Info Security

Honda Tackling Suspected Ransomware Infection

Tue, 06/09/2020 - 08:36

Honda is investigating a cyber-attack on its IT network in Europe which researchers are claiming is Ekans ransomware.

The carmaker has issued a brief statement after problems were uncovered on Sunday, confirming there was an issue with its network.

It said it had “experienced a disruption in its computer network that has caused a loss of connectivity, thus impacting our business operations.

“Our information technology team is working quickly to assess the situation,” it added, according to The Detroit Bureau.

However, on Twitter, security researchers were less circumspect. One, known as @milkr3am, posted several screenshots including one with purported Ekans (aka Snake) code that checks specifically for the domain, indicating that this variant has been specially customized to target the firm.

They also posted a ransom note, which requests the victim organization to get in touch with a secure Tutanota email address to discuss purchasing the private decryption key, which it says was “created specifically for your network.”

Alongside these are links to VirusTotal which apparently show the code detected by 40 out of 71 vendors as Snake or Ekans ransomware.

This isn’t the first time Honda’s cybersecurity posture has come under scrutiny. Back in 2011 its American arm admitted to a data breach which compromised the personal details of over two million customers.

Then in 2019, the carmaker suffered two separate incidents. In July a researcher discovered an exposed Elasticsearch instance leaking 134 million corporate documents (around 40GB of data). Then in December, a similar incident exposed around 26,000 unique customer records from the firm’s North American business.

“Unfortunately, conventional approaches to ransomware threats tend to be minimally effective. Employee training can never completely remove the potential for human error, while software designed to stop malware rapidly becomes obsolete as threats and their identifying signatures evolve,” explained Cloudian VP of engineering, Neil Stobart.

“As such, organizations often encrypt data as a safeguard against ransomware. However, while encryption can be useful where cyber-criminals just want to access and share the data itself, in the case of ransomware, they can simply re-encrypt the data to prevent access by its rightful owner.”

Animal Rights Group Hacked Over Exploded Elephant Comments

Mon, 06/08/2020 - 17:58

The website of an animal rights group has been hacked after its founder made accusations regarding the killing of a pregnant elephant in Kerala.

The 15-year-old elephant suffered a broken jaw and died on May 27 in the Velliyar River after allegedly eating a pineapple filled with firecrackers. Such traps are commonly set in India's forest fringe areas to keep boars and other wild animals from damaging crops.

Following the expectant animal's tragic demise, Indian politician, animal rights activist, and founder of the organization People for Animals, Maneka Gandhi, said that "action should be taken against everyone who is suspected in Malappuram."

The politician's comments were considered to be controversial since it is not yet clear who may have laid the trap and whether it was intended specifically for the elephant, or whether the incident occurred in Malappuram district or in the adjoining Palakkad district. 

According to Asian News International, Gandhi also said: "Kerala government has not taken any action in Malappuram, it seems they are scared. An elephant is killed every three days in Kerala. We have less than 20,000 elephants left in India, they are rapidly declining."

On June 4, following Gandhi's comments, a group of cyber-criminals hacked the official website of the PFA. The group, who call themselves Kerala Cyber Warriors, replaced the PFA site with a message that read "Maneka Gandhi dragged the sad death of pregnant elephant for dirty politics."

PFA trustee and wildlife activist Gauri Maulekhi said the hacked organization is now considering taking legal action against the malicious hackers. 

Gauri told THE WEEK: "This kind of bullying, trolling and one-upmanship is not going to work."

Maulekhi said the elephant's violent death had transpired as a result of the Kerala government's attitude toward the hunting of wild animals.

"Hunting was banned in the country in 1972," said Maulekhi. "The Kerala government, in a recent order, has incentivized hunting. Poor people have started hunting wild boar to make money. They are forced to kill wild animals because of the absurd and wicked policies of the state government."

US University to Host INTERPOL Digital Forensics Conference

Mon, 06/08/2020 - 16:50

The International Criminal Police Organization (INTERPOL) 2020 Digital Forensics Expert Group conference is to be virtually hosted by the University of New Haven in partnership with MITRE Corporation.

The event aims to bring together leaders in digital forensics to learn about new developments in the field while also providing an opportunity for some professional networking.

INTERPOL approached Elder Family Chair and director of the university's Connecticut Institute of Technology Dr. Ibrahim Baggili and nonprofit MITRE with a hosting request last year. Baggili had planned to host the event with Cory Hall, principal cybersecurity engineer at MITRE, as his co-chair. 

However, plans to physically site the event at the university were left in tatters by the global outbreak of COVID-19. Had the conference been able to take place on site at the university as originally intended, it would have been the first time in history that the event was held in the United States. 

Eager to ensure the event went ahead despite the challenges of lockdown measures and travel restrictions designed to slow the spread of COVID-19, the university and MITRE are now hosting the conference in cyberspace.

Baggili said that in light of the increased reliance placed on technology by society in the wake of the coronavirus pandemic, cybersecurity was more important now than ever before. 

“Cyber criminals will always take advantage of people, and how we investigate these crimes is of the utmost importance,” said Baggili. “From what we have learned from COVID-19, our livelihood, at this point, depends on technology.”

Hall commented that although a physical venue might be missing from the INTERPOL event, the need for digital forensics experts to be up to speed on the latest developments in their field was not.

“Digital forensics experts worldwide still require updates on new tradecraft and a place to connect and learn from one another,” said Hall. “This is a great example of collaboration across academia, nonprofits, and international law enforcement. It shows that our human spirit will prevail against this pandemic.”

The virtual conference will take place on four days over two weeks in June. For the first time, participants will be given the chance to solve a digital forensics challenge. 

Ransomware Strikes Third US College in a Week

Mon, 06/08/2020 - 15:56

Columbia College, Chicago has become the third US college in a week to fall victim to a cyber-attack involving the Netwalker family of ransomware. 

The Illinois educational establishment, along with Michigan State University and the University of California, San Francisco, was targeted by cyber-criminals and given six days to pay a ransom to recover its files.

Netwalker, also known as Mailto or as an updated version of Kokoklock ransomware, was first observed operating in September 2019. The malware works by encrypting data and renaming files with the developer's email address and an extension made up of the victim's unique ID. 

Like the attack on the University of California, the assault on Columbia occurred on June 3, exactly one week after Michigan State University was hit. On the Netwalker blog, the cyber-criminals claimed to have exfiltrated "very highly sensitive data like social security numbers and other private information" from Columbia. 

Columbia's chief of staff, Laurent Pernot, told the Columbia Chronicle on June 5 that the Netwalker attack was detected by the college's IT systems and contained to a limited number of college servers. 

“Some college, employee and student data was accessed by the perpetrators, though the exact nature and extent of that is still being determined,” wrote Pernot, adding that steps had been taken to prevent further breaches.

Updates made to the Netwalker blog yesterday suggest some of the colleges may have succumbed to the attackers' demands.

Emsisoft's Brett Callow told Infosecurity Magazine yesterday: "UCSF and Columbia are no longer listed on Netwalker’s leak site, which likely means they paid (making it a lucrative week for the criminals) or that they asked to be delisted pending negotiations. So it appears only MSU is still holding out and refusing to negotiate."

Threat group REvil recently switched from publishing data if a ransom isn't paid to auctioning it off to the highest bidder. 

Asked if Netwalker's operators might follow suit, Callow said: "I wouldn’t be at all surprised if Netwalker were to adopt a REvil-like auction process for stolen information. Like other businesses, criminal enterprises adopt each other’s strategies and the introduction of mechanisms enabling stolen data to be monetized would seem to be a logical progression. We saw this with data exfiltration and publishing: the strategy was pioneered by Maze and then quickly adopted by multiple other groups."

Open Source Software Vulnerabilities Increased By 130% in 2019

Mon, 06/08/2020 - 15:00

The number of open source software (OSS) vulnerabilities more than doubled in 2019 compared with 2018, a new RiskSense report has shown. The total number of Common Vulnerabilities and Exposures (CVEs) reached 968 last year, up from 421 in 2018, a rise of 130%. CVEs have remained at historically high levels into the first three months of 2020 too, suggesting this is a long-term trend.

The report also revealed that it takes an average of 54 days for OSS vulnerabilities to be added to the National Vulnerability Database (NVD) following public disclosure. These delays mean organizations are often exposed to serious application security risks for around two months. The lags were observed across all severities of vulnerabilities, including those rated as ‘critical’ and ones that are weaponized.

The OSS projects that had the most CVEs were the Jenkins automation server (646) and MySQL (624), each of which had 15 weaponized vulnerabilities. While HashiCorp’s Vagrant only had nine CVEs, a very high proportion (six) were weaponized. Other OSS projects that had vulnerabilities that were trending or popular in real-world attacks included Apache Tomcat, Magento, Kubernetes, Elasticsearch and JBoss.

Cross-site scripting weaknesses were the second most common form of vulnerabilities, and the most weaponized. This was followed by input validation issues, which were the third most common and second most weaponized. Additionally, the study showed that some weaknesses, such as deserialization issues (28) and code injections (16) were far less common but remained very popular in active attack campaigns.

“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blindspot for many organizations,” said Srinivas Mukkamala, CEO of RiskSense. “Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”

CPA Canada Breach Hits Over 300,000 Accountants

Mon, 06/08/2020 - 10:50

Over 300,000 Canadian accountants and related stakeholders have been hit by a breach of a professional member association, it emerged late last week.

The Chartered Professional Accountants of Canada (CPA Canada) revealed in a statement that an unauthorized third party had managed to access personal information after compromising the organization’s website.

Over 329,000 individuals including members and others have been notified and warned of follow-on attacks.

The compromised information relates mainly to the CPA Magazine and includes names, addresses, email addresses and employer names. CPA Canada claimed that passwords and full credit card numbers were encrypted, although it didn’t specify what type of algorithm was used to scramble these details.

“CPA Canada today has notified affected individuals that the information involved could be used for the purposes of targeted phishing scams,” the organization said.

“CPA Canada is encouraging affected individuals to remain vigilant about any emails they may receive asking them to provide sensitive information or click on links or attachments, even if they appear to come from CPA Canada or an individual or company they know or trust.”

Although CPA Canada said it took “immediate steps” to secure its systems and work out what had happened, in reality the breach may have taken place several months ago. The organization linked the incident to an alert it issued back in April about an apparent phishing campaign in which users were requested to change their CPA Canada passwords because of a website breach.

“We are told that these emails appear to originate from the IT department of the employer of the individual receiving the message. These emails suggest that their IT department suspects a cybersecurity compromise with the domain,” it explained at the time.

“It is important that you do not act on the directions in any such email. CPA Canada continues to monitor the security of its web platform and is not experiencing anything unusual. In addition, the integrity of our password reset process remains secure.”

Phishers Hide #COVID19 Malware in CVs and Medical Leave Forms

Mon, 06/08/2020 - 09:40

Cyber-criminals are taking advantage of the evolving jobs market and employee health situation under COVID-19 to disguise malware in various emailed documents.

The phishing campaigns spotted by Check Point over recent days center around spoofed CVs and medical leave forms. Unemployment in the US remains at levels not seen since the Great Depression of the 1930s, with close to 40 million currently without jobs due to the pandemic.

The security vendor said that the ratio of CV-related malware to all detected malicious files doubled over the past two months. One campaign featured banking Trojan Zloader hidden in malicious .xls files in emails with subject lines such as “applying for a job” or “regarding job.”

Separately, cyber-criminals have been taking advantage of interest in the US Family and Medical Leave Act (FMLA) to lure administrative staff into opening attachments.

Attachments with names like “COVID -19 FLMA CENTER.doc” have been sent via emails with subjects like “the following is a new Employee Request Form for leave within the FMLA,” according to Check Point.

Once again, the payload is info-stealing banking Trojans like Icedid or Trickbot. Different sender domains are used to try and trick email filters.

The number of COVID-19-themed attacks fell by 7% in May to 158,000 per week, the vendor claimed. However, attacks overall are starting to pick up as businesses begin to open again.

“In March, when the pandemic was at its peak, we saw a 30% decrease in malware attacks compared to January 2020. This was because many countries went into quarantine and most businesses and other organizations were shut as a result, greatly reducing the potential number of targets for attackers,” Check Point explained.

“Now that the world is seeing some relief from the pandemic as a result of the quarantine measures, things have started to open up and businesses are running again and – guess what? – cyber-criminals are also ramping up their malicious activities. In May, we saw a 16% increase in cyber-attacks when compared to the period between March and April, when coronavirus was at its peak.”

IT Services Firm Conduent Felled by Maze Ransomware

Mon, 06/08/2020 - 08:41

A multi-billion-dollar IT services firm has become the latest victim of the infamous Maze ransomware group, after the group appeared to exploit a widely publicized Citrix vulnerability.

New Jersey-headquartered Conduent claims to provide mission-critical services and solutions for “a majority of Fortune 100 companies and over 500 governments.”

The firm admitted in a statement that its European operations were hit by an attack on May 29, early in the morning local time.

“Our system identified ransomware, which was then addressed by our cybersecurity protocols,” it explained. “This interruption began at 12.45 AM CET on May 29 with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored.”

It said the incident resulted in only “partial interruption” to its services for customers, and an ongoing investigation is being undertaken featuring “internal and external security forensics and anti-virus teams.”

Although Conduent didn’t name its attacker, security researchers have seen Maze post stolen financial data from the firm online as proof of its raid.

Bad Packets claimed that, according to its own research, a Citrix server run by the IT services giant was left unpatched for at least eight weeks.

The Maze group has been observed previously exploiting the CVE-2019-19781 vulnerability in the Citrix ADC and Citrix Gateway products, which was first disclosed in December 2019.

The bug can allow an unauthenticated attacker to perform arbitrary code execution on a victim machine.

The Maze group also has prior history in this area: it hit IT services firm Cognizant back in April in an attack which the firm admitted could cost it $70m in Q2 2020.

“Making sure you are using up-to-date operating systems and that software is running on the latest version is a critical part of cyber-hygiene,” argued CyberSmart CEO, Jamie Akhtar.

“Ransomware is a game of economics and incentives. By not protecting our systems, not backing up our files and giving in to paying ransoms we increase the reward for the attackers and the general viability of these kinds of attacks. If we all do our part in reducing incentives, we can develop a kind of digital herd immunity where criminals in future may no longer feel the attacks are worth the effort."

North Dakota Contact Tracing App Ends Data Share with Foursquare

Fri, 06/05/2020 - 15:47

The operators of a North Dakota contact tracing app have had a rethink when it comes to sharing users' data with third-party services. 

Care19 was created by ProudCrowd LLC to track the spread of COVID-19 in the Peace Garden State. Following the app's launch, cybersecurity company Jumbo Privacy discovered that Care19 was sending user data to third-party services.

The information being shared was the Identifier for Advertisers (IDFA), an ad-tracking identifier that enables an advertiser to understand when a phone user has taken an action like a click or an app install.

North Dakota stated that the Care19 app "does not have any information that is tied to an individual person" and information uploaded via the app is "100% anonymous."

However, Jumbo found that users accessing the Care19 app via iOS on their iPhone could be unmasked through the IDFA on their device.

One of the third-party services receiving Care19 users' IDFA data was Foursquare, a location service that provides advertisers with tools to reach people who have visited specific locations. That arrangement has now ceased.

Jumbo CEO Pierre Valade told Infosecurity Magazine: "Care19 shared with us on June 3rd that the new version of their app (v3.3) was no longer sharing users’ IDFA to Foursquare. We’ve reviewed the app and can confirm this is true."

Care19 and Foursquare told Jumbo that the IDFA data was collected automatically by using Foursquare's SDK, Pilgrim, and there was no way for developers to disable this collection. 

Valade said: "After you published our research and in response to our concerns, Foursquare made an important change to its geolocation SDK 'Pilgrim' to permit developers to disable collection of a user’s IDFA and prevent it from being shared with Foursquare."

Jumbo's CEO described the change of heart as "a big win for privacy" but said that there were still concerns about Care19 that needed to be addressed. 

"Care19’s privacy policy does not indicate how a user can exercise their privacy rights, what the officials intend to do with the data once recent contacts have been identified, and how long this data will be retained for," said Valade.

In addition, Care19 has not yet confirmed that pushing the deletion tab will also delete user data anywhere else it was stored, notably in third-party servers.

Florida Student Discovers Flaws in Leading Doorbell Security Cameras

Fri, 06/05/2020 - 15:15

"Systematic design flaws" have been discovered in leading internet-connected doorbell and security cameras by a Florida Institute of Technology student.

Blake Janes unearthed vulnerabilities in devices manufactured by Ring, Nest, SimpliSafe, and eight other companies relating to the removal of active user accounts. The flaws allow a shared account to remain in place and continue accessing the video feed despite appearing to have been removed.

The flaws could allow malicious actors to covertly record audio and video from vulnerable devices indefinitely, invading the privacy of victims on their very own doorsteps. In electronic stalking cases, or cases where a cohabiting couple who shared access to a device have ceased to live together, such flaws could have serious repercussions. 

The vulnerability arose from the devices being designed in such a way that decisions to grant access are made in the cloud rather than locally on either the camera itself or the users' smartphones.

Computer science major Janes's discovery was presented in "Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices," by the student and two Florida Tech faculty members from the university’s top institute for cybersecurity research, the L3Harris Institute for Assured Information—Terrence O’Connor, program chair of cybersecurity, and Heather Crawford, assistant professor in computer engineering and sciences.

"Our analysis identified a systemic failure in device authentication and access control schemes for shared Internet of Things ecosystems," the paper concluded. "Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT produced content."

Janes informed vendors about the vulnerabilities and also suggested several fixes. For identifying a major flaw in the Nest suite of devices, Google awarded the hard-working student a bug bounty payment of $3,133. 

Other vendors, including Samsung, have been communicating with Janes about recommended solutions to fix the vulnerability.

Janes and his co-authors found the flaws in the Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and the TP-Link Kasa Camera.

Maine Community College Becomes First in State to Offer Cybersecurity Program

Fri, 06/05/2020 - 14:30

Maine residents hoping to pursue a career in cybersecurity will finally be able to study the subject at community college.

Starting in fall 2020, Northern Maine Community College (NMCC) will be the first community college in the state to offer a cybersecurity program. NMCC said a group of at least 15 first-year students has already signed up to the course, which is comparable to those already available at Maine's other higher education institutions. 

The new two-year program is a revised version of NMCC's network administration and cybersecurity associate degree program. Instructor Reuben Caron said the reworking of the course reflected the changes that have occurred in the technological landscape since its creation. 

“The program began with computer electronics and evolved into computer networking and technology,” said Caron.

“As the program has evolved to meet industry needs, we knew there was a demand for graduates to be trained in network administration and security.”

NMCC’s program features a practical curriculum that will teach students how to build their own computers and private networks that will exist beyond the college's campus network. Students will learn how computers react to different cyber-attacks and experiment with various recovery tactics. 

Encompassed in the program are courses on computer security, ethical hacking, and computer forensics. 

“With ethical hacking, you learn how someone might attack your network in order to understand how to better defend it,” Caron said. “Students learn how to hack in a way that doesn’t go beyond ethical hacking and into illegal situations.”

Students will end the program qualified for positions as computer technicians, network technicians, network administrators (Microsoft and Linux), and desktop support technicians. NMCC is currently pursuing accreditation for the program from the Accreditation Council of Business Schools and Programs. 

Business department chair Dwight Clayton said the new program was an excellent starting point for Mainers dreaming of a cybersecurity career, especially for those hoping to earn while they learn.

He said: "The great thing about a two-year program is that students can enter the workforce as they continue toward a bachelor’s degree."

The news follows the 2019 launch of a four-year cybersecurity program at the nearby University of Maine at Presque Isle.

Sophos Confirms Restructuring Plans, Denies Blog Closure

Fri, 06/05/2020 - 11:00

Sophos has confirmed that it is implementing some internal restructuring, but denied that it plans to close its Naked Security blog.

Following reports which emerged last night about Sophos’ plans to furlough staff and close the award-winning blog, a spokesperson for Sophos has confirmed plans to restructure in response to market conditions associated with COVID-19 and “to accelerate the evolution already underway to our next-gen product portfolio, which features our most advanced cloud-managed protection capabilities and is the fastest growing part of our business.”

The spokesperson added: “A restructuring is always a difficult decision, but we believe it is necessary to position Sophos for continued growth and success in the years to come, and to continue to provide advanced, world-class protection for our customers.

“Sophos is appreciative of the contributions made by all our team members in supporting the company’s mission to protect people from cybercrime by developing powerful and intuitive products and services that provide the world’s most effective cybersecurity for organizations of any size.”

In the first quarter of 2020, Sophos grew billings 14% overall, its next-gen products represented over 63% of its business and the company grew 37% year-on-year.

Answering a question with regard to the future of the 10-year-old Naked Security blog, which earlier this week collected two European Security Blogger Awards for Best Corporate Blog and Best Overall Blog, Sophos said: “We can assure you that Naked Security will continue to be a source of information moving forward. Sophos is increasing focus on threat research and security investigations. As a result, we’ll do more original reporting and deep analysis.”

Security blogger and speaker Graham Cluley said in his blog that he had heard that Naked Security would be “mothballed” and he sent his “best wishes to old friends at Sophos facing possible redundancy.

“So many vendors over the years were jealous of the power that Naked Security commanded, and how it helped Sophos punch far above its weight in terms of brand awareness and thought leadership,” he said.

Facebook Labels State-Controlled Media Ahead of US Elections

Fri, 06/05/2020 - 10:30

Facebook has started labelling content from state-controlled media outlets as part of an ongoing push-back against misinformation and coordinated propaganda on the platform.

The move was promised last October as part of the social network’s efforts to combat attempts to influence US elections. The firm will put clear labels on content from such outlets in its Ad Library Page view, on Pages and in the Page Transparency section.

The firm will also be blocking ads from state media in a month or two “out of an abundance of caution to provide an extra layer of protection against various types of foreign influence in the public debate ahead of the November 2020 election in the US,” said Facebook head of cybersecurity policy, Nathaniel Gleicher.

He explained that Facebook had consulted 65 media, governance and human rights experts around the world to draw up the criteria for what constitutes state-controlled media. It goes beyond funding to examine whether editorial control is being exerted by a government.

Factors such as editorial guidelines, ownership structure, info on newsroom leadership and governance and accountability mechanisms were all taken into account.

News organizations wanting to claim independence must be able at a minimum to demonstrate established procedures, processes and protections and a statute in the country to protect editorial independence; as well as an independent assessment by a credible third-party organization that the statute has been complied with.

“We also consider country-specific factors, including press freedom and we consult open-source research conducted by academics and leading experts,” Gleicher explained.

Last year, Chinese state-owned news channel CGTN was forced to register as a foreign agent in the US after pressure from Washington.

It will be a tense few months coming up for social media platforms as both sides of the political debate complain of bias against them. Most recently, Twitter has drawn the ire of Donald Trump by placing fake news labels on his tweets and by hiding one post made during recent riots for incitement to violence.

That same post, which repeated an infamous phrase first uttered by a racist 1960s police chief about looters, was controversially left untouched on Facebook, prompting dismay from civil rights leaders and employees.

Chinese and Iranian State Hackers Target Trump/Biden Campaigns

Fri, 06/05/2020 - 09:15

Chinese and Iranian state-sponsored hackers have been caught targeting the Trump and Biden Presidential campaigns, according to Google.

Shane Huntley, director of Google’s Threat Analysis Group, revealed the news in a couple of tweets yesterday.

He confirmed that there was no sign the attacks had led to compromise.

“We sent users our govt attack warning and we referred to fed law enforcement,” Huntley added. “If you are working on a campaign this election cycle, your personal accounts may be targeted. Use the best protection you can. Two-factor authentication or Advanced Protection really can make a difference.”

Google’s Advanced Protection Program is designed to offer maximum protection for the Google accounts of journalists, activists, business leaders, campaign teams and the like who may find themselves at a high risk of targeted attacks.

It features 2FA via physical key or Android device, limited third-party app access to Google emails and Drive files, and a block on app downloads from outside Google Play.

The latest state-backed attacks were attributed to China’s APT31 (aka Zirconium, Bronze Vinewood), which has hitherto been pegged for attacks designed to compromise IP, and Iran’s APT35 group.

The latter, also known as Charming Kitten and Phosphorus, was disrupted in March 2019 when Microsoft court action allowed the firm's Digital Crimes Unit to take control of 99 of its phishing domains. It is often focused on collecting strategic intelligence from US and Middle Eastern government and military targets.

The attacks call to mind the infamous cyber-espionage campaign against Democratic Party officials ahead of the last Presidential election, which led to the 'Guccifer 2.0' publication via WikiLeaks of politically embarrassing material. Hillary Clinton has since blamed her eventual loss to Donald Trump on the likely Russian campaign.

“As we have seen in recent history, APT groups targeting political campaigns is nothing new. These groups may be looking to use information that they obtain to sow discord in the country of the ongoing campaign,” said Digital Shadows security engineer, Charles Ragland.

“They may also use it for more traditional intelligence collection to inform other actions. As more and more communication is done online, this trend is likely to continue.”


DDoS-ers Target Black Lives Matter Groups

Fri, 06/05/2020 - 08:28

Widespread violent protests across the US over the past week have been followed by attempted DDoS attacks on several rights groups, according to Cloudflare.

The web security firm analyzed malicious HTTP requests it blocked across the weekend of April 25/26 versus a month later (May 30/31). Minneapolis resident George Floyd was killed on May 25, sparking a wave of violence and protests across the US over the succeeding days.

Cloudflare claimed to have blocked 135.5 billion such requests in the May weekend, a 17% increase on the 116.3 billion blocked in the April weekend. That’s a month-on-month increase of over 19 billion attack requests.

The firm said that Sunday May 31 recorded an even higher month-on-month increase, of 26%, in attempted attacks.

Organizations classed as advocacy groups were subject to a much higher increase: May attack volumes were 1,120 times the April figure.

“In fact, those groups went from having almost no attacks at all in April, to attacks peaking at 20,000 requests per second on a single site,” wrote Cloudflare.

“One particular attacker, likely using a hacked server in France, was especially persistent and kept up an attack hitting an advocacy group continuously for over a day. We blocked those malicious HTTP requests and kept the site online.”

The security provider has detailed data on these rights groups as many of them are protected by its Project Galileo initiative, designed to shield such organizations from widespread online attempts to silence them.

“There are many organizations fighting racism who participate in Project Galileo. Over the last week we’ve seen a dramatic increase in the number of cyber-attacks against them,” the firm explained.

“Unfortunately, if recent history is any guide, those who speak out against oppression will continue to face cyber-attacks that attempt to silence them.”

Advocacy groups promoting the Black Lives Matter message weren’t the only recipients of DDoS attacks during the period. Cloudflare said it also recorded a 1.8-times increase in attacks on government sites and a 3.8-times increase in malicious traffic targeting military sites during the same period.


#Infosec20: Best Cybersecurity Practices for SMEs

Thu, 06/04/2020 - 17:05

A panel discussion on the final day of the Infosecurity Europe Virtual Conference was dedicated to cybersecurity in SMEs, and in particular, practical methods these organizations can use to most effectively protect themselves from cyber-attacks.

Bridget Treacy, partner, Hunton Andrews Kurth, who moderated the panel, firstly outlined exactly why it is so important to talk about this topic: “We all tend to assume that cyber-threats are a risk for large organizations,” she said. “Actually, if you look at Verizon’s 2019 Data Breach Investigations Report, you will see that 43% of all cyber-attacks actually target small businesses, and SMEs often have really valuable data.”

The panellists agreed that, fundamentally, the threats faced by SMEs are similar to those of large businesses. They also face the same additional challenges as a result of the COVID-19 crisis. Nick Ioannou, head of IT at Ratcliffe Groves Partnership, said: “It’s more of the same – phishing, ransomware, but it’s more the focus [that’s changed] because criminals know a lot of people are working from home now…and also the way they are implemented – people get phoned up now; it doesn’t all have to be all over email because everyone is dispersed so it’s a lot harder to double check.”

For SMEs, which have significantly smaller budgets and less internal cybersecurity expertise than large businesses, a more considered and targeted approach to counteracting cyber-threats is a necessity, particularly when it comes to investment in security systems.

“Often organizations of all sizes and SMEs in particular hear about a new threat and they look for the technology to go and address that threat without actually giving full consideration to the risk that threat poses to them,” said Maxine Holt, senior research director, cybersecurity at Omdia. “If you look at risk rather than the threat itself, that can really help you improve your organization’s security posture because you’re just going to think about what’s going to affect you particularly.”

Additionally, for companies with limited resources, relying less on technology and putting more emphasis on good practices among staff is especially important, as it establishes a more preventive approach to cybersecurity. Dai Davis, partner, Percy Crow Davis & Co, said: “Once you’ve identified the risk to your business, it’s a matter of getting the right people processes in place to ensure that you minimize that risk.”

This in no way means technology systems are unimportant, but whatever technology is implemented must not hinder the productivity and growth of small companies. Jason Maude, chief technology advocate, Starling Bank, explained: “As soon as your technology starts to run your users down too much, they will find ways around it.”

Another topic discussed by the panel was GDPR, and how compliance with the regulations should be approached by SMEs. In Maude’s view, it is something that should be embraced for the long-term benefits it can bring: “It’s encouraging you to be really efficient with your data to make sure that you know what data you have and to use it correctly,” he added.


Japan to Review Cyber-Bullying Laws Following Wrestler's Suicide

Thu, 06/04/2020 - 16:38

Japan is to review laws relating to cyber-bullying following the untimely death of professional wrestler and reality TV show star Hana Kimura.

Kimura killed herself on May 23 by inhaling toxic gas in her Tokyo home. The 22-year-old had been subjected to online bullying after appearing in the last season of hit reality TV show Terrace House, which aired on Japan's Fuji Television and was also streamed on Netflix.

The vivacious pink-haired wrestler's death was confirmed in a statement released by her wrestling promoter, Stardom Wrestling, on May 23.

"We are very sorry to report that our Hana Kimura has passed away," it said. "Please be respectful and allow some time for things to process and keep your thoughts and prayers with her family and friends."

Prior to her death, Kimura had posted photos on social media that implied that she was being cyber-bullied and was struggling with self-harm. Her final Instagram post, uploaded on Friday, May 22, was a photo of the star posing with her cat accompanied by a caption that simply read "goodbye." 

Terrace House follows the lives of six people as they share a house together in Tokyo's Setagaya. Before filming was halted due to the COVID-19 health crisis, Kimura had been filmed arguing with fellow cast member and comedian Kobayashi Kai after he accidentally ruined one of her expensive wrestling costumes while doing laundry.

It was this incident that had allegedly resulted in Kimura receiving a deluge of hateful messages through social media. 

Wrestling journalist Adam Pacitti, who described the death of Kimura as "an absolute tragedy," tweeted: "I hope this serves as a reminder that interactions on social media can have a serious effect on the mental health of anyone, no matter who they are. Be kind."

According to Reuters, Japan will be holding a series of hearings to consider legal changes that will help cyber-bullying victims seek justice. 

Junko Mihara, a member of the ruling Liberal Democratic Party who is leading the party’s team on online harassment, said: “People must understand where the line between constructive criticism and abuse lies."

Kimura's death comes after the outbreak of COVID-19 in Japan caused internet usage to increase.


NATO Condemns Cyber-Attacks

Thu, 06/04/2020 - 16:00

NATO has issued a statement condemning cyber-attacks perpetrated in the midst of the ongoing global health pandemic.

In particular, the organization slammed cyber-criminals who chose to target essential healthcare services, including hospitals caring for those infected with COVID-19 and medical research institutes trying desperately to find a cure for the novel coronavirus. 

The statement was issued yesterday in English, French, and Russian. In it, NATO said: "We condemn destabilizing and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals and research institutes."

The organization described such digital onslaughts as endangering lives and as undermining global efforts against a virus that has infected 6.29 million people around the world and killed over 380,000.

"These deplorable activities and attacks endanger the lives of our citizens at a time when these critical sectors are needed most and jeopardize our ability to overcome the pandemic as quickly as possible," stated NATO. 

Included in the statement was a message of support to those who had been impacted by cyber-assaults.

"We stand in solidarity with those who have been affected by malicious cyber activities and remain ready to assist Allies, including by continuing to share information, as they respond to cyber incidents that affect essential services," said NATO.

"In line with their national responsibilities and competences, Allies are committed to protecting their critical infrastructure, building resilience and bolstering cyber defenses, including through full implementation of NATO’s Cyber Defense Pledge."

NATO said that cyber defense was part of its core task of collective defense, as stated at the 2018 Summit in Brussels, and that the organization would take action against cyber-criminals.

"Reaffirming NATO’s defensive mandate, we are determined to employ the full range of capabilities, including cyber, to deter, defend against and counter the full spectrum of cyber threats," stated the organization. 

"NATO will continue to adapt to the evolving cyber threat landscape, which is affected by both state and non-state actors, including state-sponsored."

The statement concluded with a reminder that "we all stand to benefit from a rules-based, predictable, open, free, and secure cyberspace."


Netizens Urged Not to Use Name as Password

Thu, 06/04/2020 - 14:20

Password management company NordPass has urged the general public not to include people's names in their passwords. 

Research released by the company found thousands of netizens worldwide are opting to protect their sensitive information with a password that includes a name. 

According to NordPass, the name that cropped up most frequently in passwords is "Ashley." The company discovered that the gender-neutral moniker was used 94,557 times to protect sensitive data.

The second most common name, used 78,914 times, was the similarly gender-neutral "Charlie." The third and fourth most popularly used names, employed 71,035 times and 64,992 times respectively, were Michael and Nicole. 

Other gender-neutral names that featured heavily in passwords were Jordan—used 58,698 times—and Taylor, which appeared 46,375 times.  

Traditionally gender-specific names commonly used in passwords included Jessica, Hannah, Michelle, Daniel, Justin, and Joshua. 

The names correspond quite well with the US Social Security Administration's list of 100 most popular given names for babies born from 1919 to 2018. For example, Ashley ranks 17th, Michelle ranks 21st, and Nicole ranks 39th on the list of names for girls. For boys, Michael ranks 4th, Charles ranks 10th, and Jordan comes in at 83rd. 

Passwords based around names are easier for cyber-criminals to crack as the combination of characters is more predictable. 

According to the Department of Homeland Security, "most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them."

Ruby Gonzalez, head of communications at NordVPN, said people's names were just one on a list of things that should be avoided when choosing a password. 

“While choosing your own, your girlfriend’s, or daughter’s name as a password might seem a good idea as you’ll never forget it, it’s also a great way to make a hacker's job easier. As it’s a very obvious choice, the victim’s or their relative’s name will be one of the first options hackers will try,” she said.

“People also shouldn’t use any other obvious choices, such as their address, favorite band, sports team, pet's name, the word 'password,' and any alterations of it.”
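The advice above (no names, no personal details, no obvious words or simple alterations of them) is easy to enforce at enrolment time with a denylist check. The following is an added example written for this page, not code from NordPass or NordVPN; the name list is a constructed sample drawn from the names the article cites, and a real deployment would load a far larger list (plus a breached-password list) from a file. The leet-substitution map and the `user_context` parameter (the user's own name, relatives, pet, team and so on, collected at sign-up) are assumptions of this example.

```python
import re

# Constructed sample denylist: the names the article reports as most common in
# passwords. A production check would load thousands of names from a file.
COMMON_NAMES = {
    "ashley", "charlie", "michael", "nicole", "jordan", "taylor",
    "jessica", "hannah", "michelle", "daniel", "justin", "joshua",
}

# Other obvious tokens the article says to avoid (constructed, not exhaustive).
OBVIOUS_TOKENS = {"password", "qwerty", "letmein"}

# Simple character substitutions ("alterations") that disguise a word without
# adding real unpredictability; they are undone before matching.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters, so that
    'A5hl3y_2020!' and 'ashley' compare equal."""
    lowered = password.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", lowered)


def find_embedded_name(password: str, denylist=COMMON_NAMES, min_len=4):
    """Return the longest denylisted name embedded in the password, or None."""
    norm = normalize(password)
    for name in sorted(denylist, key=len, reverse=True):
        if len(name) >= min_len and name in norm:
            return name
    return None


def check_password(password: str, user_context=()):
    """Return the list of reasons the password is rejected.

    An empty list means the password passed every check here. user_context is
    an iterable of strings the user supplied about themselves (own name,
    relatives' names, pet, favourite team); any of them appearing in the
    password is rejected, as the article recommends.
    """
    reasons = []
    norm = normalize(password)

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    name = find_embedded_name(password)
    if name:
        reasons.append(f"contains common name '{name}'")

    for token in sorted(OBVIOUS_TOKENS):
        if token in norm:
            reasons.append(f"contains obvious token '{token}'")

    for ctx in user_context:
        ctx_norm = normalize(ctx)
        if len(ctx_norm) >= 3 and ctx_norm in norm:
            reasons.append(f"contains personal information '{ctx}'")

    return reasons


if __name__ == "__main__":
    for candidate in ("Ashley2020!", "A5hl3y_rocks", "P@ssw0rd123",
                      "Fluffy-the-cat-2019!", "correct horse battery staple"):
        verdict = check_password(candidate, user_context=("Fluffy",))
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The check deliberately normalizes before matching so that the "alterations" Gonzalez mentions (digits and symbols swapped for letters) do not slip past a naive substring comparison; the same normalization is applied to the user-supplied context so "Fluffy" catches "Fluffy-the-cat-2019!".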


Personal Data of 74,000 Members of San Francisco Retirement System Exposed

Thu, 06/04/2020 - 14:15

A data breach has occurred at the San Francisco Employees’ Retirement System (SFERS), potentially exposing the personal details of 74,000 of its members to cyber-criminals. In a data breach notification filed yesterday, SFERS said that an unauthorized person had gained access to a database hosted in a test environment that one of its vendors had set up on February 24, 2020.

Upon learning of the breach on March 21, the vendor promptly shut down the server. Although SFERS confirmed that no social security numbers or bank account numbers were included in the data file, it admitted that sensitive information such as names, addresses, dates of birth, beneficiary details, website usernames, and security questions and answers could have been viewed or copied.

Commenting on the breach, Michael Borohovski, director of software engineering at Synopsys, said: “A breach like this is interesting, both because it leads to almost guaranteed identity theft (if the information actually was accessed and downloaded), since it’s a treasure trove of financial information, identifying information and security questions.”

He added: “The retired employees of San Francisco need to be extremely careful and verify, personally, through existing contact info they already had, that their beneficiaries actually sent an email, should the retirees receive one.”

It is likely that the decision to place this kind of data in a testing environment will come under the spotlight, as these “are much more prone to bugs and vulnerabilities than a production environment,” according to Borohovski.

Javvad Malik, security awareness advocate at KnowBe4, added: “Test environments are usually not secured or monitored to the same level as production environments, and it is never advisable to use real data in test cases. Rather, dummy data, or heavily redacted data, should be used so that even if it is leaked or breached, it does not impact any real customers.”
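Malik's point, that test environments should hold dummy or heavily redacted data rather than real member records, is usually implemented as a masking step run on a production extract before it is copied to a test system. The example below is added here to show that step; it is not SFERS or vendor code. The record layout is constructed from the field types the notification lists (names, addresses, dates of birth, beneficiaries, usernames, security questions and answers), the key is a constructed test value, and the field classifications are assumptions of the example.

```python
import hashlib
import hmac
import json

# Constructed sample records mirroring the field types named in the notification.
SAMPLE_RECORDS = [
    {
        "member_id": 1001,
        "name": "Jane Example",
        "address": "1 Example St, San Francisco, CA 94102",
        "date_of_birth": "1955-04-12",
        "beneficiary": "John Example",
        "username": "jexample",
        "security_question": "Mother's maiden name?",
        "security_answer": "Smith",
    },
    {
        "member_id": 1002,
        "name": "John Example",
        "address": "1 Example St, San Francisco, CA 94102",
        "date_of_birth": "1958-09-30",
        "beneficiary": "Jane Example",
        "username": "johne",
        "security_question": "First car?",
        "security_answer": "Civic",
    },
]

# Field policy (assumed for this example). Anything not listed is redacted,
# so a newly added column is hidden by default rather than leaked by default.
KEEP_FIELDS = {"member_id", "security_question"}
# Pseudonymized fields share a namespace where links must survive: a member's
# beneficiary who is also a member maps to the same token in both places.
PSEUDONYM_FIELDS = {"name": "MEMBER", "beneficiary": "MEMBER", "username": "USER"}
GENERALIZE_FIELDS = {"date_of_birth"}
REDACTED = "REDACTED"


def pseudonym(value: str, key: bytes, prefix: str) -> str:
    """Deterministic, keyed pseudonym: the same input under the same key always
    yields the same token, but the token cannot be reversed without the key,
    which stays in production and never ships to the test environment."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def mask_record(record: dict, key: bytes) -> dict:
    masked = {}
    for field, value in record.items():
        if field in KEEP_FIELDS:
            masked[field] = value
        elif field in PSEUDONYM_FIELDS:
            masked[field] = pseudonym(str(value), key, PSEUDONYM_FIELDS[field])
        elif field in GENERALIZE_FIELDS:
            # Keep only the year so age-based business logic still runs.
            masked[field] = value[:4] + "-01-01"
        else:
            masked[field] = REDACTED  # fail closed for unknown or free-text fields
    return masked


def mask_dataset(records, key: bytes):
    return [mask_record(r, key) for r in records]


def leaks_original(masked, originals, fields=("name", "address", "username", "security_answer")):
    """Sanity check run before export: does any original sensitive value
    still appear anywhere in the serialized masked dataset?"""
    blob = json.dumps(masked)
    return any(str(r[f]) in blob for r in originals for f in fields)


if __name__ == "__main__":
    key = b"constructed-test-key-do-not-use"
    out = mask_dataset(SAMPLE_RECORDS, key)
    print(json.dumps(out, indent=2))
    print("leaks original values:", leaks_original(out, SAMPLE_RECORDS))
```

The keyed HMAC keeps referential integrity across tables (the beneficiary token equals the corresponding member's name token), which is what test cases usually need, while the fail-closed default means a column added to the schema later is redacted until someone explicitly classifies it.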

The pension industry has been increasingly targeted by cyber-criminals in recent years. Last month it was reported that The Pensions Regulator faced a 148% increase in cyber-attacks in 2019.
