Over a fifth (21%) of US consumers will never return to a brand that has suffered a data breach, according to new research providing a timely reminder of the need for effective cybersecurity.
Contact center payments firm PCI Pal polled 2000 US consumers to produce a State of Security report which highlights the importance of trust and privacy to the average American.
As well as those who will never return to a business post-breach, a sizeable majority (83%) claimed they would stop spending for several months after a breach or serious incident.
In addition, 45% said they spend less with brands they perceive to have insecure data practices, and over a quarter (26%) will not give a company their business if they don’t trust it with their data.
Consumers are concerned not just about online security. Over a quarter (28%) questioned how their data is recorded over the phone and over two-fifths (42%) said they’re uncomfortable sharing sensitive data like credit card details over the phone.
The findings chime somewhat with RSA Security research from earlier this year which revealed that 69% of global consumers are prepared to boycott any company they believe does not take data protection seriously.
It also found the vast majority (62%) blame the company first in the event of a data breach, rather than the hacker.
The findings should be another reminder to organizations of the importance of a strong cybersecurity posture.
PCI Pal COO, James Barham, argued the findings reveal a change in how US consumers are prioritizing security and privacy.
“Consumer-facing brands should pay attention — not just adopting stronger security practices but incorporating them into their marketing and communications strategies if they want to keep customers loyal and spending with them,” he added.
It’s a change in consumer behavior being driven to a certain extent globally by the advent of the GDPR. Although it’s an EU law, it applies to any company processing EU citizens’ data, so the advent of the first major fine for a US company will be a significant moment in awareness raising.
Just this week, Apple CEO Tim Cook argued for a GDPR-style federal data privacy law.
Demand for cryptocurrency skills has rocketed by over 1000% over the past two years, but a disconnect between cybersecurity and the fast-emerging sector is exposing organizations to greater risk, according to Trend Micro.
The security vendor analyzed data from popular recruitment site ITJobsWatch, revealing UK demand for cryptocurrency skills has jumped by 1130% since 2016.
Similarly, crypto skills do not seem to be a priority for cybersecurity professionals, failing to make the top 30 despite emerging areas like GDPR (8%) starting to make an impact.
This security/crypto skills gap is leaving cryptocurrency exchanges dangerously open to attack, according to Bharat Mistry, Trend Micro principal security strategist.
“If cybersecurity professionals were more aware of crypto and the risks the platform is open to then they could secure or reduce the attack surface for crypto exchanges,” he told Infosecurity.
What’s more, a report from Ernst & Young earlier this year revealed that 10% of all initial coin offering (ICO) funds are lost to hackers. Experts claimed that some crypto ventures aren’t resilient enough to DDoS, phishing attacks, or web exploits, and that the underlying code of smart contracts is often riddled with vulnerabilities.
More cybersecurity expertise in the industry would help mitigate some of these risks.
Trend Micro also warned of the growing cryptojacking threat, claiming that it recorded a 956% increase in detection of this malware between 1H 2017 and 1H 2018.
The global cybersecurity skills shortage is now almost three million, according to the latest data.
British Airways is notifying an additional 185,000 passengers that their card details may have been stolen in a recently revealed Magecart digital skimming attack on its website and app.
The airline revealed in a statement on Thursday that the website-related breach discovered in September actually affected an extra 77,000 customers — with name, billing address, email address and card details including number, expiry date and CVV potentially accessed. It also hit another 108,000 customers who had the same data taken except for their card CVV.
These customers made reward bookings between April 21 and July 28, 2018, widening the time frame in which hackers had access to card data. Originally it was thought that the malicious Magecart skimming code was inserted on August 21 and sat there exfiltrating passenger card details for 16 days.
The statement implies the same actors are behind this April-July breach.
“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” BA continued. “Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.”
BA also revealed that its original estimate of 380,000 payment card details affected in the incident was too high, and that 244,000 were actually compromised. That means the total as it stands today is nearly half a million.
The airline reiterated its commitment to reimburse any customers who suffer financial losses as a result of the incident, and to offer credit monitoring to those who want it.
The firm also trumpeted the fact that there have so far been “no verified cases of fraud” as a result of the incident.
However, experts claimed that this statement should not reassure customers.
"Credit card details and supporting personal information may have already been sold on the dark web, but because this information has no clear tie to BA as the source it's impossible to track,” argued Simon Migliano, head of research at Top10VPN.com.
Jason Rebholz, senior director of strategic partnerships at Gigamon, added that until BA has completed its investigation, the full impact of the breach is unlikely to be known.
“Investigations into security incidents can take a lot of time,” he argued. “It is important that organizations have as complete information as possible when they go public, otherwise they will face a backlash when they have to continually modify their statements.”
According to the 2019 Global ICS & IIoT Risk Report published by CyberX, cyber-criminals are increasingly targeting the vulnerabilities of industrial control systems (ICSs) and the industrial internet of things (IIoT).
The report reflects the findings from data captured over the past 12 months from more than 850 production ICS networks across all industrial sectors. While the data showed that industrial and critical infrastructure organizations have improved their risk postures, major gaps still remain in key areas of their overall security strategies.
After analyzing real-world traffic from production ICS networks, researchers found that 69% of industrial sites have plain-text passwords across the network. Encryption failure in legacy protocols leaves sensitive credentials exposed, which makes the reconnaissance work of threat actors much easier.
In addition, direct internet connections and poor antivirus solutions make ICS soft targets for adversaries. The report revealed at least one direct connection to the public internet exists in 40% of sites. Now that operational technology (OT) networks are more frequently connected to corporate IT networks, leaving industrial networks connected to the public internet creates additional entryways for attackers.
Year-over-year trends revealed that the prevalence of Windows XP and other legacy Windows systems has decreased. In large part, this effort has come from top-down management since NotPetya struck. In 2017, three out of four systems remained unpatched, but the research showed a marked improvement, with only 53% of sites having outdated Windows systems like XP in 2018.
"We’re not here to create FUD, but we think it’s important for business leaders to have a data-driven view of ICS risk so they can ask the right questions,” said Dan Shugrue, senior director of industrial cybersecurity for CyberX, in a press release. “We’re definitely making progress in reducing ICS risk, but we have a long way to go. Reducing ICS risk is a journey – most of these ICS networks were designed decades ago, long before cybersecurity was a key design priority.”
Universities around the country, along with students and staff, may want to be a bit more vigilant online, warned Kaspersky Lab after researchers detected nearly 1,000 phishing attempts hitting at least 131 universities in 16 countries over the last year.
According to researchers, cyber-criminals are targeting users with fraudulent web pages designed to look identical to the university’s official page. The only distinction is a slightly different URL, making it difficult to detect. Once a user clicks on the link, they are delivered to credentials-stuffing pages, where they are asked to provide sensitive information, including university account credentials, IP addresses and location data.
Credit: Kaspersky Lab. Examples of phishing pages mimicking the login pages of the University of Washington, Harvard Business School, and Stanford University websites.
Collecting the IP addresses allows cyber-criminals to circumvent anti-fraud systems “by masquerading as account holders,” wrote Nadezhda Demidova, security researcher at Kaspersky Lab.
“Although universities are aware of the need to protect their resources, fraudsters exploit the traditional weakest link: user inattentiveness,” Demidova wrote. “Depending on the level of access (lecturer, student, research associate), personal accounts on the university site can provide access to both general information as well as paid services and research results. Moreover, a lecturer’s account, for example, can provide attackers with information about salary, schedule, etc. All this can be used for identity theft or a targeted attack.”
The majority of the 961 attacks detected across 131 schools over the last 12 months, 83 of the institutions were located in the US. The University of Washington (11.6% of attack attempts), Cornell University (6.8%) and the University of Iowa (5.1%) were top three targeted schools. Britain was a distant second, with only 21 schools targeted. In addition, researchers noted that academic institutions in Asia, Europe and Africa have also been targeted.
“As educational institutions becomes a popular target for cyber-criminals, it is essential for university IT staff to take proactive measures to prevent phishing attacks,” said Demidova in a press release. “In addition to strengthening IT security infrastructure, university leaders should also provide training resources that can help students and staff identify and avoid targeted phishing threats.”
In his keynote speech at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels yesterday, Apple’s CEO, Tim Cook, argued in favor of a federal data privacy law.
Praising the EU’s General Data Privacy Regulations (GDPR), Cook said that modern technology has created a "data-industrial complex" in which our personal information is "weaponized against us with military efficiency." Cook continued, emphasizing the deeply concerning issue that “these scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold,” and that the industry can no longer “sugarcoat the consequences.”
Pointing out the ways in which technology can actually harm, not help, Cook said, “Platforms and algorithms that promise to improve our lives can actually magnify our worst human tendencies. Rogue actors and even governments have taken advantage of user trust.” One key theme of the speech was that the misuse of our personal information doesn't affect just individuals but whole sections of society.
“Silicon Valley claims to be the arbiter of all that is good for us," said Colin Bastable, CEO of Lucy Security, “but we know how that ends – badly. Social media cyber-insecurity is the “Unsafe at Any Speed” issue of our times."
“Tim Cook takes a break from virtue signaling to throw rocks at Google and Facebook because he wants to position himself and Apple as the good guys whilst the others are vulnerable,” Bastable continued. "His message is right, but Apple is also part of the problem. These players hold massive quantities of data, and we should never assume that they will ever have our best interests at heart."
Feelings about Apple aside, many agree that the message Cook's keynote is right. Noting that Cook’s comments echo the words of privacy advocates, who have long been pushing for regulations that protect consumers, Paul Bischoff, privacy advocate with Comparitech.com, said, “We're already starting to see progress in the US along those lines, such as California's Consumer Privacy Act.
“And though I agree with him in most respects, I think it's important to put his words into context. Apple can ride a moral high horse when it comes to privacy because it does not primarily depend upon targeted advertising and the collection and sharing of personal data to make money. Most of its competitors do, namely Google. Advocating for privacy laws is a practical way for Apple to indirectly lobby against Google,” Bischoff said.
The Information Commissioner’s Office (ICO) has issued a rare maximum fine of £500,000 to Facebook for data protection mistakes that led to the Cambridge Analytica scandal.
After hearing representations from the social network, the UK privacy watchdog said it decided to keep the fine amount unchanged, as per its Notice of Intent in July.
Its investigation into political campaigning revealed that Facebook had processed user information “unfairly” under the old Data Protection Act 1998. It did so by allowing developers to access this info without adequately “clear and informed consent” — and by allowing access even to users who had not downloaded an app but were friends of those who had.
The social network also failed to keep adequate checks on how this data was being secured or used by developers, a situation which led to Aleksandr Kogan harvesting info on 87 million users without their knowledge and subsequently sharing some of this with Cambridge Analytica parent SCL Group. This infamously allowed the company to target wavering voters ahead of the 2016 US presidential election.
The ICO claimed Facebook also failed to take prompt action to ensure this data was deleted when, in December 2015, it discovered what had happened. SCL Group wasn’t suspended until 2018.
Information commissioner Elizabeth Denham warned that the fine would have been “significantly higher” had the GDPR been in force at the time.
“Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better,” she added.
“Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based.”
UK Fast CEO, Lawrence Jones, also raised concerns over the impact of intelligent profiling on democracy.
“To regain trust, and recover their share price, Facebook have to now carry through on the promise of Mark Zuckerberg to investigate every Facebook app that’s mining data and ask questions about where that data is, who has access to it and what it’s being used for. They then need to be extremely clear and transparent about the findings of their investigation,” he added.
"This is now about damage limitation for them, and the only way they can limit damage is by being honest about their mistakes and regaining our trust."
A new Oxford University paper has claimed that data collection and sharing by apps linked to Google, Facebook and others is “out of control” — presenting major privacy risks to customers, who are bamboozled by policies and guidelines.
It claimed that over 88% of free apps on Google Play share information with firms owned by parent company Alphabet.
Researchers have attributed with “high confidence” industrial control system (ICS) intrusion activity known as TRITON to a Russian state-owned research institute.
FireEye claimed in a blog post on Tuesday that the activity, now known as TEMP.Veles was supported by the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM).
Aside from spotting behavior patterns consistent with the Moscow time zone, the vendor claimed that “CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.”
FireEye claimed to have found a unique username contained in the code of a tested file which it linked to an individual “active in Russian information security communities since at least 2011.”
That same person was apparently a professor at CNIIHM, according to an old social media profile. FireEye dismissed the possibility of the individual acting alone as “highly unlikely.”
The vendor also said that malicious TEMP.Veles activity originated from an IP address registered to the institute. That same address had been used to monitor open source coverage of TRITON and engaged in network reconnaissance against targets of interest to the campaign.
Cyrillic names and artifacts are also widespread, the researchers said.
The CNIIHM’s two research divisions also highlight a link to TRITON.
“The Center for Applied Research creates means and methods for protecting critical infrastructure from destructive information and technological impacts,” explained FireEye. “The Center for Experimental Mechanical Engineering develops weapons as well as military and special equipment. It also researches methods for enabling enterprise safety in emergency situations.”
Airline Cathay Pacific has become the latest big-name brand to suffer a major data breach, after revealing that data on 9.4 million passengers may have been stolen.
The firm claimed on Wednesday that it discovered unauthorized access to the IT systems containing a wide range of sensitive personal information, both for its customers and those of its business unit Hong Kong Dragon Airlines.
The personal data affected is as follows: passenger name; nationality; date of birth; phone number; email; address; passport number; Hong Kong identity card number; frequent flyer programme membership number; customer service remarks and historic travel information.
However, only 403 expired credit card numbers and 27 credit card numbers with no CVV were exposed in the breach.
There’s no other info available on how the incident may have occurred, but the airline is playing down its seriousness by saying there’s no evidence of data being misused at this point.
“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” said CEO, Rupert Hogg.
“We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No-one’s travel or loyalty profile was accessed in full, and no passwords were compromised.”
However, reports suggest the firm discovered suspicious activity in March 2018, and confirmed data had been accessed in May, which means it failed to inform customers for over five months.
Given the timelines, the incident is unlikely to fall under the GDPR even if, as seems likely, EU citizens’ data was compromised.
Back in April, the Hong Kong privacy commissioner explained that businesses in the Chinese SAR should “should prepare” for the legislation.
Commissioner Stephen Kai-yi Wong today expressed “serious concern” over the incident.
“Organizations in general that amass and derive benefits from personal data should ditch the mindset of conducting their operations to meet the minimum regulatory requirements only,” he said in a statement.
“They should instead be held to a higher ethical standard that meets the stakeholders’ expectations alongside the requirements of laws and regulations. Data ethics can therefore bridge the gap between legal requirements and the stakeholders’ expectations.”
Steve Malone, director of security product management at Mimecast, warned of follow-on attacks.
"Once personal information is compromised, cyber-criminals can implement highly targeted spear phishing and social engineering attacks, often via impersonation emails against friends or business contacts. These impersonation attacks are now the easiest way for criminals to steal money and valuable data,” he said.
“Notified customers should change passwords as a precaution and alert their employer’s IT security teams to help look out for attacks misusing their personal information.”
Randy Abrams, senior security analyst at Webroot, argued that airlines are increasingly in the cross-hairs of attackers.
“In recent months, Air Canada and British Airways have suffered breaches. However, the Cathay Pacific breach disclosed a feature-rich set of data, including more than 40-times more passports than the Air Canada breach, meaning it will have a much greater impact on passengers,” he added.
“In addition to potential monetary theft, having a high number of passports compromised with passenger history and information should be of significant concern to governments across the world as they try to secure their borders.”
While the report shows promise on the development side, it also analyzed flaw persistence and measured the longevity of flaws after the initial discovery. Though software security is improving, the report found that one in four flaws remains open more than a year after first being discovered.
Across all sectors, companies are addressing an enormous number of open flaws, yet there has been improvement when it comes to companies taking action. According to the report, 69% of flaws were closed through remediation or mitigation, which reflects a 12% increase since the last report.
An additional key finding was that the number of vulnerable apps remains staggeringly high. In large part, this is the result of open source components, which present significant risks to businesses, the study said.
After conducting the first scan, researchers found that in excess of 85% of all applications had at least one vulnerability, with more than 13% of applications containing at least one very high severity flaw. In addition, one in three applications were vulnerable to attack through high or very high severity flaws, according to the report.
After looking at the fix rate of 2 trillion lines of code, researchers found that persistent flaws continued to pose extended application risk exposure for businesses. The number of flaws that remained open for one month after discovery was greater than 70%, while almost 55% of all flaws remained unaddressed three months after discovery.
However, only 25% of high and very high severity flaws remained unaddressed up to 290 days after being discovered, and the same percentage was fixed within 21 days. But 25% remained open well beyond a year after discovery.
“Security-minded organizations have recognized that embedding security design and testing directly into the continuous software delivery cycle is essential to achieving the DevSecOps principles of balance of speed, flexibility and risk management,” said Chris Eng, vice president of research, CA Veracode.
“Until now, it’s been challenging to pinpoint the benefits of this approach, but this latest State of Software Security report provides hard evidence that organizations with more frequent scans are fixing flaws more quickly. These incremental improvements amount over time to a significant advantage in competitiveness in the market and a huge drop in risk associated with vulnerabilities.”
The Department of Defense (DoD) today announced that it has awarded contracts to three private-sector Silicon Valley firms in an effort to expand its Hack the Pentagon digital defense program.
As the government celebrates the second anniversary of its bug bounty initiatives, it has awarded contracts to three security firms, including Bugcrowd. To enhance the DoD’s security for sensitive, internal assets, the department will continue to build bug bounties for public-facing websites while pursuing additional crowdsourced security tactics.
The Hack the Pentagon program has been successful for the DoD, allowing the department to run assessments on a range of its assets, including hardware and physical systems. Though security checklists are helpful in determining a baseline for best practices, engaging in relationships with white hat hackers goes a step further, because they are able to simulate real threats and emulate the behaviors of an adversary.
A statement from the DoD explained: “As cyber threats persist, the Defense Department is working to identify innovative approaches to bolster security, combat malicious activities, and build trusted private sector partnerships to counter threats. Hack the Pentagon bug bounties are designed to identify and resolve security vulnerabilities across targeted DOD websites and assets and pay cash to highly vetted security researchers or ‘ethical hackers’ to discover and disclose bugs.”
The engagements will allow the DoD to run continuous assessments of its high-value assets while maintaining relationships with vetted security researchers and white hat hackers. The ability to participate in open dialogues throughout the development lifecycle of a system is an important security measure, particularly when software and other assets are so frequently updated, according to the DoD.
“We are thrilled that Bugcrowd has been selected to ‘Hack the Pentagon’ to bring the scale and expertise of our worldwide elite Crowd of white hat hackers to outsmart adversaries and strengthen our nation’s security,” said Ashish Gupta, CEO, Bugcrowd in a press release.
“Bugcrowd’s proven platform and Crowd of researchers brings a wide variety of experience and technical specialization to handle the complexity of constantly changing attack surfaces that the DoD – or any organization – will face in the coming years.”
A Washington State internet provider, Pocket iNet, left an AWS S3 server exposed online without a password, according to UpGuard. The UpGuard cyber-risk team reported that the information exposed included 73 gigabytes of downloadable data, which included passwords and other sensitive files, ranging from spreadsheets to pictures and diagrams.
Upguard discovered and reported the exposed bucket, named pinapp2, on October 11, 2018, though Pocket iNet was initially unable to confirm the exposure. After a week’s time, the exposure was secured, according to an Upguard blog post.
“Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset,” Upguard wrote.
“Internet service providers have been designated as part of the US Critical Infrastructure and represent a prime target for adverse nation-state threat groups . Finally, on October 19th the exposure was secured, preventing the exploitation of this data from any future malicious activity.”
While the bucket itself was exposed, not all of the contents were able to be downloaded. However, a folder named tech, which contained sensitive information, was downloadable within the bucket. Pocket iNet’s AWS misconfiguration also exposed several lists of plain-text passwords to multiple devices and services that belong to its employees. Included in the list of plain-text passwords were firewalls, core routers, switches, servers and wireless access points.
The issue of misconfigurations in AWS is not uncommon, but has become, “an overlooked problem that can expose massive amounts of information, harming individuals and organizations alike. It seems that leaving servers unsecured has become one of the most common security issues and, consequently, one of the most widely targeted vulnerabilities in the enterprise,” said Rich Campagna, CMO, Bitglass.
“Unfortunately, organizations of all sizes, especially smaller ISPs like Pocket iNet, have limited IT resources in terms of security tools and personnel, making them susceptible to misconfigurations. Despite this, there are tools that can help address this issue. Organizations must adopt solutions that can continuously monitor networks for misconfigurations, enforce data loss prevention policies in real time and provide user and entity behavior analytics. For organizations to succeed, it is imperative that they implement flexible, robust, cost-effective security solutions.”
Over 80% of security professionals are concerned about the prospect of attackers using artificial intelligence (AI) against their organization, according to new research from Neustar.
The global information services provider polled 301 IT and security professionals across EMEA and the US to compile its latest International Cyber Benchmarks Index.
It found that although 87% of respondents agreed AI would help them improve cyber-defenses, a similar number (82%) claimed to be nervous about the prospect of it being used by black hats against them in the future.
Some 60% claimed to be apprehensive about using AI in their organization at all, citing “security reasons.”
Respondents feared the prospect of stolen data (50%) resulting from attacks most of all, although loss of customer trust (19 percent), unstable business performance (16 percent) and extra costs (16%) all figured highly.
The findings chime somewhat with a Webroot study last December which found that 87% of US cybersecurity professionals are currently using AI to help defend their organization, but 91% feared the impact of its use by attackers.
Neustar SVP, Rodney Joffe, claimed the security industry is at a "crossroads" with AI.
“Organizations know the benefits, but they are also aware that today’s attackers have unique capabilities to cause destruction with that same technology. As a result, they’ve come to a point where they’re unsure if AI is a friend or foe,” he said.
“What we do know is that IT leaders are confident in AI’s ability to make a significant difference in their defenses. So what’s needed now is for security teams to prioritize education around AI, not only to ensure that the most efficient security strategies have been implemented, but to give organizations the opportunity to embrace — and not fear — this technology.”
That education piece appears to have been lacking so far. An ESET poll of European and US IT pros in August found a disappointing 75% believe AI is a ‘silver bullet’ to helping them tackle online threats.
Legal experts have warned organizations in certain highly regulated industries that they could be fined twice under new EU security laws with huge maximum penalties.
The GDPR has received most press since it was introduced at the end of May, but for operators of essential services (OES) and digital service providers (DSPs), there’s also a second piece of legislation to consider: the EU directive on the Security of Networks and Information Systems (NIS Directive), introduced a few weeks previously.
This means a serious breach could result in two fines for organizations in energy, health, transport, water and “digital infrastructure” sectors — i.e. providers of certain cloud and search, services and online marketplaces.
Crucially, both laws could result in maximum fines of £17m, or 4% of global annual turnover, whichever is higher.
“The NIS Directive and UK NIS Regulations say that NIS regulators should 'consult and cooperate' with data protection regulators, and the UK government had previously agreed that organizations should not be tried for the same offence twice,” explained Kuan Hon, a director in Fieldfisher's Privacy, Security and Information group.
“However, it has also said, 'there may be reason for them to be penalized under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts'.”
The ICO also recently confirmed that NIS Directive enforcement powers are separate from its own.
“In cases where a NIS incident impacts on personal data, we are able to take action under both NIS and data protection law if it is appropriate and proportionate to do so,” it said.
Hon advised EU organizations to register as OES or DSPs if required, adding that the deadline for UK DSPs is November 1. Pan-regional firms will have to comply with each member state’s individual NIS Directive legislation, while non-EU DSPs should first assess each service as to where its EU "main establishment,” or head office, is located, she added.
Magecart hackers are exploiting a long list of zero-day vulnerabilities in popular store extension software to inject the digital skimming code into targeted e-commerce sites, according to new research.
“As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”
With attackers actively probing vulnerable websites, de Groot issued an appeal to developers of the sites to patch quickly. According to his Twitter account, 13 out of the 20 probes/sites had been identified at the time of writing.
This Magecart group differs from some of the attackers we’ve seen before in that, rather than inject the malicious code directly into a target site payment page or third-party, it will insert a customized payment overlay.
“This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted,” de Groot explained. “Once a user enters his [card] details and clicks submit, the fake credit card form disappears and the unsuspecting user will likely try again. The fake form will not show a second time, because a cookie is set to prevent that.”
This is just the latest Magecart discovery and once again is proof that several competing groups are using the digital skimming code to harvest large troves of customer card data from e-commerce sites.
Other campaigns have hit hundreds of big-name sites around the world, including BA and Ticketmaster.
While data breaches result in huge losses for the victims, criminals are cashing out on fraudulent purchases by working with deceitful communities that offer such services as shipping labels, according to Flashpoint.
In today’s blog post, “Drop Networks, Label-Creation Services Sustain Shipments of Fraudulent Purchases,” analysts Luke Rodeheffer and Mike Mimoso detail the mechanics, methods and success rates criminals have with regard to cashing out on stolen cards and avoiding law enforcement. The success of these illicit tactics is the result of fraudulent shipping labels, mules and drop networks.
Through private, dark-web forum engagements, criminals are able to reap financial gains for their carded goods. In some cases, drop networks offer prepared shipping labels, which researchers say suggests that they might have a linked shipping services account.
Access to those shipping services accounts used in combination with the services’ APIs allows criminals to create thousands of labels for customers with a 99.9% effective rate. The labels are so essential to the process that in one underground service, customers are able to both create and distribute labels as PDFs. The customers then send the labels to mules who ship carded goods to buyers on the network. The goods are then resold in online marketplaces such as Amazon and eBay, according to Flashpoint analysts.
“These companies are often set up as limited liability partnerships (LLPs) posing as legitimate shipping or warehousing companies,” said Rodeheffer in an email interview. “Individuals are lured into working for what they believe is a legitimate reshipping operation that offers benefits such as flexible work scheduling.
"As noted, the companies claim to be freight-forwarding and -reshipping or logistics companies, and the individuals working for the companies often find advertisements on job message boards or receive spam messages offering such employment.”
Flashpoint expects that the drop networks will continue recruiting mules and expects that criminals will target financial services institutions, as well as telecommunications companies and electronic goods and consumer technology retailers.
“Label-creation services, meanwhile, will continue to be a valuable add-on for criminals with access to accounts belonging to private- and public-sector shipping services,” the analysts wrote.
Botnets have been growing more prevalent, and SophosLabs has discovered a new family of denial-of-service (DoS) bots used in distributed denial-of-service (DDoS) attacks. The family, dubbed Chalubo, has been used in attacks targeting internet-facing SSH servers on Linux-based systems, according to SophosLabs.
Using the ChaCha stream cipher, the attackers encrypt the bot and its Lua script, which researchers said is an indication of a Linux malware evolution. The anti-analysis techniques are principles more commonly used to thwart detection in Windows malware, though Chalubo does incorporate code from both the Xor DDoS and other Mirai malware families.
The Chalubo family attacked a SophosLabs honeypot on September 6, 2018, at which time researchers noted the bot attempting to brute-force login credentials against an SSH server. After gaining what they believed was access, the attackers issued a series of commands that revealed the bot’s complexity, dropping malicious components with a layered approach in an encryption not typical for Linux malware.
When it was initially analyzed, the malware had three components: a downloader, the main bot and the Lua command script. Since its detection, attackers have added commands that “retrieve the Elknot dropper (detected as Linux/DDoS-AZ), which in turn delivers the rest of the Chalubo (ChaCha-Lua-bot) package,” according to Sophos News.
“In addition, we now see a variety of bot versions that run on different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. This may indicate the end of a testing period, and we may see an uptick in activity from this new family.”
Throughout September, researchers observed 1,065 unique username and password combinations from 129 countries. Of those, interrogating botnets revealed 1,005 combinations of usernames and passwords in addition to those on Mirai’s default list. The combinations were used indiscriminately across IoT devices. An additional key finding of the research revealed that “attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices,” NETSCOUT wrote.
Fortinet and Bitdefender are hoping that their latest acquisitions will augment their threat intelligence offerings, with each organization today announcing that it has completed an acquisition that will enhance its existing security solutions.
Fortinet has finalized its acquisition of the Scotland-based ZoneFox Limited, a privately held cloud-based insider threat detection and response company, while Bitdefender has acquired the Netherland-based RedSocks Security.
The acquisition of ZoneFox will enable Fortinet to deliver deeper visibility into endpoints and associated data flow and user behavior. Combining the existing offerings within the Fortinet Security Fabric with the capabilities available in the cloud-based ZoneFox solutions will also provide more comprehensive machine learning capabilities that are able to distill billions of events per day into threat leads to uncover blind spots and alert users of suspicious activities.
“We’re pleased to join the Fortinet team and bring together our shared vision of alleviating CISO concerns about insider threats,” said Dr. Jamie Graves, chief executive officer and founder, ZoneFox. “Integrating our solution with the Fortinet Security Fabric will allow us to extend our reach to a broad spectrum of Fortinet and third-party solutions to solve customers’ most difficult challenges in network security.”
With its acquisition of the behavior and network threat intelligence company RedSocks Security, Bitdefender will add nonintrusive, real-time breach detection solutions and incident response services, extending its existing multilayered security capabilities.
"At Bitdefender, we’re now able to offer our Bitdefender and new RedSocks customers even stronger protection from sophisticated attacks,” said Bitdefender CEO and founder Florin Talpes in today’s announcement.
“By bringing RedSocks network security analytics and threat intelligence into GravityZone, a complete endpoint prevention, detection and response platform, customers will benefit from a more comprehensive, layered approach to security and deeper visibility into their threat landscape.”
RedSocks founder Pepijn Janssen said, “When we started RedSocks in 2012, our goal was to build solutions that would serve any type of organization and offer them value for the long term. Together with Bitdefender, we will now achieve that goal. We are extremely proud to be acknowledged by and part of a visionary cybersecurity company like Bitdefender.”
The website of a Saudi Arabian investment conference hosted by the crown prince has just returned to normal after being defaced following the murder of a Washington Post journalist.
The Arab nation has now admitted Saudi national Jamal Khashoggi was murdered on a visit to his country’s consulate in Istanbul at the beginning of the month, having changed its story several times.
However, the country’s foreign minister has claimed that it was a rogue operation not ordered by the powerful prince, Mohammed bin Salman.
That’s a version of events disputed by Turkey, which says it has proof that the office of the crown prince received four phone calls from the consulate after the killing. Surveillance footage received by CNN also appears to show an imposter dressed as the journalist with fake beard and glasses leaving the consulate's back door on the day he was killed.
In response to the outrage, hackers managed to deface the website of the Future Investment Initiative, a pet project of the prince’s known as “Davos in the Desert.”
According to screen grabs taken by CBC News Network journalist, Nahayat Tizhoosh, it featured an image of the prince scything down Khashoggi with a large sword.
Also published were a list of names, phone numbers and Saudi government email addresses with the accompanying message: “thousands of terrorists and spies in the Saudi regime who perform malicious activities around the globe.”
Another statement on the defaced page read:
“For the sake of security for children worldwide, we urge all countries to put sanction on the Saudi regime. The regime, aligned with the United States, must be kept responsible for its barbaric and inhuman action, such as killing its own citizen Jamal khashoggi and thousands of innocent people in Yemen. The medieval Saudi regime is one of the sources for #Terrorism_Financing in the world.”
During the writing of this story, the website returned from a blank error page to displaying a live stream of the event.
Security researchers have spotted a new campaign using two attack frameworks and a backdoor allegedly developed by the NSA to spy on scores of targets in Russia, Iran and Egypt.
The tools were originally published in March 2017 by the Shadow Brokers, a group linked to Russian intelligence which claimed they came from the US spy agency.
They include DanderSpritz — which consists of “plugins to gather intelligence, use exploits and examine already controlled machines” — and FuzzBunch — a framework for different utilities to interact and work together which features various plugins to “analyze victims, exploit vulnerabilities, schedule tasks,” and more, according to Kaspersky Lab.
The DarkPulsar backdoor links to the two frameworks together, used with FuzzBunch to exploit vulnerabilities and gain remote access to a targeted system, before DanderSpritz is brought in to observe and exfiltrate the data.
“The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools. Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims,” the researchers explained.
“The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness. The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.”
Kaspersky Lab claimed to have found around 50 victims in Russia, Iran and Egypt, with Windows Server 2003 and 2008 typical targeted systems. The organizations in question were linked to nuclear energy, telecoms, IT, aerospace and R&D, the Russian AV vendor explained.