Info Security


Lack of Diversity Persists in Cybersecurity

Thu, 10/24/2019 - 16:35
An annual international survey has found the cybersecurity industry to be dominated by Caucasian men for the second year running.

The Exabeam Cybersecurity Professionals Salary, Skills and Stress Survey asks security professionals around the world about their job satisfaction, education level, and attitude toward innovative and emerging technologies. 

This year's survey was completed in September by 479 security professionals working in the United States, the United Kingdom, Canada, India, Australia, and the Netherlands. 

Last year, only 10% of survey respondents were female. This year, that percentage dropped to a measly 9%, indicating, at best, little change in the cybersecurity industry's gender imbalance. 

A further finding of the survey was that the majority of respondents—65%—identified as Caucasian. Asian professionals and Latino or Hispanic employees made up just 13% and 9% of respondents, respectively. 

Two of the most under-represented groups in the survey were people from the Middle East and African Americans, who made up just 4% and 3% of respondents, respectively.

While the cybersecurity industry may be lagging behind in diversity, at least it's got a balanced approach to pay. 

Exabeam researchers wrote: "Men and women reported similar wages, and minorities made some of the highest salaries. African-Americans reported the highest median salary."

Job satisfaction was found to have decreased, with 71% of respondents very satisfied at work compared with 83% last year. Despite a fizzling out of workplace joie de vivre, 78% of respondents said that they would recommend cybersecurity as a career for new professionals and graduates. 

One reason behind this readiness to encourage others to embark on cybersecurity careers may be respondents' perception of job security, as 76% reported that they felt secure in their positions.

Median salaries were unchanged from 2018, falling in the $75,000 to $100,000 range.

"The lack of diversity in this survey is a microcosm of the wider problem plaguing the cybersecurity industry," said Trevor Daughney, VP of product marketing at Exabeam. 

"When we consider the continuous threats and external adversaries that cyber professionals face, we understand that fighting them often requires a multidisciplinary approach. Building a diverse team of people creates a more holistic view of the problem and delivers a range of valuable problem-solving skills. In that way, diversity truly improves the overall outcomes of the team."

Categories: Cyber Risk News

Chartered Institute: IT Security Industry is Stagnating

Thu, 10/24/2019 - 11:30
The IT security industry threatens to be overwhelmed by cyber-threats if it doesn’t relax hiring rules, the Chartered Institute of Information Security (CIISec) has warned.

In one of its first pronouncements since being awarded a prestigious Royal Charter, the industry body argued that the sector is stagnating and ill-equipped to cope with an escalating skills crisis.

Global skills shortages in the sector stand at nearly three million, including 142,000 in EMEA, according to the most recent stats. Only 24% of current infosec staff are thought to be women.

CIISec’s own survey of information security professionals revealed that 89% of respondents were male, and 89% were over 35, pointing to a major diversity issue.

Much of the problem is that employers continue to prioritize technical experience and skills when hiring, despite the fact that two-thirds (65%) of respondents to the survey claimed that learning on the job is preferable, CIISec said.

That means the industry is missing out on a potential trove of able candidates who have gained commensurate skills in other fields.

“The expectation that security is purely a technical subject has led to a focus only on very specific individuals to fulfill roles,” said Amanda Finch, CIISec CEO.

“Even if we weren’t in the middle of a skills crisis increased diversity should be a priority, but the present situation makes it critical. Expanding the industry’s horizons isn’t only essential to make sure the industry has the skills it needs. It will give a whole range of individuals the opportunity to thrive in a new career, and in the long term protect the industry from stagnation by introducing more varied backgrounds.”

To attract more diverse candidates, the industry needs to do a better PR job of raising awareness of the opportunities on offer.

Some 86% of industry professionals said the industry will grow over the next three years and 13% predicted it will “boom”.

“Key to all this will be both organizations and individuals having a framework that can show exactly what skills are necessary to fulfil what roles,” Finch continued.

“This will not only help hire the right people. It will also mean that the routes to progress through an individual’s career are clearly marked, ensuring that individuals who enthusiastically join the industry don’t over time become jaded or burn out due to a lack of opportunity.”

However, there have been PR setbacks: last week it emerged that Rebecca Burke, a former program lead who helped manage TalkTalk’s recovery from a major breach, was preparing to bring a landmark equal pay and unfair dismissal case.

Categories: Cyber Risk News

Action Fraud Snafu Leaves 9000 Cases Quarantined

Thu, 10/24/2019 - 10:07
Thousands of cybercrime reports sent to the UK’s centralized authority have been mistakenly identified as containing malware, meaning they were not investigated, according to a new report.

The report, Cyber: Keep the light on – An inspection of the police response to cyber-dependent crime, was produced by watchdog Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS).

It claimed that, although police forces and the National Crime Agency (NCA) are largely effective in tackling cybercrime, there is room for improvement.

It pointed to mistakes in the Know Fraud system, updated in October 2018, which led to a significant number of the reports normally sent to the National Fraud Intelligence Bureau (NFIB) by Action Fraud being held in quarantine.

“In some cases the automated system mistakenly identified reports as containing malicious coding. In April 2019, we were informed that approximately 9,000 reports were being treated in this way – although by July 2019 this had been reduced to approximately 6,500,” the HMICFRS report revealed.

“In these quarantined cases, victims haven’t received confirmation that their report has been received. Nor have they been reviewed for viable lines of enquiry or forwarded to forces for either victim care or investigation.”

The report urged City of London police, which runs Action Fraud, to urgently address the problem, provide the Home Office with an update and work to prevent a re-occurrence.

The report also pointed to a lack of public awareness about Action Fraud and confusion about the reporting process.

“One issue with the online tool is the reliance on victims to correctly identify the type of crime they have been a victim of. Self-reported cases often include incorrectly classified crimes and inaccurate or incomplete information,” it explained.

“The online tool also asks victims to assess how vulnerable they perceive themselves to be. This can lead to inconsistent results, which then need to be reassessed.”

In addition, 40% of calls into the Action Fraud hotline are abandoned before they are answered because of long wait times.

The report also argued that the current UK policing picture is too fragmented, and best practice knowledge isn’t shared effectively enough throughout — with too much variation between how cases are approached, and the effectiveness of local responses.

Categories: Cyber Risk News

£265m Data Breach Costs Could Have Been Avoided with £9600 Worth of Bug Bounties

Thu, 10/24/2019 - 09:29
New research from bug bounty and pen testing platform HackerOne has revealed that four major data breaches – British Airways (2018), Carphone Warehouse (2018), TicketMaster (2018) and TalkTalk (2015) – which cost over £265m in damages cumulatively, could have been prevented for as little as £9600 (collectively) with the use of bug bounty programs.

That estimate is based on typical bug bounty rewards paid to researchers that have discovered the same vulnerabilities that led to the above breaches. According to HackerOne, the research studied the costs, lawsuits and fines associated with the data breaches.

The firm claimed that the mammoth combined costs of the breaches could have been avoided had the vulnerabilities – which included malicious third-party JavaScript, an out-of-date WordPress interface and SQL injection – been identified and responsibly disclosed by researchers as part of a bug bounty program. HackerOne stated the victim organizations would have collectively only had to pay out between £9600 and £32,000, based on average bug bounty prices.

“Attack surfaces are growing all the time, and it’s a significant challenge just trying to stay ahead of cyber-criminals. The most secure organizations realize there are many ways to identify where they are most vulnerable,” said Prash Somaiya, security engineer at HackerOne.

“By running bug bounty programs and asking hackers to find their weak spots, our customers have safely resolved over 120,000 vulnerabilities before a breach could occur. This research is a rough estimate on bounty prices, based on our existing programs across the same industries, but it does highlight that companies can save millions and reduce risk by being proactive when it comes to identifying and patching their vulnerabilities.”

Categories: Cyber Risk News

AWS Left Reeling After Eight-Hour DDoS

Thu, 10/24/2019 - 08:46
Amazon Web Services (AWS) customers were hit by severe outages yesterday after an apparent DDoS attack took S3 and other services offline for up to eight hours.

The attack hit the cloud giant’s Route 53 DNS web service, which had a knock-on effect on other services including Elastic Load Balancing (ELB), Relational Database Service (RDS) and Elastic Compute Cloud (EC2), that require public DNS resolution.

A status update by AWS, since replaced, claimed: “Between 10:30 AM and 6:30 PM PDT, we experienced intermittent errors with resolution of some AWS DNS names. Beginning at 5:16 PM, a very small number of specific DNS names experienced a higher error rate. These issues have been resolved.”

A message sent to customers during this time clarified that the firm’s DNS servers were indeed experiencing a DDoS attack. The outages call into question the effectiveness of the AWS DDoS-mitigation platform Shield Advanced, especially as it appeared to have made things worse for some customers.

“Our DDoS mitigations are absorbing the vast majority of this traffic, but these mitigations are also flagging some legitimate customer queries at this time,” the firm said.

In an apparently unrelated incident, the Google Cloud Platform also experienced problems at around the same time yesterday, although it clarified that DDoS was not the cause.

The issues affected Google Compute Engine, Cloud Memorystore, Google Kubernetes Engine, Cloud Bigtable and Google Cloud Storage. They included network programming and packet loss for Cloud Networking customers and packet loss for Google Compute Engine users.

Anthony Chad, global SVP for Neustar, argued that the attack on AWS must have been significant.

“Citing potential mitigation concerns, this attack should serve as a reminder to security leaders to ensure they safeguard their cyber-defenses on an always-on basis across a number of levels, from the perimeter to websites and applications, underpinned by intelligence,” he added.

“Prevention is always better than the cure, and the cost of not doing so — from reputational damage to additional technology investment, compensation and possibly regulatory action — can have an undesired impact on the bottom line.”

Categories: Cyber Risk News

Bedside Robots May Have Been Used to Spy on Hotel Guests in Japan

Wed, 10/23/2019 - 18:18
A Japanese travel company has apologized after failing to prevent hackers from being able to spy on hotel guests in bed via in-room robots. 

A vulnerability in 100 bed-facing Tapia robots used in the Henn na Hotel Maihama Tokyo Bay meant that hackers could watch and listen to what guests got up to in bed.

The hotel, which is owned by H.I.S. Group, is famous for being staffed by androids. Guests can be checked in by a chatty dinosaur robot or ultra-polite humanoid reception bot on arrival. Hotel rooms are unlocked using facial recognition technology, and inside each room is a bed-side bot that acts as a virtual assistant.

A security researcher claimed on Twitter that he had warned the H.I.S. Group back in July that the bedroom robots were hackable. According to the researcher, the bots have unsigned code, which means that a user can tap an NFC tag to the back of the robot's head and allow access via whatever streaming app they choose.

By exploiting this vulnerability, anyone with access to the hotel room can use the robot's cameras and microphones to spy on guests. 

The researcher publicly announced the hack on October 13 after allegedly receiving no response from the hotel group.

Japanese newspaper the Tokyo Reporter said that H.I.S. Group has apologized for ignoring warnings that the in-room robots posed a massive privacy and security risk.

According to the newspaper, the company had decided that the chance of hackers gaining unauthorized access to the bots was too low to merit any action. The robots have now been updated and are no longer vulnerable.

H.I.S. Group said on Twitter: "We apologize for any uneasiness caused."

Thomas Hatch, CTO and co-founder at SaltStack, a provider of intelligent IT automation software, commented: "This is a situation where the general populace is being violated in unsuspected ways because of the rampant introduction of centrally managed devices, like robots, TVs, toys and more.

"We end up in a situation that is new to humanity, one where we are monitored more aggressively than our predecessors imagined, and not by central authorities but by criminals."  

Hatch predicted incidents of this nature will become increasingly common. He then said: "Even large companies with large resources are struggling to keep up with securing their assets, let alone smaller companies that are pushing these devices out to the world. Many smaller companies lack the proclivity or motivation to secure such devices."

Categories: Cyber Risk News

Cash-back Websites Expose 2 TB of Sensitive Information

Wed, 10/23/2019 - 16:57
Money-saving websites used by over 3.5 million bargain hunters have leaked 2 terabytes of sensitive information onto the dark web.

Data exposed by British website and Indian sister site includes bank details, full names, mobile phone numbers, email addresses, plain-text passwords and usernames, IP addresses, and more. Both sites are owned by PouringPounds Ltd.

The double breach was discovered by a group of Safety Detectives researchers led by hacktivist and cybersecurity expert Anurag Sen. Researchers found the sensitive data in a publicly exposed Elasticsearch database without any password protection.

The discovery was made during the commission of an ongoing ethical Safety Detectives web-mapping project that seeks to identify vulnerabilities and data breaches online and notify those responsible in order to improve online safety and security.

Researchers wrote: "The elastic server was publicly exposed without any password protection. Searching at a specific port, anyone could find it easily and take advantage of it maliciously. From what we can see, it was exposed since August 9, 2019."

The database of exposed sensitive information continued to grow as Safety Detectives investigated it, each day showing logs for that day plus the previous six days. 

Researchers wrote: "A bad actor could easily open an account and find the associated cash-back credit—available and ready to be transferred to any PayPal address easily. All you need to execute such a transaction would be the password which, again, we found available in plain text."
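As an added example (not Safety Detectives' code), the Python below tells an anonymously readable Elasticsearch node apart from one that demands credentials, and summarises which indices an unauthenticated client can see. The cluster banner and the index listing are constructed sample responses, the hostnames are placeholders, and port 9200 is assumed because it is the port a scanner would try first; probe() only touches the network when you call it against a host you are authorised to test.

```python
"""Distinguish an open Elasticsearch node from one that requires authentication.

Added example, not the researchers' code. Sample responses below are
constructed; nothing here contacts a real server unless probe() is called.
"""
import json
import urllib.error
import urllib.request

ES_DEFAULT_PORT = 9200  # assumption: the usual HTTP port for Elasticsearch


def classify(status: int, body: str) -> dict:
    """Interpret the response to GET / on an Elasticsearch port.

    200 with a cluster banner means anonymous read access; 401 means the
    node (or a proxy in front of it) is demanding credentials.
    """
    if status == 401:
        return {"exposed": False, "reason": "authentication required"}
    if status != 200:
        return {"exposed": False, "reason": f"unexpected status {status}"}
    try:
        banner = json.loads(body)
    except ValueError:
        return {"exposed": False, "reason": "not an Elasticsearch banner"}
    if not isinstance(banner, dict) or "cluster_name" not in banner:
        return {"exposed": False, "reason": "not an Elasticsearch banner"}
    version = banner.get("version") or {}
    return {
        "exposed": True,
        "reason": "anonymous access",
        "cluster": banner["cluster_name"],
        "version": version.get("number"),
    }


def summarise_indices(cat_indices_json: str):
    """Turn /_cat/indices?format=json into (index, doc count) pairs, largest first."""
    rows = json.loads(cat_indices_json)
    pairs = [(row["index"], int(row.get("docs.count") or 0)) for row in rows]
    return sorted(pairs, key=lambda pair: pair[1], reverse=True)


def probe(host: str, port: int = ES_DEFAULT_PORT, timeout: float = 5.0) -> dict:
    """Live check of one host; only use against systems you may test."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses standing in for what an exposed node returns.
OPEN_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "cashback-logs",
    "version": {"number": "6.8.2"},
    "tagline": "You Know, for Search",
})
CAT_INDICES = json.dumps([
    {"index": "user-logs-2019.08.09", "docs.count": "1523412"},
    {"index": ".kibana", "docs.count": "3"},
])

if __name__ == "__main__":
    print(classify(200, OPEN_BANNER))
    print(classify(401, ""))
    print(summarise_indices(CAT_INDICES))
```

A node that answers the banner request with 200 is readable by anyone who finds the port; the fix is to bind it to a private interface or put authentication (X-Pack security or an authenticating proxy) in front of it, so that the same request returns 401.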

Sen informed PouringPounds Ltd of the breach on September 4 but received no response. After several more attempts to contact the company, Sen finally heard back on September 21. The database, which had been exposed for six weeks by this point, was secured later that day. 

"Some companies always deny or try to minimize leaks," said a spokesperson from Safety Detectives. "While some companies react well by securing the breach promptly, other companies do not react quick enough and when eventually cornered tend to deny the breach or minimize the impact to preserve reputation."

Categories: Cyber Risk News

US Government Agencies Outline Security Strategy for 2020 Election

Wed, 10/23/2019 - 16:01
American government agencies gathered in Washington, DC, yesterday to describe how they plan to fight interference in next year's presidential election.  

In a lengthy hearing titled Securing America's Elections Part II: Oversight of Government Agencies, high-ranking members of the Departments of Justice and Homeland Security, the US Election Assistance Commission, and the Federal Bureau of Investigation (FBI) gave testimony before the House Judiciary Committee.

A common thread in the strategies presented before the committee was the importance of collaborating with social media companies and technology companies to fight attempts by non-Americans to use social media to influence the election's outcome. 

The security strategy presented by the US Election Assistance Commission focused on collaboration and the sharing of cybersecurity information between federal, state, and local partners in order to defend their infrastructure.

A four-pronged strategy was shared by the Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity arm of the Department of Homeland Security (DHS). CISA's action plan is to protect election infrastructure, support campaigns and political infrastructure, raise public awareness and build resilience, and efficiently share actionable intelligence and identify threats. 

"CISA, through the EI-ISAC, now provides threat alerts to all 50 states and more than 2,000 local and territorial election offices," Matthew Masterson, senior cybersecurity adviser at CISA, said in his testimony. "CISA also provides weekly vulnerability scans for 37 states, 145 local partners, one territory, and 10 private sector partners."

Meanwhile, the FBI said that they would be taking a three-pronged approach to election security comprising investigations and operations, information and intelligence sharing, and a strong partnership with the private sector.

The FBI's deputy assistant director for counterterrorism, Nikki Floris, said that the 2018 midterm elections had prompted the bureau's Foreign Influence Task Force (FITF) to review its practices. 

"As a result of this review, we further expanded the scope of the FITF. Previously, our efforts to combat malign foreign influence focused solely on the threat posed by Russia," said Floris. 

"Utilizing lessons learned over the last year and a half, the FITF is widening its aperture to confront malign foreign operations of China, Iran, and other global adversaries."

Underlining the importance of collaboration in protecting the integrity of next year's presidential election, Adam Hickey, deputy assistant attorney general at the Department of Justice’s National Security Division, said: "Combating malign foreign influence operations requires a ‘whole of society’ approach that relies on coordinated actions by federal, state, and local government agencies; support from the private sector; and the active engagement of an informed public."

Categories: Cyber Risk News

NCSC Blocked 658 Incidents Including Nation State Attacks

Wed, 10/23/2019 - 11:20
The National Cyber Security Centre (NCSC) has confirmed that it dealt with 658 incidents in the past year, of which a significant number were “from hostile nation states.”

As the NCSC launched its third annual review, in the same month as it marks three years in operation, it disclosed that government was the sector that received the most support from its Incident Management team, followed by academia, IT, managed service providers and, in joint fifth, health and transport.

Speaking at the report launch at the NCSC headquarters in London, chief executive Ciaran Martin said that whatever successes it had enjoyed were based on “strong clinical sponsorship” and it was “privileged to have strong political sponsorship, strong strategy, funding and autonomy to get on with the job.”

He added that whilst some attackers “are still doing the same things over and over again and too often getting through,” there are things we and organizational leaders can do to get ahead of the problem, and these include “practical and sensible measures like two-factor authentication, strong passwords, backups and for businesses to scan for vulnerabilities.”

Praising the “excellence” of the NCSC staff and “quality of partnerships” as being “essential to everything we do,” Martin said the role of the NCSC was not just about dealing with threats, but also about its international and domestic outreach to partners and businesses. He said that representatives of 56 different countries had visited the NCSC, and that it had developed an “indicator of compromise machine” that yields 1000 pieces of valuable data per month.

He went on to stress the need to look at “aging legacy systems” as we now have an aggregation of risk because of multiple connections and devices, and we need to do more to secure them. He admitted that not all of the risks will work, “but stand with us through the challenges, as if we get the basics right, we will achieve our mission of making the UK the safest place to live and do business online.”

In the past year, the NCSC has produced 154 threat assessments, delivered, along with sector and law enforcement partners, cybersecurity awareness and training sessions to more than 2700 charities, and welcomed 11,802 girls in the 2019 CyberFirst Girls Competition.

Minister for the Cabinet Office, responsible for resilience against cyber-attacks and protecting critical national infrastructure, Oliver Dowden welcomed the achievements “which shows that we are making the UK a more challenging place for our cyber adversaries to operate in."

He said: “We've made great progress on making the UK safer since launching our world-leading £1.9 billion cybersecurity strategy in 2015. Establishing the NCSC was a key part of this and has played a central role in tackling online threats posed by criminals, hacktivists and hostile nation states.”

Speaking at the launch, Dowden said that after the NCSC’s first two years, “the joint committee on national security strategy praised its impressive impact” and a year on, “there has been even more progress.” Dowden also said that this winter, the NCSC will relaunch the government's national cyber security campaign "Cyber Aware" informing the public about what they need to do to protect themselves from cybercrime.

The report features the success of the Active Cyber Defence (ACD) Programme, which was involved in the takedown of 177,335 phishing URLs 98 percent of phishing URLs, and flagging fraudulent intention against more than a million credit cards to banks. 

Categories: Cyber Risk News

Spanish Police Arrest Three in €10m BEC Bust

Wed, 10/23/2019 - 11:00
Spanish police have arrested three men in connection with a €10m Business Email Compromise (BEC) ring that targeted corporate victims around the world.

The Guardia Civil revealed on Tuesday that the group allegedly targeted 12 companies in Belgium, Venezuela, Bulgaria, Norway, the United States, Germany, Luxembourg, Portugal, Chile and the UK.

Attackers phished the accounts of senior managers at the victim organizations, using access to their accounts to request wire transfers of funds to bank accounts under their control. To make their efforts appear more legitimate, they attached invoices to these emails featuring the letterhead of the company.

They are said to have run a complex network of 83 fake companies and 185 bank accounts designed to launder the funds. Money was moved frequently between these to put investigators off the scent. So far, Spanish police have only been able to recover €1.3m of the total €10.7m stolen.

The group also ploughed some of the money into real estate, the Guardia Civil said.

Operation Lavanco, as it is known, was carried out with help from Europol, Interpol, the FBI and other national agencies like the German BKA.

Those arrested, on charges including membership of a criminal organization and money laundering, are between 34 and 67 years of age and residents of Seville, Cuenca, Tarragona and Albacete. A fourth suspect is currently under investigation, the Guardia Civil said.

The news comes just a month after a major global bust saw the arrest of 281 BEC suspects and the seizure of nearly $3.7m.

Operation reWired saw most arrests in Nigeria (167), with 74 in the US, 18 in Turkey and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia and the UK.

The FBI estimates that $1.3bn was lost to BEC scams last year.

Categories: Cyber Risk News

Magecart Group Linked to Dridex and Carbanak Malware

Wed, 10/23/2019 - 09:41
Security researchers have discovered close links between a digital skimming group, Dridex phishing campaigns and the notorious Carbanak malware.

Malwarebytes researchers Jérôme Segura, William Tsing, and Adam Thomas examined historical WHOIS data from before GDPR took effect (after which registrant details were largely redacted) to uncover those behind Magecart Group 5, they revealed in a new blog post.

Unlike many others using the notorious skimming code, the group usually attacks supply chain organizations with the hope of infecting many more websites and their customers.

Although it usually registers domains to support its activity using privacy protection services, the group appears to have made a mistake when it registered with Chinese bulletproof hoster BIZCN/CNOBIN.

The researchers’ digging revealed the name “Guo Tang,” a Beijing-based address and phone number, and an email address.

The latter has been used to register multiple domains used in phishing campaigns designed to deliver notorious banking trojan Dridex, including an efax attack on German users, and others spoofing the OnePosting and Xero brands, Malwarebytes revealed.

They also cited research by the Swiss CERT which claimed Dridex has in the past been used to deliver the Carbanak info-stealing malware.

The phone number from Magecart Group 5’s registrant information has also been linked to the Carbanak group, a cybercrime operation thought to have stolen hundreds of millions of dollars from global banks.
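The pivot the researchers describe, linking domains through a shared registrant email or phone number in pre-GDPR WHOIS records while ignoring the placeholder values that privacy-protection services substitute, as an added Python example that is not Malwarebytes' code. The WHOIS records are constructed stand-ins, not the real Magecart Group 5 registrant data, and the list of privacy-service markers is an assumption to be tuned for the registrars you see.

```python
"""Cluster domains by shared, non-anonymised WHOIS registrant attributes.

Added example, not the researchers' code. SAMPLE_WHOIS is constructed;
PRIVACY_MARKERS is an assumed list of substrings that privacy/proxy
registration services put in registrant fields.
"""
from collections import defaultdict

# Registrant values that belong to a privacy service, not a person; pivoting
# on these would wrongly tie every privacy-protected domain together.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "withheld")

PIVOT_FIELDS = ("email", "phone", "name")


def is_privacy_value(value: str) -> bool:
    """True for empty values or ones that look like a privacy-service placeholder."""
    lowered = value.lower()
    return not lowered or any(marker in lowered for marker in PRIVACY_MARKERS)


def build_pivots(records):
    """Index domains by each usable (field, value) registrant attribute."""
    pivots = defaultdict(set)  # (field, normalised value) -> {domains}
    for rec in records:
        for field in PIVOT_FIELDS:
            value = rec.get(field, "")
            if is_privacy_value(value):
                continue
            pivots[(field, value.lower())].add(rec["domain"])
    return pivots


def cluster(records, seed_domain):
    """Follow shared registrant attributes transitively from a seed domain.

    Returns the set of linked domains and the (field, value) pivots that
    produced the links, so an analyst can see *why* two domains were joined.
    """
    pivots = build_pivots(records)
    seen = {seed_domain}
    frontier = [seed_domain]
    used = set()
    while frontier:
        domain = frontier.pop()
        for key, domains in pivots.items():
            if domain not in domains or len(domains) < 2:
                continue  # attribute is unique to this domain: nothing to pivot on
            new = domains - seen
            if new:
                used.add(key)
                seen.update(new)
                frontier.extend(new)
    return seen, used


# Constructed records: one "mistake" domain registered with real-looking
# details, two others sharing one attribute each, and an unrelated domain
# that only shares a privacy-service placeholder.
SAMPLE_WHOIS = [
    {"domain": "skimmer-cdn.example", "name": "J. Doe",
     "email": "reg1@example.net", "phone": "+86 10 0000 0000"},
    {"domain": "efax-invoice.example", "name": "Privacy Protect",
     "email": "reg1@example.net", "phone": "REDACTED FOR PRIVACY"},
    {"domain": "xero-login.example", "name": "WhoisGuard Protected",
     "email": "contact@whoisguard.example", "phone": "+86 10 0000 0000"},
    {"domain": "unrelated-shop.example", "name": "Privacy Protect",
     "email": "contact@whoisguard.example", "phone": "REDACTED FOR PRIVACY"},
]

if __name__ == "__main__":
    linked, why = cluster(SAMPLE_WHOIS, "skimmer-cdn.example")
    print(sorted(linked))
    print(sorted(why))
```

The unrelated domain stays out of the cluster because the only attributes it shares are privacy-service placeholders; that filter is what separates a genuine registrant pivot from noise, and it is the step to check first when a cluster looks implausibly large.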

“Victimology helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit,” concluded Malwarebytes.

“In contrast, we believe that the bigger breaches that reel in a much larger prize are conducted by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground.”

Categories: Cyber Risk News

Facebook Removes Russian and Iranian Fake Accounts Ahead of 2020

Wed, 10/23/2019 - 08:31
Facebook has taken down more Russian and Iranian fake accounts and Pages as part of its efforts to trawl for coordinated misinformation operations ahead of the 2020 US elections.

The three Iranian and one Russian operation targeted users in various regions of the world. The respective accounts were removed not for the content they displayed but because they coordinated activity with each other and misrepresented themselves to users, according to the social network’s head of cybersecurity policy, Nathaniel Gleicher.

Of the four campaigns, the most interesting is the Russian one. Facebook removed 50 Instagram accounts and one account on Facebook which it claimed may have been run by the notorious Internet Research Agency (IRA).

The IRA was indicted as part of Robert Mueller’s investigation of Russian interference in the 2016 Presidential election.

Ironically, the attempts of those behind the accounts to conceal their identity and location made it difficult for them to build a following among genuine users.

“The people behind this activity used fake accounts — some of which were previously detected and disabled by our automated systems as inauthentic and engaged in spam. These accounts followed, liked and occasionally commented on others’ posts to increase engagement on their own content,” explained Gleicher.

“They primarily reused content shared across internet services by others, including screenshots of social media posts by news organizations and public figures. A small portion of these accounts also repurposed and modified old memes originally posted by the IRA. The people behind this operation often posted on both sides of political issues including topics like US elections, environmental issues, racial tensions, LGBTQ issues, political candidates, confederate ideas, conservatism and liberalism.”

In total, around 246,000 accounts followed one or more of the fake Instagram accounts, most (60%) of which were located in the US.

Elsewhere, Facebook removed 93 Facebook accounts, 17 Pages and four Instagram accounts originating in Iran, targeting the US and French-speaking audiences in North Africa.

A separate take-down saw the removal of 38 Facebook accounts, six Pages, four Groups and 10 Instagram accounts originating in Iran and focusing on South American countries including Venezuela, Brazil, Argentina, Bolivia, Peru, Ecuador and Mexico.

Finally, the firm removed four Facebook accounts, three Pages and seven Instagram accounts that originated in Iran and focused mainly on the US, spreading content on political issues.

Categories: Cyber Risk News

New Alliance Aims to Scupper Cyber-attacks on Operational Technology

Tue, 10/22/2019 - 18:39
A new global alliance has formed with the mission to protect operational technology used in critical and industrial infrastructure from cyber-threats. 

If disrupted, operational technology (OT)—the hardware and software dedicated to monitoring and controlling physical devices such as valves and pumps—can reduce productivity, cause ecological damage, and even compromise human safety. 

The new Operational Technology Cyber Security Alliance (OTCSA) will follow a five-pronged approach to reduce the risk of cyber-attacks. First, the alliance will take action to strengthen the cyber-physical risk posture of OT environments and interfaces for OT/IT interconnectivity.

Second, OTCSA will guide OT operators on how to protect their OT infrastructure based on a risk management process and reference architectures/designs that are demonstrably compliant with regulations and international standards.

Third, the new guardian group will guide OT suppliers on secure OT system architectures, relevant interfaces, and security functionalities. The fourth task on OTCSA's to-do list is to support the procurement, development, installation, operation, maintenance, and implementation of a safer, more secure critical infrastructure.

And finally, the members of the global alliance will seek to accelerate the time to adopt safer, more secure critical infrastructures.

OTCSA is the first industry group to focus specifically on improving cyber-risk posture by providing tangible architectural, implementation, and process guidelines to OT operators so that they can navigate necessary changes, upgrades, and integrations to evolving industry standards and regulations. 

These robust security guidelines will cover the entire lifecycle—procurement, development, deployment, installation, operation, maintenance, and decommissioning—and address aspects related to people, processes, and technology.

OTCSA launched today, with industry leaders ABB, Check Point Software, BlackBerry Cylance, Forescout, Fortinet, Microsoft, Mocana, NCC Group, Qualys, SCADAFence, Splunk, and Wärtsilä as confirmed members of the alliance. 

Membership is open to any company that operates critical infrastructure or general OT systems to run its business as well as companies providing IT and OT solutions.

"OT has typically been managed as individual devices, which has made it very difficult for IT to maintain its cybersecurity mandate. Senior executives are tasking operations executives to get their OT systems integrated into the overall enterprise cybersecurity governance," said Kevin Prouty, group VP for IDC energy insights and manufacturing insights.

Categories: Cyber Risk News

American High School Hack Linked to Epic Water Fight

Tue, 10/22/2019 - 17:56

Students at a Pennsylvania high school are being questioned by police after allegedly hacking into a school website to gain a competitive edge in a high-stakes water gun fight.

A breach of student college and career resource website Naviance was discovered by the Downingtown Area School District on October 11. An investigation by the district revealed that 12,600 students' addresses, ID numbers, grade point averages (GPAs), and SAT scores had been compromised.

Downingtown East High School became aware of the breach after a Top 50 GPA list began circulating around the school. The Downingtown Area School District notified police of the breach last Tuesday and sent a letter out to parents last Thursday.

In the letter, the district alleged that the hack was committed by a group of Downingtown East High School students seeking victory in a water gun fight played outside of school. The game, which is known as "senior water games" or "assassin," usually involves a cash payout to the winner.

According to the district, the students hacked into Naviance to access the home addresses of other students playing the water fight game.

"No information was altered or manipulated in any way. There are no social security numbers for students or parents in any of our systems. No credit card information is stored in these systems, and no credit card information was compromised," wrote the district.

Multiple students are currently being questioned over the breach. 

"The consequences for these young individuals [are] likely to be severe. Cyber-hacking is a federal crime, and we are working with the proper authorities to determine the appropriate discipline and legal ramifications," wrote the district. 

In a statement released on Friday, Uwchlan Township Police Department said: "Based on the investigation by the Downingtown Area School District, and the ongoing investigation of the Uwchlan Township Police Department, determinations will be forthcoming as it pertains to any and all criminal charges for those who are responsible."

Commenting on the breach, Mike Gauntlett wrote on Facebook: "It's a shame that the school would involve the police for a matter like this, when traditionally this sort of thing would have been handled via detention.

"Based on the letter from the DASD IT Director, it seems that DASD was not following standard best practices to secure student data, making this sort of hack all but inevitable. Further, there has been no communication from the district indicating that they have taken action to fix these issues, making it almost certain that this will happen again in the future."

Categories: Cyber Risk News

McAfee Names Alexis Bledel Most Dangerous Celebrity

Tue, 10/22/2019 - 16:12

McAfee revealed today that the most dangerous celebrity to search for online is American actress Alexis Bledel. 

An annual study by the security software company into which celebrity-based internet searches expose users to the most risk found more malicious websites, malware, and other risky outcomes linked to Bledel than to any other famous person. 

Bledel became a household name for her long-running role as Rory Gilmore in famously fast-talking comedy-drama Gilmore Girls. More recently, the Texas-born actress has graced TV screens as Ofglen in The Handmaid's Tale and has appeared on the big screen in the Sisterhood of the Traveling Pants movies. 

The second most dangerous celebrity in the hunt for online gossip was British comedian, actor and host of The Late Late Show, James Corden OBE.

Threat actors setting online traps for adoring fans of the rich and famous showed a slight preference for using female celebrities as bait. Of the top ten most dangerous stars to search for online identified by McAfee, six are women.  

Game of Thrones star Sophie Turner made the list at number 3, followed by actresses Anna Kendrick and Lupita Nyong'o. Rapper Nicki Minaj came in at 9, and Tessa Thompson, known for her role as Marvel's first LGBTQ superhero, was listed as number 10. 

Male celebrities who proved popular with threat actors were comedian and former SNL star Jimmy Fallon, who was number 6 on the list; martial arts master Jackie Chan, who came in at 7; and finally American rapper Lil Wayne, who was named the eighth most dangerous.  

Unlike 2018’s list of most dangerous celebrities, reality TV stars ranked low on this year’s list. Kristin Cavallari and Kourtney Kardashian, who made last year’s top 10, have now dropped to numbers 214 and 222, respectively.

"Consumers may not be fully aware that the searches they conduct pose risk, nor may they understand the detrimental effects that can occur when personal information is compromised in exchange for access to their favorite celebrities, movies, TV shows, or music," said Gary Davis, chief consumer security evangelist at McAfee. 

"Criminals use deceptive websites to dupe unsuspecting consumers into accessing malicious files or content. It is essential that consumers learn to protect their digital lives from lurking cyber-criminals by thinking twice before they click on suspicious links or download content."

Categories: Cyber Risk News

Thousands Warned Over Home Group Data Breach

Tue, 10/22/2019 - 11:00

The Home Group – one of the biggest housing associations in the UK – has warned around 4000 customers that their personal details may have been stolen after the company suffered a data breach.

As reported by the BBC, Home Group said the breach involved customer names, addresses and contact information, but no financial data. The organization explained that the breach was identified by a third party cybersecurity expert and affected customers in properties in England, including those in the North East, North West and Yorkshire.

The issue was resolved within 90 minutes, according to Home Group spokespeople.

Chief financial officer, John Hudson, said: “We were made aware of a potential data vulnerability and immediately responded to and resolved the issue.

“We have a robust incident response protocol in place to deal with situations such as this, which meant the vulnerability was identified and fixed extremely quickly.

“We have contacted all customers affected and I want to reassure all our customers that their information is secure and that we follow strict guidelines and protocols when it comes to data sharing and cybersecurity.”

Commenting on the news, Javvad Malik, security awareness advocate at KnowBe4, said: “It’s unclear at this moment how the company was breached, but it is encouraging to see the company was able to quickly respond to the breach, and inform its affected customers once notified by a third party.”

However, he added, companies should be building their own detection capabilities so that they are not reliant on third parties to disclose any breaches.

“Similarly, while the company claimed to have resolved the issue within 90 minutes, that is still ample opportunity for records to be accessed and copied,” Malik argued.

Categories: Cyber Risk News

Trend Micro Tackles Cloud Misconfigurations with Latest Acquisition

Tue, 10/22/2019 - 09:48

Trend Micro has announced the acquisition of Australian start-up Cloud Conformity, in a deal which will see it expand its cloud security portfolio to include mitigations for customer misconfigurations.

Following the reported $70m deal, Trend Micro is offering the Cloud Security Posture Management (CSPM) company’s solution immediately to its global customers.

Cloud Conformity offers a single pane of glass via which companies can gain complete visibility into their AWS and Azure environments, receive alerts and prioritize remediation to improve security, governance and compliance efforts.

Crucially, this will help customers get on top of a common challenge facing many today: how to correctly configure cloud deployments so as not to expose the organization to possible cyber-risk.

Trend Micro cited Gartner findings that by 2023, 99% of cloud security failures will be the customer’s fault, and that “through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.”

Incidents of data leaks resulting from such misconfigurations hit the headlines virtually every week. Just today, Infosecurity reported on an exposed database hosted on AWS which leaked the travel and personal details of US military and government employees.

“We have been laser focused on building integrated security for the cloud since its birth over a decade ago, unlike other vendors who are now attempting to stitch together disparate cloud technologies,” said Trend Micro CEO, Eva Chen.

“As more enterprises move to the cloud, our customers feel they’re operating amid a wild-west approach to cloud implementations that leave them with unmanaged risk. As an AWS technology partner of the year for 2019, Cloud Conformity understands these implementations and the risks. Its offering perfectly complements our own portfolio and provides immediate value to customers. Both the people and technology are a great fit for Trend Micro.”

Categories: Cyber Risk News

US Military Personnel Exposed in Latest Cloud Data Leak

Tue, 10/22/2019 - 09:30

Researchers have discovered another unsecured Elasticsearch database, this time exposing data on thousands of travelers including US military and government employees.

The research team at vpnMentor discovered the online database hosted on AWS infrastructure, on September 13. It belonged to Autoclerk, a reservations management system now owned by hotel chain Best Western Hotels and Resorts Group.

The database contained over 179GB of data, often sourced from third party travel and hospitality platforms including OpenTravel, HAPI Cloud, and Synxis. Among these were hundreds of thousands of bookings and reservations, exposing personal details such as: full name, date of birth, home address, phone number, dates & costs of travel, and masked credit card details.

For ordinary travelers caught in leaks like this, there is the risk of follow-on phishing attacks and identity fraud attempts, as well as a chance that attackers could target their home while they are away.

However, there are even more concerning national security implications for the government personnel data exposed in the incident.

“One of the platforms exposed in the database was a contractor of the US government, military, and DHS. The contractor manages the travel arrangements of US government and military personnel, as well as independent contractors working with American defense and security agencies,” explained vpnMentor.

“The leak exposed the personally identifying information (PII) of personnel and their travel arrangements. Our team viewed logs for US army generals traveling to Moscow, Tel Aviv, and many more destinations. We also found their email address, phone numbers, and other sensitive personal data.”

The firm urged US government officials to urgently vet any third-party contractors to ensure they follow strict data security protocols when handling sensitive information of this kind.

The data in question was left exposed for nearly a month, until the database was closed on October 2.

Cloud database misconfigurations have become an Achilles’ heel for many organizations, argued DivvyCloud CTO, Chris DeRamus.

“Companies must adopt robust security strategies that are appropriate and effective in the cloud, at the same time as adoption of cloud services — not weeks, months or years later,” he added.

“Automated cloud security solutions can detect misconfigurations such as an unprotected database in real time and trigger immediate remediation, so that Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.”
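The Autoclerk leak above, and the misconfiguration problem that the Trend Micro/Cloud Conformity story describes, both come down to a datastore listening on a port that a network rule lets the whole internet reach. The script below is an added example, not code from the article, vpnMentor, DivvyCloud or Trend Micro: it audits the JSON shape returned by `aws ec2 describe-security-groups` and flags inbound rules that expose well-known datastore ports (Elasticsearch's 9200/9300 among them) to 0.0.0.0/0 or ::/0. The three security groups are constructed for this example, and the port-to-service table is an assumption you would extend for your own estate.

```python
"""Audit EC2 security-group rules for datastore ports reachable from the whole internet.

Added example (not the article's or any vendor's code). Input is the list under
"SecurityGroups" in `aws ec2 describe-security-groups` output; the sample groups
below are constructed for this example.
"""
import ipaddress
import json

# Datastores that are commonly deployed without authentication by default.
# Assumed list: extend it for the services in your own environment.
DATASTORE_PORTS = {
    9200: "Elasticsearch HTTP",
    9300: "Elasticsearch transport",
    27017: "MongoDB",
    6379: "Redis",
    5432: "PostgreSQL",
    3306: "MySQL",
    5601: "Kibana",
}

# Protocols on which a TCP datastore port can be reached: "tcp", its IANA
# number "6", or "-1" (all traffic). ICMP/UDP rules are ignored.
TCP_PROTOCOLS = {"tcp", "6", "-1"}


def is_world_open(cidr):
    """True if the CIDR covers the entire address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_ports(perm):
    """Port range of an IpPermission; IpProtocol "-1" carries no FromPort/ToPort."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _rule_cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR a rule admits."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_exposed_datastores(groups, ports=DATASTORE_PORTS):
    """Return (group_id, port, service, cidr) for each datastore port open to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in TCP_PROTOCOLS:
                continue
            open_cidrs = [c for c in _rule_cidrs(perm) if is_world_open(c)]
            if not open_cidrs:
                continue
            lo, hi = _rule_ports(perm)
            for port, service in ports.items():
                if lo <= port <= hi:
                    for cidr in open_cidrs:
                        findings.append((sg["GroupId"], port, service, cidr))
    return findings


# Constructed sample: one group with Elasticsearch open to the world (the
# Autoclerk-style mistake), its fixed counterpart restricted to a VPC range,
# and an all-traffic rule open to IPv6.
SAMPLE_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "search-cluster",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
      "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary debug access"}],
      "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "search-cluster-fixed",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "wide-open",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}""")["SecurityGroups"]


if __name__ == "__main__":
    for group_id, port, service, cidr in find_exposed_datastores(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) reachable from {cidr}")
```

Run against live output with `aws ec2 describe-security-groups | python -c 'import json,sys; ...'` feeding `json.load(sys.stdin)["SecurityGroups"]` into `find_exposed_datastores`. The check deliberately treats an all-traffic rule (`IpProtocol: "-1"`) as exposing every port, since that is how the sg-0ccc pattern turns up in real estates, and it ignores UDP and ICMP rules so they do not produce false positives for TCP-only datastores.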

Categories: Cyber Risk News

German Automation Giant Still Down After Ransomware Attack

Tue, 10/22/2019 - 08:56

One of the world’s biggest producers of automation tools is still crippled over a week after it was hit by a ransomware attack.

German giant Pilz was forced to notify the prosecutor’s office and the Federal Office for Information Security (BSI) after suffering a targeted cyber-attack the Sunday before last.

However, despite setting up an incident response team to locate the source of the attack and resolve the disruption, it warned that outages will continue for several more days.

“Since Sunday, October 13, 2019, all server and PC workstations including the communication network of the automation company have been affected worldwide. The website is currently only partially functional,” it noted in a status update.

“As a precaution, the company has removed all computer systems from the network and blocked access to the corporate network.”

The IT disruption appears to have affected delivery of shipments and communications, although email came back online around the world on Friday. The last update from the company yesterday claimed that deliveries had restarted in “certain areas.”

It’s unclear which these are, however: Pilz operates in over 70 countries around the world, across Europe, Asia Pacific and the Americas.

The firm offers a range of products vital to automate industrial environments, including: configurable safety controllers; programmable safety systems; safety sensors; operator and visualization systems; networks; system and application software; drive technology; integrated standard and safety automation systems.

Pilz is the latest in a long line of large enterprises targeted by ransomware authors looking for a big ROI on attacks.

Back in March, Norsk Hydro, the world’s number one aluminium producer, was hit by the LockerGoga variant in an attack which is said to have cost the firm at least $41m. More recently, US mailing technology company Pitney Bowes and French media giant Groupe M6 were both caught out.

Ransomware detections grew 77% from the second half of 2018 to the first six months of this year, according to Trend Micro.

Categories: Cyber Risk News

Ad Targeting Gamers Successfully Cuts Cybercrime

Mon, 10/21/2019 - 19:20

An advertising campaign warning that DoS attacks are illegal has proved successful in reducing cybercrime. 

In a new study, researchers from the University of Cambridge and the University of Strathclyde looked at four different cybercrime prevention methods employed by law enforcement agencies in the US and UK. 

The results showed that while high-profile arrests caused only a two-week reduction in the number of cyber-attacks taking place, targeted messaging campaigns and the takedown of infrastructure led to a sharper and longer-term reduction in cybercrime.

Sentencing was found to have no widespread effect on reducing crime, perhaps because attackers in one country weren’t affected by sentences meted out elsewhere.

The research, which was presented today at the ACM Internet Measurement Conference in Amsterdam, focused particularly on denial of service (DoS) attacks. These attacks generate a large amount of traffic that overwhelms end users or web services, taking them offline. 

DoS attacks can be purchased easily from so-called "booter" service websites for just a few dollars. This cheap and accessible form of attack is popular within the gaming community as a way of wreaking revenge on another user. 

"Law enforcement are concerned that DoS attacks purchased from a booter site might be like a ‘gateway drug’ to more serious cybercrime," said Ben Collier from Cambridge’s Department of Computer Science & Technology, the paper’s first author. 

Collier and his colleagues from the Cambridge Cybercrime Centre used two datasets with granular data about the attacks from booter sites, and then modeled how the data correlated with different intervention tactics from the National Crime Agency (NCA) in the UK, the Federal Bureau of Investigation (FBI) in the US, and other international law enforcement agencies.

From late December 2017 to June 2018, the NCA targeted young gamers in the UK with Google adverts explaining that DoS attacks are illegal. The adverts would appear when a user searched for booter services.

"It’s surprising, but it seems to work, like a type of digital guardianship," said Collier. "At the exact moment you get curious about getting involved in cybercrime, you get a little tap on the shoulder.

"It might not work for people who are already involved in this type of cybercrime, but it appeared to dramatically decrease the numbers of new people getting involved."

Categories: Cyber Risk News