Info Security


US Border Officers Humbled by Fourth Amendment Ruling

Wed, 11/13/2019 - 10:30

Privacy groups are celebrating after a federal court ruled that suspicion-free searches of travellers’ electronic devices at the US border are unconstitutional.

The original lawsuit was filed by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF) and ACLU of Massachusetts, on behalf of 11 travellers whose smartphones and laptops were searched without suspicion on entry to the US.

According to the Boston court’s ruling, Customs and Border Control (CBP) and Immigration and Customs Enforcement (ICE) officers must now demonstrate suspicion of “illegal contraband” before being able to search an individual’s device.

According to EFF, searches at US ports have rocketed recently. It claimed that CBP carried out more than 33,000 last year, nearly four times the number from three years previously.

Esha Bhandari, staff attorney with the ACLU’s Speech, Privacy, and Technology Project, argued that travellers can now travel to the US without fear that the government will impinge on their privacy.

“This ruling significantly advances Fourth Amendment protections for millions of international travellers who enter the United States every year,” she added. “By putting an end to the government’s ability to conduct suspicionless fishing expeditions, the court reaffirms that the border is not a lawless place and that we don’t lose our privacy rights when we travel.”

The EFF pointed to several cases where border guards had apparently abused their powers to search travellers coming into the US.

This includes one example where an officer rifled through privileged attorney-client communication on an individual’s electronic device, and another alleged case where a Harvard freshman was denied entry after the officer noted social media posts from his friends critical of the government.

Categories: Cyber Risk News

Microsoft Patches IE Zero-Day Bug

Wed, 11/13/2019 - 09:40

Microsoft released fixes for 75 vulnerabilities during this month’s patch update round, including one zero-day flaw in Internet Explorer.

The bug in question, CVE-2019-1429, exists in the way the scripting engine handles objects in memory in the browser, corrupting memory so an attacker can execute arbitrary code, according to Microsoft.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” it explained.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine."

An attacker could also take advantage of compromised websites and those that accept or host user-provided content or ads, Microsoft continued.

Another one to watch is CVE-2019-1457, a publicly disclosed vulnerability in Excel which could bypass security features.

“An attacker could embed a control in an Excel worksheet that specifies a macro should be run. Whatever is executed in the macro that was triggered by bypassing the security settings of Excel would be the real risk of this vulnerability,” explained Ivanti director of security solutions, Chris Goettl.

“This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed, threat actors have had a jump start on being able to develop an exploit to take advantage of the CVE. This puts the vulnerability at higher risk of exploitation.”

Microsoft has also issued an advisory on a flaw in some Trusted Platform Modules (TPM) chipsets from STMicroelectronics, which may require a firmware update to the TPM.

Elsewhere, Adobe issued patches for 45 critical vulnerabilities in Acrobat and Reader that should be prioritized for workstations.

Categories: Cyber Risk News

Orvis Passwords Leaked Twice on Pastebin

Tue, 11/12/2019 - 19:18

Internal passwords belonging to American retailer Orvis were twice leaked online in a double data breach. 

Credentials belonging to the luxury fishing equipment purveyor were posted on the website last month, according to investigative reporter Brian Krebs.

A swathe of plaintext usernames and passwords relating to everything from firewalls and routers to database servers and even administrator accounts was exposed for several weeks. 

The leaked files from the Vermont-based retailer included credentials for security cameras, door controllers, door and alarm codes, and FTP credentials, and even showed the combination to a locked safe in the company's server room. 

Krebs was tipped off about the data breach in late October by Wisconsin-based security firm Hold Security. Company founder Alex Holden said an enormous file containing internal passwords relating to Orvis had been posted to Pastebin on October 4 and again on October 22.

Holden's finding was corroborated by a company that aggregates information from leaked databases online. However, a spokesperson for Orvis would only acknowledge that one much shorter breach had occurred.

Orvis spokesperson Tucker Kimball told Krebs: "The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones. 

"We are leveraging our existing security tools to conduct an investigation to determine how this occurred."

Orvis is America's oldest mail-order retailer and was founded in 1856. The company has 69 retail stores and 10 outlets in the US plus a further 18 stores in the UK, and employs 1,700 people. 

How the passwords came to be on Pastebin is unknown, though potential sources could include an internal threat actor or a malicious or perhaps simply careless third party. 

Kelly White, CEO of RiskRecon, commented: "Security teams need to get into the mindset that their risk surface spans to all people, processes, and technology that touch their data, including subcontractors. Too often, organizations require less of their vendors and subcontractors than they do of their own personnel. 

"While employees are formally trained in handling of sensitive information and required to use corporate administered systems, subcontractors are not; no training in handling of sensitive data and allowed to use their own systems. When incidents like this happen, it is no surprise that existing security standards aren't met—the subcontractor likely wasn't even aware of them." 

Orvis did not reply to a request for further comment.

Categories: Cyber Risk News

PortSwigger Launches Web Security Academy

Tue, 11/12/2019 - 19:16

PortSwigger has launched a free interactive training platform in an attempt to address the global shortage of cybersecurity talent. 

The makers of Burp Suite cut the ribbon on the new Web Security Academy last month following a soft launch of the platform in April 2019, which a PortSwigger spokesperson said had garnered "overwhelmingly positive user feedback."

The Web Security Academy features a vast amount of high-quality reading materials and interactive labs of varying levels of difficulty. Inside the free resource, users are able to access a safe testing environment in which to experiment without incurring any kind of legal risk.

Content will be continuously updated, with new topics and material added regularly to reflect the ever-changing nature of the cyber-threat landscape. Learning materials currently available on the site include labs on clickjacking, WebSocket, HTTP request smuggling, server-side request forgery, and XXE injection.

Users of the new platform can track their progress and indulge in a little healthy competition via live leader boards. Learning is offered at a pace set by the user and without the pressure of deadlines, although the first user to finish each freshly released lab will get their name in the Hall of Fame and win some Burp Suite swag. 

After six months of being tested out and tweaked in beta, the Web Security Academy was officially launched on October 29. 

The academy is led by PortSwigger founder and CEO and author of The Web Application Hacker's Handbook, Dafydd Stuttard, along with PortSwigger's world-renowned research team.

"There has been huge demand for a third edition of The Web Application Hacker's Handbook. After much thought, I concluded that writing another paper book wasn't the right option today. Much better to produce an online edition that is interactive, actively maintained, and accessible to everyone. The Web Security Academy is exactly that," said Stuttard.

The launch of the new free training website follows news reported last week that global IT security skills shortages have now surpassed four million. 

Research conducted by recruitment firm Outsource found that since 2014, the number of organizations reporting a problematic security skills shortage has more than doubled, from 23% to 51%.

Categories: Cyber Risk News

Aqua Security Acquires CloudSploit

Tue, 11/12/2019 - 18:35

CloudSploit has been acquired by Aqua Security for an undisclosed sum.

Aqua Security, the leading platform provider for securing container-based, serverless, and cloud native applications, announced the acquisition of security auditing and monitoring tool CloudSploit today. 

The American company said the addition of CloudSploit will enable them to expand into cloud security posture management (CSPM) and give their customers the option of continuous security monitoring.

Co-founded by Matthew Fuller and Josh Rosenthal, CloudSploit was built on open source foundations and has benefited from the contributions of cloud users and experts since its inception in 2015. 

CloudSploit’s SaaS-based platform allows customers to monitor their public cloud accounts and access an overview of their entire estate of cloud resources. It automatically manages cloud security risk and benchmarks against industry standards to ensure compliance.

CloudSploit works as an auditing tool to check the configuration state of services in users' IaaS accounts for potential misconfigurations that lead to security breaches. The platform also monitors activity in users' accounts for suspicious behavior and insider threats in real-time. 

"We are excited to add CloudSploit to Aqua’s cloud-native security portfolio," said Dror Davidoff, CEO of Aqua Security.  

"Aqua protects the world’s largest cloud native environments; with CloudSploit our customers can now continuously monitor and manage their cloud security posture across their multi-cloud infrastructures."

CloudSploit is the second open-source investment by Aqua since August, when the company announced its acquisition of the Trivy vulnerability scanner.

A spokesperson for Aqua Security said: "With the addition of CloudSploit and VM Security, Aqua’s customers can more effectively manage risk and protect against threats for their multi-cloud environments across the full application stack, from infrastructure, application workloads and code."

Aqua has also added significant new capabilities to its Cloud Native Security Platform (CSP), deepening protection of virtual machines. Aqua CSP now protects VMs for complete cloud workload protection.   

Aqua’s VM security solution delivers file integrity monitoring, machine image assurance, network discovery, and micro-segmentation to hosts for full visibility of infrastructure and application threats. Organizations can now protect their cloud native workloads from a single control panel for improved visibility and efficient remediation.   

Categories: Cyber Risk News

Microsoft to Extend California Privacy Law US-Wide

Tue, 11/12/2019 - 12:00

Microsoft has announced plans to extend the privacy provisions provided in a landmark new Californian state law to users across the US.

The California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. It’s set to offer more GDPR-like protections and rights to the Golden State’s citizens, such as the ability to find out what personal information of theirs companies are collecting and to prevent it from being sold to third parties.

However, it doesn’t go as far as the EU legislation in terms of large fines for erring companies, its definition of personal information, the need for Data Protection Officers (DPOs) and other elements.

That said, it has come under heavy criticism from tech firms that make money from selling their customers’ personal information. There have also been efforts at a federal level to draft a new law which would supersede the Californian one, but lawmakers are split down party lines.

That’s offered Microsoft an opportunity to differentiate from much of the tech sector by supporting the CCPA US-wide, just as it has done by promising to extend GDPR protections to all customers.

“While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction,” explained Microsoft chief privacy officer, Julie Brill.

“We are optimistic that the California Consumer Privacy Act — and the commitment we are making to extend its core rights more broadly — will help serve as a catalyst for even more comprehensive privacy legislation in the US.”

Categories: Cyber Risk News

UK Labour Party Hit By “Sophisticated” and “Large-Scale” Cyber-Attack

Tue, 11/12/2019 - 10:53

The UK Labour Party has stated that it has been hit by a “sophisticated and large-scale cyber-attack” on its digital platforms.

As reported by Sky News, a party spokesperson said that the attack failed to breach any data because of the party’s robust security systems.

“Security procedures have slowed down some of our campaign activities, but these were restored this morning and we are back up to full speed,” she said. “We have reported the matter to the National Cyber Security Centre.”

It is believed that the attack was a distributed denial-of-service (DDoS) attack.

Commenting on the news, Corin Imai, senior security advisor at DomainTools, said: “This should be a significant concern to all voters in the UK regardless of their political viewpoints. During a General Election, it is imperative that the main political parties are all given a fair and impartial hearing, and considering the importance of digital campaigning in modern election cycles, a DDoS attack such as this could give other parties an advantage.

“While there is no indication of where this cyber-attack comes from, and it is obviously encouraging that the Labour party said these attempts failed, the incident is an example of just how susceptible to cyber-criminal activity our democratic process can be.”

Dean Ferrando, systems engineer manager – EMEA, at Tripwire, added: “Political organizations should boost their security resources in this particularly sensitive election period, and make sure they implement the necessary patches, system upgrades and security measures. There is always a danger that attacks on this scale are around the corner. It just means organizations need to be one (or four) steps ahead of the attackers.”

Categories: Cyber Risk News

Just a Third of Global Firms Are PCI DSS Compliant

Tue, 11/12/2019 - 10:45

The number of global organizations fully compliant with PCI DSS regulations has fallen for the second year in a row to just under 37%, according to a new report from Verizon.

The firm’s annual Payment Security Report (PSR) has tracked compliance levels for several years. This year’s was compiled from 302 PCI DSS engagements by Verizon Qualified Security Assessors (QSAs) with a range of organizations, including Fortune 500 and large multinational firms, in over 60 countries.

The global compliance figure fell from 53% in last year’s report — a significant drop. APAC organizations appeared to be the best prepared, with 70% fully compliant. The figure fell to 48% in Europe and a disappointing 20% in the Americas.

Rodolphe Simonetti, global managing director for security consulting at Verizon, warned that while 2010-16 saw an increase in compliance levels, the trend is now reversing.

Featuring data from Verizon’s Threat Research Advisory Center (VTRAC), the report claimed that a compliance program without proper controls has a 95% chance of not being sustainable and is therefore a major target for attack.

“Many organizations spend a lot of time and money creating data protection compliance programs, but often these are ineffective — looking good on paper but not able to withstand the scrutiny of a professional security assessment,” Simonetti explained.

“We still see CISOs focusing on how to maintain baseline control activities rather than looking at data protection competency and maturity. What is needed is a clear and easy-to-understand navigational guide to help them deliver measurable results and predictable outcomes.”

The findings chime with a Security Scorecard report from 2018 which revealed that over 90% of US retailers were non-compliant with PCI DSS, failing four or more of the key requirements of the standard. Requirement six — dealing with maintaining secure systems and applications — was a problem for 98%.

Categories: Cyber Risk News

Most Security Pros Still Don’t Get Shared Responsibility: Report

Tue, 11/12/2019 - 10:01

Some 60% of global security professionals misunderstand the concept of “shared responsibility” in the cloud, potentially putting their organizations at risk, according to Centrify.

The identity and access management (IAM) vendor polled 700 cybersecurity pros to compile its new report, Reducing Risk in Cloud Migrations: Controlling Privileged Access to Hybrid and Multi-Cloud Environments.

It found that nearly two-thirds of respondents incorrectly believe that their cloud provider is responsible for securing privileged access. In fact, under the shared responsibility model espoused by Amazon Web Services, Microsoft Azure and others, the provider is only responsible for the infrastructure of the cloud itself — the hardware, software, networking and other functions.

Customers are responsible for security “in” the cloud, which includes customer data, apps, operating systems and network and firewall configurations.

The report also revealed that many organizations aren’t deploying a common security model or enforcing least privilege access, according to best practices.

What’s more, three-quarters (76%) are using more than one identity directory to manage cloud users, which Centrify claimed puts them at risk of “identity sprawl” and potential security gaps.

“As the enterprise threat-scape expands, organizations are faced with new challenges to secure modern attack surfaces, and this report makes it clear that the cloud is no exception,” said Tim Steinkopf, Centrify CEO.

“We know that 80% of data breaches involve privileged access abuse, so it’s critical that organizations understand what they are responsible for when it comes to cloud security, and take a least privilege approach to controlling privileged access to cloud environments. Too much access and privilege puts their workloads and data at risk.”

Some 60% of respondents said that security is their number one challenge when it comes to cloud migration projects. This is slightly at odds with a Nominet study from September that revealed CISOs believe the cloud to be as safe as on-premises infrastructure.

Categories: Cyber Risk News

Two New Carding Bots Threaten E-Commerce Sites

Mon, 11/11/2019 - 20:02

Two new carding bots that pose a threat to e-commerce platforms have been detected at the start of the busiest shopping period of the year. 

The discovery was made by an eagle-eyed PerimeterX research team, which launched an investigation after the number of cyber-attacks against their own checkout pages surged.

One of the new carding bots, named the canary bot, specifically exploits top e-commerce platforms. The other bot, dubbed the shortcut bot, bypasses the e-commerce website entirely and instead exploits the card payment vendor APIs used by a website or mobile app.

Carding is a brute force attack on a retailer’s website using stolen credit cards or gift cards. Threat actors use carding to mass-verify millions of stolen credit cards and generate a list of valid credit cards.

The validated credit cards are then typically sold on the black market for around $45 each and exchanged for untraceable gift cards that enable the cyber-criminal to mask their identity. 

To verify the cards, the attackers usually make a low-cost purchase. Once validated, a card can then be used for big-ticket items, resulting in hefty losses, which are often covered by retailers and payment processors. 

The sophisticated canary bot identified by PerimeterX researchers is eerily good at aping human behavior. 

Describing an attack by the canary bot, researchers wrote: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a website."

As can be expected from its name, the shortcut bot takes a more direct approach, skipping out on adding products to the cart and completing the billing process in an attempt to avoid detection. 

"The shortcut carding bots exploit the card payment vendor APIs used by a website or mobile app and bypass the target e-commerce website completely," wrote researchers. "We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators."

Researchers said that they had seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications. They also witnessed an increase in these new types of attacks across multiple unrelated customers, indicating the quick evolution of these attack tools.

"This dynamic is similar to competing startups that may be running their services on the same cloud vendor, and using the same open-source libraries," wrote researchers. 

PerimeterX advised e-commerce website owners to prevent users from getting to the payment page without items in their cart to stop basic carding attacks. 
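The two mitigations the article touches on, refusing payment attempts that arrive without a cart and noticing when one session cycles through many different cards, can both be enforced server-side before a card ever reaches the payment vendor's API. The following is an added illustration written for this page; it is not PerimeterX's code or any vendor's product. The request fields, the five-card threshold and the ten-minute window are assumptions, and the sample requests are constructed to mimic the two bot behaviours the researchers describe.

```python
"""Server-side carding guard for a checkout endpoint (illustrative, not vendor code)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy: a session/IP pair may try at most this many distinct cards per window.
MAX_DISTINCT_CARDS = 5
WINDOW_SECONDS = 600


@dataclass
class CheckoutGuard:
    """Tracks (timestamp, card fingerprint) per (session_id, client_ip) key."""
    attempts: dict = field(default_factory=lambda: defaultdict(deque))

    def evaluate(self, req: dict) -> tuple[bool, str]:
        """Return (allowed, reason) for one payment request.

        Rule 1 blocks the "shortcut" pattern: a payment call with no cart.
        Rule 2 blocks the "canary" pattern: a realistic cart, but the same
        session rotating through many card numbers in a short window.
        """
        if not req.get("cart_items"):
            return False, "empty_cart"

        key = (req["session_id"], req["client_ip"])
        history = self.attempts[key]
        now = req["ts"]

        # Drop attempts that fall outside the sliding window.
        while history and now - history[0][0] > WINDOW_SECONDS:
            history.popleft()

        history.append((now, req["card_fingerprint"]))
        distinct_cards = {fp for _, fp in history}
        if len(distinct_cards) > MAX_DISTINCT_CARDS:
            return False, "card_cycling"
        return True, "ok"


def run_sample() -> dict:
    """Feed constructed traffic through the guard and tally the decisions."""
    guard = CheckoutGuard()
    requests = []

    # Constructed: a legitimate shopper, one cart, one card.
    requests.append({"session_id": "s-legit", "client_ip": "203.0.113.5", "ts": 100,
                     "cart_items": ["sku-1"], "card_fingerprint": "fp-a"})

    # Constructed: shortcut-style request, straight to payment with an empty cart.
    requests.append({"session_id": "s-short", "client_ip": "198.51.100.9", "ts": 101,
                     "cart_items": [], "card_fingerprint": "fp-b"})

    # Constructed: canary-style session with a real cart but eight cards in two minutes.
    for i in range(8):
        requests.append({"session_id": "s-canary", "client_ip": "198.51.100.20",
                         "ts": 200 + 15 * i, "cart_items": ["sku-9"],
                         "card_fingerprint": f"fp-c{i}"})

    summary: dict = defaultdict(int)
    for req in requests:
        _, reason = guard.evaluate(req)
        summary[reason] += 1
    return dict(summary)


if __name__ == "__main__":
    print(run_sample())
```

The first five cards from the canary-style session are allowed because nothing about them looks abnormal in isolation; the detection only fires once the session exceeds the distinct-card threshold inside the window, which is why the key is the session and client address rather than the card. For the shortcut bot, which never builds a cart, the empty-cart rule rejects the request before any throttling state is consulted.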

Categories: Cyber Risk News

Report Reveals Businesses Aren't Ready for 5G

Mon, 11/11/2019 - 17:17

A new report looking at 5G cybersecurity readiness has found that many businesses are inadequately prepared for the latest big data acceleration. 

The AT&T Cybersecurity Insights Report: Security at the Speed of 5G, published today, found that enterprises are lagging behind on expanding their virtualization and software-defined networking (SDN) capabilities and are not taking the opportunity to automate security. 

A degree of reticence was also detected when it came to the planned adoption of a shared security model that would enable certain functions to be shifted to carriers.

The report was built using data drawn from a survey of 704 cybersecurity professionals from around the globe, all of whom work for organizations with more than 500 employees. 

Nearly all respondents in the survey expect to make 5G-related security changes within the next five years, and 16% say they have already started preparing before the mainstream wave of 5G deployments arrives. 

Asked about what their preparations were focused on, the larger attack surface topped the list as a worry for 44% of respondents, followed by the greater number of devices accessing the network, which was a concern for 39%. 

Ranking third and fourth, drawing the focus of 36% and 33% of respondents, respectively, were the need to extend security policy to new types of IoT devices and the need to authenticate a larger number and wider variety of devices.

Only 29% of respondents said they plan to implement security virtualization and orchestration during the next five years.

Researchers wrote: "Most of the transitions in networking have been about faster speeds or increased capacity. 5G introduces more complex networking and is being delivered with virtualization in mind. 

"The latter appears to be a crucial gap in the way enterprises are preparing for 5G, as enterprises will need to take advantage of virtualization to make the network nimbler and more responsive, with the ability to provide just-in-time services. Many enterprises are not considering this as a possibility, according to our data."

With 5G, the size of the cyber-attack surface expands, creating more opportunities for bad actors to strike. Despite this, researchers found that enterprises did not appear to have fully considered how to boost their vulnerability management programs (both patching and mitigation) for devices at the edge, which may carry vulnerabilities that go unnoticed and unpatched.

Additionally, only 33% of enterprises surveyed had implemented multi-factor authentication, and 7% said they plan to implement it during the next five years.

A spokesperson for AT&T wrote: "To better realize how large (and vulnerable) the attack surface becomes with 5G, consider that 274 petabytes of data are currently crossing AT&T’s network each day, and with 5G this number is expected to increase by 10x."

Currently, neither 5G service nor 5G phones are available everywhere in the United States, and release dates vary for every carrier. Verizon, Sprint, Starry, AT&T, and T-Mobile are providing some coverage already, mostly in major cities, including New York, Washington, DC, Los Angeles, Houston, Chicago, Phoenix, Atlanta, Boston, Denver, and Dallas–Fort Worth.

Categories: Cyber Risk News

Texas Health Agency Fined $1.6m for Data Breach

Mon, 11/11/2019 - 16:15

A fine of $1.6m has been meted out to the Texas Health and Human Services Commission for unintentionally exposing the personal health information of thousands of vulnerable people online.

The Texan commission inadvertently made the names, addresses, Social Security numbers, and treatment information of 6,617 people visible on the internet between 2013 and 2017. 

The breach occurred when an internal application was moved to a public server from a private server. A flaw in the app's software then made the sensitive information visible to the public without any need for access credentials to be entered.

According to federal agency the Office for Civil Rights (OCR), the data exposed in the breach was in the care of the Texas Department of Aging and Disability Services. Before it was reorganized into the Health and Human Services Commission in 2017, the department's role was to provide long-term care to Texans with physical and mental disabilities and to the elderly.  

The OCR said the data breach was a violation of federal health privacy laws.

"No one should have to worry about their private health information being discoverable through a Google search," said Roger Severino, director of the Office for Civil Rights.

An investigation into the breach by the OCR found the audit controls in place at the Health and Human Services Commission to be inadequate. Because of this, the federal agency was unable to come up with an exact number for how many unauthorized people had viewed the private information.

A further determination of the OCR investigation was that the Texas health agency failed to conduct a risk analysis and implement access and audit controls on its information systems as required by the Health Insurance Portability and Accountability Act, commonly known as HIPAA.

In May, the Texas Legislature approved a settlement agreement with the federal government to bring the matter to a conclusion, which included accepting the hefty $1.6m fine.

Kelli Weldon, a press officer for the Texas health agency, said officials take information security and privacy seriously.

"We are continually examining ways to strengthen our processes for the health and safety of Texans," Weldon said.

The substantial fine is the second seven-figure penalty imposed by the OCR this month after the University of Rochester Medical Center was fined $3m on November 5 for failing to encrypt mobile devices.

Categories: Cyber Risk News

Vulnerability Values Fluctuate Between White, Grey and Black Hats

Mon, 11/11/2019 - 11:55

A black hat selling vulnerabilities can make as much money as a white hat researcher using bug bounty programs, or a grey hat working for a nation state doing reverse engineering. 

Speaking at a Tenable conference in London last week, director of research Oliver Rochford said that paying people to do vulnerability research is expensive, and that the white, black and grey markets are symbiotic: despite the difference between legal and illegal activity, the different actors “mirror each other as it starts with vulnerability discovery.”

Rochford said that this “shows how professional cybercrime has become,” pointing to the fact that the main difference between the criminal and legal sides is ethics. In one slide, Rochford pointed out that vulnerability discovery and exploit research and development are the same on both the offensive and defensive sides, while the differences fall at the "operationalization" stage, where offensive actors look at espionage, sabotage and fraud, while defenders look at threat intelligence and compensating control adaptation.

In his research, Rochford showed that in some cases you can earn more as a white hat vulnerability manager than as a black hat, with a black hat able to earn around $75,000 in this sort of work. Rochford said this “is achievable and attractive” and while it was more lucrative to do it legally, if it is not “it is a way to make a living.”

Looking at the value of exploits, Rochford said that you can earn around a million dollars for an Apache or Linux vulnerability on the dark market, while an exploit broker (grey market) will pay around $500,000. WhatsApp vulnerabilities on Android can earn a million dollars on the black and grey markets. The only vulnerabilities where vendor bug bounties can be more profitable are for Safari on iOS, while general iOS bugs can earn a million dollars for a bug bounty, and $2 million on the grey market.

Pointing at Bromium’s “Web of Profit” research, Rochford said that the revenue generated by cybercrime is estimated at $1.5 Trillion, while the total size of the cybersecurity market in 2019 was $136 Billion, according to Gartner.

Rochford also said that attackers have a median seven-day window of opportunity to exploit the vulnerabilities before the defender has even assessed for the vulnerability, and that is why “companies need to harden their attack surface and raise the level of attack.” He said that reducing market supply and increasing production cost also increases the value of exclusive zero days, thus incentivizing investment again.

Speaking at the event, Jose Maria Labernia, head of IT security and internal control at the European IT Services of Lafarge Holcim said that he did believe that zero-day exploits “are important as they can compromise a system.”

He said that not many companies have the capability to patch a zero-day as the speed and level of patching required “is not a matter of a zero-day, but the number of vulnerabilities to patch.” Asked by Infosecurity if a company would patch by the severity rating, he said that it was previously just about patching Microsoft and Unix, and then Flash came along, and now “there are so many components and web apps and it is really difficult to cope with the large exposure that organizations face.”

Labernia said that agile methodologies can be applied, and part of the process is that, regardless of whether a technology is “legacy or not, some cannot be patched.” So an option is to go for full isolation and control every ingress and egress of traffic, “but this is a challenge for security teams and organizations push us as we grow in transformation.”

Categories: Cyber Risk News

Surveillance Fears as Russia Proposes New App Law

Mon, 11/11/2019 - 11:30

The Russian parliament is pushing through proposed legislation that would force PCs and mobile devices to be sold with pre-installed domestic applications, raising security concerns.

The bill is being touted by lawmakers as protecting the local technology market from foreign, presumably US, competition.

“The initiative provides domestic companies with legal mechanisms to promote their programs for Russian users,” the Duma said.

However, there could potentially be more sinister implications.

If the mandated pre-installed apps come loaded with backdoors and/or other secret functionality, they could provide security services with an opportunity to spy on the populace, for example. The government ultimately decides which apps must be installed on users’ devices.

The law may also support the Putin regime’s push for internet sovereignty.

The country has been moving towards a China model for some time, and recently passed legislation which would allow the government to filter traffic from outside Russia, potentially even cutting access to foreign servers during times of geopolitical crisis.

“Now the government can directly censor content or even turn Russia’s internet into a closed system without telling the public what they are doing or why,” said Rachel Denber, deputy Europe and Central Asia director at Human Rights Watch. “This jeopardizes the right of people in Russia to free speech and freedom of information online.”

The proposed new law relating to domestic apps could apply to virtually all computing devices capable of running applications, including smartphones, desktop PCs, tablets, laptops and even smart TVs.

It has the backing of all major political parties, meaning that it should become law next year.

Although companies that don’t comply face a fine, it currently stands at just 200,000 rubles ($3100). That said, if they repeatedly refuse to comply with the legislation, they could be banned outright from providing devices.

Some reports have suggested Apple could leave the country if forced to expose its customers to such security and privacy risks.

Categories: Cyber Risk News

Hoster SmarterASP.NET Taken Down by Ransomware

Mon, 11/11/2019 - 10:35

A major US hosting provider has been hit by a serious ransomware attack, impacting hundreds of thousands of customers.

SmarterASP.NET claims to operate three ‘world-class’ data centers “delivering the reliability and flexibility necessary to support your mission-critical internet operations.”

However, the websites of its 440,000+ customers, as well as its own, went offline yesterday following the attack.

“Your hosting account was under attack and hackers have encrypted all your data. We are now working with security experts to try to decrypt your data and also to make sure this would never happen again,” SmarterASP.NET said in a notice dated today.

“Please stay tune[d] for more info. Please know that we are getting thousands of messages in our email and we don't have enough staffs to reply them all. So please don’t email us. We will continue to put out notices on our Facebook page. Please check back soon.”

The firm tweeted earlier this morning UK time to say that it would be focusing first on restoring database servers.

“Once that's recovered, most of your sites will be up and running already. You will also be able to make DB backup right away on our control panel,” it said. “We are optimistic that everything will be back to normal no longer than 12-24 hours. We will not go home until everyone is taken care of.”

It’s unclear whether the firm has been able to decrypt the locked files, either by paying up or via a third-party key, or is restoring from backups.

As of 09:45 GMT the firm claimed to have recovered 40% of affected accounts.

SmarterASP.NET is by no means the first hosting firm to be struck by ransomware. California-based Data Resolution was forced to shut its network following an attack on Christmas Day last year, while A2 Hosting lost weeks of business from an outage in spring.

Categories: Cyber Risk News

Facebook Won’t Ban Political Ads, Despite Controversy

Mon, 11/11/2019 - 10:00

Facebook will not remove political advertising from its platform ahead of the UK’s upcoming General Election, despite complaints that the ruling Conservative Party is already trying to influence users with misleading information.

The social network has been under pressure to ban such advertising completely, after Twitter announced plans to do so earlier this month and the Mozilla Foundation and several rights groups signed an open letter urging it and Google to follow suit.

The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have all called for urgent legislation to regulate political advertising.

However, in an update late last week, Facebook argued that it was not in the business of censoring politicians. Although such ads will be pulled if they incite violence, share previously debunked content or spread misinformation about where, when and how to vote, they won’t be fact-checked like other content, explained head of UK public policy, Rebecca Stimson.

Instead, Facebook is making such ads more transparent, so that recipients can see who has paid for them and find out why they are seeing them.

It is also putting significant resources into tackling foreign interference by removing fake accounts, and has set up an Elections Task Force which will focus on threat intelligence, data science, engineering, operations, legal and other areas ahead of key votes, she said.

The news comes after complaints on both sides of the Atlantic that politicians are already spreading lies via political ads.

The Conservative Party was called out for doctoring a video clip of shadow Brexit secretary, Keir Starmer, in which he appeared lost for words when asked about his party’s policy. In the US, Joe Biden’s campaign was rebuffed when it requested Facebook to remove a misleading Trump ad.

Facebook claimed that its approach “is in line with the way political speech and campaigns have been treated in the UK for decades” — i.e. not regulated. However, there is arguably a difference with online advertising in that it might be micro-targeted at a small number of swing voters, thereby covertly peddling disinformation which turns elections.

That’s the argument author Jamie Bartlett made at Infosecurity Europe earlier this year when he warned that such strategies could undermine the validity of election results in many voters' eyes.

Catherine Stihler, CEO of the Open Knowledge Foundation, welcomed Facebook’s attempts to promote greater transparency on its platform.

“However, it remains the case that Facebook is still accepting money for political ads which can contain disinformation, which is why we have called for a moratorium on political ads for the duration of the campaign,” she added.

“Ultimately, the solution to this does not involve self-regulation. The only way to build a fair, free and open digital future in the UK is to update our analogue electoral laws for the digital age.”

Categories: Cyber Risk News

US Company Accused of Selling Flawed Chinese Tech as "Made in USA" to US Military

Fri, 11/08/2019 - 19:06

A Long Island company has been accused of selling Chinese-made security and surveillance equipment with known cybersecurity vulnerabilities as "made in USA" to the United States military. 

It is alleged that since 2006, Aventura Technologies Inc., has been falsely claiming products made in the People's Republic of China (PRC) were manufactured at its headquarters in Commack, New York. 

The security and surveillance equipment company and its senior management team have been charged with fraud, money laundering, and illegal importation of equipment manufactured in the PRC by the US Attorney for the Eastern District of New York. 

Aventura has generated over $88 million in sales revenue since November 2010, $20 million of which came from federal government contracts. 

A statement released by the Department of Justice said: "Aventura imported networked security products from PRC manufacturers with known cybersecurity vulnerabilities, and resold them to US military and other government installations while claiming that they were American-made.  

"Aventura similarly deceived private customers in the United States and abroad who paid a premium for what they believed to be American-made goods. As a result, Aventura not only defrauded its customers, but also exposed them to serious, known cybersecurity risks, and created a channel by which hostile foreign governments could have accessed some of the government’s most sensitive facilities." 

Products that Aventura imported from the PRC and then allegedly sold as made in the United States include 25 body cameras sold to the US Air Force in 2018, a $13,500 laser-enhanced night-vision camera purchased by the US Navy in 2019, and $156,000 worth of networked automated turnstiles bought by the Department of Energy in 2019. 

In some cases, cameras shipped from the PRC were pre-marked with Aventura’s logo and the phrase “Made in USA,” accompanied by an American flag. 

Aventura itself, and seven current and former employees of the company, have been charged with selling Chinese-made equipment with known cybersecurity vulnerabilities to government and private customers while falsely representing that the equipment was made in the United States and concealing that the products were manufactured in the PRC.

The individual defendants charged in the complaint are the company's managing director and de facto owner and operator, Jack Cabasso, and his wife, Frances Cabasso, the company's CEO and purported owner; senior executives Jonathan Lasker, Christine Lavonne Lazarus, and Eduard Matulik; current employee Wayne Marino; and 70-year-old recently retired former employee Alan Schwartz. 

Four defendants are also charged with defrauding the US government by falsely claiming that Aventura Technologies was owned and operated not by Jack Cabasso, 61, but by his 59-year-old wife, Frances. This lie was allegedly perpetrated so that the company could win valuable government contracts that were strictly reserved for businesses owned by women.  

The Cabassos, who live in a gated community in Northport, New York, have been charged with money laundering, and their 70-foot luxury yacht Tranquilo has been seized by the government. Twelve financial accounts containing around $3M of allegedly ill-gotten gains have been frozen.

Categories: Cyber Risk News

Accenture Opens Cyber Ranges

Fri, 11/08/2019 - 17:06

Accenture has opened a trio of practice ranges in which companies can have a crack at responding to cyber-attacks. 

The new "cyber ranges" are specifically aimed at assisting industrial companies in the oil and gas, chemicals, utilities, and manufacturing industries to improve their cybersecurity. 

Each site is a controlled, interactive, and hyper-realistic environment for cybersecurity training and software development used to assess network and other technical vulnerabilities of industrial control systems (ICS). 

Such systems are commonly used to automate processes in critical infrastructure industries, such as utilities, petrochemicals, oil and gas, and industrial manufacturing.

One of the ranges, sited inside Accenture's Industry X.0 Innovation Center in Essen, Germany, is dedicated to the utilities and chemicals industries, with a particular focus on electric distribution networks and chemical plants.

The other two ranges have been established on American soil. The first, located in Accenture’s Cyber Fusion Center in Washington, DC, is aimed specifically at helping companies in the utilities industry learn how to protect themselves from threat actors. 

The second US cybersecurity testing facility has been opened up inside one of Accenture's innovation hubs in Houston, Texas. Named the Industrial Control Systems (ICS) Cyber Range, this site is intended to support leading oil and gas companies in their cybersecurity efforts. 

Early next year, Accenture will open its first ICS Cyber Fusion Center, also in Houston, Texas. The center, which is currently under construction, is being created with the intention of helping the company's clients better protect their industrial networks and plant assets.

Other Accenture Cyber Fusion Centers are already up and running in India, Prague, Tokyo, and Israel.

"The energy industry has the largest installed base of industrial control systems around the world, and the cyber risk has never been greater," said Luis Luque, ICS cybersecurity global lead at Accenture Security. 

"Securing and defending these large and complex industrial systems requires not only improving processes and tools, but also adopting cybersecurity practices for operational maintenance and resilience programs. With the expansion of our ICS cybersecurity capabilities, we can deliver the most comprehensive security solutions tailored across the ICS environment, delivered by people who understand the zero-loss time imperative our industry expects."

Categories: Cyber Risk News

Florida Police Want Access to Controversial Facial Recognition Network

Fri, 11/08/2019 - 16:19

Florida's largest police department is seeking to gain permanent access to a facial recognition network maintained by the Pinellas County Sheriff's Office.

The Face Analysis Comparison and Examination System (FACES), set up in 2001 with federal grant money, is the largest collaborative open-model facial recognition system in the United States.

The system uses a MorphoTrust algorithm to search a repository of over 33 million images captured from police mugshots and every driver's license in Florida. Users need only upload a photo and run a search of the network to be presented with a lineup of visually similar matches. 

FACES is currently accessed by 243 partner agencies, including the Federal Bureau of Investigation, Customs and Border Protection, and the IRS. Now, Florida's Miami-Dade Police Department (MDPD) wants permanent access to the network. 

In return for receiving access to FACES, the MDPD will hand over its existing cache of mugshot images to the sheriff's office for integration into the facial recognition system.

A resolution to approve a Memorandum of Understanding between the Pinellas County Sheriff's Office and the Miami-Dade County PD that would grant the MDPD access to FACES is due to go before the Board of County Commissioners on November 13.

In a memo dated forward to December 3, 2019, Mayor Carlos Gimenez has written to the Board of County Commissioners in support of the resolution.

He wrote: "The FACES software is beneficial to detectives within the MDPD as it can be used to compile facial recognition data on their subject and help identify possible matches. Additionally, the use of the FACES technology by MDPD's forensic artist is instrumental in creating composites and conducting facial recognition searches on assigned cases."

FACES has been criticized for the lack of regulation around its use. No audit system is in place to monitor the approximately 8,000 searches that are carried out on the system every month, and users aren't required to have reasonable suspicion or log the reason why they are running a search before using the network. 

According to the Tampa Bay Times, a 2016 study by the Center on Privacy and Technology at Georgetown Law warned that FACES was "subject to little oversight and lacks transparency."

The sheriff's office has issued guidelines to its deputies to only use FACES for official investigations; however, no checks are in place to ensure proper use of the network, and the guidelines do not apply to the 243 partner agencies that regularly access the system.

Categories: Cyber Risk News

Over 230 UK Police Disciplined for Computer Misuse

Fri, 11/08/2019 - 11:30

Hundreds of UK police officers have been disciplined over the past two financial years for misusing computer systems, a new Freedom of Information (FOI) request has revealed.

Think tank Parliament Street received data from 23 forces across England and Wales as part of the FOI-based research.

In total, 237 officers and staff members were disciplined, with six resigning during investigations and 11 sacked.

In Gwent, three officers were fired for searching the police database for a named person, disclosing confidential information and unlawfully accessing information. In Wiltshire, three officers lost their jobs for misusing the police database.  

Surrey police has the dubious honor of being the force with the highest number of incidents, recording 50 individual cases. Next came the Metropolitan Police with 18. Here, one staffer was sacked for misusing the Crime Reporting Information System (CRIS) and four were disciplined for misusing social media.

In Cumbria, 16 incidents occurred over the two years after individuals accessed police systems without a policing purpose.

“Instilling the highest standards of IT best practice in serving officers and operational staff is critical for maintaining the integrity of our police forces. All too often these incidents arise due to a lack of training or understanding about the need for correctly handling sensitive information,” argued Sheila Flavell, COO of FDM Group.

“With cybercrime on the rise, it’s vital that those tasked with keeping us safe are proficient with technology and acutely aware of the importance of data protection rules.”

The study calls to mind a Huntsman Security report from 2017 which revealed that UK police investigated nearly 800 cases of misuse of data by staff over the previous 12 months.

In addition, a Big Brother Watch report from 2016 revealed 2315 recorded incidents of data breaches between June 2011 and December 2015. Over 800 staff and officers accessed personal info without a policing purpose and over 800 shared information “inappropriately” with third parties during the period.

Categories: Cyber Risk News