Info Security


Morrisons Loses Insider Breach Liability Appeal

Tue, 10/23/2018 - 08:57

Supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potential hefty class action pay-out.

An original High Court ruling last year said the UK chain was “vicariously liable” for the actions of former employee Andrew Skelton — a disgruntled internal auditor who published the details, which included NI numbers, birth dates and bank account data.

The firm argued at the time it was forced to pay £2m to resolve a breach that was no fault of its own.

Its lawyers subsequently argued at the Court of Appeal that the firm could not be held “vicariously liable” because the Data Protection Act 1998 — the legislation in place at the time of the incident — excludes vicarious liability.

The latest ruling could pave the way for the UK’s first data protection class action suit, with over 5000 employees seeking financial redress for the distress they suffered as a result of Skelton’s actions.

However, the Bradford-headquartered business is set to take its fight to the Supreme Court.

“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues,” a statement noted.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

Claire Greaney, an associate at law firm Charles Russell Speechlys, argued that the appeal court ruling could be cause for concern for UK organizations.

“Here you have an essentially compliant company on the receiving end of a class action it could have done little to avoid. In the GDPR era of mandatory notification this is even more concerning for businesses,” she argued.

“Businesses will need to look carefully at the measures they take to mitigate these risks, including the insurance arrangements they have in place in respect of data breaches and, of course, keep an eye out for an appeal to the Supreme Court.”

Simon Sharp, VP international at ObserveIT, claimed firms need to get smarter about spotting insider threats before they become a problem.

“The introduction of easy-to-follow policies coupled with effective monitoring technologies has the ability to stop rogue employees in their tracks,” he added. “This kind of approach is particularly important when staff have access to high-value information, such as payroll details.”

Categories: Cyber Risk News

Have Cybersecurity Training, Will Travel

Mon, 10/22/2018 - 17:01

Late last week, members of the congressional staff had an opportunity to engage in cybersecurity training through the hands-on exercises brought to them, quite literally, by IBM's X-Force command cyber-tactical operations center (C-TOC) – a first-of-its-kind mobile security operations center.

With a focus on delivering response training and preparedness, onsite cybersecurity support and education and awareness, the mobile command center will be on tour throughout 2019, attending various events, as well as visiting schools and government facilities across the U.S. before it heads to Europe.

Modeled after the military’s tactical operations centers, these mobile facilities have also been used by first responders as incident command posts. Fully operational, the IBM X-Force C-TOC is a security operations center (SOC) on wheels. 

Credit: IBM Security

A sleek, black tractor-trailer adorned with a blue "X," the C-TOC is large enough to accommodate two dozen security staff members. It comprises a gesture-controlled cybersecurity "watch floor," data center and conference facilities and can be deployed in a variety of environments with its self-sustaining power and satellite and cellular communications. In addition, the C-TOC brings both a sterile and resilient network for investigation and response and a state-of-the-art platform for cybersecurity training.

"Experiencing a major cyber-attack is one of the worst crises a company can face, and the leadership, skills and coordination required are not something you want to test out for the first time when you're facing a real attack," said Caleb Barlow, vice president of threat intelligence, IBM Security, in a press release.

"Having a mobile facility that allows us to bring realistic cyber-attack preparation and rehearsal to a larger, global audience will be a game changer in our mission to improve incident response efforts for organizations around the world."

By engaging in real-time, simulated cyber-attacks, security teams can use the C-TOC to evaluate their incident response plans through three gamified challenges, including the Ox Response Challenge, OpRed Escape and Cyber War Game.

Categories: Cyber Risk News

Facebook Is in Retail Therapy, Shopping for Security Firms

Mon, 10/22/2018 - 16:04

Facebook is apparently heeding the wisdom in the old adage, “When things get tough, the tough go shopping.” According to The Information, Facebook is currently shopping for a major cybersecurity firm.

After spending several months in the hot seat for its failure to protect user data, Facebook is reportedly looking to solve its cybersecurity problems by acquiring a cybersecurity company. Four inside sources have reportedly revealed that the company has engaged in acquisition conversations with several security firms, none of which have been publicly named.

“It’s good to see such a huge consumer company looking to make a large move to improve their cybersecurity posture," said Guy Bejerano, co-founder and CEO, SafeBreach. "However, as we’ve seen on the enterprise front, improving defenses isn’t about just buying tools. For Facebook to truly move the security needle, they will also need to ensure that whatever investment they choose is deployed appropriately, configured correctly, and constantly validated to ensure their investment works as expected.”

According to The Information, the company is most likely looking to acquire a cybersecurity firm whose software offers features such as analytics or tools that flag unauthorized access, into which Facebook could wrap its own systems.

“Facebook is acknowledging two factors with the public statement about acquiring a cybersecurity firm. First, there is a shortage of cybersecurity talent. Second, the company will start making cybersecurity unique solutions part of their key business value to their customers," said Joseph Kucic, chief security officer at Cavirin.

"Obviously, Facebook could purchase products and solutions from vendors, but they want to create greater value that will be a market and product differentiator for them as they move forward with an acquisition.”

There's no word yet on when the big purchase might happen, but one unidentified source reportedly suggested a deal could be in the works by the end of the year.

Categories: Cyber Risk News

75K Files Accessed in Insurance Exchanges Breach

Mon, 10/22/2018 - 15:29

Early last week, the Centers for Medicare & Medicaid Services (CMS) announced suspicious activity in the agent and broker portal of the Federally Facilitated Exchanges (FFE).

On October 13, 2018, a CMS staffer noticed the anomalous activity, which resulted in the agency declaring a breach on October 16. An unauthorized user reportedly accessed the files of approximately 75,000 individuals. Since learning of the unauthorized activity, the agency has deactivated the agent and broker accounts in question, according to an October 19 press release.

“Our number-one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS administrator Seema Verma in the press release.

“I want to make clear to the public that and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”

The breach reinforces the need for both private and public insurers to adopt the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law published in late 2017, according to Michael Magrath, director, global regulations and standards, OneSpan Inc.  

The NAIC’s Model Law doesn’t take effect until January 1, 2019, but South Carolina, itself an FFE state, became the first state to adopt it in May 2018, as the South Carolina Insurance Data Security Act.

“Although written for states to adopt, there is nothing prohibiting the federal government from mandating tighter cybersecurity controls in its own programs, especially when it comes to protecting sensitive personally identifiable information (PII) such as health insurance information,” Magrath said.

"A key provision of the regulation is the use of multifactor authentication to protect against unauthorized access to nonpublic information or information systems, with 'nonpublic information' being the individual’s private information," he said.

Categories: Cyber Risk News

US Indicts Another Russian for Role in Info Warfare Campaign

Mon, 10/22/2018 - 10:00

The US authorities have charged another Russian national as part of the ongoing conspiracy to interfere in its political system and attempt to undermine democracy.

Elena Alekseevna Khusyaynova, 44, of St. Petersburg is alleged to serve as the chief accountant of what the DoJ has dubbed “Project Lakhta” — an effort funded by oligarch Yevgeniy Viktorovich Prigozhin and two of his companies Concord Management and Consulting LLC and Concord Catering.

The self-styled “information warfare” effort she is alleged to have worked on had a proposed operating budget for January 2016-June 2018 of $35m, covering activities in the US, Europe, Ukraine and domestically.

Expenses she processed included payments to activists, and for social media ads, domain name registration, proxy servers and “promoting news postings” on social networks, according to the DoJ.

“Extraordinary” steps were apparently taken by the conspirators to appear as if they were everyday American voters, such as using VPNs to hide their true location and registering faked social media accounts to amplify divisive messages — using news events such as police shootings and right-wing rallies to spread further social and political discord.

Most of this is known already, from the testimony of social media companies before Congress and the DoJ’s indictment in February of 13 Russian nationals and three Russian companies, off the back of special counsel Robert Mueller’s investigation.

However, the new indictment signals the continued work of the DoJ in highlighting Russian efforts to destabilize its political system, even if Khusyaynova is unlikely ever to stand trial. These efforts are also ongoing, as the DoJ mentions $10m has been allocated for the period January-June 2018, ahead of crucial US mid-term elections next month.

“This case serves as a stark reminder to all Americans: Our foreign adversaries continue their efforts to interfere in our democracy by creating social and political division, spreading distrust in our political system, and advocating for the support or defeat of particular political candidates,” said FBI director Christopher Wray.

“We take all threats to our democracy very seriously, and we’re committed to working with our partners to identify and stop these unlawful influence operations. Together, we must remain diligent and determined to protect our democratic institutions and maintain trust in our electoral process.”

Categories: Cyber Risk News

PM Urges Sanctions in Response to Cyber-Attacks

Mon, 10/22/2018 - 09:17

Theresa May has urged the EU to adopt a new sanctions regime to punish nation states that engage in persistent cyber-attacks.

The move comes as the bloc signed up to new chemical weapons sanctions last week.

“I believe that we have an opportunity to show our collective political leadership. We have demonstrated significant steps forward against other challenging threats. And should today make clear that malicious cyber-activities are no different; we will impose costs on all those who seek to attack us, regardless of the means they use to do so,” she’s reported to have said.

“Malign cyber-activity causes harm to our economies, and undermines our democracies. As well as protecting ourselves against attack, we must impose proportionate consequences on those who would do us harm. We should accelerate work on EU restrictive measures to respond to and deter cyber-attacks, including a robust sanctions regime.”

The call can be seen as a response to a recent surge in offensive Russian efforts to probe UK critical infrastructure and interfere in referendums and elections throughout Europe.

The EU is reportedly looking to finalize several cybersecurity-related pieces of legislation before the European parliament heads into elections in May 2019.

Sean Sullivan, security advisor at F-Secure, said May was following German chancellor Angela Merkel’s lead.

“The issue appears to be concern over whether or not Italy’s leadership will go along with sanctions,” he added.

“Of course, European level action is for the best — but the UK has plenty of leverage that it can exert on its own given the amount of Russian assets that are sheltered in the UK/London. May appears to be willing to lead the way, if others signal they’ll follow. It’s harder to imagine her leading the UK on its own though.”

Malcolm Taylor, director of cyber advisory at ITC Secure, claimed the new call is a clear signal of the UK’s willingness to put pressure on states weaponizing cyber, and to continue a close relationship with the EU on matters of security.

“Both of these responses are an attempt to demonstrate that, Brexit or no, the EU, the UK, and by extension traditional allies such as the US, are and will remain united,” he said.

“There may be domestic political reasons why Theresa May will want this to be heard now, but the more important audience is Russia. Put another way, Russia may believe it succeeded in influencing the referendum and causing division and weakness in the West; May is telling them it has failed.”

Categories: Cyber Risk News

Anthem in Record $16m HIPAA Settlement

Mon, 10/22/2018 - 08:45

Healthcare insurance giant Anthem has agreed to pay a record $16m settlement to the US government after a major 2015 breach affecting nearly 79 million customers.

The Blue Cross and Blue Shield Association licensee is one of the biggest providers in the country, but apparently failed to properly secure its infrastructure as required by the Health Insurance Portability and Accountability Act (HIPAA).

Attackers managed to infiltrate the organization through spear-phishing emails sent to a subsidiary, obtaining names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

It is said to have failed to adequately tighten access controls, conduct an enterprise-wide risk analysis, regularly review system activity and put in place effective incident detection and response capabilities.

“The largest health data breach in US history fully merits the largest HIPAA settlement in history,” said Roger Severino, director of the US Department of Health and Human Services, Office for Civil Rights (OCR). 

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Tim Sadler, CEO at Tessian, argued that machine learning technologies can help to spot phishing emails which human error might otherwise allow through.

“During the three years since the Anthem breach took place, spear-phishing attacks have increased significantly in their indistinguishability and effectiveness. Yet human error has remained inherent, inevitable and largely ignored as a security vulnerability by organizations,” he added.

“As long as these conditions continue, spear-phishing will be used, and used effectively, by bad actors.”

Categories: Cyber Risk News

Yale Faces Additional Lawsuit After 2011 Breach

Fri, 10/19/2018 - 14:46

Despite its reputation as having the top law school in the country, Yale University is facing a second lawsuit after the personal information of more than 100,000 students was stolen by hackers in a data breach, according to GazetteXtra.

Between April 2008 and January 2009, electronic records containing social security numbers, dates of birth and both email and home addresses of students were stored on a Yale database. A routine review of its servers revealed that hackers had gained access to the servers and obtained the data of thousands of students, including the plaintiff, Andrew Mason.

Because the attack took place more than a decade ago, Yale reportedly said that it would not conduct an investigation. Mason’s lawsuit claims that Yale “improperly retained personal information, which was subsequently transferred to unauthorized persons during the breach, as evidenced by its statements that the personal identification information compromised in the breach was deleted from servers in September 2011 because it was unnecessary personal data.”

Industry experts believe that more lawsuits are likely to come, not just for Yale but for any organization that has mishandled the personal information it collects. “It is just going to continue until organizations realize that doing nothing is no longer acceptable and that security must be prioritized and taken seriously,” said Joseph Carson, chief security scientist at Thycotic.

“What is clear is that this data breach is a result of poor security hygiene and poor data hygiene that resulted in thousands of victims. Offering 12 months of free identity protection services is not sufficient, as the students’ identities can be abused or stolen for many years after an incident has occurred. Therefore, the minimum protection should be for at least five years."

With regard to Yale's stance that attribution at this time is going to be very difficult given that so much time has passed since the data breach, Carson agreed.

“Other universities should consider this as a lesson and prioritize cybersecurity immediately and ensure that they have done a data impact assessment and a risk-based assessment to determine how exposed they might be and what actions they must take," said Carson.

"The recent EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act are both taking personal identifiable information very seriously and any similar data breach that occurs moving forward could mean universities facing massive financial penalties of $20 million or more.”

Categories: Cyber Risk News

Fin Firms: Look to Mobile, Social for Comms Risks

Fri, 10/19/2018 - 14:27

A survey of nearly 200 financial services compliance individuals conducted throughout February and March 2018 found that organizations are struggling to keep pace with evolving technologies and have fallen behind when it comes to oversight of electronic communications, according to Smarsh.

Results of the 40-question survey were released this week in the Electronic Communications Compliance Survey Report. The survey looked at current trends in policies and practices with the usage, retention and supervision of electronic business communications, and the study revealed that companies aren’t keeping up with their retention and supervision efforts, especially when it comes to the technology used by the younger workforce.

Given that young adults rely so heavily on mobile-friendly channels, such as social media and text messaging, the report concluded that companies need to rethink their approach to the adoption and oversight of electronic communications.

Increasingly, social and mobile platforms are becoming as big a piece of the electronic communication landscape as email is. As a result, social and mobile play an important role in how firms, and investors, conduct business. Of those surveyed, 50% said they are concerned about social media, instant message/collaboration platforms and SMS/text messaging.

A majority of participants (59%) said that SMS/text messaging poses the biggest perceived risk, coming in ahead of social media and instant messaging/collaboration platforms. However, respondents admitted that the two channels with the least supervision are SMS/text messaging and instant messaging/collaboration platforms.

In addition, the report found that a top concern for 42% of participants was the growing complexity of managing employee use of mobile devices for business communications.

“This year’s survey reveals that firms are focusing too much energy on older technologies and not enough time on the mobile and social communication channels that are growing in popularity among their customers and their advisers,” said Marianna Shafir, corporate counsel and regulatory adviser at Smarsh.

“Many don’t have archiving solutions in place for the retention and oversight of modern communications channels, such as text messages, which causes problems and significant risk when facing a regulatory examination, open records request, an investigation, e-discovery event or litigation.”

The need for comprehensive oversight policies for electronic communications is widely understood, yet the report noted that most firms are slow to formally adopt and support the governance of new channels, such as social media and mobile.

Categories: Cyber Risk News

Flaw in Libssh Grants Admin Control to Servers

Fri, 10/19/2018 - 13:54

Security researcher Peter Winter-Smith discovered a four-year-old authentication bypass vulnerability in the server code of libssh versions 0.6 and above. According to Winter-Smith’s tweet, “The root cause is that the libSSH server and client share a state machine, so packets designed only to be processed by and update the client state can update the server state.”

In the security advisory for CVE-2018-10933, Winter-Smith summarized, “There is a vulnerability within the server code which can enable a client to bypass the authentication process and set the internal state machine maintained by the library to authenticated, enabling the (otherwise prohibited) creation of channels.”

An attacker can authenticate without credentials by presenting the server with an SSH2_MSG_USERAUTH_SUCCESS message (the message a server sends to a client to signal that authentication succeeded) in place of the expected SSH2_MSG_USERAUTH_REQUEST message, which initiates authentication. Only deployments that use the library in server mode are affected.

There is reportedly no workaround for the issue; according to the advisory, patches by Anderson Toshiyuki Sasaki of Red Hat and the libssh team address it in libssh 0.8.4 and 0.7.6.

Winter-Smith told Ars Technica that the vulnerability is the result of libssh using the same state machine for the client and server roles, yet only servers are affected because the behaviors the exploit relies on are legitimate on the client side. No high-profile sites have reportedly been affected. Though GitHub uses libssh, the company stated on Twitter that it is unaffected because of how it uses the library.

When pressed for clarification on how GitHub enterprise remained unaffected despite its use of the libssh in SSH server mode, GitHub tweeted, “We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for.  Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933."
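The bypass described above comes down to one missing role check: a server dispatches a message that only a client should ever receive. The following model, added here as an illustration and not libssh's code, replays the exchange against an in-memory "server" in two forms: a session that shares one handler table between roles, and a hardened variant that rejects messages the peer is not permitted to send in its role. The message numbers are the real values from RFC 4252 and RFC 4254; the class names, the password check and the string replies are assumptions standing in for a real SSH implementation.

```python
"""Simplified model of the CVE-2018-10933 bug class: a session that dispatches
SSH userauth messages without checking whether the peer may send them.

Added illustration, not libssh code. Message numbers are real (RFC 4252 s.6,
RFC 4254 s.9); everything else is a stand-in for a real SSH implementation.
"""
from enum import Enum, auto

SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client
SSH2_MSG_CHANNEL_OPEN = 90       # either side, but only once authenticated


class Role(Enum):
    CLIENT = auto()
    SERVER = auto()


class Auth(Enum):
    NONE = auto()
    AUTHENTICATED = auto()


class VulnerableSession:
    """One state machine shared by both roles. USERAUTH_SUCCESS is meaningful
    only when a client receives it from a server, but the handler also fires
    when a *server* receives it from a client, flipping the auth state."""

    def __init__(self, role, password="s3cret"):
        self.role = role
        self._password = password      # stand-in for a real credential store
        self.auth = Auth.NONE
        self.channels = []

    def handle(self, msg_type, payload=None):
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            if self.role is Role.SERVER and payload == self._password:
                self.auth = Auth.AUTHENTICATED
                return SSH2_MSG_USERAUTH_SUCCESS
            return SSH2_MSG_USERAUTH_FAILURE
        if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
            self.auth = Auth.AUTHENTICATED   # no role check: this is the bug
            return None
        if msg_type == SSH2_MSG_CHANNEL_OPEN:
            if self.auth is Auth.AUTHENTICATED:
                self.channels.append(payload)
                return "channel-open-confirmation"
            return "channel-open-failure"
        return None


# Messages a server must never accept from its peer, and vice versa.
CLIENT_MUST_NOT_SEND = {SSH2_MSG_USERAUTH_SUCCESS, SSH2_MSG_USERAUTH_FAILURE}
SERVER_MUST_NOT_SEND = {SSH2_MSG_USERAUTH_REQUEST}


class HardenedSession(VulnerableSession):
    """Same machine, but incoming messages are filtered by role before
    dispatch. Illustrates the principle, not the actual libssh patch."""

    def handle(self, msg_type, payload=None):
        forbidden = (CLIENT_MUST_NOT_SEND if self.role is Role.SERVER
                     else SERVER_MUST_NOT_SEND)
        if msg_type in forbidden:
            return "disconnect: protocol error"
        return super().handle(msg_type, payload)


def bypass_attempt(server):
    """Replay the attack from the advisory: skip USERAUTH_REQUEST, send
    USERAUTH_SUCCESS, then open a channel. True if no credential was needed."""
    server.handle(SSH2_MSG_USERAUTH_SUCCESS)
    return server.handle(SSH2_MSG_CHANNEL_OPEN, "session") == "channel-open-confirmation"


def legitimate_login(server, password):
    """Normal flow: USERAUTH_REQUEST carrying a credential, then a channel."""
    server.handle(SSH2_MSG_USERAUTH_REQUEST, password)
    return server.handle(SSH2_MSG_CHANNEL_OPEN, "session") == "channel-open-confirmation"


if __name__ == "__main__":
    print("vulnerable server bypassed:  ", bypass_attempt(VulnerableSession(Role.SERVER)))
    print("hardened server bypassed:    ", bypass_attempt(HardenedSession(Role.SERVER)))
    print("hardened server, real login: ", legitimate_login(HardenedSession(Role.SERVER), "s3cret"))
```

The hardened variant still lets a client accept USERAUTH_SUCCESS from its server, which is why a shared code base is not itself the problem; the defect is dispatching on message type alone without asking whether this side of the connection is allowed to receive that message.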

Categories: Cyber Risk News

US Voter Leak Hits Tea Party Organization

Fri, 10/19/2018 - 11:05

The personal details of over half a million American voters have been leaked after yet another cloud database misconfiguration, this time by a right-wing fundraising organization.

Researchers at UpGuard found a publicly readable Amazon S3 storage bucket at the end of August, belonging to the Tea Party Patriots Citizen Fund (TPPCF).

The TPPCF is what’s known as a “super PAC” — a political action committee which can raise unlimited funds but not “contribute to or coordinate directly with parties or candidates.” It has previously endorsed controversial candidates like Alabama’s Roy Moore.

The 2GB of exposed data included full names and phone numbers, states of residence and voter ID for over 527,000 individuals, many of whom lived in key states targeted by Republicans ahead of the 2016 election. Also leaked were strategy documents including phone scripts and templates and info on how to persuade voters to go with Trump.

“A help desk coordinator replied within hours and the bucket’s permissions were changed to only allow global authenticated users. This setting is still essentially public as anyone can have an Amazon account, and thereby authenticate as an Amazon user, for free. By Friday, October 5, all access to the bucket had been removed,” explained UpGuard.

“Misconfigured cloud storage like Amazon S3 is responsible for some of the largest data exposures in recent memory. These assets are private by default, meaning the permission set must be actively altered to allow public access. However, the fact that these assets can be misconfigured inevitably means that some of them will be misconfigured. Only controlled processes that account for the risk of exposure can prevent such misconfigurations from occurring.”
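UpGuard's point that an "authenticated users" grant is still public is easy to miss when reading an ACL by hand. The following check, added here as an illustration rather than UpGuard's tooling, walks a bucket ACL in the shape returned by the S3 GetBucketAcl API (`aws s3api get-bucket-acl --bucket NAME`, or boto3's `get_bucket_acl()`) and flags grants to either predefined global group. The group URIs are the real ones; the three sample ACLs are constructed to mirror the states the article describes, and the owner ID is a placeholder.

```python
"""Flag S3 bucket ACL grants that make a bucket readable or writable by the
world. Added illustration; the ACL dicts below are constructed samples in the
shape of a GetBucketAcl response, not data from any real bucket."""

# Real predefined-group URIs used in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Anyone with a free AWS account is a member of AuthenticatedUsers, so both
# groups are treated as public for the purposes of this check.
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}            # READ on a bucket = list objects
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return (group, permission) pairs granted to a public group.
    `acl` is a dict shaped like the GetBucketAcl response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue   # CanonicalUser / AmazonCustomerByEmail name a specific principal
        uri = grantee.get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def classify(acl):
    """Summarise exposure as 'private', 'public-read' or 'public-write'."""
    perms = {permission for _, permission in public_grants(acl)}
    if perms & WRITE_PERMISSIONS:
        return "public-write"
    if perms & READ_PERMISSIONS:
        return "public-read"
    return "private"


# Constructed samples. The owner ID is a placeholder, not a real account.
OWNER = {"DisplayName": "example-owner", "ID": "0" * 64}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
               "Permission": "FULL_CONTROL"}

# State UpGuard found: anyone on the internet can list and read.
ACL_WORLD_READABLE = {"Owner": OWNER, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

# The first "fix" the help desk applied: still public, as the article notes.
ACL_AUTHENTICATED_USERS = {"Owner": OWNER, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
]}

# Owner-only: the state the bucket reached on October 5.
ACL_PRIVATE = {"Owner": OWNER, "Grants": [OWNER_GRANT]}


if __name__ == "__main__":
    for name, acl in [("AllUsers READ", ACL_WORLD_READABLE),
                      ("AuthenticatedUsers READ", ACL_AUTHENTICATED_USERS),
                      ("owner only", ACL_PRIVATE)]:
        print(f"{name:26s} {classify(acl):13s} {public_grants(acl)}")
```

An ACL audit is necessary but not sufficient: a bucket policy with a wildcard principal makes a bucket public just as effectively without any group grant appearing in the ACL, so a controlled process of the kind UpGuard calls for has to check the policy as well, and preferably block public grants at the account level rather than chase them bucket by bucket.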

Earlier this week researchers revealed that an estimated 35 million voter records from 19 states are currently up for sale on a dark web forum.

Categories: Cyber Risk News

Experts Question 'Official' Drop in Cybercrime

Fri, 10/19/2018 - 09:48

The latest Office of National Statistics (ONS) report on UK cybercrime reveals “computer misuse” has fallen 30% over the past year, but the body itself has cautioned against drawing too many conclusions from the figures.

The stats, covering the year ending June 2018, are a combination of estimates drawn from responses to new questions introduced to the Crime Survey for England and Wales (CSEW), plus offences referred to the National Fraud Intelligence Bureau (NFIB) by the public-facing Action Fraud.

The fall of 30% in computer misuse – defined as any unauthorized access to computer material  – was driven by a drop in computer viruses of 43% since the year ending June 2017. There was no significant increase in “unauthorized access to personal information.”

However, there are major caveats to both sources: CSEW questions cover the UK’s household population, rather than businesses and organizations, while Action Fraud figures on computer misuse “represent only a small fraction of all computer misuse crime, as many incidents are not reported,” according to the ONS.

“As this comparison is based on two data points only, caution must be taken in drawing conclusions about trends at this early stage,” it warned.

In fact, Action Fraud figures showed a rise in computer misuse crime of 4% during the period, driven by an increase in the “hacking – social media and email” category of 42%.

Mark Nicholls, director of cybersecurity at Redscan, agreed that the findings should be taken “with a pinch of salt.”

“We can’t overlook the fact that, for a variety of reasons, many digital crimes go under-reported. In many cases, criminal activities such as phishing are difficult to identify – people can be unaware they have been victimized. Cryptomining attacks, where criminals steal the processing power of computers to harvest cryptocurrency, are also becoming increasingly hard for people to detect,” he explained.

“We’ve seen a string of colossal data and privacy breaches this year, most recently Facebook and British Airways. These cases will impact millions of UK citizens, even if they don't consider themselves to be a direct victim of crime."

Categories: Cyber Risk News

Secret Comment Crew Code Spotted in New Attack

Fri, 10/19/2018 - 09:05

Researchers have spotted the first stage of a new advanced persistent threat (APT) campaign targeting mainly South Korean victims and borrowing code from the notorious Chinese hacking group Comment Crew.

Operation Oceansalt is the first time white hats have seen code associated with the group, also known as APT1, since it was outed in 2013. Crucially, that code was never made public, according to McAfee.

The campaign uses spear phishing tactics to deliver booby-trapped Office documents to several targets: those with knowledge of South Korean public infrastructure projects and their expenses, the Seoul-backed Inter-Korean Cooperation Fund and various targets in the US and Canada in a variety of sectors including healthcare, telecoms and agriculture.

Those behind the campaign appear to have good working knowledge of the Korean language.

The malware delivered to victims is designed to take full remote control of any targeted machine and associated network, with McAfee speculating the spear phishing emails may be a precursor to a major financially motivated attack on a bank or similar.

As for the Comment Crew cross-over, there are three possible options: code-sharing between a former member of the group and another actor; someone has managed to access code from the original APT1 operation; or a false flag operation to make it appear China and North Korea have collaborated on this campaign.

“One thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor — offering up considerably more malicious assets,” explained McAfee chief scientist Raj Samani and senior analyst Ryan Sherstobitoff.

“We often talk about partnerships within the private and public sector as the key to tackling the cybersecurity challenges facing society. The bad actors are not putting these initiatives on PowerPoint slides and marketing material; they are demonstrating that partnerships can suit their ends, too.”

Categories: Cyber Risk News

GreyEnergy Potential Successor of BlackEnergy

Thu, 10/18/2018 - 14:30

GreyEnergy, a malware framework and threat group that ESET assesses to be a successor of the advanced persistent threat (APT) group known as BlackEnergy, has been attacking the energy sector for the past three years, according to ESET.

Back in December of 2015, when approximately 230,000 people suffered a blackout after the APT group BlackEnergy attacked a power grid in Ukraine, researchers at ESET reportedly detected another malware framework, which they dubbed GreyEnergy.

Since then, the group has been attacking energy companies and other high-value targets in Ukraine and Poland. Unlike other attacks on power grids, GreyEnergy's operations have not been destructive, which ESET said might be one reason the APT has not been documented until now.

The stealthy attackers have remained undetected while focusing on espionage and reconnaissance, which ESET presumed is an indication that the group is either preparing for future cyber-sabotage attacks or laying the groundwork for an operation run by some other APT group.

ESET researchers have observed the malware framework being used for espionage and reconnaissance, and have noted that GreyEnergy is strikingly similar to BlackEnergy in the construction of its malware framework: both are modular, and the operators push only the particular combination of modules each targeted victim system requires.

Additionally, the fact that GreyEnergy emerged in the wild at the same time BlackEnergy disappeared leads researchers to believe that there is a link between the APTs. Both target the energy sector, and the two share at least one victim.

“It should be no surprise that threats like BlackEnergy are morphing into new variants,” said Ray DeMeo, co-founder and chief operating officer at Virsec. “There is a large arsenal of advanced hacking tools, many developed by the NSA, now readily available.

“These are difficult to detect because they manipulate legitimate application processes in run-time memory and create new variants, which further evades signature-based detection. More disturbing is that many of these attacks are targeted at disrupting critical infrastructure. Many of these ICS/SCADA systems have outdated security, designed for isolation, which is increasingly disappearing as IT and OT systems connect and converge.”

Categories: Cyber Risk News

Consumers Forgive Post-Breach, Want Privacy Rules

Thu, 10/18/2018 - 14:06
Consumers Forgive Post-Breach, Want Privacy Rules

In a recent survey of more than 1,000 consumers, nearly half of the respondents said that when a company immediately discloses a data breach, they are open to forgiving the brand.

The Consumer Attitudes Toward Data Privacy and Security Survey, published by Janrain, showed that of the 1,079 participants, 42% are at least open to forgiving the brand, while only 7% of respondents said a breach is unforgivable. Many consumers might not shop elsewhere in the aftermath of a breach, but they do want to see GDPR-like rules implemented in the US.

For 44% of respondents, protecting financial data is the greatest concern, ahead of any other form of personal data; for 25% of consumers, protecting passwords is the top concern.

“When asked whether they'd walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said ‘yes’ while 24% said ‘probably.’ Fifty-four percent said it depends on whether the business is trusted or the only option,” Janrain wrote in a press release.

More than half of consumers (59%) feel that consumers, businesses and governments need to work together and offer shared support in order to achieve data security. To that end, 66% of respondents said they would like to see GDPR-like rules implemented in the US. While the majority of respondents feel such rules would be effective, 9% said regulations would be ineffective, with only 6% saying they are concerned that more regulation would present challenges to both businesses and the economy.

Despite the fact that the majority of security incidents are the result of human error, 61% of consumers report being very careful about their computer/mobile security. The survey found that only 12% of respondents report putting forth little-to-no effort to protect their computers because they believe hackers can break into company networks anyway.

"Our survey is incredibly good news for brands that take the personal data privacy and security of their customers seriously," said Janrain CEO Jim Kaskade. "Despite high-profile missteps and outright failures in the way brands have approached data privacy and security, consumers are very open to a consent-driven relationship with brands, which will go a long way toward solidifying trust for stronger, longer-term relationships."

Categories: Cyber Risk News

Amid Fears of Election Security, SEO Poisons URLs

Thu, 10/18/2018 - 13:23
Amid Fears of Election Security, SEO Poisons URLs

A recent poll from the University of Chicago Harris School of Public Policy and the Associated Press–NORC Center for Public Affairs Research found that a wide majority of Americans are concerned about election security ahead of next month's midterm elections.

Though Republicans seem more confident in election security, a significant number of Americans across the aisle fear the potential of a hack on voter systems, with 58% of Democrats and 39% of Republicans not fully trusting the integrity of voting systems.

Many reportedly fear that election security has seen little to no improvement since 2016 when Russia meddled in the US presidential election, particularly in light of a report from The Washington Times earlier this month that Peter King’s congressional campaign site was hacked.

“Elections are one of the most important things we rely on our government to run and they’re being outsourced to companies that clearly don’t have security as their top priority,” said Brian Vecci, technical evangelist at Varonis.

“Election systems without a verifiable paper record are inherently insecure, and any electronic system is going to be vulnerable to attack," said Vecci. "If we can’t come up with a system that’s clearly better – including more secure – than the old way of pulling levers, should we be in a rush to change?

“Election security should not be outsourced to the lowest bidder in each state, which has resulted in a huge variety of different systems and platforms and made it even harder to ensure the integrity of an election. Instead, similar to the introduction of GDPR and the California Consumer Privacy Act, if we implement a standardized system with a set level of required security regulations, we can reduce threats and ensure the outcome of our elections are in the hands of US citizens and US citizens alone.”

When it comes to election security, though, there are factors beyond voting technology that affect the integrity of elections. While a lack of funding, regulation and skilled staff contributes to the lack of confidence in electronic voting systems, cyber-criminals are reportedly using SEO poisoning to hijack searches for midterm-election terms. Researchers from Zscaler have been actively tracking SEO poisoning campaigns and found in excess of 10,000 compromised websites, with more than 15,000 keywords leading visitors through multiple redirects.

“SEO poisoning, also known as search engine poisoning, is an attack method that involves creating web pages packed with trending keywords in an effort to trick search engines to get a higher ranking in search results,” researchers wrote in a blog post. Researchers have spent more than a month watching this midterm-elections SEO poisoning campaign and said they continue to discover hundreds of newly compromised sites every day.
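As an added example (not Zscaler's tooling and not code from the page), the script below implements two checks a defender could run against a suspect site: a page-level heuristic for the keyword stuffing and client-side redirects described above, and a comparison of the redirect chain a search-engine crawler sees against the one a browser sees. The second check assumes the campaign cloaks, serving the stuffed page to crawlers and bouncing real visitors elsewhere; the page does not state that for this campaign, but it is a common shape for such attacks. The HTML, keyword list, hostnames and HTTP responses are constructed for the example, and the fetch function is injected so the whole thing runs offline.

```python
import re
from html.parser import HTMLParser

# Constructed "trending" terms an attacker would stuff into a compromised page.
TRENDING_KEYWORDS = ["midterm elections", "voting", "ballot", "polling place"]
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/69.0"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
_JS_REDIRECT = re.compile(r"(window\.)?location(\.href)?\s*=|location\.replace\(")


class _PageScanner(HTMLParser):
    """Collect visible text; note hidden blocks and client-side redirects."""
    def __init__(self):
        super().__init__()
        self.text, self.hidden_blocks = [], 0
        self.meta_refresh = self.script_redirect = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True
        if tag == "script":
            self._in_script = True
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            self.hidden_blocks += 1  # text the search engine reads but users never see

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            if _JS_REDIRECT.search(data):
                self.script_redirect = True
        else:
            self.text.append(data)


def keyword_density(text, keywords):
    """Fraction of visible words that belong to one of the trending phrases."""
    words = re.findall(r"[a-z']+", text.lower())
    if not words:
        return 0.0
    joined = " ".join(words)
    hits = sum(joined.count(kw) * len(kw.split()) for kw in keywords)
    return hits / len(words)


def analyze_page(html, keywords=TRENDING_KEYWORDS, stuffing_threshold=0.25):
    """Score one HTML document; two or more indicators marks it suspicious."""
    scanner = _PageScanner()
    scanner.feed(html)
    density = keyword_density(" ".join(scanner.text), keywords)
    indicators = []
    if density > stuffing_threshold:
        indicators.append("keyword_stuffing")
    if scanner.hidden_blocks:
        indicators.append("hidden_text")
    if scanner.meta_refresh or scanner.script_redirect:
        indicators.append("client_redirect")
    return {"density": round(density, 2), "indicators": indicators,
            "suspicious": len(indicators) >= 2}


def redirect_chain(url, fetch, user_agent, max_hops=5):
    """Follow HTTP redirects via fetch(url, ua) -> (status, location, body)."""
    chain = [url]
    status, location, body = fetch(url, user_agent)
    while status in REDIRECT_STATUSES and location and len(chain) <= max_hops:
        chain.append(location)
        status, location, body = fetch(location, user_agent)
    return chain, body


def cloaking_detected(url, fetch):
    """Cloaking: the crawler and a real browser are sent down different chains."""
    bot_chain, _ = redirect_chain(url, fetch, GOOGLEBOT_UA)
    user_chain, _ = redirect_chain(url, fetch, BROWSER_UA)
    return bot_chain != user_chain, bot_chain, user_chain


# Constructed sample pages and responses; none of these hosts are real.
STUFFED_PAGE = """<html><head><title>midterm elections voting ballot</title>
<meta http-equiv="refresh" content="0;url=http://hop1.example/go"></head>
<body><div style="display:none">midterm elections voting ballot polling place
midterm elections voting ballot polling place midterm elections voting</div>
<p>Welcome to our gardening blog.</p>
<script>window.location.href="http://hop1.example/go";</script></body></html>"""
CLEAN_PAGE = """<html><head><title>Gardening tips</title></head>
<body><p>How to plant tomatoes in spring. Water them daily and use mulch.</p></body></html>"""
SAMPLE_SITE = {  # crawler gets the stuffed page; browsers get bounced twice
    ("http://compromised.example/news", GOOGLEBOT_UA): (200, None, STUFFED_PAGE),
    ("http://compromised.example/news", BROWSER_UA): (302, "http://hop1.example/go", ""),
    ("http://hop1.example/go", BROWSER_UA): (302, "http://scam.example/landing", ""),
    ("http://scam.example/landing", BROWSER_UA): (200, None, "<p>Fake poll: enter your details</p>"),
}


def sample_fetch(url, user_agent):
    """Offline stand-in for an HTTP client, keyed on URL and User-Agent."""
    return SAMPLE_SITE.get((url, user_agent), (404, None, ""))
```

Against the constructed sample, `analyze_page(STUFFED_PAGE)` reports all three indicators (density about 0.79) while the clean page reports none, and `cloaking_detected("http://compromised.example/news", sample_fetch)` returns a one-hop chain for the crawler and a three-hop chain ending at the scam host for the browser. In practice the fetch function would wrap a real HTTP client, and the User-Agent comparison should be repeated with a Referer of a search engine, since many campaigns key the redirect on that header as well.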

Regardless of the security solutions put in place to protect the voting machines, cyber-criminals are still able to use technology to influence what information is disseminated via websites and social media, a vital piece of the discussion that has yet to make it to the forefront of the election security conversation.

Categories: Cyber Risk News

European Banks and Police Warn Consumers of Cyber Scams

Thu, 10/18/2018 - 10:46
European Banks and Police Warn Consumers of Cyber Scams

Europol and the European Banking Federation have launched a new campaign designed to raise public awareness of growing incidents of financial fraud and data theft, as part of European Cyber Security Month (ECSM).

Over the coming week, law enforcers from 28 EU member states as well as Colombia, Liechtenstein, Norway, Switzerland and Ukraine will be joining forces with 24 national banking associations and others to warn consumers not to fall for cyber scams.

The campaign will focus on the seven most common online financial scams: CEO fraud, invoice fraud, phishing and its variants, spoofed bank websites, romance scams, personal data theft via social media, and investment and online shopping scams.

Most of these use social engineering techniques to trick the victim into handing over their personal and financial details, or paying or transferring funds to a malicious third party.

A dedicated site explains the tell-tale signs of such scams, and what consumers can do to stay safe.

Many fall under what’s known as authorized push payment (APP) fraud, where the scammer tricks the victim into making payments to an account the scammer controls.

According to the UK’s Payment Systems Regulator (PSR) there were 43,875 reported cases of APP scams last year, and 88% of victims were consumers, who lost an average of £2,784.

However, it’s a contentious area: many financial institutions will not reimburse their customers for this kind of fraud, even though few have measures in place to spot and block it.

The UK regulator is working on an industry code of practice, which should clarify matters, as well as initiatives such as stricter checks on the identity of those opening bank accounts; confirmation of payee, which checks that the name a consumer enters matches the account holder before the payment goes through; and improved data sharing so banks can respond more quickly to scams.

Banking lobby group UK Finance controversially argued last week that a new levy on each payment made in the country could help provide funds to compensate victims of APP fraud.

Categories: Cyber Risk News

Former Equifax Developer Sentenced for Insider Trading

Thu, 10/18/2018 - 09:47
Former Equifax Developer Sentenced for Insider Trading

A former software manager who helped to build a customer portal for Equifax following its catastrophic 2017 breach has been sentenced to eight months of home confinement after pleading guilty to insider trading.

Sudhakar Reddy Bonthu, 44, of Atlanta, was also fined $50,000 and ordered to forfeit $75,979, according to the Department of Justice.

“Bonthu intentionally took advantage of information entrusted to him in order to make a quick profit,” said US attorney Byung Pak. “The integrity of the stock markets and the confidence of investors are impaired by those who use non-public information for personal gain.”

Bonthu, who was a software product development manager for Equifax’s Global Consumer Services team in August 2017, was called on to help develop an online interface designed for customers to check if they had been affected by the breach.

Although he wasn’t told directly that Equifax had been breached, Bonthu unsurprisingly worked it out for himself, also finding out the scale of the incident.

“On September 1, 2017, Bonthu bought 86 ‘put’ options in Equifax stock that expired on September 15, 2017. Those options allowed him to profit if the value of Equifax stock dropped within that two-week period. These trades also violated company policy, which did not allow employees to purchase option contracts in Equifax common stock,” the DoJ explained. 

“Equifax publicly disclosed the data breach on September 7, 2017, and its stock fell the next day. Bonthu then exercised his put options, making a profit of more than $75,000.”

Another insider trading case is still being fought. Former Equifax CIO Jun Ying has pleaded not guilty to charges related to his sale of $1m of shares. Prosecutors allege he did so after hearing about the incident, but before the company announced it.

Categories: Cyber Risk News

UK ISPs: Government Must Take Lead on Cybersecurity

Thu, 10/18/2018 - 09:10
UK ISPs: Government Must Take Lead on Cybersecurity

The UK’s ISPs have called on the government to streamline the number of regulatory bodies dealing with cybersecurity, improve cybercrime reporting processes and set minimum standards for the industry.

The latest survey from the Internet Services Providers’ Association (ISPA) found that 88% suffer regular cyber-attacks: half of these on a daily basis.

However, they’re responding appropriately. Cybersecurity is a high or very high priority when it comes to day-to-day operations for 61% of ISPs, and an overwhelming 94% said they expect to increase investment in the area over the next three years.

Some 86% also plan on implementing the NCSC’s Active Cyber Defence strategy, which the GCHQ body claimed this week had driven some encouraging results over the past two years.

ISPs are very much on the front line when it comes to cyber-threats facing their customers, so it’s heartening that all respondents claimed the industry should play a proactive role in handling attacks, while 78% said they already offer cybersecurity services to their customers.

However, there appears to be a distinct lack of confidence in the government’s role, especially when it comes to the regulatory environment.

“Despite increased awareness about the importance of cybersecurity, government and law enforcement must turn their words into actions,” argued ISPA chair, Andrew Glover.

“In order to ensure the UK has an effective cybersecurity regime, the government should streamline the number of organizations involved in the cybersecurity landscape to minimize confusion. This needs to be underpinned by clear minimum standards on cybersecurity, set by government, and improved online cybercrime reporting processes.”

Some 40% of ISPs believe the response to cybercrime could be improved if there was better collaboration and coordination within the industry, although half currently don’t share their experiences with peers.

The industry also believes law enforcers need to get better at tackling online crime.

Nearly two-thirds (62%) of respondents said cybercrime handling would improve if police took a more coordinated approach, while 31% suggested that better cybercrime training was necessary. These were also the top two priorities reported in the 2016 survey, suggesting little progress has been made since.

It was revealed earlier this year that UK police spent £1.3m on cybersecurity training over the past three years.

Categories: Cyber Risk News

Launch Day Catastrophe for Donald Daters App Users

Wed, 10/17/2018 - 16:32
Launch Day Catastrophe for Donald Daters App Users

Supporters of President Trump who want to date like-minded individuals had Emily Moreno, a former aide to Sen. Marco Rubio, to thank for creating the Donald Daters app, but their gratitude might have fallen flat after their information was leaked on the day the app was launched.

According to Time, Moreno confirmed the leak was discovered on October 15, 2018, by security researcher Elliot Alderson, who was able to download the entire database, which included the personal information of more than 1,600 users.

Information on users who were seeking to “Make America Date Again” included users’ names, profile pictures, device types, private messages and access tokens that can be used to log into their accounts, Alderson said in a tweet. The researcher also detailed how he found the database in a post on Medium.
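The page does not describe how the Donald Daters back end stored its tokens, so the following is an added example rather than the app's code: a stand-in for the failure mode in the story (a database dump that contains tokens which log a user straight in) beside a hardened store that persists only a digest and an expiry, so that the same dump yields nothing an attacker can replay. The user IDs, the one-hour lifetime and the injectable clock are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # constructed policy: access tokens expire after one hour


class PlaintextTokenStore:
    """The failure mode in the story: the bearer token itself sits in the database."""
    def __init__(self):
        self.rows = {}  # token -> user_id

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self.rows[token] = user_id
        return token

    def authenticate(self, token):
        return self.rows.get(token)

    def dump(self):
        """What an attacker gets by downloading the table: every live token."""
        return list(self.rows)


class HashedTokenStore:
    """Persist sha256(token) and an expiry; a dump contains no usable credential."""
    def __init__(self, now=time.time):
        self.rows = {}  # digest -> (user_id, expires_at)
        self._now = now

    @staticmethod
    def _digest(token):
        # The token carries 256 bits of entropy, so a plain SHA-256 suffices:
        # the digest cannot be brute-forced back to the token, and no salt is
        # needed because every token is already unique and unguessable.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, ttl=TOKEN_TTL_SECONDS):
        token = secrets.token_urlsafe(32)
        self.rows[self._digest(token)] = (user_id, self._now() + ttl)
        return token  # handed to the client once, never written to storage

    def authenticate(self, token):
        # Lookup is by digest: a timing leak here could reveal at most the
        # digest, which is exactly what the database already holds and which
        # still does not let anyone log in.
        row = self.rows.get(self._digest(token))
        if row is None:
            return None
        user_id, expires_at = row
        if self._now() >= expires_at:
            self.rows.pop(self._digest(token), None)  # expired: clean up
            return None
        return user_id

    def revoke(self, token):
        self.rows.pop(self._digest(token), None)

    def dump(self):
        return list(self.rows)


def replay_dump(store):
    """Breach simulation: present every dumped value as if it were a token."""
    return [uid for uid in (store.authenticate(v) for v in store.dump()) if uid]
```

`replay_dump` on the plaintext store returns one user per row, which is the situation the researcher described; on the hashed store it returns nothing, because hashing a dumped digest again never matches a stored row. Short lifetimes and `revoke` limit the window for any token that does leak from the client side, which hashing cannot help with.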

"This is just the tip of the iceberg,” said Aaron Lint, chief scientist at Arxan. “We all know that applications are weak spots in corporate infrastructure because of the lack of true ownership for app security. Again, we see evidence of how the software itself betrays the back end. When critical data passes through your app, it can be trivially exfiltrated by attackers. Leaving the application unprotected is leaving the data in transit unprotected.”

Leaked data is not the only risk posed to users of dating apps and websites, and the Donald Daters app is not the only dating service to make headlines this week. Barclays research reported by the BBC this morning found that an online dating scam costs its victim around £2,000, and that thousands of people are losing money to such scams.

“It’s not surprising to hear dating scams are costing people dearly. We previously found that 38% of people openly share their email address in their dating profiles and 7% of people even share their passwords with people via dating sites,” said Raj Samani, chief scientist and fellow at McAfee.

“Sharing this personal information puts people directly in the firing line for hackers and scammers wanting to cash in on the online dating phenomenon. We urge dating site users to keep sensitive data such as email addresses, full names and phone numbers private. And those looking for love online need to make sure the apps they’re using are protected with strong, secure passwords to further avoid the security risks of online dating.”

Categories: Cyber Risk News