Info Security


Googlers Fired for Breaking Security Policy

Thu, 11/28/2019 - 11:02

Tensions at Google have kicked up another notch this week after four employees were fired for apparently breaking data security policy, in what others have claimed is a witch hunt.

The four ex-staffers were accused of breaking policy by spying on colleagues’ work, including calendars and email. The back story appears to be that those they were monitoring were working on projects they didn’t approve of, such as a collaboration with the US Customs and Border Protection.

According to reports they repeatedly scoured through these colleagues’ data and distributed it to others despite this being “outside the scope of their jobs.”

“We have always taken information security very seriously, and will not tolerate efforts to intimidate Googlers or undermine their work, nor actions that lead to the leak of sensitive business or customer information,” a Google statement noted.

“This is not how Google’s open culture works or was ever intended to work.”

However, former colleagues and defenders of the four have claimed that what they did was in keeping with the tech giant’s code of conduct, which states: “And remember… don’t be evil, and if you see something that you think isn’t right — speak up.”

They argued that Google had ulterior motives in firing the four because they were involved in union organizing at the firm.

“Here’s how it went down: Google hired a union-busting firm. Around the same time Google redrafted its policies, making it a fireable offense to even look at certain documents. And let’s be clear, looking at such documents is a big part of Google culture; the company describes it as a benefit in recruiting, and even encourages new hires to read docs from projects all across the company,” they wrote in a blog post.

“Which documents were off limits after this policy change? The policy was unclear, even explicitly stating the documents didn’t have to be labelled to be off limits. No meaningful guidance has ever been offered on how employees could consistently comply with this policy. The policy change amounted to: access at your own risk and let executives figure out whether you should be punished after the fact.”

The incident comes at a time of unprecedented employee unrest at the tech goliath, with accusations that it has been too slow to tackle sexual harassment and has a problem with unequal pay.

Categories: Cyber Risk News

US Man Charged with Stealing 100+ Songs from Recording Artists

Thu, 11/28/2019 - 10:54

A Texas man has been charged for his part in an alleged conspiracy to steal music tracks from 20 recording artists and release them online.

Christian Erazo, 27, from Austin, has been charged with aggravated identity theft, conspiracy to commit computer intrusion and conspiracy to commit wire fraud.

Between 2016 and 2017 he’s alleged to have worked with three others to target two music management companies in New York and LA.

The group is said to have obtained employee log-ins which enabled them to access the companies’ cloud storage accounts and steal over 100 songs from 20 artists that had not yet been released. They illegally accessed one company’s trove over 2300 times in just a few months, the DoJ said.

Erazo is also accused of hacking the social media account of an LA-based musician and producer and using it to send messages to recording artists and producers asking them for tracks.

The music obtained from these ventures was later released online in public forums, causing the victims financial losses, the court documents allege. In one case an entire album that had been in production for a year was effectively scrapped, potentially costing its creator $2m in lost sales.

The conspirators then allegedly tried to pin the blame for the attacks on someone else. A member of the group emailed one of the management companies claiming that an unnamed “Individual-1” was hacking the firm’s cloud storage accounts.

Erazo and others are said to have repeated the allegations to undercover officers posing as music executives, claiming he was helping them “for the love of the artists.”

He’s later alleged to have sent an email to one of the conspirators claiming the scheme was the “perfect cover-up.”

Music is big business. In June this year, world-famous band Radiohead revealed that a hacker stole lead singer Thom Yorke’s minidisc archive and was asking $150,000 in return for not releasing it. The band subsequently decided to publish the 18 hours of music themselves and donate the proceeds to a climate change group.

Categories: Cyber Risk News

Cryptocurrency Exchange UpBit Loses $52m in Attack

Thu, 11/28/2019 - 09:53

One of the world’s biggest cryptocurrency exchanges has been forced to suspend account withdrawals and deposits after being hit by a major online heist.

South Korea’s UpBit issued the temporary suspension notice on Wednesday followed by a message from Lee Seok-woo, CEO of company owner Dunamu.

At around 1pm local time on Wednesday, 342,000 ETH (around $52m) were transferred from an UpBit hot wallet to an unknown recipient, he said.

Affected users will have their losses covered by the company, which has transferred all other cryptocurrency into the company’s cold wallet for improved security.

“It is estimated that it will take at least two weeks for the deposit and withdrawal to resume. I'll tell you again when this is done,” said Lee.

UpBit’s travails are the latest in a long line of successful cyber-attacks targeting cryptocurrency exchanges over recent months.

These included US firm Coinbase, which spotted double spend attacks topping $1m, Japan-based Bitpoint, which lost $32m, Singaporean company Bitrue, which was robbed of $4.5m and Malta-headquartered Binance.

Peter Wood, CEO of CoinBurp, argued that the latest hack should be a warning to investors about the importance of operating only on secure and reliable trading platforms.

“This is particularly important when it comes to cryptocurrency, as it is virtually untraceable and there is often no governing body to insure or refund any losses,” he added.

“However, potential investors should not be deterred by this catastrophic error, as UpBit, and other Korean crypto-exchanges have been the target of hackers before. It is important that all individuals properly research the security protocols and measures before operating on any crypto trading platform.”

North Korea was earlier this year blamed by the UN for using its growing hacking capabilities to target cryptocurrency exchanges in a bid to fill the state coffers. It's said to have amassed $2bn from such attacks.

Categories: Cyber Risk News

Minor Arrested for Jack Dorsey Twitter Hack

Wed, 11/27/2019 - 18:36

A former member of the Chuckling Squad is presumably not laughing now after being arrested for hacking the Twitter account of Twitter CEO Jack Dorsey. 

The alleged hacker, who is a minor, is said to be part of a group that used a SIM-swapping technique to hack into Dorsey's account in August of this year and send out multiple tweets containing racial slurs. They also tweeted bomb threats and retweeted anti-Semitic material. 

The group, known as the Chuckling Squad, have claimed responsibility for a number of high-profile social media hacks, including one perpetrated against actress Chloe Grace Moretz. 

The threat group was able to carry out the hack after gaining access to Dorsey's phone number and transferring that number to a new SIM card. Following the hack, Twitter has updated its two-factor authentication so that users no longer have to give their phone number. 

"We applaud the efforts of all the law enforcement agencies involved in this arrest," said the Santa Clara County District Attorney's Office, which manages the Regional Enforcement Allied Computer Team (REACT).

"REACT continues to work with and assist our law enforcement partners in any way we can. We hope this arrest serves as a reminder to the public that people who engage in these crimes will be caught, arrested, and prosecuted."

Hacker Debug, a leader of the Chuckling Squad, told Motherboard that the minor was arrested about two weeks ago after being kicked out of the threat group in October. 

"He was a member of Chuckling Squad but not anymore. He was an active member for us by providing celebs/public figure [phone] numbers and helped us hack them," Debug said. 

After the minor furnished the group with Dorsey's number, other squad leaders known as Aqua and NuBLoM tricked a wireless provider into giving them control of the phone number. They were then able to receive two-factor authentication SMS codes. 

Guidelines issued by the Federal Trade Commission on how to protect yourself from a SIM-swap attack include recommendations to limit the personal information you share online and set up a PIN or password on your phone account. Phone users are also advised never to reply to calls, emails, or text messages that request personal information, as they may be phishing attempts.

Categories: Cyber Risk News

Hackers Demand Beer

Wed, 11/27/2019 - 17:50

An unusual demand was issued to a Ugandan beer manufacturer whose website was hacked on Tuesday. 

Threat actors targeting Nile Breweries Limited removed the contents from the organization's website nilebreweries.com before demanding that a secret beer recipe stored on the brewery's servers be put into production.

To persuade the brewery to comply with their demands, the unidentified cyber-criminals threatened to expose the classified recipe to the public.

Visitors to the brewery's homepage were confronted with looped video footage of an unidentifiable assailant dressed in a black hoodie. The video depicts the threat actor vocalizing the following curious missive in an electronically disguised voice:

"This is a message to Nile Breweries. I have gone through your servers and discovered that you have been sitting on a beer formula. So, here is my demand. Produce this beer immediately, or the formula goes public. You have 24 hours."

According to the website TechJaja, some digital pundits have speculated that the hack was a creative marketing ploy by Nile Breweries. The company, which is best known for making Eagle Lager, Club Beer, and Nile Special beers, is reported to be on the cusp of releasing a new tipple.  

However, The EastAfrican states that Nile Breweries has confirmed that the hack was indeed real. According to the newspaper's website, Nile Breweries Limited said yesterday that it "is taking swift action to regain control over its website." 

The newspaper reports that Nile Breweries' legal and corporate affairs manager, Mr. Onapito Ekomoloit, confirmed the hack on the company's website in a statement released on Tuesday and said that they were taking the matter very seriously. 

Ekomoloit said: "We have seen the video circulating on our website this morning at our Head Office in Luzira, Kampala. We are taking this matter very seriously and are moving quickly to establish the details.

"We have mobilised a response team and will provide further updates as soon as the information we receive can be verified." 

Following the hack, leaders of the brewery were reported to have held a crisis meeting in the company's offices in Kampala. 

Nile Breweries is Uganda's largest beer manufacturer. The company was founded in 1951 and had an estimated 52% share of the Ugandan beer market in 2013. 

Categories: Cyber Risk News

Finns Label Cyber-Secure IoT Devices

Wed, 11/27/2019 - 15:49

Finland has become the first European country to issue cybersecurity labels to networking smart devices.

The new labeling system was announced yesterday by Traficom, the Finnish Transport and Communications Agency. IoT devices that bear a cybersecurity label are guaranteed to have basic information security features.

By introducing the labeling system, Traficom aims to raise consumer awareness of information security and the safe use of connected devices.

Labels are only awarded to networking smart devices that meet certification criteria based on EN 303 645, a document outlining security specifications for IoT devices that was created by ETSI, the European standards agency.

“The security level of devices in the market varies, and until now there has been no easy way for consumers to know which products are safe and which are not," said National Cyber Security Centre Finland (NCSC-FI) director Jarkko Saarimäki yesterday.

"The Cybersecurity label launched today is a tool that makes purchase decisions easier by helping consumers identify devices that are sufficiently secure."

Plans to create the cybersecurity label date back to late 2018, when it was developed as a pilot project led by the NCSC-FI in collaboration with Cozify Oy, DNA Plc, and Polar Electro Oy. 

The first cybersecurity labels have now been awarded to the Cozify Hub for smart homes, DNA’s Wattinen smart heating system, and the Polar Ignite fitness smartwatch.

Basic information about the cybersecurity label and how businesses can apply for it can be found on the new website tietoturvamerkki.fi. The website also lists all products that have been awarded a label to date.

Research conducted by IRO Research Oy on behalf of Traficom suggests that there will be an appetite for the new cybersecurity label in Finland. 

In the fall of 2019, IRO Research Oy carried out a consumer survey to gauge the opinion of the Finnish general public regarding the cybersecurity of IoT devices. 

A total of 1,000 Finns aged 15 or older were interviewed, all of whom said that they were concerned about the information security of smart devices.

Two of every three respondents said that it is very important for there to be easy-to-understand information available on the information security of devices.

Categories: Cyber Risk News

UK IT Pros: Brexit Will Increase Skills Shortages

Wed, 11/27/2019 - 12:05

Over 90% of UK IT professionals believe Brexit will make chronic industry skills shortages even worse, according to new research from RedSeal.

The security vendor polled 502 IT professionals to gain greater insight into the skills challenges facing the country.

In total, 87% of CIOs and senior IT pros admitted that they are struggling to find cybersecurity professionals with the right expertise. In addition, 73% argued that Brexit-related uncertainty is adding to the challenge of hiring from outside the UK, and even more (95%) said that leaving the EU will only widen the current skills gap.

It’s a challenge that could have a major impact on the economic and social prosperity of the nation: 81% of respondents said they’d been hit by a cybersecurity breach in the past 12 months, and two-fifths admitted that their business doesn’t have a plan in place to respond to one.

“Further and higher education in cybersecurity needs continuing support in order to keep pace with the ever-changing threat landscape that UK business is facing right now. Engaging young people and mid-career changers in developing skills and knowledge through high-level technical and computing education is more important than ever before,” argued Peter Komisarczuk, head of the information security department at Royal Holloway University of London.

“There are significant career opportunities in cybersecurity — the average annual salary for jobs in cybersecurity is £72,500 and we are seeing our graduates getting significantly more than the average graduate salary of £23,000 on leaving with their degree. Moreover, the potential to contribute to economic growth is huge, as well as support UK business against a very real cyber-threat.”

Globally, skills shortages in cybersecurity have now surpassed four million, including 291,000 in Europe, which experienced an increase in shortages by more than 100% from 2018 to 2019, according to (ISC)2.

With the Conservative Party commanding a large lead in current opinion polls ahead of the December General Election, the UK seems to be heading unequivocally towards Brexit.

Categories: Cyber Risk News

Google Sends 12,000 State Phishing Warnings in Three Months

Wed, 11/27/2019 - 10:12

Google was forced to deliver more than 10,000 warnings of government-backed attempts to spear phish its global users over just a three-month period earlier this year, the firm has revealed.

In an update from the tech giant’s Threat Analysis Group (TAG), director Shane Huntley explained that from July to September this year his team sent 12,000 warnings to users in 149 countries. From a heat map attached to the blog post, it appears as if most were located in the US, South Korea, Pakistan and Vietnam.

“Over 90% of these users were targeted via ‘credential phishing emails’ ... These are usually attempts to obtain the target’s password or other account credentials to hijack their account,” he added.

“We encourage high-risk users — like journalists, human rights activists, and political campaigns — to enroll in our Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP is designed specifically for the highest-risk accounts.”

TAG tracks over 270 targeted and government-backed threat groups across 50+ countries in an attempt to weed out intelligence collection efforts, IP theft, targeting of dissidents and activists, destructive cyber-attacks, and spreading coordinated disinformation.

Aside from the phishing campaigns referenced earlier, Huntley revealed more details on a campaign from the Russian Sandworm group using malicious Android apps published on Google Play to target Ukrainian developers.

He also detailed efforts to detect and remove coordinated influence operations by Russian state hackers in Africa using “inauthentic news outlets to disseminate messages promoting Russian interests in Africa.” A total of 15 YouTube channels were removed as a result.

Similar efforts in the Indonesian province of Papua led to the removal of 28 channels.

Categories: Cyber Risk News

Healthcare Execs Charged in $1Bn Fraud Scheme

Wed, 11/27/2019 - 10:00

Six former executives and employees of a US healthcare start-up have been charged with running a fraud scheme that’s said to have made them $1bn.

The men — who include the co-founder, president, COO/CFO and EVP of business operations — worked for a tech firm called Outcome Health which provides digital medical information and advertising in doctors’ offices.

It’s alleged they sold tens of millions of dollars of advertising inventory that did not exist, inflating the company’s financials so that they were able to raise nearly $1 billion in financing in 2016 and 2017.

Co-founder and CEO Rishi Shah, 33, of Chicago, Illinois; co-founder and president, Shradha Agarwal, 34, of Chicago; and COO Brad Purdy, 30, of San Francisco, are charged with various counts of mail fraud, wire fraud and bank fraud. 

Senior analyst Kathryn Choi, 29, of New York, and analyst Oliver Han, 29, of Chicago, are each charged with one count of conspiracy to commit wire fraud.

According to the Department of Justice, the group sold pharmaceutical clients ad inventory that they didn’t have, and under-delivered on ad campaigns, before falsifying performance data and patient engagement metrics.

It’s also alleged that several of those indicted falsified data shared with auditors, which led to the latter approving over-inflated revenue figures for 2015 and 2016.

This enabled them to raise $110m in debt financing in April 2016, $375m in December 2016 and nearly $488m in early 2017, with Shah and Agarwal allegedly splitting dividends of nearly $263m between them.

“Outcome’s former executives and employees allegedly deceived lenders, investors, and their own auditors by falsely representing revenue for additional profit,” said principal deputy assistant attorney general John Cronan of the Justice Department’s Criminal Division. 

“The charges announced today demonstrate that lies and deception cannot serve as the basis for any company, including start-up companies, to falsely grow revenue for additional capital and private gain.”

Categories: Cyber Risk News

Optiv Security Confirms Downsizing of European Operations

Wed, 11/27/2019 - 09:40

Optiv Security has confirmed that it is “downsizing” its London-based organic operations.

In a statement sent to Infosecurity, the company said that after it expanded its global footprint to the UK in January 2018, it conducted a comprehensive strategic review and made the decision to downsize. “We remain committed to serving the European market, clients, partners and prospects.”

The statement added: “Optiv has a proud history of serving clients in Europe and in 70+ countries around the world, and that is not changing. We plan to consider M&A opportunities again in the future.”

This included operations and investment in Canada and India, which are being expanded, with Optiv’s first Canadian-based security operations center (SOC) set to open in Q1 2020.

“We remain 100% committed to our international strategy and to delivering innovative cybersecurity solutions that create simplicity and confidence for clients around the world,” the statement continued. 

The announcement comes just over a year since Optiv Security announced that it was expanding its security strategy, service and technology architecture in Europe, to “provide clients with worldwide expertise and experience to help them transform and simplify their cybersecurity programs.”

Categories: Cyber Risk News

European Cybersecurity Agency Publishes Report on Smart Car Security

Tue, 11/26/2019 - 20:01

The European Union Agency for Cybersecurity (ENISA) yesterday published a report on the cybersecurity of smart cars. 

The report aims to promote cybersecurity for connected and (semi-)automated cars by identifying emerging threats and issuing guidance on potential security measures that can help to mitigate them. 

"Smart cars already available today provide connected, added-value features in order to enhance car users’ experience or improve car safety. With this increased connectivity (that the emergence of 5G is expected to further promote) novel cybersecurity risks and threats arise and need to be managed," the report states. 

The new report presents a more in-depth analysis of the conclusions reached in ENISA’s 2017 study, "The ENISA Cybersecurity and Resilience of Smart Cars—Good Practices and Recommendations."

In their latest report, ENISA researchers note that Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) interfaces, needed for the deployment of intelligent transport systems and autonomous cars, have expanded the potential attack surface and attack vectors. They predict that as smart cars are increasingly affected by the growth of advanced machine learning and artificial intelligence, the number of risks posed by cyber-threats will rise. 

Cyber-attacks on smart cars could cause damage that goes far beyond the loss of sensitive personal information.

"Attacks targeting smart cars may lead to vehicle immobilization, road accidents, financial losses, disclosure of sensitive and/or personal data, and even endanger road users’ safety," warns the report. 

In 2015, researchers used a proof-of-concept remote attack to take control of a smart vehicle and send it off-the-road, leading to the recall of over a million cars. More recently, researchers demonstrated that it was possible to locally or remotely take control of smart cars' infotainment systems by exploiting diagnostic services to manipulate the vehicles' functions.

Smart cars have also been hijacked via their smart alarm and made to perform illegitimate actions, including cutting the engine and enabling or disabling the immobilizer. 

Interest in autonomous cars, from both end users and manufacturers, is big. A survey of 5,500 global city dwellers from all around the world found 58% of global respondents are willing to take a ride in a driverless vehicle. If optimistic predictions on the topic prove to be correct, the world may see the widespread deployment of fully automated vehicles as early as 2030.

Categories: Cyber Risk News

New Bill Could Cost US Companies Data

Tue, 11/26/2019 - 18:44

A new online privacy bill put forward by senators in the US proposes granting citizens the right to request that their personal data be deleted from companies' records. 

The Consumer Online Privacy Rights Act (COPRA) would provide consumers with foundational data privacy rights and force companies to be transparent in their use of users' personal information.

The bill was introduced today by Washington senator and Senate Commerce Committee member Maria Cantwell and sponsored by Senators Ed Markey, Amy Klobuchar, and Brian Schatz.

Cantwell's proposal would allow users to request details of what personal information a company is holding on them, along with the name of any third party to whom their data has been transferred. 

Under section 103 of the bill, a company, upon receiving a verified data-deletion request from an individual user, would have to delete (or let the individual delete) any personal information that had been gathered. The company would also have to inform any service provider or third party of the individual's deletion request. 

Companies would not be allowed to collect additional information beyond what they reasonably require if the bill becomes law. And companies would be required to get permission before collecting and sharing sensitive data, including precise locations and biometric information. 

If the bill is passed, users would gain the right to request corrections to any inaccurate data held by companies. 

Companies would be required to make available and readily accessible a privacy policy that provides a detailed and accurate representation of their data processing and data transfer activities.

Under the proposal, states would continue to issue their own privacy laws, and citizens would still have the private right of action to bring their own lawsuits.

Cantwell’s legislation also proposes the creation of a new bureau within the Federal Trade Commission to handle digital privacy enforcement. The bill mandates that the bureau be fully staffed and operational within two years of its enactment.

The privacy legislation proposals are due to be discussed at a hearing of the Commerce Committee in December. 

Steve Durbin, managing director of the Information Security Forum, commented: "There is a very real need for a Federal law to avoid States introducing their own variations and interpretations on privacy which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business."

Categories: Cyber Risk News

Pests Force Estonian Government Offline

Tue, 11/26/2019 - 17:47

The government of Estonia lost internet access after hungry rats chewed through fiber-optic cable located underground near the country's capital, Tallinn. 

Estonian State Portal www.eesti.ee—a secure internet environment through which the country's residents can easily access state e-services and information—was forced offline for 5 hours as a result of the incident, which occurred last Wednesday. 

Speaking on Estonian radio on Thursday, head of the State Network Department Kaido Plovits said: "It was a fiber-optic data cable that is widely used in telecommunications. Rodents had damaged it in several places, and we had to replace tens of meters of cable to fix the problem. The entire state network had not collapsed, just a small part of it, whose security has not yet been automated."

While the culprits made off with full bellies, Estonians were left digitally stranded as access to several important digital services managed by the State Information Systems Authority (RIA) was interrupted. 

The furry creatures' unconventional meal choice temporarily brought down a handful of health services managed by the Estonia Health Insurance Fund (EHIF), including a digital prescriptions service. Estonians were advised to contact their physician to request an old-fashioned paper prescription or approach the Emergency Medicine Department to fill urgent requests for medicine.

The Eesti Loto website, which sells lottery tickets for the €10,000,000 prize Eurojackpot, was also kicked offline by the peckish pests. The operation of ID cards and mobile ID cards was not interrupted.

The RIA became aware that a crucial cable laid in Harju County had malfunctioned at around 4:30 p.m. on November 20. Emergency repair work was immediately instigated, and many RIA and EHIF services resumed by about 7:30 p.m. Final repair work to the cable was completed at around 9:30 p.m. 

Plovits told the daily Postimees newspaper that under normal circumstances the RIA would announce emergency maintenance work well in advance, but that the rats' activities had called for swifter action.  

Plovits said: "Since the cable was badly damaged, we had to repair it immediately otherwise the damage would be much greater."

Estonia is currently installing a parallel network of data connections to bolster the country's defenses against cyber-attacks and also, it seems, hungry rats. The small European country suffered a major cyber-attack in 2007 when Russian threat actors reacted to the removal of a Red Army soldier statue from the center of Tallinn to a military cemetery.

Categories: Cyber Risk News

#InfosecNA: Security Risks of 5G, and How to Fix Them

Tue, 11/26/2019 - 15:56

A large chunk of the digital economy’s future will depend on the success of 5G wireless services. In turn, 5G’s success will depend in good part on its ability to resist, survive and recover from a variety of traditional cyber-threats and, more chillingly, many new ones arising from 5G networks’ complex architecture. In his presentation titled 5G Security: New Vulnerabilities, New Solutions, William Malik provided attendees of the 2019 Infosecurity ISACA North America Expo and Conference in New York with an overview of the threat environment, and what it’s going to take to harden 5G networks against it.

Malik, VP of infrastructure strategies at Trend Micro, explained that, unlike 4G LTE, 5G is specifically architected to support an omnipresent framework for the Internet of Things (IoT) using a so-called “slicing” technique that enables network providers to create virtual end-to-end network services for various types of Machine-to-Machine (M2M) applications. For example, Ultra-Reliable Low Latency Communication (URLLC) service is intended to provide highly-reliable low-latency connectivity for critical applications including factory automation systems, autonomous vehicles and remote surgery devices. Under this new scheme, each time the network establishes a connection, it will have to refer to the user’s profile to determine which slice to use.

Malik cautioned, however, that the same technologies that give 5G networks these new capabilities also introduce new vulnerabilities at nearly every layer of the network stack.

Another concern is that 5G networks will suffer from additional vulnerabilities because they are expected to supplement a significant fraction of their proprietary core transport infrastructure with the internet itself.

Malik also warned that, despite 5G’s enhanced security measures, smartphones, smart building controllers, and other types of user equipment would still have numerous vulnerabilities.

Whilst Malik’s presentation was primarily intended to sound the alert about 5G security issues, he closed his talk by sharing some of the countermeasures that network equipment providers and security professionals can employ to effectively address them:

  • User, device and message authentication
  • Message integrity verification
  • Data confidentiality when dealing with PII or intellectual property
  • Improved logging and diagnostics for virtual environments
  • Automated attack remediation
  • Pre-launch VM configuration validation and continuous monitoring
  • Regulatory QoS, with sanctions for non-compliance

DevOps, Cloud and Remote Workers Dominate 2020 Risks

Tue, 11/26/2019 - 11:30

Third-party libraries, container components and even remote workers represent a major supply chain risk to organizations as they head into a new decade, according to Trend Micro.

The security giant’s new 2020 predictions report, The New Norm, warned of a growing cloud attack surface, as hackers focus their efforts on code injection attacks to steal sensitive information — either directly or via third-party libraries.

Continued user misconfigurations will exacerbate cloud security challenges, while developers’ reliance on third-party code could expose countless organizations, it continued.

The report highlighted shared container components containing vulnerabilities as exposing organizations to attacks across the IT stack.

The supply chain risk will extend to managed service providers (MSPs), especially those with multiple SMB customers, the report claimed.

Interestingly, Trend Micro also defined home and remote working environments as potential hotspots for supply chain attacks. This could cover everything from weak Wi-Fi security in public workspaces to smart home challenges posed by unsecured smart TVs, speakers and digital assistants.

“Connected home devices serving as a gateway for enterprise attacks is an unavoidable development considering how employees may find these convenient for work use as well,” the report noted. “Enterprises will have to decide on what information security policies to implement to deal with such scenarios.”

The security vendor recommended a cross-generational blend of tools and techniques to enable key controls including: behavioral monitoring; endpoint security; intrusion detection/prevention; managed detection and response; threat prevention and improved visibility.

This should be complemented by a renewed focus on due diligence of cloud providers, regular vulnerability scans of third-party code and components, and revised security policies for remote workers, it said.

“As we enter a new decade, organizations of all industries and sizes will increasingly rely on third-party software, open-source, and modern working practices to drive the digital innovation and growth they crave,” said Jon Clay, director of global threat communications for Trend Micro.

“Our threat experts predict that this fast growth and change will bring new risks of supply chain attacks. From the cloud layer all the way down to the home network, IT security leaders will need to reassess their cyber risk and protection strategy in 2020.”

Join Infosecurity on 9th January as we take an overall look at predictions for the new year and next decade. Register here


Two-Fifths of ICO Fines Remain Unpaid: Report

Tue, 11/26/2019 - 10:31

The Information Commissioner’s Office (ICO) is still struggling to collect monetary penalties from many of the organizations it has fined for privacy and data protection breaches over the past few years, according to newly revealed data.

SMS API provider, The SMS Works, submitted Freedom of Information (FOI) requests to the UK’s data protection watchdog and now has a complete breakdown of paid and unpaid fines since 2015.

Since then, the ICO has fined 152 organizations a total of £16.6 million, mainly for data breaches, spam and nuisance calls. Some 30% of those fines remain unpaid, amounting to over £7 million, or 42% of the total.

All penalties raised were for incidents that took place before GDPR came into force, so the maximum possible fine was £500,000, The SMS Works director, Henry Cazalet, confirmed to Infosecurity. The recent multi-million-pound BA and Marriott fines are still under appeal and so aren’t included in this research.

The prime offenders for non-payment are in the claims management sector — companies responsible for tens of millions of nuisance calls over the years. So far, 84% of fines have been left unpaid in this sector, often because the companies involved go bankrupt to avoid payment.

In fact, by category, the ICO has only collected 23% of nuisance calls fines, versus 64% of email spam fines and 74% for SMS spam. When it comes to data breaches, 85% of fines have been paid.

In contrast to the claims management industry, charities and public sector organizations have paid 100% of the fines levied against them.

Fortunately, changes to the law will hopefully make it harder for company directors to escape accountability for their wrongdoing in the future.

“We actively exercise our rights as a creditor to appoint professional insolvency practitioners, and work closely with the Insolvency Service in these cases, to not only seek to recover the money owed to the taxpayer but also to support action to disqualify the worst offenders from running companies in the future,” noted an ICO statement in response to the report.

“Some nuisance call directors liquidate their firms to avoid paying fines from the ICO. In December 2018, the law changed to make directors themselves responsible for nuisance marketing. This should have a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails.”


Nursing Home Patients at Risk After Ransomware Attack

Tue, 11/26/2019 - 09:52

An IT services company has been hit with a $14 million ransom demand after suffering a major infection which could impact crucial patient care at many of its US nursing home clients, according to reports.

Milwaukee-based Virtual Care Provider Inc. (VCPI) provides cloud hosting, IT managed services, cybersecurity and more to clients across the country, including 110 nursing homes and acute care facilities, according to researcher Brian Krebs.

However, it apparently suffered a Ryuk infection on November 17 affecting all of its clients’ data. The firm is said to manage 80,000 endpoints and servers for its care home customers.

As well as VCPI’s own billing and payroll systems the attack crucially impacted the firm’s IT services to clients including access to patient records.

In some cases, this could be a life-threatening outage, according to CEO Karen Christianson.

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she told Krebs. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done.”

The incident follows a ransomware attack on a large French hospital last week which resulted in “very long delays in care.”

Healthcare organizations and the third-party companies that serve them are seen as potentially lucrative targets for ransomware authors as they may have less to spend on cybersecurity but are running mission critical services that they simply can’t afford to lapse.

A recent report from Emsisoft revealed that there had been 491 ransomware attacks on healthcare providers between Q1 and Q3 this year.

An academic study published earlier this month claimed that data breach remediation efforts by targeted hospitals effectively led to a spike in mortality rates from heart attacks. The same researchers argued that ransomware “might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”


Singapore Invokes "Fake News" Law for the First Time

Mon, 11/25/2019 - 20:21

A politician has become the first person to fall afoul of Singapore's new Protection from Online Falsehoods and Manipulation Act (POFMA) after posting a misleading statement on Facebook.

In the incriminating social media post published on November 13, British-born Singaporean Brad Bowyer alleged that the Singapore government had influenced decisions made by state investment firms Temasek Holdings and the Government of Singapore Investment Corporation (GIC).

In a statement released earlier today, the Singapore government wrote: "The Facebook post by Mr. Brad Bowyer contains false statements of fact and misleading statements.

"The Government does not influence, let alone direct, the individual investment decisions made by Temasek and GIC. Which companies they invest in, or divest from, is entirely the responsibility of their respective management teams. The Government likewise does not interfere in the commercial decisions of Temasek’s and GIC’s portfolio companies.

"Temasek and GIC are run on market principles, independent of the Government. Many of their portfolio companies are publicly listed. The Government’s role is to ensure that Temasek and GIC have competent boards, which ensure that their respective mandates are met. The Government also holds the boards of Temasek and GIC accountable for their respective overall performances."

Mr. Bowyer also asserted that Temasek had invested in a debt-ridden parent company that owns the chain of restaurants Salt Bae. In reality, Salt Bae is owned by D.ream International BV, which operates 60 restaurants throughout the world via four operating subsidiaries.

In response to another allegation made by Bowyer that $4bn in investments made by GIC and related parties in Andhra Pradesh had all been doing poorly, the Singapore government wrote: "Mr. Bowyer makes this sweeping statement but gives no basis for it."

Under the new "fake news" law, POFMA, Singapore's finance minister contacted Bowyer with a request to correct his erroneous Facebook post. Bowyer complied, posting a correction notice today along with a link to the government's statement in which his falsehoods were outlined.

Along with the correction, Bowyer wrote: "I have no problem in following that request as I feel it is fair to have both points of view and clarifications and corrections of fact when necessary. I do my best to use public facts and make informed statements of opinion based on the details I have access too. [sic]

"I am not against being asked to make clarifications or corrections especially if it is in the public interest. In general, I caution all those who comment on our domestic politics and social issues to do so with due care and attention especially if you speak from any place of influence."


UK Government Invites Bids for New Cybersecurity Platform

Mon, 11/25/2019 - 19:22

The UK's Ministry of Justice is inviting bids for the creation of a single, centralized cybersecurity log collection and aggregation platform.

With a diverse digital estate and a wide variety of suppliers and technical systems, the MoJ is in need of a platform to enable log collection, aggregation, storage, analysis, and targeted forwarding capabilities.

Explaining the problem that bidders must solve, a spokesperson for the MoJ wrote: "The Ministry of Justice is currently constrained in its ability to understand the cybersecurity posture of its current estates due to security logs being held in multiple systems.

"In many cases these systems are hard to query. The team lacks a single, centralized store of logs that can be queried to help correlate cross-system attacks and track adversarial actors' behaviors."

Contractors are invited to submit bids featuring solutions that can be implemented within 12 weeks, with the potential for a 12-week extension. Bids submitted must fall within the allocated budget of £280,000 (excluding VAT).

Previously, the MoJ Security and Privacy team drew up a proposed architecture for the platform based on the Ministry’s Kubernetes cloud-hosting environment on Amazon Web Services and commonly used logging tools such as Elasticsearch, Logstash and Kibana (the Elastic stack).

As this initial groundwork has already been approved by the technical authorities, bidders are advised to use it as the basis of their implementation.

To submit a bid, a contractor must have passed a Baseline Personnel Security Check (BPSS) as a minimum.

So far, the project has garnered interest from around 27 bidders. The winner will bring their work to life in London's Petty France and at various supplier locations.

The shout-out for assistance in creating a centralized cybersecurity log collection and aggregation platform is part of an overall commitment by the MoJ to update its current cybersecurity capabilities.

The new project follows an invitation issued by the MoJ in August for a contractor to review and give guidance on the Ministry's current cybersecurity process.

Thirty applicants answered the call to provide internal staff, contractors, supply chain, and external partners with a coherent risk-balanced "stack" of policies, standards, guidelines, and procedures that supports the safe and secure functioning of the MoJ.
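The problem the MoJ describes above, logs held in several systems with different formats and no single store to query across them, is what a central aggregation platform addresses. As an added illustration that is not the Ministry's own design or code, the Python below takes two constructed log sources (a VPN gateway writing key=value lines and an application server writing JSON lines, both invented here), normalises them into one record shape, and then links events for the same user that appear in different systems within a short time window. The log formats, field names, usernames and addresses are all assumptions made for the example.

```python
"""Toy cross-system log correlation (added example, not MoJ code).

Two constructed log sources with different formats are normalised to a
common record, then events from different systems that share an actor
(username) within a time window are linked. This is the kind of query a
centralised log store makes possible and per-system logs make hard.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (invented for this example, not real data).
VPN_LOG = """\
2019-11-25T08:01:10Z src=203.0.113.7 user=alice action=login result=success
2019-11-25T08:03:42Z src=203.0.113.7 user=alice action=login result=success
2019-11-25T09:15:00Z src=198.51.100.9 user=bob action=login result=failure
"""

APP_LOG = """\
{"ts": "2019-11-25T08:02:05Z", "user": "alice", "event": "download", "object": "payroll.csv"}
{"ts": "2019-11-25T08:02:30Z", "user": "alice", "event": "download", "object": "hr-export.zip"}
{"ts": "2019-11-25T11:40:00Z", "user": "carol", "event": "view", "object": "index.html"}
"""

# Assumed VPN line layout: ISO timestamp followed by space-separated key=value pairs.
VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used by both constructed sources."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(text):
    """key=value lines -> common records {ts, system, user, event, detail}."""
    records = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        records.append({
            "ts": parse_ts(m.group("ts")), "system": "vpn",
            "user": fields.get("user"), "event": fields.get("action"),
            "detail": f"{fields.get('result')} from {fields.get('src')}",
        })
    return records


def parse_app(text):
    """JSON lines -> common records with the same keys as parse_vpn."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        records.append({
            "ts": parse_ts(obj["ts"]), "system": "app",
            "user": obj["user"], "event": obj["event"],
            "detail": obj.get("object", ""),
        })
    return records


def correlate(records, window=timedelta(minutes=10)):
    """Return {user: [(event_a, event_b), ...]} for pairs of events by the same
    user that come from different systems and fall within `window` of each other."""
    by_user = defaultdict(list)
    for r in records:
        if r["user"]:
            by_user[r["user"]].append(r)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda r: r["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted, so later events are further away still
                if a["system"] != b["system"]:
                    hits.setdefault(user, []).append((a, b))
    return hits


def timeline(records, user):
    """Single cross-system timeline for one actor, the view a central store gives."""
    evs = sorted((r for r in records if r["user"] == user), key=lambda r: r["ts"])
    return [f"{r['ts'].isoformat()} [{r['system']}] {r['event']} {r['detail']}" for r in evs]


if __name__ == "__main__":
    all_records = parse_vpn(VPN_LOG) + parse_app(APP_LOG)
    for user in correlate(all_records):
        print(f"cross-system activity for {user}:")
        for line in timeline(all_records, user):
            print("  " + line)
```

In the constructed data only alice appears in both sources within ten minutes, so the correlation links her VPN logins to the application downloads; bob and carol each appear in one system only and produce no cross-system pair.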


Marie Stopes UK Awarded Cybersecurity Certification

Mon, 11/25/2019 - 18:29

The UK branch of international contraception and safe abortion services provider Marie Stopes has earned a government-backed cyber-safety certification.

The 43-year-old organization, which is active in 37 countries around the world, is now the bearer of the Cyber Essentials Plus Certification.

Cyber Essentials is a key part of the UK’s National Cyber Security Programme, which was designed to help organizations guard against the most common cyber-threats and ensure sensitive data is kept secure and handled correctly.

The Cyber Essentials scheme addresses the most common internet-based threats to cybersecurity but places particular focus on "attacks that use widely available tools and demand little skill." Attacks that fall under this category include phishing attacks, hacking devices connected to the internet, and manual or automated attempts to guess passwords.

The National Cyber Security Centre (NCSC) offers two levels of certification to organizations. The first is a Cyber Essentials self-assessment option, and the other is Cyber Essentials Plus, which provides a more rigorous verification by an independent Certification Body.

The latter tests five key security controls (boundary firewalls and gateways, secure configuration, access control, malware protection, and patch management) through simulated hacking and phishing attacks.

To earn a certificate, organizations must take steps to ensure the cybersecurity of devices and software that accept incoming network connections from non-trusted internet-connected hosts, establish user-initiated outbound contact with arbitrary devices via the internet, and control the flow of data between any devices and the internet.

Stephanie Canavan, Marie Stopes UK’s head of information governance and IT systems, said: "We serve tens of thousands of women and men each year, and this badge demonstrates our commitment to keeping both them and our team members safe from online threats.

"Good cybersecurity is an absolute necessity, and this certification reflects our determination to ensure we are as resilient as possible to attack and that the sensitive data we are entrusted with is in safe hands."

A database containing details of all organizations holding a Cyber Essentials Certificate issued in the last 12 months can be accessed and searched by members of the public via the website cyberessentials.ncsc.gov.uk.

