.

These include Greenpeace, the Rockefeller Family Fund, Public Citizen and the Union of Concerned Scientists. Dark Basin phished for info from groups working on the #ExxonKnew campaign, which alleged ExxonMobil hid info about climate change for decades, and those involved in trying to preserve net neutrality in the US, the report claimed.

Its links to BellTroX, whose director, Sumit Gupta, was indicted in 2015 for his role in a similar hack-for-hire scheme, are numerous.

Phishing activity aligned with the Indian time zone, and several of the URL shortening services used by the group — Holi, Rongali, and Pochanchi — have associations with the sub-continent.

Even more damning is the fact that some individuals claiming to work for BellTroX list activities on LinkedIn such as email penetration, exploitation and corporate espionage.

“We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners,” the report continued.

“They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker.’ BellTroX’s slogan is: ‘you desire, we do!’”

The investigation started when Citizen Lab was contacted by a journalist who had been targeted with phishing attempts. After tracing the URL shortener used, the investigators were able to identify almost 28,000 additional URLs containing e-mail addresses of targets.

These fairly unsophisticated phishing efforts are said to have had at least some success. 

Citizen Lab warned that its findings indicate that there’s likely a large and growing market for hacking-for-hire services like this, with powerful organizations outsourcing cyber-espionage to third parties to maintain plausible deniability of their involvement, while posing a major threat to open democratic societies.

Categories: Cyber Risk News

Working Group Calls for Greater DMARC Support and Adoption

Wed, 06/10/2020 - 10:01

The industry needs to do more to prevent the sharp rise in COVID-19 phishing attempts.

In an open statement shared with Infosecurity, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) made a call for further steps to be taken to “authenticate and secure sending domains and email addresses by deploying email authentication at scale and at enforcement.”

It said preventing rampant phishing, emboldened and bolstered by the global pandemic, should be the top priority for domain owners, as email authentication is crucial to ensuring the flow of critical information.

It explained that organizations, including those on the front lines of the battle against COVID-19 and those involved in the impending general election in the United States and elections in the rest of the world, must be protected from misinformation campaigns and phishing.

“The deployment of correct email authentication requires a careful and measured approach,” the statement said. 

M3AAWG and its members strongly encouraged domain owners, who operate email programs, to adhere to the following email authentication parameters when publishing and signing their various records:

  • Publishing SPF records with at least ~all, or -all if the domain does not send email
  • Signing all mail with aligned DKIM
  • Publishing DMARC policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception
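As an added example (not part of the M3AAWG statement or of this article), the following Python checks published SPF and DMARC TXT records against the three bullet points above: an SPF record ending in ~all (or exactly -all for a domain that sends no mail), and a DMARC policy at enforcement for the domain and its subdomains. The domains and TXT records are constructed sample data standing in for DNS lookups; the DKIM bullet is not checked here because alignment is a property of signed messages, not of a published record.

```python
import re

# Constructed sample TXT records (hypothetical domains), standing in for DNS lookups.
SAMPLE_TXT = {
    "example.org": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.org"],
    "parked.example": ["v=spf1 -all"],
    "_dmarc.parked.example": ["v=DMARC1; p=reject"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:rep@weak.example"],
    "nodmarc.example": ["v=spf1 mx +all"],
}

_ENFORCING = ("quarantine", "reject")


def spf_all_qualifier(txt_records):
    """Return the qualifier on the SPF 'all' mechanism ('+', '?', '~' or '-'),
    None if the SPF record has no 'all' term, or '' if there is no SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ""
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # RFC 7208: a missing qualifier means '+'
    return None


def parse_dmarc(txt_records):
    """Return the tag/value dict of the single v=DMARC1 record, or None.
    RFC 7489 treats zero or more than one DMARC record as no valid record."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, sends_mail, lookup=SAMPLE_TXT.get):
    """Return the list of ways `domain` falls short of the M3AAWG baseline.
    An empty list means SPF and DMARC are both at enforcement."""
    findings = []

    qual = spf_all_qualifier(lookup(domain, []))
    if qual == "":
        findings.append("no SPF record")
    elif qual is None:
        findings.append("SPF record has no 'all' mechanism (result defaults to neutral)")
    elif qual in "+?":
        findings.append(f"SPF ends in {qual}all; needs ~all or -all")
    if not sends_mail and qual != "-":
        findings.append("non-sending domain should publish exactly 'v=spf1 -all'")

    tags = parse_dmarc(lookup("_dmarc." + domain, []))
    if tags is None:
        findings.append("no valid DMARC record at _dmarc." + domain)
        return findings
    policy = tags.get("p", "").lower()
    if policy not in _ENFORCING:
        findings.append(f"DMARC p={policy or '(missing)'} is not at enforcement; needs p=quarantine or p=reject")
    sub_policy = tags.get("sp")  # defaults to p when absent, so only an explicit sp= can weaken it
    if sub_policy is not None and sub_policy.lower() not in _ENFORCING:
        findings.append(f"subdomain policy sp={sub_policy} is not at enforcement")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} leaves a share of failing mail unenforced")
    return findings


if __name__ == "__main__":
    for dom, sends in (("example.org", True), ("parked.example", False),
                       ("weak.example", True), ("nodmarc.example", True)):
        print(dom, assess(dom, sends) or ["OK"])
```

The `sends_mail` flag is the one input DNS cannot tell you; a domain that publishes `~all` but never sends mail is flagged because, per the first bullet, a non-sending domain should publish `-all` outright. Swap `SAMPLE_TXT.get` for a real TXT resolver to run the same checks against live domains.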

The statement warned that, during this time of pandemic, “it is more essential than ever that malicious actors are not able to impersonate trusted sources of information or assistance.” 

The full suite of email authentication protocols is the best way for a sender to establish and affirm their identity when sending email, and by creating barriers to impersonation, a sender’s identity becomes more trusted and harder to forge, thereby restoring trust because the sender is who they claim to be. 

M3AAWG acknowledged that implementing email authentication can be challenging and time consuming, quite apart from current circumstances, so M3AAWG and its members are ready to help the sending community with resources, free tools and documented best practices to protect their brands, domains and email addresses from impersonation.

“Combatting the assault on our inboxes is a collective endeavor, the importance of which is even more profound given the pandemic and the increased importance of achieving digital proximity while remaining physically distant,” it said.

In an email to Infosecurity, David Appelbaum, CMO of Valimail, said the company is seeing a marked rise in DMARC deployment across the board, not just from its own customers, but among all domains worldwide.

“The rash of COVID19-themed phishing attacks, many of which have spoofed those governments and NGOs left unprotected by DMARC, has absolutely contributed to an increased awareness of DMARC (not to mention DKIM and SPF),” he said.

“M3AAWG is absolutely right to recommend DMARC, and in particular, to insist on the importance of configuring it with an enforcement policy. Anything less leaves domain owners open to being spoofed by the worst kind of opportunistic criminals."

Categories: Cyber Risk News

Microsoft’s Mega Patch Tuesday is Largest Ever

Wed, 06/10/2020 - 09:30

Microsoft released fixes for 129 vulnerabilities in its regular monthly update round yesterday, the fourth month in a row to hit over 100 CVEs and the largest of any Patch Tuesday.

Of the 129 CVEs, only 11 are rated critical and there are no flaws being actively exploited in the wild.

Some 98 vulnerabilities can be resolved by deploying OS and browser updates, while the other 31 are spread across Office, SharePoint, Defender, Endpoint Protection and developer tools like Visual Studio, ChakraCore and Azure Dev Ops, according to Ivanti senior product manager, Todd Schell.

He argued that the COVID-related shift to mass home working is causing problems for companies reliant on VPNs to patch.

“There are many solutions that can manage updates without the need for a VPN. Another difficulty companies are facing is user connectivity,” he added.

“I had a conversation with one company that is managing updates without needing to use a VPN to access the network. Their challenge is their users have low internet speeds. Monthly updates requiring hundreds of megabytes of patches, or gigabytes in some cases, become problematic as well.”

Allan Liska, intelligence analyst at Recorded Future, said admins should start with CVE-2020-1281, a remote code execution vulnerability in Microsoft’s Object Linking & Embedding (OLE). It affects Windows 7-10 and Windows Server 2008-2019.

“The vulnerability exists in the way OLE validates user input. An attacker who sent a specially crafted file or program, or convinced a victim to download one, could execute malicious code on the victim’s machine,” he explained. “Microsoft assigned this vulnerability a CVSS score of 7.8; a similar vulnerability, CVE-2017-0199, has been widely exploited including by the Lazarus group and APT 34.”

Others pointed to a remote code execution bug in SharePoint as demanding urgent attention.

CVE-2020-1181 affects the way SharePoint processes unsafe ASP.NET web controls. Although exploitation requires an authenticated user, SharePoint itself is an increasingly popular target for attackers.

Categories: Cyber Risk News

Nintendo Breach: Now 300,000 Accounts Affected

Wed, 06/10/2020 - 08:32

Nintendo has added another 140,000 accounts to those it claimed were compromised by hackers from April this year, bringing the total to 300,000.

The updated figure was given as a result of its ongoing investigation into the incident. The additional Nintendo Network ID (NNID) accounts that have been “accessed maliciously” have had their passwords reset and the relevant customers were contacted directly.

The gaming giant said back in April that 160,000 legacy NNIDs, which are associated with its now-defunct Nintendo 3DS handsets and Wii U consoles, were accessed by unauthorized third parties.

The Japanese firm said they were “obtained illegally by some means other than our service” to buy digital items from the My Nintendo Store or Nintendo eShop, using stored cards or PayPal log-ins.

This would seem to indicate that hackers potentially used credential stuffing techniques, were able to crack weak passwords or obtained them via phishing.

Experts from SpyCloud claimed at the time that they believed credential stuffing was the most likely option, after finding the source code for a bespoke account checker tool designed specifically to compromise Nintendo users.

“For enterprises like Nintendo, protecting users from account takeover poses a unique challenge. Inevitably, some portion of users will reuse passwords, putting their accounts at risk,” it said.

“To protect users from account takeover, enterprises need to secure their human attack surface by proactively monitoring user logins for credential reuse and resetting compromised passwords — before criminals have the chance to use them.”
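The login-monitoring SpyCloud describes is, at its core, a matter of telling credential stuffing apart from ordinary failed logins. The following detection routine, added here as an example and not drawn from Nintendo or SpyCloud, runs over a constructed authentication log: a stuffing source tries many distinct accounts about once each (because each stolen username/password pair is tried once), whereas a single user mistyping a password or a classic brute-force attack hits one account repeatedly. The log format, the IP addresses and the usernames are all assumptions made up for the example; adapt `LOG_RE` to your own identity provider's output.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example. The log format and the sample lines are constructed for
illustration and do not come from any real system.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.9 sprays seven distinct accounts, one attempt each,
# and gets in twice (credential stuffing); 198.51.100.7 is one user mistyping a
# password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """
2020-06-10T08:00:01Z auth ip=203.0.113.9 user=alice result=fail
2020-06-10T08:00:02Z auth ip=203.0.113.9 user=bob result=fail
2020-06-10T08:00:02Z auth ip=203.0.113.9 user=carol result=ok
2020-06-10T08:00:03Z auth ip=203.0.113.9 user=dave result=fail
2020-06-10T08:00:03Z auth ip=203.0.113.9 user=erin result=fail
2020-06-10T08:00:04Z auth ip=203.0.113.9 user=frank result=fail
2020-06-10T08:00:05Z auth ip=203.0.113.9 user=grace result=ok
2020-06-10T08:01:00Z auth ip=198.51.100.7 user=heidi result=fail
2020-06-10T08:01:10Z auth ip=198.51.100.7 user=heidi result=fail
2020-06-10T08:01:20Z auth ip=198.51.100.7 user=heidi result=ok
2020-06-10T08:02:00Z auth ip=192.0.2.44 user=ivan result=ok
""".strip().splitlines()


def parse_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse lines matching LOG_RE into dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stuffing_sources(events: List[Dict[str, str]],
                     min_distinct_users: int = 5,
                     min_failure_ratio: float = 0.5) -> Dict[str, Dict]:
    """Return source IPs that tried many distinct accounts and mostly failed.

    The distinct-account count is the primary signal: brute force is one account
    with many attempts, stuffing is many accounts with roughly one attempt each.
    The failure ratio filters out shared egress IPs (a NAT gateway) whose many
    distinct users mostly log in successfully.
    """
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "successes": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["failures"] += 1
        else:
            s["successes"].add(e["user"])
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "failure_ratio": round(ratio, 2),
                "compromised": sorted(s["successes"]),  # accounts the source got into
            }
    return flagged


def accounts_to_reset(events: List[Dict[str, str]]) -> List[str]:
    """Accounts that a flagged source logged into successfully: reset these first."""
    out: Set[str] = set()
    for info in stuffing_sources(events).values():
        out.update(info["compromised"])
    return sorted(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, info in stuffing_sources(evs).items():
        print(ip, info)
    print("reset:", accounts_to_reset(evs))
```

On the constructed log this flags only 203.0.113.9 and names carol and grace as the accounts to reset; heidi's three attempts from one address are never flagged because they involve a single account. In a real deployment the thresholds should be tuned per source type, since a large NAT gateway can legitimately present many distinct users, and the successes from a flagged source are the accounts to force-reset and notify, exactly the step Nintendo describes above.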

Nintendo reiterated in its updated statement yesterday that fewer than 1% of global NNIDs were affected.

With access to users’ NNID accounts, hackers may have also been able to view their nickname, date of birth, country/region and email address.

If the NNID shared the same password as their Nintendo account, they would also have been able to view the user’s full name and gender.

Users are urged to set different passwords for NNID and Nintendo accounts and switch on two-factor authentication for the latter.

Categories: Cyber Risk News

Pentagon Issues Hacking Challenge

Tue, 06/09/2020 - 17:59

The Pentagon research agency that helped invent the internet and GPS is inviting hackers to find flaws in its new mega-secure hardware.

Ethical hackers who spot vulnerabilities in the new technology created by the Defense Advanced Research Projects Agency (DARPA) will be rewarded with more than just a deep sense of satisfaction. For every flaw found, DARPA will be doling out a cash prize.

DARPA's July bug bounty contest is being held prior to the new technology going public in an effort to catch any weaknesses that may have been overlooked.

According to the Washington Post, the super-secure new technology is based on re-engineering hardware, such as computer chips and circuits, to make it more secure. It has been designed in this way so that hackers who rely on being able to undermine software to gain unauthorized access to systems and devices will find their attempts stymied. 

If successful and widely adopted, this approach could see the era of releasing endless software updates to patch vulnerabilities unearthed by threat actors and ethical researchers finally draw to a close. 

DARPA microsystems technology office program manager Keith Rebello said that the new hardware could declaw malicious hackers and give legitimate organizations the edge when it comes to cybersecurity.

“It [would have] a huge, huge impact,” said Rebello. “About 70 percent of all cyber-attacks are due to hardware vulnerabilities. If we can fix those permanently, we can take a large portion of the attack surface away.” 

For DARPA's new contest, bug bounty hunters will be invited to try to crack a voter registration database and a medical database containing top secret research.

Explaining the choice of models, Rebello said: “We wanted to use demonstrations that are relevant to show the impact that we can have with this technology."

The new program was started in 2017 and is officially called System Security Integration Through Hardware and Firmware, or SSITH. DARPA has funded the hardware, but its construction is being completed by researchers and academics at places like the Massachusetts Institute of Technology, the University of Michigan, and Lockheed Martin. 

SSITH will continue for one more year to allow vulnerabilities to be detected and fixed.

Categories: Cyber Risk News

Trustworthy AI Initiative Launched

Tue, 06/09/2020 - 17:00

A digital intelligence company has launched a global initiative to promote the development of trustworthy artificial intelligence (AI) technology.

ABBYY was moved to take action by the growing prevalence of AI systems in our day-to-day lives and the anticipated growth in expectation for those systems to be fair, transparent, and ethical. 

By 2025, Gartner estimates 30 percent of large enterprise and government contracts for the purchase of digital products and services that incorporate AI will require the use of explainable and ethical AI. Furthermore, three-quarters of consumers say they won’t buy from unethical companies, while 86% say they’re more loyal to ethical companies.

To get the ball rolling, ABBYY has publicized its core guiding principles on developing, maintaining, and promoting trustworthy AI technologies. The company is now advocating for other technology leaders to do likewise.

“Innovation and ethics go hand in hand. As the use of AI grows, it is important for technology leaders to adhere to and promote the use of technologies that are transparent, fair, unbiased and respect data privacy,” commented Anthony Macciola, chief innovation officer at ABBYY. 

“By adhering to high standards with regards to the performance, transparency and accuracy of our products, we are able to deliver solutions that have a tremendous impact for our customers.”

Principles that ABBYY is committed to upholding include protecting confidential customer and partner data and providing visibility into the performance characteristics and metrics of its technologies, as well as providing opportunities for product feedback.

Looking beyond financial gain, the company has sworn to deliver AI technologies that are socially and economically beneficial and has affirmed that it will actively foster a culture that promotes the ethical use of AI and its social utility.

"AI has the power to yield significant social and economic benefit,” added Macciola. “With ethics in mind, we have the ability to transform the future in a manner that promotes innovation, accelerates technological advancements, and augments human intelligence, creativity and capabilities responsibly.”

Privacy is another area of concern that ABBYY has considered. The company, which uses machine learning, natural language processing, neural networks, and optical character recognition on data, has incorporated a privacy-by-design principle as an integral part of its software development processes.

Categories: Cyber Risk News

Cyber-Incidents Surge 366% at NASA

Tue, 06/09/2020 - 16:29

Cybersecurity incidents at NASA increased by 366% last year as the organization's cybersecurity budget was slashed by $3.1m.

New research published yesterday by VPN provider AtlasVPN found NASA suffered 315 cyber-incidents in 2018. In 2019, that figure shot up to 1,469. 

"Being one of the nation’s most important federal agencies, this is an alarming finding," wrote Atlas researchers. "Cyber incidents at NASA can affect national security, intellectual property, and individuals whose data could be lost due to data breaches."

The findings were based on data gathered by the Office of Management and Budget (OMB) in 2018 and 2019. OMB reviews government agencies annually and shoulders the responsibility for developing and overseeing the implementation of cybersecurity policies, guidelines, and standards in federal agencies.

A digital security incident is defined by the researchers as "any attempted or actual unauthorized access, use, disclosure, or destruction of information" plus digital incidents that include "interfering with operations within the organization and violations of NASA’s computing policies and regulations."

Incidents recorded as "improper usage" accounted for 90.5% of the increase. The term refers to any incident in which an authorized user violates the organization’s acceptable use policies.

A positive finding made by researchers was that despite NASA's large size, only 15 incidents in which equipment owned by the agency was lost or stolen were reported in 2019, down from 23 such occurrences in 2018. 

"It has to be noted that NASA does employ more than 17,000 people, so some of them are bound to lose or get equipment stolen, even if cybercriminals are not targeting NASA directly," wrote researchers.

NASA is one of the few major federal agencies whose cybersecurity budget was lower in 2019 than it had been in 2018 after it was cut from $170,700,000 to $167,600,000. 

The news comes just days after NASA astronauts made history by entering the International Space Station from a commercially made spacecraft (a SpaceX Crew Dragon) for the very first time. Astronauts Doug Hurley and Bob Behnken were blasted into orbit by the SpaceX Falcon 9 rocket on Saturday, May 30, from the Kennedy Space Center.

Categories: Cyber Risk News

41% of UK Workers Haven’t Received Adequate Cybersecurity Training

Tue, 06/09/2020 - 14:42

An average of 41% of UK employees across all sectors have not received adequate cybersecurity training, which is leaving businesses and individuals vulnerable to attacks, according to a new study by Specops Software. Travel and hospitality was the sector with the worst record, with 84% of staff stating they have not received sufficient training. The findings come just weeks after easyJet suffered a data breach in which details of nine million of its customers were accessed.

The survey of 1,342 businesses across 11 different sectors in the UK also discovered that 69% of workers in education and training have not received adequate cybersecurity training from their employers, with the figure 56% for those in customer service, 47% in marketing, advertising and PR, 42% for medical and health, and 37% in the creative arts and design sector.

The industries with the best record, i.e. the lowest proportion of staff reporting inadequate cybersecurity training, were legal services (16%), recruitment and HR (19%) and accountancy, banking and finance (23%).

The results are especially concerning considering the recent spike in attacks in areas such as education and, during COVID-19, healthcare. Earlier this year, the UK Information Commissioner’s Office (ICO) revealed that human error was the cause of 90% of cyber data breaches in 2019.

There does appear to have been a bigger emphasis on cybersecurity training as a result of COVID-19, with 21% of respondents stating they had been trained a lot more since the crisis began. However, the analysis also found just 29% of business sectors have initiated additional cybersecurity training since the pandemic, despite the additional risks posed by the recent surge in remote working.

Darren James, cybersecurity expert at Specops Software, commented: “The fact of the matter is that you can put as many security systems and procedures in place as you wish, but usually the weakest link is always the human being involved. Providing cybersecurity training is essential. Subjects such as password hygiene, email scam/phishing/malware awareness, social media usage etc. are important and the more attention we can bring via training at work, the less likely people in general will fall victim to these crimes.”

Categories: Cyber Risk News

Microsoft Predicts Escalation of Zero Trust in Lockdown Environments

Tue, 06/09/2020 - 13:30

Speaking during a Microsoft webinar, the company’s EMEA chief security advisor Cyril Voisin said he does not expect companies to “fully revert to the IT state that they were in before” COVID-19 lockdown, predicting more cloud usage in the future.

Whilst he acknowledged that this will raise more questions about how to secure a cloud deployment, he expected more use of Zero Trust strategies. Voisin also said he expects remote working to remain an option for many companies, and explained that the shift from working in an office to working from home creates potential for compromise. He acknowledged that whilst the original goal “was to make things work and security may have been an afterthought,” employees still need to be trained and receive security education.

As well as that, he said he expects VPN policies to evolve. “Companies that were already doing this notion of ‘you must use a VPN for everything you do when you are not in the office’ are starting to relax,” he said, due to latency and bandwidth issues, and he predicted companies will require more VPNs going forward.

Alongside that, he said keeping corporate resources secured whilst keeping users productive will lead to greater encryption of documents, and the deployment of endpoint detection and response (EDR) will enable that. Also, companies will invest in application management, with strategies like bring your own device (BYOD) and bring your own application important to offer more flexibility and “keep a company competitive.”

In terms of the financial impact of the COVID-19 pandemic, Voisin said companies may have to choose between investments to keep the company afloat and investing in security practices. “There will be a tension here, but I’ve had conversations with customers and they understand the need for security, and understand it is a requirement to sustain a long term business.”

Asked by Infosecurity if he had seen more companies deploy a Zero Trust approach since lockdown procedures began, Voisin said he had seen many companies “intensify what they are doing” and some were ahead of the curve, “but the people who had not done Zero Trust had started to do it slowly because they relied on a ‘VPN for everything approach’ to security and when they realized the limitations of VPN, they started to do Zero Trust.”

He said that, in some cases, people could not be armed with a laptop to work from home, and so had to use personal devices for work, “and we’ve seen adoption of Teams skyrocket, with 75 million unique users every day, so people are impacted by that and started to implement Zero Trust based on their situation.”

Categories: Cyber Risk News

CSA Virtual Summit: Future of European Cloud Services Scheme Detailed

Tue, 06/09/2020 - 12:19

Speaking at the Cloud Security Alliance European Virtual Summit, Eric Vétillard, lead certification expert at ENISA, talked about the concept and development of a European certification scheme for cloud services as part of the EU Cybersecurity Act.

The EU Cybersecurity Act gives the EU Agency for Cybersecurity (ENISA) a permanent, strengthened mandate and establishes the first EU-wide cybersecurity certification framework for ICT products, services and processes.

After the announcement of the Cybersecurity Act, ENISA was tasked in November 2019 by the European Commission to design a candidate scheme for cloud services. Vétillard said there were two missions around the establishment of a European Certification Framework: to make ENISA permanent, and to define a cybersecurity certification framework, in particular to support the drafting of new policies through certification schemes.

“The idea here is to define a framework to increase the use of cybersecurity certification throughout Europe and extending to all countries,” he said. “To do that, we need to go beyond national schemes and offer mutual recognition at the European level.”

Vétillard explained that the framework will also allow users to make “informed decisions” on cybersecurity, and ultimately only require one certificate throughout Europe. “In order for the scheme to be successful it needs to be accepted by a majority of the member states of the European Union,” he added.

He explained that the certification is being drafted by ENISA, along with the European Cybersecurity Certification Group (ECCG), made up of representatives of the member states, and an advisory group, which will assist in drafting the scheme. When a scheme is selected, around 20 experts representing stakeholders, institutions and observers will work together to build a candidate scheme, which is then submitted to the next phase to get an opinion from the ECCG.

In terms of building the scheme, Vétillard said there are 22 questions to be answered, including the “specific evaluation criteria and methods to be used” which he said will represent a significant part of the work. He also said there is a mandate to monitor compliance of certified and self-assessed products.

As for what the scheme will achieve, Vétillard said this will include determining what a cloud service is. “If you look around, there are many definitions of what is meant by cloud computing” and ultimately the definition from ISO/IEC 17788 was selected “as it determines any service run on top of a cloud system.”

The next determination will be on cloud capabilities, where the same ISO standard was again used in order to determine that all cloud capabilities support some aspect of infrastructure, platform and application. Also all deployment models will be considered, including private, public and hybrid clouds.

The third consideration is the three assurance levels, “basic,” “substantial” and “high,” which will be assessed by an accredited third party. Basic means that the cloud service provider has shown some intention to implement security controls. Substantial means that the provider has correctly implemented security controls and there is some vulnerability testing. High means that the effectiveness of the provider’s controls against attacks has been demonstrated, which requires penetration testing and is intended for “critical applications in sensitive fields.”

Vétillard said the choice of the level is based on the level of risk, and the number of parameters of the activity and size of the cloud service.

ENISA’s objective is to have answers to key questions and to know the structure of the scheme by the end of June 2020 “and to know how to move forward into the writing of the scheme itself.”

By September, the first draft will be completed, and after internal reviews, the final delivery of the candidate scheme is due by the end of the year. Vétillard said this is intended to be part of a larger framework, and ultimately used to provide baselines to other schemes.

Categories: Cyber Risk News