Two US senators have called for an urgent investigation into whether foreign-owned Virtual Private Networks (VPNs) represent a risk to national security.
Ron Wyden and Marco Rubio signed a joint letter to the director of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs.
It points to the popularity of mobile data-saving and VPN apps, many of which have been downloaded millions of times by Americans despite being made by companies “in countries that do not share American interests or values.”
“Because these foreign apps transmit users’ web browsing data to servers located in or controlled by countries that have an interest in targeting US government employees, their use raises the risk that user data will be surveilled by those foreign governments,” the letter continued.
In fact, they claimed, the US has already recognized these risks, by banning federal use of Kaspersky Lab products for fear of the influence of the Kremlin, and urging that Chinese telecommunications companies be locked out of competing for major infrastructure projects in the US.
“In light of these concerns we urge you to conduct a threat assessment on the national security risks associated with the continued use by US government employees of VPNs, mobile data proxies and other similar apps that are vulnerable to foreign government surveillance,” the letter concluded.
“If you determine that these services pose a threat to US national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers.”
A study of the 30 most downloaded apps in the UK and US last year by Top10VPN found over half (59%) had links to mainland China.
“We found a few apps that explicitly stated that users’ internet activity was logged, which we have never seen anywhere else with VPNs. VPN policies usually state that they never ever log data,” explained head of research, Simon Migliano, at the time.
“We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy.”
Security experts have warned foreign firms operating in China that new laws may give the authorities more power to spy on and censor them.
Updates to the country’s infamous 2017 Cybersecurity Law, titled Regulations on Internet Security Supervision and Inspection by Public Security Organs, were issued in November last year.
They give the Ministry of Public Security (MPS) sweeping new powers to conduct remote pen testing and on-site inspections of any company with five or more internet-connected computers, which means virtually every foreign firm operating in the country today, according to Recorded Future.
The MPS is allowed to copy user information and check for vulnerabilities, if necessary using third-party “cybersecurity service agencies” to help them — which will increase the risk of vulnerability discovery and data leaks, the vendor argued.
The law also gives the MPS the authority to audit firms for prohibited content, effectively enabling it to act as a censor under the auspices of cybersecurity.
“Since the scope of inspections is not limited in these new regulations, Article 16 may also empower MPS officers to access parts of the company’s enterprise not even related to or within territorial China,” the report warned. “The implications for unlimited remote inspections on the networks of international corporations could be far-reaching and create significant risk for customers and international operations.”
The MPS is also under no obligation to notify an organization when it is under inspection or of the results of that inspection.
The updates to the law come on top of wide-reaching powers granted to the Ministry of State Security (MSS) under the original Cybersecurity Law to conduct ‘national security reviews’ of various firms — the results of which it could use to conduct espionage operations.
Recorded Future urged foreign firms in China to prioritize vulnerability scanning and patch management to prevent state inspectors from “easily gaining unwanted access or escalating privileges.”
“Recorded Future recommends that all international corporations operating in China take measures to evaluate their technology footprint within the country, their evacuation and government relations policies, and their system architecture to minimize the impact of the law and effectively address the worst-case scenario if subjected to an MPS inspection,” it added.
“Altering company system architecture to keep connections between Chinese and international operations as segmented as possible is important to prevent inspections from spilling into corporate networks or databases with no connection to territorial China. Further, keeping one’s employees safe and informed of the inspections should remain a top priority for companies operating within the country.”
Mumsnet has suffered a serious data leak affecting potentially thousands of users after a software glitch during an IT system migration to the cloud.
Justine Roberts, founder and CEO of the popular parenting forum, explained in a blog post late last week that the issue affected users for the best part of two days: from 2pm on February 5 to 9am on February 7.
“During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched,” she said.
“We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.”
The site admins also forced users to log-in again, ensuring they would be locked out of any accounts not their own.
Although passwords were encrypted and could not be changed by other users, the glitch meant that they would have been able to view other users’ email addresses, account details, posting history and personal messages.
The site was notified by users of 14 incidents as of last week, but Roberts claimed many more could have been affected: some 4000 Mumsnet user accounts were logged in at the time of the privacy snafu.
Max Heinemeyer, director of threat hunting at Darktrace, said the incident rings alarm bells over digital transformation projects.
“Organizations can outsource their IT processes, but they cannot outsource their security function altogether,” he argued.
“Cloud software is ultimately lines of code and one seemingly small mistake in that code can result in unintended risks emerging.”
Lamar Bailey, director of security research and development at Tripwire, added that poor planning is the enemy of seamless cloud migration.
“The best way to prevent these issues happening is to prepare thoroughly for cloud migration, taking into account that the process could potentially take time and resources,” he argued.
“Not rushing is paramount to maintaining the security of the enterprise, and sometimes it might be advisable to migrate services one by one, starting with the less critical, to ensure that the process is running smoothly. Organizations should also ensure that they have well trained and skilled personnel on the task.”
News has surfaced of an attempted cyber-attack on the Australian government.
As reported by the BBC, authorities in Australia are said to be investigating an effort that was made to hack into its parliament computer network.
It is believed that information was not accessed and that the passwords of politicians were reset as a precaution.
Australian Prime Minister Scott Morrison has thus far declined to comment on the incident in detail and further information on the supposed attack remains scarce, although it has been suggested by local cybersecurity experts that a foreign state was likely behind it.
Senator for Western Australia Jordon Steele-John took to Twitter to state: “Parliament House had a cybersecurity data breach last night. ALL passwords were reset.”
He added: “We’re supposed to have faith that unprecedented, internet-breaking powers will be safe from cyber-threats.”
Alvin Rodrigues, security strategist, APAC and Sam Ghebranious, senior regional director, ANZ, Forcepoint, said: “Reports emerging today that the Australian Parliament’s computer network has been hacked are deeply concerning – and yet not surprising. The government should be lauded for their efforts to quickly identify the breach and take precautionary steps to avert any leakage of data. While investigations into the attack are still underway, the precaution taken – resetting passwords – suggests that nefarious actors may be looking to steal the digital identities/credentials of approved users, so as to operate within the parliamentary computer network without being identified.”
The Metropolitan Police force has been ‘trialing’ its controversial facial recognition cameras again and the latest deployment resulted in just one individual being charged.
The capital’s police have been using these cameras for several years but FOI responses from several forces sent to rights group Big Brother Watch last year revealed the technology is 98-100% inaccurate.
The latest two-day deployment in the Essex town of Romford last week resulted in the arrest of a 35-year-old on suspicion of breach of a molestation order, for which he subsequently received 11 weeks behind bars.
The press release issued by the Met notes a handful of other arrests during the operation, although none of the individuals were charged and these arrests were not due to individuals being detected by the facial recognition software against a pre-defined list of suspects.
In fact, the deployment caused controversy when one man tried to cover his face whilst passing a camera.
According to Big Brother Watch, whose representatives were on-site: “He protested that there was no reason to be stopped as he was surrounded by police, and when he got annoyed he was fined £90 for a supposed public order offence.”
Green Party member of the House of Lords, Jenny Jones, tweeted that she is writing to the Met police commissioner to raise her concerns about the operation.
Big Brother Watch and Jones have mounted a legal challenge to the use of the technology, which is being used in the absence of any formal legal framework to protect innocent citizens’ privacy.
The Met was criticized in December for running a similar operation in central London, claiming that anyone who declined to be scanned wouldn’t be viewed as suspicious — which seems to contradict the approach taken in Romford.
Although it claimed the operation was well publicized, reports suggested the opposite was true, right down to the use of cameras attached to unmarked vans.
Researchers have warned users of a new phishing technique which uses Google Translate to add authenticity to scams.
Akamai security researcher Larry Cashdollar explained in a blog post that he was targeted by this tactic early in the new year, receiving an email telling him his Google account had been accessed from a new Windows device.
Clicking through on the attached link would bring victims to a fake Google log-in page, with the malicious domain loaded through Google Translate.
“Using Google Translate does a number of things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses,” Cashdollar warned.
“However, while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google's older login portal), it fails completely when viewed from a computer.”
This is because on a full computer screen, users can see the true malicious domain more clearly.
However, if a user falls for the scam, they will not only have their Google log-ins harvested but then be taken to a spoofed Facebook mobile log-in page.
“It isn't every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device, but it's highly uncommon to see such an attack target two brands in the same session,” said Cashdollar.
“One interesting side note relates to the person driving these attacks, or at the least the author of the Facebook landing page — they linked it to their actual Facebook account, which is where the victim will land should they fall for the scam.”
He urged users to be more suspicious of unsolicited messages, especially if viewing them on their mobile device, and consider whether the author is trying to create a sense of urgency, fear, or authority to persuade the recipient to click.
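The trick described above works because the address bar shows a Google host while the page content comes from somewhere else. The following added example (not Akamai’s or Cashdollar’s code) shows the defender-side check: unwrap a Google Translate proxy link to find the host that will actually serve the page, and treat a login link that arrives that way as suspicious. It assumes the Translate web proxy carries the target page in the `u` query parameter of `https://translate.google.com/translate?...`; that parameter name and host are assumptions, not taken from the article, and the attacker domain in the samples is a constructed placeholder.

```python
"""Unwrap a Google Translate proxy link to reveal the host a user would really reach.

Added example, not code from the article. Assumption (labelled): the Translate web
proxy takes the wrapped page in the `u` query parameter of
https://translate.google.com/translate?...  The sample links below are constructed.
"""
from urllib.parse import parse_qs, urlparse

TRANSLATE_HOSTS = {"translate.google.com"}  # assumed proxy host, not from the article


def unwrap_translate_url(url):
    """Return the URL wrapped by a Translate proxy link, or None if `url` is not one."""
    parsed = urlparse(url)
    if parsed.hostname not in TRANSLATE_HOSTS:
        return None
    wrapped = parse_qs(parsed.query).get("u")  # assumed parameter name
    return wrapped[0] if wrapped else None


def effective_host(url):
    """Host that will actually serve the page: the wrapped host when a Translate
    proxy is used, otherwise the URL's own host."""
    inner = unwrap_translate_url(url)
    return urlparse(inner or url).hostname


def check_login_link(url, expected_hosts=frozenset({"accounts.google.com"})):
    """Classify a link from a 'your account was accessed from a new device' message.

    Returns (verdict, effective_host). A genuine Google sign-in link never needs to
    be served through the Translate proxy, so any wrapped login link is flagged
    regardless of the host it points at.
    """
    host = effective_host(url)
    if host is None:
        return ("reject: no host", None)
    if unwrap_translate_url(url) is not None:
        return ("suspicious: login page served through Google Translate", host)
    if host in expected_hosts or any(host.endswith("." + h) for h in expected_hosts):
        return ("ok", host)
    return ("suspicious: unexpected host", host)


# Constructed sample links; the attacker domain is a placeholder under .invalid.
SAMPLES = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://translate.google.com/translate?sl=auto&tl=en&u=https://login-google.example.invalid/",
    "https://login-google.example.invalid/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_login_link(link), "<-", link)
```

The same unwrapping step fits naturally in a mail-gateway URL rewriter or a SIEM enrichment: log and score the effective host rather than the visible one, so the “legitimate Google domain” in the address bar no longer masks the real destination.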
Android users could be remotely hacked simply by viewing a legitimate-looking PNG image, Google has warned in its latest security update.
The Android Security Bulletin for February lists 42 vulnerabilities in the Google mobile operating system, 11 of which are critical.
“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” it warned.
“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”
Although there are no reports of users being actively targeted in the wild via this vulnerability, this could change as the window for individual ecosystem vendors to issue patches can run into several weeks or even months.
“Vulnerabilities like these bring to light the disparate update strategies across Android phones,” explained Tripwire VP, Tim Erlin. “While those on Google devices will receive timely security fixes, other manufacturers may wait months to protect users from attackers. Of course, users have to actually apply updates to protect themselves.”
Simon Wiseman, CTO at Deep Secure, explained the criticality of the flaw.
“It means your web browser can fetch a crafted image from a website and the attacker now is in control of your browser and its environment. That means it has access to your stored passwords and you’ve given away access to all the secure sites you visit,” he said.
“The same goes for your email client — the attacker has control of your mailbox so can intercept your mail, perfect for harvesting password resets, and generate mail on your behalf, ideal for propagating the attack within your organization.”
He recommended users search for updates daily and erase all passwords from their mobile browsers as an extra precaution.
Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint.
Its Q4 threat report found that banking trojans accounted for 56% of all malicious payloads in email in Q4, while remote access trojans (RATs) accounted for 8.4%. Proofpoint claimed that this marked a “significant change” for RATs, as in previous years they were rarely used by attackers.
The report stated that email remains the top vector for malware distribution and phishing, while email fraud, also known as business email compromise (BEC), continues to grow rapidly.
Ransomware message volumes dropped significantly from Q2 to Q4 “suggesting that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale.”
Speaking to the Risky Business podcast in November, Sherrod DeGrippo, Proofpoint’s director of threat research and detection, said that ransomware “has basically evaporated” after it was in the headlines for many months.
“I probably attribute that to the fact that cryptocurrency is so difficult for the average consumer to use, and what we’ve seen instead is, back to cryptocurrency, they are bolting on crypto-miners to just about everything: commodity banking trojans, commodity RATs and keyloggers and pretty basic crimeware stuff,” she said.
“We’re starting to see banking trojans have crypto-miners bolted on to them so they steal the money from the traditional bank account and then leave the crypto-miner behind.”
In an email to Infosecurity, Ed Tucker, CISO and co-founder of Email Auth, Byte and Human Firewall, said that this research highlights that ransomware is actually less of a prevalent threat both to the individual and business, and criminals know that trojans work.
“They have been thoroughly road tested with a widespread user base to great reward,” he explained. “Ransomware still has an issue in terms of the duped user needing a certain amount of literacy in payment terms in order to make this as financially successful as its trojan cousin.”
During Q4 of 2018, Proofpoint observed over twice as many URL messages as attachment messages. “For the entire year, malicious URLs appeared over three times as often as messages with malicious attachments, suggesting that the pendulum may be swinging back toward attachments as it tends to do periodically,” the report claimed.
It also claimed that banking trojans, stealers and downloaders together accounted for over 90% of all initial payloads in Q4. In particular, the Emotet banking trojan, which was described by US-CERT as “among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors” was named as the main threat.
Emotet uses PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC as a disguise, and initial infection occurs when a user opens or clicks the malicious download link, PDF or macro-enabled Microsoft Word document included in the email.
Proofpoint said: “Taken together, Emotet, Panda Banker, and Ursnif comprised almost 97% of observed banking trojans in Q4.”
Tucker added: “Research such as this, more than ever, emphasizes that businesses should use evidence-based risk approaches from which to make informed decisions. This naturally incorporates a clear view of an actual threat, albeit in most cases that threat will be widespread and sporadic.
“Ransomware has been, and remains, just another factor within the overall risk management framework regardless of the hysteria that has surrounded it.”
Infosecurity’s Online Summit will take place on March 26-27, with live sessions including “The Death of Ransomware: Long Live Other Malware” and “How To: Phish Your Employees.” Registration is now open, and CPE credits are offered for the 14 sessions across the two days.
A new study from Comparitech has named Algeria the ‘least cyber-secure’ nation in the world, whilst Japan has been ranked the ‘most cyber-secure.’
The information, tools and comparisons provider studied 60 countries to gauge their ability to meet seven key criteria:
- The percentage of mobiles infected with malware
- The percentage of computers infected with malware
- The number of financial malware attacks
- The percentage of telnet attacks (by originating country)
- The percentage of attacks by crypto-miners
- The best-prepared countries for cyber-attacks
- The countries with the most up-to-date legislation
In a blog post on its website, Comparitech explained that, for each criterion, countries were given a point based on where they ranked between the highest-ranking and lowest-ranking countries. Countries with the least cyber-secure scores were given 100 points, while countries with the most cyber-secure scores were allocated zero points. All of the countries in between these two scores received a score on a percentile basis, depending on where they ranked.
Comparitech was quick to point out that it found huge variances in a number of the categories and that there was no country that came ‘top of the class’ across the board. However, “there were some countries that lacked significantly in a variety of areas and others who outperformed the majority of countries,” the company said.
“So with that in mind, we’ve created rankings for these 60 countries, from the least cyber-safe to the most cyber-safe,” Comparitech added.
Algeria was deemed the least cyber-secure country overall, being the highest-ranking nation for lack of legislation and computer malware rates, and also receiving a high score in the categories for mobile malware and preparation for cyber-attacks.
Algeria was followed by Indonesia and Vietnam as the second and third least cyber-secure nations, with Tanzania and Uzbekistan ranked fourth and fifth least cyber-secure, respectively.
Conversely, countries that performed well overall in Comparitech’s research were Japan (which was ranked the most cyber-secure country in the world, scoring “incredibly low” across the majority of categories), France, Canada, Denmark and the United States. The United Kingdom was ranked the eighth most cyber-secure nation.
Speaking to Infosecurity, Paul Bischoff, privacy advocate at Comparitech, said the report findings are evidence that, generally, developed countries have better cybersecurity than developing ones.
“The reason might be because people in developing countries are less experienced with the internet and the devices they use to access it. They have less awareness of cybersecurity threats, while ISPs and online companies are not as well prepared for cyber-attacks as their counterparts in developed nations. As internet adoption ramps up, security lags behind. A New York Times report states that hackers use developing countries as test beds for new malware.”
However, there were a few surprising results to come out of the research, he added. “I was surprised to see that Germany suffered the highest number of financial malware attacks, which bucks the trend of developed nations being more cyber-secure than undeveloped ones – 3% of users in Germany were targeted by financial malware.”
Cyber-criminals are taking advantage of a little-known feature in Gmail to escalate their scam operations more efficiently, according to new research from Agari.
The email security vendor claimed in a blog post that the problem stems from what it describes as “dot accounts.”
This relates to a decision by Google to allow Gmail users to own “all dotted versions” of their address.
In the example given by Agari senior threat researcher, Ronnie Tokazowski, if a user registers an address such as ‘badguy007[at]gmail.com’, they could then use multiple versions of that same address, placing dots in different positions before the @, such as ‘b.a.d.g.u.y.007[at]gmail.com’, ‘bad.guy.007[at]gmail.com’ and ‘ba.dg.uy.007[at]gmail.com’.
“While all dot variants of a Gmail account direct all email to the same inbox, a vast majority of the rest of the internet treats each variant as a distinctly separate email address, associated with a unique separate account and identity,” he continued.
“For example, if I sign up for a Netflix account using the email address badguy007[at]gmail.com and then again with b.adg.uy007[at]gmail.com, Netflix — like most other online services — would think that these are two different accounts linked to two different people. This is where, and how, cyber-criminals are able to take advantage.”
Fraudsters are therefore able to create multiple accounts with a single provider that all direct back to one email inbox, making their scams quicker and easier to scale and manage.
Agari said it recently spotted email scammers using Gmail ‘dot accounts’ to carry out widespread fraud.
They submitted 48 credit card applications at four US financial institutions, with at least $65,000 in fraudulent credit approved.
They also: filed 13 fraudulent tax returns, submitted 12 change of address requests with the US Postal Service, submitted 11 fraudulent Social Security benefit applications, applied for unemployment benefits under nine identities in a single US state and submitted applications for FEMA disaster assistance under three identities.
“In total, the group used 56 different dot variants of a single Gmail email address to register accounts on websites used for fraudulent purposes,” said Tokazowski.
He warned that scammers could also make use of the fact that @gmail and @googlemail addresses are routed to the same inbox, potentially doubling the permutations they have on offer.
Organizations were urged to check for excessive use of dots in newly created accounts to help mitigate this risk.
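The check Agari recommends is straightforward to implement once sign-ups are compared on a canonical form of the address rather than the raw string. The added example below (not Agari’s code) canonicalises Gmail addresses by dropping dots from the local part and folding @googlemail.com into @gmail.com, both behaviours the article describes, then groups registrations that deliver to the same inbox and flags local parts with an excessive number of dots. The sample sign-ups echo the article’s example addresses and are constructed; the dot threshold is an assumed value.

```python
"""Collapse Gmail dot-variants to one identity and flag dot-heavy sign-ups.

Added example, not Agari's code. Assumptions (labelled): Gmail ignores dots in the
local part and delivers @googlemail.com to the same inbox as @gmail.com (both stated
in the article). Non-Google domains are left untouched because, as the article notes,
most services treat each dotted variant as a separate address. The sample
registrations and the dot threshold are constructed.
"""
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(address):
    """Return (local_part, domain), lower-cased and stripped."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain


def canonical_email(address):
    """Canonical inbox identity: for Gmail/Googlemail, remove dots from the local
    part and fold the domain to gmail.com; other domains are unchanged."""
    local, domain = split_address(address)
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dot_count(address):
    """Number of dots in the local part."""
    return split_address(address)[0].count(".")


def find_shared_inboxes(registrations):
    """Group sign-ups whose addresses deliver to the same inbox.

    registrations: iterable of (account_id, email).
    Returns {canonical_address: [account_id, ...]} for inboxes with more than one account.
    """
    groups = defaultdict(list)
    for account_id, email in registrations:
        groups[canonical_email(email)].append(account_id)
    return {canon: ids for canon, ids in groups.items() if len(ids) > 1}


def flag_registration(email, max_dots=3):
    """Heuristic from the article: excessive dots in a Gmail local part.
    max_dots is a constructed threshold; tune it to your own sign-up data."""
    local, domain = split_address(email)
    return domain in GMAIL_DOMAINS and local.count(".") > max_dots


# Constructed sample sign-ups (not real accounts).
SAMPLE_REGISTRATIONS = [
    ("acct-1", "badguy007@gmail.com"),
    ("acct-2", "b.a.d.g.u.y.007@gmail.com"),
    ("acct-3", "bad.guy.007@googlemail.com"),
    ("acct-4", "Ba.Dg.Uy.007@gmail.com"),
    ("acct-5", "jane.doe@example.org"),
    ("acct-6", "janedoe@example.org"),
]

if __name__ == "__main__":
    for canon, ids in find_shared_inboxes(SAMPLE_REGISTRATIONS).items():
        print(f"{canon}: {ids}")
    for _, email in SAMPLE_REGISTRATIONS:
        if flag_registration(email):
            print("dot-heavy:", email)
```

Running the grouping at sign-up time (or as a nightly job over the accounts table) surfaces the pattern the article describes, many accounts behind one inbox, without blocking legitimate users who happen to write their address with a dot.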
Security researchers have discovered another Chinese state-sponsored APT campaign, this time targeting a major European MSP with the likely intent of stealing IP from its customers.
Recorded Future and Rapid7 claimed in a new co-authored report that the notorious APT10 group, linked to China’s fearsome Ministry of State Security (MSS), was responsible for the campaign, running between November 2017 and September 2018.
It is said to have targeted Norwegian provider Visma, which has 850,000 customers around the globe, as well as a multi-national clothing giant and a US law firm with strong experience in IP law and clients in pharma, tech, automotive and other sectors.
The initial entry point in all three cases was stolen Citrix/LogMeIn credentials, enabling remote network access.
“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware,” the report continued.
“During the Visma intrusion, APT10 deployed their Trochilus malware with command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers rather than the typically observed RC4 variant. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, known to have only been used by APT10.”
Visma data was compressed using WinRAR and exfiltrated to a Dropbox account using the cURL for Windows command-line tool. The same account was used to store data from the other breaches.
The MSS has been previously blamed for Operation Cloud Hopper, a major multi-year campaign targeting MSPs around the world which resulted in the indictment of two suspected state hackers late last year.
“Unfortunately, this is the type of nefarious behavior we witness regularly, but there are steps organizations can take to combat these issues. For example, we recommend implementing two-factor authentication for everything,” advised Rapid7 principal MDR analyst, Eoin Miller.
“Additionally, strengthening the reviews of authentication attempts against low cost VPN providers or ‘out of the norm’ networks or countries for an individual user is equally important. Organizations should also consider implementing extremely strict application white-listing on sensitive systems.”
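The review Miller recommends, flagging successful logins from countries or networks a user has never used before, and from commodity VPN networks, can be expressed as a small baseline-and-compare routine. The following is an added example, not Rapid7’s or Recorded Future’s code: the login records, the cut-off date and the list of networks treated as low-cost VPN egress are all constructed for the demonstration, and in practice the country and network columns would come from GeoIP/ASN enrichment of the source address.

```python
"""Flag authentication events that are out-of-norm for a user.

Added example, not Rapid7's code. The log lines, the cut-off date and the
LOW_COST_VPN_NETS list are constructed; a real deployment would fill the country
and network fields from GeoIP/ASN enrichment of the client address.
"""
from collections import defaultdict

# Constructed: network names a team chooses to treat as commodity VPN egress.
LOW_COST_VPN_NETS = {"AS-VPN-EXAMPLE-1", "AS-VPN-EXAMPLE-2"}

# Constructed login records: timestamp user country network result
LOGIN_LOG = """\
2018-11-02T08:01:00Z alice NO AS-CORP-NO success
2018-11-02T08:05:00Z bob NO AS-CORP-NO success
2018-11-03T09:12:00Z alice NO AS-ISP-NO success
2018-11-04T22:40:00Z alice CN AS-VPN-EXAMPLE-1 success
2018-11-05T03:15:00Z bob US AS-CLOUD-US success
2018-11-05T03:16:00Z carol NO AS-CORP-NO failure
"""


def parse_log(text):
    """Parse the whitespace-separated records above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, network, result = line.split()
        events.append({"ts": ts, "user": user, "country": country,
                       "network": network, "result": result})
    return events


def build_baseline(events, before):
    """Countries and networks each user successfully logged in from before `before`.
    Timestamps are ISO-8601 UTC strings, so plain string comparison orders them."""
    baseline = defaultdict(lambda: {"countries": set(), "networks": set()})
    for e in events:
        if e["ts"] < before and e["result"] == "success":
            baseline[e["user"]]["countries"].add(e["country"])
            baseline[e["user"]]["networks"].add(e["network"])
    return dict(baseline)


def review_logins(events, baseline, since):
    """Return (timestamp, user, reasons) for successful logins at or after `since`
    that fall outside the user's baseline or arrive from a commodity VPN network."""
    findings = []
    for e in events:
        if e["ts"] < since or e["result"] != "success":
            continue
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no prior baseline for user")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append("new country " + e["country"])
            if e["network"] not in profile["networks"]:
                reasons.append("new network " + e["network"])
        if e["network"] in LOW_COST_VPN_NETS:
            reasons.append("commodity VPN network")
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings


def run_review(cutoff="2018-11-04T00:00:00Z"):
    """Build the baseline from everything before `cutoff` and review what follows."""
    events = parse_log(LOGIN_LOG)
    return review_logins(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for ts, user, reasons in run_review():
        print(ts, user, "; ".join(reasons))
```

A finding here is a prompt for review rather than an automatic block; the value of the baseline is that it turns “stolen Citrix/LogMeIn credentials, used from an unfamiliar network” into a visible event instead of a routine successful login.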
South Africa’s largest electricity supplier has come under fire for apparently ignoring a serious leak of customer data.
Eskom, which claims to transmit and distribute 95% of the electricity used in the country, was called out earlier this week on Twitter by a frustrated security researcher.
“You don't respond to several disclosure emails, email from journalistic entities, or twitter DMs, but how about a public tweet?” said Devin Stokes. “This is going on for weeks here. You need to remove this data from the public view!”
The leaked data appears to include customer details including account IDs, meter information and payment details.
Only the last four digits of card numbers are visible, as are CVV numbers: certainly enough to launch convincing phishing attacks and follow-on fraud.
Unfortunately for the energy giant, which also claims to provide 45% of the electricity used in Africa, it also appears to have been hit with a seemingly unrelated malware infection.
Twitter user @sS55752750 claimed that one of the company’s users’ machines was infected with a trojan, adding that “all her credentials were stolen.”
Although the utility firm initially claimed that the email address provided was “not a valid Eskom email address,” it subsequently changed its position.
“This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention,” the firm tweeted on Wednesday.
It remains to be seen what action is being taken to address the exposed database.
Paul Edon, senior director at Tripwire, argued that a company the size of Eskom should have better visibility into its systems and take a more proactive approach to security.
“There is a tendency for boardroom executives to operate with a reactive mindset, and although understandable, since attacks are difficult to visualize until they happen, it is still unacceptable,” he added. “With cybersecurity, it is critical that organizations get the basics right. Continuously monitoring the security of their infrastructure can go a long way towards preventing a successful attack or reducing the impact.”
There is a growing disconnect between how companies capitalize on customer data and how consumers expect their data to be used, a new report from RSA Security has discovered.
The firm polled more than 6000 individuals across France, Germany, the United Kingdom and United States to explore the nuances of ethical data use and consumer perceptions of data privacy, compiling its findings into The RSA Data Privacy & Security Survey 2019.
Fewer than half (48%) of respondents believed there are ethical ways that companies can use their data, whilst 57% said they blame companies above anyone else, even a hacker, in the event of a data incident.
What’s more, whilst a focus on personalized consumer experiences is often considered a means to increase user activity and purchasing, the majority of those polled were against companies using their data to create a personalized experience if it compromised their privacy. As little as 17% of respondents felt tailored ads were ethical and just 24% thought personalization to create tailored newsfeeds was ethical.
“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, vice-president of international, RSA. “Now is the time for organizations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.”
An IT developer at a Chinese bank has been jailed for over a decade after exploiting a vulnerability in its systems to withdraw more than $1m from ATMs.
Qin Qisheng, 43, was a manager in Huaxia Bank’s technology development center in Beijing who spotted that a glitch in the lender’s core OS meant cash withdrawals around midnight weren’t recorded.
He subsequently tested his theory, deliberately hiding his activity as he did so, making withdrawals of 5,000-20,000 yuan ($740-3000) from a test bank account.
After doing so for over a year without telling his superiors, he had built a small fortune of over seven million yuan ($1m) in his own bank account, investing some funds in the stock market.
However, his luck ran out after the unusual activity in the test account was spotted at a branch in Hebei.
Amazingly, however, the bank wanted police to drop the case, believing Qin’s excuse that he was merely pen-testing.
“Qin Qisheng said that the matter was complicated and involved lots of work … he believed the bank would not pay attention even if he reported it,” a representative said in court, according to the South China Morning Post.
“We think this reason for not reporting is legitimate.”
Although Qin returned all the money he stole from the bank, it wasn’t enough to save him from a 10-and-a-half year jail sentence. This is the final appeal ruling of the Beijing Intermediate People's Court, upholding a December conviction.
“On the one hand, [the bank] said that the accused’s behavior was in violation of the rules. On the other hand he said that he could conduct relevant tests. This is self-contradictory,” the judge is reported to have said.
MPs have been targeted by a new phishing campaign after a government whip’s accounts were hacked, according to reports.
Tory MP Mike Freer told BuzzFeed News that the "parliamentary authorities are currently investigating" following the incident.
According to the report, dozens of MPs were added to a WhatsApp group named “Hack warning 1” by an account linked to Freer’s personal mobile phone number.
The MPs left the group swiftly, followed by Freer’s number.
In a Facebook update to friends, he hinted that his email account had also been compromised.
“If anyone receives a text asking them to download a viber so we can have a secure call please ignore and delete. I’ve been hacked. Ditto for any email suggesting I need overseas contacts for a government payment. Delete," it noted.
The Whips’ Office subsequently sent an alert warning of a “malicious hack that accesses your contacts list and sends texts and emails to all your private contacts.”
CensorNet CTO, Richard Walters, warned that phishing attacks remain a staple of the cyber-criminal fraternity.
“The reason is simple; it relies on manipulating people who are inherently trusting, particularly when attacks are highly targeted. It’s easy to say that there’s been a fairly sizable error in judgement by anyone who fell for it, but it really could happen to anyone,” he added.
“It would, however, be sensible for organizations — whether government or not — to make sure that people are adequately aware of the risks and not, as in this case, download anything based on the say so of a ‘contact’. A little bit of caution would always be advised.”
This isn’t the first time MPs have been targeted by a phishing campaign.
Back in June 2017, around 1% of parliamentary email accounts were cracked open by hackers, potentially after brute-forcing or guessing credentials. The attackers then launched vishing attacks in the aftermath in an attempt to trick users into handing over their log-ins over the phone. The attacks were blamed on Iran.
There have been more than 59,000 breach notifications to regulators of the GDPR since it was introduced on May 25, 2018, according to new findings from DLA Piper.
The global law firm’s report runs all the way up to Data Protection Day on January 28, 2019, meaning there was an average of over 7300 breach reports each month since the legislation was introduced.
The notifications range from the minor — such as emails being accidentally sent to the wrong recipient — to major attacks affecting millions, perhaps a reference to Marriott International.
The Netherlands was the surprise at the top of the breach reporting table, with organizations there having notified the supervisory authorities around 15,400 times. Next came Germany (12,600) and the UK (10,600).
The Netherlands also wins in terms of the country with most breach notifications per capita, followed by Ireland and Denmark. The UK came tenth in this regard.
Interestingly, the report claimed that there have already been 91 reported fines, but most appear to have slipped under the radar as they were so small. Most notable was the €50m penalty levied against Google, although a €20,000 fine against German chat app Knuddels also stood out as the first major fine by a national regulator.
In fact, with over 60 fines already levied, Germany seems to be the most prolific in this regard.
DLA Piper clarified that the high number of breach reports is likely due to the large fines for covering up an incident, but said regulators are wading through a large backlog already.
It warned that the financial penalties will only increase.
“We anticipate that 2019 will see more fines for tens and potentially even hundreds of millions of euros as regulators deal with the backlog of GDPR data breach notifications,” the report concluded.
“It is likely that regulators and courts will look to EU competition law and jurisprudence for inspiration when calculating GDPR fines and some regulators have already said they will do so. Competition lawyers are not known to shy away from imposing hefty fines and have imposed some eye-catching multi-billion Euro fines recently on large tech companies.”
The convergence of IT, operational technology (OT) and industrial internet of things (IIoT) has raised concerns about cybersecurity, safety and data privacy for many organizations, according to a new Ponemon Institute study.
Released today in partnership with TÜV Rheinland OpenSky, results of the 2019 Safety, Security & Privacy in the Interconnected World of IT, OT and IIoT study found that 62% of respondents agreed or strongly agreed that security maturity will increasingly depend upon the convergence of IT and OT control systems.
“Improving overall cybersecurity maturity will play a deterministic role in the success of a digitalization roadmap where the focus is to improve digital services in a complex and interconnected ecosystem," said Urmez Daver, global head of industrial security at TÜV Rheinland, in a press release.
"This is an area of focus for us at TÜV Rheinland OpenSky, and we were pleased to see that the outcome of the study reflects a similar prevalent opinion of cybersecurity practitioners across North America.”
Leaders are largely aware that the inability to achieve convergence will likely compromise trust with supply chain partners, but there are obstacles to achieving convergence that include a lack of strict data protection safeguards on information critical to operations.
While the majority of respondents (65%) agreed that digitalization is driving IT and OT convergence, 55% of those surveyed said that convergence is not possible in organizations with a long history of silos and "turf issues."
To achieve convergence, support needs to come from the top down. According to the survey, 73% of participants believe convergence cannot happen without the support of the CIO, while 62% said it is not possible without buy-in from C-level executives.
When asked about managing safety, 69% of respondents affirmed that their companies manage programs effectively, with 67% rating their companies as very effective in planning cybersecurity initiatives to support business priorities. An additional 66% say their leadership and governance practices are very effective.
“Fewer companies are effective in managing third party risks, compliance with regulations and standards and managing their privacy programs... Only 31% of respondents say they are very effective in managing their privacy programs, and 37% of respondents say they are very effective in complying with regulations and standards,” the report said.
Driverless vehicles and connected cars are creating a buzz in the marketplace, but as the industry races to produce the connected car of the future, it is letting cybersecurity fall to the wayside, according to new research from Synopsys.
In conjunction with SAE International, Synopsys published its report, Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices, which found that 84% of respondents have concerns that cybersecurity practices are not keeping pace with evolving technologies.
Nearly 600 professionals were surveyed as part of the study conducted by Ponemon Institute. Of those who partook in the survey, 30% reported that they do not have an established product cybersecurity program or team.
In addition, 63% said they test for vulnerabilities in less than half of their hardware, software or other technologies.
“Pressure to meet product deadlines, accidental coding errors, lack of education on secure coding practices, and vulnerability testing occurring too late in production are some of the most common factors that render software vulnerabilities,” the report said.
“Our report illustrates the need for more focus on cybersecurity; secure coding training; automated tools to find defects and security vulnerabilities in source code; and software composition analysis tools to identify third-party components that may have been introduced by suppliers.”
A large majority of respondents said they believe that an attacker could exploit a vulnerability, and 52% said they are aware of potential harms that insecure automotive technologies could cause to drivers, yet less than a third (31%) said they are capable of raising concerns that would actually be heard.
One issue that impedes the advancement of cybersecurity for automotive companies is a lack of both resources and skills. “On average, companies have only nine full-time employees in their product cybersecurity management programs. 62% of respondents say their organizations do not have the necessary cybersecurity skills. More than half (51%) say they do not have enough budget and human capital to address cybersecurity risks,” the report stated.
In addition to combing through thousands of intelligence reports from commercial clients, researchers also sought feedback from analysts. Attempting to identify the top challenges organizations are likely to face this year, the report found that the top threat to organizations is that they may find themselves caught in the cross hairs of information warfare.
“This activity encompasses a wide range of tactics, from orchestrating targeted breaches followed by data leaks to employing troll armies to push disinformation. So far, states have mainly used these capabilities for political and military purposes, like nudging voters and enflaming cultural conflict,” the report said.
“Booz Allen believes in 2019, states will increasingly use their growing information-warfare methods applied to economic conflict and will likely aim to generate investor, regulatory, consumer, or political backlash against targeted sectors and companies by fabricating or inflaming public relations and legal controversies.”
Certainly social media has created a pathway for companies to get caught in a misinformation web. “Increasingly, nation-states and other entities use the power of social media to support information warfare campaigns,” said Pravin Kothari, CEO, CipherCloud.
“Social media can be deployed as a cannon of misinformation to damage corporate reputations, attack government institutions and their policies, attack individual politicians and organizations, and in general obfuscate the truth and confuse the public.”
Though the additional key threats are legitimate concerns to both governments and businesses, some threats – especially the lack of security in many IoT devices and connected cars – do apply to consumers, according to Byron Rashed, vice president of marketing at Centripetal Networks.
"Combating these threats is difficult, especially cyber-threats from nation-states that have no budgetary limits. Keeping IT assets (security and infrastructure) up to date with the latest versions of software and patches will help to curb some threats that may find their way into the network,” Rashed said.
Graphic novel fans, particularly those Kindle readers who adore the popular John Wick series, may have unknowingly downloaded fake ebooks promising them the opportunity to stream the third film installment prior to its release in May, according to Malwarebytes.
The empty promise could do more than disappoint fans, though. According to researchers, the ebooks, which varied in price, actually sent the reader down a rabbit hole of malicious links to illicit sites claiming to offer streaming services.
It’s not unheard of for scammers to target the Kindle store, but historically the goal has been to steal authors’ content. This new tactic of packaging fake movie links in ebooks poses a different kind of threat.
“Roughly 40 or more individual items were uploaded from around January 25 to February 2, each one from a different 'author.' At first glance, you might think you’re looking at movies, thanks to the play button icon on each image preview. The fact that each entry is called something along the lines of “John Wick 3: free movie HD” probably helps, too,” wrote Malwarebytes lead malware intelligence analyst Chris Boyd.
Infosecurity contacted Amazon, which reportedly addressed the issue internally, though battling fake ebooks is nothing new for the online megastore. In his February 4 blog post, Boyd said, “It’s tricky to flag dubious content on the Kindle store, as you have to report each title individually and give reasons. We contacted Amazon customer support and have been informed these e-books have been escalated to the appropriate teams.”
As of today, search results appear to have been removed, but Boyd said, “We've also since found references to a similar eBook claiming to be a 'Spider-Man far from home' HD movie, which has also been removed. It's quite possible the scammers behind this may start taking aim at other big name film titles. Kindle owners should always check out a preview whenever possible, and not waste their money on anything proving nothing but a link to a streaming website."