Info Security

Botnet Abusing Android Debug Bridge, SSH is Back

Mon, 06/24/2019 - 17:32

A new cryptocurrency-mining botnet malware is abusing Android Debug Bridge (ADB) and SSH, according to Trend Micro.  

“This attack takes advantage of the way open ADB ports don’t have authentication by default, similar to the Satori botnet variant. This bot’s design allows it to spread from the infected host to any system that has had a previous SSH connection with the host,” the researchers wrote.

“The use of ADB makes Android-based devices susceptible to the malware. We detected activity from this malware in 21 different countries, with the highest percentage found in South Korea.”

The attack vector is one that has been abused before. Last year Juniper Threat Labs identified some of the vendors that had shipped ADB enabled.

“The number of publicly vulnerable devices has declined from about 40,000 devices one year ago to about 30,000 devices today. Most of the remaining vulnerable devices are located in Korea, Taiwan, Hong Kong and China,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

“It should be noted that some of the vulnerable devices are set-top boxes used for IPTV, not mobile phones. It is our speculation that most of the phones are, or become, vulnerable due to enabling the Android Debug Bridge during device rooting, a process which allows a locked down device to move freely between service providers.”

Because Android devices are beholden to their carriers or device manufacturers, Sam Bakken, senior product marketing manager, OneSpan, said it can be difficult for the general user to keep devices secure.

“Even if they wanted to harden their device with security updates or more secure configurations they simply can’t. The general layperson is becoming more aware of security and privacy issues as it relates to the mobile devices and apps they use,” Bakken said.

“Security is becoming a more important criterion in consumer decisions about which devices and apps they will and will not use. Savvy organizations are responding, building security into their mobile apps with technologies, such as app shielding and other in-app protections. This not only protects a developer’s intellectual property/app but also provides at least one safe haven for their users so they can rest easy knowing at least their usage of that one app is secure and protected.”

Categories: Cyber Risk News

Incomplete Fix Leads to New Kubernetes Bug

Mon, 06/24/2019 - 17:11

A new high-severity Kubernetes vulnerability has been discovered, according to a security announcement on Securelists.org.

As part of the ongoing Kubernetes security audit sponsored by the Cloud Native Computing Foundation, the Kubernetes product security team announced a new high-severity vulnerability (CVE-2019-11246) that impacts kubectl, the command line interface used to run commands against Kubernetes clusters.

“Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited. The issue is high severity and upgrading kubectl to Kubernetes 1.12.9, 1.13.6, and 1.14.2 or later is encouraged to fix this issue,” wrote Joel Smith.

To determine whether you are vulnerable, Smith said to run kubectl version --client. Any versions other than client version 1.12.9, 1.13.6 or 1.14.2 are vulnerable and should be updated.

“This vulnerability stems from incomplete fixes for a previously disclosed vulnerability (CVE-2019-1002101). This vulnerability is concerning because it would allow an attacker to overwrite sensitive file paths or add files that are malicious programs, which could then be leveraged to compromise significant portions of Kubernetes environments,” said Wei Lien Dang, co-founder and vice president of product at StackRox.

“This type of exploit shows how a client-side vulnerability could be used to potentially compromise production environments, especially since we have observed that best practices to mitigate against this type of threat vector are not always followed. For example, users may be running kubectl on production nodes or without appropriate role-based access control to limit access to the entire cluster or with elevated local system permissions.”
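The defect class described above is a client that extracts a container-supplied tar stream without confirming that every entry stays under the destination directory. The following Go program is an added illustration of the defensive check (it is not kubectl's code or its fix): it scans an in-memory, constructed tar stream before anything is written and flags entries whose path, or whose symlink target, would resolve outside a hypothetical destination directory. It goes a step beyond the article by also covering symlink targets, since the earlier incomplete fix the article refers to shows that path names alone are not the whole story.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeJoin resolves a tar entry name beneath destDir and rejects any name that
// would land outside it. In a kubectl cp style copy the tar stream is produced
// inside the container, so every entry name is attacker-controlled; ".."
// segments are the classic traversal vector.
func safeJoin(destDir, name string) (string, error) {
	cleanDest := filepath.Clean(destDir)
	target := filepath.Join(cleanDest, name) // Join collapses ".." but cannot stop an escape
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, destDir)
	}
	return target, nil
}

// CheckArchive scans a tar stream before extraction and returns the names of
// entries that would escape destDir, either directly through their path or
// through a symlink whose target resolves outside destDir. An empty result
// means every entry stays within the destination.
func CheckArchive(destDir string, archive []byte) ([]string, error) {
	var escapes []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return escapes, nil
		}
		if err != nil {
			return nil, err
		}
		if _, err := safeJoin(destDir, hdr.Name); err != nil {
			escapes = append(escapes, hdr.Name)
			continue
		}
		if hdr.Typeflag == tar.TypeSymlink {
			// An absolute link target, or a relative one that climbs out of
			// destDir, would let a later entry write through the link to an
			// arbitrary path. Chains of links spread across several entries
			// need resolution against the already-extracted tree, which this
			// single-pass check does not attempt.
			if filepath.IsAbs(hdr.Linkname) {
				escapes = append(escapes, hdr.Name)
				continue
			}
			resolved := filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)
			if _, err := safeJoin(destDir, resolved); err != nil {
				escapes = append(escapes, hdr.Name)
			}
		}
	}
}

// BuildSampleArchive constructs, in memory, a tar stream of the kind a
// malicious container could hand to the client: one benign file, one
// traversal path, one absolute symlink and one harmless relative symlink.
// All names and contents are constructed sample data.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	writeFile := func(name string, data []byte) {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(data)), Typeflag: tar.TypeReg})
		tw.Write(data)
	}
	writeLink := func(name, target string) {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o777, Typeflag: tar.TypeSymlink, Linkname: target})
	}
	writeFile("ok/report.txt", []byte("constructed sample content\n"))
	writeFile("../../.bashrc", []byte("# would land in the user's home directory\n"))
	writeLink("ok/escape", "/etc")
	writeLink("ok/sibling", "../ok/report.txt")
	tw.Close()
	return buf.Bytes()
}

func main() {
	// Hypothetical destination directory; nothing is written to disk.
	escapes, err := CheckArchive("/tmp/kubectl-cp-dest", BuildSampleArchive())
	if err != nil {
		panic(err)
	}
	fmt.Println("entries that would escape the destination:", escapes)
}
```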

Because upgrades depend on the actions of individual users, the fix can be harder to enforce, and Dang expects that this will not be the only vulnerability disclosed as a result of the security audit.

“These disclosures, along with the work by the Kubernetes product security team and broader community, will ensure that Kubernetes continues to be the most secure container orchestration platform.”

Ethics and Compliance Programs Growing More Mature

Mon, 06/24/2019 - 16:13

Ethics and compliance programs are trending up, driven in large part by strong support from top executives, according to the 2019 Definitive Corporate Compliance Benchmark Report, published by NAVEX Global.

The research revealed that when leadership buys in to the strategic value of ethics and compliance programs, there is not only a greater likelihood of success but also an increased perception of organizational ethics. Strong executive backing also leads to greater program maturity and enables adoption of ethics and compliance technologies that improve program performance.

When asked whether the organization was "always ethical," only 25% of respondents with basic ethics and compliance programs said yes, and only 48% of all respondents noted that senior managers valued ethics and compliance as an important part of a comprehensive risk management strategy that has a proven return on investment.

The other 52% said that their programs were viewed primarily as an insurance policy or a necessary evil. While 85% of respondents reported using one or more automated solutions in their programs, organizations that use up to five of these solutions report increased ability to prevent violations.

In addition, 85% of respondents said a “centralized repository with easy access to the most current versions” was valuable or very valuable, and 78% rated “improved version control, reduced redundancy or increased accuracy of policies” equally as valuable, according to the report.

“It’s obvious to employees when leadership believes in the strategic value and measurable ROI of ethics and compliance programs. Leaders who view compliance programs as insurance policies or necessary evils – as many do, particularly within less-mature organizations – are sending the wrong message to their workforce,” said Carrie Penman, chief compliance officer and senior vice president, advisory services, NAVEX Global.

Additionally, 71% of respondents overall and 91% of those organizations with advanced programs offered an anonymous reporting channel, which is widely considered something every organization should have at this point.

US Adds AMD Joint Venture to Entity List

Mon, 06/24/2019 - 10:40

The US Department of Commerce has added five more Chinese organizations onto the same Entity List as Huawei over national security fears, including an AMD joint venture.

The department’s Bureau of Industry and Security (BIS) said the changes to the list, which will prevent US firms from doing business or selling components to them, will take effect from today.

That will be a headache especially for AMD, which set up a JV with Tianjin Haiguang Advanced Technology Investment Company (THATIC), aka Higon, back in 2016 to sell its x86 chips in China.

Two other companies on the list — Sugon and the Wuxi Jiangnan Institute of Computing Technology — build exascale supercomputers which the US government believes have military purposes. The latter is owned by the 56th Research Institute of the General Staff of the PLA, with a mission “to support China's military modernization,” according to the US government.

“Under § 744.11(b) (Criteria for revising the Entity List) of the EAR, entities for which there is reasonable cause to believe, based on specific and articulable facts, have been involved, are involved, or pose a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States, and those acting on behalf of such persons, may be added to the Entity List,” the notice said.

Sugon is said to be the majority owner of Higon, while the two remaining entities on the list are: Chengdu Haiguang Integrated Circuit (aka, Hygon and Chengdu Haiguang Jincheng Dianlu Sheji) and Chengdu Haiguang Microelectronics Technology (aka HMC and Chengdu Haiguang Wei Dianzi Jishu).

The new organizations join Huawei and ZTE on the list, which can be seen in the wider context of the Trump administration’s ramping up of pressure on the Chinese government over trade and national security.

Last week, the US Consumer Technology Association (CTA) complained that Trump’s much-derided tariffs would hit US consumers hardest, rather than the Chinese firms the US President wants to punish.

It claimed the average smartphone imported from China would increase in price by $70 (22%) if another proposed tariff of 25% on $300bn of Chinese goods is introduced.

“Tariffs are taxes, paid by American consumers —and these new tariffs would be a burden on American families just as they start back-to-school shopping,” said Gary Shapiro, CEO of the CTA.

“US consumers, not China, pay the price for tariffs — what more proof does the White House need? It’s time for this administration to put American small businesses, workers and families first and make a deal with China.”

Phishing Attack Exposes PII on 645,000 Oregonians

Mon, 06/24/2019 - 09:45

Over 600,000 Oregon residents have been told their personal information may have been compromised after a successful phishing campaign against employees of the state’s Department of Human Services (DHS).

The agency is sending 645,000 clients breach notices following a January 2019 incident, it said in a statement last week.

Nine DHS employees clicked through on a phishing email sent early in the month, giving hackers access to their accounts.

“Beginning January 9, 2019, these nine employees started reporting problems. All affected accounts were located and access to the nine affected accounts was stopped by January 28, 2019,” it continued. “On January 28, 2019 the department and the Enterprise Security Office Cyber Security team confirmed that the phishing incident was a data breach.”

Although no additional malware was downloaded and no further accounts were compromised, investigators determined that the incident may have exposed as many as two million emails to the attackers.

“Most client information involved in the breach was in email attachments, like reports. The exposed client information includes first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs,” the DHS notice continued.

“The personal health information includes ‘Protected Health Information,’ or PHI, covered under the Health Insurance Portability and Accountability Act (HIPAA). Not all of these information types were exposed for each person.”

Although the DHS claimed to regularly patch systems, complete independent security assessments and even regularly train staff, the incident highlights the challenge of mitigating the phishing threat.

Verizon claimed in its most recent Data Breach Investigations Report (DBIR) that a third (32%) of breaches were linked to phishing attacks last year.

US Warns of Destructive Iranian Cyber-Attacks

Mon, 06/24/2019 - 08:30

A US government security agency has ratcheted up tension with Iran by warning that escalating state-sponsored attacks could turn destructive.

The Cybersecurity and Infrastructure Security Agency (CISA) director, Christopher Krebs, said in a statement dated Saturday that Iranian “regime actors and proxies” had ramped up malicious cyber-activity against US government agencies and industries of late.

“We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe,” he continued.

“Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network.”

Iran has indeed been pegged for several destructive cyber-attacks over recent years, most notably the Shamoon attack of 2012 on Saudi state oil giant Saudi Aramco which is said to have wiped the hard drives of over 30,000 machines.

Tensions between the US and Iran have risen since Donald Trump tore up the previous administration’s nuclear deal with the Islamic Republic and imposed economic sanctions which have emboldened hardliners in Tehran.

After Iran shot down an unmanned US drone last week, the world is waiting for an American military response. A new report citing “two former intelligence officials” claimed that a retaliatory strike was launched on Thursday evening.

It targeted a cyber-espionage group linked to the Iranian Revolutionary Guard Corps, the report claimed.

“In times like these it's important to make sure you've shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident — take it seriously and act quickly. You can find other tips and best practices for staying safe online here,” concluded Krebs.

66% of Homes in North America Have Multiple IoT Devices

Fri, 06/21/2019 - 18:19

North American homes have the highest density of internet of things (IoT) devices of any region in the world, according to researchers at Stanford University and Avast.

Together, Stanford University and Avast have published findings of their research in a paper entitled All Things Considered, which analyzes the global state of IoT. The survey was based on “data collected from user-initiated network scans of 83M devices in 16M households,” the report said.

“Home IoT is better characterized by smart TVs, printers, game consoles, and surveillance devices – devices that have been connected to our home networks for more than a decade,” the report said.

“These are the kinds of devices that still support weak credentials for old protocols: work appliances are the device type with the highest fraction of weak FTP credentials; surveillance devices are the worst for telnet credentials. Improving the security posture of these devices remains just as important as ensuring that new technologies are secure – our home networks are only as secure as their weakest link.”

Notably, 66% of homes in North America possess at least one IoT device, more than 25 percentage points above the global average of 40%. Additionally, 25% of North American homes boast more than two devices.

With more than 14,000 IoT manufacturers the world over, 94% of all IoT devices are manufactured by as few as 100 vendors.

When looking at devices such as game consoles, there was little variance across the world in the most popular vendors, with Microsoft and Nintendo taking the top two spots. Open or weak FTP credentials were the top vulnerability; the research found that over 7% of all IoT devices still support FTP and telnet, making them especially vulnerable.

“There already exists a complex ecosystem of Internet-connected embedded devices in homes worldwide, but that these devices are different than the ones considered by most recent work,” the researchers wrote.

Dell Advises PC Users to Update SupportAssist

Fri, 06/21/2019 - 17:31

Dell has released a security alert letting customers know that they should update SupportAssist for both business and home PCs.

The vulnerability was discovered by SafeBreach security researcher Peleg Hadar, who wrote that the OEM software vulnerability puts multiple laptops at risk.

PC-Doctor, which makes and maintains the software-repair tool, wrote that it had recently learned of the vulnerability, adding, “In our opinion, it would be very rare for one to have both permissions and the ability to exploit this vulnerability.

“To exploit this vulnerability, an administrative user or process would have to change the system’s PATH environment variable to include a folder writable by non-admin users, and craft a DLL that exploits PC-Doctor’s administrative privileges. It is not possible to exploit this vulnerability without modifying default Windows settings.”

“According to Dell's website, SupportAssist is preinstalled on most of Dell devices running Windows. This means that as long as the software is not patched, the vulnerability affects millions of Dell PC users,” Hadar wrote.

The vulnerability in SupportAssist was originally reported on April 29, 2019. “In our initial exploration, we targeted the 'Dell Hardware Support' service based on the assumption [that] such a critical service would have high permission level access to the PC hardware as well as the capability to induce privilege escalation,” Hadar said.

If exploited, the flaw would allow attackers to load and execute malicious payloads through a signed service, a technique that could also be abused for execution and evasion.

On May 28, the fixes provided by PC-Doctor for the affected versions of SupportAssist were released by Dell.

Noting that the PC-Doctor CVE-2019-12280 vulnerability received a high severity rating, Dell’s security advisory said, “The PC Doctor component in Dell SupportAssist for Business Systems and Dell SupportAssist for Home PCs has been updated. The vulnerability affects the Dell SupportAssist for Business PCs version 2.0.1 and Dell SupportAssist for Home PCs version 3.2.2.”

Desjardins Insider Accessed Data of 2.9m Members

Fri, 06/21/2019 - 17:02

Canada's largest credit union and one of the world’s largest banks, Desjardins, published a security advisory after a former employee gained unauthorized access to the data of 2.9 million members.

The former employee was fired as a result of the security breach. In a statement posted on its website, the bank said, “The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer. That person was fired. In light of these events, additional security measures have been put in place to ensure all our members' personal and financial data remains protected.”

The bank also noted that it has not been the target of a cyber-attack, nor did the malicious employee access customers’ AccèsD passwords, security questions or PINs.

“The bank is saying that credit card numbers, security questions and so on were not taken. Is this supposed to make it OK?” said Dan Tuchler, CMO at SecurityFirst. “I’m sure those whose personal information was revealed are going to be concerned. Enterprises, especially banks, need to take both technical steps and human process steps to prevent this type of breach.”

In addition to monitoring all activity in member accounts, Desjardins also stated, “We're taking additional steps to confirm our members' and clients' identities when they call their Desjardins caisse or our AccèsD call centre.”

That one employee was able to gain access to such a vast amount of confidential data suggests that some internal security controls are broken, according to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

“Human factor remains the largest and probably the most dangerous risk that cannot be fully remediated. Most companies considerably underestimate human risk and then face disastrous consequences. Employee awareness and continuous education programs, as well as properly implemented internal security controls, can greatly reduce risk of human mistake and ruin even the most sophisticated phishing attacks.

“However, a malicious employee is a much more complicated case. First of all, security teams are already overloaded with tasks, processes and endless alerts and therefore frequently disregard incidents caused by presumably trusted colleagues. Worse, some of the employee’s malicious activity is technically undistinguishable from the legitimate daily work. Nonetheless, major incidents akin to this one are usually easily detectable and preventable.”

NCSC Stresses 5G's Challenges Outweigh China Threat

Fri, 06/21/2019 - 10:13

While the debate on the 5G rollout has focused on Huawei, the work has been much wider and had to consider attacks and technical precision, according to the NCSC.

Presenting at Chatham House in London, NCSC CEO Ciaran Martin said that “there is a structural and sustained problem” in the way that telecommunications markets have worked in the past, which has not incentivized sufficiently good cybersecurity.

The most significant attack on UK telcos in recent years was suspected as being from Russia “and we don’t have any Russian owned or flagged kit in our telco networks,” said Martin. 

Martin said that the opportunity of 5G needs to be taken to fundamentally change the way we do telecommunications security to bake in cybersecurity and resilience into our infrastructure. “So, there’s much more to 5G security than Huawei,” he said.

Martin also said that technical precision matters in getting 5G security right. While it is “an important innovation”, he said, it is not magic and doesn’t change the laws of science or immutable concepts of security, but is an extremely complicated set of engineering and technological capabilities and architectures.

He said: “Don’t get me wrong: there are some very real security risks in 5G that we have to get right. But given the complexity, it’s easy for the debate to slip into areas where some of the arguments just don’t technically stack up.”

He cited two examples: firstly the ability to safeguard classified information, including that of the UK’s closest foreign partners, but he said that “the way we do classified information protection has nothing to do with how we construct public 4G or 5G networks and [is] completely outside the scope of the DCMS review.”

Martin said that classified information sharing between partners depends on mutually agreed, ultra-cautious and rigorously policed standards; "always has, always will. It just isn’t relevant to the discussion about public 5G network security.”

The other example referred to what risks are run from foreign vendors from hostile states, which he acknowledged is a “completely legitimate concern to analyze” but not one that should be analyzed in isolation.

He considered the hypothetical case in which Huawei being part of a 5G access network would allow the Chinese state to cause major disruption, such as turning out the lights, with no way of mitigating that risk. What that would mean, he said, is that the networks had been constructed in such a way that the compromise of an external supplier causes catastrophic damage which can’t be contained. If such a case is true, he said, then all of the following must also be true:

  • The risk from accidental failure because of an operational mistake by a western vendor cannot be mitigated;
  • The risk that a hostile state could insert and exploit malicious code covertly into a western vendor cannot be mitigated;
  • The risk that a hostile state could place a human operative into a western vendor and exploit that access to cause the same disruption cannot be mitigated.

“In other words, if this sort of disruption is possible via Huawei, then it’s possible in all sorts of other ways too that should also be of grave concern,” he said. “And it means we’ve built the networks the wrong way. The technical job of the NCSC is to make sure they are built in the right way.”

In conclusion, Martin said that a decade since the first UK cybersecurity strategy, there is now a lot more clarity about what Government should be doing to promote cybersecurity and responsible behavior in cyber space.

Warning Made on Cross-Platform Cryptominer

Fri, 06/21/2019 - 09:39

ESET has warned of cross-platform software which is used to mine cryptocurrency.

Named LoudMiner, the malware uses virtualization software – QEMU on macOS and VirtualBox on Windows – to mine cryptocurrency on a Tiny Core Linux virtual machine. LoudMiner is distributed in pirated copies of audio software called VST (Virtual Studio Technology) and once an endpoint is infected, LoudMiner uses the compromised machines to mine cryptocurrency and uses SCP (Secure File Copy) with an embedded username and private SSH key to self-update.

ESET researchers said that the miner itself is based on XMRig (Monero) and uses a mining pool, and therefore it is impossible to retrace potential transactions.

“At the time of writing, there are 137 VST-related applications (42 for Windows and 95 for macOS) available on a single WordPress-based website with a domain registered on 24th August, 2018,” researchers said.

“The first application – Kontakt Native Instruments 5.7 for Windows – was uploaded on the same day. The size of the apps makes it impractical to analyze them all, but it seems safe to assume they are all Trojanized.”

In particular, LoudMiner targets audio applications which would be expected to have good processing power and high CPU consumption, and “are usually complex” to enable attackers to camouflage their VM images. 

Marc-Etienne M.Léveillé, senior malware researcher at ESET, said: “These applications are typically complex and have a high CPU consumption, so users will not find this activity unusual. Using virtual machines instead of another leaner solution is quite remarkable, and is not something we have typically seen before.”

High-Risk Vulnerabilities in iOS, Android Apps

Thu, 06/20/2019 - 16:00

The vast majority of mobile apps store data insecurely, according to Positive Technologies researchers who discovered high-risk security vulnerabilities in 38% of iOS apps and 43% of Android apps.

“But this difference is not significant, and the overall security level of mobile application clients for Android and iOS is roughly the same. About a third of all vulnerabilities on the client side for both platforms are high-risk ones,” according to the annual report Vulnerabilities and Threats in Mobile Applications, 2019.

Researchers analyzed mobile apps tested last year and found that 76% of them store data insecurely, making insecure data storage the most common vulnerability. Of the vulnerabilities discovered, 89% could be exploited by malware.

“Developers pay painstaking attention to software design in order to give us a smooth and convenient experience. People gladly install mobile apps and provide personal information, but rarely stop to think about the security implications,” the report said.

Rooted and jailbroken devices had a higher risk of infection, though malware can also escalate privileges and access user data, or even send that data to attackers, if the user grants it permission.

“In 2018, mobile apps were downloaded onto user devices over 205 billion times. Developers pay painstaking attention to software design in order to give us a smooth and convenient experience and people gladly install mobile apps and provide personal information,” said Leigh-Anne Galloway, cyber-security resilience lead at Positive Technologies.

“However, an alarming number of apps are critically insecure, and far less developer attention is spent on solving that issue. Stealing data from a smartphone usually doesn’t even require physical access to the device.”

Mobile users are advised to pay closer attention when applications request access to phone functions or data, because cyber-criminals rely on users’ inattention to escalate privileges. Additionally, the report noted that “protection mechanisms are the weak spot in mobile applications. Most of the discovered vulnerabilities were introduced during the design stage and result from failure to ‘think through’ security-related questions.”

California Suffered Highest Number of Breaches

Thu, 06/20/2019 - 15:39

Over the past decade, California has had the highest number of data breaches and the greatest number of records exposed, according to new research from Comparitech.

In the new report, Which States Have the Most Data Breaches?, researchers analyzed the last 10 years' worth of data breaches and found that California suffered the most, with New York and Texas following some way behind.

Since 2008, there have been 1,493 data breaches in California, which have exposed approximately 5.6 billion records in total, the report said. New York saw less than half of that, with only 729 total breaches exposing 239 million records.

“Similar to California, New York is home to a huge number of companies with big, valuable databases. The total number of records exposed, however, isn’t as high as for some states with a fraction of the number of breaches,” the report said.

Though the second-largest state, Texas had the third-highest number of data breaches. It trailed New York on breach count, with 661 breaches, although those breaches exposed more records: 288 million.

“The majority of records exposed through data breaches in Texas came out of the Epsilon breach in 2011. The email marketing firm leaked 50 million to 250 million email addresses and names. It worked with several big-name US retailers and financial companies like Kroger, Walgreens, Marriott Rewards, Capital One, and Citibank,” the report said.

While the entire US has suffered 9,696 data breaches since 2008, a handful of states – South Dakota, North Dakota, Wyoming, West Virginia and Hawaii – each had under 30 data breaches in total over the entire decade, according to the report. All told, those 9,696 breaches resulted in more than 10.7 billion records being exposed.  

Even though Georgia had only 300 data breaches since 2008, “Georgia is home to what is possibly the most infamous data breach in history: Equifax. In May 2017, the Atlanta-based credit bureau announced a data breach involving 145.5 million Americans’ names, Social Security numbers, birth dates, addresses, and more. That doesn’t even include the non-Americans involved. Despite the breach having occurred more than two years ago, the data has yet to surface, leading some to believe it was a nation-state attack.”

Categories: Cyber Risk News

US CERT Warns of DHS Phishing Scam

Thu, 06/20/2019 - 14:56
US CERT Warns of DHS Phishing Scam

An email phishing scam tries to dupe its victims by appearing to be from the Department of Homeland Security (DHS). According to a June 18 US CERT alert, the email lures users into downloading malware through a malicious attachment.

“The Cybersecurity and Infrastructure Security Agency (CISA) is aware of an email phishing scam that tricks users into clicking on malicious attachments that look like legitimate Department of Homeland Security (DHS) notifications. The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert,” CISA wrote.

CISA cautioned people to be wary of fraudulent emails, even if the sender is someone known to the receiver, particularly as these sophisticated phishing attacks can compromise enterprise security if end users mistakenly click on malicious links.
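The pattern CISA describes, a forged sender address dressed up as an NCAS alert plus a malicious attachment, can be triaged mechanically at the mail gateway. The following is an added example, not CISA's or any vendor's detection code. It assumes an upstream gateway that stamps Authentication-Results headers; the impersonated domain dhs.example, the NOTIFICATION_DOMAINS set and the sample message are constructed placeholders, not the real campaign's values.

```python
"""Triage an inbound email for the pattern in the CISA alert: a sender that
only looks like a government notification, plus a risky attachment.

Added example, not CISA's or any vendor's detection logic. Assumptions:
the impersonated domain is the placeholder dhs.example, a gateway upstream
has written Authentication-Results headers, and the message is constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Domains whose mail the organisation treats as official notifications.
# Placeholder (assumption); use the domains you actually receive alerts from.
NOTIFICATION_DOMAINS = {"dhs.example"}

# Attachment types commonly used to carry first-stage malware.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs",
                    ".hta", ".lnk", ".iso", ".zip", ".exe", ".scr"}

# Constructed sample message (documentation-range IP, example domains).
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=dhs.example
From: "National Cyber Awareness System" <alerts@dhs.example>
Reply-To: <support@mailer.example.net>
To: analyst@corp.example
Subject: NCAS Alert: action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached alert.
--b1
Content-Type: application/msword; name="NCAS_Alert.doc"
Content-Disposition: attachment; filename="NCAS_Alert.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def triage(raw_message):
    """Return a list of indicator strings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    indicators = []

    from_domain = domain_of(msg["From"])
    if from_domain in NOTIFICATION_DOMAINS:
        # The display name and From address are free to forge; a DMARC pass is not.
        verdicts = auth_verdicts(msg)
        if verdicts.get("dmarc") != "pass":
            indicators.append("From claims %s but DMARC result is %s"
                              % (from_domain, verdicts.get("dmarc", "absent")))
        # Envelope sender or Reply-To pointing elsewhere is a classic spoof tell.
        for header in ("Return-Path", "Reply-To"):
            other = domain_of(msg[header])
            if other and other != from_domain:
                indicators.append("%s domain %s differs from From domain" % (header, other))

    # The lure in this campaign is the attachment, so flag risky types regardless
    # of who the sender claims to be.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            indicators.append("attachment %s has risky extension %s" % (name, ext))
    return indicators


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE):
        print("FLAG:", line)
```

The sample trips all four checks (DMARC failure, mismatched Return-Path, mismatched Reply-To, Office attachment). The design point is that the spoofed From address is never trusted on its own: the verdict comes from the authentication headers and from where replies and bounces would actually go, which is exactly what a user reading the message cannot see.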

“We live in an interconnected digital economy, one where businesses are increasingly vulnerable to online attacks that target users, the traditional ‘weak link’ in cybersecurity. The rise of convincing phishing campaigns like those purporting to be from the DHS brings the problem into sharp focus,” said Sherban Naum, SVP of corporate strategy and technology for Bromium.

It is becoming increasingly difficult for the average person to identify phishing emails, which is why security practitioners should rethink their security awareness and training programs. “Expecting employees to spot these threats and prevent a breach puts high-value assets at risk. This approach means that hackers need to only get it right once, because there is always someone who might click to open a malicious attachment on a phishing email,” Naum said.

“We need to accept that it doesn’t matter how much user education is in place, hackers will always find ways to dupe employees and get around enterprise defenses. We can’t continue to put the onus of security on users and expect them to spot these threats; it’s not their job to be the last line of defense.”

Categories: Cyber Risk News

DCMS Pushes Porn Age Verification Deadline Back “Indefinitely”

Thu, 06/20/2019 - 11:20
DCMS Pushes Porn Age Verification Deadline Back “Indefinitely”

The planned age verification scheme, which would have blocked access to pornographic material for anyone unable to prove their age, is to be delayed indefinitely.

According to Sky News, Department for Digital, Culture, Media and Sport (DCMS) Secretary Jeremy Wright is expected to announce the delay later today. The verification system was due to come into force on July 15, with website visitors expected to prove their age and identity by uploading scans of passports or driving licenses, or by using age-verification cards sold by newsagents.

Privacy campaign group the Open Rights Group said the scheme “provides little assurance to the 20 million adults that are estimated to watch porn in the UK”, calling it a “privacy timebomb” because it would lead to a central database of identities that would need to be maintained.

The Open Rights Group also said that because the BBFC's data protection standard was voluntary, there was no obligation for age verification providers to apply it, and no penalties for those verifiers who sign up to the standard and fail to meet its requirements.

Its executive director Jim Killock said: “While it’s very embarrassing to delay age verification for the third time, this is an opportunity for the Government to address the many problems that this ill-thought through policy poses.

“Age verification providers have warned that they are not ready; the BBFC’s standard to protect data has been shown to be ineffective. The Government needs to use this delay to introduce legislation that will ensure the privacy and security of online users is protected.”

Mishcon de Reya's Cyber Intelligence director Mark Tibbs said that while a “porn block” based on age verification looks like a good idea on the face of it, introducing one is likely to have a number of unintended consequences which could create more problems than it solves.

“If the Ashley Madison hack taught us anything, it's that a company which holds personal information about millions of users' sex lives will be a prime target for hackers and extortionists, regardless of how good security is,” he said.

“Underage porn seekers and even adults not wanting to give over their personal information are likely to quickly find services to hide their true identities and bypass the controls. It will possibly even drive determined porn seekers onto alternative platforms such as the dark web, which are harder for governments to regulate, and may be more likely to expose users to illegal content. It may even stimulate an illicit black market of stolen accounts and identities, giving budding hackers even more reason to steal online identities."

Infosecurity was joined by Jim Killock and psychotherapist Ronete Cohen for a discussion around the ethics of the age verification scheme during our last Online Summit. Listen again here.

Categories: Cyber Risk News

Florida City Pays $600K to Ransomware Authors

Thu, 06/20/2019 - 10:50
Florida City Pays $600K to Ransomware Authors

A Florida city has agreed to pay cyber-criminals $600,000 to regain access to computer systems encrypted with ransomware, highlighting the continued threat to organizations from extortion-based attacks.

The Riviera Beach City Council voted unanimously to pay off the hackers, after security consultants hired to help recommended the extreme course of action, which runs counter to advice from law enforcement.

The council had already voted to spend $900,000 on new computers after the attack struck three weeks ago, bringing the total outlay for the city of 32,000 residents to $1.5m.

The attack appears to have begun with a classic phishing email which a city employee clicked on. According to AP, the unnamed ransomware variant crippled email systems, forced city employees and suppliers to be paid by cheque, and even interfered with 911 dispatches.

The incident is just the latest in a long line of successful ransomware attacks targeting US cities. Most recently, Baltimore suffered major outages which are said to be costing the city $18m. Another ransomware blitz forced employees in Del Rio back to pen and paper.

However, both of those cities refused to pay the ransom. Paying up is generally discouraged by law enforcers as there’s no guarantee that victims will regain access to their data and it means they may be singled out as easy targets in future raids.

According to the FBI, there were just 1,493 reported victims of ransomware last year, with attacks costing them a little over $3.6m. However, these figures are likely to be a significant under-estimate, given many attacks won’t be reported and the figure for losses doesn’t include “lost business, time, wages, files, equipment, or any third party remediation services acquired by a victim.”

Cyber-criminals appear to be focusing their efforts increasingly on businesses. The number of ransomware detections targeting consumers dropped 10% quarter-on-quarter in Q1, whereas attacks against corporates surged 195%, according to Malwarebytes.

Categories: Cyber Risk News

UK Identity Fraud Jumps 8% to New All-Time High

Thu, 06/20/2019 - 09:29
UK Identity Fraud Jumps 8% to New All-Time High

Identity fraud rose by 8% in the UK last year to hit an all-time high, with both the very young and old experiencing the biggest increases, according to Cifas.

The anti-fraud non-profit’s latest Fraudscape report for 2018 was compiled as always from the 350 organizations that submit data to its National Fraud Database.

These members recorded nearly 324,000 cases of fraud overall last year, a return to the highs of 2015 and 2016 after a dip in 2017. A Cifas official confirmed to Infosecurity that 87% of all identity fraud was committed online during last year, up from 84% the previous year.

The number of over-60s suffering identity fraud shot up 34% over the previous year, while the number of under-21s experiencing impersonation attacks jumped by 26%.

Online use was blamed for a large part of the rise, especially for the elderly, more of whom are using the internet at home, the report claimed. Younger victims’ large social media presence also exposes them to the risk of scams, it said.

There was a 41% rise in scams targeting plastic cards: again, older members of society are increasingly being targeted here as they’re perceived to be more likely to be approved for credit, Cifas said.

The report also detailed another sharp rise in the fraudulent use of bank accounts. The volume of cases jumped 26%, indicating a rise in money mule activity.

Often, the proceeds being laundered through these accounts come from authorized push payment (APP) scams, an increasingly popular fraud tactic in which the victim is tricked into sending money to the scammer or a third party under their control.

Incidents of APP shot up 90% between 2017 and 2018, costing victims an estimated £354m, according to UK Finance.

The largest number of money mules are in the age group 21-30, followed by under-21s, although all age ranges showed an increase in activity, Cifas found.

Categories: Cyber Risk News

CISOs Struggling With 50+ Separate Security Tools

Thu, 06/20/2019 - 08:26
CISOs Struggling With 50+ Separate Security Tools

Organizations are struggling to gain real-time visibility into their security technologies and suffering from an excessive number of tools running across the enterprise, according to new research from Panaseer.

The security monitoring firm polled 200 enterprise CISOs to better understand their key strategic challenges, as part of its first Security Leader’s Peer Report.

It revealed that 87% are struggling to gain any meaningful insight into trusted data, while a sizeable minority (31%) are concerned this may impact their ability to comply with key regulations.

Complex, siloed IT systems are compounding these challenges, the report found.

On average, responding organizations are running 57 separate security tools. Over a quarter (27%) claimed to be running a staggering 76+ discrete security products.

These aren’t necessarily making the organization any safer – in fact, they may be working to do the opposite. Over 70% of respondents admitted that they don’t even evaluate their security tools based on how effectively they reduce cyber risk.

The result is that enterprises are often flying blind when it comes to security, with security teams forced to spend much of their valuable time producing reports manually. This was cited by over a third (36%) of respondents.

The administrative burden of formatting and presenting data, working with spreadsheets and compiling data for regulators and the board is an overhead that stretched security teams can ill afford, according to Panaseer CTO Charaka Goonatilake.

“Instead of deploying scarce cyber-experts to improve security in the business, they’re wasting their talents on manually constructing reports in an attempt to provide visibility into security posture,” he told Infosecurity.

He argued that automation is an opportunity to accelerate decision making, reduce error and enhance visibility.

“Automating the end-to-end process of creating a complete, accurate and up-to-date view of an organization's security posture on a daily basis requires collection, cleansing and analysis of data from dozens of sources followed by formatting and presenting the generated insights,” Goonatilake added.

“Manual reports are so prone to error, as they can only give a single snapshot in time and are then out of date almost immediately.”

Categories: Cyber Risk News
