Info Security


#SecuringEnterprise: Facing Threats Then and Now

Wed, 10/31/2018 - 15:06

At today’s Securing the Enterprise Cybersecurity Conference hosted by MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) and BT Security in Cambridge, MA, industry experts joined together to discuss the challenges of the changing threat landscape. 

Moderator Andy Ellis, CSO, Akamai Technologies, noted that the things attackers do today are not fundamentally different from what they were doing two decades ago. Given that, Ellis asked panel members what advice they would give themselves now after their years of experience in the industry. 

“I was in data analytics and usability engineering when I started out in IT,” said Michael Figueroa, executive director at the Advanced Cyber Security Center. “One of the things that was most challenging in the past that many are still struggling with is that attacks haven’t changed much, but we often think that if we don’t solve ‘that’ problem today, the sky is going to fall. History has shown us that the sky isn’t falling.

“The advice I would give myself is to keep a strategic mindset of the problem of today within a broader perspective and don’t panic.”

The panel agreed that while attackers are smart and adaptive, the attacks themselves have not really changed. “We can put up huge barriers, but attackers don’t have to overcome that barrier. They can go around,” said Dr. Hamed Okhravi, senior staff, cyber analytics and decision systems, MIT Lincoln Laboratory.

“We are just shifting one threat to another, but we need to understand how much gain we will have and how much we are shifting the landscape and the adversary, then look at whether it is the right type of shift.”

That not every threat is a new phenomenon seemed to be the prevailing theme in response to the question. In large part, defenders can benefit from seeing their work as a game, Okhravi said.

FBI special agent Scott McGaunn said that he sees cybersecurity as a game as well, “a very important game. The crime is all the same. We still have bank robberies, we still have wire fraud. We have ransomware instead of ransom.

“Human nature is the same, and the need to commit criminal acts is the same, but the distance to be able to reach out and touch someone has changed. Instead of nation-states and spies, they get online and leverage the internet,” McGaunn said.

In recalling a conversation with her colleague about the ways in which her own approaches have evolved, Jen Andre, senior director, orchestration and automation at Rapid7, said, “I remember my colleague saying, ‘Once Windows fixes all the bugs, we will all be out of work.’” The absurdity of the statement evoked laughter from the audience, but to Andre’s point, that was the thinking years ago. The advice she offered after having gained experience is not to focus on fixing things one at a time.

Categories: Cyber Risk News

US Indicts Chinese Spies and Insiders for Aviation Theft

Wed, 10/31/2018 - 11:35

The US authorities have continued to step up the pressure on China with the indictment of two intelligence officers, two insiders and six hackers, most of whom were allegedly involved in a conspiracy to steal aviation secrets.

Two intelligence officers, Zha Rong and Chai Meng, and a team of five hackers are said to have worked for the Jiangsu Province Ministry of State Security (JSSD), headquartered in Nanjing.

They allegedly took part in a five-year conspiracy beginning in January 2010 to obtain key technology used in commercial airliners in the US and Europe: namely a turbofan jet engine. A Chinese state-owned aerospace company was said to be working on a similar engine at the time for its own use.

JSSD hackers Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei and Ma Zhiqi are alleged to have conducted intrusions into suppliers that manufactured parts for the turbofan engine, including aerospace companies based in Arizona, Massachusetts and Oregon.

Their work included classic techniques such as spear-phishing, info-stealing malware and watering hole attacks. For example, LA-based gas turbine manufacturer Capstone Turbine suffered data loss and had its website seeded with malware to infect others.

However, the conspiracy went even further: the JSSD allegedly recruited Tian Xi and Gu Gen, two insiders at the targeted French aerospace company who worked at its office in Suzhou, Jiangsu province.

Gu was the company’s head of IT and security in Suzhou, showing the alleged extent of the conspiracy. He is said to have tipped off the officers when foreign police notified the company of the existence of malware on its systems, malware that Tian had apparently installed at the direction of the JSSD.

A separate conspiracy involved Zhang Zhang-Gui and Chinese national Li Xiao, who are alleged to have used the JSSD malware developed to hack Capstone Turbine to repeatedly attack a San Diego-based tech company for more than a year and a half, causing thousands of dollars in damage.

Unlike the alleged MSS officer recently extradited to the US to face charges related to another conspiracy to steal aviation secrets, none of those indicted in this case are thought to be on US soil, making this more of a PR exercise.

However, given the alleged insider activity at the aerospace firm’s China office, it will be yet another compelling reason for foreign firms to start extricating key facilities from the country.

A report from CrowdStrike earlier this month identified China as the most prolific nation state threat actor during the first half of 2018.

Categories: Cyber Risk News

UK Law Firm Preps Cathay Pacific Class Action

Wed, 10/31/2018 - 10:36

UK lawyers are preparing a class action suit against Cathay Pacific, claiming that the firm is liable for compensation “under the relevant data protection laws.”

SPG Law, which claims to draw on some of America’s top class action lawyers, has already registered the cathaydatabreach.com domain and is inviting those affected to get in touch.

Explaining that its sister law firm in the US has already won over $1bn in compensation in similar cases, the firm claimed that passengers hit by the Cathay Pacific breach earlier this year could be in line for “significant compensation in the thousands, or possibly tens of thousands, depending on circumstances.”

“The breach is even more serious than that committed by BA in September 2018 in that Cathay Pacific customers like you have suffered from far more substantial personal data being leaked,” a statement on the site noted.

“You have a right to compensation from Cathay Pacific for this data leak in accordance with data protection laws. You can be compensated for inconvenience, distress and annoyance associated with the data leak. It is time to stand up to them and take action.”

However, there’s no mention of the GDPR on the site, despite previous reports claiming the firm had cited Article 82 of the new data protection law as key.

The Hong Kong carrier has been widely criticized for its handling of the breach, which it said affected 9.4 million customers. However, the incident's timing appears to fall before the introduction of the GDPR on May 25.

The firm is said to have first noticed suspicious activity in March but confirmed data had been accessed in early May.

Either way, the new action is another reminder of the potential legal costs for firms that suffer a major breach.

Categories: Cyber Risk News

Brain Freeze: Researchers Warn Hackers Could Target Our Minds

Wed, 10/31/2018 - 10:07

Researchers are warning that the development of cutting-edge brain implants designed to enhance key memory functions is at risk due to multiple vulnerabilities which could allow attackers to interfere.

In a piece of forward-looking threat research, Kaspersky Lab and the University of Oxford Functional Neurosurgery Group explained that development of implantable pulse generators (IPGs) or neuro-stimulators is accelerating fast. Such devices apparently target parts of the brain with electrical impulses to help treat things like Parkinson's disease, depression and obsessive–compulsive disorder.

However, both the software and the hardware linked to these devices are at risk, the vendor warned.

Specifically, it found one major vulnerability and several misconfigurations in an online management platform used by surgeons, which could provide hackers with access to data on treatment procedures.

Data transferred between implant, programming software and networks was found to be sent unencrypted, enabling interference by malicious third parties. Kaspersky Lab also warned that because doctors may need quick access to implants in emergencies, the devices may need to be fitted with a software backdoor and easy-to-guess passwords, further exposing them.

Finally, the security vendor documented insecure behavior by medical staff, such as use of default passwords.

With the first commercial memory-enhancing implants potentially ready in as little as 10 years’ time, Kaspersky Lab is warning that attackers could exploit vulnerabilities to implant, erase or steal memories, or even to hold individuals to ransom by threatening to do so.

“Current vulnerabilities matter because the technology that exists today is the foundation for what will exist in the future. Although no attacks targeting neuro-stimulators have been observed in the wild, points of weakness exist that will not be hard to exploit,” explained Dmitry Galov, junior security researcher in the vendor’s Global Research and Analysis Team.

“We need to bring together healthcare professionals, the cybersecurity industry and manufacturers to investigate and mitigate all potential vulnerabilities, both the ones we see today and the ones that will emerge in the coming years.”

Laurie Pycroft, a doctoral researcher in the University of Oxford Functional Neurosurgery Group, added that what sounds like science fiction is fast becoming fact.

“Memory prostheses are only a question of time,” she added. “Collaborating to understand and address emerging risks and vulnerabilities, and doing so while this technology is still relatively new, will pay off in the future.”

Categories: Cyber Risk News

Malware Targeting Smartphones via Three DSP Providers

Tue, 10/30/2018 - 16:01

A new technique to escape malware detection has been used in a malicious campaign targeting smartphones, according to The Media Trust.

In a blog post published today, Michael Bittner, digital security and operations manager at The Media Trust, revealed that the campaign used third-party code to deliver the malware selectively. The malware, dubbed JuiceChecker-3PC by The Media Trust's digital security and operations (DSO) team, evaded ad scanners by Base64-encoding its payload and has been seen in millions of page views over the last three weeks.

Once past the scanners, the decoded code checked whether the user agent was mobile-specific, whether the device's battery level was between 20% and 76% and whether a referrer was set. Only if all three conditions were met did it trigger a redirect that sent the ad viewer to a malicious site.

The malware was delivered through three global demand-side platform (DSP) providers. Checks on user agent and referrer are routinely seen in ad code on those platforms; the battery-level range was the new element, and it is a condition that a desktop scanner or an emulator reporting a full battery is unlikely to satisfy.

“In this incident, the malware was inserted into creative posing as a legitimate ad for one of the largest department store retailers in the US. The Media Trust digital security and operations (DSO) team was able to identify the malicious code and work with the DSPs to shut down the malware sources," Bittner wrote.

“Given this malware’s level of encoding, most blockers and conventional scanning techniques continue to let the malware pass through and impact millions of site and mobile app users. Nipping the attacks in the bud is particularly important given the explosion of malicious ads in the digital ad supply chain and the millions of shoppers who use their devices to browse and make transactions online."

Whether such attacks can be mitigated at all is questionable, though, according to a recent essay, “Cell Phone Security and Heads of State,” by Bruce Schneier. Using malware to attack the phone itself is one of two ways to eavesdrop, a technique favored by nation-states with less sophisticated intelligence capabilities, Schneier explained.

“These attacks generally involve downloading malware onto a smartphone that then records calls, text messages, and other user activities, and forwards them to some central controller. Here, it matters which phone is being targeted,” Schneier wrote.

“Unfortunately, there's not much you can do to improve the security of your cell phone. Unlike computer networks, for which you can buy antivirus software, network firewalls, and the like, your phone is largely controlled by others. You're at the mercy of the company that makes your phone, the company that provides your cellular service, and the communications protocols developed when none of this was a problem. If one of those companies doesn't want to bother with security, you're vulnerable.

“This is why the current debate about phone privacy, with the FBI on one side wanting the ability to eavesdrop on communications and unlock devices, and users on the other side wanting secure devices, is so important.”

Categories: Cyber Risk News

Cyber Is a Boardroom Issue in 2018

Tue, 10/30/2018 - 15:31

Based on studies and interviews with corporate board members and chief information security officers (CISOs), the Cyber Balance Sheet, published by Focal Point Data Risk and produced by the Cyentia Institute, found that boardrooms are engaging in more conversations about security.

While the talks about cyber risk are more commonplace, the C-suite and security leaders are still struggling to effectively translate security risks into an effective decision-making framework that enables the business to operate within its proper risk appetite.

Not surprisingly, the report found that many organizations lack a formal cyber-risk appetite. Years of data breach headlines have increased awareness, but less than half of respondents could describe their organization’s cyber-risk appetite quantitatively. This gap helps explain why leaders second-guess themselves and struggle to weigh the risks of new technologies, supply chains and other change factors.

In addition, metrics reportedly muddy what matters when it comes to boardroom reporting. Security leaders continue to share statistics like “compliance status” and “security program maturity.” Despite the need for decision makers to act swiftly with regard to risks from third parties and supply chains, those topics are less frequently included in the stats shared with the board.

As a result, the report found that finding the balance of topic coverage that yields the necessary return on reporting remains a problem. To fix the metrics puzzle, boards are pressing CISOs to find new reporting metrics that spur the most strategic, valuable returns in resourcing and evolving cybersecurity.

“This year’s Cyber Balance Sheet Report dispels the ‘cyber is a boardroom issue’ cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations,” said Andrew Cannata, Focal Point’s CISO and national cybersecurity practice leader, in a press release.

“The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership.”

Categories: Cyber Risk News

States Average a C- in Election Security

Tue, 10/30/2018 - 15:05

Results of the Election Cybersecurity Scorecard, published by the Center for Strategic & International Studies (CSIS), found that states average a C- in election security. In a live webcast from the CSIS headquarters today, panelists discussed the results of the scorecard and what it means for election security. The panel looked at the progress made since the 2016 election and the gaps that remain.

In evaluating election security, CSIS identified four categories: campaigns, voter registration and election management systems, voting systems and election night reporting. The scorecard ranked threats by four degrees ranging from moderate to extreme.

According to the scorecard, the greatest threats exist in the ongoing attacks that target campaigns. “In 2018, cyber attacks by Russian hackers have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill,” the CSIS wrote. Of all four categories, campaigns had the highest risk, with a "severe" rating.

In part, the inconsistency of security is a contributing factor to the severe risk level. “Cybersecurity practices for political campaigns remain inconsistent, although efforts by Department of Homeland Security (DHS) and the FBI to provide cybersecurity training and support to campaigns have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the use of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections,” the scorecard said.

In the remaining three categories, the risk is serious, though the CSIS found that security in voter registration and election management systems and voting systems is improving. However, the security of election night reporting was rated as "weak."

Overall, the CSIS found that while elections in the US are vulnerable to cyber-threats, “we are not investing in strong security.” Despite the lack of investment and the continued attempts to exploit vulnerabilities in campaigns and voting systems, progress is being made.

CSIS found that 44 states participated in a DHS exercise to practice incident response plans and information sharing. In addition, all 50 states are now members of Multi-State Information Sharing & Analysis Center (MS-ISAC), and 548 state and local election organizations are members of Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

“The real risk here is around system vulnerabilities. The first step in protecting these critical systems is admitting that they are all vulnerable and looking for one tool or piece of software is not the answer," said Jon Check, senior director, cyber protection solutions, Raytheon. "While reports show that it would be extremely difficult for an adversary to change the outcome of a national election by hacking into voting machines and changing enough votes, past hacks have proven our election integrity is far from secure. 

"But it’s not all doom and gloom. The more data we mine and conversations we start around election security, the more we can help solve the awareness issue. We need to build back confidence in the security of our systems, which will involve industry and government partnerships to harden voting systems and build up better network resiliency. It will take a combination of these partnerships, good cyber-hygiene and proven tools to ensure secured elections and restore our citizens faith in our electoral process.”

Categories: Cyber Risk News

UK Construction Firms Hemorrhage Log-Ins to Dark Web

Tue, 10/30/2018 - 12:30

Over 600,000 breached corporate log-ins belonging to staff at the UK’s leading construction, architecture and property firms are available for sale on the dark web, according to RepKnight.

The cyber intelligence firm used its BreachAlert dark web monitoring tool to locate the credentials. Over 450,000 were from construction firms, 110,000 were from architecture practices and just over 47,000 were linked to property developer businesses.

A spokesperson confirmed to Infosecurity that most of these likely found their way onto the dark web via breaches of third-party sites employees had signed up to using their corporate email.

As RepKnight warned, these log-ins could be used by hackers to access a trove of sensitive corporate IP including tenders, proposals, plans and client data.

There’s also a risk that attackers could locate stores of customer data, representing a risk to GDPR compliance.

One strategy highlighted by RepKnight was for attackers to use the log-ins to covertly access the corporate email accounts of targeted individuals, selected perhaps after some LinkedIn-based research because of the role they have with the company.

They could then set up forwarding rules that redirect mail to accounts under their control. The vendor claimed to have recently discovered a client in which over 5,000 emails had been redirected to a malicious third party in just a five-day period.

“With the growth in digital information sharing across the construction project lifecycle, the possibility of a data breach occurring at some stage becomes ever more real,” argued RepKnight cybersecurity analyst, Patrick Martin.

“Because of this, these firms must ensure that they have ‘high visibility’ of their data at all times and have safety measures in place to protect it — especially because most of their sensitive data often lives outside the firewall. Monitoring for cyber-attacks or data breaches inside their corporate network is no longer enough, as it is possible that a breach can happen anywhere across the entire supply chain of your business.”

The findings call to mind separate research from the firm in January this year which revealed over one million corporate email addresses belonging to 500 of the UK’s top law firms, 80% of which had an associated password.

Alongside multi-factor authentication, use of password managers and strong authentication security policies, firms can consider dark web intelligence services to scan for compromised credentials.

Categories: Cyber Risk News

GDPR Alert as Average ICO Fines Double in a Year

Tue, 10/30/2018 - 12:05

The value of fines issued by the Information Commissioner’s Office (ICO) has increased 24% in the year to September 30 versus the previous year, according to new data.

Law firm RPC calculated that the total cost of financial penalties issued by the UK’s data protection watchdog stood at £4.98m, up from £4m in the previous 12 months.

The average fine doubled, to £146,000, in another timely reminder for firms to ensure they pay attention to GDPR compliance.

The law firm believes the new EU-wide privacy law, introduced in May this year, will result in higher fines for large firms. However, SMEs should be spared, in the short to medium term at least, and the ICO will not deliberately single out firms to make an example of them.

RPC partner, Richard Breavington, described the hike in fines as a “wake-up call” to businesses.

“Given that there seems to be no slowdown in the number of cyber-attacks today, businesses need to see how they can mitigate the risks to their customers when there is an attack,” he added.

“For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.”

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK & Ireland, argued that the ICO fine is just one aspect of data breach costs to consider.

“We must also consider the cost that a recovery, compensation claim, reputational damage or potential loss of customers can have,” she added.  

“Changes in data protection legislation aim to give individuals more ownership and control over what’s happening to their personal data. The focus needs to be on the interests and rights of data subjects — employees, customers and all stakeholders: everyone you come into contact with. Their interests need to be the principal focus if companies are to avoid hefty fines.”

Categories: Cyber Risk News

US Bans Exports to Chinese DRAM-Maker

Tue, 10/30/2018 - 10:00

The stand-off between the world’s two superpowers continued this week as the US banned exports to a Chinese tech manufacturer on national security grounds.

As of October 30, Fujian Jinhua Integrated Circuit Company will be added to the Entity List because it poses a “significant risk of becoming involved in activities that are contrary to the national security interests of the United States.”

The Fujian-based DRAM maker is nearing completion of a vast $5.7bn wafer-manufacturing plant, which will help drive the Made in China 2025 strategy of self-reliance. Chips are one key area where the country's leaders believe it is too reliant on US parts at the moment.

However, Fujian Jinhua is currently locked in a legal dispute with main rival, US chip maker Micron Technology over IP theft.

The Commerce Department appeared to side with Micron in its statement, claiming that the “likely U.S.-origin technology” to be produced at the new Fujian plant would threaten “the long term economic viability of U.S. suppliers of these essential components of U.S. military systems.”

“When a foreign company engages in activity contrary to our national security interests, we will take strong action to protect our national security,” said commerce secretary, Wilbur Ross. “Placing Jinhua on the Entity List will limit its ability to threaten the supply chain for essential components in our military systems.”

In many ways the issue represents a microcosm of the overall US-China dispute, in that the former is belatedly reacting to years of state-sponsored IP theft by the latter.

However, cutting off the supply chain is unlikely to change the long-term trend — if anything it will accelerate Xi Jinping’s push for China’s total self-reliance in technology.

The move calls to mind the ban on exports slapped on ZTE after it broke sanctions on sales to Iran and then lied about it. Although temporarily lifted, that imposition could have forced the telecoms firm out of business, it was claimed at the time.

Categories: Cyber Risk News

IBM to Acquire Red Hat for $34bn

Mon, 10/29/2018 - 17:14

In what it is calling the “most significant tech acquisition of 2018,” IBM announced today that it will acquire Red Hat, a global provider of open source cloud software.

The two companies have finalized an agreement, subject to Red Hat shareholder and regulatory approvals, which is expected to close in late 2019. According to IBM, the “acquisition will be free cash flow and gross margin accretive within 12 months, accelerate revenue growth and support a solid and growing dividend.” The total value is approximately $34bn, with IBM paying $190.00 in cash per share. The deal is reportedly IBM’s largest ever and the third-largest in the US tech industry, according to CNBC.

In an interview with CNBC, IBM CEO Ginni Rometty said, “This is all about resetting the cloud landscape, and this is to create the number-one company that will be the number-one cloud provider.” As more organizations continue to transition their workloads to the cloud, cloud providers will need to be hybrid and able to handle multi-cloud environments.  

As reported by IBM and confirmed by Red Hat, Red Hat will continue to operate as a distinct unit within IBM’s hybrid cloud team. Red Hat has always been and will continue to be open source, according to Jim Whitehurst, CEO of Red Hat, who will join IBM’s senior management team. In discussing the deal, Whitehurst said that Red Hat is a neutral seller that works across all platforms. For customers, the deal is not only about maintaining choice and running across all platforms but also about being able to build unique offerings.

"Open source is the default choice for modern IT solutions, and I'm incredibly proud of the role Red Hat has played in making that a reality in the enterprise," said Whitehurst in a press release. "Joining forces with IBM will provide us with a greater level of scale, resources and capabilities to accelerate the impact of open source as the basis for digital transformation and bring Red Hat to an even wider audience – all while preserving our unique culture and unwavering commitment to open source innovation."

“Linux is now the number-one platform not just on prem. It is the number-one destination in the cloud,” Rometty said. “So now we own the platform and the destination.”

Categories: Cyber Risk News

Hackers Target Fortnite with V-Buck Scams

Mon, 10/29/2018 - 16:30

According to new research released by ZeroFOX, Fortnite has become a hotbed for scammers targeting the in-game currency of the popular online game. Between early September and early October, ZeroFOX generated more than 53,000 alerts related to Fortnite scams, of which 86% came from social media and 11% from web domains, according to today’s blog post.

Fortnite is free to play, which ZeroFOX said is a driving force for many gamers; however, players can make in-game purchases with the game’s V-Buck currency. Despite each individual transaction only costing a few dollars, Fortnite is reportedly making an estimated $300 million a month on in-game purchases, making this an increasingly attractive target for scammers, who are looking to trick users into getting their V-Bucks on the cheap or even for free. Of the game’s estimated 43 million players, all of whom are required to be at least 12 years old, many are falling victim to the scams, according to the research.

While the V-Bucks are only available through Fortnite, scammers have reportedly crafted fraudulent coupon sites and “V-Buck generators” to trick players into sharing personal information that includes their game credentials, credit card information and home addresses, said ZeroFOX.

“Games with a microeconomy, especially Fortnite, are prime targets for attackers to leverage their security attacks, scams and spam against,” said Zack Allen, director of threat operations at ZeroFOX. “These economies are a great way to make money without attracting too much attention to yourself because of the lack of regulation and the nuances of the economy (try describing a 'V-Buck' to any local law enforcement officer, you most likely will get a blank stare).

“Due to the professionalism of these sites and the relative ease it takes to make a new website, players should be especially aware because a scam can turn into something malicious quickly. Surrendering your username and password in a phishing attack or downloading and executing malware are not out of reach in terms of probability for these websites.”

Categories: Cyber Risk News

EFF Says DMCA Expansion Doesn't Go Far Enough

Mon, 10/29/2018 - 13:21

Security researchers can now examine more infrastructure and other complex systems without the fear of legal consequences, according to Zero Daily. A rule by the Library of Congress's Copyright Office has expanded the ability of security researchers to discover vulnerabilities that threaten digital security.

The Federal Register said that the rule went into effect October 28, 2018, and gives this summary of it: “The Librarian of Congress adopts exemptions to the provision of the Digital Millennium Copyright Act (DMCA) that prohibits circumvention of technological measures that control access to copyrighted works, codified in the United States Code. As required under the statute, the Acting Register of Copyrights, following a public proceeding, submitted a Recommendation concerning proposed exemptions to the Librarian of Congress. After careful consideration, the Librarian adopts final regulations based upon the Acting Register's Recommendation.”

However, the Electronic Frontier Foundation (EFF) said the ruling does not go far enough, stating that the exemptions are still too narrow and complex. Before the final ruling, EFF submitted a request for exemptions and explained: “We cited a broad range of examples where Section 1201 interfered with people’s use of their own digital devices. But the Office expanded the exemption only to 'smartphone[s],' 'home appliance[s],' and 'home system[s], such as a refrigerator, thermostat, HVAC or electrical system.'”

In requesting that the Copyright Office work toward improving exemptions, EFF legal director Corynn McSherry said, “It’s absurd that a law intended to protect copyrighted works is misused instead to prevent people from taking apart or modifying the things they own, inhibit scientists and researchers from investigating safety features or security enhancements and block artists and educators from using snippets of film in noncommercial ways. The exemption process is one highly flawed way of alleviating that burden."

While EFF supports the changes, the organization remains steadfast in its position that DMCA is an unconstitutional restriction on freedom of speech and added, “EFF represents entrepreneur Andrew 'bunnie' Huang and Professor Matthew Green in a lawsuit seeking to overturn Section 1201. Having finished this year’s rule-making, we look forward to continuing that case.”

Categories: Cyber Risk News

Girl Scouts Alerted to Possible Data Breach

Mon, 10/29/2018 - 11:15
Girl Scouts Alerted to Possible Data Breach

Thousands of members of the Girl Scouts in California may have had their personal information stolen after one of its official email accounts was accessed by an unauthorized third party last month.

Reports suggest that as many as 2800 girl scouts in Orange County may have been affected in an incident which lasted just a day.

Affected information could include names, email and home addresses, driver’s license details, insurance policy numbers and health history information.

Those hit by the breach were contacted last week.

They were told that the attack began on September 30 when an unauthorized third party gained access to an official Girl Scouts Orange County Travel email account, which was used to “send emails to others” — presumably phishing emails.

“Some of the emails stored in this account, which included emails with dates as far back as 2014 through October 1, 2018, contained information about our members,” the note explained. “Out of an abundance of caution, we are notifying everyone whose information was in this email account.”

The anonymous third party had access to the account for only one day from September 30 to October 1 this year.

Identity data belonging to children is particularly attractive to hackers as it can often be monetized more easily before the alarm is raised.

That’s because there are often limited financial records associated with the identities of minors, making it easier to open new fake accounts in their name.

In 2017, over a million US children were affected by identity fraud, resulting in losses of $2.6 billion and families forced to pay $540 million, according to research from Javelin Strategy & Research earlier this year.

The report claimed that 60% of child identity fraud victims know the fraudster, versus just 7% of adult victims.

Categories: Cyber Risk News

Canadian Crypto-Exchange Shutters After $6m ‘Hack’

Mon, 10/29/2018 - 10:23
Canadian Crypto-Exchange Shutters After $6m ‘Hack’

Customers of a little-known Canadian cryptocurrency exchange are set to lose all their coins after hackers allegedly made off with around $6m, although some suspect an exit scam.

MapleChange took to Twitter on Sunday morning to claim that it had “sustained a hack” and was investigating the issue.

“Due to a bug, some people have managed to withdraw all the funds from our exchange. We are in the process of a thorough investigation for this,” it continued in a separate tweet soon after. “We are extremely sorry that it has to come to end like this. Until the investigation is over, we cannot refund anything.”

The firm confirmed that it was unable to refund any Bitcoin or Litecoin funds, but that it was trying to do so for other currencies, asking customers to PM their details.

“We are sending all of the coin developers the wallets containing the coins we have left. So far, LMO and CCX have been handed over the funds,” it said.

Around 913 BTC ($5.8m) was apparently ‘stolen’ in the raid, with some reports suggesting that this might actually be an exit scam.

Although the firm still appears to be active on Twitter, its domain is now defunct.

“There is no incentive for using small exchanges. Use established exchanges that are regulated, & transparent,” tweeted cryptocurrency analyst, Joseph Young.

“Small exchanges also focus on maximizing profitability, not security or investor protection.”

Changpeng Zhao, CEO of the world’s biggest Bitcoin exchange, Binance, argued that customers should steer clear of exchanges which don’t store funds in cold wallets. These are typically more secure than hot wallets as they’re not connected to the internet.

“Avoid using exchanges that don't have anything in their cold wallets,” he tweeted.

It’s unclear how many customers MapleChange has, but its Twitter account has fewer than 2,000 followers, versus 236,000 for Binance’s Zhao.

Categories: Cyber Risk News

Facebook Removes Scores of Fake Iran-Linked Accounts

Mon, 10/29/2018 - 09:43
Facebook Removes Scores of Fake Iran-Linked Accounts

Facebook revealed on Friday that it has removed 82 Pages, Groups and accounts linked to Iran which it said were spoofed to appear as if run by US and UK citizens.

In total, the social network took down 30 Pages, three Groups and 33 accounts on Facebook, as well as 16 accounts on Instagram — accusing them of “coordinated inauthentic behavior.”

“The Page administrators and account owners typically represented themselves as US citizens, or in a few cases UK citizens — and they posted about politically charged topics such as race relations, opposition to the President, and immigration,” explained head of cybersecurity policy, Nathaniel Gleicher.

“Despite attempts to hide their true identities, a manual review of these accounts linked their activity to Iran. We also identified some overlap with the Iranian accounts and Pages we removed in August.”

Facebook’s initial research seems to indicate limited exposure for the content: around one million accounts are said to have followed at least one of the Pages, around 25,000 accounts joined at least one of the Groups, and more than 28,000 accounts followed at least one of the Instagram accounts in question.

In addition, those behind the spoof accounts spent less than $100 in advertising, and of the seven events hosted, only 110 people expressed an interest in at least one event, it said.

However, separate reports claim slightly different findings: Facebook page I Need Justice Now had more than 13 million video views, the Digital Forensic Research Lab told the BBC.

The social network claimed it now has over 20,000 employees working specifically on safety and security, with AI tools also helping to detect fake accounts.

The revelations come just days before the crucial midterm elections in the US and during ongoing Brexit-related tensions in the UK.

Categories: Cyber Risk News

Election Security Is Risky at State and Local Levels

Fri, 10/26/2018 - 14:26
Election Security Is Risky at State and Local Levels

As the 2018 midterm elections near, many remain concerned about the security of election infrastructure at the national level, though Steve Grobman, CTO at McAfee, said the realistic security risk lies in an attacker tampering with information and targeting individual counties and states.

“A realistic attack wouldn’t require mass voting manipulation or the hacking of physical machines. Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels,” Grobman wrote in an October 24 blog post.

Because attackers look for the easiest point of entry that will yield the most effective results, hackers are more likely to have success by targeting specific states or congressional districts by spoofing the domains, according to Grobman. McAfee found 20 key swing states that have non-government domains, each of which could easily be spoofed to spread misinformation.

“Government websites in general are popular targets of malicious campaigns because they make bad actors’ jobs easy,” said Mike Bittner, digital security and operations manager of The Media Trust. “They are too often poorly secured, the third parties/contractors that support them often have even poorer security measures, and the people and organizations that use them enter a lot of sensitive information.

“The root cause of these sites' insecurity is increasingly strapped budgets that prevent government organizations from replacing legacy systems and machines with new ones or making needed updates. Given the extensive use of these sites and the sensitive information they receive, county governments should thoroughly vet their third parties, audit third parties' security measures, continuously scan their sites in real time and work closely with their third parties on identifying and foiling any unauthorized activities.”

States must also protect voter registration systems, poll books, vote tabulation, publishing systems and more, said RiskSense CEO Srinivas Mukkamala. Assessing devices, applications, databases and networks for vulnerabilities, missing patches and misconfigurations is often beyond states' capabilities, which is why Mukkamala proposed AI-assisted penetration testing – a service that is already in use in some states – as a solution to the election security problem.

“While internet-connected systems used for online voter registration and election-night reporting have a significant attack surface, an end-to-end assessment of election systems is needed to understand which vulnerabilities truly matter,” said Mukkamala.

Amitai Ratzon, CEO of Pcysys, agreed but added, "Automated penetration testing is the simplest measure to help prevent election hacking. It can be implemented across networks seamlessly and with ease, is agent-less and operates 24/7."

Categories: Cyber Risk News

CISOs Challenged by Budget and Rise in Attacks

Fri, 10/26/2018 - 14:00
CISOs Challenged by Budget and Rise in Attacks

Having a lack of influence in the boardroom is one reason why 84% of CISOs in North America believe there is no way to avoid a cybersecurity breach, according to a new report from Kaspersky Lab.

Results from the report What It Takes to Be a CISO: Success and Leadership in Corporate IT Security, an annual survey conducted by PAC on behalf of Kaspersky Lab, revealed that the job of the CISO is made increasingly difficult because cyber-threats continue to rise while organizations embark upon their digital transformation journeys. Of the 250 IT decision makers who participated in the survey, 57% said that the complexity of cloud and mobility infrastructures is their top challenge.

The second-greatest challenge was not far behind, with 54% citing managing personal data and sensitive information as a primary problem. The third-ranked top challenge reported by 50% of respondents was the continued rise in cyber-attacks.

When it comes to the threats themselves, financially motivated criminal gangs are viewed as the greatest IT security risk by 40% of respondents, while 29% are concerned about malicious insider threats, particularly as CISOs see these threats as extremely difficult to prevent.

Because they lack influence in the boardroom, CISOs reported that justifying the budgets needed to effectively protect the organization is difficult. Though the pressure to defend against cyber-threats continues to mount, CISOs are faced with significant budget challenges because they can’t guarantee a clear return on investment (ROI), the report said. As a result, 36% of CISOs are unable to secure the IT security budgets they need because they can’t promise that the spend will deliver 100% protection against cyber-attacks.

“Historically, cybersecurity budgets were perceived as a low-priority IT spend, but this is no longer the case,” said Maxim Frolov, vice president of global sales at Kaspersky Lab, in a press release.

“Today, cybersecurity risks are top of the agenda for CEOs, CFOs and risk officers. In fact, a cybersecurity budget is not just a way to prevent breaches and the disastrous risks associated with them – it’s a way to protect business continuity, as well as a company’s core profile investments.”

Categories: Cyber Risk News

Copy of Chinese Spy Chip Used in Security Training

Fri, 10/26/2018 - 13:32
Copy of Chinese Spy Chip Used in Security Training

Following reports that Chinese spies infiltrated the supply chain of servers assembled by Supermicro Computers Inc., the New York–based CYBERGYM has launched a new infrastructure-security combat training program.

Driven by the belief that threats posed by these types of supply chain and infrastructure hacks are significant, CYBERGYM said it developed the training to help organizations prepare for such an attack. In an effort to make the training as realistic as possible, the engineers and white-hat hackers at CYBERGYM developed a virtual model of the surveillance chip identified in the Bloomberg report. The virtual model emulates the actual attack scenario, which will allow participants to respond to a real-life chain of events, CYBERGYM said.

Available in cyber-warfare arenas in the US, Europe, Asia and Australia, the training provides organizations with the strategies needed to defend against complex, hardware-based attacks, which require advanced forensic analysis.

As such, the training program entails multiple forensic layers, including memory, network, PLC and operating system, in order to bolster the organization’s anomaly detection skill set. The training is multi-leveled and augments the critical forensic data collection skill sets of trainees so that the organization is equipped with security personnel who can effectively analyze, mitigate and remediate hardware- or infrastructure-level attack damage.

"Our program is based on multilayered forensics and is designed to fundamentally enhance both human training and policy implementation," said Ofir Hason, CEO of CYBERGYM, in a press release.

"The story, while contested, has nevertheless brought into sharp focus the very real likelihood of organizations suffering infrastructure infiltration at the hands of hackers. To fight this type of core and complicated attack, organizations need to be able to quickly analyze the events, collect the relevant forensics and work collaboratively with their IT supply chain partners to mitigate and prevent escalation – processes that are benefited greatly by access to hands-on, real-world training scenarios. In this sense, time and performance are crucial.”

Categories: Cyber Risk News