Info Security


Crypto Exchange Bitrue Loses $4.5m in Cyber Raid

Thu, 06/27/2019 - 11:11

Bitrue has become the latest cryptocurrency exchange to suffer a major cyber-attack, losing an estimated $4.5m in customer funds in the process.

The Singapore-based company revealed the security breach in a series of tweets early this morning.

“At approximately 1am June 27 (GMT+8), a hacker exploited a vulnerability in our Risk Control team's second review process to access the personal funds of about 90 Bitrue users,” it said.

“The hacker used what they learned from this breach to then access the Bitrue hot wallet and move 9.3 million XRP and 2.5 million ADA to different exchanges.”

At current prices, that makes it around $4.25m in Ripple (XRP) coins and $225,000 in Cardano (ADA) coins.

Bitrue seems to have acted promptly to respond to and contain the incident: suspending activity temporarily on the exchange while it investigated and alerting exchanges Huobi Global, Bittrex and Change Now to freeze affected funds and accounts.

“Please note that at the time, due to uncertainty about the current situation, we stated that the exchange was going down for some unplanned maintenance. We apologize for this miscommunication with our users,” Bitrue continued.

“Once again, I want to assure everybody that their personal funds are insured, and anybody affected by this breach will have their funds replaced by us as soon as possible.”

The exchange also posted a link for users to monitor the flow of stolen funds, and alerted the Singaporean authorities of the cyber raid in an attempt to find the culprit and retrieve the stolen funds.

Most customers responding on Twitter have been sympathetic to the exchange’s plight and appreciative of its transparency — although this would no doubt change if they weren’t getting their money back.

A report from earlier this year revealed that cryptocurrency exchanges lost $1.2bn from fraud and cyber-attacks — versus an estimated $1.7bn for the whole of 2018.

Categories: Cyber Risk News

ENISA Reinforced as EU Cybersecurity Agency to Steer New Act

Thu, 06/27/2019 - 10:15

The EU Cybersecurity Act (CSA) comes into force from today, establishing an EU framework for cybersecurity certification under a reinforced and rebranded ENISA.

Originally proposed in 2017 as part of a wide-ranging set of measures to deal with cyber-attacks and to build strong cybersecurity in the EU, the Cybersecurity Act includes:

  • A permanent mandate for the ENISA to replace its limited mandate that would have expired in 2020, as well as more resources allocated to the agency to enable it to fulfill its goals
  • A stronger basis for ENISA in the new cybersecurity certification framework to assist member states in effectively responding to cyber-attacks with a greater role in cooperation and coordination at Union level

In addition, under its new title of EU Cybersecurity Agency, ENISA will help increase cybersecurity capabilities at the EU level to support capacity building and preparedness. ENISA will become an independent center of expertise that promotes awareness among citizens and businesses, assists EU institutions and member states in policy development and implementation, helps raise awareness of cybersecurity risks, and leads on “research needs and priorities in the field of cybersecurity.”

According to the regulation, “there is a need for a comprehensive set of measures that would build on previous Union action and would foster mutually reinforcing objectives” which would include further increasing the capabilities and preparedness of member states and businesses, as well as improving cooperation, information sharing and coordination across Member States and Union institutions, bodies, offices and agencies.

“Furthermore, given the borderless nature of cyber-threats, there is a need to increase capabilities at Union level that could complement the action of member states, in particular in cases of large-scale cross-border incidents and crises, while taking into account the importance of maintaining and further enhancing the national capabilities to respond to cyber threats of all scales,” it said.

Article seven of the regulation, which deals with “operational cooperation at Union level” states that “ENISA shall support operational cooperation among member states, Union institutions, bodies, offices and agencies, and between stakeholders.” This article also states that ENISA shall support member states with respect to operational cooperation within the CSIRTs network by:

  1. Advising on how to improve their capabilities to prevent, detect and respond to incidents and, at the request of one or more member states, providing advice in relation to a specific cyber threat
  2. Assisting, at the request of one or more member states, in the assessment of incidents having a significant or substantial impact through the provision of expertise and facilitating the technical handling of such incidents including in particular by supporting the voluntary sharing of relevant information and technical solutions between member states
  3. Analyzing vulnerabilities and incidents on the basis of publicly available information or information provided voluntarily by member states for that purpose
  4. At the request of one or more member states, providing support in relation to ex-post technical inquiries regarding incidents having a significant or substantial impact within the meaning of Directive (EU) 2016/1148

ENISA will also regularly organize cybersecurity exercises at Union level, and shall support member states and Union institutions, bodies, offices and agencies in organizing cybersecurity exercises following their requests.

Mariya Gabriel, EU Commissioner in charge of Digital Economy and Society, said that the EU Cybersecurity Act “has demonstrated the urgency to opt for an EU approach” and that the reinforcement of ENISA was needed because “it is crucial for citizens, businesses and member states to feel more secure.”

“The Cybersecurity Act also enables EU-wide cybersecurity certification for the very first time, thus boosting the Single Market for cybersecurity,” Gabriel said. “Through the Cybersecurity Act, the Directive on the security of networks and information systems and the proposed European Cybersecurity Competence Centre, we have put forward a strong EU pattern, based on values and open for strengthening cooperation with international partners.”

Udo Helmbrecht, executive director of ENISA, said: “I welcome the Cybersecurity Act and thank the Council, European Parliament and Commission for their support in the drafting and passing of this important piece of cybersecurity legislation. I also welcome the reinforced role of ENISA in the European cybersecurity ecosystem and the opportunity for ENISA to support the Digital Single Market.

“I believe the European Cybersecurity Certification Framework detailed in the Act will play a leading role for the advancement and harmonization of cybersecurity certification in Europe and beyond.” 

Categories: Cyber Risk News

CISOs: We’re Losing the Skills Race With Black Hats

Thu, 06/27/2019 - 09:30

Nearly half of CISOs in the UK, France and Germany believe they’re losing the skills race with cyber-criminals, according to new research from Symantec.

The security giant teamed up with London’s Goldsmiths University to poll over 3000 IT security decision makers across the three countries. The resulting report, High Alert: Tackling Cyber Security Overload in 2019, has some alarming findings.

Over two-fifths (44%) claimed their teams lack the necessary skills to tackle threats effectively, and 37% said they are overwhelmed with heavy workloads, although these figures dropped to 38% and 23% in the UK, respectively.

Similar numbers claimed their teams are too busy to keep up with skills development (46%), and that technological change is happening too quickly for them to adapt (45%). These figures were again slightly lower (39% and 37%) in the UK.

Goldsmiths director of innovation, Chris Brauer, argued that talent and skills are now the most important weapons in the cyber-arms race.

“The vast majority find this battle of wits an exciting and deeply intellectual challenge. But, this demanding work comes with high stakes and is fought at a frenetic pace with little support,” he added.

“Add to this the relentless volume of alerts and more mundane tasks, and the job can quickly turn toxic. Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already plagued by a skills shortage, this is a significant risk to businesses.”

In previously released findings from the report, 64% of those polled said they had considered quitting their role, while 63% said they had thought about leaving the industry completely.

This chimes somewhat with a recent Nominet report which revealed that 91% of UK and US CISOs suffer moderate or high stress.

The skills shortage in cybersecurity has reached nearly three million professionals globally, including 142,000 in EMEA.

Categories: Cyber Risk News

Payment Fraud Linked to Terrorism and Trafficking

Thu, 06/27/2019 - 08:20

Payment card fraud is being used around the world to fund and launder the proceeds from organized crime, drug and human trafficking, terrorism and more, according to a new report from Terbium Labs.

The dark web intelligence firm analyzed 274 cases over the past decade across North America and Europe to compile its new report, The Next Generation of Criminal Financing: How Payment Fraud Funds Transnational Crime.

It recorded losses of over $1bn associated with those 274 cases. In North America, most were linked to identity fraud (33%), organized crime (32.5%), human trafficking (17.5%) and drug trafficking (15%). In Europe, organized crime (62%), drug trafficking (41%) and money laundering (41%) were most common.

North America also had the highest rate of terrorism-linked fraud cases, with more than seven times as many cases as Europe, although still at a relatively low 8%.

The report detailed specific examples of stolen payment card data being used in criminal activity, including by Russian gangs, Sri Lankan criminals, Hezbollah, al Qaeda and even the Russian state.

Terbium Labs called for more to be done by financial institutions to tackle the fraud epidemic.

“Payment fraud is not just a fraud problem. It can no longer be viewed as a non-violent crime, mere annoyance, or unfortunate cost of doing business,” said Emily Wilson, VP of research at Terbium Labs. 

“Criminal justice agents must strive for a fuller understanding of the role fraud plays in serious criminal cases and the shifting landscape of the fraud economy. We're calling on the criminal justice system to create updated, standardized reporting requirements for investigations and case documentation in order to accurately and consistently track the links between payment fraud and transnational crime.”

Online payment fraud losses are set to more than double between 2018 and 2023 to reach a staggering annual figure of $48bn, according to Juniper Research.

Categories: Cyber Risk News

Second Florida City Hit by Ransomware Opts to Pay

Wed, 06/26/2019 - 14:54

Another Florida city has decided to pay a ransom to the hackers who took control over its municipal computer systems. On June 25, the mayor of Lake City said the northern Florida city would pay hackers $460,000 to regain control of its email and other servers that were seized two weeks ago, according to CBS 47 Action News Jax.

With the exception of the police and fire departments, the attack has left almost all of the city’s computer systems encrypted since the June 10 attack, and Lake City and Riviera Beach are only the latest in a growing list of municipalities that have fallen victim to ransomware.

A recently published Mimecast report, The State of Email Security, found that nearly half (42%) of organizations in the public sector say ransomware has impacted their business operations in the last 12 months, and 73% in the public sector have experienced two to five days of downtime as a result.

“The obvious negative to ransom payment is that it makes ransomware even more lucrative and routine. Repeated high-profile successes incentivize criminals to continue using the tactic and open the field to newcomers. Making matters worse, it is relatively rare for the international sources of these crimes to be caught – investigation and international cooperation is costly, and many cases fall under thresholds that would make them worthwhile to pursue,” said Lesley Carhart, principal threat analyst, threat operations center at Dragos.

“Ransom payment, while potentially immediately cheaper than proper disaster recovery planning, is leading us to an ugly Wild West, where paying the highwaymen is a mandatory part of yearly budgets and insurance policies. This is very unfortunate for the victims who can’t afford to pay.”

If paying the ransom becomes a trend, it would likely spur more targeted, well-planned attacks on cities or other defenseless victims, said Ilia Kolochenko, founder and CEO of ImmuniWeb.

“With such lucrative and easy stakes on the table, cyber-criminals will now willingly invest to prepare sophisticated, hardly detectable and well-targeted campaigns. Worse, such cybercrimes are often not able to be investigated due to technical issues and payments in cryptocurrency. It’s a paradise for black hats.”

Categories: Cyber Risk News


US, Australia Defend Democracy With Cyber Center

Wed, 06/26/2019 - 12:59

In collaboration with the US, Australia is endeavoring to fight the threat of fake news with the creation of a new cybersecurity center, according to The Lead.

The Jeff Bleich Centre for the US Alliance in Digital Technology, Security and Governance in Adelaide, Australia, is named after Jeff Bleich, special counsel to former President Barack Obama. From 2009 to 2013, Bleich served as ambassador to Australia. The ambassador will also be named a Flinders University Professorial Fellow.

South Australian researchers will work with the US to improve cyber-intelligence capabilities that will combat both the threat of deep fakes and the potential for foreign adversaries to meddle in national elections. 

According to the center’s website, it will provide “an Australian research hub, focused initially on social science research, for government, industries and NGOs to address current and emerging issues of digital technology, security and governance, especially in relation to the US-Australia Alliance.” 

The center will also enable Australia to strategically collaborate with and establish partnerships among and between academia, industry and defense both at home and abroad. 

Commenting on the disruptive cost of cyber-threats on democracy, Ambassador Bleich said, “We know that the advent of digital technology has fundamentally changed the way we each work, eat, shop and live. But it has also changed our societies and how we defend ourselves.

“Our nations – both separately and together – must operate in new ways to preserve our values and protect our people and allies in new battle spaces. This is the mission of the Jeff Bleich Centre for the US Alliance in Digital Technology, Security and Governance. Flinders is the ideal home for the center with its long-term track record in American studies, its focus on disruptive technologies and its successful binational programs,” Bleich said.

“The center aligns with the South Australian and federal governments’ cyber-security plans and will further strengthen South Australia’s position as Australia’s defense state. It will consolidate Flinders University’s research expertise and strengths in digital technologies, security and governance and build upon Flinders’ existing strengths in US policy studies and the university’s strong US alliance.”

Categories: Cyber Risk News

Netanyahu Boasts of Israel's Cyber Intelligence

Wed, 06/26/2019 - 12:22

At Israel’s Cyber Week 2019 being held at Tel Aviv University, Prime Minister Netanyahu boasted that Israel learned of and was able to stop an attacker from hijacking a flight from Sydney to Abu Dhabi because of the country’s cyber-intelligence capabilities, according to today’s press release.

“We alerted the Australian police, and they were able to prevent it. If you multiply that times 50, that would give you an idea of the contribution that Israel has made in protecting against terrorist activities, and most of those contributions were made with cybersecurity,” Netanyahu reportedly said.

“Israel has invested more than any other country proportionally,” he continued. “We invest vast sums of money, probably #2 in the western world, in our military intelligence, which goes to the army, the Mossad, to the Shin Bet [Israel Security Agency] and to other arms as well. We have created an enormous investment in human capital, people, who can deal with the internet, can deal with the ramifications of this revolution, both as workers and as entrepreneurs.”

Recognizing the challenges that Israel had to overcome to become a competitor in industries that require large-scale operations, Netanyahu spoke of the benefits of collaboration, adding, “We’re encouraging international associations. We have today unbelievable cooperation, first with our great and irreplaceable ally the USA, we’re collaborating on cybersecurity and on many other things.” 

Following Netanyahu, Yigal Unna, director general of the Israel National Cyber Directorate (INCD), took to the stage, stressing, “Iran and its proxies continue to pose a main cyber threat on the Middle East. Israel is prepared for cyber-threats and we have the capability to respond forcefully to cyber-attackers.”

Reporting on a survey conducted by INCD, in which more than 300 companies across Israel participated, Unna noted that 68% of companies reported that they had experienced at least one attempted or actual cyber-attack in the past year; however, in the majority (63%) of those incidents, the organizations said they incurred no damage.

Categories: Cyber Risk News

Dramatic Increase in Abuse of File Sharing Services

Wed, 06/26/2019 - 10:55

Security researchers are warning of a “dramatic” increase in the exploitation of legitimate file sharing services to deliver malware in email-based attacks, especially OneDrive.

FireEye claimed in its latest Email Threat Report for Q1 2019 that services including WeTransfer, Dropbox, Google Drive and OneDrive are increasingly being used to host malicious and phishing files.

However, while Dropbox was the most commonly used of all the services, OneDrive is catching up fast. From hardly being used in any attacks in Q4 2018, its use shot up by over 60% in the intervening months.

Hackers are using such services because links to them pass the initial domain reputation checks made by security tools.

Detection filters are also challenged by the use of “nested emails.” With this tactic, a first email contains a second email as an attachment, which in turn contains the malicious content or URL.

FireEye also warned of a 17% increase in total phishing emails spotted over the previous quarter, with the most-spoofed brands including Microsoft, followed by OneDrive, Apple, PayPal and Amazon.

Hackers are increasingly using HTTPS in phishing attacks featuring URLs in a bid to trick users into clicking. FireEye observed a 26% quarter-on-quarter increase in the tactic, which exploits the consumer perception that HTTPS is inherently secure.

In fact, the FBI was recently forced to issue an alert warning that HTTPS and padlock icons in the address bar are not enough to prove the authenticity of sites.

Users should resist clicking on links in unsolicited emails, it added.

Finally, FireEye warned that cyber-criminals are expanding their repertoire when it comes to BEC attacks.

In one version they target the payroll department with requests to change the bank details of senior executives with the hope of diverting their salary. In another, they focus on accounts payable but pretend to be trusted suppliers who are owed money, instead of the CEO/CFO.

Categories: Cyber Risk News

Recipe for Disaster as Tech Support Scammers Use Paid Search

Wed, 06/26/2019 - 09:07

Tech support gangs have been spotted using paid search to reel in unsuspecting victims looking for food-related content online, according to Malwarebytes.

The security vendor spotted scammers buying ads on Google and Bing which it said are designed to lure older netizens searching for food recipes.

“This scheme has actually been going on for months and has intensified recently, all the while keeping the same modus operandi,” it said. “Although not overly sophisticated, the threat actors behind it have been able to abuse major ad platforms and hosting providers for several months.”

As paid search entries are displayed at the top of search listings, users are more likely to click through. Doing so took them to specially created food blogs built by the scammers, complete with comments on the various articles.

“However, upon closer inspection, we can see that those sites have basically taken content from various web developer sites offering paid or free HTML templates,” said Malwarebytes.

In the right circumstances, the user is redirected to a browlock, or fake warning page, which is common in tech support scams. It checks the visitor’s browser and OS and displays a matching message claiming the user’s machine has been blocked because of a virus alert from Microsoft.

Calling the number, the white hats spoke to tech support scam ‘technicians’ who tried to sell them expensive support packages on the back of the fake AV alert. That company was listed as A2Z Cleaner Pro (AKA Coretel Communications).

Malwarebytes notified Google and Bing about the fraudulent ads and GoDaddy about the fake blogs and reiterated the importance of industry cooperation in tackling the tech support threat.

It’s unclear exactly how widespread the campaign was, but one URL shortening service used by one of the websites revealed over 50,000 hits in a single week in early May, mainly in the US.

Categories: Cyber Risk News

ICO Issues Notices After Met Police Contravenes GDPR

Wed, 06/26/2019 - 08:46

The UK’s privacy watchdog has been forced to issue the Metropolitan Police (MPS) with two enforcement notices after it failed in its obligations under the GDPR and the previous data protection regime.

The Met has not been responding promptly to citizens’ subject access requests (SARs) within the required calendar month, according to Information Commissioner’s Office (ICO) director of data protection complaints and compliance, Suzanne Gordon.

In fact, the police force was found to have more than 1100 open requests, with almost 680 of them over three months old.

“As people become more aware of their information rights, we recognise there has been a significant rise in SARs across all sectors, including to police forces and other law enforcement agencies. And we are also aware of the administrative impact of the increased workload on police forces in responding to these requests. But this should not come at a cost to people’s data rights,” she explained.

“We have … asked the MPS to make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.”

The Met claims to have a recovery plan in place and assured the ICO that the backlog of open SARs would be cleared within four months.

Police forces should log all requests, verbal and in writing, and make the public aware of any potential delays, Gordon explained. However, the 28-day clock only starts once all necessary information has been collected to establish the identity of the requester.

The police can also limit the amount of info they provide if it may prejudice an investigation or similar, she added.

The enforcement notices were served under the Data Protection Act 1998 and the Data Protection Act 2018, the latter of which is the UK’s version of the GDPR.

Categories: Cyber Risk News

Fake Ads that Lock Browsers Target Elders

Tue, 06/25/2019 - 18:56

A scam that was discovered last month that involved cyber-criminals invading Microsoft Azure Cloud Services reportedly remains ongoing. According to Malwarebytes’ threat intelligence team, the scam has continued but with a new trick: utilizing paid search results.

Instead of targeting victims through false emails claiming to be from Microsoft or Apple, scammers have been buying ads displayed on major internet portals to target an older demographic, driving traffic to decoy blogs that then redirect victims to a browser lock page, according to researchers.

“To support their scheme, the scammers have created a number of food-related blogs. The content appears to be genuine, and there are even some comments on many of the articles,” the researchers wrote. 

Though it’s been going on for months and the method of deception remains the same, researchers said the scheme has intensified recently. “Although not overly sophisticated, the threat actors behind it have been able to abuse major ad platforms and hosting providers for several months,” the researchers wrote. 

Through these blogs, scammers tricked users into believing their computers had been compromised. As a result, the crooks were able to convince users that they needed expensive but ultimately useless “support packages” in order to clean up their computers. These specious offerings, not surprisingly, do next to nothing when it comes to protecting a user’s computer.

“Tech support scams are one of the top threats affecting older folks, costing consumers millions of dollars in losses. Despite many takedowns and arrests in recent years, this industry is still very active and using the same social engineering techniques via fake browser alerts,” the Malwarebytes Threat Intelligence team told Infosecurity.

“It is important to remember that those browser lockers are not harmful in and out of themselves and that they can be closed safely. Victims that ended up calling the alleged Microsoft technicians for assistance should change their passwords, scan their machine for malware, revert any payment made, as well as monitor their bank statements closely.”

Categories: Cyber Risk News

'Dashboard Act' Would Force Orgs to Disclose Data

Tue, 06/25/2019 - 18:20

On Monday, Sens. Mark Warner (D-Va.) and Josh Hawley (R-Mo.) proposed the Designing Accounting Safeguards to Help Broader Oversight and Regulations on Data, also known as the DASHBOARD Act, which would put strict requirements on data operators, according to CNBC News.

“For years, social media companies have told consumers that their products are free to the user. But that’s not true – you are paying with your data instead of your wallet,” Warner reportedly said in a press release.

Those companies identified as data operators are defined as having more than 100 million active monthly users, which is most social media platforms and tech giants like Google. If voted into law, the new requirements would mandate that data operators “provide each user of the commercial data operator with an assessment of the economic value that the commercial data operator places on the data of that user; and in a clear and conspicuous manner.”

Data operators would also need to convey to each individual user the exact types of data that are being collected by either the company itself or a partner. “The concept of forcing large companies such as Facebook, Twitter, and Google to show their cards and actually tell people what their personal data is worth to the company is a novel one,” wrote Dennis Fisher in a June 24 blog post for Duo Security.

“Most users of those companies’ services likely have little if any idea of how much data is collected by them, let alone what the monetary value of that information is. But those companies most certainly do, as their business models depend upon it,” Fisher continued.

In response to the news, CEO and president of the Internet Association Michael Beckerman wrote, “Data helps businesses – across all industries and of all sizes and business models – provide consumers with better products and services. We are encouraged by policymaker interest in addressing consumer privacy and providing Americans with greater transparency and control over how their data is used and protected. The internet industry supports a comprehensive, economy-wide federal privacy law that covers all companies – from social media sites to local grocery stores to data brokers – to give consumers the protections and rights they need to take full control of the data they provide to companies.”

Categories: Cyber Risk News

Breach at Dominion National Likely Began in 2010

Tue, 06/25/2019 - 17:42

Dental and vision benefits insurer and administrator Dominion National announced a data security incident in which the personal information of members was potentially compromised.

“Safeguarding the privacy of your personal information is a top priority for us, and we make every effort to protect your information. Despite these efforts, Dominion National experienced a data security incident,” Dominion National president Mike Davis wrote in a company message.

The unauthorized access might have started as long ago as August 2010, according to the notice. “On April 24, 2019, through Dominion National's investigation of an internal alert and with the assistance of a leading cyber security firm, Dominion National determined that an unauthorized party may have accessed some of its computer servers. The unauthorized access may have occurred as early as August 25, 2010. Dominion National moved quickly to clean the affected servers.”

The company reports that it currently has no evidence that data was actually misused or wrongfully accessed. “However, we began mailing notification letters to potentially affected individuals on June 21, 2019, and we have established a dedicated incident response line to answer any questions.”

The data that was potentially accessed could include the enrollment and demographic information for current and former members. In addition to members of both Dominion National and Avalon Insurance, others who are affiliated with the organizations could have also had their data compromised. 

“The servers may have also contained personal information pertaining to plan producers and participating healthcare providers. The information varied by individual, but may include names in combination with addresses, email addresses, dates of birth, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers, and subscriber numbers,” according to the announcement.


#DISummit19: Fraudsters Shifting Focus to Mobile Attacks

Tue, 06/25/2019 - 15:06

Speaking at the EMEA Digital Identity Summit 2019 in London, Rebekah Moody, fraud and identity market planner at LexisNexis Risk Solutions, reflected on the findings of the new ThreatMetrix EMEA Cybercrime Report.

Moody discussed how the report, based on data from attacks between January and March 2019, revealed EMEA to be one of the most mobile regions in the world, with 71% of transactions originating from a mobile device in EMEA, compared to 55% globally.

That was a key factor in driving a lower overall attack rate in the EMEA region, she added, because mobile transactions are generally “safer than desktop transactions,” with attack rates on mobile five times lower than on desktop.

“However, we have started to see some really interesting shifts and evolution in the way that fraudsters are using mobile,” Moody added, explaining that fraudsters have recently begun adapting to changing consumer behaviors and are now turning their focus to mobile attacks.

“It’s really interesting how fraudsters are using mobile as a facilitator to develop different ways to attack user accounts.”

The industry that is currently most at risk from rising mobile attacks is the media industry, Moody said, explaining that “fraudsters are likely using media as an identity-testing ‘test bed’ because it’s generally an easier target than the e-commerce or financial service industries.”


#DISummit19: Online Fraud Becoming More Complex & Sophisticated

Tue, 06/25/2019 - 13:34

Speaking at the EMEA Digital Identity Summit 2019, Stephen Topliss, vice-president, fraud & identity at LexisNexis Risk Solutions, said that online fraud is becoming more intricate and sophisticated.

“Fraud has become much, much more complex,” he said, pointing to a particular rise in “networked fraud,” which consists of cross-border fraud, omni-channel fraud and cross-industry fraud.

“With cross-border fraud, attackers are using VPN and proxies to hide where they are originating from.

“We’re also seeing omni-channel fraud, so while in the past an attack might have focused specifically on an online banking channel, fraudsters are getting much more sophisticated and are using channels to investigate and learn more about a target or their account.”

Then there’s cross-industry fraud, Topliss added, which involves fraud attacks that first target one industry and then become stepping stones to target other industries.

There have also been recent rises in the amount of social engineering being used in fraud attacks, Topliss said. “It’s really becoming the new norm; in the financial sector, the early years of fraud really focused on third party fraud, but now there are so many layers of defense that are actually working quite well, so fraudsters have figured out that the human is the weakest link.”

Then there’s the rise in bot activity, with bots continuing to be a bigger and bigger problem within the fraud threat landscape. “It’s not just the sheer volume of them,” Topliss explained, “they are becoming more sophisticated and they’re invading traditional layers of defense. By doing that, they’re really able to do credential testing.”

Some emerging fraud opportunities have also come to light, Topliss said. “What’s interesting on the emerging fraud side of things is that we’re seeing both completely new types of fraud that are associated with new types of industries,” such as the ride-sharing industry, and fraud that targets established industries offering services “that historically were not susceptible to fraud or not targeted by fraudsters, but are suddenly becoming really, really interesting.”


#DISummit19: Fraudsters Always React & Respond to Better Security

Tue, 06/25/2019 - 12:35

At the EMEA Digital Identity Summit 2019 in London, Chris Parker, ecrime and digital lead, fraud response and recovery at the Royal Bank of Scotland, warned that cyber-criminals will always react and respond to better security methods, and so industry collaboration is key to staying ahead of them.

“There’s an awful lot of change going on, and it’s a cat and mouse game,” he said. “We need to recognize that everything we do [to prevent cybercrime] will cause a reaction [amongst cyber-criminals].”

Parker explained that security efforts have always had to evolve and improve to try and keep data safe from fraudsters, but as they have, attackers have also continued to adapt with new tactics that circumvent any improvements that have been made.

Fraudsters have come to realize, as their infrastructures have been taken down or taken over by law enforcement and their profits affected, “that they are not always the best at doing everything, and so they have started outsourcing their efforts to find experts on the black market.

“It’s taken us to a place where we’ve increasingly got a much better visibility of what’s happening, but fraudsters have found ways in which they can really focus on the skills they need.”

For that reason, an ‘us alone’ approach to security is not enough to prevent online fraud, and “we need to work across industry with law enforcement and peers.”

There is a lot of value in sharing threat intelligence data with each other, Parker added, because “we’ve seen that by sharing that intelligence and seeing what is affecting your peers before it impacts you, and vice-versa, you gain strength. Fraudsters are doing that – fraudsters are working in groups. If they can work in a collective, then we absolutely have to work as a collective to try and stop them.”


China Blamed for APT Attacks on Global Telcos

Tue, 06/25/2019 - 10:20

Security researchers have uncovered a major new two-year state-sponsored attack against global telcos, most likely linked to China’s Ministry of State Security (MSS).

Boston-based vendor Cybereason claimed that the group used tools and techniques associated with APT10 to obtain Call Detail Records (CDRs): metadata including source, destination, and duration of calls, physical location and device details that could help them spy on individuals.

“Having this information becomes particularly valuable when nation-state threat actors are targeting foreign intelligence agents, politicians, opposition candidates in an election, or even law enforcement,” it argued in a lengthy blog post.

“Operation Soft Cell” has been ongoing since at least 2017, targeting multiple global telcos to compromise individuals in over 30 countries worldwide.

“The attack began with a web shell running on a vulnerable, publicly-facing server, from which the attackers gathered information about the network and propagated across the network. The threat actor attempted to compromise critical assets, such as database servers, billing servers, and the active directory. As malicious activity was detected and remediated against, the threat actor stopped the attack,” Cybereason explained.

“The second wave of the attack hit several months later with similar infiltration attempts, along with a modified version of the web shell and reconnaissance activities. A game of cat and mouse between the threat actor and the defenders began, as they ceased and resumed their attack two more times in the span of a four-month period.”

Among the tools used by the attackers were: the China Chopper web shell, initially detected on an IIS server; a modified Nbtscan tool designed to find NetBIOS name servers; a modified version of mimikatz to steal credentials; fileless techniques like WMI and PsExec to move laterally; the PoisonIvy RAT; and more.

Care was taken throughout to maintain persistence and stay hidden.

“The threat actor abused the stolen credentials to create rogue, high-privileged domain user accounts which they then used to take malicious action. By creating these accounts, they ensured they would maintain access between different waves of the attack,” Cybereason explained.

“Once the threat actor regains their foothold, they already have access to a high-privileged domain user account. This significantly reduces the ‘noise’ of having to use credential dumpers repeatedly, which helped them evade detection.”
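The persistence pattern Cybereason describes, a freshly created domain account that is promptly placed in a high-privilege group, is something a defender can alert on from domain controller audit logs. The following is an added example, not code from Cybereason or the article: it runs a simple rule over constructed, simplified Windows Security events (IDs 4720, account created, and 4728, member added to a security-enabled global group); the event field names and sample values are this example's own.

```python
"""Added example (not from the Cybereason report): flag accounts that are created
and then added to a privileged group within a short window. Events are simplified
and constructed; real Windows events carry more fields under different names."""
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. 4720 = user account created,
# 4728 = member added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"time": "2019-03-01T02:10:00", "id": 4720, "actor": "svc_backup", "target": "ops-helper"},
    {"time": "2019-03-01T02:11:30", "id": 4728, "actor": "svc_backup", "target": "ops-helper",
     "group": "Domain Admins"},
    {"time": "2019-03-01T09:00:00", "id": 4720, "actor": "helpdesk1", "target": "j.smith"},
    {"time": "2019-03-01T09:05:00", "id": 4728, "actor": "helpdesk1", "target": "j.smith",
     "group": "Staff"},
    {"time": "2019-03-02T14:00:00", "id": 4728, "actor": "admin3", "target": "old-admin",
     "group": "Domain Admins"},
]

# Groups whose membership grants domain-wide control (assumed list for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


def find_rogue_privileged_accounts(events, window=timedelta(hours=24)):
    """Return (account, group, actor) for every account whose creation (4720) is
    followed within `window` by membership in a privileged group (4728)."""
    created = {}   # account name -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO-8601 strings sort correctly
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = ts
        elif ev["id"] == 4728 and ev.get("group") in PRIVILEGED_GROUPS:
            born = created.get(ev["target"])
            if born is not None and ts - born <= window:
                hits.append((ev["target"], ev["group"], ev["actor"]))
    return hits


def unexpected_privileged_members(baseline, current):
    """Companion check: privileged-group members absent from an approved baseline.
    Catches accounts whose creation event has already rolled out of the log
    (the 'old-admin' case above, which the timing rule alone does not flag)."""
    return {group: sorted(set(members) - set(baseline.get(group, ())))
            for group, members in current.items()
            if set(members) - set(baseline.get(group, ()))}


if __name__ == "__main__":
    for acct, grp, actor in find_rogue_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {acct} created and added to {grp} by {actor}")
```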


UK Firms Riddled With Vulnerable Open Source Software

Tue, 06/25/2019 - 09:02

There’s been a 71% increase in open source-related breaches over the past five years, with UK firms downloading on average 21,000 software components known to be vulnerable over the past 12 months, according to Sonatype.

The DevOps automation firm’s annual State of the Software Supply Chain report features global analysis from 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys.

It claimed supply and demand of open source components is at an all-time high, with over 146 billion download requests of Java components in 2018: a 68% increase on 2017 figures.

Yet while these downloads help to speed up DevOps, they also introduce potential risk. The report found that over 51% of Java package downloads have a known security vulnerability, as do 1 in 10 Java component releases.  

The 21,000 open source components UK firms downloaded containing known software vulnerabilities amounts to nearly 9% of all downloads made last year. More worrying still: nearly a third (30%) of these were critical vulnerabilities.

The report also highlighted the number of firms using the infamous vulnerable Apache Struts component responsible for the Equifax breach which affected an estimated half of all adult Americans.

It revealed that downloads of the component actually increased by 11% in the year following the 2017 breach — amounting to 2.1m each month.

However, there was some cause for optimism: the report revealed 295 open source projects with exemplary coding practices, using automated tools to remediate known vulnerabilities quicker and update dependencies.

“We have long advised business that they should rely on the fewest open source components suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype. “For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive.”


Social Engineering Forum Suffers Major Breach

Tue, 06/25/2019 - 08:41

An online forum focused on discussion of all things social engineering has been breached, with the details of tens of thousands of account holders compromised.

Social Engineered administrator “Snow101” explained to users in a post late last week that the hackers exploited a vulnerability in open source forum software MyBB.

The admin claimed they had been forced to move the platform over to XenForo, asking users to chip in to help pay for the migration.

The breach itself happened on June 13, 2019 and compromised 89,392 accounts, according to information on HaveIBeenPwned.

It claimed the details were published on a rival hacking forum, and included around 89,000 unique email addresses linked to 55,000 users and other tables in the same database.

“The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes,” it added.

Tripwire vice president, Tim Erlin, warned that, ironically enough, email addresses are often used in follow-on phishing raids and other social engineering attacks.

“This type of sensitive data can be used to the benefit of the attacker in a variety of ways, including identity theft and impersonation,” he added.

“MD5 is not a secure algorithm for hashing passwords. It has well-known flaws and is generally understood to be insufficient for protecting sensitive data of any kind.”

However, the very nature of the forum may well mean hackers have a hard time monetizing the data, Erlin claimed.

“If you were going to choose a user base that’s especially difficult to target with phishing and other social engineering-based attacks, this would certainly be near the top of the list,” he said.
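Erlin's point about salted MD5 is a common legacy-migration problem: existing records cannot be re-hashed without the plaintext, so the usual fix is to verify the old hash at login and replace it with a slow, salted KDF on the spot. The following is an added example, not code from Social Engineered, MyBB or Tripwire; it assumes a legacy layout of md5(salt + password) stored as "md5$<salt>$<hex>" and an upgraded layout of "pbkdf2$<iterations>$<salt_hex>$<hash_hex>", both conventions of this example only.

```python
"""Added example: verify a legacy salted-MD5 password record and re-hash it with
PBKDF2-HMAC-SHA256 on the next successful login. Record layouts are assumed."""
import hashlib
import hmac
import os

# Iteration count chosen to make each guess expensive; salted MD5 costs one
# hash per guess, which is why it offers little protection once leaked.
PBKDF2_ITERATIONS = 600_000


def legacy_md5_record(password: str, salt: str) -> str:
    """Build a record in the weak legacy scheme. Used here only to construct
    sample data; never create new records this way."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build a record in the upgraded scheme with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(record: str, password: str):
    """Return (ok, new_record). new_record is a replacement to persist when a
    legacy record verified, otherwise None."""
    scheme, *parts = record.split("$")
    if scheme == "md5":
        salt, stored = parts
        computed = hashlib.md5((salt + password).encode()).hexdigest()
        ok = hmac.compare_digest(computed, stored)   # constant-time comparison
        # The plaintext is in hand only during login, so upgrade right here.
        return ok, (pbkdf2_record(password) if ok else None)
    if scheme == "pbkdf2":
        iterations, salt_hex, stored = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), stored), None
    raise ValueError(f"unknown password scheme: {scheme}")
```

Upgrade-on-login only reaches users who log in again, so records of dormant accounts should be force-reset or wrapped (the existing MD5 digest fed through the KDF) rather than left in the legacy format.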

