In addition to combing through thousands of intelligence reports from commercial clients, researchers also sought feedback from analysts. Attempting to identify the top challenges organizations are likely to face this year, the report found that the top threat to organizations is that they may find themselves caught in the cross hairs of information warfare.
“This activity encompasses a wide range of tactics, from orchestrating targeted breaches followed by data leaks to employing troll armies to push disinformation. So far, states have mainly used these capabilities for political and military purposes, like nudging voters and enflaming cultural conflict,” the report said.
“Booz Allen believes in 2019, states will increasingly use their growing information-warfare methods applied to economic conflict and will likely aim to generate investor, regulatory, consumer, or political backlash against targeted sectors and companies by fabricating or inflaming public relations and legal controversies.”
Certainly social media has created a pathway for companies to get caught in a misinformation web. “Increasingly, nation-states and other entities use the power of social media to support information warfare campaigns,” said Pravin Kothari, CEO, CipherCloud.
“Social media can be deployed as a cannon of misinformation to damage corporate reputations, attack government institutions and their policies, attack individual politicians and organizations, and in general obfuscate the truth and confuse the public.”
Though the additional key threats are legitimate concerns to both governments and businesses, some threats – especially the lack of security in many IoT devices and connected cars – do apply to consumers, according to Byron Rashed, vice president of marketing at Centripetal Networks.
"Combating these threats is difficult, especially cyber-threats from nation-states that have no budgetary limits. Keeping IT assets (security and infrastructure) up to date with the latest versions of software and patches will help to curb some threats that may find their way into the network,” Rashed said.
Graphic novel fans, particularly those Kindle readers who adore the popular John Wick series, may have unknowingly downloaded fake ebooks promising them the opportunity to stream the third film installment prior to its release in May, according to Malwarebytes.
The empty promise could do more than disappoint fans, though. According to researchers, the ebooks, which varied in price, actually sent the reader down a rabbit hole of malicious links to illicit sites claiming to offer streaming services.
It’s not unheard of for scammers to target the Kindle store, but historically the goal has been to steal authors’ content. This new tactic of packaging fake movie links in ebooks poses a different kind of threat.
“Roughly 40 or more individual items were uploaded from around January 25 to February 2, each one from a different 'author.' At first glance, you might think you’re looking at movies, thanks to the play button icon on each image preview. The fact that each entry is called something along the lines of “John Wick 3: free movie HD” probably helps, too,” wrote Malwarebytes lead malware intelligence analyst Chris Boyd.
Infosecurity contacted Amazon, which reportedly addressed the issue internally, though battling fake ebooks is nothing new for the online megastore. In his February 4 blog post, Boyd said, “It’s tricky to flag dubious content on the Kindle store, as you have to report each title individually and give reasons. We contacted Amazon customer support and have been informed these e-books have been escalated to the appropriate teams.”
As of today, search results appear to have been removed, but Boyd said, “We've also since found references to a similar eBook claiming to be a 'Spider-Man far from home' HD movie, which has also been removed. It's quite possible the scammers behind this may start taking aim at other big name film titles. Kindle owners should always check out a preview whenever possible, and not waste their money on anything proving nothing but a link to a streaming website."
The overall number of breaches fell in 2018, but the number of compromised records skyrocketed, resulting in a 126% increase, according to the 2018 End-of-Year Data Breach Report.
The Identity Theft Resource Center tracked the data breach events of 2018 and published a 180-page report in which it found that the total number of records compromised last year was 446,515,334, up from 197,612,748 in 2017.
The study also found that “vulnerabilities in software platforms and human error and susceptibility to increasingly sophisticated phishing scams are exploited by individuals trying to steal information. As consumers, we need to protect our information when companies that house our data are the target of breaches.”
According to the report, the majority of 2018's 1,244 data breaches were the result of hacking, with the business sector suffering the largest number of breaches (571) and the healthcare sector not far behind (363).
“Attackers will use one of many techniques, such as account manipulation, bash history, brute force, credential dumping, registry-based credentials, forced authentication, hooking, input capture, kerberoasting, and keychain attacks and many more,” said Anthony James, chief strategy officer, CipherCloud.
Three major breaches exposed more than 100 million records. The Facebook data breach resulted in hackers gaining access to the tokens for 50 million accounts, while Google’s two data breaches impacted 53 million users.
“A security bug allowed third-party developers to access public user profile data since 2015. If a user gave permission to an app to access their public profile data, the bug also let developers pull non-public profile fields for the user and user’s friends including: full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status,” the report said.
In addition to user error, third-party vendors have significantly multiplied the risks that both consumers and businesses face, according to Colin Bastable, CEO of cybersecurity test and training company, Lucy Security.
"The fewer moving parts we have between us and our data, the safer we are. By making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk."
In advance of today's Safe Internet Day, Google surveyed a pool of 3,000 consumers to understand people’s beliefs and current behaviors around online security. According to the new Harris Poll data, two in three people recycle the same password across multiple accounts.
Of all the participants, who were aged 16 and older, 51% admitted that they use one particular "favorite" password for the majority of their accounts. In addition, a third of respondents (31%) said they either don’t know whether they are using two-factor authentication (2FA) or intentionally choose not to use it.
Still, a whopping 69% of respondents gave themselves an A or B grade for their ability to protect their online accounts. Indeed, 59% said they are better than the average person at keeping their accounts safe from cyber-threats.
While 79% of participants understand that updating security software is a key part of staying safe online, only 67% said they regularly update (or know if they update) their applications.
When asked to define phishing, password manager and two-step verification, only 32% of respondents correctly defined all three terms.
Only 24% of survey respondents said they use a password manager, with those who are older than 50 being less likely to use a password management tool, though the 50-plus group is more likely to use a different password for each account. Those respondents ages 16-24, however, are more likely to use 2FA but are less likely to have changed their passwords within the past year.
In a blog post advising users of what they can do right now to improve online safety, Google wrote, “Create a unique password for each account to eliminate this risk. Make sure that each password is hard to guess and better yet, at least eight characters long.”
Google also recommended setting up 2FA, which “requires you to take a second step each time you sign in to your account on top of your username and password. Examples of second verification steps include: an SMS text message, a six-digit code generated by an app, a prompt that you receive on a trusted device or the use of a physical security key.”
The UK government is claiming to have a £6m pot of cash set aside for the winners of a new IoT security competition.
The Technology Strategy Board, also known as Innovate UK, will only choose projects including an element of artificial intelligence or machine learning and those that have “a clear plan for commercialization.”
They must focus on at least one of: technologies to protect and recover data, intelligent control systems for buildings and smart home protection. Projects could also look at “complementary technologies” like 5G or blockchain, the government claimed.
The idea is apparently to encourage companies to collaborate with the research community to drive new ideas in IoT security.
The initiative is part of the UK Research and Innovation Strategic Priorities Fund, and can be seen as part of a wider push by the government to enhance the UK’s position as a world leader in cybersecurity.
It comes after a £70m investment announcement last week through the Industrial Strategy Challenge Fund, focused on improving security-by-design, and a £30m pledge for the Ensuring the Security of Digital Technology at the Periphery program, to improve IoT security.
It’s unclear whether this latest announcement will be funded from the latter pot of money.
To encourage firms to get on board with the latest Innovate UK competition, the government said they could receive up to 70% off project costs, as long as they fall between the £2.5m-£4m range.
UK firms of any size can participate, working alongside public and private sector bodies as well as charities, but projects must include at least one academic partner and one SME. The competition is open from February 18, with the final deadline on May 1 2019.
Projects must start by December 1 2019 and can last between 18 and 24 months. Those that pass the written application stage will be invited to an interview panel between July 1-5 to present their ideas.
Huddle House has become the latest US restaurant chain to suffer a Point of Sale (POS)-related data breach.
The casual dining and fast food operation revealed on Friday that a malware intrusion had affected an unspecified number of its “corporate and franchised locations.”
“Criminals compromised a third-party POS vendor’s data system and utilized the vendor’s assistance tools to gain remote access — and the ability to deploy malware — to some Huddle House corporate and franchisee POS systems,” it said in a notice.
“Huddle House was notified by a law enforcement agency and its credit card processor that some of its corporate and franchise locations may have been victims of a malicious cyber-attack. Huddle House retained a leading IT investigation and security firm in less than 24 hours from notification, to deploy specialized software to prevent further attacks.”
The firm is still investigating and so unable to provide a definitive list of affected locations, but said that anyone who used a payment card at one of its restaurants between “August 1, 2017 and present” may be at risk.
The malware in question appears to have been classic POS-scraping code designed to harvest magnetic stripe data including cardholder name, credit/debit card number, expiration date, cardholder verification value and service code.
These attacks are less common today thanks to the growing adoption of the EMV standard in the US, which encrypts cardholder data thanks to a built-in chip on each card. This makes it virtually impossible to clone cards using stolen information.
However, hackers still try their luck from time-to-time as EMV adoption is patchy and there’s also a chance that it hasn’t been properly implemented by the store/restaurant.
Huddle House urged customers to check their card statements and contact their bank immediately if they spot anything suspicious.
The European Commission is trying to recall a German-made children’s smart watch model over security concerns that hackers could communicate with or monitor the wearer.
It issued a recall notice under the Rapid Alert System for Non-Food Products (RAPEX), claiming the risk level is “serious.”
It says that the Safe-KID-One device produced by Hamburg-based Enox Group does not comply with the Radio Equipment Directive and all models should be recalled from end users.
“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed,” the RAPEX notice revealed.
“A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”
The Safe-KID-One is just the latest in a long line of smart devices made for young people that has been found to have serious security and privacy vulnerabilities.
Over 800,000 user accounts and millions of voice conversations between parents and their kids were left exposed online after an issue at California-based CloudPets in 2017.
In the same year, German regulators urged parents not to buy the Cayla doll, warning that hackers could use an insecure Bluetooth device in the toy to listen and talk to the child playing with it.
In fact, UK consumer rights body Which? claimed to have found Bluetooth vulnerabilities in numerous connected smart toys, calling for such devices to be taken off the shelves.
“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” argued MD of home products and services, Alex Neill, at the time. “Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”
Though malicious actors have been able to exploit flaws in telecommunication infrastructure for years, it’s now being reported that attackers are able to intercept codes used for banking using Signaling System 7 (SS7) attacks. According to Motherboard, the National Cyber Security Centre (NCSC) said that it is aware that cyber-criminals are exploiting a telecommunications vulnerability to target bank accounts “by intercepting SMS text messages used as 2-Factor Authentication.”
“Legacy communications protocols were often architected with utility in mind, not security,” said Matt Walmsley, EMEA director at Vectra. “We’ve seen old-school fax protocols being recently used to deliver malicious payloads into multifunction printers. Using the telephone infrastructure for illicit activity isn’t new, either."
The attack is concerning, given the widespread use of SMS as an authentication channel. “SMS is increasingly becoming a low-trust infrastructure, and there are other choices available to provide additional factor authentication, including local token generators and biometrics,” Walmsley said.
Because of the flaws in telco infrastructure, British telco company BT said that it is constantly upgrading its systems. According to a report from Reuters, the attack is not limited to Metro Bank but rather is a sampling of a wider attack on banks across Britain.
“Whether criminals use man-in-the-middle SS7 attacks or engage in SIM card swapping, it just goes to show that relying on a SMS-based method of two-factor authentication is not the most secure way to protect your most sensitive accounts,” said Jon Bottarini, hacker and lead technical program manager at HackerOne. “Using an Authenticator App or time-based one-time password (TOTP) for two-factor authentication is the best method to prevent against these types of attacks.”
Linux servers are the target of a new crypto-mining campaign in which a malware dubbed "Speak Up" implants a backdoor Trojan by exploiting known vulnerabilities in six different Linux distributions, according to research from Check Point.
The malware has been seen targeting servers predominantly in Asia and Latin America, including machines hosted by Amazon Web Services (AWS) and Mac devices. Because it implants a new backdoor for which there currently are no detections in VirusTotal, the backdoor is reportedly able to evade all security vendors’ anti-virus software, according to today's blog post. Researchers detected Speak Up being used to spread the XMRig crypto-miner to a machine in China, which was reported to VirusTotal on January 9, 2019.
Researchers warned that the malware's "obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy a few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive."
According to the report, the malware remains in communication with its command and control (C&C), receiving its next task instructions on what researchers called a “fixed ‘knock’ interval.” Built into the malware is a Python script that enables lateral movement on the network. The script also scans the local networks for open ports, forces its way into nearby systems using a list of predefined usernames and passwords and then uses one of seven exploits to take over unpatched systems.
“This is malware that targets Linux and macOS. Once this malware is on a system, it does all the same things any malware would do. It follows the attack lifecycle verbatim,” said Chris Morales, head of security analytics at Vectra. “Those behaviors include running shell commands, executing files downloaded from a remote C&C server, and updating or uninstalling itself.
“By monitoring the internal network with machine learning, the listed behaviors become a list of behaviors that every attack must perform, and every one of these behaviors is detectable. In fact, the more the attack does, the easier it becomes to notice.”
A malicious campaign has been targeting premium publishers using malvertising that looks like legitimate ads for popular retailers, according to The Media Trust.
Researchers today published a blog post explaining that a large-scale malicious campaign attempted to exploit 44 adtech vendors with the ultimate goal of attacking the millions of customers who visit 49 of the Alexa 500 premium publisher sites.
Nearly 80% of the devices targeted were running iOS. Of the more than 600,000 attacks that were detected and analyzed, researchers discovered that unsuspecting visitors didn’t even need to click on any of the ads. By visiting the sites, they were redirected to malicious content prompting them to enter their login credentials. This campaign is reportedly unique because of the malware’s adaptability.
“The group behind the attack had designed an adaptive campaign so that as soon as one malware and supply chain route was identified and terminated, another attack would immediately ensue using different malware and alternative supply chain routes,” researchers wrote.
“Each time attacks were identified and foiled, new ones would launch using other ad formats, fire up new supply chain routes, and employ unique code obfuscation techniques.”
Researchers also said, “combining resources that fed into the entire solution was key,” and they suspect that victims who visited less monitored sites likely had some of their credentials compromised.
“The DSO’s success in preventing further damage in an environment of increasingly sophisticated attacks speaks to the effectiveness of continuous monitoring, as well as cooperation,” said Mukul Kumar, chief information security officer and VP of cyber practice at Cavirin.
“Moving forward, in order to ensure an organization’s or site’s cyber posture, this approach must be the norm rather than the exception.”
Given that these adaptive campaigns are growing increasingly more potent and prolific, researchers advised, “the value of real-time scanning and analysis is the only way to keep abreast of these quickly morphing attacks. Anything less would have left the publishers and their vendors defenseless against the onslaught of attacks.”
The UK’s Student Loans Company (SLC) has been forced to repel nearly one million cyber-attacks over the course of the last financial year, highlighting the growing risk to organizations from hackers.
Think tank Parliament Street sent a Freedom of Information (FOI) request to the non-profit government body, which provides loans and grants to students in the UK.
It revealed the organization was hit by 965,639 separate attacks in the financial year 2017/18. There was little further info on exactly what type of attacks these were, although they included SQLi attempts.
On top of these figures, the SLC broke down a further 323 malware attempts and 235 malicious emails or calls.
Some 127 attempted attacks were not blocked and therefore treated as full blown “incidents,” compared to three attempts in financial year 2015/16 and 95 in 2016/17. However, only one attack succeeded in breaching the SLC’s defenses.
“There was a successful infection of slc.co.uk with Monero cryptocurrency mining malware via a third-party plugin,” the FOI response, sent to Infosecurity, revealed.
“Slc.co.uk is hosted by a third-party supplier, so this was run as a third-party incident. slc.co.uk hosts publicly available material only and no customer data was involved.”
Although the number of attacks sneaking through the perimeter appears to have peaked in 2017/18, the number of malware attempts spiked the previous year. In 2016/17 there were 1015 recorded.
It’s understandable that the SLC is a major target for hackers, given the trove of financial and personal data it stores on the nation’s students. The firm is also a popular target for phishers, who often spoof the organization in an attempt to trick students into disclosing their personal details.
In 2014 it received a dressing down from the ICO after sending applicants’ personal information including medical details to the wrong recipients.
“It’s no surprise that cyber-criminals are relentlessly targeting the personal financial details of students, putting the well-being of tens of thousands of individuals at risk,” said Imperva CTO, Terry Ray. “Tackling this problem means investing heavily in the latest cybersecurity measures, to keep hackers out and limit the risk of a major data breach.”
Home improvement site Houzz has announced a data breach affecting an unspecified number of customers, but claimed that follow-on identity theft is “highly unlikely.”
The firm — which claims to have over 40 million homeowners, home design enthusiasts and home improvement professionals on its books — said it learned about the incident in late December 2018. This could be an issue for GDPR regulators given it has taken over a month to notify.
The California-headquartered business said an unauthorized third party gained access to a file containing user data.
This included: user ID, prior Houzz user names, one-way encrypted passwords “salted uniquely per user,” IP address, and city and postcode inferred from IP address. Also exposed in the breach were publicly available account details like Houzz user name and/or Facebook ID.
Finally, if the user had made the following info publicly visible, then first name, last name, city, state, country and profile description could also be compromised.
The firm claimed not all customers were affected but did not disclose the number. It has emailed those who may have been affected “out of an abundance of precaution” asking them to reset their passwords.
“We do not believe that any passwords were compromised because we do not actually store passwords except in a one-way encrypted form that is salted uniquely per user,” it added. “However, we recommend changing your password on any other sites or accounts where you used the same login information that you used for Houzz. It is generally best practice to use a unique password for each service.”
No financial information or, in the US, Social Security numbers, were taken, according to the firm.
Tripwire VP, Tim Erlin, also urged users to change their log-ins.
“If you used the same password for your Houzz account that you used for a more sensitive account, then you’ve put that more sensitive account at risk as well,” he argued. “Using unique passwords is a good way to protect yourself from this type of risk. Using multi-factor authentication is another way to reduce the risk. The internet is all about connection, and sometimes those connections work to the advantage of attackers."
The Information Commissioner’s Office (ICO) has fined Leave.EU and an insurance company owned by Brexit backer Arron Banks £120,000 for serious data protection failings.
The UK’s privacy watchdog claimed that segregation of data between the two closely linked companies was insufficient, meaning data collected by Eldon Insurance on its customers was used to bombard them with online messages backing the leave vote.
The reverse was also true, with Leave.EU subscribers sent marketing missives from Eldon Insurance without having given adequate consent.
Leave.EU was fined £15,000 for illegally sending nearly 300,000 political marketing messages, while both Leave.EU (£45,000) and Eldon Insurance (£60,000) were fined for sending nearly one million emails to Leave.EU subscribers, according to the ICO.
“It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened,” said information commissioner, Elizabeth Denham, in a statement.
“We have been told both organizations have made improvements and learned from these events. But the ICO will now audit the organizations to determine how they are using customers’ personal information.”
The formal assessments by the ICO will cover data protection practices, staff training and other processes for the two organizations, which share offices.
Eldon Insurance was also served an ICO enforcement notice ordering the firm to comply with electronic marketing regulations.
Rumors of illegality have swirled around the Brexit referendum campaign for years.
Leave.EU is now the subject of a criminal investigation by the National Crime Agency (NCA), referred by the Electoral Commission, after suspicions that Banks was not the source of a multi-million pound donation as he has claimed.
The money is said to have come from one of his subsidiaries in the Isle of Man, which is illegal under UK election law.
MPs have called for the Brexit process to be suspended until the outcome of these allegations of multiple criminal offenses.
Thus far, Prime Minister Theresa May has resisted calls for a Robert Mueller-like investigation into possible Russian interference in the referendum, despite mounting concerns over the role of firms like AIQ in targeting voters, spending irregularities and Russian social media misinformation.
A grass roots campaign, Fair Vote, is looking to mount a legal challenge to force a public inquiry.
Despite their high-ranking positions, senior executives are reportedly the weak link in the corporate cybersecurity chain, according to a new report from The Bunker, which finds that cyber-criminals often target this known vulnerability.
A recently published white paper, Are You the Weakest Link? How Senior Executives Can Avoid Breaking the Cybersecurity Chain, found that those at the top are guilty of a bit of grandiosity. They disregard cybersecurity threats and policies under the misguided perception that the rules don’t apply to their unique positions.
“Professional hackers and adversaries will usually do a thorough investigation into a senior executive or board level director, including full analysis which could entail in-depth monitoring of the company website and associated social media accounts,” the report said.
Most executives make the same five mistakes, according to the report. Senior executives fail to realize that they are prime targets for cybercriminals, which is potentially a result of their view that cybersecurity is an IT responsibility that doesn’t have anything to do with their executive positions.
In reality, though, the report said, “IT security has now become the remit of all individuals, especially those in the highest positions of each department and senior executives need to take ownership for IT security best practice in their day-to-day behavior.”
Another common mistake among senior executives is that they believe cybersecurity threats are attacks that happen to the business by some external malicious actor rather than being the result of internal threats or accidents.
Many top executives also reportedly believe that a cloud provider is responsible for the backup and security of all information, though they fail to use cloud hosted email securely.
However, cybercriminals know that top executives often have privileged access to company information, so hackers intentionally target their personal accounts.
“Reviewing corporate policies, with a focus on people, premises, processes, systems and suppliers will provide valuable insights into which areas to improve, and by championing a ‘security first’ corporate culture, organizations and their senior executives will be well positioned to avoid the high financial costs, reputational damage and unexpected downtime that could result from a cyber-attack or data breach,” said Phil Bindley, managing director, at The Bunker.
Two years after President Trump took office, the Foundation for Defense of Democracies has issued its midterm assessment, The Trump Administration’s Foreign and National Security Policies, which looks in part at the administration’s cyber policies and the advances therein.
Authored by Annie Fixler, deputy director for the Center on Cyber and Technology Innovation (CCTI), and David Maxwell, senior fellow, CCTI, the section on cyber looks at current policy and makes recommendations for moving forward.
In their assessment, Fixler and Maxwell found, “The Trump administration’s cyber policy is moving away from the prioritization of law enforcement to an approach that balances law enforcement, persistent engagement with adversaries in cyberspace, and the pursuit of deterrence. The most significant expression of this shift is the administration’s September 2018 National Cyber Strategy.”
Based on a series of assertions from senior officials who testified before Congress as to the effectiveness of previous policies, the Trump administration took what Fixler and Maxwell commended as positive steps forward.
“In May 2017, the president signed an executive order requiring departments to work with the private sector to support critical infrastructure security. Seven months later, in its first National Security Strategy, the administration pledged to impose 'swift and costly consequences' on malicious cyber actors, and explicitly noted the danger of adversarial cyber-enabled economic warfare.”
The authors also noted that “while it is too early to assess the effectiveness of the Trump administration’s new National Cyber Strategy, the document has received rare bipartisan praise.”
After outlining the effective strategies taken by the administration, the FDD made six cyber-specific recommendations:
- Target those responsible for, or benefiting from, malicious cyber operations.
- Excise components from authoritarian states engaged in malicious cyber operations from U.S. and allied supply chains.
- Synchronize cyber defense capabilities and offensive options with allies.
- Use cyber and kinetic capabilities to impose costs on adversaries.
- Create secure partnerships and interoperability with the private sector.
- Recruit private sector support for U.S. national security goals.
February 1 is Change Your Password Day, an annual “holiday” established back in 2012, according to a blog post from Gizmodo, as a way to get a wide collection of end users to change their passwords together.
Over the course of the past seven years, though, passwords have continued to create enormous risks to enterprise security, with many users either crafting weak passwords or reusing passwords across multiple accounts.
According to a LastPass survey, 39% of consumers never change their password unless it is required. In all likelihood, people don’t change their passwords because the average user has nearly 200 accounts to keep track of, which makes changing passwords every month or quarter unrealistic, according to LastPass.
“It will take some time to upload your credentials into the password manager, but invest the time and use the password generator function to create complex, new passwords for your accounts. Using a passphrase with a combination of complex characters such as $ymB0LS drastically increases your security and protection of personal data,” said Joseph Carson, chief security scientist at Thycotic.
What matters most when it comes to password protection is length, which is why it has become more commonplace to see sites requiring a minimum of eight-character passwords. Still, “there is a long-running myth that complex phrases using characters, numbers and letters are secure. They are not. These are simply hard-to-remember phrases that are quickly forgotten and reused in multiple locations,” said Chris Morales, head of security analytics at Vectra.
Instead, Morales said simple phrases, rather than complex combinations of characters and numbers, make better passwords. “'The quick red fox jumped over the lazy brown dog' is a much stronger and infinitely easier to remember password than '1W33$^Adgfi*()tyu.'”
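As an added illustration (not code from the article or from the people quoted in it), the estimator below sizes the search space of the two quoted passwords under two attacker models, character-level brute force and word-level dictionary guessing, and shows how much length an alphabet needs to reach a target; the 7776-word vocabulary size and the 80-bit target are assumptions.

```python
import math
import string

# Alphabets for the character-level model: an attacker brute-forcing a password
# must try every character from each class the password actually uses.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation, " ")

# The two passwords quoted in the article (Morales' examples).
PASSPHRASE = "The quick red fox jumped over the lazy brown dog"
COMPLEX_PW = "1W33$^Adgfi*()tyu"


def charset_size(password: str) -> int:
    """Alphabet size inferred from the character classes present."""
    return sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in password))


def char_level_bits(password: str) -> float:
    """Search-space size in bits if each character were picked uniformly at
    random from the inferred alphabet (an upper bound for human-chosen text)."""
    return len(password) * math.log2(charset_size(password))


def word_level_bits(passphrase: str, vocabulary_size: int = 7776) -> float:
    """Search-space size in bits if each word were picked uniformly from a word
    list of `vocabulary_size` entries (7776, the Diceware list size, is an
    assumption). A well-known phrase is not a random draw and gets far less."""
    return len(passphrase.split()) * math.log2(vocabulary_size)


def min_length_for_bits(target_bits: float, alphabet: int) -> int:
    """Shortest random password over `alphabet` symbols reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))


def compare(password: str, passphrase: str) -> dict:
    """Summarise both models so the attacker-model assumption stays explicit."""
    return {
        "complex_char_bits": round(char_level_bits(password), 1),
        "phrase_char_bits": round(char_level_bits(passphrase), 1),
        "phrase_word_bits": round(word_level_bits(passphrase), 1),
        # Length versus alphabet: random length needed for an 80-bit search space.
        "len_for_80_bits_lowercase": min_length_for_bits(80, 26),
        "len_for_80_bits_all_printable": min_length_for_bits(80, 94),
    }


if __name__ == "__main__":
    for key, value in compare(COMPLEX_PW, PASSPHRASE).items():
        print(f"{key:32} {value}")
```

The word-level figure is the honest one for a passphrase, and it is only valid when the words are chosen at random rather than taken from a familiar sentence.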
When it comes to enterprise protection, LogRhythm advised businesses to use multifactor authentication whenever possible to protect critical infrastructure, such as VPN and email access. Also, avoid shared accounts. Instead, create separate accounts for each user of an application so that any actions performed are properly attributed to a specific employee, which will also limit the risk of inadvertent password exposure.
Security researchers have uncovered a new cyber-espionage campaign against foreign diplomats in Iran, using malware linked to a well-known APT group.
Kaspersky Lab researcher Denis Legezo claimed the campaign was indicative of hackers in emerging regions using “homebrew” malware combined with publicly available tools.
In this case, they use an improved version of the Remexi backdoor, first reported in 2015, which enables them to harvest keystrokes, take screenshots, exfiltrate credentials, log-ins and browser history, and execute remote commands.
Data is exfiltrated using the legitimate Microsoft Background Intelligent Transfer Service (BITS) application, saving the group time and money and complicating attribution efforts, Kaspersky Lab claimed.
“When we talk about likely state-sponsored cyber-espionage campaigns, people often imagine advanced operations with complex tools developed by experts. However, the people behind this spyware campaign look more like system administrators than sophisticated threat actors: they know how to code, but their campaign relies more on the creative use of tools that exist already, than on new, advanced features or elaborate architecture of the code,” Legezo argued.
“However, even relatively simple tools can cause significant damage so we urge organizations to protect their valuable information and systems against all level of threats, and to use threat intelligence to understand how the landscape is evolving.”
There’s no word yet on how the malware is being spread, although it has been linked to a Farsi-speaking APT group known as Chafer, whose activity goes as far back as 2014.
The group is known to focus on domestic targets, although going after foreign embassies within the Islamic Republic represents a new approach.
Legezo urged organizations to arm themselves with corporate-grade security, including capabilities to detect targeted attacks, enhanced security awareness training for employees, and up-to-date threat intelligence data.
UK car repair shop chain Kwik-Fit has suffered a serious cyber-attack which seems to have put its IT systems out of action for most of the week, angering customers.
A spokesperson told the BBC that the firm first experienced “some issues with a virus in our IT network” last weekend.
“This affected a number of our systems but in the interest of ongoing security we can't confirm the source of the problem,” the statement continued.
"We have been working to get our operational systems back up and running normally and while there is still some disruption, our centers are open as usual."
However, in a Twitter message on Thursday to one of many irate customers, the firm admitted its systems were still down, meaning the individual wasn’t able to access an online MOT booking service.
“Unfortunately we don't have a time for this, but our team are working as hard as they possibly can to get this sorted. Apologies that we can't provide any further information for you,” the message read.
Given the scale of the problem and the delay in getting systems back online, ransomware would be an obvious guess as to what kind of “virus” Kwik-Fit has been subject to.
Darren Williams, CEO and founder of BlackFog, claimed the attack has directly impacted customer trust and the firm’s bottom line, with appointments cancelled and the call center apparently overwhelmed with complaints.
“This will continue to happen as more and more firms around the globe become entirely dependent upon technology to run their business,” he added. “Hackers have become increasingly sophisticated and are attacking organizations from all directions. So, firms need a multi-layer defense system.”
UK consumers could undermine attempts by EU regulators to improve fraud screening, according to a new survey from FICO.
The predictive analytics firm polled 500 consumers in the UK, Germany, Spain and Sweden to better understand their attitudes to the new PSD2 banking regulations.
A key part of these rules is a new requirement on banks, card issuers and payment service providers (PSPs) to enforce so-called Strong Customer Authentication (SCA). This means that when a user comes to pay for something online, they will be challenged with an extra two-factor authentication step.
However, just half (53%) of UK consumers polled said they would give their bank their mobile number. This is necessary to support the one-time passcode systems that many lenders may choose to comply with SCA.
Among the reasons they gave were that it’s “not secure or intelligent,” would be too complicated, others could access it and that there’s poor mobile coverage where they are.
Nearly 70% said they think there’s already enough or too many security checks on card payments.
Consumers are certainly right to be wary of this kind of 2FA. Hackers have grown increasingly adept at circumventing security by intercepting one-time codes sent by SMS. This happened to Reddit administrators last August, allowing attackers to compromise staff accounts en route to sensitive customer data.
The FICO poll’s findings seem to suggest that pushing customers into choosing a particular authentication method could be a mistake.
“While it is true that the majority would comply in providing their mobile phone, those that choose a different course of action could have a considerable negative impact on the business,” the firm argued. “A successful SCA strategy should allow customers choice whenever possible and shouldn’t deprive them of service if they are unable or unwilling to adopt a particular method.”
However, not all transactions have to be covered by SCA. Exemptions apply for those under €30, recurring transactions, and those deemed “low risk,” among other types.
Another option would therefore be to invest in sophisticated fraud prevention tools which can monitor and report on transaction risk levels, screening each one to minimize the number of times customers must go through SCA.
This is the Holy Grail for banks, PSPs and merchants: delivering low friction and low fraud while maximizing sales in the process.
The new SCA rules take effect in September this year.
Leaders of six US intelligence agencies testified in front of the Senate Intelligence Committee on January 29, asserting that cyber-threats have evolved, particularly coming from China and Russia.
At issue is the collection and protection of data that can be leveraged in cyber-warfare, a concern expressed by the US Air Force as well. “We are now living in a new age – a time characterized by hybrid warfare and weaponized disinformation, all occurring within the context of a world producing more data than mankind has ever seen,” said Sen. Richard Burr (R-NC), chairman of the Senate Select Committee on Intelligence, according to Air Force Magazine. “Tomorrow, it’s going to be deep fakes, artificial intelligence, and a 5G-enabled internet of things with billions of internet-connected consumer devices.”
In his prepared opening statement, director of national intelligence Dan Coats wrote, “Our adversaries and strategic competitors will increasingly use cyber capabilities – including cyber espionage, attack and influence – to seek political, economic and military advantage over the United States and its allies and partners.”
Among the foreign adversaries that have expanded their cyber-espionage and intelligence activities are China, Russia, Iran and North Korea. According to Coats, China and Russia pose the greatest threats to the US, though Iran and North Korea remain paramount concerns.
“At present, China and Russia pose the greatest espionage and cyber attack threats, but we anticipate that all our adversaries and strategic competitors will increasingly build and integrate cyber espionage, attack and influence capabilities into their efforts to influence US policies and advance their own national security interests,” Coats wrote.
Those threats also extend to the US military and critical infrastructure. “China remains the most active strategic competitor responsible for cyber espionage against the US Government, corporations, and allies. It is improving its cyber attack capabilities and altering information online, shaping Chinese views and potentially the views of US citizens.”
The potential that adversaries will again attempt to meddle in the 2020 presidential election remains a top concern among intelligence leaders who anticipate that “US adversaries and strategic competitors almost certainly will use online influence operations to try to weaken democratic institutions, undermine US alliances and partnerships and shape policy outcomes in the United States and elsewhere.”