Info Security

Subscribe to Info Security  feed
Updated: 47 min 17 sec ago

Two New Carding Bots Threaten E-Commerce Sites

Mon, 11/11/2019 - 20:02
Two New Carding Bots Threaten E-Commerce Sites

Two new carding bots that pose a threat to e-commerce platforms have been detected at the start of the busiest shopping period of the year. 

The discovery was made by an eagle-eyed PerimeterX research team, which launched an investigation after the number of cyber-attacks against their own checkout pages surged.

One of the new carding bots, named the canary bot, specifically exploits top e-commerce platforms. The other bot, dubbed the shortcut bot, bypasses the e-commerce website entirely and instead exploits the card payment vendor APIs used by a website or mobile app.

Carding is a brute force attack on a retailer’s website using stolen credit cards or gift cards. Threat actors use carding to mass-verify millions of stolen credit cards and generate a list of valid credit cards.

The validated credit cards are then typically sold on the black market for around $45 each and exchanged for untraceable gift cards that enable the cyber-criminal to mask their identity. 

To verify the cards, the attackers usually make a low-cost purchase. Once validated, a card can then be used for big-ticket items, resulting in hefty losses, which are often covered by retailers and payment processors. 

The sophisticated canary bot identified by PerimeterX researchers is eerily good at aping human behavior. 

Describing an attack by the canary bot, researchers wrote: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a website."

As can be expected from its name, the shortcut bot takes a more direct approach, skipping out on adding products to the cart and completing the billing process in an attempt to avoid detection. 

"The shortcut carding bots exploit the card payment vendor APIs used by a website or mobile app and bypass the target e-commerce website completely," wrote researchers. "We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators."

Researchers said that they had seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications. They also witnessed an increase in these new types of attacks across multiple unrelated customers, indicating the quick evolution of these attack tools.

"This dynamic is similar to competing startups that may be running their services on the same cloud vendor, and using the same open-source libraries," wrote researchers. 

PerimeterX advised e-commerce website owners to prevent users from getting to the payment page without items in their cart to stop basic carding attacks. 

Categories: Cyber Risk News

Report Reveals Businesses Aren't Ready for 5G

Mon, 11/11/2019 - 17:17
Report Reveals Businesses Aren't Ready for 5G

A new report looking at 5G cybersecurity readiness has found that many businesses are inadequately prepared for the latest big data acceleration. 

The AT&T Cybersecurity Insights Report: Security at the Speed of 5G, published today, found that enterprises are lagging behind on expanding their virtualization and software-defined networking (SDN) capabilities and are not taking the opportunity to automate security. 

A degree of reticence was also detected when it came to the planned adoption of a shared security model that would enable certain functions to be shifted to carriers.

The report was built using data drawn from a survey of 704 cybersecurity professionals from around the globe, all of whom work for organizations with more than 500 employees. 

Nearly all respondents in the survey expect to make 5G-related security changes within the next five years, and 16% say they have already started preparing before the mainstream wave of 5G deployments arrives. 

Asked about what their preparations were focused on, the larger attack surface topped the list as a worry for 44% of respondents, followed by the greater number of devices accessing the network, which was a concern for 39%. 

Ranking third and fourth, drawing the focus of 36% and 33% of respondents, respectively, were the need to extend security policy to new types of IoT devices and the need to authenticate a larger number and wider variety of devices.

Only 29% of respondents said they plan to implement security virtualization and orchestration during the next five years.

Researchers wrote: "Most of the transitions in networking have been about faster speeds or increased capacity. 5G introduces more complex networking and is being delivered with virtualization in mind. 

"The latter appears to be a crucial gap in the way enterprises are preparing for 5G, as enterprises will need to take advantage of virtualization to make the network nimbler and more responsive, with the ability to provide just-in-time services. Many enterprises are not considering this as a possibility, according to our data."

With 5G, the size of the cyber-attack surface expands, creating more opportunities for bad actors to strike. Despite this, researchers found that enterprises did not appear to have fully considered how to boost their vulnerability management programs (both patching and mitigation) for devices at the edge, which may carry vulnerabilities that go unnoticed and unpatched.

Additionally, only 33% of enterprises surveyed had implemented multi-factor authentication, and 7% said they plan to implement it during the next five years.

A spokesperson for AT&T wrote: "To better realize how large (and vulnerable) the attack surface becomes with 5G, consider that 274 petabytes of data are currently crossing AT&T’s network each day, and with 5G this number is expected to increase by 10x."

Currently, neither 5G service nor 5G phones are available everywhere in the United States, and release dates vary for every carrier. Verizon, Sprint, Starry, AT&T, and T-Mobile are providing some coverage already, mostly in major cities, including New York, Washington, DC, Los Angeles, Houston, Chicago, Phoenix, Atlanta, Boston, Denver, and Dallas–Fort Worth.

Categories: Cyber Risk News

Texas Health Agency Fined $1.6m for Data Breach

Mon, 11/11/2019 - 16:15
Texas Health Agency Fined $1.6m for Data Breach

A fine of $1.6m has been meted out to the Texas Health and Human Services Commission for unintentionally exposing the personal health information of thousands of vulnerable people online.

The Texan commission inadvertently made the names, addresses, Social Security numbers, and treatment information of 6,617 people visible on the internet between 2013 and 2017. 

The breach occurred when an internal application was moved to a public server from a private server. A flaw in the app's software then made the sensitive information visible to the public without any need for access credentials to be entered.

According to federal agency the Office for Civil Rights (OCR), the data exposed in the breach was in the care of the Texas Department of Aging and Disability Services. Before it was reorganized into the Health and Human Services Commission in 2017, the department's role was to provide long-term care to Texans with physical and mental disabilities and to the elderly.  

The OCR said the data breach was a violation of federal health privacy laws.

"No one should have to worry about their private health information being discoverable through a Google search," said Roger Severino, director of the Office for Civil Rights.

An investigation into the breach by the OCR found the audit controls in place at the Health and Human Services Commission to be inadequate. Because of this, the federal agency was unable to come up with an exact number for how many unauthorized people had viewed the private information.

A further determination of the OCR investigation was that the Texas health agency failed to conduct a risk analysis and implement access and audit controls on its information systems as required by the Health Insurance Portability and Accountability Act, commonly known as HIPAA.

In May, the Texas Legislature approved a settlement agreement with the federal government to bring the matter to a conclusion, which included accepting the hefty $1.6m fine.

Kelli Weldon, a press officer for the Texas health agency, said officials take information security and privacy seriously.

"We are continually examining ways to strengthen our processes for the health and safety of Texans," Weldon said.

The substantial fine is the second seven-figure penalty imposed by the OCR this month after the University of Rochester Medical Center was fined $3m on November 5 for failing to encrypt mobile devices.

Categories: Cyber Risk News

Vulnerability Values Fluctuate Between White, Grey and Black Hats

Mon, 11/11/2019 - 11:55
Vulnerability Values Fluctuate Between White, Grey and Black Hats

A black hat selling vulnerabilities can make as much money as a white hat researcher using bug bounty programs, or a grey hat working for a nation state doing reverse engineering. 

Speaking at a Tenable conference in London last week, director of research Oliver Rochford said that to have people do vulnerability research is expensive, and all of the white, black and grey markets are symbiotic, as despite the difference between being legal and illegal, the different factors “mirror each other as it starts with vulnerability discovery.”

Rochford said that this “shows how professional cybercrime has become,” pointing to the fact that the main difference between criminal and legal sides are ethics. In one slide, Rochford pointed out vulnerability discovery, exploit research and development are the same for both offense and defensive sides, while the differences fall at the "operationalization" side, where offensive sides look at espionage, sabotage and fraud, while defense sides look at threat intelligence and compensating control adaptation.

In his research, Rochford showed that in some cases you can earn more as a white hat vulnerability manager than as a black hat, with a black hat able to earn around $75,000 in this sort of work. Rochford said this “is achievable and attractive” and while it was more lucrative to do it legally, if it is not “it is a way to make a living.”

Looking at the value of exploits, Rochford said that you can earn around a million dollars for an Apache or Linux vulnerability on the dark market, while an exploit broker (grey market) will pay around $500,000. WhatsApp vulnerabilities on Android can earn a million dollars on the black and grey markets. The only vulnerabilities where vendor bug bounties can be more profitable are for Safari on iOS, while general iOS bugs can earn a million dollars for a bug bounty, and $2 million on the grey market.

Pointing at Bromium’s “Web of Profit” research, Rochford said that the revenue generated by cybercrime is estimated at $1.5 Trillion, while the total size of the cybersecurity market in 2019 was $136 Billion, according to Gartner.

Rochford also said that attackers have a median seven-day window of opportunity to exploit the vulnerabilities before the defender has even assessed for the vulnerability, and that is why “companies need to harden their attack surface and raise the level of attack.” He said that reducing market supply and increasing production cost also increases the value of exclusive zero days, thus incentivizing investment again.

Speaking at the event, Jose Maria Labernia, head of IT security and internal control at the European IT Services of Lafarge Holcim said that he did believe that zero-day exploits “are important as they can compromise a system.”

He said that not many companies have the capability to patch a zero-day as the speed and level of patching required “is not a matter of a zero-day, but the number of vulnerabilities to patch.” Asked by Infosecurity if a company would patch by the severity rating, he said that it was previously just about patching Microsoft and Unix, and then Flash came along, and now “there are so many components and web apps and it is really difficult to cope with the large exposure that organizations face.”

Labernia said that agile methodologies can be applied, and part of the process is regardless of whether a technology is “legacy or not, some cannot be patched,” So an option is to come up with full isolation and control every ingress and egress of traffic, “but this is a challenge for security teams and organizations push us as we grow in transformation.”

Categories: Cyber Risk News

Surveillance Fears as Russia Proposes New App Law

Mon, 11/11/2019 - 11:30
Surveillance Fears as Russia Proposes New App Law

The Russian parliament is pushing through proposed legislation that would force PCs and mobile devices to be sold with pre-installed domestic applications, raising security concerns.

The bill is being touted by lawmakers as protecting the local technology market from foreign, presumably US, competition.

“The initiative provides domestic companies with legal mechanisms to promote their programs for Russian users,” the Duma said.

However, there could potentially be more sinister implications.

If the mandated pre-installed apps come loaded with backdoors and/or other secret functionality, they could provide security services with an opportunity to spy on the populace, for example. The government ultimately decides which apps must be installed on users’ devices.

The law may also support the Putin regime’s push for internet sovereignty.

The country has been moving towards a China model for some time, and recently passed legislation which would allow the government to filter traffic from outside Russia, potentially even cutting access to foreign servers during times of geopolitical crisis.

“Now the government can directly censor content or even turn Russia’s internet into a closed system without telling the public what they are doing or why,” said Rachel Denber, deputy Europe and Central Asia director at Human Rights Watch. “This jeopardizes the right of people in Russia to free speech and freedom of information online.”

The proposed new law relating to domestic apps could apply to virtually all computing devices capable of running applications, including smartphones, desktop PCs, tablets, laptops and even smart TVs.

It has the backing of all major political parties, meaning that it should become law next year.

Although companies that don’t comply face a fine, it currently stands at just 200,000 rubles ($3100). That said, if they repeatedly refuse the comply with the legislation, they could be banned outright from providing devices.

Some reports have suggested Apple could leave the country if forced to expose its customers to such security and privacy risks.

Categories: Cyber Risk News

Hoster SmarterASP.NET Taken Down by Ransomware

Mon, 11/11/2019 - 10:35
Hoster SmarterASP.NET Taken Down by Ransomware

A major US hosting provider has been hit by a serious ransomware attack, impacting hundreds of thousands of customers.

SmarterASP.NET claims to operate three ‘world-class’ data centers “delivering the reliability and flexibility necessary to support your mission-critical internet operations.”

However, the websites of its 440,000+ customers, as well as its own, went offline yesterday following the attack.

“Your hosting account was under attack and hackers have encrypted all your data. We are now working with security experts to try to decrypt your data and also to make sure this would never happen again,” SmarterASP.NET said in a notice dated today

“Please stay tune[d] for more info. Please know that we are getting thousands of messages in our email and we don't have enough staffs to reply them all. So please don’t email us. We will continue to put out notices on our Facebook page. Please check back soon.”

The firm tweeted earlier this morning UK time to say that it would be focusing first on restoring database servers.

“Once that's recovered, most of your sites will be up and running already. You will also be able to make DB backup right away on our control panel,” it said. “We are optimistic that everything will be back to normal no longer than 12-24 hours. We will not go home until everyone is taken care of.”

It’s unclear whether the firm has been able to decrypt the locked files, either by paying up or via a third-party key, or is restoring from backups.

As of 09:45 GMT the firm claimed to have recovered 40% of affected accounts.

SmarterASP.NET is by no means the first hosting firm to be struck by ransomware. California-based Data Resolution was forced to shut its network following an attack on Christmas Day last year, while A2 Hosting lost weeks of business from an outage in spring.

Categories: Cyber Risk News

Facebook Won’t Ban Political Ads, Despite Controversy

Mon, 11/11/2019 - 10:00
Facebook Won’t Ban Political Ads, Despite Controversy

Facebook will not remove political advertising from its platform ahead of the UK’s upcoming General Election, despite complaints that the ruling Conservative Party is already trying to influence users with misleading information.

The social network has been under pressure to ban such advertising completely, after Twitter announced plans to do so earlier this month and the Mozilla Foundation and several rights groups signed an open letter urging it and Google to follow suit.

The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have all called for urgent legislation to regulate political advertising.

However, in an update late last week, Facebook argued that it was not in the business of censoring politicians. Although such ads will be pulled if they incite violence, share previously debunked content or spread misinformation about where, when and how to vote, they won’t be fact-checked like other content, explained head of UK public policy, Rebecca Stimson.

Instead, Facebook is making such ads more transparent, so that recipients can see who has paid for them and find out why they are seeing them.

It is also putting significant resources into tackling foreign interference by removing fake accounts, and has set up an Elections Task Force which will focus on threat intelligence, data science, engineering, operations, legal and other areas ahead of key votes, she said.

The news comes after complaints on both sides of the Atlantic that politicians are already spreading lies via political ads.

The Conservative Party was called out for doctoring a video clip of shadow Brexit secretary, Keir Starmer, in which he appeared lost for words when asked about his party’s policy. In the US, Joe Biden’s campaign was rebuffed when it requested Facebook to remove a misleading Trump ad.

Facebook claimed that its approach “is in line with the way political speech and campaigns have been treated in the UK for decades” — i.e. not regulated. However, there is arguably a difference with online advertising in that it might be micro-targeted at a small number of swing voters, thereby covertly peddling disinformation which turns elections.

That’s the argument author Jamie Bartlett made at Infosecurity Europe earlier this year when he warned that such strategies could undermine the validity of election results in many voters' eyes.

Catherine Stihler, CEO of the Open Knowledge Foundation, welcomed Facebook’s attempts to promote greater transparency on its platform.

“However, it remains the case that Facebook is still accepting money for political ads which can contain disinformation, which is why we have called for a moratorium on political ads for the duration of the campaign,” she added,

“Ultimately, the solution to this does not involve self-regulation. The only way to build a fair, free and open digital future in the UK is to update our analogue electoral laws for the digital age.”

Categories: Cyber Risk News

US Company Accused of Selling Flawed Chinese Tech as "Made in USA" to US Military

Fri, 11/08/2019 - 19:06
US Company Accused of Selling Flawed Chinese Tech as "Made in USA" to US Military

A Long Island company has been accused of selling Chinese-made security and surveillance equipment with known cybersecurity vulnerabilities as "made in USA" to the United States military. 

It is alleged that since 2006, Aventura Technologies Inc., has been falsely claiming products made in the People's Republic of China (PRC) were manufactured at its headquarters in Commack, New York. 

The security and surveillance equipment company and its senior management team have been charged with fraud, money laundering, and illegal importation of equipment manufactured in the PRC by the US Attorney for the Eastern District of New York. 

Aventura has generated over $88 million in sales revenue since November 2010, $20 million of which came from federal government contracts. 

A statement released by the Department of Justice said: "Aventura imported networked security products from PRC manufacturers with known cybersecurity vulnerabilities, and resold them to US military and other government installations while claiming that they were American-made.  

"Aventura similarly deceived private customers in the United States and abroad who paid a premium for what they believed to be American-made goods. As a result, Aventura not only defrauded its customers, but also exposed them to serious, known cybersecurity risks, and created a channel by which hostile foreign governments could have accessed some of the government’s most sensitive facilities." 

Products that Aventura imported from the PRC and then allegedly sold as made in the United States include 25 body cameras sold to the US Air Force in 2018, a $13,500 laser-enhanced night-vision camera purchased by the US Navy in 2019, and $156,000 worth of networked automated turnstiles bought by the Department of Energy in 2019. 

In some cases, cameras shipped from the PRC were pre-marked with Aventura’s logo and the phrase “Made in USA,” accompanied by an American flag. 

Aventura itself, and seven current and former employees of the company, have been charged with selling Chinese-made equipment with known cybersecurity vulnerabilities to government and private customers while falsely representing that the equipment was made in the United States and concealing that the products were manufactured in the PRC.

The individual defendants charged in the complaint are the company's managing director and de facto owner and operator, Jack Cabasso, and his wife, Frances Cabasso, the company's CEO and purported owner; senior executives Jonathan Lasker, Christine Lavonne Lazarus, and Eduard Matulik; current employee Wayne Marino; and 70-year-old recently retired former employee Alan Schwartz. 

Four defendants are also charged with defrauding the US government by falsely claiming that Aventura Technologies was owned and operated not by Jack Cabasso, 61, but by his 59-year-old wife, Frances. This lie was allegedly perpetrated so that the company could win valuable government contracts that were strictly reserved for businesses owned by women.  

The Cabassos, who live in a gated community in Northport, New York, have been charged with money laundering, and their 70-foot luxury yacht Tranquilo has been seized by the government. Twelve financial accounts containing around $3M of allegedly ill-gotten gains have been frozen.

Categories: Cyber Risk News

Accenture Opens Cyber Ranges

Fri, 11/08/2019 - 17:06
Accenture Opens Cyber Ranges

Accenture has opened a trio of practice ranges in which companies can have a crack at responding to cyber-attacks. 

The new "cyber ranges" are specifically aimed at assisting industrial companies in the oil and gas, chemicals, utilities, and manufacturing industries to improve their cybersecurity. 

Each site is a controlled, interactive, and hyper-realistic environment for cybersecurity training and software development used to assess network and other technical vulnerabilities of industrial control systems (ICS). 

Such systems are commonly used to automate processes in critical infrastructure industries, such as utilities, petrochemicals, oil and gas, and industrial manufacturing.

One of the ranges, sited inside Accenture's Industry X.0 Innovation Center in Essen, Germany, is dedicated to the utilities and chemicals industries, with a particular focus on electric distribution networks and chemical plants.

The other two ranges have been established on American soil. The first, located in Accenture’s Cyber Fusion Center in Washington, DC, is aimed specifically at helping companies in the utilities industry learn how to protect themselves from threat actors. 

The second US cybersecurity testing facility has been opened up inside one of Accenture's innovation hubs in Houston, Texas. Named the Industrial Control Systems (ICS) Cyber Range, this site is intended to support leading oil and gas companies in their cybersecurity efforts. 

Early next year, Accenture will open its first ICS Cyber Fusion Center, also in Houston, Texas. The center, which is currently under construction, is being created with the intention to help the company's clients protect their industrial networks and plants assets better.

Other Accenture Cyber Fusion Centers are already up and running in India, Prague, Tokyo, and Israel.

"The energy industry has the largest installed base of industrial control systems around the world, and the cyber risk has never been greater," said Luis Luque, ICS cybersecurity global lead at Accenture Security. 

"Securing and defending these large and complex industrial systems requires not only improving processes and tools, but also adopting cybersecurity practices for operational maintenance and resilience programs. With the expansion of our ICS cybersecurity capabilities, we can deliver the most comprehensive security solutions tailored across the ICS environment, delivered by people who understand the zero-loss time imperative our industry expects."

Categories: Cyber Risk News

Florida Police Want Access to Controversial Facial Recognition Network

Fri, 11/08/2019 - 16:19
Florida Police Want Access to Controversial Facial Recognition Network

Florida's largest police department is seeking to gain permanent access to a facial recognition network maintained by the Pinellas County Sheriff's Office.

The Face Analysis Comparison and Examination System (FACES), set up in 2001 with federal grant money, is the largest collaborative open-model facial recognition system in the United States.

The system uses a MorphoTrust algorithm to search a repository of over 33 million images captured from police mugshots and every driver's license in Florida. Users need only upload a photo and run a search of the network to be presented with a lineup of visually similar matches. 

FACES is currently accessed by 243 partner agencies, including the Federal Bureau of Investigation, Customs and Border Protection, and the IRS. Now, Florida's Miami-Dade Police Department (MDPD) wants permanent access to the network. 

In return for receiving access to FACES, the MDPD will hand over its existing cache of mugshot images to the sheriff's office for integration into the facial recognition system.

resolution to approve a Memorandum of Understanding between the Pinellas County Sheriff's Office and the Miami-Dade County PD that would grant the MPDP access to FACES is due to go before the Board of County Commissioners on November 13.  

In a memo dated forward to December 3, 2019, Mayor Carlos Gimenez has written to the Board of County Commissioners in support of the resolution.

He wrote: "The FACES software is beneficial to detectives within the MDPD as it can be used to compile facial recognition data on their subject and help identify possible matches. Additionally, the use of the FACES technology by MDPD's forensic artist is instrumental in creating composites and conducting facial recognition searches on assigned cases."

FACES has been criticized for the lack of regulation around its use. No audit system is in place to monitor the approximately 8,000 searches that are carried out on the system every month, and users aren't required to have reasonable suspicion or log the reason why they are running a search before using the network. 

According to the Tampa Bay Times, a 2016 study by the Center on Privacy and Technology at Georgetown Law warned that FACES was "subject to little oversight and lacks transparency."

The sheriff's office has issued guidelines to its deputies to only use FACES for official investigations; however, no checks are in place to ensure proper use of the network, and the guidelines do not apply to the 243 partner agencies that regularly access the system.

Categories: Cyber Risk News

Over 230 UK Police Disciplined for Computer Misuse

Fri, 11/08/2019 - 11:30
Over 230 UK Police Disciplined for Computer Misuse

Hundreds of UK police officers have been disciplined over the past two financial years for misusing computer systems, a new Freedom of Information (FOI) request has revealed.

Think tank Parliament Street received data from 23 forces across England and Wales as part of the FOI-based research.

In total, 237 officers and staff members were disciplined, with six resigning during investigations and 11 sacked.

In Gwent, three officers were fired for searching the police database for a named person, disclosing confidential information and unlawfully accessing information. In Wiltshire, three officers lost their jobs for misusing the police database.  

Surrey police has the dubious honor of being the force with the highest number of incidents, recording 50 individual cases. Next came the Metropolitan Police with 18. Here, one staffer was sacked for misusing the Crime Reporting Information System (CRIS) and four were disciplined for misusing social media.

In Cumbria, 16 incidents occurred over the two years after individuals accessed police systems without a policing purpose.

“Instilling the highest standards of IT best practice in serving officers and operational staff is critical for maintaining the integrity of our police forces. All too often these incidents arise due to a lack of training or understanding about the need for correctly handling sensitive information,” argued Sheila Flavell, COO of FDM Group.

“With cybercrime on the rise, it’s vital that those tasked with keeping us safe are proficient with technology and acutely aware of the importance of data protection rules.”

The study calls to mind a Huntsman Security report from 2017 which revealed that UK police investigated nearly 800 cases of misuse of data by staff over the previous 12 months.

In addition, a Big Brother Watch report from 2016 revealed 2315 recorded incidents of data breaches between June 2011 and December 2015. Over 800 staff and officers accessed personal info without a policing purpose and over 800 shared information “inappropriately” with third parties during the period.

Categories: Cyber Risk News

UK Government Spends £2M on Anti-Drone Projects

Fri, 11/08/2019 - 10:37
UK Government Spends £2M on Anti-Drone Projects

The UK government is set to spend £1.8m developing anti-drone capabilities, as threats from the skies increase.

The Ministry of Defence’s Defence and Security Accelerator (DASA) this week announced funding for 18 projects, which will each receive around £100,000. Successful organizations included University College London, Thales UK, QinetiQ, Northumbria University and BAE Systems Applied Intelligence.

Projects include developing methods to detect 4G and 5G-controlled drones, AI sensors to automatically identify aerial vehicles and low-risk ways of stopping drones through electronic interception.

The first, proof-of-concept, phase will run until summer 2020 and will be followed by a second phase focused on maturing these projects into integrated solutions.

“The introduction of Unmanned Air Systems (UAS), often referred to as drones, has been one of the most significant technological advances of recent years and represents a shift in capability of potential adversaries,” explained competition technical lead, David Lugton.

“The threat from UAS has evolved rapidly and we are seeing the use of hostile improvised UAS threats in overseas theatres of operation. There is a similar problem in the UK with the malicious or accidental use of drones becoming a security challenge at events, affecting critical infrastructure and public establishments; including prisons and major UK airports.”

Drones famously forced hundreds of flights to be cancelled at London’s Gatwick Airport last Christmas, with tens of thousands of passengers stranded. In fact, the number of near-misses involving UAS in the UK soared by over a third from 2017 to 2018.

However, drones could also represent a growing threat not just to physical safety but also network security.

Just this week, defense contractor Booz Allen Hamilton warned that 2020 could see hackers use UAS as rogue access points — landing them in concealed places on corporate property while they harvest credentials, perform man-in-the-middle attacks against employees and carry out network reconnaissance.

Categories: Cyber Risk News

New Study: Hospital Breaches Could Be Killing Patients

Fri, 11/08/2019 - 09:51
New Study: Hospital Breaches Could Be Killing Patients

Data breaches at hospitals appear to be having a serious impact on patient care, increasing mortality rates for years after an incident, according to new research.

Researchers at Vanderbilt University and the University of Central Florida analyzed breach data for 3000 hospitals from 2012-2016 in an attempt to estimate the relationship between breach remediation efforts and care quality. Department of Health and Human Services (HHS) breach data and Medicare Compare's public data on hospital care measures provided the data sources.

What they found was shocking: an increase in 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks per year. Mortality rates apparently continued to rise for about three years after a breach before tapering off.

Breaches also had a worrying impact on the time it took staff to hook up a patient in the emergency room to an electrocardiogram (EKG). Time-to-EKG rose by 2.7 minutes following a breach.

Although the research wasn’t able to determine what changes led to these delays and outcomes, it pointed the finger at the post-breach delay while an incident is investigated and security updates are applied.

“This long time-frame tells us that in breached hospitals, it’s the remediation efforts — not the breach itself, but the post-breach remediation efforts — that are impacting these time-sensitive processes and patient outcome measures,” said report co-author, Eric Johnson.

“Security solutions designed to prevent future breaches may require usability assessment or include some sort of ‘break glass in case of emergency’ functionalities to ensure providers can quickly get the information they need when they need it most.”

There is no information in the report on ransomware, as it was relatively rare prior to 2016 and thus not covered.

However, the authors warned: “Our findings suggest that ransomware attacks might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”

The UK’s NHS famously suffered major outages as a result of the WannaCry ransomware worm in 2017. Estimates suggest 19,000 operations and appointments were cancelled, and some cases critical patients had to be diverted to other hospitals.

Categories: Cyber Risk News

Amazon Doorbell Camera Lets Hackers Access Household Network

Thu, 11/07/2019 - 17:15
Amazon Doorbell Camera Lets Hackers Access Household Network

A vulnerability detected in Amazon doorbell cameras made it possible for hackers to gain access to the owner's household computer network.

The weakness in the Ring Video Doorbell Pro IoT device was discovered by researchers at Bitdefender in June of this year. Researchers found that the credentials of the local wireless network were being sent through an unsecured channel using plain HTTP during the doorbell's setup process. 

By exploiting the flaw, an attacker physically near the device could get hold of the doorbell owner's Wi-Fi password and use it to interact with all the devices in the owner's household network. 

With the ability to communicate with devices such as security cameras and NAS storage devices, an attacker could access and steal private photos, videos, emails, and documents. It would also make it possible for an attacker to mount man-in-the-middle attacks. 

According to Bitdefender chief security researcher Alexandru “Jay” Balan, the vulnerability could even have allowed a particularly determined hacker to gain physical access to a property. 

Balan told Infosecurity Magazine: "With access to a user's Wi-Fi password and, implicitly, access to the user's home network, there's a lot that can be done since devices are less secure on the inside.

"It's possible that someone could hack a local system that can output sounds (like a computer or a sound system) and make it say 'Alexa, open the front door'; however, this is admittedly a stretch." 

The video doorbell is an immensely popular home security device, with almost 17,000 reviews and more than 1,000 answered questions on the website.

Bitdefender disclosed the vulnerability to Amazon on June 24. Amazon began implementing a fix on September 5, and as of now, all Ring Doorbell Pro cameras have received a security update that fixes the issue.  

This isn't the first time Bitdefender has found flaws in a security device. 

"We uncovered vulnerabilities in Guardzilla indoor security cameras last year that showed significantly bigger issues," said Balan. 

"There's no escaping someone finding security flaws in your products, no matter who you are."

Worryingly, more than half of vendors alerted to vulnerabilities in their products take no action to resolve them. 

"We actually appreciate Ring's response. They deployed the patch quickly," said Balan.

"In more than 60% of the notifications we have sent to vendors we have received no response whatsoever."

Categories: Cyber Risk News

Trend Micro Employee Sells Customer Data

Thu, 11/07/2019 - 16:10
Trend Micro Employee Sells Customer Data

An employee of trusted cybersecurity firm Trend Micro has been fired after illegally accessing and selling customer data to a malicious third party. 

An estimated 68,000 English-speaking customers were affected by the insider threat incident, which was disclosed by Trend Micro on Tuesday. 

Trend Micro's suspicions were first aroused in early August 2019, when customers running the company's home security solution began reporting that they had received calls from scammers purporting to be Trend Micro support personnel. 

In a statement shared on the company website, a Trend Micro spokesperson wrote: "The information that the criminals reportedly possessed in these scam calls led us to suspect a coordinated attack."

An investigation was "immediately launched" by Trend Micro, but it wasn't until October 2019 that the company was able to say for sure that the scam phone calls had stemmed from an insider threat.

Information that ended up in the hands of the criminal scammers included names, email addresses, and telephone numbers. 

The identity of the malicious third party who bought the information from the rogue Trend Micro employee, and how much they paid for the stolen data, is currently unknown.  

A Trend Micro spokesperson wrote: "A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers.  

"There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed."

Upon discovering the wounding betrayal by one of their own, Trend Micro immediately disabled the unauthorized account access and fired the insider threat culprit. The incident is currently under investigation by law enforcement. 

In a statement released on their website, Trend Micro reminded their customers that the company never makes unsolicited phone calls to consumers. 

A company spokesperson wrote: "If a support call is to be made, it will be scheduled in advance. If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support."

Categories: Cyber Risk News

PayPal Tops List of Most Imitated Brands

Thu, 11/07/2019 - 16:06
PayPal Tops List of Most Imitated Brands

PayPal has knocked Microsoft off the top spot to become the brand most imitated in phishing attacks.

The payment facilitator was accorded this dubious honor today with the publication of Vade Secure's Phishers' Favorites report for Q3 2019.

Researchers analyzed data from more than 600 million protected mailboxes worldwide to determine which organizations email scammers deign to pose as most frequently. The resulting report lists the 25 most aped organizations.

Pole position was tenaciously held by Microsoft for five consecutive quarters before PayPal bumped the famous software vendor down to second place in the third quarter of 2019. 

"You can no longer identify phishing based on poor design, typos, or bad grammar; they’re well designed and well written," Adrien Gendre, Vade Secure’s chief solutions architect, told Infosecurity Magazine. 

"When I speak at conferences, I like to show a slide with two Office 365 login pages: one is real and the other is phishing. Most of the time, the audience picks the wrong one. And the reason is because phishers often pull JavaScript, CSS, and other resources directly from the legitimate Microsoft website." 

Cozying up into third position is streaming giant Netflix, which has been impersonated more and more with each passing quarter over the past year and a half. Gendre speculated that the increase in the number of attacks is tied to the company's content release schedule. 

"Cybercriminals certainly have their finger on the pulse of current events and social trends, and they create and time their attacks accordingly," said Gendre. 

"Leading up to the launch of a new iPhone, we typically see a spike in Apple phishing. And it’s probably not a coincidence that Netflix phishing grew in Q3, when Stranger Things Season 3, the most watched Netflix show this year, was released."  

The most impersonated industry in this year's third quarter was finance, with ten different financial services brands making it into the top 25 list of phishers' favorites. On its own, finance accounted for a whopping 37.9% of all URLs. 

Phishers mailed out 79.1% of their email scams on weekdays, with Mondays and Wednesdays proving to be the most popular days on which to cast a virtual line. 

Asked if scammers are ditching big-dream bait like wealth and romance in favor of more banal hooks, Gendre said: "We still see a fair share of wealth and romance scams. For phishing, though, the hook is less about romance and more about creating fear, uncertainty and doubt (FUD), combined with a sense of urgency. 

"For example, 'your Netflix account has been suspended because your payment wasn’t processed.' The combination of fear and urgency is intended to drive targets to click without thinking or scrutinizing the email."

Categories: Cyber Risk News

SecureData CTO Names Three Pillars of Active Defense

Thu, 11/07/2019 - 14:40
SecureData CTO Names Three Pillars of Active Defense

Speaking at a SecureData event in London, CTO Etienne Greeff identified the three pillars of active defense.

He listed these as: observe the landscape, understand where your vulnerabilities are and detect attacks and where you can be compromised. However, he warned that there is “no point in doing them if you are not doing them consistently.”

On the subject of addressing security issues, Greeff said that “keeping machines up-to-date is difficult,” as is dealing with vulnerabilities, and attacks “make it extremely hard to be good guys fighting bad guys.”

He said that to deal with the challenges, as defenders, “we need to understand the threat landscape and what attackers are targeting,” as well as understand offensive actions, vulnerabilities, our attack surface and what is out there. 

The attack surface is where the “most gain is made” Greeff stated, pointing out that unlike the threat landscape, the attack surface is under your control and offers a bigger opportunity to focus your security spending.

Greeff said that there is too much focus on “things that are trivial” as often threat intelligence is “not as useful as you think” – too often, small a proportion of intelligence is malicious. “We focus too much on the enemy and not on ourselves, and we need to understand the network and learn from it.”

Looking at how to have a better defense, Greeff said that this is achieved by working in a “meticulous and consistent way” by collecting data and correlating it to make sense of it. Then using it so you know what it contains and what you need to act upon, and “then analyze the data to know what to do, and measure it.”

He concluded by saying that “all of you will have a security issue” at some point, and knowing how to deal with an attack and learn from an assault will aid you. He said: “We face overwhelming odds and security is not an easy task and we complicate it with interconnected systems and face a sophisticated adversary – but focus on knowing yourself, your attack surface and behaviors and vulnerabilities.” 

Categories: Cyber Risk News

Magento 1 End-of-Life Offers Opportunities for Hackers

Thu, 11/07/2019 - 13:44
Magento 1 End-of-Life Offers Opportunities for Hackers

A popular Content Management System (CMS) software version is soon set to be retired, potentially exposing hundreds of thousands of companies to the risk of digital skimming attacks.

Launched in 2007, Magento 1 currently powers around 12% of global e-commerce stores, or 250,000 active sites, according to security firm Sucuri.

However, with end of support set to land in June 2020, there will be new opportunities for attackers to compromise these websites to access sensitive customer data.

All eyes will be on the groups using the infamous Magecart skimming code to harvest card details as they are entered into e-commerce website payment pages.

“It’s no secret that a CMS without support will develop vulnerabilities. Eventually, these lead to a compromised website — which cripples any e-commerce business,” explained Sucuri’s Art Martori.

“When you consider the popularity of the Magento e-commerce platform, it’s easy to see how their announcement of the Magento 1 end of life could leave a significant portion of e-commerce retailers scrambling for new solutions.”

By exploiting Magento 1 vulnerabilities that emerge but are no longer patched after June 2020, these hackers could therefore theoretically implant the malicious JavaScript on even more sites next year.

They have already compromised an estimated hundreds of thousands of sites and millions of users, possibly many more.

Hackers have even sought to exploit misconfigured Amazon Web Services (AWS) S3 buckets to implant the code onto more sites.

Sucuri recommended web application firewalls (WAFs) as a useful way to protect end-of-life platforms like Magento 1 while potentially easing the pain of migration.

Categories: Cyber Risk News

US: Saudi Government Recruited Twitter Staff to Spy

Thu, 11/07/2019 - 11:00
US: Saudi Government Recruited Twitter Staff to Spy

The Saudi Arabian government recruited two former Twitter employees to spy on prominent critics of the regime, a new US complaint has alleged.

Prosecutors claimed in the newly released court documents that US citizen Ahmad Abouammo and Saudi Ali Alzabarah accessed personal information in over 6000 Twitter accounts back in 2015.

These included government critic and noted journalist, Omar Abdulaziz, who has over one million followers and was close to Washington Post columnist Jamal Khashoggi — who was murdered in the Saudi consulate in Istanbul last year, despite being a US citizen.

Although the duo’s jobs did not require access to user information, they were able to look up email addresses and even associated IP addresses, giving the Saudi government information on where the users were geographically located.

Abouammo was a media partnership manager for Twitter’s Middle East region, while Alzabarah was a site reliability engineer. Their intermediary is said to have been a Saudi named Ahmed Almutairi, who worked as a social media adviser to the royal family.

Reports suggest that the Saudi Crown Prince Mohammed bin Salman, implicated in the Khashoggi murder, is linked to the plot.

The complaint also alleged that the two defendants were paid handsomely for their efforts, in designer watches and tens of thousands of dollars placed into secret bank accounts.

After Alzabarah allegedly admitted to his boss that he had been spying on Twitter users, he was escorted out of the office. However, he is said to have flown to Saudi Arabia the next day with his family and not returned.

Twitter released a statement thanking the FBI and Department of Justice for their support with the investigation, and claiming that it limits access to sensitive account info “to a limited group of trained and vetted employees.”

“We recognize the lengths bad actors will go to to try and undermine our service,” it noted. “We understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable.”

Categories: Cyber Risk News

Cybersecurity Skills Shortage Tops Four Million

Thu, 11/07/2019 - 10:31
Cybersecurity Skills Shortage Tops Four Million

Global IT security skills shortages have now surpassed four million, according to (ISC)2.

The certifications organization compiled its latest Cybersecurity Workforce Study from interviews with over 3200 security professionals around the world.

The number of unfilled positions now stands at 4.07 million professionals, up from 2.93 million this time last year. This includes 561,000 in North America and a staggering 2.6 million shortfall in APAC.

The shortage of skilled workers in the industry in Europe has soared by more than 100% over the same period, from 142,000 to 291,000.

The report estimated the current global workforce at 2.93 million, including 289,000 in the UK and 805,000 in the US.

Nearly two-thirds (65%) of responding organizations reported a shortage of cybersecurity staff, with a lack of skilled or experienced security personnel their number one workplace concern (36%).

(ISC)2 claimed the global security workforce needs to increase by a staggering 145% to cope with a surge in hiring demand. In Europe, this has come particularly in smaller companies with one-99 employees, as well as those with over 500 employees.

Unsurprisingly, over half (51%) of cybersecurity professionals said their organization is at moderate or extreme risk due to staff shortages.

The report pointed to four key strategies to help organizations tackle such shortages. These include in-house training and development and setting applicant qualification requirements at the right level to ensure as wide a net as possible is cast.

(ISC)2 also stressed the need to attract new workers from other professions, or recent graduates with tangential degrees, as well as seasoned professionals from consulting and contracting sectors. Finally, organizations should look to strengthen from within by cross-training existing IT professionals where appropriate.

Categories: Cyber Risk News