Info Security


Hamas Uses Fake Dating Apps to Infiltrate Israeli Military

Wed, 07/04/2018 - 11:35

Hamas has been accused of running a sophisticated spyware operation designed to trick Israeli Defense Force (IDF) soldiers into downloading malicious apps.

Hundreds of IDF troops have been contacted by alleged fake profiles on social networking sites in what the military is dubbing Operation Broken Heart.

After building up a rapport with the soldier on WhatsApp, the ‘woman’ in question then typically sends them a link to download a convincing looking but malicious app.

These included dating apps with names like GlanceLove and ones featuring goals and live scores from the World Cup, such as Golden Cup.

One suspicious-looking profile, which nevertheless had an Israeli number attached, belonged to a ‘Lina Kramer’ and was discovered in January. Those behind the campaign often try to cover up broken Hebrew by saying they’re immigrants, the IDF claimed.

“Not long after the first attacker approached us, we’d already begun receiving dozens of reports from soldiers about suspicious figures and apps on social networks,” said ‘Colonel A,’ head of the IDF Information Security Department.

“Upon investigating the reports, we uncovered hostile infrastructure that Hamas tried to use to keep in contact with IDF soldiers and tempt them to download apps that were harmful, and use the soldiers to extract classified information.”

The apps are said to be loaded with Trojan malware capable of switching on the mic and camera, accessing photos, phone numbers and email addresses of soldiers operating near the Palestinian border, and even gathering info on military bases.

The IT security department of the Israeli military has updated its guidance for soldiers in light of Broken Heart and is reportedly also sending fake messages to soldiers in a bid to raise awareness of the dangers of clicking on links from virtual strangers.

Categories: Cyber Risk News

Iranian Attackers Spoof Security Site for Phishing Lure

Wed, 07/04/2018 - 10:42

An Iranian APT group has been spotted building a phishing site, using a cybersecurity company which outed it as a lure.

Charming Kitten has been in operation since 2014 and its activities were laid bare in a December report by Israeli security vendor Clearsky Security.

The firm claimed to have found more than 85 IP addresses, 240 malicious domains, hundreds of hosts, multiple fake entities and potentially thousands of victims linked to the group.

In a series of tweets this week, the firm said it had discovered the same group building a phishing site designed to capitalize on interest in the vendor’s findings.

“The fake website is clearskysecurity\.net (the real website is ). They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services,” it said.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them.”

One of the fake pages even displayed content of a previously outed Charming Kitten campaign, according to the firm.

The group is just one of a growing list of Iranian APT groups most likely backed by the government. These include APT34, observed most recently by FireEye back in December targeting governments in the Middle East.

Also notable is the CopyKittens group uncovered by Clearsky and Trend Micro. Dating back to 2013, it has focused on stealing data from Western and Middle Eastern government, defense and academic organizations via custom and commercial tools.

Categories: Cyber Risk News

Gmail Privacy Fears Emerge Over Third-Party Apps

Wed, 07/04/2018 - 10:15

Google is at the center of a new privacy storm after it was revealed that third-party app developers can read the content of Gmail users’ emails.

This “dirty secret,” as one source described it to the Wall Street Journal, affects users who choose to link their Gmail accounts to third-party applications for things like travel or shopping.

In so doing they’re asked to grant permissions for the app to "Read, send, delete and manage your email."

However, many users may not be aware that human eyes are perusing their personal emails as well as computer algorithms.

The report claimed that in the case of marketing app Return Path, employees of the company read around 8000 Gmail users’ emails to help develop the app. Email management app developer Edison Software also allowed its employees to read "thousands" of emails to hone the Smart Reply feature.

For its part, Google claimed to have strictly vetted those firms allowed access to users’ emails and said users are asked explicitly for their permission to do so, consistent with its policies.

However, when it comes to third-party apps, user privacy has become a major issue following the Cambridge Analytica scandal in which the details of 87m Facebook users were sold by an app developer for use in targeted political advertising.

The social network changed a policy in 2015 which had allowed third-party developers to access the data of app users’ friends.

Evgeny Chereshnev, CEO of privacy firm Biolink.Tech, claimed that the GDPR demands organizations improve awareness among users around how their data is being used.

“This type of access is going to continue, and people need to be aware that every time they connect to, or install, a third-party application on their mobile device, they are giving rights to those applications – often without even thinking about it,” he added.

“These applications gain access to users’ contacts, information about the user of the phone as well as things like GPS location, so this needs to be taken very seriously.”

Categories: Cyber Risk News

Bug Unblocks Friends for 800,000+ Facebook Users

Tue, 07/03/2018 - 13:42

Facebook users might have seen information in their news feeds from users that had blocked them because a bug was reportedly unblocking people, the company announced yesterday.

On 2 July, Facebook started notifying more than 800,000 of its users that a bug in Facebook and Messenger had unblocked some users that had previously been blocked. Active between 29 May and 5 June, the bug did not allow a blocked user to see content within certain privacy permissions. However, if the post were public or visible to friends of friends, the blocked person could have seen the information. Users whose privacy settings were set to "friends only" when sharing content would not have had any posts revealed to a blocked friend.

Facebook apologized for what happened and explained that the bug did not reinstate any blocked persons. The company also noted that “83% of people affected by the bug had only one person they had blocked temporarily unblocked.” The issue has been fixed, and users were encouraged to check their blocked list to make sure that their desired settings were as they should be.

It’s been a tough 2018 for Facebook, which recently announced that it had indeed continued to share data with 61 hardware and software makers even after CEO Mark Zuckerberg testified that the practice of sharing data with third parties ended in 2015.

In the wee hours of Friday 29 June, Facebook submitted 747 pages worth of answers to the questions posed by the Senate and House Committees on 10-11 April. Of the 2,000 questions asked, many related to the scraping of data from third parties brought to light by the Cambridge Analytica scandal.

“We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed. So, we’re taking additional steps to put people more in control of their privacy,” Facebook wrote.

Categories: Cyber Risk News

Concern Mounts for SS7, Diameter Vulnerability

Tue, 07/03/2018 - 13:08

The same security flaws that cursed the older SS7 standard and were used with 3G, 2G and earlier are prevalent in the Diameter protocol used with today's 4G (LTE) telephony and data transfer standard, according to researchers at Positive Technologies and the European Union Agency For Network and Information Security (ENISA).

Network security is built on trust between operators and IPX providers, and the Diameter protocol that replaced SS7 was supposed to be an improved network signaling protocol. But when 4G operators misconfigure the Diameter protocol, the same types of vulnerabilities still exist.

“As society continues to leverage mobile data capabilities more and more heavily, from individual users performing more tasks directly on their smartphones, to IoT devices which use it when regular network connections are not available (or not possible), service providers need to take the security of this important communications channel more seriously,” said Sean Newman, director of product management for Corero Network Security.

Given that the Diameter protocol is slated to be used in 5G, reports of critical security capabilities not being enabled in the Diameter protocol used for 4G mobile networks are worrisome. Of particular concern is the potential that the misconfigurations behind the vulnerability could result in distributed denial of service (DDoS) attacks against critical infrastructure relying on mobile access. An attacker would not need to harness any large-scale distributed attack capabilities.

“The latest generation of denial of service protection solutions are critical for any organization that relies on always-on internet availability, but this can only be effective if service providers are ensuring the connectivity itself is always-on,” Newman said.

Concerns over the threats from smartphones have even been presented to Congress with pleas that they should act immediately to protect the nation from cybersecurity threats in SS7 and Diameter.

“SS7 and Diameter were designed without adequate authentication safeguards. As a result, attackers can mimic legitimate roaming activity to intercept calls and text messages, and can imitate requests from a carrier to locate a mobile device. Unlike cell-site simulator attacks, SS7 and Diameter attacks do not require any physical proximity to a victim,” wrote Jonathan Mayer, assistant professor of computer science and public affairs, Princeton University, in his testimony before the Committee on Science, Space, and Technology of 27 June.

Categories: Cyber Risk News

Fourth Circuit Defines Standing in Data Breach Cases

Tue, 07/03/2018 - 12:34

Whether it’s news of Adidas, Ticketmaster or Typeform, the headlines have been littered with stories of yet another company hacked, which is why the United States Court of Appeals for the Fourth Circuit has weighed in on the issue of standing and the definition of the threat of future injury in data breach litigation.

Article III, Section 2, Clause 1 of the U.S. Constitution requires that plaintiffs suffered an injury and that the injury is fairly traceable to the challenged conduct. The injuries, according to the American Bar Association, must be actual or certainly impending.

In the case of Hutton v. National Board of Examiners in Optometry (NBEO), filed 12 June 2018, “The court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred.”

Several cases have come before the court, and Beck v. McDonald from 2017 is one of particular importance to the Fourth Circuit's upholding of the Hutton ruling. In Beck, the court ruled that the plaintiffs did not have standing in the alleged “threat of future injury." The court’s position on the 2017 ruling was guided by the fact that laptops that contained personal information were stolen, but the information was not misused.

The difference found by the Fourth Circuit in Hutton is that the plaintiffs “noticed that credit card accounts were fraudulently opened in their names, which required knowledge of their Social Security numbers and dates of birth.” The NBEO never acknowledged a security breach, but the plaintiffs – who had fraudulent credit card accounts opened using their stolen information – made the case that the company was the only commonality among them; thus, their information had not been adequately protected by the NBEO.

While the NBEO filed to dismiss the case, arguing that no actual harm had been inflicted, “The court emphasized, unlike in Beck, plaintiffs were 'concretely injured' as credit card accounts were open without their knowledge or approval, qualifying as misuse, even if fraudulent charges were yet to occur.”

The floodgates for lawsuits have been opened, and it doesn’t appear that the river will dry up any time soon. With more plaintiffs filing claims that they were harmed after their personal information was compromised, the courts are trying to understand and define the actual and potential future harm that can result from unauthorized exposure.

Because of the ambiguity in determining the risk of future harm or the likelihood of misuse of stolen information versus actual harm, the circuit courts have disagreed on the issue of standing with Article III when ruling on data breach cases.

“Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a 'risk of future harm' exists,” wrote the National Law Review.

Categories: Cyber Risk News

NHS Developer Error Leads to Data Leak

Tue, 07/03/2018 - 10:15

A data leak at the NHS affecting 150,000 patients has been blamed on a software developer error.

The issue revolves around so-called Type-2 opt-outs, which patients can request when they don’t want their personal information to be used for anything other than their own care.

Some 150,000 of these objections recorded in GP practices between March 2015 and June 2018 were not sent to NHS Digital by outsourcing software developer TPP’s systems.

The error is only a minor one as the data was ultimately used in clinical audit and research, which is designed in any case to help improve patient care across the NHS, according to a statement by the parliamentary under-secretary of state for health, Jackie Doyle-Price.

“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld,” she explained.

“There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner’s Office and the National Data Guardian for Health and Care aware.”

Type-2 objections have now been replaced by a national data opt-out designed to simplify the registering of an objection to wider data sharing.

However, the incident is the latest in a long line of data leaks and breaches stemming from third-party mistakes.

Incidents at PageUp, Typeform, and Inbenta Technologies have all had a major impact on client organizations and their customers in the past couple of months.

Mike Smart, EMEA security strategist at Forcepoint, argued that developers must integrate multiple layers of protection into their products, especially with the requirements of the GDPR front-of-mind.

“It’s a clear indicator that relying too heavily on software will cause these mistakes to happen in the future,” he added. “We can’t afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live.”

Categories: Cyber Risk News

US to Ban China Mobile on Security Concerns

Tue, 07/03/2018 - 09:51

The Trump administration has told the Federal Communications Commission (FCC) to block China Mobile from entering the US telecoms market on national security grounds.

The state-backed telco has been tied up for seven years on an application for a Section 214 license to offer international voice traffic from the US to foreign countries, according to the Commerce Department’s National Telecommunications and Information Administration (NTIA).

However, it has been decided that granting such a license to a carrier funded by Beijing would present “unacceptable national security and law enforcement risks.”

“After significant engagement with China Mobile, concerns about increased risks to US law enforcement and national security interests were unable to be resolved,” said David Redl, assistant secretary for communications and information, in a statement.

“Therefore, the Executive Branch of the US government, through the National Telecommunications and Information Administration pursuant to its statutory responsibility to coordinate the presentation of views of the Executive Branch to the FCC, recommends that the FCC deny China Mobile’s Section 214 license request.”

China Mobile is the world’s largest mobile phone operator with nearly 900 subscribers, but the vast majority are located within the Middle Kingdom, where it makes most of its money.

That’s why this snub will not have the kind of impact on the firm that the recent sanctions against ZTE threatened.

However, it’s yet another sign of the growing technology Cold War developing between the world’s two superpowers.

A Trump-fuelled trade war continued with promises on Friday of further tariffs on $34bn worth of Chinese goods, which Beijing said it would respond in kind to.

In the meantime, Huawei continues to be investigated for possible sanctions violations which could also see it penalized by the US authorities.

The hard-line approach by the Trump administration also threatens to force an acceleration in Xi Jinping’s plans to become completely self-sufficient in the production of core technologies like processors.

Categories: Cyber Risk News

Whitbread Sounds Breach Alarm After PageUp Incident

Tue, 07/03/2018 - 09:13

Whitbread is the latest big-name company to have been affected by a breach at a popular third-party recruitment platform provider, it has emerged.

The UK hotel and coffee shop operator has admitted that some current and prospective employees’ data may have been compromised, thanks to an incident last month at Australian supplier PageUp.

An email sent by Whitbread to those potentially affected claimed that data handed to the company during the recruitment process “may have been accessed and could potentially (in combination with other information) be used for identity theft,” according to the Irish Times.

Whitbread isn’t disclosing how many people may have been affected, although it has roughly 50,000 staff in the UK, and owns brands including Costa Coffee and Premier Inn.

According to PageUp, the details stolen in a cyber-attack revealed last month included name, email address, physical address, telephone number, gender, date of birth and employment details, more than enough to craft convincing follow-on phishing emails.

Passwords were hashed using bcrypt and salted by the Aussie provider, but Whitbread is still advising individuals to change them if they shared the same credential across other sites.

The firm has also suspended its use of the third-party recruitment platform for now.

David Kennerley, director of threat research at cybersecurity company Webroot, argued the case highlights the need for companies to vet their supply chains more rigorously.

“The fact that information like dates of birth and even maiden names has been stolen along with email addresses gives cyber-criminals all that they need to successfully monetize the hack, from phishing attacks to identity theft,” he added.

“Businesses of all sizes need to prioritize the security of critical and personal information, as you’re never too small or large to be a target. The key learning lesson here is making sure that not only are your own security processes up to scratch, but also that any third party dealing with sensitive data or accessing your network does so in the right way too.”

That’s especially true in the new GDPR era, where both data processors and suppliers have an equal responsibility to keep customer/employee personal data secure.

Categories: Cyber Risk News

Facial Recognition IDs Capital Gazette Shooter

Mon, 07/02/2018 - 14:09

Though controversial and riddled with problems of a high false positive rate, facial recognition software led to a big win for police in Annapolis, Maryland, after a mass shooting at the Capital Gazette left five journalists dead and others wounded when a gunman attacked the newsroom.

After police took the suspected gunman into custody, a fingerprint database returned no results. The man reportedly had no identification on his person and refused to speak to investigators. According to the Washington Post, investigators ran his photo in Maryland’s facial recognition database, the Maryland Image Repository System (MIRS), and the system returned a match.

Unlike other cases, the Annapolis case resulted in great success and reportedly saved time as investigators tried to both identify a suspect and determine whether there were additional culprits. Anne Arundel County police chief Tim Altomare confirmed that investigators identified the suspect using facial recognition technology alongside other investigative techniques, and confirmed there are no other suspects.

A 2013 effort to mitigate the problem of uncooperative suspects, who provide little or inaccurate information about their identities, awarded a grant to the Automated Regional Justice Information System (ARJIS), a consortium of 82 local, state and federal law enforcement agencies. Thus began their work to develop query systems to be used by law enforcement agencies based on facial recognition.

At the time, facial recognition was a fairly new concept. Originally, the ARJIS database contained over 1,300,000 booking photos from San Diego County and more than 93,000 images from the booking system of the Chula Vista Police Department. According to the Electronic Frontier Foundation, use has increased rapidly without meaningful oversight.

Despite the debates over the accuracy of the technology, a former lieutenant commander with the New York City Police Department’s cold case squad told the Washington Post that this case will likely embolden advocates of the technology and bring attention to the technology from law enforcement agencies.

“The facial recognition system performed as designed,” said Stephen T. Moyer, secretary of Maryland’s Department of Public Safety and Correctional Services (DPSCS), in a statement. “It has been and continues to be a valuable tool for fighting crime in our state.”

Categories: Cyber Risk News

SAP Risk Not Understood by C-Level

Mon, 07/02/2018 - 13:00

A new survey of executives and IT and security professionals found that far fewer executives than IT and security staff are extremely concerned about SAP security, a gap that could be detrimental to developing sound cybersecurity strategies, according to ERP Maestro.

Given that enterprise resource planning (ERP) systems process so much transactional data and are often targets for attacks, Americas' SAP Users' Group (ASUG) conducted a May survey of C-level executives and IT and security professionals. Sponsored by ERP Maestro, the survey included responses from customers using both cloud and on-premise SAP solutions. SAP remains the dominant core ERP system used among ASUG members, and it is used to process 77% of the world’s transaction revenue.

The survey showed a sizable gap between executives and other professional groups in their perception of SAP security risks. The most substantial disparity exists between executives and those directly responsible for IT and security.

Only 25% of executives said that they were extremely concerned about security. That number is in stark contrast to the 80% of IT and security respondents whose concern level is in the range of very or extremely concerned.

“Dedicated security professionals understand the nuances of security and see it as a significant challenge. They likely have a more accurate assessment of their environment,” the report wrote. “The lack of concern among executive-level employees may indicate that more education is needed among this cohort to help increase understanding of the potential risks and insider threats.”

According to the survey, 82% of respondents said their systems have only minor vulnerabilities, while only 5% rated their systems as impenetrable and 8% did not know how to classify their systems. Additionally, of the respondents, one-third do not have a defined cybersecurity strategy.

“One of our biggest challenges, and also an objective in the work we do with SAP customers, is bridging the divide between executives and IT/security teams so that they are all on the same page when it comes to understanding their level of risk,” said Britta Simms, IBM's lead for Global Center of Competency SAP Security.

“That joint knowledge is crucial in forming comprehensive strategies and getting buy-in across the organization for the best prevention plans and tools. It’s also a competitive advantage.”

Categories: Cyber Risk News

Fortnum & Mason: 23,000 Affected by Data Hack

Mon, 07/02/2018 - 12:22

Luxury retailer Fortnum & Mason has become the latest big brand to be involved in a significant data breach after the company admitted the details of around 23,000 competition and survey participants had been compromised.

According to a spokesperson at Fortnum & Mason: “At 17.26pm on Friday 29 June, Typeform, a company that provides services that we have used in the past to collect survey responses and voting preferences, notified us that they had suffered a data breach and unfortunately some of our data had been compromised.”

Those affected were competition and survey participants who had submitted responses through a Typeform form.

“For the majority of people, only the email address has been exposed,” the spokesperson added. “For a smaller proportion of customers, other data such as address, contact number and social handle has been included. These forms did not request bank or payment details, or require passwords.”

No-one’s bank details or passwords have been involved, and money and accounts are safe, they said. “All those affected have been contacted.”

Fortnum & Mason was also quick to point out that there had been no breach of its website, and that all of the data it holds was unaffected by the incident.

“We have disabled any and all Typeform forms existing on our website and will not work with Typeform until we are assured that there is no further risk, that all our data has been removed from their servers and that their security measures have been improved. We have been informed that Typeform have fixed the root cause and are undertaking forensic investigations.”

Categories: Cyber Risk News

Customer Bids Farewell to Typeform Post-Breach

Mon, 07/02/2018 - 12:06

Barcelona-based Typeform suffered a breach when an unknown third party accessed one of their servers and downloaded data. While the breach’s impact on the company's reputation cannot be fully measured yet, Monzo announced that they have ended their relationship with Typeform.

On 27 June 2018, Typeform announced that an unidentified attacker reportedly downloaded a partial backup file. The file reportedly contained sensitive elector information on customers who had completed online forms before 3 May 2018. Any information collected after 3 May was not compromised. Those customers who were affected by the breach were informed via email by Typeform.

In their media alert, Monzo wrote, “Some personal data of about 20,000 people is likely to have been included in the [Typeform] breach. For the vast majority of people, this was just their email address. For a much smaller proportion of others, this may have included other data like their Twitter username or postcode.”

Even though Typeform said they responded immediately by fixing the source and preventing any further intrusion, the breach has already cost them one customer.

“We have since been performing a full forensic investigation of the incident to be certain that this cannot happen again. The risk of reoccurrence is now deemed low enough to send out this communication,” the company wrote.

The company also confirmed that no bank details have been affected and that payment details, passwords and any customer subscription payment information remain safe. Additionally, any payment information that customers collected using Typeform’s Stripe integration has been deemed safe.

The breach has also created a potential problem for the Tasmanian Electoral Commission (TEC), which has used Typeform’s online forms for some of its election services. As the days unfold, electors will be contacted, but TEC added that the breach has no connection to the national or state electoral roll.

TEC publicly announced the breach in a 30 June media release, reporting that “Whilst some of the stolen elector data captured in some of these forms has already been made public, such as candidate statements for a local government by-election, it is believed that the breach also captured name, address, email and date of birth information provided by electors when applying for an express vote at the recent State and Legislative Council elections.”

Categories: Cyber Risk News

Two-Fifths of UK CEOs See Cyber-Attacks as Inevitable

Mon, 07/02/2018 - 10:09

Fewer than 40% of UK CEOs believe a successful cyber-attack on their company is inevitable, far fewer than their global counterparts, according to new research from KPMG.

The global consulting firm polled 1300 CEOs of “many of the world’s largest and most complex businesses,” including 150 UK business leaders.

It found that 39% of UK CEOs now believe a cyber-attack on their firm is a case of “when” not “if.” This reveals considerably more optimism than the 49% of global CEOs who claimed the same.

While the stats indicate a growing awareness among business leaders of the scale of the cybersecurity challenge facing organizations today, the figure would ideally be higher.

Most experts are agreed that a well-resourced and determined attacker will always have the upper hand over IT security teams.

Dean Ferrando, systems engineer manager at Tripwire, argued that the first step towards improving cyber resilience is for business leaders to understand that attacks are inevitable.

“With cyber defence, getting the basics right counts for a lot and the majority of successful attacks can be prevented with foundational security controls, like ensuring systems are securely configured and managing and patching vulnerabilities,” he added.

“Organizations should also have visibility into the devices and software they have on their networks as this will give a clear indication of what assets need to be protected effectively."

The KPMG research also threw up some strange contradictions. Only 40% of UK CEOs claimed that customer data protection was one of their most important personal responsibilities in driving long-term growth of the customer base. That’s despite the huge uptick in boardroom-level awareness that the GDPR has helped create.

However, the survey also revealed an overwhelming majority (74%) of those same CEOs believe that a strong cybersecurity strategy is critical to building trust with key stakeholders, compared to just 55% of global CEOs. A sizeable number (45%) also claimed to see the value in cybersecurity staff.

KPMG UK vice chair, Bernard Brown, claimed that CEOs are developing a more mature understanding of cybersecurity.

“Helped by non-executive directors (NEDs), they are beginning to ask more awkward and searching questions of their IT teams: what are the challenges that face us specifically, what risks are we carrying, what do we need to be resilient to a cyber-attack?” he added.

“Organizations are spending more time planning for worst case scenarios, running simulations and thinking in detail about how they would deal with the uncertainties that arise during a cyber breach.”

Categories: Cyber Risk News

HMRC: 29% Increase in Malicious Site Deactivations

Mon, 07/02/2018 - 09:11
HMRC: 29% Increase in Malicious Site Deactivations

HM Revenue and Customs (HMRC) demanded the removal of more than 20,000 malicious sites over the past year, as its efforts to protect taxpayers from scams gained momentum.

The UK tax office claimed it had helped deactivate a record 20,750 sites, a 29% increase from the previous year.

According to the National Cyber Security Centre, HMRC is the government’s most abused brand, as scammers look to trick taxpayers into responding to phishing emails and texts offering ‘tax refunds’ and other bogus claims.

HMRC also claimed that its implementation of the DMARC protocol in November 2016 has stopped a staggering 500 million phishing emails reaching their intended recipients, while an ongoing pilot begun in April 2017 has led to a 90% reduction in people reporting spoof HMRC-related texts.

Fake HMRC sites are also created to drive calls to premium-rate phone numbers for services the tax office offers for free. By tackling this problem, HMRC claimed it has saved taxpayers £2.4m.

However, users need to stay vigilant and help by reporting phishing incidents, it urged.

Financial secretary to the treasury, Mel Stride, said the government is determined to stop the criminals who abuse the trust placed in ministers.

“HMRC is cracking down harder than ever, as these latest figures show. But we need the public’s help as well,” he added. “By doing the right thing and reporting suspicious messages you will not only protect yourself, you will protect other potential victims.”

Despite these best efforts, some parts of the public sector remain woefully under-protected.

An Agari report from 2017 claimed that just 1% of the NHS domains the vendor analyzed were covered by DMARC.

The protocol can be expensive and time-consuming to implement, with legacy and heterogeneous NHS IT systems making the process potentially even more challenging.
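"Covered by DMARC" in the Agari figure above and "implemented DMARC" in HMRC's claim can mean very different things: a record with `p=none` only asks receiving mail servers for reports, while only `p=quarantine` or `p=reject` at `pct=100` actually stops spoofed HMRC- or NHS-branded mail. The following is an added example (not HMRC's, Agari's or NHS Digital's tooling) that parses a DMARC TXT record, grades how much protection it gives and lists the gaps an assessor would flag. The domain names and record strings are constructed for illustration; in practice you would fetch the record from the `_dmarc.<domain>` TXT entry.

```python
"""Parse DMARC TXT records and grade the protection they actually provide.

Added example, not code from the article or the organizations it names.
Sample records and domain names below are constructed; nothing is fetched.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ordering of DMARC policies from weakest to strongest (RFC 7489 'p' tag).
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    policy: str                      # p=
    subdomain_policy: str            # sp= (defaults to p)
    pct: int                         # pct= (defaults to 100)
    rua: List[str]                   # aggregate report URIs
    ruf: List[str]                   # forensic report URIs
    adkim: str                       # DKIM alignment, r(elaxed) or s(trict)
    aspf: str                        # SPF alignment, r or s
    raw: Dict[str, str] = field(default_factory=dict)


def parse_dmarc(txt: str) -> Optional[DmarcRecord]:
    """Return a DmarcRecord, or None if txt is not a valid DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489 requires v=DMARC1 as the first tag; an SPF record published on
    # the _dmarc name, for instance, is rejected here.
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    tags: Dict[str, str] = {}
    for part in parts[1:]:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return None                  # p is mandatory; unknown values are invalid
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in STRENGTH:
        return None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None

    def uris(key: str) -> List[str]:
        return [u.strip() for u in tags.get(key, "").split(",") if u.strip()]

    return DmarcRecord(policy=policy, subdomain_policy=sub_policy, pct=pct,
                       rua=uris("rua"), ruf=uris("ruf"),
                       adkim=tags.get("adkim", "r").lower(),
                       aspf=tags.get("aspf", "r").lower(), raw=tags)


def grade(rec: Optional[DmarcRecord]) -> str:
    """Collapse a record into the bucket an assessor cares about."""
    if rec is None:
        return "no-dmarc"
    if rec.policy == "none":
        return "monitor-only"        # reports arrive, spoofed mail still lands
    if rec.pct < 100:
        return "partial-enforcement"
    return "enforcing"


def weaknesses(rec: DmarcRecord) -> List[str]:
    """Gaps that leave a domain spoofable even though it 'has DMARC'."""
    issues: List[str] = []
    if rec.policy == "none":
        issues.append("p=none: receivers are asked to report, not to block")
    if rec.pct < 100:
        issues.append(f"pct={rec.pct}: only that share of failing mail gets the policy")
    if STRENGTH[rec.subdomain_policy] < STRENGTH[rec.policy]:
        issues.append(f"sp={rec.subdomain_policy} is weaker than p={rec.policy}: "
                      "subdomains can still be spoofed")
    if not rec.rua:
        issues.append("no rua: no aggregate reports, so abuse stays invisible")
    return issues


def coverage_report(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per grade; None means no TXT record was published."""
    counts = {g: 0 for g in ("enforcing", "partial-enforcement", "monitor-only", "no-dmarc")}
    for txt in records.values():
        counts[grade(parse_dmarc(txt) if txt is not None else None)] += 1
    return counts


# Constructed sample: hypothetical domains, not real DNS data.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "tax.example.gov.uk":   "v=DMARC1; p=reject; rua=mailto:dmarc@tax.example.gov.uk",
    "trust-a.example.nhs.uk": "v=DMARC1; p=none; rua=mailto:reports@trust-a.example.nhs.uk",
    "trust-b.example.nhs.uk": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "trust-c.example.nhs.uk": "v=spf1 include:_spf.example.net -all",   # SPF on the wrong name
    "trust-d.example.nhs.uk": None,                                      # nothing published
}

if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        rec = parse_dmarc(txt) if txt is not None else None
        print(domain, grade(rec), weaknesses(rec) if rec else [])
    print(coverage_report(SAMPLE_RECORDS))
```

To run this against live domains you would resolve the `_dmarc.<domain>` TXT record first (for example with dnspython's `dns.resolver.resolve(name, "TXT")`) and pass the joined string to `parse_dmarc`; the grading deliberately treats `p=none` as uncovered, which is the distinction that turns a "has a DMARC record" statistic into an "is protected against spoofing" one.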

Under-25s are more than twice as likely to be caught out by phishing attacks as those over 55, according to Get Safe Online research.

Categories: Cyber Risk News

Adidas Breach Hits US Retail Site

Mon, 07/02/2018 - 08:45
Adidas Breach Hits US Retail Site

Adidas is warning customers of its US retail website that their personal details may have been compromised after a suspected data breach.

Reports suggest millions of customers could be affected by the data security incident, which the footwear giant said it first became aware of on June 26.

A brief statement on the incident claimed the firm is alerting “certain consumers” who purchased from the site.

“Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers,” it said of the incident.

“Adidas is working with leading data security firms and law enforcement authorities to investigate the issue. According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Javvad Malik, security advocate at AlienVault, claimed the incident shows why firms need “strong monitoring and threat detection controls in place” so they can spot and respond to breaches in a timely manner.

“Without having monitoring controls in place, a company cannot say with certainty whether the claim of a breach is true or not,” he added. “This leads to any malicious party being able to claim that they have breached a company, even if they haven't, leading to unnecessary activity needing to be undertaken by the company and its customers, not to mention the potential lack of trust this creates."

The announcement is just the latest in a string of recent breach incidents including the likes of Ticketmaster UK and Under Armour.

“The Fort Knox approach of making your organization impenetrable simply doesn’t work today because so many third parties have access to your network,” argued Fred Kneip, CEO, at CyberGRX.

“It only takes a single vulnerability within any of those third parties to put sensitive data at risk.”

It’s unclear whether any EU citizens are affected by the breach; if they are, the relevant GDPR regulators will be looking closely at the case.

Categories: Cyber Risk News

California Privacy Act Unanimously Approved

Fri, 06/29/2018 - 14:07
California Privacy Act Unanimously Approved

California lawmakers unanimously passed a consumer privacy bill that will dramatically change how businesses handle data. The bill, signed by Gov. Jerry Brown, grants Californians the power to hold companies accountable for abuse of their data.

Prior to the bill’s approval, tech companies and privacy rights advocates engaged in tense negotiations and landed on a “watered-down version of a more expansive initiative proposed by Alastair Mactaggart, a San Francisco real estate developer who spent more than $3 million on his campaign to qualify the measure for the ballot," the Sacramento Bee reported. The governor’s signature confirmed the unanimous approval, effectively removing the measure from the ballot.

The California Consumer Privacy Act, Assembly Bill 375, allows members of the public to request that a company delete their personal information. The bill also requires that those businesses selling consumers’ information disclose the category of information they collect and that they gain opt-in consent in order to sell the data of anyone under 16.

In the event of an unauthorized breach of non-encrypted personal information, consumers can now sue companies for up to $750, a provision criticized by Sen. Jim Neilson, who still voted for the bill but expressed concerns over lawyers filing frivolous lawsuits.

Since the GDPR went into full effect, many have been expecting legislation of this kind to gain traction among consumers in the US. “Other states like New York and Massachusetts will likely follow suit and draft their own citizen-friendly data rights laws. Many individual states will not sit on their hands waiting for a federal initiative that may never come,” said Absolute’s global security strategist, Richard Henderson.

“Companies will likely have to follow the most restrictive rules and guidelines going forward. For most companies, it will be far too encumbering for them to build out systems for each unique set of guidelines as they come into being. Much like GDPR, the time for businesses to act is sooner rather than later. There are plenty of Attorneys General who will not hesitate to go after companies who thumb their noses at these rules.”

Categories: Cyber Risk News

Monitoring My Digital Behavior? Just Tell Me

Fri, 06/29/2018 - 13:20
Monitoring My Digital Behavior? Just Tell Me

In the aftermath of the Cambridge Analytica scandal with Facebook, a new Harris Poll commissioned by Dtex Systems found that less than half of the survey respondents are comfortable with their employers monitoring their digital activities in order to protect against security threats.

Only 45% of the more than 2,000 respondents are on board with being monitored at work. While 64% either somewhat or strongly agree that employers have the right to monitor employees’ digital activity on either their work-issued devices or their personal devices on which they conduct work-related transactions, 36% of respondents somewhat or strongly disagreed.

“Employees are starting to make their voices heard within their own companies, governments are enacting regulations such as the GDPR, and public and private sector organizations are recognizing the vital role privacy plays when it comes to gaining employee respect, support and trust,” Dtex Systems wrote in a 28 June blog.

A large majority (77%) of Americans, though, said that if the employer were transparent and let it be known up front that the company was monitoring employee behavior, they would be less concerned. However, 71% of Americans said they would turn down a job with a company that monitors its employees’ digital activities without letting employees know up front.

If done for security purposes and the activity data were anonymized, the majority of employees (62%) would feel more comfortable with their employer monitoring their digital activities on both work-issued and personal devices.

"The world has lost its tolerance for deceptive data practices, aggressive surveillance and privacy invasions. It's also become more lawless; Edward Snowden, Waymo vs. Uber and the insider who sabotaged Tesla are stark reminders of this reality," Christy Wyatt, CEO, Dtex Systems, said in a press release.

"This survey shows that Americans understand the situation and expect their employers to maintain a level of security that protects them and their jobs. It also shows that Americans who expect to have their privacy protected will reject legacy monitoring technologies that record their every keystroke and record everything they do."

Categories: Cyber Risk News

Americans to Local Govs: Spend on Security Now

Fri, 06/29/2018 - 12:32
Americans to Local Govs: Spend on Security Now

Wary that their local governments are ill prepared to defend against an attack on critical infrastructure or municipal services, Americans said they want to see their state and local governments start spending on cybersecurity in advance of an attack, according to a survey conducted by SecurityFirst.

The goal of the survey was, in part, to begin discussions about attacks before they occur. “Civic leaders with the foresight to improve data protection may not be celebrated as a local hero, because no one talks about attacks that never happened,” said Jim Varner, CEO and president of SecurityFirst, in a press release. “But these efforts can help a government keep key services operating smoothly even in the face of a serious event such as in Baltimore, where critical 911 and 311 emergency services were offline for up to 17 hours after a cyberattack.”

Nearly two-thirds (64%) of Americans believe a ransomware attack on their local government could have long-term implications, and only 33% believe their communities are capable of keeping data safe in the event of an attack. Of the more than 1,000 Americans surveyed, only 25% were aware of the recent attack on Atlanta, from which the city is still working to recover.

“Cybercriminals are finding local government agencies to be prime targets for cyberattacks. The City of Atlanta is a recent example, where a ransomware attack is costing the city millions of dollars, after knocking out critical services and erasing years of sensitive data,” said Varner.

Despite being unaware of the extensive damage in Atlanta, 60% of respondents fear an attack like ransomware could jeopardize the critical services of their local governments. Most (77%) are concerned about the impact an attack would have on first responders. Nearly the same number (74%) worry about utilities, 68% about courts and 68% about public schools. In addition, 74% of Americans said politicians need to take data protection more seriously.

“This incident shows how, without data, our communities cease to function in any sort of fashion today’s citizens find acceptable. Data protection needs to be top of mind no matter the size of the community or agency.”

Categories: Cyber Risk News

Cyber-Attacks Caused 18 Days of NHS Downtime

Fri, 06/29/2018 - 10:19
Cyber-Attacks Caused 18 Days of NHS Downtime

More than 17% of NHS trusts experienced security-related downtime over the past three years, leading to over 18 days of IT outages, according to new Freedom of Information (FOI) data released by Intercity Technology.

The IT solutions provider received FOI responses from 80 trusts, around a third of the total in England.

Of these, 25 (31%) claimed to have experienced IT outages between January 2015 and February 2018, with 14 of them the result of a security breach. In total, the 80 responding trusts suffered 18 security incidents, leading to over 18 days of downtime.

The overall figure for IT downtime exceeded 1300 hours, which averages out to over 16 hours per responding trust. The number of breaches and the amount of downtime would no doubt have been even greater had more trusts responded.

Although the WannaCry ransomware outages of May 2017 will have accounted for a large number of these “security breaches,” some responding organizations also fell victim to the Locky and Zepto variants, with the most severe attack knocking systems offline for two weeks, according to Intercity Technology.

It’s estimated that WannaCry led to the cancellation of 19,000 appointments and operations, disrupting at least 34% of trusts in England.

Ian Jackson, who is responsible for leading public and private sector partnerships at Intercity Technology, argued that the recent cybersecurity funding boost announced by the government will have a limited impact.

“The additional £150m which has recently been set aside to improve cyber defenses will merely ensure that NHS IT systems are brought up to date, and act as a sticking plaster on under-investment and the continued use of legacy operating systems. What is needed is smarter and continued investment in IT systems and security defences to ensure long-term protection,” he told Infosecurity.

“As we saw with WannaCry, a successful cyber-attack on a healthcare organization can have a massive impact on its day-to-day operations. Following this attack, it’s encouraging to see trusts across the country making strides towards improving their defenses, and the cybersecurity industry is certainly working in collaboration with these trusts to prevent future incidents.”

Categories: Cyber Risk News