Microsoft has doubled the top bounty reward for vulnerabilities in its Azure cloud software to $40,000. It also introduced a hacker environment called the Azure Security Lab, which is a cloud infrastructure dedicated to letting cybersecurity researchers test out their skills in an IaaS environment.
Hackers don't get to color outside the lines. Instead, the Lab includes a series of scenario-based challenges that they can follow to try and exploit the system. They can earn up to $300,000 if they succeed, according to Microsoft's blog post announcing the Lab.
Hackers wanting access to the Azure Security Lab must request a Windows or Linux VM.
Apple is also reportedly fleshing out its existing bounty program in two ways. Forbes reports that the company will announce plans to give security researchers developer versions of its iPhone, featuring access to the underlying software and hardware that normal users don't get. These phones, which will be available only to existing participants in Apple's invitation-only bug bounty program, will let them inspect system memory, for example.
Apple will also unveil a bug bounty program for its macOS operating system, according to the report. This could mean that researchers like Linus Henze, who discovered a bug in the Mac operating system's keychain password manager earlier this year, will finally get paid. The teenager had originally planned not to privately disclose the bug to Apple because it hadn't been paying for macOS bugs.
An announcement at Black Hat 2019 this week would mark the third anniversary of Apple's original bug bounty program, in which it promised to pay up to $200,000 for the best reported security flaws.
Cloud Security Alliance has unveiled its Top Threats to Cloud Computing: Egregious Eleven report, which lists the top 11 cybersecurity problems facing cloud computing users. It is the first major update to the list since 2016, when Alliance released the Treacherous 12, although it has released reports taking a deep dive into the threats with case studies in the interim.
Data breaches still top the list, unmoved since 2016. Other perennial threats remaining on the list from last time are poor identity management, insecure APIs, account hijacking, insider threats and the abuse and nefarious use of cloud services.
That leaves room for five new threats.

Weak control plane
In this scenario, the user doesn't understand how data flows in the cloud and might not have secure processes for securing and verifying it.

Metastructure and applistructure failures
This risk revolves around the application programming interfaces that allow customers to extract information about security protections and operations in the cloud. Examples include logging and audit information. Cloud service providers (CSPs) must understand what to provide and customers must use this wisely, the report warns.

Misconfiguration and inadequate change control
It's no wonder that this threat appeared on the list. It concerns the misconfiguration of cloud resources that could then expose sensitive information. Every accidentally exposed S3 bucket or Elasticsearch database falls into this category.

Lack of cloud security architecture and strategy
The big problem here is a misunderstanding of the shared-responsibility model. Customers lift and shift their operations into the cloud assuming that the CSP will take care of all the security, without understanding their own responsibilities.

Limited cloud usage visibility
This is the culprit behind shadow IT, when users buy cloud applications without informing IT and then use them insecurely.
What's interesting about this release is its increasing focus on administrator mistakes rather than purely on external bad actors and more traditional security issues. In short, the security challenges are becoming more nuanced, according to Alliance, which suggests a gradual maturing of the cloud security landscape.
As A-Level results day rolls around, UK universities are sorely lacking in cybersecurity protections, according to security company Proofpoint.
The company tested the UK's top universities, as ranked by the Complete University Guide, and found 65% of them were not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records.
DMARC is a protocol that organizations can use to decide whether email servers should accept an email, making it a useful weapon against phishers. Without it, you can't be sure that an email sent to you came from a legitimate sender rather than a phisher spoofing that domain.
Adenike Cosgrove, cybersecurity strategist at Proofpoint, said that the lack of a published DMARC record leaves universities open to impersonation attacks, which could be a problem next week when students start getting their A-Level results.
“In this particular example, cyber-criminals would spoof the university’s domain and send emails to would-be students’ consumer mailboxes (Gmail, Hotmail, etc.)," she explained. "Without DMARC, criminals can use the exact email address of the university in question. With DMARC, the university can block (with a ‘reject’ policy) any unauthorized use of its domain, communicating to receivers (i.e., the consumer ISPs in this case) that any unauthorized senders using its domains should be blocked. In essence, DMARC works to protect consumers (outbound), employees (inbound) and business partners from email fraud.”
Although 35% of the top 20 universities in the UK had published a DMARC record, only 5% of them were using the strictest settings, which are the ones that would block fake emails from reaching the students, Proofpoint warned.
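The distinction Proofpoint draws, between publishing any DMARC record and publishing one with the strictest setting, can be checked mechanically. The following is an added example, not code from the article or from Proofpoint; the domains and records are constructed samples standing in for what a DNS TXT lookup of _dmarc.<domain> would return, so it runs offline.

```python
"""Classify DMARC records the way the survey above does: no record at all,
a record that only monitors (p=none), a partially enforced policy, or the
strictest setting (p=reject applied to 100% of failing mail) that blocks
spoofed email before it reaches the recipient."""
from typing import Dict, List, Optional

# Constructed sample records keyed by fictional domain. An empty list models a
# domain that publishes no _dmarc TXT record at all.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "no-record.example": [],
    "monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "half-quarantine.example": ["v=DMARC1; p=quarantine; pct=50"],
    "strict.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example"],
    "malformed.example": ["v=DMARC1 p=reject"],                        # missing ';' separators
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],   # two records published
}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs.

    Returns None when the record is unusable: the first tag must be v=DMARC1
    and a policy tag (p=) must be present (RFC 7489, section 6.3).
    """
    if not record.strip().lower().startswith("v="):
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify(records: List[str]) -> str:
    """Return 'missing', 'invalid', 'none', 'quarantine', 'reject', or
    'partial-<policy>' when pct is below 100.

    Receivers treat more than one DMARC record as if none were published, so
    duplicates are reported as invalid rather than taking the stricter one.
    """
    if not records:
        return "missing"
    if len(records) != 1:
        return "invalid"
    tags = parse_dmarc(records[0])
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy != "none" and pct < 100:
        return "partial-" + policy
    return policy


def is_strictest(records: List[str]) -> bool:
    """True only for p=reject at 100%: the setting that actually blocks spoofed mail."""
    return classify(records) == "reject"


def survey(records_by_domain: Dict[str, List[str]]) -> Dict[str, float]:
    """Percentage of domains with any valid record and with the strictest policy."""
    total = len(records_by_domain)
    published = sum(1 for r in records_by_domain.values()
                    if classify(r) not in ("missing", "invalid"))
    strict = sum(1 for r in records_by_domain.values() if is_strictest(r))
    return {"published_pct": round(100 * published / total, 1),
            "strictest_pct": round(100 * strict / total, 1)}


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(f"{domain:28} {classify(recs)}")
    print(survey(SAMPLE_RECORDS))
```

To run it against real domains, replace SAMPLE_RECORDS with the TXT strings returned by a resolver for _dmarc.<domain>; a quarantine policy at 50% still lets half of the spoofed messages through, which is why only p=reject counts as strictest here.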
Students should be extra diligent when receiving email from universities, the company warned, especially if they request log-in credentials or threaten to suspend an account if they don't click on a link. They should use strong passwords that are individual to each account, it concluded.
Losses from romance scams soared by over 71% from 2017-18, with victims increasingly recruited as money mules, according to a new public service announcement from the FBI.
The bureau’s Internet Crime Complaint Center (IC3) claimed that 15,000 victims reported romance and confidence scams in 2017, at a cost of $211m. By the following year there were 18,000 victims reporting losses of over $362m.
These figures propelled the cybercrime category to the seventh most widely reported scam and second costliest to victims last year after BEC.
The IC3 said elderly widows are particularly vulnerable to such scams. Once trust has been established, the scammer — who often masquerades as a US/European citizen living abroad — will ask for money so they can buy a plane ticket to visit the victim.
Sometimes they claim that wired funds did not reach them and request another transfer. Often when they don’t arrive they’ll claim they were arrested and ask for bail money, the notice warned.
Often the victim is persuaded to open bank accounts and/or register a limited company in their name in order to send or receive funds – sometimes to facilitate a lucrative ‘business opportunity.’
Money mules are a key link in the cybercrime chain, enabling criminals to launder money from their online schemes.
The recruitment of victims via romance scams is just one method of tricking users into handing over their bank details. Often youngsters are approached on social media or WhatsApp with ads promising them an opportunity to make some quick cash.
Despite a potential jail sentence in the UK of up to 14 years, there was a 26% rise in reports of money mules aged 21 and under between 2017 and October 2018, according to anti-fraud non-profit Cifas.
In fact, it has become such a problem that Scottish police wrote to every secondary school in the country earlier this year warning parents and guardians that pupils are increasingly being recruited by cybercrime gangs as money mules.
A new version of Matrix-themed ransomware MegaCortex is targeting organizations with demands of up to $5.8m to regain access to their encrypted data, according to Accenture researchers.
In version two, the authors have improved automation and usability and made it harder to stop, according to Leo Fernandes, senior manager of the firm’s iDefense Malware Analysis and Countermeasures (MAC) team.
One major change is the removal of a password requirement for installation. It is now hard-coded into the binary.
“The original version of MegaCortex had its main payload protected by a custom password that was only available during a live infection. As a result, this feature made the malware difficult for security vendors to analyze,” he explained.
“However, the password requirement also prevented the malware from being widely distributed worldwide and required the attackers to install the ransomware mostly through a sequence of manual steps on each targeted network.”
The ransomware has also been redesigned to self-execute, and there are some new anti-analysis features in the main module, as well as a more streamlined way to “stop and kill a wide range of security products and services.” These no longer need to be manually executed as batch script files on each host.
“The changes in version two suggest that the malware authors traded some security for ease of use and automation. With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation,” Fernandes explained.
“Indeed, potentially there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through e-mail campaigns or dropped as secondary stage by other malware families.”
This would be bad news for businesses given the current demand for ransom money is anywhere between two and 600 Bitcoins: around $20,000-$5.8m.
First revealed in May this year, the MegaCortex ransom note contained various references to cult '90s film The Matrix, while the name itself echoes that of the company (MetaCortex) where hero Neo works.
The number of DDoS attacks detected by Kaspersky jumped 18% year-on-year in the second quarter, according to the latest figures from the Russian AV vendor.
Although the number of detected attacks was down 44% from Q1, the vendor claimed that this seasonal change is normal as activity often dips in late spring and summer. However, the spike was even bigger when compared to the same period in 2017: an increase of 25%.
Application attacks, which the firm said are harder to defend against, increased by a third (32%) in Q2 2019 and now constitute nearly half (46%) of all detected attacks. The latter figure is up 9% from Q1 2019, and 15% from Q2 2018.
Crucially, the seasonal drop in attacks has barely touched targeting of the application layer, which fell just 4% from the previous quarter.
These attacks are difficult to detect and stop as they typically include legitimate requests, the firm said.
“Traditionally, troublemakers who conduct DDoS attacks for fun go on holiday during the summer and give up their activity until September. However, the statistics for this quarter show that professional attackers, who perform complex DDoS attacks, are working hard even over the summer months,” explained Alexey Kiselev, business development manager for the Kaspersky DDoS Protection team.
“This trend is rather worrying for businesses. Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require them to identify illegitimate activity even if its volume is low. We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”
Kaspersky also recorded the longest DDoS attack since it started monitoring botnet activity in 2015. Analysis of commands received by bots from command and control (C&C) servers revealed one in Q2 2019 lasting 509 hours, which is nearly 21 days. The previous longest attack, observed in Q4 2018, lasted 329 hours.
A BEC scammer has pleaded guilty to his part in an operation in which he and co-conspirators tricked two US universities into sending over $872,000 to their accounts.
In July 2018, the University of California San Diego (UCSD) was sent an email spoofed to appear to come from a Dell account, demanding that the institution redirect its payments to the firm to a new bank account in Minnesota.
The bank account belonged to Amil Hassan Raage, who pleaded guilty to fraudulently receiving nearly $750,000 in 28 payments from the university from August 8 to September 12 2018.
Raage apparently withdrew the money each time it was wired and transferred it to another account.
His unnamed co-conspirators played a major part in the operation, by creating the spoofed Dell email account from a base in Kenya.
They went through the same modus operandi to defraud a second US university, this time based in Pennsylvania.
According to the Department of Justice (DoJ), the group again used the fake Dell email to trick university officials into wiring funds to a different account.
In total, it sent six payments of over $123,000.
After the Wells Fargo bank in Minnesota froze Raage’s account, he fled the country in September to Kenya, only to be tracked down by local law enforcers working with the FBI’s legal attache in the African country.
He was finally arrested in May 2019 and extradited a couple of weeks after.
“Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice. As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception,” said US attorney Robert Brewer.
BEC attacks cost businesses nearly $1.3bn last year, nearly half of the total cybercrime losses recorded by the FBI.
A Mexican bookstore that exposed millions of records through a publicly accessible database has had the data stolen and ransomed by hackers.
Libreria Porrua left the 2.1 million customer records online in a MongoDB database at two separate IP addresses, according to Comparitech, which collaborated with security researcher Bob Diachenko on the case.
The company, a bookseller and publisher with a history going back over 100 years, failed to respond to Diachenko when he notified it of the discovery on July 15. Three days later, the data had been wiped and replaced with a ransom note demanding around $500 in Bitcoin.
Public access to the database was disabled the next day, but it’s unclear whether the company paid the ransom or not.
Two sets of records were included in the trove: the first featuring names, addresses, phone numbers, emails, shipping numbers, invoice details and hashed payment card info. The second featured full names, dates of birth, phone numbers, discount card activation codes and more.
“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration makes it possible for cyber-criminals to manage the whole system with full administrative privileges,” Diachenko is quoted as saying.
“Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
Customers of the bookstore are potentially at risk from follow-on phishing attacks if the hackers decide to monetize their efforts further.
MongoDB has been a favorite target for hackers looking to capture and hold customer data to ransom over the past few years.
The volume of destructive malware attacks has risen by 200% year-on-year in the first half of 2019, according to new data from IBM X-Force.
Once the preserve of sophisticated nation state actors, it appears as if financially motivated cyber-criminals are now getting in on the act, which is bad news for a range of organizations, according to the Incident Response and Intelligence Services (IRIS) report.
Analyzing incident response data from the first six months of the year, the report claimed that such attacks now cost multi-nationals on average $239m — 61-times more than the industry average of around $3.9m.
They also take a long time to respond to and remediate — on average 512 hours — with many victim organizations using multiple companies to assist them, further increasing the time taken.
Most concerning for organizations caught out by a destructive attack: on average a single blitz destroys 12,000 machines per company.
Destructive attacks have most commonly been associated with sophisticated malware such as Stuxnet, DarkSeoul and Shamoon, as nation states go after geopolitical rivals, explained IBM X-Force in a blog post introducing the research.
“Since 2018, however, we have observed the profile of these attacks expanding beyond nation-states as cyber-criminals increasingly incorporate destructive components, such as wiper malware, into their attacks,” it added.
“This is especially true for cyber-criminals who use ransomware, including strains such as LockerGoga and MegaCortex. Financially motivated attackers may be adopting these destructive elements to add pressure to their victims to pay the ransom, or to lash out at victims if they feel wronged.”
Half of these attacks — centered around the US, Middle East and Europe — targeted manufacturing during the reporting period, with oil and gas and education sectors also hit hard.
Hackers are often inside networks for weeks or months before launching their attacks, IBM said.
“Destructive malware adversaries often gain initial entry into systems through phishing emails, password guessing, third-party connections and watering hole attacks,” it added.
“We observe them taking care to covertly preserve access to privileged accounts or critical devices for the destructive phase of their attack, using them alongside legitimate remote command services within the targeted environment, such as PowerShell scripts, to move laterally through the victim’s network.”
Defense-in-depth is the answer, with MFA, well-tested incident response plans, network monitoring, threat intelligence and regular offline back-ups essential, IBM recommended.
The organizers of BSides Manchester have hit back at accusations of corporate influence by a sponsor.
In a series of tweets, degenerateDaE highlighted the number of talks being given by employees of NCC Group, and noted that the company is also the platinum sponsor. “Out of the six organizers listed I was able to confirm at least 5/6 worked at NCC when BSides Manchester was created in 2014,” they said, pointing out that at least three still work for NCC Group.
“Figured I'd tweet about this because the link between NCC and BSides Manchester was not one that I was personally aware of, nor have I seen anyone else talk about this. It would be great to get some transparency on this from the BSides Manchester team.”
Responding, BSides Manchester organizing committee member Matt Summers posted a statement calling the accusation “incredibly hurtful and makes us as organizers question why we do this.”
He clarified that “BSides Manchester is directed by three directors (board members) and listed as a Community Interest Company (CIC) which means that it is a not-for-profit and regulated as such.”
He went on to say that there are other directors who are not board members but who have helped organize the conference – some of whom are or have been directly employed by NCC Group. “However a few people who have remained in the shadows and who were not outed by this individual have never been employed by NCC Group. The directors and board members of the CIC have never hidden their employment from the community.”
He said the intention behind BSides Manchester was to put on a regional event because he “missed the camaraderie of BSides London,” and that he pitched the idea of a BSides Manchester to a senior person at NCC Group. “Why? Because I needed some seed money to get the event off the ground.”
He said: “Since 2014 NCC Group consistently sponsored as a platinum sponsor with other companies coming and going as platinum sponsors, but we have never turned a company down when it came to the level of sponsorship they wanted.
“Over the last two years we have had three platinum sponsors. Over the years this has meant that we have had to rejig the layout of the venue to ensure that everyone gets what it is in the contract and every sponsor got a fair and honest slice of the pie.”
Regarding the accusations of conflict of interest and insinuations that NCC Group had gained an unfair advantage over other sponsors and speakers, Summers said he had always been forthright with people that he wears two hats, one for his employer and one for BSides, “and anyone who knows me will know that I let my actions speak for me.”
He said: “This accusation is unfounded and quite frankly insulting. Unfortunately, I can’t prove in any way that there is no conflict of interest. As board members and directors we insulated ourselves from the team that NCC Group put together to sponsor the event, I can’t prove this but I can say that we had a big enough job putting an event together without steering NCC Group’s efforts at the event.
“There are also additional people who helped us put the event on that were not employed by NCC Group but I won’t call them out and drag them into this. NCC Group does have robust procedures about additional employment and ensuring that there are no conflicts of interest with any additional employment and I would hope that this would be enough for all parties.”
He also clarified that NCC Group is “probably the biggest employer of security people in Manchester,” and he praised them for being “incredibly supportive of those wishing to speak publicly.”
Security researcher Javvad Malik, who was one of the original organizing team of BSides London in 2011, along with Summers, praised him for being “one of the hardest workers in the room.”
Malik said: “It pains me to see accusations thrown at him, when I know he's a man of integrity and honesty. He invited me down to the first few BSides Manchesters to compere track one. I was incredibly honored. But again, I saw first hand how much of himself he puts into these events. BSidesMCR was no exception, and it was run really well.
“So the question is, does NCC have an undue influence over BSidesMCR? And if you knew Matt at all, that's a shameful question to ask. I would never believe it, and I've seen pretty close how he runs cons.”
Malik made the point that if anyone feels like there are too many NCC Group employees running the conference, “put yourself forward and offer to help run the con yourself. It'll open your eyes to a lot of things.” This was echoed by Summers, who said: “The last thing I want to say is that every year we have asked for people to join us as organizers. In fact it’s on our website that we want people to help us.
“If people want transparency, then they can join us as organizers to see for real.”
A new initiative has been announced by the Automotive Industry Action Group (AIAG) to help automotive suppliers compare their current capabilities to industry best practice.
Developed in partnership with NQC, the Cyber Safe Bundle includes a one-time virtual audit, along with either a basic or advanced enterprise risk assessment. Together, these resources allow suppliers to evaluate their overall cybersecurity efforts and identify the most critical areas for improvement.
The audit is a remote threat analysis that searches a supplier-provided URL or domain name for known vulnerabilities using a database of more than 53,000 common configuration issues, updated in real time with the latest threats. It then identifies system weaknesses without damaging the resource being checked and provides an automated corrective action plan with practical steps the supplier can take to improve its cybersecurity.
Tanya Bolden, AIAG’s director of supply chain products and services, said: “Cyber-attacks have become so prevalent that larger companies are now spending thousands and sometimes millions of dollars to protect their systems. AIAG feels strongly about the importance of making resources developed by OEMs available to smaller companies in the automotive supply chain – companies that may not have the budget or human resources available to proactively protect themselves from cyber-attack.
“The perception is that only larger companies are targeted for cyber-attack, but the fact is that small and medium-sized companies are particularly vulnerable. A supply chain is only as strong as its weakest partner, which is why cyber-attackers go after companies that may be easier targets.”
Charles Morrison, NQC managing director, added: “We are very pleased to bring our expertise to this collaboration with AIAG, and we are confident this suite of tools will provide much needed protection to suppliers across the industry.”
Chair of the Digital, Culture, Media and Sport Committee Damian Collins MP has written to Facebook VP for global affairs and communications Sir Nick Clegg about discrepancies relating to the Cambridge Analytica investigation.
Collins asked the former Deputy Prime Minister and Liberal Democrats leader, who joined Facebook in October 2018, who at Facebook knew what and when about Cambridge Analytica’s activities on the platform with the “this is your digital life” app, which led to the misuse of 87 million people’s data.
Collins noted that “senior executives from Facebook, including its Chief Technology Officer Mike Schroepfer and Lord Richard Allan, consistently asserted in evidence over the course of 2018 to the Committee that Facebook first learned that Global Science Research (GSR) and Cambridge Analytica had compromised Facebook user data from a Guardian article published in December 2015,” whereas, according to the SEC, its complaint states that Facebook employees already knew about Cambridge Analytica prior to December 2015.
“We therefore request a response on whether the SEC complaint is accurate that employees did raise concerns about Cambridge Analytica before December 2015 and how these discrepancies in evidence have occurred,” Collins’ letter stated.
Also, despite the red flags raised by Facebook employees about Cambridge Analytica from as early as September 2015, these incidents were not reported to senior management. In a letter to the Committee dated May 14 2018, Rebecca Stimson, Facebook’s UK head of public policy, confirmed that “Mr. Zuckerberg did not become aware of allegations that Cambridge Analytica may not have deleted data about Facebook users obtained through Dr Kogan’s app until March of 2018, when these issues were raised in the media.”
Also, Collins sought guarantees on the deletion of user data held by Cambridge Analytica, as the SEC Complaint notes that several Facebook employees were also aware of data misuse throughout 2016 and beyond. On February 8 2018, Simon Milner, policy director at Facebook, denied to the Committee that Cambridge Analytica held a “large chunk of Facebook user data.”
Collins said that the Committee was requesting information on the instances in which concerns about Cambridge Analytica were raised by employees, why no action was taken until 2018, and why the Committee was not informed about these concerns in the sessions with Milner and Schroepfer.
Last week, the Securities and Exchange Commission fined Facebook $100m “for making misleading disclosures regarding the risk of misuse of Facebook user data.” The SEC’s complaint alleged that Facebook discovered the misuse of its users’ information in 2015, but did not correct its existing disclosure for more than two years.
Stephanie Avakian, co-director of the SEC’s Enforcement Division said: “As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks.”
More than 70% of organizations will be using Security-as-a-Service by 2021, according to new research from Thycotic.
The privileged access management provider surveyed IT managers and technology decision makers at the KuppingerCole European Identity & Cloud conference in Munich in May, compiling its findings in the Security as a Service on the Rise report.
Two out of three respondents said their organization is already adopting Security-as-a-Service, or will be in the next 12 months, with 70% planning to do so by 2021. Those polled cited reduced costs, faster IT services delivery and greater flexibility as reasons for opting for Security-as-a-Service solutions.
“Organizations typically use Security-as-a-Service solutions to limit or eliminate the need for on-premise hardware, software or specialized skilled resources,” said Joseph Carson, chief security scientist at Thycotic.
Respondents also indicated they are turning to cloud-based security services to help keep up with rapidly escalating threats, costs and a lack of staff resources with cybersecurity expertise.
“In another interesting result, the survey showed the security functions most frequently moved to Cloud-as-a-Service were led by Privileged Account Management and Identity Access Management,” added Carson.
Magecart groups appear to be having a busy summer so far, with one security vendor blocking 65,000 attempts to steal card details from online stores in July alone.
Malwarebytes revealed the findings in a new blog post: it shows that US shoppers account for the vast majority of those targeted, nearly 54% in total. Canadians came in second with nearly 16% and then there’s a long tail of countries including Germany (7%), the Netherlands (6%), France and the UK (5%) and Australia (3%).
The firm claimed it is becoming increasingly difficult to differentiate digital skimming groups by code types alone, as copycats reuse existing tools.
There’s also a growing trend among these hackers to use some kind of obfuscation to stay hidden.
“This is an effort to thwart detection attempts and also serves to hide certain pieces of information, such as the gates (criminal controlled server) that are used to collect the stolen data,” said Jérôme Segura, director of threat intelligence at Malwarebytes.
Visiting only larger online sites is no guarantee that consumers will be safe from digital skimmers, especially given the attacks on big-name brands like BA, Newegg and others. BA was famously issued a record £183m proposed fine last month by the ICO for breaking the GDPR.
“Combating skimmers ought to start server-side with administrators remediating the threat and implementing a proper patching, hardening and mitigation regimen. However, based on our experience, a great majority of site owners are either oblivious or fail to prevent reinfections,” argued Segura.
“A more effective approach consists of filing abuse reports with CERTs and working with partners to take a more global approach by tackling the criminal infrastructure. However, even that is no guarantee, especially when threat actors rely on bulletproof services.”
One noteworthy bulletproof hosting service was revealed last month to be operating out of a war zone in eastern Ukraine.
(ISC)2, the nonprofit membership association of certified cybersecurity professionals, announced that it has been granted Approved Professional Organizations and Learned Societies status by HM Revenue & Customs (HMRC).
This status recognizes (ISC)2 among a select number of essential professional societies and bodies that share or advance professional knowledge, maintain or improve professional conduct and competence or protect members from claims made against them while doing their job. It also allows UK members of (ISC)2 to claim tax relief on their annual maintenance fee.
The learned societies and professional associations on the list are predominantly nonprofit organizations, such as industry bodies, charter organizations and livery companies, as well as independent member associations that exist to raise standards and help their members. The inclusion of (ISC)2 on the list is recognition of its efforts to inspire a safe and secure cyber-world and advance cybersecurity knowledge and skills through training and certification.
Speaking to Infosecurity, Dr. Casey Marks, chief product officer and vice president, (ISC)2, said that the HMRC approval is validation that the mission of (ISC)2 to inspire a safe and secure cyber-world is of vital importance to the UK government.
“It means that our members are now recognized by the UK’s tax authority as serving an essential professional function and as such, they can claim tax relief on their annual fees,” he added. “It will also help some of our members recoup their membership fees, as some UK employers only reimburse professional memberships if they are part of the HMRC list. The HMRC approval essentially lightens the out-of-pocket costs that these skilled professionals pay and lets them focus on defending their organizations from attacks.
“We hope that the HMRC approval incentivizes more interested professionals to pursue certification with us and build careers focused on bolstering cybersecurity defenses in both the private and public sectors.”
The number of vulnerabilities being reported and bug bounty payouts per vulnerability have increased this year.
According to Bugcrowd’s State of Crowdsourced Security in 2019 report, there has been a 92% increase in the total number of vulnerabilities reported in the last year, while the average payout per vulnerability increased this year by 83%.
Bugcrowd said that more industries are adopting crowdsourced security programs, and crowdsourced pen testing and vulnerability disclosure “are growing at breakneck pace and the number of companies running programs for multiple years has resulted in a marked increase in the number of public programs.”
David Baker, CSO and VP of operations at Bugcrowd, told Infosecurity that “this is both a good thing and proof there are always more bugs to be found.”
“More bugs are not the result of a lack of testing or poor SDLC [software development life cycle], but the shift to cloud, push to mobile apps and adoption of IoT,” he said. “Ultimately, the fact that the crowd is finding more and more P1s means that these critical bugs are being identified and resolved sooner. Finding bugs is a good thing; promoting better defense through a better offense is a great SDLC strategy.”
Bugcrowd also said that the average payout for critical vulnerabilities reached $2,669.92, a 27% increase over the last year. However, it claims that “researchers are no longer going after things like XSS, CSRF, and SSI as those are fairly easy to find by many scanners out there today” and are now doing deeper testing. The top five vulnerability classes reported over the past year were:
- Broken access control
- Sensitive data exposure
- Server security misconfiguration
- Broken authentication and session management
- Cross-site scripting
Speaking to Infosecurity, Luta Security CEO Katie Moussouris said that “broken access control” is a very broad category “that absolutely can still be quantified as low-hanging fruit” and if an organization places no authentication at all on an asset or API, that's a simple mistake, not at all indicative of deeper or more sophisticated bugs. “Same goes for information disclosure findings that lead to data exposure, the second one in that list.”
Moussouris said that even organizations with a lot of general process maturity and a strong secure development life cycle see basic XSS bugs crop up, especially in third-party developed websites.
“The fact of the matter is that while bug bounty hunting can help out,” she said, “organizations cannot use them or any other external testing mechanism as a checkbox to excuse complacency in prevention of common classes of bugs, like authentication bugs.”
Moussouris went on to say that in the main some organizations view bug bounties “as a way to look busy and responsive in security, when it's actually masking underlying security negligence” and the classes of bugs most often found in bug bounties are still on the lower end of sophistication.
“Most organizations should be actively trying to prevent and detect those themselves, not outsource their detection to the luck of the bug bounty draw.”
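The "broken access control" and "no authentication at all on an API" findings discussed above are easiest to see side by side in code. The following is an added example, not code from the article, Bugcrowd or Luta Security: a minimal order-lookup handler written first without any check on the caller, then with authentication and a per-object ownership rule. The roles, order records and audit log are all constructed for the example.

```python
"""Added example (not from the article, Bugcrowd or Luta Security): an
order-lookup API handler in a vulnerable and a hardened form, to make
"broken access control" and "no authentication on an API" concrete.
All names, roles and records below are constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "support"


# Constructed sample data standing in for an orders table.
ORDERS = {
    1001: {"owner_id": 1, "items": ["widget"], "card_last4": "4242"},
    1002: {"owner_id": 2, "items": ["gadget"], "card_last4": "1111"},
}

# Denied requests are recorded here; a burst of them from one user is the
# detection signal for someone enumerating order IDs against the API.
AUDIT_LOG: list = []


class NotAuthenticated(Exception):
    pass


def get_order_unsafe(order_id: int, user: Optional[User]) -> Optional[dict]:
    """Vulnerable form: the handler never looks at who is asking, so any
    caller, logged in or not, can walk the ID space and read every
    customer's record (broken access control leading to data exposure)."""
    return ORDERS.get(order_id)


def get_order(order_id: int, user: Optional[User]) -> Optional[dict]:
    """Hardened form: authenticate first, then authorize per object.
    - an unauthenticated caller is rejected before any lookup
    - a customer may read only orders they own
    - a support user may read any order (constructed policy)
    A foreign order gets the same 'not found' answer as a missing one, so
    the response does not confirm which IDs exist."""
    if user is None:
        raise NotAuthenticated("login required")
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if user.role == "support" or order["owner_id"] == user.user_id:
        return order
    AUDIT_LOG.append(
        {"user_id": user.user_id, "order_id": order_id, "event": "access_denied"}
    )
    return None


if __name__ == "__main__":
    alice = User(user_id=1, role="customer")
    print("unsafe, anonymous:", get_order_unsafe(1002, None))   # leaks order 1002
    print("hardened, alice on own order:", get_order(1001, alice))
    print("hardened, alice on foreign order:", get_order(1002, alice))
    print("audit log:", AUDIT_LOG)
```

The point of the audit log is Moussouris's "prevent and detect those themselves": the ownership check prevents the exposure, and the recorded denials are what an organization's own monitoring can alert on, rather than waiting for a bounty report.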
As the attacks either directly impact e-commerce websites or a third party’s software libraries that merchants rely upon, “these service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.”
Troy Leach, chief technology officer, PCI Security Standards Council, said: “We have heard from many of our stakeholders in the payment community that these types of attacks are a growing trend for many businesses, large and small. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the retail and hospitality sector who battle these threats daily.”
The alert warned that any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. “There are ways to prevent these difficult-to-detect attacks however,” said Leach. “A defense-in-depth approach with ongoing commitment to security, especially by third-party partners, will help guard against becoming a victim of this threat.”
Carlos Kizzee, vice-president, intelligence at the Retail and Hospitality ISAC, added that these attack techniques are of increasing significance to the retail and hospitality industry, and it is important that businesses grow their awareness of the nature of these attacks and of the security controls necessary to detect and defeat them.
Kizzee said: “The bulletin we are jointly issuing today should be a call to action to those in the business community to enhance their awareness of and vigilance against these techniques. No one should presume that they couldn’t or won’t be used to target their enterprise.
“We must endeavor to ensure that focused attention, commitment and peer collaboration in e-commerce cybersecurity efforts within the retail and hospitality industry outpaces the growth and evolution of threats such as these.”
Global automobile manufacturer Honda leaked a database of company data that exposed 134 million documents, roughly 40GB of information.
In a blog post, researcher xxdesmus revealed how he discovered an Elasticsearch database without any authentication.
“The data contained within this database was related to the internal network and computers of Honda Motor Company. The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software. I would like to thank the security team at Honda Motor Company for their very prompt action to secure the database shortly after being notified.”
A statement from Honda to the researcher read: “The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future.”
Igor Baikalov, chief scientist at Securonix, said, “This is a hacker’s dream, a treasure trove of the most sought-after information. Whoever has it can own Honda’s network. While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda.”
If an attacker has already gained access, they could use the data to carry out further attacks and gain deeper access to Honda’s networks, causing substantial damage, he added.
“This incident should be a lesson to organizations that any documents, servers or databases should be secured and at the very least password protected. What may seem like meaningless logs to an organization could actually provide a wealth of opportunity to a skilled and knowledgeable attacker.”
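The exposure described above came down to an Elasticsearch node reachable from the internet with authentication switched off. The following is an added example, not code from the article, the researcher or Honda: a small audit that reads an `elasticsearch.yml` and flags the two settings that together produce that condition, `xpack.security.enabled` and `network.host`. The configuration samples are constructed; the parser handles only flat `key: value` lines, and the assumption that a missing `xpack.security.enabled` means disabled matches the default on the 6.8/7.x releases current in 2019 (check the documentation for your version).

```python
"""Added example (not from the article, xxdesmus's post or Honda): a
configuration audit for elasticsearch.yml that flags an "open cluster",
i.e. authentication disabled while the node listens beyond loopback.
Sample configs are constructed; the YAML handling is deliberately minimal."""

# Values of network.host that keep the node reachable only from the host.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: the shape of a node left open on the network.
WEAK_CONFIG = """
cluster.name: inventory          # constructed sample
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: the corrected settings.
HARDENED_CONFIG = """
cluster.name: inventory
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse flat 'key: value' lines, which is enough for a typical
    elasticsearch.yml. Nested blocks and list values are out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(settings: dict) -> list:
    """Return a list of findings for the parsed settings.
    Assumption: xpack.security.enabled defaults to false on the 6.8/7.x
    releases of 2019, so an absent key counts as disabled. network.host
    defaults to _local_ (loopback) in Elasticsearch."""
    findings = []
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    host = settings.get("network.host", "_local_")
    exposed = host not in LOOPBACK
    if not security_on:
        findings.append(
            "xpack.security.enabled is false or unset: REST API accepts requests without credentials"
        )
    if exposed:
        findings.append(f"network.host={host}: node listens on a non-loopback interface")
    if not security_on and exposed:
        findings.append("CRITICAL: cluster is reachable from the network without authentication")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch(parse_simple_yaml(text)) or ["no findings"])
```

Run against a real node's configuration file, the check gives a defender a cheap pre-deployment gate: either authentication is on, or the node is bound to loopback behind something that does authenticate, and anything else is flagged before it reaches the internet.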
Dwindling resources, experience and skills are the biggest challenges facing the cybersecurity profession today, according to new research from the Chartered Institute of Information Security.
Nearly half (45%) of those polled for the institute’s annual survey, The Security Profession in 2018/19, pointed to lack of resources as the biggest issue they face, followed by lack of experience (37%) and skills shortages (31%).
The latter have been an issue for years, with global shortages estimated at nearly three million, including 142,000 in EMEA.
What industry professionals there are threaten to be swamped by the black hats: just 11% of respondents said security budgets were rising in line with, or ahead of, threat levels, while the majority (52%) said budgets were rising, but not quickly enough.
When asked to choose between people, process and technology, the vast majority of professionals polled for this report claimed that people (75%) were the biggest challenge to cybersecurity, rather than process (12%) and technology (13%).
“Clearly, this could be a shortage of skilled security architects, the fact that developers seldom create secure code, the user awareness problem where passwords and phishing emails are concerned; probably it is a combination of people related issues,” the report explained.
On the plus side, the dearth of qualified professionals led a majority of respondents to claim this is a good time to join the industry: 86% said the industry will grow over the next three years and 13% said it will “boom.”
In addition, over 60% claimed the profession is getting better – or much better – at dealing with security incidents when they occur, while less than half (48%) said the same about defending systems from attack and protecting data. In fact, 14% said the profession is getting worse at this.
This highlights a general trend of organizations being forced to broaden their approach from prevention alone to include incident response.
“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO of the Chartered Institute of Information Security.
“As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet in order to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”
Cisco has agreed to pay $8.6m to settle a lawsuit filed by a client alleging the networking giant knowingly sold video surveillance kit containing serious security vulnerabilities.
US law firm Phillips & Cohen said it filed a qui tam, or whistleblower, lawsuit on behalf of James Glenn, a consultant for a Cisco partner company of Danish origin. The firm is said to have fired Glenn after he submitted a report to Cisco detailing the flaws.
Although Cisco eventually fixed the software flaws, the lawsuit alleged that the firm potentially exposed the federal and state-level agencies that used the equipment.
The settlement covers sales of Cisco’s Video Surveillance Manager from 2007 to 2014. The system allows customers to manage and connect multiple internet-connected cameras through a central server.
Whistleblower attorney, Claire Sylvia, argued that many federal and state agencies depended on Cisco’s video surveillance systems to help monitor security at their facilities.
“Our client raised important security concerns. We alleged in our complaint that the software flaws were so severe that they compromised the security of the video surveillance systems and any computer system connected to them,” said Sylvia.
“Cybersecurity products are an important piece of government spending these days, and it’s essential that those products comply with critical regulatory and contractual requirements. The tech industry can expect whistleblowers to continue to step forward when serious problems are ignored, thanks to laws that reward and protect them.”
Cisco will pay the federal government and 15 states, as well as various cities, counties and other regional US administrations. Glenn himself will receive around $1.6m.
According to Cisco, this payment settles litigation originally brought in 2011. It revealed in a blog post that the software in question came from an acquisition of Broadware in 2007.
“Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached. In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us,” explained general counsel, Mark Chandler.
“In July, 2013, we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September, 2014.”