Info Security

Sextortion Scammers Pose as Corrupt CIA Agents

Fri, 06/07/2019 - 18:34

In a new sextortion scam, cyber-criminals are posing as corrupt officials of the CIA and demanding $10,000 from their targets whose names they claim to have found in an investigation into online pedophiles, according to Kaspersky.

Victims reportedly receive an email authored by what appears to be a corrupt CIA agent involved in “a large international operation set to arrest over 2,000 people suspected of pedophilia, in over 27 countries.”

The scope of the information the department reportedly has includes the victim’s name, phone number, and email, along with the person's home and work addresses. The scammer also claims that the CIA has information about relatives, which was reportedly obtained from a range of sources, including ISPs, online chats and social networks, researchers said.

The note alleges that the victim’s contact details and those of their relatives are being held as part of the operation identified as case #45361978 (relating to possession and distribution of child pornography, or so it seems).

Credit: Kaspersky

The fake agent offers to remove all files relating to the victim in return for a payment of $10,000 in cryptocurrency, but time is of the essence, as the letter also notes that arrests will begin in two weeks' time. As a result, the sextortion payment must be received within nine days of the letter.

“Compared with regular sextortion spam, the 'CIA' message is well-written, with grammatically correct, stylistically restrained language in a quite official-sounding tone. The scammers also took care of the layout: The message text is nicely formatted and easy to read, and the effect is amplified by the CIA emblem staring out from the screen,” researchers wrote.

“However, just because the message looks more imposing doesn’t make it more true. Don’t be offended, but the CIA is unlikely to give a hoot about you. The scammers most likely found your email address in a database leaked online, or even just came across it by chance.”

Kaspersky recommends trashing any such messages immediately. “Our number one tip is don’t panic,” the researchers said. Beyond that, they advised that recipients do not reply to the email and never consider paying a ransom to scammers.

Categories: Cyber Risk News

New Adware Found in 200+ Google Play Apps

Fri, 06/07/2019 - 18:14

A new adware known as BeiTaAd was found embedded in 238 applications in the official Google Play store and has been installed by 440 million Android users, according to security researcher Kristina Balaam of Lookout.

“BeiTaAd is a well-obfuscated advertising plug-in hidden within a number of popular applications in Google Play. The plug-in forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep and displays out-of-app ads that interfere with a user’s interaction with other applications on their device,” Balaam wrote.

The ads displayed, which become visible at least 24 hours after the application is launched, are so pervasive that users impacted by the adware have reportedly been unable to answer calls or interact with other apps. Balaam said that on one of the Lookout test devices, the out-of-app ads did not appear until two weeks after the application, Smart Scan (com.qrcode.barcode.reader.scanner.free), was launched.

“There is a very fine – and, one could argue, diminishing – line between adware and malware. They exhibit similar behaviors for disseminating content and techniques for avoiding detection and analysis,” said Usman Rahim, digital security and operations manager for The Media Trust.

“Adware can also be vulnerable, as there is little to no incentive for developers to patch up the flaws, and can leak data. In the wrong hands, adware plug-ins can be used to distribute malicious code to commit theft and fraud on millions of users. Companies that monetize their apps by featuring ads must thoroughly vet their vendors and continuously monitor what these vendors do to users. The temptation for vendors to exploit access to users is great and can put developers at odds with current and forthcoming privacy regulations.”

Categories: Cyber Risk News

Entrust Datacard Closes on Thales' nCipher Security

Fri, 06/07/2019 - 18:00

Entrust Datacard announced today that it has completed its acquisition of Thales’ General Purpose Hardware Security Module (GP HSM) business, nCipher Security.

With this acquisition Entrust Datacard enhances its existing public key infrastructure (PKI) and SSL offerings, which the company says positions it to effectively secure customers’ sensitive information and business-critical applications as they implement new digital initiatives, particularly those solutions using general purpose HSMs.

The hope is to better protect blockchain, crypto wallets and internet of things (IoT) manufacturing – some of the most vulnerable aspects of emerging business applications – and to help customers achieve compliance with stringent regulatory requirements such as the General Data Protection Regulation (GDPR) and electronic identification and trust services (eIDAS).

“We are extremely pleased to complete this acquisition and bring nCipher’s exceptional talent and technology into the Entrust Datacard portfolio,” said Todd Wilkinson, president and CEO of Entrust Datacard, in a press release.

“The need for secure network access and data integrity continues to multiply – from mobile devices and cloud services to connected IoT devices and digital payments. The use of HSMs is expanding across all of these domains. With nCipher now part of our solution portfolio, customers will see benefit from our expanded offerings for the most sensitive, high assurance use cases.”

For nCipher, the deal brings 300 employees in as part of the Entrust Datacard team and expands its authentication and cloud capabilities, and allows it to offer advanced solutions from Entrust Datacard’s secure hosting facilities. “nCipher is excited to join the talented Entrust Datacard team. This acquisition quickly expands the global footprint for nCipher solutions and accelerates our strategy for ‘as-a-service’ offerings,” said Cindy Provin, CEO of nCipher Security.

“HSMs provide a foundation of trust for business applications such as PKI, blockchain, mobile payments and code signing. As a single company, Entrust Datacard is positioned to effectively secure our customers’ sensitive information and business critical applications as they implement new digital initiatives.”

Categories: Cyber Risk News

Researchers Find 40,000+ Containers Exposed Online

Fri, 06/07/2019 - 10:39

Researchers have discovered over 40,000 Kubernetes and Docker container hosting devices exposed to the public internet through misconfigurations.

Palo Alto Networks’ Unit 42 revealed the results of its latest research in a blog post yesterday. The discovery was made via a simple Shodan search.

Some 23,353 Kubernetes containers were found in this way, located mainly in the US, as well as Ireland, Germany, Singapore, and Australia. Even more (23,354) misconfigured Docker containers were discovered exposed to the internet, mainly in China, the US, Germany, Hong Kong and France.

“This does not necessarily mean that each of these 40,000+ platforms are vulnerable to exploits or even the leakage of sensitive data: it simply highlights that seemingly basic misconfiguration practices exist and can make organizations targets for further compromising events,” explained senior threat researcher, Nathaniel Quist.

“Seemingly simple misconfigurations within cloud services can lead to severe impacts on organizations.”

This has happened several times in the past: attackers exploited weak security configurations to steal keys and tokens for 190,000 Docker Hub accounts, while poor container security also led to a major breach of 13 million user records at Ladders.

Digging down into the exposed containers they found, the Palo Alto researchers discovered unprotected databases, in one case exposing multiple email addresses.

“Misconfigurations such as using default container names and leaving default service ports exposed to the public leave organizations vulnerable to targeted reconnaissance,” Quist concluded.

“Using the proper network policies, or firewalls can prevent internal resources from being exposed to the public internet. Additionally, investing in cloud security tools can alert organizations to risks within their current cloud infrastructure.”
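Quist's two points above, that default service ports exposed to the public invite reconnaissance and that network policies or firewalls should keep internal resources off the public internet, translate into a simple inventory check. The following is an added example, not Unit 42's tooling and not from the article: it takes a constructed list of listening management interfaces on container hosts and rates each one. The port-to-service mapping is an assumption drawn from the Docker and Kubernetes defaults (2375/2376 for the Docker daemon API, 6443 for the Kubernetes API server, 10250 for the kubelet, 2379 for etcd); the hostnames are placeholders.

```python
"""Rate container-host management listeners by exposure.

Added example; the inventory below is constructed and the default-port table
is an assumption based on Docker/Kubernetes defaults, not data from the article.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Well-known default management ports (assumption, from upstream documentation).
DEFAULT_PORTS = {
    2375: "Docker daemon API (plain HTTP)",
    2376: "Docker daemon API (TLS)",
    6443: "Kubernetes API server",
    10250: "kubelet API",
    2379: "etcd client API",
}

# Bind addresses that mean "every interface on the host".
ANY_ADDR = {"0.0.0.0", "::", "*", ""}

SEVERITY_ORDER = {"critical": 0, "review": 1, "ok": 2}


@dataclass(frozen=True)
class Listener:
    host: str
    bind_addr: str
    port: int
    tls: bool   # listener speaks TLS
    auth: bool  # listener requires authentication (no anonymous access)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str  # "critical", "review" or "ok"
    reason: str


def assess(listener: Listener) -> Finding:
    """Rate one listener: local-only binds are fine; all-interface binds are
    critical without TLS or auth, and worth review when on a default port."""
    service = DEFAULT_PORTS.get(listener.port, "non-default port")
    if listener.bind_addr not in ANY_ADDR:
        return Finding(listener.host, listener.port, "ok",
                       f"{service} bound to {listener.bind_addr} only")
    problems = []
    if not listener.tls:
        problems.append("no TLS")
    if not listener.auth:
        problems.append("no authentication")
    if problems:
        return Finding(listener.host, listener.port, "critical",
                       f"{service} reachable on all interfaces with " + " and ".join(problems))
    if listener.port in DEFAULT_PORTS:
        return Finding(listener.host, listener.port, "review",
                       f"{service} on its default port is reachable on all interfaces; "
                       "restrict it with a firewall or network policy")
    return Finding(listener.host, listener.port, "ok",
                   f"{service} reachable on all interfaces but authenticated over TLS")


def audit(listeners: Iterable[Listener]) -> List[Finding]:
    """Assess every listener and order findings by severity, then host and port."""
    return sorted((assess(l) for l in listeners),
                  key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))


# Constructed inventory (placeholder hostnames), not real hosts.
SAMPLE_INVENTORY = [
    Listener("docker-01.example.test", "0.0.0.0", 2375, tls=False, auth=False),
    Listener("k8s-master.example.test", "0.0.0.0", 6443, tls=True, auth=True),
    Listener("k8s-node-07.example.test", "0.0.0.0", 10250, tls=True, auth=False),
    Listener("docker-02.example.test", "127.0.0.1", 2375, tls=False, auth=False),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.severity:8} {f.host}:{f.port}  {f.reason}")
```

The "review" tier is deliberate: an authenticated, TLS-protected API server on 0.0.0.0:6443 is not a vulnerability in itself, but it is exactly the kind of default-port exposure the article says makes an organization a reconnaissance target, so it belongs on the list even when nothing is broken.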

Some 60% of US organizations experienced security incidents related to their use of containers over the previous year, according to research from Tripwire released in January.

Categories: Cyber Risk News

GateHub Users Lose $9.7m to Hackers

Fri, 06/07/2019 - 10:10

Two cryptocurrency firms have come under attack over recent days with users of one, GateHub, suffering losses estimated at nearly $9.7m.

The cryptocurrency wallet service provider sounded the alarm in a statement on Thursday, claiming an investigation had been started after around 100 XRP Ledger wallets were compromised. The firm urged users to transfer their funds from these to a hosted wallet.

An XRP security community revealed in a separate post that, as of Wednesday, 23.2m XRP (Ripple) coins had been stolen, of which 13.1m had already been laundered.

However, the cause of the attack remains a mystery.

“API requests to the victim’s accounts were all authorized with a valid access token. There were no suspicious logins detected, nor were there any signs of brute forcing. We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys,” said GateHub.

“That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1 after which the suspicious API calls were stopped.”
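The signal GateHub describes, a spike of authorized API calls from a handful of IP addresses, is one that a defender can alert on before it is noticed in an incident review. The following is an added detection example, not GateHub's code: it parses a constructed API access log (the `ip=... account=... token=... path=...` line format and the addresses are made up for the example, not GateHub's real format) and flags source IPs whose valid-token call volume is far above the per-IP median while also touching several distinct accounts. That second condition matters: one customer's automation can be noisy on its own account, but a single address working through many accounts with valid tokens is the pattern worth paging on.

```python
"""Flag source IPs issuing an unusual volume of authorised API calls across
many accounts. Added example with a constructed log format; not GateHub's
code or log schema."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List

# Constructed line format for this example (not a real product's log schema).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) account=(?P<acct>\S+) "
    r"token=(?P<tok>valid|invalid) path=(?P<path>\S+)$"
)


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_stats(events: Iterable[dict]) -> Dict[str, dict]:
    """Count valid-token calls and distinct accounts per source IP.
    Invalid-token calls are ignored: the incident involved authorised requests."""
    stats: Dict[str, dict] = defaultdict(lambda: {"calls": 0, "accounts": set()})
    for e in events:
        if e["tok"] != "valid":
            continue
        s = stats[e["ip"]]
        s["calls"] += 1
        s["accounts"].add(e["acct"])
    return dict(stats)


def flag_ips(stats: Dict[str, dict], factor: float = 5.0, min_accounts: int = 3) -> List[str]:
    """Return IPs whose call count exceeds factor x the median per-IP count
    and that touched at least min_accounts distinct accounts."""
    if not stats:
        return []
    baseline = median(s["calls"] for s in stats.values())
    return sorted(ip for ip, s in stats.items()
                  if s["calls"] > factor * baseline and len(s["accounts"]) >= min_accounts)


def constructed_log() -> List[str]:
    """Build a small synthetic log: six quiet clients, one busy client on a
    single account, and one address sweeping five accounts with valid tokens."""
    spec = [
        ("203.0.113.10", ["acct-01"] * 2),
        ("203.0.113.11", ["acct-02"]),
        ("203.0.113.12", ["acct-03"] * 2),
        ("203.0.113.13", ["acct-04"]),
        ("203.0.113.14", ["acct-05"] * 2),
        ("203.0.113.15", ["acct-06"]),
        ("198.51.100.8", ["acct-07"] * 12),                        # noisy but single-account
        ("198.51.100.7", ["acct-%02d" % (n % 5 + 11) for n in range(20)]),  # many accounts
    ]
    lines = []
    for ip, accounts in spec:
        for i, acct in enumerate(accounts):
            lines.append(f"2019-05-31T02:{i:02d}:00Z ip={ip} account={acct} "
                         f"token=valid path=/v1/wallet/secret")
    # One failed call, which the per-IP statistics must ignore.
    lines.append("2019-05-31T03:00:00Z ip=203.0.113.99 account=acct-99 token=invalid path=/v1/login")
    return lines


if __name__ == "__main__":
    stats = per_ip_stats(parse_events(constructed_log()))
    for ip in flag_ips(stats):
        print(f"ALERT {ip}: {stats[ip]['calls']} valid-token calls across "
              f"{len(stats[ip]['accounts'])} accounts")
```

In production the median would come from a rolling baseline rather than the current batch, and the alert would be enriched with which paths were hit; a burst against a secret-key endpoint deserves a different response than a burst against a balance query.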

The news comes as a separate digital currency platform managed to prevent a major theft of currency with some quick thinking.

Blockchain startup Komodo revealed it discovered an attack targeting its Agama wallet application. Hackers had uploaded malware to a supply chain provider’s software designed to steal cryptocurrency wallet seeds and other login passphrases.

“After discovering the vulnerability, our cybersecurity team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk,” Komodo said. “We were able to sweep around 8m KMD ($12.5m) and 96 BTC ($765K) from these vulnerable wallets, which otherwise would have been easy pickings for the attacker.”

Categories: Cyber Risk News

Regulator Slams Cathay Pacific Over Breach

Fri, 06/07/2019 - 09:27

Two separate groups breached Cathay Pacific’s cyber-defenses over a four-year period, taking advantage of multiple failures in IT security, a damning new report from the Hong Kong privacy commissioner has found.

The first incident occurred in October 2014 when keylogging malware was placed on an internal system to harvest account credentials. The group used these to access Cathay’s IT system via a VPN to steal data, whilst also moving laterally to extract domain credentials from other parts of the network. This activity continued until 2018.

The second group exploited a flaw on an internet facing server back in 2017, enabling them to gain admin access, move laterally and install credential harvesting tools. These credentials were used to access data via a VPN until May 2018.

Although the exploited vulnerability was first published in 2007, the airline claimed it was unable to upgrade because of compatibility problems with an Airbus fleet manuals app.

However, a scan it ran in 2017 did not spot the bug and Cathay also claimed that its anti-malware and endpoint protection tools didn’t spot any of the malware used in the second attacks because there were no signatures available, the report revealed.

The incidents were finally uncovered when the second group attempted a brute-force attack against the firm in March 2018 and it brought a cybersecurity expert on board to investigate.

Four of Cathay’s 120 IT systems containing personal data were affected: a customer loyalty system, a shared back-end database used to support web apps, a reporting tool and an air miles database.

The privacy commissioner criticized the airline for multiple security failings, including: failing to identify the server flaw, scanning at too wide an interval (yearly), exposing the admin console port of the server to the internet, failing to apply multi-factor authentication for all users accessing IT systems containing personal data, generating unencrypted database backup files, failing to reduce malware risks after the 2017 incident and failing to have an effective personal data inventory.

“In all the relevant circumstances of the case in relation to personal data security, the commissioner finds that Cathay did not take all reasonably practicable steps to protect the affected passengers’ personal data against unauthorized access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance,” the commissioner concluded.

The airline also kept Hong Kong ID card details of affected passengers for longer than was necessary, it said.

Some 9.4 million passengers were affected by the breach, which Cathay Pacific finally revealed in October 2018.

However, while all had their names stolen by attackers and most had flight number and date (61%) and email address (53%) compromised, far fewer had membership number (38%), address (24%), phone number (19%), nationality (12%), passport number (9%), date of birth (8%) and ID card number (6%) affected.

Just 0.004% had credit card details stolen, suggesting that the motivation for the attacks may have been non-financial, which could potentially indicate nation state involvement.

Categories: Cyber Risk News

Healthcare Orgs Hit with Destructive Attacks

Thu, 06/06/2019 - 16:54

Increasingly, healthcare organizations are the target of cyber-criminals looking to profit from the treasure trove of personal data these companies possess, according to a new report from Carbon Black.

The Healthcare Cyber Heist in 2019 report surveyed industry CISOs to understand the ways that threats to the industry have evolved. A vast majority (83%) of healthcare organizations reported an increase in cyber-attacks over the past year. “Invariably, when we talk to these CISOs, almost all of them are saying that the number of relevant and actionable security alerts they are receiving continues to climb year over year,” the report stated.

In addition, 66% admitted they were the target of a ransomware attack in the past year. “In targeting healthcare organizations, ransomware attackers are taking advantage of the 'do no harm' principle. Meaning, when forced to decide between paying a ransom or being unable to access critical patient files, the healthcare provider has no choice – they have to pay, lest a patient potentially incur great harm or loss of life,” the report said.

While 66% of healthcare organizations reported that cyber-attacks have grown more sophisticated over the past year, 84% also said that they have provided cybersecurity best-practices training to their employees.

“The potential, real-world effect cyber-attacks can have on healthcare organizations and patients is substantial,” said Rick McElroy, Carbon Black’s head of security strategy, in a press release. “Cyber attackers have the ability to access, steal and sell patient information on the dark web. Beyond that, they have the ability to shut down a hospital’s access to critical systems and patient records, making effective patient care virtually impossible.”

Despite their healthcare organizations being the target of cyber-attacks, CISOs reported that their top security concerns are actually related to compliance (33%), budget and resource restrictions (22%), loss of patient data (16%), vulnerable devices (16%) and inability to access patient data (13%).

For nearly half (45%) of participating healthcare organizations, attacks were targeted and intended to cause an extensive destruction of data, the report said. “These attackers aren’t just committing simple burglary or even home invasion – they’re arsonists. These attacks are often carried out by punitive and malicious nation-states, including Russia, China and North Korea,” the report said.

Categories: Cyber Risk News

NSA Warns Windows Users to Upgrade, STAT

Thu, 06/06/2019 - 16:49

Microsoft Windows administrators and users are being urged by the National Security Agency (NSA) to verify that they are using a patched and updated system in order to protect against cyber-threats.

In a June 4 advisory, the NSA referenced recent warnings by Microsoft of a potentially 'wormable' remote code execution vulnerability (CVE-2019-0708), dubbed “BlueKeep,” that could spread across the internet without user interaction.

Despite Microsoft having issued a patch, the NSA said that potentially millions of users remain vulnerable.

“We have seen devastating computer worms inflict damage on unpatched systems with wide-ranging impact, and are seeking to motivate increased protections against this flaw...in Remote Desktop Services (RDS) on legacy versions of the Windows® operating system,” the advisory stated.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation tools are widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.”

While newer versions of Windows are reportedly protected against this vulnerability, several versions remain at risk if not patched, including: Windows XP, Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

In a May 14 blog post, Microsoft noted that it has not yet observed any exploitation of this vulnerability, though there is a high likelihood that “malicious actors will write an exploit for this vulnerability and incorporate it into their malware.” However, an anonymous researcher has already published a proof-of-concept (PoC).

“Businesses who fail to heed the NSA's warning ignore it at their peril. Anyone looking for evidence to justify patching or moving off of legacy systems need only look at the damage left in the wake of NotPetya and WannaCry,” said Rick Holland, CISO, vice president of strategy at Digital Shadows.

“Maersk's financial statements clearly show the potential costs of 'wormable' vulnerabilities. In the short term, businesses should isolate the systems that must run legacy software. More strategically, companies must have a plan to retire unsupported systems, even if it takes several years.”

Categories: Cyber Risk News

Australian Police Collect 9K+ Docs in ABC Raid

Thu, 06/06/2019 - 16:32

Outrage over the Australian Federal Police (AFP) raid at the Australian Broadcasting Corporation (ABC) continues to mount as a question of national security versus freedom of the press plays out between journalists and law enforcement.

In response to allegations that ABC had published classified information related to stories reported in 2017, the AFP raided ABC’s headquarters in Sydney and seized several documents, according to John Lyons, executive editor at ABC news, who was allowed in the room as several police officers combed through thousands of emails.

“They have downloaded 9,214 documents. I counted them,” Lyons told ABC news in a live interview. “They have set up a huge screen and they are going through email by email. It’s quite extraordinary. I’ve never seen an assault on the media as savage as this one I’ve seen on ABC.”

“The AFP have the power now to be going through those documents and essentially deleting anything they want. They can change material,” said Lyons who live-tweeted events as they unfolded.

The news is the second raid on members of the press in Australia in less than 24 hours. Combined with the recently passed Assistance and Access Bill, also known as the anti-encryption law, these raids are especially troubling. “Australia is heading down a path that leads to its citizens not being able to speak freely nor privately,” said Paul Bischoff, privacy advocate with Comparitech.com.

“When members of the press are targeted by their own governments, it's important for journalists to step up their cybersecurity and protect sources. If you cannot depend on the law to protect press freedoms, then journalists must take care to secure their communications, notes, drafts, data, documents and other materials. Most importantly, they need to encrypt their phones and laptops, connect to reputable virtual private networks (VPNs) and use secure communication channels with end-to-end encryption.”

Categories: Cyber Risk News

#Infosec19: Mitigating Risks and Managing Third Party Threats

Thu, 06/06/2019 - 14:41

Speaking at Infosecurity Europe 2019 on 'Effective Steps to Reduce Third Party Risk,' Scott W. Coleman, director of product management at Owl Cyber Defense, said that the average number of connections to a facility is 583. “Most are legitimate, but how many are appropriate?” he asked.

He said that there are “vendors and companies and entities who need access to your plant, enterprise or base” and while many have a good reason to have access, you need to be sure that they are not presenting a risk that you don’t need.

Coleman recommended determining what you need to protect, which connectors and disaster recovery systems you need to protect, and which vendor service level agreements you need to maintain “but be subversive on what needs to have access.”

He encouraged companies to focus on the following when evaluating a third party: which products and services require access; which companies have a higher level of personnel turnover; and which have been involved in breaches themselves, “as a lot of the time, a company has a third party connecting,” so the third party's own level of cybersecurity matters.

Looking at strategies for mitigation, Coleman asked how many in the audience know who those 583 are, what access they have, and whether they have a good handle on what they are doing. “Understand and measure what they are doing as it is hard to protect against them,” he said.

Next, he recommended looking at what value and risk is presented and added to you by third party access, and apply resources to the highest risk and which assets are being touched. He said you should seek to reduce your footprint and the number of things you focus your resources on, and apply this posture to things the third parties affect.

“The bottom line is segmenting and least privilege,” he said. “The biggest problem is coming in laterally and if you put in segmentation and proper privilege, prevent movement and what all have access to.”

He said that the final way to mitigate is to use a zero trust approach, and the problem is that “trust but verify” is hard to achieve in practice. “The problem is when you take your eye off it, you no longer have the trust factor.”

He concluded by pointing to the Department of Homeland Security’s strategies for mitigating third-party risk. These are recommended as:

  • Reduce/eliminate connections in/out the network
  • Convert two-way connections to one-way out of the plant
  • Convert two-way connections to one-way into the plant
  • Secure remaining two-way connections

Categories: Cyber Risk News

#Infosec19: MITRE ATT&CK Framework Effective in Defending CNI

Thu, 06/06/2019 - 14:10

Speaking at Infosecurity Europe 2019 Andrew Habibi-Parker, director – professional services, EMEA & APJ at LogRhythm, explored security risks surrounding critical national infrastructure (CNI) and outlined why the MITRE ATT&CK Framework can be pivotal in defending and protecting critical infrastructures.

Habibi-Parker explained that there are some critical elements of national infrastructure such as assets, facilities, systems and networks which, in the event of a compromise, can be targeted by attackers to affect the integrity or delivery of essential services, resulting in significant impact on national security, national defense or the functioning of the state.

He said the “UK Government’s cyber strategy and NIS Directive is playing a key role in helping improve cybersecurity in UK CNI organizations” but added that the rapid emergence of new vulnerabilities and malicious actors’ smarter tactics make it “impossible to completely secure CNI networks and systems.” A focus on reducing detection and response times is therefore crucial, Habibi-Parker explained, and that’s where the MITRE ATT&CK Framework can be very effective.

That’s because MITRE ATT&CK “uses real world intelligence on the TTPs used by APT groups.” It’s a great way to validate and improve your detection, incident handling and continuous monitoring capabilities, Habibi-Parker said.

However, Habibi-Parker was quick to point out that MITRE ATT&CK is not “a replacement for cybersecurity best practices” nor is it a list of fully-achievable objectives. It may also not be the right choice for an organization that does not have a SOC, he added, and “implementing monitoring of endpoints and behavioral analytics is critical to success.”

Categories: Cyber Risk News

#Infosec19: Passwords Are Here to Stay, Warns Troy Hunt

Thu, 06/06/2019 - 13:29

Five years from today there will be more passwords in use than at present – despite their inherent security failings – according to HaveIBeenPwned founder Troy Hunt.

Presenting the Infosecurity Hall of Fame Annual Lecture on the last day of Infosecurity Europe today, Hunt sought to dispel some common misconceptions about cybersecurity.

HaveIBeenPwned started as a “fun project” back in 2013 and the free site now has over 7.8bn compromised accounts listed, which users can check to see if they have been breached.

Unfortunately, passwords are here to stay despite the emergence of solutions like multi-factor authentication which are far more secure, Hunt warned.

“They may be good technical solutions … but every single person in this room knows how to use a password, as bad as it is security wise,” he argued.

This usability will always trump security concerns, but organizations can and should make log-ins more robust by enhancing passwords with password managers and U2F keys, he added.

The dark web is often blamed for providing a platform for cyber-criminals to trade such credentials online, but the surface web is also a major offender, Hunt claimed.

He showed a screenshot of a single Twitter account which posted MEGA links to the notorious “Collection” combo lists, publicly exposing billions of unique emails and passwords, for example.

That’s not all: YouTube is awash with “hundreds” of how-to videos, detailing the simple steps budding cyber-criminals can take to launch SQLi attacks, credential stuffing and more, Hunt claimed.

Some of those he played on stage appeared to be voiced by teens, highlighting another misconception about cybercrime: that it tends to be the work of hardened, organized gangs.

One former law enforcer was quoted following the TalkTalk attack as suggesting it was the work of “Russian Islamic cyber jihadis,” for example. In reality, the breach, which cost the telco £77m, was mainly down to a 17-year-old boy.

“The damage [kids] can do is massive. So many children have access to this [hacking] information that anyone can use it without knowing the problems it can cause,” he argued. “We’ve got to do more to set kids back on the right path.”

The National Crime Agency’s Cyber Choices campaign highlights the scale of the problem, and the need to raise awareness among parents of what their kids may be up to.

Categories: Cyber Risk News

#Infosec19: “We Can Build Safe 5G Networks Irrespective of Supplier” – NCSC

Thu, 06/06/2019 - 13:19
#Infosec19: “We Can Build Safe 5G Networks Irrespective of Supplier” – NCSC

Governments and industry need to “focus on fixes, not fear,” and work out how to build safer 5G networks rather than obsessing about national security concerns leveled at suppliers, according to the National Cyber Security Centre (NCSC).

NCSC boss, Ciaran Martin, told attendees on day three of Infosecurity Europe this morning that the next generation of network infrastructure can be architected in a way that mitigates risks posed by vendors.

Referring to a tabloid headline which claimed Huawei could theoretically turn off all the household appliances in UK smart homes if allowed to build 5G, he argued: “We don’t have to build 5G networks that way and I’d argue we shouldn’t.”

Martin added: “We have to get 5G network security right, and that is a much bigger issue than the national identity of suppliers.

“It would be a real shame if we allowed fear back into cybersecurity. People need to understand the risks, and we, as experts, need to understand and explain how network security can be [implemented] to give a satisfactory level of assurance.”

The UK government has worked hard over the past few years to move from a fear-based approach to cybersecurity to a pragmatic one, he claimed.

Part of the journey towards a more mature approach to cybersecurity means promoting pragmatic ways to tackle threats rather than glamorizing attacks.

“Cybersecurity is not something we should be scared of and not something we should scare people about,” argued Martin. “The first step is to understand that and the diversity of it and [not promote] cybersecurity as a big technical ball of risk that non-technical people can’t understand.”

To help in this, the NCSC has produced a “five questions for boards” document, so that business leaders are better equipped to discuss issues in-depth with CISOs.

“You don’t all have to be cyber experts, but you need to know how to talk to cyber experts,” Martin added.

Quick wins could be had from focusing on improving baseline security, he added, claiming that the notorious state-sponsored Cloudhopper attackers managed to infect some victims using a 19-year-old virus because they were running outdated systems and flat networks.

Martin concluded on a note of optimism, claiming that, unlike the start of the digital revolution 20 years ago, industry experts can see a lot of what’s coming down the road. By working “seriously, dispassionately and transparently,” progress can be made to eradicate structural vulnerabilities, he argued.

Categories: Cyber Risk News

#Infosec19: DNS Rebinding Attacks Could Hit Billions of IoT Devices

Thu, 06/06/2019 - 13:12
#Infosec19: DNS Rebinding Attacks Could Hit Billions of IoT Devices

DNS rebinding attacks are a real threat that could hit the billions of internet of things (IoT) devices in people’s homes, according to Craig Young, principal security researcher at Tripwire.

Young was speaking in the Geek Street Theatre on day three of the Infosecurity Conference at London’s Kensington Olympia.

During the session, Young explained the impact of the threat – which turns a victim’s browser into a proxy for attacking private networks – within IoT. “Over the years, I have found countless vulnerabilities in IoT products,” he said.

This is partly because IoT often uses HTTP, which is vulnerable to DNS rebinding. In the future, the consequences could be significant: Rebinding also opens new doors for botnets, according to Young.

“The problem is, defenders seem to discount this as a real threat, but in the future, someone might want to create a botnet and there will be more hosts to target,” he said.

During his research, Young found devices including the Google Home smart speaker were vulnerable to DNS rebinding attacks. “I was able to ask the Google Home to give me IP addresses of nearby access points so I could tell where devices were,” he explained.

Another class of devices vulnerable to DNS rebinding are IoT units using SOAP, the standards-based web services access protocol. “You can use this to steal data, disable devices and brick them,” he said.

Young said vulnerable IoT devices included the Belkin Wemo smart outlet and the Sonos connected speaker – the latter of which allowed him to play false content and rename or reset the device.

In order to prevent DNS rebinding attacks, Young advises mitigation at the DNS layer, segmenting networks, using the NoScript extension for Firefox or “various adblockers.”

At the same time, Young said: “Devices and everything else should be using HTTPS – which is not affected by DNS rebinding. All apps need authentication: Even if it’s a home network, it should have some kind of credential mechanism.”

Categories: Cyber Risk News

#Infosec19: Dark Web Sales Offer Network Access for $10,000

Thu, 06/06/2019 - 12:05
#Infosec19: Dark Web Sales Offer Network Access for $10,000

Sales of access to FTSE 100 and Fortune 500 corporate networks have increased on the dark web.

According to research by Bromium and the University of Surrey, presented at Infosecurity Europe, four in ten dark net vendors are selling targeted hacking services aimed at FTSE 100 and Fortune 500 businesses, while there has been a 20% rise in the number of dark net listings in the last three years, specifically “with a direct potential to harm the enterprise.”

The most heavily targeted industries were identified as banking (34%), ecommerce (20%), healthcare (15%), and education (12%). Threats tailored to specific industries or organizations also outnumber off-the-shelf varieties by a ratio of 2:1.

“Almost every vendor offered us tailored versions of malware as a way of targeting specific companies or industries,” said Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey. “The more targeted the attack, the higher the cost, with prices rising even further when it involved high-value targets like banks. The most expensive piece of malware found was designed to target ATMs and retailed for approximately $1,500.”

Access to corporate networks is sold openly; 60% of vendors approached by researchers offered access to more than ten business networks each and 70% of dark net vendors engaged invited researchers to talk on encrypted messaging applications, like Telegram, to take conversations beyond the reach of law enforcement.

Speaking to Infosecurity, Bromium president and co-founder Ian Pratt said that dark web “stores” are often just a “shop window” to sell services, and most transactions usually take place over encrypted communication channels like Signal and Telegram.

“The dark web is not an index, but a bunch of sites separate from the regular web,” Pratt said. He also said that access to networks is commonly sold for around $10,000, but it is not too hard to determine what a company uses. “Also it is not even zero-days, it is bypassing detection-based systems,” he said.

Pratt also said that many cyber-criminals now have separate supply chains to provide language services and tailored malware for the attack. One example is the Emotet banking Trojan, which is often used as the dropper for the initial infection; command and control access is then sold on, the payload scrapes credentials, and the Trojan is re-used for cryptojacking.

Aside from access to financial services and e-commerce, healthcare information was targeted by 15% of actors. Pratt explained that commonly, the information is held for ransom and if the ransom is not paid, the details are released.

“The methods for providing access varied considerably,” Dr. McGuire explained. “Some involved stolen remote access credentials that are for sale for as little as $2, others involve backdoor access or the use of malware. Illicit remote access tools appear to be most popular – we were offered Remote Access Trojans at least five times more often than keyloggers.

“Enterprises, researchers, and law enforcement must continue to study the dark net to get a deeper understanding of the adversaries that we are dealing with, and better prepare ourselves for counteracting the effects of a growing cybercrime economy.”

Categories: Cyber Risk News

Tennessee Valley Authority Isn't Compliant with Federal Directives

Wed, 06/05/2019 - 17:41
Tennessee Valley Authority Isn't Compliant with Federal Directives

The Tennessee Valley Authority (TVA) inspector general has reported that 115 TVA registered domains were found not meeting the Department of Homeland Security (DHS) standards for cybersecurity during an audit earlier this year. A memo published by the TVA Inspector General's Office on May 29, 2019, reported that internal auditors also found that encryption requirements were inadequate on 20 TVA websites. 

The review was part of an annual audit plan to ensure that the TVA was compliant with two federal directives that require website and email security controls. These controls had to comply with the Office of Management and Budget’s (OMB) memorandum M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, and DHS's binding operational directive (BOD) 18-01, Enhance Email and Web Security, regarding website and email security practices.

According to David Wheeler, the assistant inspector general for audits and evaluations, the TVA was found not to be compliant with OMB M-15-13 and DHS BOD 18-01. "In addition, we found that TVA's web site inventory was incomplete." These findings were formally communicated to TVA management on March 26, 2019.

The fieldwork for the audit was carried out from November 2018 to March 2019. The team obtained TVA's website inventory from the TVA's cybersecurity personnel and compared it to the population of identified publicly accessible websites, according to the memo from Wheeler. Internet domain listings were also collected. The identified domains and websites were then scanned using tools to determine compliance with OMB M-15-13 and DHS BOD 18-01 requirements. Out of 116 domains, 115 did not meet requirements, and encryption requirements were inadequate on 20 out of 55 TVA websites.

This left TVA emails and websites open to attacks, such as phishing. Research by IRONSCALES found that secure email gateways (SEG) failed to stop 99.5% of all nontrivial email spoofing attacks. A two-year analysis of more than 100,000 verified email spoofing attacks found that the most common spoofing techniques included sender name impersonations and domain look-alike attacks, which bypass SEG technology on a regular basis.

In his memo, Wheeler recommended that email security policies for domains be updated to meet requirements and reviewed periodically for compliance. He also wrote: "Update websites that were not compliant with OMB M-15-13 and DHS BOD-18-01 requirements, and review on a periodic basis for compliance," as well as review the website inventory.

TVA management agreed with the audit findings and recommendations in this report, according to the memo. 
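The kind of check an audit against OMB M-15-13 and DHS BOD 18-01 runs over a domain inventory, as an added example (not the TVA inspector general's tooling). The requirements encoded come from the directives themselves, not from this article: BOD 18-01 asks federal domains for an SPF record and a DMARC policy of p=reject, and M-15-13 with BOD 18-01 asks web services for HTTPS with an HSTS max-age of at least one year. The DNS records and HTTP headers fed to it are constructed sample data.

```python
"""Email and web compliance findings in the style of a BOD 18-01 scan (added example).

Each function returns a list of human-readable findings; an empty list
means the domain or site passed that part of the check.
"""
import re

ONE_YEAR = 31536000  # BOD 18-01 asks for an HSTS max-age of at least one year


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def email_findings(spf_records: list[str], dmarc_records: list[str]) -> list[str]:
    """Email policy checks: an SPF record must exist and DMARC must enforce p=reject."""
    findings = []
    if not any(r.lower().startswith("v=spf1") for r in spf_records):
        findings.append("no SPF record")
    if len(dmarc_records) != 1:
        # Multiple DMARC records are invalid and receivers ignore them.
        findings.append("expected exactly one DMARC record, found %d" % len(dmarc_records))
    else:
        tags = parse_dmarc(dmarc_records[0])
        if tags.get("v") != "DMARC1":
            findings.append("malformed DMARC record")
        elif tags.get("p", "").lower() != "reject":
            findings.append("DMARC policy is p=%s, not p=reject" % tags.get("p", "none"))
    return findings


def web_findings(scheme: str, headers: dict[str, str]) -> list[str]:
    """Web checks: the site must be served over HTTPS with a one-year HSTS policy."""
    findings = []
    if scheme != "https":
        findings.append("site not served over HTTPS")
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    return findings


if __name__ == "__main__":
    # Constructed sample data for one domain in the inventory.
    print(email_findings(["v=spf1 -all"], ["v=DMARC1; p=none; rua=mailto:dmarc@example.gov"]))
    print(web_findings("https", {"Strict-Transport-Security": "max-age=3600"}))
```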

Categories: Cyber Risk News

UK Hasn't Made Sufficient Progress in National Security Strategy

Wed, 06/05/2019 - 17:31
UK Hasn't Made Sufficient Progress in National Security Strategy

The Public Accounts Committee has found that the UK government has not made sufficient progress on developing long-term objectives for the National Security Strategy.

According to the announcement made today, a weak evidence base and a lack of a business case for the National Cyber Security Programme made it difficult for the Cabinet Office to assess whether it will meet all its objectives by 2021.

The National Cyber Security Centre (NCSC) has dealt with over 1,100 cybersecurity incidents since it was established in October 2016. Committee chair Meg Hillier says that the UK will need to protect itself against risks created by more and more services going online, but there is concern that consumers do not know how well they are protected: "We welcome the National Cyber Security Strategy but are concerned that the program designed to deliver it is insufficient," she explained.

"As it currently stands, the strategy is not supported by the robust evidence the department needs to make informed decisions and accurately measure progress. On top of this, neither the strategy or the program were grounded in business cases – despite being allocated £1.9bn funding.

"Looking longer term, we are disappointed that the department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy."

Since 2011, the Cabinet Office has managed two five-year national cybersecurity strategies. According to the report, it is beginning to make progress in meeting the strategic outcomes of the current one, the 2016–2021 National Cyber Security Strategy, after a poor start.

But the report has also found that as well as a weak evidence base, it is also unclear whether the money allocated at the start of the program was the right amount, making it more difficult to judge value for money. 

A third (£169m) of the program’s planned funding for the first two years was either transferred or loaned to support other government national security priorities, such as counterterrorism activities, according to the Public Accounts Committee. Some £69m of this funding will not be returned to the program, which seems at odds with the government’s claim that cybersecurity is a priority.

The recommendations include that the Cabinet Office ensure another long-term coordinated approach to cybersecurity is in place before the current one finishes in March 2021. Further, it has suggested that a business case should be produced.

The committee has asked the Cabinet Office to write to it by November 2019, setting out what progress it is making in using evidence-based decisions to prioritize cybersecurity work. This includes plans for undertaking a robust "lessons learned" exercise.

It is also expected that the Cabinet Office will publish its costed plan for the strategy in autumn 2019. 

Categories: Cyber Risk News
