Apple has been forced to remove one of the most popular security apps on its Mac App Store after it was found to be secretly exfiltrating browser data to China.
Adware Doctor had a 4.8-star rating off the back of over 7000 user reviews and sat at the top of the list of paid utility apps.
However, despite running as an anti-malware and anti-adware product, the Mac application was also found to be engaged in some rather dubious activities.
Specifically, researchers noted it had been gathering browser history from Chrome, Safari and Firefox users, along with a list of all running processes and software downloads, before sending that data to AWS servers administered by someone in China.
“Most of this is data that App Store apps should not be accessing, much less exfiltrating. In the case of the list of running processes, the app had to work around blockages that Apple has in place to prevent such apps from accessing that data,” explained Malwarebytes director of Mac and mobile, Thomas Reed.
“The developers found a loophole that allowed them to access that data despite Apple’s restrictions.”
Reed claimed that the app itself has a long track record of unscrupulous behaviour: it was previously called “Adware Medic” — a title which Reed said was a “rip off” of his app of the same name. Once Apple was informed of this, the developer simply changed the name to Adware Doctor.
The case seems to call into question Apple’s vetting process for apps on its official marketplace.
“We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long,” said Reed.
Other official App Store applications tracked by Reed which are actively exfiltrating user data to the developer’s servers include Open Any Files, Dr Antivirus, and Dr Cleaner.
“It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes,” concluded Reed.
“I strongly encourage you to treat the App Store just like you would any other download location: as potentially dangerous. Be cautious of what you download. A free app from the App Store may seem perfectly innocent and harmless, but if you have to give that app access to any of your data as part of its expected functionality, you can’t know how it will use that data. Worse, even if you don’t give it access, it may find a loophole and get access to sensitive data anyway.”
US voting infrastructure should return to paper ballots by the next presidential election, according to a major new report from the non-profit The National Academies of Sciences, Engineering, and Medicine.
Commissioned by the non-profit Carnegie Corporation of New York and charity the William and Flora Hewlett Foundation, the two-year report concluded that online voting apparatus is too exposed to potential compromise.
Citing Russian infiltration ahead of the 2016 presidential election, it warns that “aging equipment and a lack of sustained funding” have further undermined efforts to maintain resilience.
Ideally by the mid-terms later this year but certainly by the next presidential election in 2020, all US local, state and federal elections should return to human-readable paper ballots, the report argued. Not only this, but marked ballots should also not be sent over the internet or any connected network, as no technology can currently guarantee their “secrecy, security, and verifiability.”
These ballots could be made and counted by hand or machine, but any systems which don’t allow for independent auditing should be removed, the report continued.
It also called for “risk limiting” audits to be brought in prior to certification of results — by hand-examining several hundred ballots, auditors can use these to quickly understand if there has been any foul play.
Election officials should also routinely assess the integrity of voter registration databases, and states using electronic “pollbooks” should have back-up plans in place, the report added.
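The risk-limiting audit described above, as an added example that is not from the report or the original article: a BRAVO-style ballot-polling audit for a two-candidate contest, which draws ballots at random, hand-reads each one and stops as soon as the evidence supports the reported outcome at the chosen risk limit. The function names, the 5% risk limit and the sampled ballots are assumptions constructed for illustration.

```python
"""Ballot-polling risk-limiting audit in the BRAVO style (added example).

Shows the idea behind the "risk limiting" audits the report calls for:
draw ballots uniformly at random, hand-read each one, and stop as soon as
the evidence that the reported winner really won is strong enough. If the
sample keeps disagreeing with the reported result, the audit never stops
early and escalates to a full hand count. Two-candidate contest; the
sampled ballots below are constructed, not real election data.
"""
import math
from typing import Iterable


def bravo_audit(reported_winner_share: float, sampled_ballots: Iterable[str],
                risk_limit: float = 0.05) -> dict:
    """Sequential BRAVO test for a two-candidate contest.

    reported_winner_share: the winner's reported share of valid votes (> 0.5).
    sampled_ballots: hand-read marks of ballots drawn uniformly at random,
        'W' for the reported winner, 'L' for the reported loser.
    risk_limit: the largest chance the audit may accept a wrong outcome.

    Returns {'confirmed': bool, 'ballots_examined': int, 'test_statistic': float}.
    'confirmed' is True once the reported outcome is supported at the risk limit.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("winner share must be strictly between 0.5 and 1")
    p_w = reported_winner_share
    # Likelihood ratio of "reported share is correct" against "it is a tie".
    # A winner ballot multiplies it by p_w / 0.5, a loser ballot by (1 - p_w) / 0.5,
    # so a sample that matches the reported result drives it upward.
    t = 1.0
    threshold = 1.0 / risk_limit
    examined = 0
    for mark in sampled_ballots:
        examined += 1
        if mark == "W":
            t *= p_w / 0.5
        elif mark == "L":
            t *= (1.0 - p_w) / 0.5
        else:
            raise ValueError(f"unexpected ballot mark {mark!r}")
        if t >= threshold:
            return {"confirmed": True, "ballots_examined": examined, "test_statistic": t}
    return {"confirmed": False, "ballots_examined": examined, "test_statistic": t}


def expected_sample_size(reported_winner_share: float, risk_limit: float = 0.05) -> int:
    """Rough expected number of ballots needed when the reported share is true.

    Uses the average log-growth of the test statistic per ballot; a planning
    figure only, not the exact BRAVO average-sample-number formula.
    """
    p_w = reported_winner_share
    growth = p_w * math.log(2 * p_w) + (1 - p_w) * math.log(2 * (1 - p_w))
    return math.ceil(math.log(1 / risk_limit) / growth)


def constructed_sample(pattern: str, n: int) -> list:
    """Deterministic stand-in for a random draw: repeat a mark pattern n times."""
    return [pattern[i % len(pattern)] for i in range(n)]


if __name__ == "__main__":
    # Reported 60/40 result; the hand-read sample agrees with it (constructed 3 W : 2 L).
    agree = bravo_audit(0.60, constructed_sample("WWWLL", 500))
    print("sample agrees with reported result:", agree)
    print("planning estimate for a 60/40 race:", expected_sample_size(0.60), "ballots")
    # Same reported result, but the hand-read sample is actually split 50/50:
    # the statistic never reaches the threshold, so a full hand count is needed.
    disagree = bravo_audit(0.60, constructed_sample("WL", 500))
    print("sample contradicts reported result:", disagree)
```

With a 60/40 reported result the agreeing sample is confirmed after 128 ballots, the "several hundred" scale the report describes, while the 50/50 sample is never confirmed and the audit escalates to a full hand count.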
“This is a critical time for our country,” said Lee Bollinger, president of Columbia University and co-chair of the committee that conducted the research.
“As a nation, we need to take collective action to strengthen our voting systems and safeguard our democracy. In addition, the nation’s leaders need to speak candidly and apolitically about threats to election systems. The American people must have confidence that their leaders place the larger interests of democracy above all else.”
A Venafi poll of 400 global IT security pros last month revealed that 93% believe election infrastructure is at risk of attack and 81% claim hackers will target key data as it is transmitted from local polling stations to centralized points.
A Croatian-born Silicon Valley CEO is facing serious jail time after pleading guilty to charges related to a $1.5m investment fraud scheme.
Renato Libric, former CEO of digital gift-card start-up Bouxtie [pronounced “bow-tie”], admitted overstating the financial prospects of the firm and forging documents that gave him authority to sell shares to investors.
The 39-year-old resident of Redwood City, California, is said to have taken several steps between August 2017 and February 2018 to persuade investors from a Las Vegas company to put over $1m into his business.
To do this he lied by claiming a large publicly traded company was interested in buying Bouxtie for $150m. Doubling down on the lie, he subsequently created a Term Sheet to back up his claim, and forged the signature of one of the execs at the company ‘interested’ in buying his own.
He then sent that document, and a forged bank statement grossly exaggerating Bouxtie’s financial health, to the investors, according to the Department of Justice.
Although there was only $7642 in the corporate coffers, Libric falsified the statement so that the balance was over $2m.
He also placed the signatures of Bouxtie board members on another document designed to authorize him to enter into an agreement with the Vegas investors to receive $1.5m in exchange for shares.
After his antics convinced them to hand over the money, Libric is said to have immediately withdrawn over $130,000 and moved the funds to his own checking account.
Libric pleaded guilty to a May indictment of one count of wire fraud, in violation of 18 U.S.C. § 1343 and 2.
The maximum penalty for wire fraud is 20 years behind bars and a $250,000 fine, followed by three years of supervised release.
The Kaspersky Lab report, Threat Landscape for Industrial Automation Systems in H1 2018, indicated that 41.2% of ICS computers protected by Kaspersky Lab solutions were attacked by malicious software at least once in the first half of 2018, with the largest percentage of the attacks targeting Vietnam (75.1%), Algeria (71.6%) and Morocco (65%).
The data collected also showed that the safest regions for industrial machines were Denmark (14%), Ireland (14.4%) and Switzerland (15.9%). Countries that saw a significantly higher percentage of attacks were all within Africa, Asia and Latin America.
According to Kaspersky Lab experts, the percentage of ICS computers attacked was 36.61% during the first six months of 2017, which rose only slightly to 37.75% during the next six months. The continued growth, which reached nearly 42% during the first half of 2018, is a concern for company experts.
“The percentage of cyber-attacks on ICS computers is a concern,” Kirill Kruglov, security researcher at Kaspersky Lab said in a press release. “Our advice is to pay attention to systems’ security from the very beginning of their integration when the systems’ elements are first connected to the internet. Neglecting security solutions at this stage could lead to dire consequences."
Researchers found that the primary vector of infection for ICS computer attacks came from the internet. More than one-fourth (27%) came from the web, while only 8.4% were received through removable storage media, and an even smaller percentage (3.8%) came from mail clients.
The data collected also revealed different factors that affected the security of ICS computers. “Notably, all countries that, based on our data, had minimal percentages of ICS computers attacked, were classified by the International Monetary Fund as advanced economies,” the report stated.
“In addition, six of the ten countries that had the lowest percentage of ICS computers attacked – percentage of ICS systems attacked in regions of the world ... the US, the UK, the Netherlands, Sweden, Switzerland and Israel – were among the TOP 20 countries according to Global Cybersecurity Index 2017 developed by the International Telecommunication Union (ITU).”
Germany-based researchers found a way to spoof certificates, even those protected with PKI-based domain validation, according to The Register.
With nothing more than a laptop, the group was able to steal credentials and eavesdrop on certificate authorities. “We evaluated the attack against a number of CAs and we set up a live (automated) demo against one CA,” said Dr. Haya Shulman, head of the cyber security, analytics and defenses division at the Fraunhofer Institute for Secure Information Technology.
“Essentially, many CAs that support domain validation can be attacked. We demonstrated an attack which redirects the CA to an attacker machine via DNS cache poisoning," Shulman said.
"But, other techniques can be applied, such as BGP prefix hijack. Indeed, such attacks are common and only recently MyEtherWallet users were attacked via BGP prefix hijack that was then exploited for DNS cache poisoning. Essentially this means that such attacks are happening and an important security mechanism such as the web PKI should be protected against such practical attacks.”
Researchers will present their findings, which name the affected Certificate Authorities (CAs), at the ACM’s Conference on Computer and Communications Security in Toronto on October 15-19, 2018. The goal of sharing the research is not to guard only against their attack findings but to harden the PKI against off-path attackers and to make it secure against man-in-the-middle (MitM) attackers.
“While this attack is relatively complex to pull off, it demonstrates a fundamental problem with Domain Validated (DV) certificates. DV-issued certificates offer the lowest level of identity validation, sacrificing solid identity proof in exchange for speed and automation,” said Justin Hansen, security architect at Venafi.
“The impact of this attack can be quite serious because if an attacker can successfully poison DNS for any domains owned by a targeted organization, they will be able to get a certificate for that organization, and everyone on the internet will trust it. The attacker can then do a whole range of malicious things with that domain.”
Because these types of compromises can occur, Hansen said that organizations should explore higher assurance certificates such as Organization Validation (OV) and Extended Validation (EV).
“As we also argue in the paper, certificate authorities that support Domain Validation (DV) control more than 95% of the certificate market,” Shulman said.
“The reason is that the process is faster, cheaper and easier (it is mostly automated). The OV and EV certificates take a long time to issue, are cumbersome and more expensive (which is why most domains do not use them). It also would not completely mitigate the security issue. Essentially we recommend deploying DV.”
A state-sponsored mobile surveillance operation, similar in pattern to previous operations launched by the Iranian government against individuals, has been identified by researchers at Check Point.
The researchers have uncovered a mobile-based attack targeting Iranian citizens that operates with such a low profile it has flown under the radar of detection since 2016. The attack patterns are similar to other Iranian APT (advanced persistent threat) attacks, and researchers have dubbed this latest discovery “Domestic Kitten,” keeping in line with both “Rocket Kitten” and “Charming Kitten.” Applying the kitten term is reportedly a reflection of a low level of respect for the group's hacking methods.
The attack uses fake, decoy content to entice its targets into downloading mobile applications which are loaded with spyware. According to researchers, the malicious Android mobile apps include an ISIS-branded wallpaper changer, which apparently targets advocates of the terrorist organization.
In addition, a fake "update" app from the legitimate ANF Kurdistan News attempts to deceive targets with specious content. The content offered by the application suggests that the targets are the Kurdish ethnic group. Additionally, the actors have also used a fake version of the Vidogram messaging app.
These apps collect sensitive information about the targeted people, collecting data from the targets’ mobile devices which includes contact lists, phone call records, SMS messages, web browser histories and bookmarks, geolocation of the victim, photos, voice recordings and more.
The highly targeted individuals reportedly include Kurdish and Turkish natives and ISIS supporters. One of the strongest commonalities among the attacks is that the majority of the nearly 240 people identified are Iranian citizens.
While researchers have not identified the exact actors behind the attack, they have determined through their observations that the nature of the apps and the attack infrastructure appear to be the work of Iranian actors.
“Such surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime, including internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran,” researchers wrote.
A teen hacker who was arrested earlier this week was identified by his email provider after deciding to DDoS the firm.
George Duke-Cohan, 19, pleaded guilty at Luton Magistrates Court this week to three counts of making hoax bomb threats.
Also known by the online monikers “7R1D3N7,” “DoubleParallax” and “optcz1,” Duke-Cohan was a vocal member of the infamy-seeking hacking collective known as Apophis Squad, which decided to DDoS Swiss-based secure email provider ProtonMail.
That was the group’s first mistake as it alerted the ProtonMail security team to start investigating.
“In this endeavor, we were assisted by a number of cybersecurity professionals who are also ProtonMail users. It turns out that despite claims by Apophis Squad that federal authorities would never be able to find them, they themselves did not practice very good operational security. In fact, some of their own servers were breached and exposed online,” the firm explained.
“By sifting through the clues, we soon discovered that some members of Apophis Squad were in fact ProtonMail users. This was soon confirmed by a number of law enforcement agencies that reached out to us. It seemed that in addition to attacking ProtonMail, Duke-Cohan and his accomplices were engaged in attacking government agencies in a number of countries.”
The digital trail eventually led back to Duke-Cohan, who was identified as a member of the hacking group in the first week of August.
British police held off arresting him, presumably to see if they could catch more members of the group, but the final straw came when he phoned in a bomb hoax for a United Airlines flight to San Francisco and started emailing out more bomb threats to schools.
Reports suggest there could be more charges to follow for Duke-Cohan, including a possible extradition to the US.
“Our mission is to bring privacy, security, and freedom of information to citizens around the world. However, this does not extend to protecting individuals who are engaged in criminal activities,” concluded ProtonMail. “That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime.”
The US government has turned up the heat on Pyongyang after indicting a North Korean citizen and member of the infamous Lazarus Group for the attacks on Sony Pictures Entertainment (SPE) and Bangladesh Bank and for the WannaCry ransomware.
Filed on June 8, 2018 in Los Angeles federal court and posted today, the indictment alleges that programmer Park Jin Hyok worked for a government front company known as Chosun Expo Joint Venture, or Korea Expo Joint Venture (KEJV), which has offices in China and the DPRK.
As well as working for paying clients around the world, Park and his colleagues are said to have engaged in malicious activities on behalf of the North Korean military.
Alongside WannaCry and the sophisticated attacks on SPE and Bangladesh Bank, the group is said to be responsible for unsuccessful attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for South Korea’s THAAD missile defense system.
Other unsuccessful raids show the scale of the operation, including spear-phishing emails sent to a movie theater chain and a UK firm producing a fictional series involving a British nuclear scientist taken prisoner in North Korea.
The DoJ claims that Park and his unnamed co-conspirators were linked to the attacks through: email and social media accounts used to send spear-phishing emails; online aliases; malware “collector accounts” used to store stolen credentials; malware code libraries; proxy services they used to hide their location; and North Korean, Chinese and other IP addresses.
“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said assistant attorney general John Demers.
“The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage."
Security experts welcomed the Department of Justice action.
FireEye senior manager of cyber-espionage analysis, Benjamin Read, said the DoJ complaint was “consistent with FireEye’s analysis of both the scope and attribution of this activity.”
“While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources,” he added. “FireEye has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organizations.”
SonicWall CEO Bill Conner said the move should serve as a reminder for consumers and organizations to remain vigilant in cyberspace.
“In today’s connected world, it is irresponsible to operate online without strict security standards,” he added. “Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as securing IoT devices to prevent tampering and unauthorized access.”
BA has been contacting customers after revealing a two-week raid on passengers’ personal and financial details which was finally spotted on Wednesday.
The UK carrier has taken out adverts in Friday’s newspapers apologizing for the breach, but details remain scant.
It claimed the stolen details did not contain “travel or passport details” but those affected are being urged to contact their bank as card details were taken. Reports suggest 380,000 transactions made over a 16-day period were affected.
“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making or changing bookings on our website and app were compromised,” a note on the BA site said. “The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.”
Although BA CEO, Alex Cruz, has been playing up the sophistication of the attack, nothing is yet known about how the hackers compromised the firm’s website and app. However, BA itself did not discover the incident — instead it had to be told by a partner on Wednesday, according to reports.
Experts urged affected customers to contact their bank immediately to cancel cards and change their BA.com passwords.
Eset security specialist, Jake Moore, warned of possible follow-on phishing attacks.
"After a large-scale incident like this, fraudsters from around the world will inevitably jump at the chance to try and catch a few unsuspecting people out,” he said.
“If you receive any emails purporting to be from this incident or such like mentioning it asking for any personal information or to click on unverified links, discard them.”
Others praised BA’s incident response.
"BA's reaction is very fast. The company's transparency and frankness serve as a good example to other companies who are prone to minimizing the consequences,” said High-Tech Bridge CEO, Ilia Kolochenko. “It is, however, too early to make any definitive conclusions prior to a holistic technical investigation of the breach and its origins.”
The breach represents the first major incident that actually took place after the GDPR came into effect, so the industry will be keenly awaiting further details as they emerge.
Criminals continue to infect millions of consumers by exploiting programmatic ads despite the efforts of some publishers and platform providers that use blockers to help prevent bad ads from souring user experience. However, The Media Trust has discovered that cybercriminals have found new ways to bypass those blocker defense solutions and execute their malicious code, while staying under the radar of security teams.
These commercial blocking solutions use scripts designed to detect and obstruct malicious domains and are often installed in a content delivery network. Researchers found that ad blockers might not be the complete solution to the malvertising problem.
“Recently, The Media Trust Digital Security & Operations (DSO) team prevented bad ads from executing on a publisher’s website, protecting their audience of 900,000 per week from infection,” Chris Olson, CEO, The Media Trust wrote in a blog post.
Despite the client’s use of malware blocking solutions, malware slipped through the blocker’s cracks in “dq6375rwn2aoi.cloudfront.net,” a known malicious domain. “It was disguised in a cloak of additional code that made it unrecognizable and unreadable, a process called obfuscation."
Malvertising drives up the costs of the US digital marketing, media and advertising industry by more than $8bn each year, according to our separate email interview with Olson. “Not surprisingly, many companies have turned to products that promise a quick fix, and blocking solutions are one example.
“No sooner than these solutions hit the market do bad actors begin stepping up their game with malware that can work around them and persist, often to conduct a multi-phased attack. One technique used in about 90% of mobile redirects is obfuscation – padding malware code with more code so blockers can’t recognize it. When malware is obfuscated, blockers fail to detect and thwart them.”
The Media Trust found that another deterrent to many blockers’ effectiveness is the lag between the time that new malware hits the ecosystem and the time that blocker data is updated, which is on average about every three to five days. “If a new attack occurs every 30 seconds, at least 8,000 attacks occur between updates. A single attack can infect from one to millions of victims.”
In an effort to help organizations address specific cybersecurity challenges, Virsec has announced a new Security Expert Series in which it will bring together globally recognized cybersecurity experts to offer insight and potential solutions to the problems enterprises are facing.
The series will be streamed via live webinars, each in a one-hour briefing that explores in depth the specific cybersecurity challenges in everything from the internet of things (IoT) to critical infrastructure. The series kicks off with Maj. Gen. Robert Wheeler (USAF Ret) sharing his experiences on “Protecting Critical Infrastructure from Cyberattacks” on September 11, 2018 at 1 pm EDT / 10 am PDT. Attendees may register here.
Gen. Wheeler served as deputy chief information officer for command, control, communications and computers (C4) and information infrastructure capabilities (DCIO for C4IIC), US Air Force.
Given that critical infrastructure is under unprecedented attack with new vulnerabilities emerging daily, Virsec chose to launch the series with a focus on how to defend against these threats. In his live webinar, Gen. Wheeler will discuss “the ‘perfect storm’ of political forces, aging infrastructure, increased automation, and advanced decentralized hacking; why outdated security models are failing; and the shift in mindset and defensive strategies essential to meeting the challenges ahead.”
The second session of the series will continue with a focus on overcoming security obstacles in IoT, but will more specifically focus on its coming together with IT systems and industrial operational technology (OT). Prith Banerjee, senior client partner at Korn Ferry and former EVP and CTO at Schneider Electric – recognizing that inadequate security puts industrial infrastructure at risk – will offer new security strategies to keep pace with convergence in IT/OT on Thursday, September 20, 2018 at 10 am PDT.
Rounding out the series on Tuesday, September 25, 2018, 8 am PDT will be renowned security experts Troels Oerting, head of Global Centre for Cybersecurity (GCC) of the World Economic Forum, and Usama Fayyad, former CIO of Barclays. The two will explore answers to the question, “Can We Rein in the Global Cybersecurity Crisis?"
Analysts in the security operations center (SOC) have long been overwhelmed with the noise coming from the increasing number of alerts. According to Demisto’s second annual State of SOAR Report, alerts are on the rise, leaving today’s security teams bombarded with 174,000 per week.
The report found that security teams were only able to review and respond to about 12,000 alerts each week, in part because they do not have enough people to keep pace with the number of alerts. Approximately 79% of survey participants said that the lack of qualified candidates leaves their mean time to respond (MTTR) for resolving incidents at an average 4.35 days.
The report also found that it takes an average of eight months to train security analysts to be effective, only to have a quarter of those professionals switch to a new company within two years.
“Today’s business landscape is a balancing act between technological progression and security. Workplace changes and technical innovations have made it easier to do business, but securing these diverse advances is an enormous task that falls upon overworked security teams,” said Rishi Bhargava, co-founder of Demisto.
In addition, the report found a lack of cohesive standards that help to streamline processes for security teams. A full 75% of respondents reported that they are fairly or very challenged by working with multiple security tools. When it comes to measuring incident response metrics, 42% of participants said they don’t have a system in place. More than half either do not have playbooks or have playbooks that are rarely updated.
“Security deployment is fractured due to innumerable specialized tools, making it difficult for security teams to manage alerts across disparate systems and locations, particularly considering the talent shortage present in security today,” said Bhargava.
“We’ve seen plenty of research that highlights the unending growth in security alerts, a widening cybersecurity skills gap, and the ensuing fatigue that is heaped upon understaffed security teams. That’s why we conducted this study – to dig deeper into these issues, their manifestations, as well as possible solutions. Our results produced captivating insights into the state of SOAR in businesses of all sizes.”
HP has become the first company to invest in a dedicated printing services bug bounty scheme, and will be offering rewards of up to $10,000 for researchers who correctly report vulnerabilities, based on the severity of the flaws discovered.
The news comes at a time when cyber-criminals are increasingly targeting endpoint devices in their attacks, which was highlighted in Bugcrowd’s recent 2018 State of Bug Bounty Report. That research revealed that print vulnerabilities across the industry had increased by 21% in the last year.
“As we navigate an increasingly complex world of cyber-threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP’s chief technologist of print security. “HP is committed to engineering the most secure printers in the world.”
Justine Bone, CEO, MedSec and security advisory board member for HP, added: “CISOs are rarely involved in printing purchase decisions, yet play a critical role in the overall health and security of their organization. For decades, HP has made cybersecurity a priority rather than an afterthought by engineering business printers with powerful layers of protection. And in doing so, HP is helping to support the valuable role CISOs play in organizations of every size.”
The Information Commissioner’s Office (ICO) has been forced to fine yet another marketing company for breaking privacy laws by failing to gain consent from individuals before bombarding them with messages.
Stevenage-based Everything DM Ltd (EDML) sent a whopping 1.42 million emails to recipients on behalf of its clients via a direct marketing system called Touchpoint.
That meant recipients had no clue the emails were being issued by EDML, which performed the service for clients for a fee.
“Whilst EDML have indicated that they carry out due diligence checks on the organizations that they license the data from, sight of the third party privacy policies and fair processing notices relied on by EDML for the marketing campaigns indicate that there is only reference to data being passed to unspecified ‘partners’ and/or ‘third party companies’, involved in a wide range of marketing sectors,” the ICO said in its penalty notice.
“EDML are not specifically named and in the circumstances do not appear to hold valid consent to engage in direct marketing. Furthermore there is no indication that the individuals had consented with the original list owners to receive direct marketing from the organizations for whom EDML sent direct marketing emails. The Commissioner is of the view that EDML relied wholly on indirect consent for their actions in relation to the licensed data.”
EDML has received a £60,000 fine for breaking the PECR, the privacy regulations which deal with the sending of marketing missives.
EDML is certainly not the first to be hit with a fine for email marketing. Last year Moneysupermarket.com was handed down an £80,000 penalty after bombarding customers with over seven million emails in a 10-day period, even though they’d opted out of direct marketing.
Consumer rights group Which? last month called on the government to come good on its promise of making directors of firms responsible for their PECR breaches. As it stands, many try to circumvent fines by declaring bankruptcy — leaving them free to start all over again.
Security researchers have lifted the lid on a new two-man cyber-heist outfit that has stolen $800,000 from banks around the world, with at least one member suspected of being a current or former white hat.
The Silence group was first detected by Group-IB back in 2016 when it unsuccessfully attempted to withdraw funds from AWS CBR, the automated workstation client of the Russian Central Bank.
Since then it has apparently expanded its repertoire to ATMs and card processing systems in more than 25 countries around the world, learning as it goes by analyzing other gangs’ methodologies.
The group is thought to be Russian-speaking based on the language it uses for commands, the location of its web hosting infrastructure and its choice of targets.
Group-IB claimed there are just two members, a developer and an operator, which is why Silence takes so long to commit a theft: up to three months.
“One gang member — a developer — has skills of a highly experienced reverse engineer. He develops tools to conduct attacks and modifies complex exploits and software. However, in development he makes a number of errors, that are quite common for virus analysts or reverse engineers; he knows exactly how to develop software, but he does not know how to program properly,” the firm claimed.
“The second member of the team is an operator. He’s got experience in penetration testing, which means he can easily find his way around banking infrastructure. He is the one who uses the developed tools to access banking systems and initiates the theft process.”
Attacks follow a similar pattern of phishing emails sent to banking staff purporting to be from co-workers. They also register phishing domains with self-signed certificates.
“In their first operations, Silence used a borrowed backdoor — Kikothac, which makes it clear that the group began its activity without any preparation — these were attempts to test the waters,” Group-IB continued.
“Later, the group’s developer created a unique set of tools for attacks on card processing and ATMs including Silence — a framework for infrastructure attacks, Atmosphere — a set of software tools for attacks on ATMs, Farse — a tool to obtain passwords from a compromised computer, and Cleaner — a tool for logs removal.”
A Nielsen shareholder has sued the company and its CEO and CFO for damages, alleging that it made misleading statements about its GDPR readiness.
Arun Bhattacharya took the case to the District Court for the Southern District of New York last week, claiming that shareholders were misled by statements made in conference calls and via press releases and other documents.
The statements are said to have covered both the preparedness of the company to comply with the regulation and whether it would affect Nielsen’s ability to access third-party data from Facebook and other firms which it relies on to generate its own metrics.
According to the filing, these included: “GDPR, we’ve been focused on this for some time … We’re ready. And we don’t see any significant impact for our … business.”
Another noted: “We’ll still have access to all the data that we’re going to need for our products. So yes, we’re in good shape.”
However, despite these assurances, Nielsen then blamed the GDPR for poor Q2 financials this year, according to the complaint.
The complaint claimed the firm “significantly missed” its public net income and free cash flow estimates “by a wide margin.”
“Our results are significantly below our expectations as revenues were impacted by GDPR and changes to the consumer data privacy landscape. We have several hundred clients and data partners in this space, and market changes have been disruptive,” Nielsen also said at the time.
The subsequent 25% drop in share price in July damaged shareholders, it is alleged.
Bhattacharya is seeking damages for violation of Section 10(b) and Rule 10b-5 of the Securities Exchange Act as well as certification of a Class Action pursuant to Rule 23 of the Federal Rules of Civil Procedure.
It’s another example of the long reach of the GDPR: firms not only have to get their data protection house in order but to follow the principles of the law, accountability and transparency, or risk the consequences.
Rashmi Knowles, field CTO EMEA at RSA Security, claimed the floodgates are now open for shareholder legal action against firms they feel have let them down over GDPR compliance.
“As such, it’s a final warning to all organizations that securing personal data is no longer just the responsibility of the IT team, but a board level issue that impacts every aspect of a company from profitability to shareholder confidence,” she added.
“Organizations need to effectively manage digital risk by regularly asking a few critical questions. Do you have a clear understanding of what the data is, where it is and what it is used for? Have you taken a risk-based approach to categorizing the data, so that you know where the most high-risk assets reside? This is important as it informs how you go about protecting that data. When it comes to protection itself, you need to check that your data is protected from hackers externally and employees internally, with appropriate security technologies, data encryption and access permissions.”
Celebrating the success of this year’s live hacking event, HackerOne (H1) recently announced that more than $500,000 was paid in bounties during the third annual h1-702 at DEF CON 26 in Las Vegas last month.
More than 75 hackers from over 20 countries hacked five targets (including the United States Marine Corps) over the course of five days. Introduced back in August 2016 by a small group of HackerOne staff members hosting a contest over three days and nights, the live hacking event has blossomed into H1-702 2018, a five-night event that earned hackers half a million dollars combined. Additionally, hackers received a custom swag buffet for each night, which included 15,000 items.
Over the course of the five days, hackers filed 915 vulnerability reports, 66% of which were deemed valid. “Of the 607 valid reports, nearly 200 were marked as high or critical in severity. Customers cumulatively paid out $539,712 in bounties for one of the greatest bounty weeks in HackerOne history,” the organization wrote in today’s blog post.
Different hackers were honored each night with an award, the recipient of which was chosen by customers and HackerOne staff. Each of those top hackers was to be deemed “The Vigilante” of the evening. Four overall awards were handed out on the final evening, bestowing the titles of “The Exalted,” “The Assassin,” “The Exterminator” and “The Most Valuable Hacker,” to the top four hackers.
Hosted at the W Hotel, the event included a hacker village complete with 80-inch TV screens and a wet deck with hacker-equipped cabanas. To ensure hackers had the means to share their experiences on their social media channels, H1 hosted a Facebook page, where users shared an array of images, including the funky chandeliers that bedazzled the wet deck.
As part of this year’s event, HackerOne also welcomed 50 members of the Women in Security and Privacy group on Friday, August 10. One highlight of the evening was the shared insight from Jesse Kinser (@randondeduction), who talked about her experience as a hacker, as well as her take on the best tools and programs to hack on.
A recent survey of global IT and security decision-makers found that companies are exposing themselves to greater risks by excluding IT security teams from discussions on internet of things (IoT) deployment plans.
Trend Micro, in collaboration with Vanson Bourne, conducted online interviews with 1,150 IT and security decision-makers about their roles in the decision-making process for implementing and deploying IoT solutions. Participants represented organizations from Germany, France, Japan, the UK and the US. Responses revealed that 79% of companies include the IT department when choosing industrial IoT solutions, but only 38% consult their security teams.
The research also found that nearly 33% of respondents reported that the person responsible for IoT security is unknown. Yet participating organizations said that they had experienced an average of three attacks on connected devices in the past year.
“It is remarkable how IT security teams are being locked out of IoT projects, when this is clearly exposing organizations to unnecessary cyber risk,” said Kevin Simzer, chief operating officer of Trend Micro, in a press release.
“Our study shows too many organizations across the globe don’t prioritize security as part of their IoT strategy, which leaves them vulnerable. Unless security is addressed as part of the deployment, these devices will remain exposed and vulnerable since, for the most part, they were not designed to be updated or patched.”
While organizations have spent more than $2.5 million on IoT initiatives over the past year, only 56% of new IoT projects include security solution input from the CISO.
The survey also found that 93% of respondents have recognized at least one threat to critical infrastructure that has been the result of an IoT implementation. Risks to complex infrastructure and a lack of adequate security controls are among the most common threats posed by these added connections.
Protecting individual privacy as the internet of things (IoT) continues to expand is increasingly challenging. To help meet those challenges, the US Department of Commerce’s National Institute of Standards and Technology (NIST) has launched a privacy framework project.
The goal of the collaborative privacy framework effort is to help organizations manage the privacy risks inherent in their networks, which are becoming increasingly more complex. The framework will offer enterprises privacy protection strategies that will afford them flexibility while remaining effective solutions to managing risks as technologies continue to evolve.
“We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said under secretary of commerce for standards and technology and NIST director Walter G. Copan in today’s press release. “The development of a privacy framework through an open process of stakeholder engagement is intended to deliver practical tools that allow continued US innovation, together with stronger privacy protections.”
The first public workshop will be held in Austin, Texas, on October 16, 2018, which will run concurrently with the International Association of Privacy Professionals’ Privacy. Security. Risk. 2018 conference.
Underlining the importance of protecting consumer privacy, the Department of Commerce’s National Telecommunications and Information Administration, working in conjunction with the International Trade Administration, is also developing a domestic legal and policy approach to privacy protection. The goal of the coordinated effort between the two agencies is to ensure consistency with international policy objectives.
Cyber-criminals are sending more emails than ever before to defraud organizations, according to a new report, Protecting People, from Proofpoint.
The firm analyzed more than 600 million emails, revealing that the number of email fraud attacks per targeted company rose 25% from the previous quarter, and 85% from the same time last year.
What’s more, in analyzing seven million mobile apps and hundreds of social media accounts, Proofpoint discovered that malicious actors are increasingly finding ways to bypass social media security tools and accurately spoof senior staff members’ identities.
The report revealed that phishing links sent through social media platforms shot up by 30% whilst individual contributors and lower-level management made up around 60% of highly-targeted attack targets.
Workers in operations and production functions represented 23% of highly-targeted attack victims and customer-support fraud increased by 39% compared to the previous quarter, up 400% from the previous year.
Speaking to Infosecurity, Nick Frost, co-founder at Cyber Risk Management Group, said Proofpoint’s findings show that the use of email is becoming the vector of choice for cyber-crime.
“Key to this is engineering emails and spoofing email addresses to a level of sophistication that fails to alert the recipient that there is anything suspicious about the email. Techniques such as web crawling and web scraping are able to collect and collate key information about an individual that can be used in crafting an email, accompanied by a link (as part of a phishing attack) to an unsuspecting user.”
Repeated phishing simulations are therefore key in ensuring staff across organizations are consistently reminded to ‘think’ before clicking on a link or opening an attachment in an email, he added.
“Whilst there are many legitimate web crawlers and many are enabled for business reasons, there may be organizations and individuals that wish for their information not to be collected and shared either for legitimate or adversarial purposes. There are tools that organizations can adopt that prevent or even delay web crawlers.”
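Frost’s point above is that a well-crafted spoof gives the recipient nothing obvious to notice, so the useful checks are the ones a mail gateway or a security team can run on the headers themselves. The following is an added example, not code from Proofpoint or from anyone quoted in this article: it applies three common spoofing indicators to a message (a display name matching known senior staff while the address sits on an outside domain, a Return-Path domain that does not align with the From domain, and a Reply-To that redirects replies elsewhere). The organization domain, the staff names and the two sample messages are all constructed for illustration.

```python
"""Flag common sender-spoofing indicators in raw e-mail headers (added example)."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed organization domain and constructed display names of senior staff.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str) -> List[str]:
    """Return human-readable indicators that the message may impersonate a sender.

    The checks are deliberately simple header comparisons; a real gateway would
    combine them with SPF/DKIM/DMARC verification results.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    findings = []
    # 1. Display-name impersonation: looks like an executive, sent from outside.
    if from_name.strip().lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        findings.append(
            f"display name '{from_name}' matches internal staff but address domain is '{from_dom}'"
        )
    # 2. Envelope/header misalignment: bounces go to a domain other than From.
    if return_path and _domain(return_path) != from_dom:
        findings.append(
            f"Return-Path domain '{_domain(return_path)}' does not align with From domain '{from_dom}'"
        )
    # 3. Reply redirection: answers would leave the apparent sender's domain.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(
            f"Reply-To domain '{_domain(reply_to)}' differs from From domain '{from_dom}'"
        )
    return findings


# Constructed sample messages (headers only matter for the checks above).
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
Subject: Quarterly report

Attached as discussed.
"""

SUSPICIOUS = """From: Jane Doe <jane.doe@example-mail.invalid>
Return-Path: <bounce@bulk-sender.invalid>
Subject: Quarterly report

Please see the attached document.
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, spoof_indicators(sample) or "no indicators")
```

Run against the two constructed samples, the legitimate message produces no findings and the suspicious one produces two (display-name impersonation and Return-Path misalignment). The lookalike domain in the sample is the kind of detail a recipient rarely notices but a header check catches every time, which is why such checks belong in the gateway rather than relying on the simulations the article recommends alone.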