On the final day of the Cyber: Secured Forum in Dallas, moderators hosted a series of discussions in which attendees played a crucial part in putting forth solutions to some of the most pressing cyber–physical topics facing the security industry.
Attendees were divided into four different groups to collaborate on responses to some of the biggest cyber–physical challenges, including:
- The Tenants of a Cybersecurity Hardening Guide
- Privacy in the Age of Connected Devices
- Show Me the Money: The Considerations for Monetizing Cybersecurity as an Integrator
- Gap Analysis – How the Security Industry Should Address Cybersecurity
In coming together to share their responses, attendees expressed their collective ideas. One of the key concerns for integrators is understanding how to monetize cybersecurity. In order to do this successfully, integrators need to acquire an array of skill sets that they might not have. For those that are looking to grow and be the experienced industry provider, they need to rely on the skills of others while they themselves grow and learn.
While it’s not all about the money, business is all about the money. Unfortunately, connectivity has opened up a Pandora’s box of opportunity and challenges for the physical security industry. Integrators are seeking to monetize cybersecurity services while ensuring new threats to their customers are mitigated in the systems they deploy.
In looking at privacy in the age of connected devices, attendees recognize that the lack of security in the internet of things poses not only digital but also physical privacy vulnerabilities. As such, solutions providers are working to ensure that their connected products are hardened out of the box and that the folks deploying them have the guidance to ensure that they provide customer value, not cybersecurity headaches.
The security industry needs to shift its siloed thinking in order to really address cybersecurity. One overarching theme of the Cyber: Secured Forum was that the lines between physical and cybersecurity are slowly disappearing. The vulnerabilities are overlapping, the risks are expanding and the ability to mitigate risks is hampered by an ever-growing skills gap. Collaboration, now more than ever, is key.
“There’s not really a difference from the hacker perspective. They are trying to use whatever avenue they can to exploit your company,” Finney said. Where once penetration testers might have only tested the network, now Finney has pen testers come to campus and try to break into the wireless network or use social engineering methods to access areas of campus where they aren’t supposed to be.
While the university is charged with protecting student data, Finney said, “We also want to protect them, wherever they are.”
The security industry is made up of people. In physical and cybersecurity, “both of us make our spouses sit with their backs to the restaurant so that we can see all the exits. We both integrate highly complex technologies, and we both know that the bad guys are going to figure out what our defenses are,” Finney said.
For years, it was believed that you couldn't have cybersecurity without physical security, but today, Finney said, the opposite is also true.
Finney shared lessons he learned as the CISO of Southern Methodist University, which has integrated support for physical security technologies and cybersecurity on the same team, prompted by a major event on campus.
The opening ceremony of the George W. Bush Presidential Library and Museum was planned on the SMU campus, and Finney explained that the Secret Service told him that the event would be the biggest security event because five living presidents would be in attendance.
Finney said that his team has completed a campus-wide lock-down initiative, centralized support and increased response time to improve security for the event with the help of an integrator. The initiatives then had the lingering effect of improving the student experience, which has successfully helped to reduce crime on campus – all while hardening systems against hacking.
Senior ministers from the UK, Australia, Canada, New Zealand and the United States have announced their support of weakening encryption, essentially asking tech companies to install backdoors in encrypted communications.
The news comes following a two-day security summit in London, where home affairs, interior security and immigration ministers of the ‘Five Eyes’ countries discussed current and emerging threats which could undermine national and global security.
As detailed in an official UK government release, “During a roundtable with tech firms, ministers stressed that law enforcement agencies’ efforts to investigate and prosecute the most serious crimes would be hampered if the industry carries out plans to implement end-to-end encryption, without the necessary safeguards.”
Home Secretary Priti Patel said: “The Five Eyes are united that tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals or put vulnerable people at risk.
“We heard today about the devastating and lifelong impact of child sexual exploitation and abuse, and agreed firm commitments to collaborate to get ahead of the threat.
“As Governments, protecting our citizens is our top priority, which is why through the unique and binding partnership of Five Eyes we will tackle these emerging threats together.”
Also speaking at the conclusion of the two-day conference was United States Attorney General William P. Barr. Barr said that encryption presents a unique challenge and the Five Eyes partnership has a duty to protect public safety, including those related to the internet.
“We must ensure that we do not stand by as advances in technology create spaces where criminal activity of the most heinous kind can go undetected and unpunished.”
However, Javvad Malik, security awareness advocate at KnowBe4, said that calls to weaken encryption, or to place backdoors in, are periodically made by ill-informed politicians.
“No matter how hotly this is debated, it can't change the maths behind encryption, which will either work or not. Weakening encryption will do more harm than good, as it will leave all communication vulnerable and allow bad actors to compromise legitimate traffic,” he argued.
Organizations in the financial services sector have repeatedly been impacted by attackers leveraging credential stuffing and unique phishing attempts, according to newly released data in Akamai’s 2019 State of the Internet/Security Financial Services Attack Economy Report.
The report found that 50% of all the companies impacted by observed phishing domains were in the financial services sector. The report reflects the analysis of 3.5 billion attempts during an 18-month period that have put the personal data and banking information of financial services customers at risk.
Researchers observed that, between December 2, 2018, and May 4, 2019, 197,524 phishing domains were discovered. Customers were directly targeted in 66% of those attacks. In addition, “94% of the attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period), based on Akamai’s calculations,” according to the report.
“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”
Criminals are using "bank drops," which researchers explained are packages of data that include a person’s stolen identity, that can be used to open accounts at a given financial institution. The packages are known as "fullz" by criminals online and include an individual’s name, address, date of birth, Social Security details, driver’s license information and credit score.
While financial institutions are trying to understand the methods criminals are using to open these drop accounts, attackers are gaining more success because they continue to target the financial services industry.
“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” said McKeay. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyze, and defend against an intelligent criminal who’s using multiple different types of tools for a business to protect its customers.”
UK businesses are stepping up their preparations for a potentially tortuous split from the EU, with a third moving some operations to the continent to avoid data privacy regulatory issues, according to new research.
Business process outsourcer Parseq polled 500 decision makers in businesses with 250+ employees about how Brexit might impact their current data privacy obligations.
Although the GDPR is technically transposed into UK law, the country will require an “adequacy decision” from the European Commission to ensure unhindered data flows after it leaves the trading bloc – something that is certainly not guaranteed.
That’s why the vast majority (89%) of firms polled by Parseq said they’d taken proactive measures.
Around a third (35%) said they’d refocused their client base to the UK, while a similar number (32%) had transferred operations to the EU.
Nearly two-fifths (37%) said they have audited data flows to and from the EU and even more (42%) have sought advice from regulator the Information Commissioner’s Office (ICO).
Craig Naylor-Smith, managing director at Parseq, argued that UK firms are currently operating on shifting sands given the lack of clarity over post-Brexit data transfer arrangements.
“The Data Protection Act (2018) transposed the GDPR into UK law, but if the rules in Europe diverge once we leave the EU it could make transferring personal data to and from the continent more difficult — a vital consideration for businesses in our increasingly connected, digital world,” he added.
“With this in mind, it’s encouraging to see so many firms take proactive steps to prepare for the prospect of regulatory changes. However, with an even proportion of firms increasing their European presence and refocusing their position to the UK, it’s clear the best course of action will depend on individual strategies.”
The bottom line is: UK businesses must consider how Brexit could impact data privacy regulations as a matter of urgency, he said.
The US-CERT has been forced to issue an ICS alert after a security researcher revealed major cybersecurity shortcomings in small aircraft which could enable attackers to cause crashes.
The issues lie with the CAN bus networks, a common feature of automobiles which connect electronic sensors and actuators.
“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” the alert noted.
“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”
The research itself was carried out by Rapid7’s Patrick Kiley, who is also a pilot. He spotted an over-reliance in the avionics sector on physical security and called for more defense-in-depth.
“Just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less,” he argued in a blog post introducing the research.
“Think about it: if you felt like your internal LAN was totally and completely untouchable by attackers, you probably wouldn't worry much about software patching or password management. Of course, LANs aren't impregnable, and neither are CAN bus networks, so we're worried about this mindset when it comes to avionics security.”
The hope is that, just as greater scrutiny of these systems in the automotive industry has led to steps being taken to mitigate risk, the same can happen in the light aircraft space.
Researchers are warning of a potentially serious Android ransomware threat that spreads via malicious links in SMS messages and posts in forums.
ESET malware researcher, Lukas Stefanko, explained in a blog post that Android/Filecoder.C has been active since at least July 12 — distributed via Reddit posts and an Android developers forum known as “XDA Developers.”
“Using victims’ contact lists, it spreads further via SMS with malicious links,” he continued.
“Due to narrow targeting and flaws in execution of the campaign, the impact of this new ransomware is limited. However, if the operators start targeting broader groups of users, the Android/Filecoder.C ransomware could become a serious threat.”
Once the malware sends itself out via malicious SMS links it will encrypt most files on the victim device and request a ransom. The texts that contacts of the victim receive try to socially engineer them into clicking by claiming that their photos have been found in an app.
Most of the malicious forum and Reddit posts discuss porn-related topics, although some are also tech-related. Links, sometimes shortened, or QR codes are used to point to the malware, explained Stefanko.
“To maximize its reach, the ransomware has the 42 language versions of the message template seen in Figure 5. Before sending the messages, it chooses the version that fits the victim device’s language setting. To personalize these messages, the malware prepends the contact’s name to them,” he continued.
“The malware contains hardcoded C&C and Bitcoin addresses in its source code. However, it can also dynamically retrieve them: they can be changed any time by the attacker, using the free Pastebin service.”
If users delete the ransomware app then their device will be encrypted for good, although there’s nothing to support the claim on the lock screen that affected data will be lost after 72 hours, ESET said.
The ransom itself is relatively small, around $94-$188.
The security vendor urged Android users to stick to the official Google Play store for app downloads, keep their devices up-to-date at all times, pay attention to permissions requested by apps and download AV to their handsets.
Customers reportedly received an email in which the company explained that an unauthorized third party had gotten access to the personal information of “some customers,” reportedly those in Australia, Hong Kong, Indonesia, Malaysia, New Zealand, the Philippines, Singapore and Thailand.
The exposed information included the users’ first and last name, date of birth, gender, email address, encrypted password and data related to “beauty preferences,” according to what Alia Gogi, managing director of Sephora Southeast Asia, reportedly wrote in an email.
Additionally, Gogi added that no credit card information was accessed and the company has “no reason to believe that any personal data has been misused,” the report said.
"It is a great challenge for many organizations to standardize their cybersecurity operations globally. Varying regulations for both security and privacy come into play, especially when dealing with an enterprise that operates around the globe,” said George Wrenn, founder and CEO of CyberSaint Security.
“This breakdown is why we see many large organizations flock to an integrated risk management (IRM) approach. IRM is allowing organizations to aggregate risk and compliance data from all business units and make smarter and more informed decisions. With the patchwork of regulations that are emerging around the world, cybersecurity leaders must be prepared to integrate their organizations to stay wholly aware of the posture of their organization."
Fraudsters and cyber-criminals have easy access to customer data given the mega breaches of the past few years, and Kevin Gosschalk, CEO, Arkose Labs, said that each subsequent breach only adds to the available information on the dark web, creating a paradigm of fraudulent activity.
“These types of incidents provide cyber-criminals with the incentive and tools they need in order to commit ongoing, lucrative and easy fraud. In this case, the information hackers had access to, including encrypted passwords and email addresses, can now be weaponized in future account takeover (ATO) attacks. While Sephora has cancelled all existing passwords as an immediate first step, customers are inherently still at risk,” Gosschalk added.
"There is an ongoing onus on Sephora to safeguard its customers against future cybercrime associated with their password vulnerabilities. Our reality is that cybercrime is a well-funded and connected business where fraudsters have access to sophisticated tools and resources to launch attacks. This breach is yet another incident that provides them with the exact ammunition they need. The longer-term solution will come from eliminating the economic incentives behind these attacks through the use of integrated strategies that detect fraud in real time and block attacks from being successful.”
Enterprises in the midst of digital transformation are finding that physical security and its convergence with cyber and information security requires that they consider new approaches to risk management, according to a panel of industry leaders at today’s Cyber: Secured Forum in Dallas.
The panelists represented an array of industries from companies such as Southern Methodist University, Glasswing Ventures, McAfee, Comcast Cable and Booking Holdings, all sharing “A View from the CISO’s Office.”
Concerns range from active shooters and the physical safety of students to how to secure the critical data sources that more and more employees within the organization are accessing.
The challenge with cybersecurity in some organizations is that they have to sell cyber within the organization because of existing cultures, but integrating and blending IT and physical security has the potential to bring everything together in a single pane of glass, said Mark Weatherford, global information security strategist at Booking Holdings.
Technology can solve some of the physical and IT integration issues, including those related to the provisioning and de-provisioning of employees. The pace of innovation is accelerating, and the longer you put off a focus on cybersecurity, the greater the challenge will be when you finally address it, according to the panelists.
Security orchestration is an issue that is improving, according to the panelists, which helps organizations manage and identify in order to mitigate risk. In the IT culture, there’s long been a habit of getting rid of products that don’t work, which hasn’t always been the case in the physical security world. “They don’t integrate as fast,” Weatherford said. “In the physical security world it’s been a different culture with respect to buying things.”
The panelists speculated on how convergence and integration will continue to play out over the next several years, and one panelist said there is a great opportunity for physical security companies to acquire cybersecurity providers in order to converge capabilities. The very definition of physical devices is changing, which has created a lot of opportunity for the physical feature set moving forward, one panelist noted.
The biggest challenges in dealing with the convergence of physical and cybersecurity are culture, language, perception and budget, according to Mark Weatherford, global information security strategist at Booking Holdings, who delivered the keynote speech at today’s Cyber: Secured Forum in Dallas.
Weatherford shared an anecdote from a few months ago when he came to realize that “sometimes we get so wrapped up in technology and thinking about how we can solve the world’s problems that we don’t realize the issue is really about money.”
Admittedly hyperbolic, Weatherford said he sees some truth in a quote from Allan Schiffman, who said, “Amateurs study cryptography; professionals study economics.”
The adversary’s goals are about money, which is why the provenance of the supply chain is critically important. “Cybersecurity can now interrupt that supply chain in a variety of different ways,” Weatherford said.
Because organizations depend on a vast and complex supply chain ecosystem, the industry is facing a perfect storm in which the internet of things (IoT) is innovating faster than the speed of security. “Laws and law enforcement are limited, inconsistent and unenforced,” Weatherford said.
Despite the rapid pace of innovation, cybersecurity has no national boundaries and no international norms of behavior and is complicated further by the reality that everyone can have anonymous access to vast resources and information. Some companies still rely on 30- to 40-year-old protocols with little to no security.
“The security community hasn’t done ourselves any favors,” said Weatherford. “When a naïve user can take down an entire company by clicking on a bad link, face it, our security stinks.”
Still, businesses are integrating technologies faster than they can keep up with it. “There are three basic components that we always talk about: people, processes and technology. But it is harder to hire people and develop processes, so they buy technology,” said Weatherford.
The good news is, according to Weatherford, that the industry is starting to see a trend where companies that are spending money are having a positive effect on the security of their organizations. Still, insider threats remain the number-one vector into companies today.
“Security convergence refers to the convergence of two historically distinct security functions – physical security and information security – within enterprises. Both are integral parts of any coherent risk management program,” Weatherford said.
The value proposition in convergence is that it helps eliminate silos, provides situational awareness and more unified and strategic security governance, eliminates duplicate processes, allows for more distributed resources and guides strategic planning, Weatherford said.
The most common configuration problems found in the majority of penetration tests can be easily resolved with straightforward fixes.
- Brute forcing accounts with weak and guessable passwords
- Kerberoasting
- Excessive file system permissions
- The EternalBlue vulnerability
- Windows Management Instrumentation (WMI) lateral movement
Chris Nickerson, founder of Lares, said that these top five findings were common in “95% of the tests.”
Specifically, Lares confirmed that in three of the five most common findings, security basics including password, privilege and patch management could resolve the issues and that “every single vulnerability can be avoided or eliminated through better cybersecurity hygiene practices.”
In the case of brute forcing accounts, this can be resolved with the use of multi-factor authentication or with account lockout policies, while 'kerberoasting' can be managed with strong passwords, both in terms of length and complexity.
Meanwhile, “excessive file system permissions” can be mitigated with tools to detect file permissions abuse, enabling installer detection for all users and limiting the privileges of user accounts and groups.
Also, while it was publicly disclosed in 2017, the EternalBlue vulnerability can be mitigated by applying the Microsoft patch, disabling SMBv1 and blocking inbound SMB at your perimeter.
The only one of the top five which is not resolved with standard 'basics' is WMI lateral movement, which Lares said can be mitigated by disabling WMI or RPCS, restricting non-administrator users from connecting remotely to WMI, and preventing credential overlap across systems of administrator and privileged accounts.
In an email to Infosecurity, Nickerson said that WMI is rarely protected or restricted, so it tends to be a widely used vector for access/execution. “For instance: the most common way we bypass 2FA logins in RDP is using WMI directly,” he explained.
Asked if he felt that this shows a lack of network visibility, or whether that is not really possible as lateral movement is a common issue, he agreed saying “there are ways to correlate logs of using WMI on a host to detect spraying or one to many/many to one execution, so there is opportunity to pick up its use and artefacts of its execution on the host.”
He also said that east/west traffic analysis is lacking in many environments, and “the most optimal solution is to ‘chain’ the detection techniques to correlate UBA, network traffic analysis and host based execution.”
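The host-log correlation Nickerson describes, as an added example (not code from Lares or the original article): it flags one-to-many and many-to-one remote WMI execution inside a sliding time window. The normalized record format, host and account names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per remote WMI execution observed on a host,
# already normalized to "timestamp src=<caller> dst=<target> user=<account>".
# The format and every name in it are assumptions made for this example.
SAMPLE_LOG = """\
2019-07-30T08:00:00Z src=MGMT-01 dst=SRV-01 user=adm_ops
2019-07-30T09:00:05Z src=WKS-014 dst=SRV-01 user=adm_jdoe
2019-07-30T09:00:40Z src=WKS-014 dst=SRV-02 user=adm_jdoe
2019-07-30T09:01:10Z src=WKS-014 dst=SRV-03 user=adm_jdoe
2019-07-30T09:01:45Z src=WKS-014 dst=SRV-04 user=adm_jdoe
2019-07-30T09:02:20Z src=WKS-014 dst=SRV-05 user=adm_jdoe
2019-07-30T11:00:00Z src=MGMT-01 dst=SRV-02 user=adm_ops
2019-07-30T14:10:00Z src=WKS-020 dst=DC-01 user=svc_inv
2019-07-30T14:11:00Z src=WKS-021 dst=DC-01 user=svc_inv
2019-07-30T14:12:00Z src=WKS-022 dst=DC-01 user=svc_inv
2019-07-30T14:13:00Z src=WKS-023 dst=DC-01 user=svc_inv
"""


def parse_events(text):
    """Parse normalized lines into dicts; skip blank or incomplete lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if not {"src", "dst", "user"} <= fields.keys():
            continue  # incomplete record, ignore rather than guess
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def _fan(events, pivot_field, peer_field, window, threshold):
    """For each pivot host, find the largest set of distinct peers seen
    within any sliding window; report it if it reaches the threshold."""
    by_pivot = defaultdict(list)
    for ev in events:
        by_pivot[ev[pivot_field]].append(ev)

    alerts = {}
    for pivot, evs in by_pivot.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        best = set()
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peers = {e[peer_field] for e in evs[start:end + 1]}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            alerts[pivot] = sorted(best)
    return alerts


def detect_wmi_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Return hosts showing one-to-many or many-to-one WMI execution."""
    return {
        # One caller reaching many targets in a short time (spraying).
        "one_to_many": _fan(events, "src", "dst", window, threshold),
        # Many callers converging on one target in a short time.
        "many_to_one": _fan(events, "dst", "src", window, threshold),
    }


if __name__ == "__main__":
    result = detect_wmi_fanout(parse_events(SAMPLE_LOG))
    for kind, hits in result.items():
        for pivot, peers in hits.items():
            print(f"{kind}: {pivot} <-> {', '.join(peers)}")
```

The two MGMT-01 events are three hours apart and stay below the threshold, which is the tuning point: the window and threshold have to be set against what routine administration looks like in the environment.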
Infosecurity asked Nickerson if he felt that four of the top five most common findings being fixed with common techniques was a positive thing, or if it was demoralizing that basic security is proving to be so difficult.
Nickerson said: “It seems to me that these techniques are not only the basics, but they have been a common way to compromise enterprises for years. It indicates to me that we are still stuck in the ‘buy a thing to make us secure’ mentality versus ‘tune what we have to work better.’
“The good part is that these techniques are addressable with fairly simple configuration. I think the industry is starting to catch on to the fact that they need to constantly tune their environment and not just buy ‘x’ new product.”
Nickerson praised the work of “purple team” type engagements that focus on defensive improvement, rather than the “traditional hack and report.”
“Many teams are still operating from a ‘vulnerability focused perspective,’ the shift to including techniques in their protection/detection strategy is the next evolution of the defensive program and will be a major change in measuring the effectiveness of their controls,” he said.
“Testing for vulnerabilities and techniques (like integrating testing and tuning based on the descriptions provided by Mitre's ATT&CK framework) will help programs stay ahead of the curve and begin tracking how their defenses improve over time, opposed to the never ending vulnerability tail chase.”
Personal information on thousands of Los Angeles Police Department (LAPD) officers and applicants appears to have been stolen in a breach of local government security.
The suspected hacker claims they have their hands on the data of 2500 LAPD officers, trainees and recruits, and around 17,500 police officer applicants.
Reports suggest the City of LA was contacted by the individual last week, and its IT Agency has been forced to apply extra security around its IT systems. Those affected by the breach are said to have been contacted.
It’s not 100% clear if the hacker has access to all of the data they claim, although officer names, dates of birth, Social Security numbers, emails and passwords could be part of the trove.
The LA Police Protective League, a police officers’ union, issued a strongly worded statement in response.
“The data breach that exposed personal information of Los Angeles police officers and those applying to become police officers is a serious issue for our members. We urge the City of Los Angeles to fully investigate the lapse in security and to put in place the strongest measures possible to avoid further breaches in the future,” it said.
“We also call upon the city to provide the necessary resources and assistance to any impacted officer who may become the victim of identity theft as a result of this negligence so that they may restore their credit and/or financial standing.”
Total losses of data and devices by the UK’s Ministry of Defence (MoD) have risen by nearly 300% over the past two years, according to official figures.
The figure jumped from 117 incidents in 2017-18 to 463 in 2018-19, according to the MoD’s annual report.
Within that figure, “loss of inadequately protected electronic equipment, devices or paper documents from secured government premises” jumped over 180%, from 22 to 62.
There were fewer losses of that type from outside secured government premises: just 21 in 2018-19, up from 11 over the previous two years.
However, “unauthorized disclosure” incidents soared from 73 to 352 over the period.
“It’s very concerning to see sensitive documents or equipment go missing from secure locations, particularly as the UK faces a growing range of threats,” said shadow defense secretary, Nia Griffith.
“The new secretary of state must ensure his department does everything it can to trace these devices and prevent future security breaches.”
Andy Harcup of data security firm Absolute Software also argued that rising thefts of mobiles and laptops pose a serious security risk.
“Each device contains a goldmine of confidential data which could be exploited by hackers, foreign states or even a rogue employee,” he added.
“It’s vital all government organizations ensure devices are properly protected with endpoint security, so they can track, secure and freeze them if they fall into the wrong hands.”
This isn’t the first time the MoD has been found wanting over cybersecurity. Last year reports emerged that there were 37 recorded breaches of security protocol over the previous 12 months.
These include: sending sensitive information unprotected over the internet, connecting mobile devices to ministry networks without checking first for malware and devices, documents and rooms left unsecured.
Capital One has announced a major breach of customers’ personal data, affecting over 100 million Americans and a further six million in Canada.
The financial institution blamed “unauthorized access by an outside individual” who has been arrested by the FBI and is now in custody.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the firm explained.
“This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
However, the trove also included 140,000 Social Security numbers, 80,000 linked bank account numbers and one million Canadian Social Insurance numbers.
The bank blamed a “configuration vulnerability” exploited by the suspected attacker, but said “this type of vulnerability is not specific to the cloud.
“The elements of infrastructure involved are common to both cloud and on-premises data center environments,” it added.
In fact, according to a statement from the US Department of Justice, it appears as if the individual is “a former Seattle technology company software engineer” at a cloud computing provider who posted the details of the breach on GitHub.
Reports suggest the person in question, Paige Thompson, worked at Amazon Web Services.
“The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” it revealed.
“On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.”
The revelation that a tech insider stole highly sensitive customer data from a client should not affect the overall migration to public cloud environments, according to Igor Baikalov, chief scientist at Securonix.
“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds,” he argued.
“This fact alone shouldn't be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third-party security and insider threat programs for both providers and consumers of public cloud services.”
New vulnerabilities give hackers the ability to bypass the payment limits on Visa contactless cards regardless of the card terminal, according to new research from Positive Technologies.
In a July 29 press release, Positive Technologies said that researchers tested the flaws several times with five major UK banks and with cards and terminals outside of the UK. They found that the limits could be bypassed 100% of the time and could allow an attacker to steal from accounts.
“The attack works by manipulating two data fields that are exchanged between the card and the terminal during a contactless payment. Predominantly in the UK, if payment needs an additional cardholder verification (which is required for payments over 30 pounds in the UK), cards will answer 'I can’t do that,' which prevents against making payments over this limit. Secondly, the terminal uses country specific settings, which demand that the card or mobile wallet provide additional verification of the cardholder, such as through the entry of the card PIN or fingerprint authentication on the phone,” the press release said.
Checks were bypassed by using a device acting as a proxy to intercept communication between the payment terminal and the card, an attack known as man in the middle (MITM). These MITM attacks can also be accomplished using mobile wallets, allowing a fraudster to charge up to £30 without unlocking the phone.
“The device tells the card that verification is not necessary, even though the amount is greater than £30. The device then tells the terminal that verification has already been made by another means. This attack is possible because Visa does not require issuers and acquirers to have checks in place that block payments without presenting the minimum verification,” according to the release.
"The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing," said Tim Yunusov, head of banking security for Positive Technologies. "While it’s a relatively new type of fraud and might not be the number-one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers."
Working in the security operations center (SOC) is becoming increasingly painful because of a growing workload and alert fatigue, according to new research, Improving the Effectiveness of the Security Operations Center, published by the Ponemon Institute and sponsored by Devo Security.
Respondents cited malware (98%), known vulnerabilities (80%), spear-phishing (69%) and insider threats (68%) as the most identified exploits in the SOC.
“Most respondents rate their SOC’s effectiveness as low and almost half say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats and workplace stress on the SOC team are diminishing its effectiveness,” the report said.
In fact, 65% of respondents said that these pain factors would cause them to consider changing careers or leaving their job, and those frustrations exist even in those organizations that consider the SOC essential to their cybersecurity strategy, according to the report. SOCs are struggling, and most of the participants ranked their SOC’s effectiveness as low, with nearly half reporting the SOC is not fully aligned with business needs.
As a result of these problems, 78% of respondents say the mean time to resolution (MTTR) can be weeks to months – even years. “Only 22 percent of respondents say resolution can occur within hours or days. Forty-two percent of respondents say the average time to resolve is months or years,” according to the report. In addition to the lack of visibility, threat hunting was also ranked as a top challenge.
“Threat hunting teams have a difficult time identifying threats because they have too many IOCs [indicators of compromise] to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise and too many false positives. More than half of respondents (53 percent) rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives,” the report said.
A new scam is impersonating WhatsApp and using the fraudulent claim that its victims will receive "free internet," according to ESET researchers.
“Researchers in Latin America received a message on WhatsApp stating that the app was giving away 1,000 GB of internet data to celebrate its anniversary. It shouldn’t come as much of a surprise when we say that it was a scam,” the report said, before looking at the situation in greater detail.
The URL seemed suspect to the researchers, who noted that it wasn't an official WhatsApp domain. “Even though businesses may sometimes run promotions through third parties, the rule of thumb here is to check on the company’s website to make sure any promotion is real and valid,” researchers added.
Indeed, clicking on the link delivers the user to a survey page with the WhatsApp logo at the top. Not surprisingly, those who fall for the scam and start answering questions are then invited to share the link with 30 friends in order to be entered in the drawing to win.
“Apparently their goal here is click fraud – a highly prevalent monetization scheme that relies on racking up bogus ad clicks that ultimately bring revenues for the operators of any given campaign,” the report said. Because it can be repurposed to perform a variety of other functions, click fraud presents many different threats.
“Even though in this case we found no evidence that clicking the link led to the installation of malicious software or that there was any intention to phish for personal information, it doesn’t mean that this cannot change at any time.”
Researchers added that the domain used in this scam is also hosting other fraudulent offers from high-profile companies, including Adidas, Nestlé and Rolex.
Russian state-sponsored trolls have been in action again, this time co-ordinating fake news efforts on social media designed to influence last week’s Ukraine elections.
The news was revealed by Facebook’s head of cybersecurity policy, Nathaniel Gleicher.
The campaign in Ukraine focused on two main areas: one originating in Russia which led to the removal of 18 Facebook accounts, nine pages, and three groups; and another originating from Russia and the Luhansk region of Ukraine which led to the removal of 83 Facebook accounts, two pages, 29 groups, and five Instagram accounts.
In the former, those behind the operation created fake accounts, impersonated dead Ukrainian journalists, hid their true location and drove users to other websites. It involved frequent criticism of the Ukrainian government ahead of the presidential elections last week.
The second operation involved users posing as members of the Ukrainian military and focused on the conflict in the east of the country, centered around Luhansk.
However, the activity stretched well beyond Ukraine to the other side of the world.
Gleicher explained that his team was also forced to remove 12 Facebook accounts and 10 Facebook pages after spotting a fake news effort in Thailand designed to influence public opinion. It appears to have links with the Russian state.
“The people behind this small network used fake accounts to create fictitious personas and run pages, increase engagement, disseminate content, and also to drive people to off-platform blogs posing as news outlets,” he said.
“They also frequently shared divisive narratives and comments on topics including Thai politics, geopolitical issues like US-China relations, protests in Hong Kong, and criticism of democracy activists in Thailand. Although the people behind this activity attempted to conceal their identities, our review found that some of this activity was linked to an individual based in Thailand associated with New Eastern Outlook, a Russian government-funded journal based in Moscow.”
Facebook also removed 181 accounts and 1488 pages involved in a coordinated inauthentic activity campaign in Honduras. It traced these efforts back to social media managers in the government there.
The UK has been slammed for illegally copying and sharing a database of EU citizens, but is taking “practical steps” to address the issue, according to a new report.
European commissioner for security, Julian King, refused to cite the UK by name when challenged on the findings of a classified report revealed by EU Observer.
He told the site, “those are meant to be confidential discussions that we have with the individual member states.”
However, King did say that measures were being taken to address the failings outlined in the report.
It apparently details how the UK broke data protection laws by making multiple copies of the EU’s Schengen Information System (SIS) database, which contains the details of suspects, undocumented migrants and others wanted by the police.
Although the UK is not in the travel-free Schengen zone, it has been granted access to the SIS since 2015 for security purposes.
It’s claimed that the multiple copies exposed the data to an increased risk of loss or theft, as did the UK government’s sharing the information with contractor IBM, which may have been obliged to hand it over to the US authorities under the terms of the Patriot Act.
The report also claims that as the database is continually updated, the UK’s versions, stored on laptops and PCs at airports and in government offices, are always out-of-date, meaning some individuals could be wrongly identified.
Together, these issues “constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects,” the report is said to have stated.
However, King claimed it wasn’t just the UK which had fallen short on data protection best practice.
“It is not just one member state that has some challenges in this area, there are a number of member states that have challenges in this area,” he said.
The revelations come at a crucial juncture as the UK seeks to leave the EU following a change of Prime Minister and accession of a right-wing government. One of the key areas of discussion between negotiators on both sides is security, with the UK looking to maintain access to such databases and other information-sharing agreements.
A British cybersecurity researcher who was arrested in the US for historic hacking offenses has been spared jail time.
Marcus Hutchins, 25, sprang to fame in 2017 when he discovered a “kill switch” which helped to mitigate the impact of the infamous WannaCry worm.
However, a few months later things turned sour after he was arrested by police whilst attending Black Hat/Def Con in Las Vegas.
On bail since that time, Hutchins pleaded guilty back in April to two counts of creating and spreading malware. According to that plea, between July 2012 and September 2016, he helped create and, in partnership with another, sell malware known as UPAS-Kit and Kronos.
This malware was subsequently used in attacks to steal consumer banking log-ins and other details.
Hutchins’ lawyers had argued that he was still technically a child when he committed those felonies, and that he was now using those same skills “for constructive purposes.” They also claimed that some of the evidence against Hutchins should be inadmissible as he wasn’t fully aware of his rights at the time of interview.
Judge JP Stadtmueller appears to have agreed that Hutchins has "turned a corner." The Devon man will now be allowed to return to the UK, and is not liable for any fines. He was facing a 10-year stretch if found guilty but will now be required only to complete a year of supervised release.
The judge has gone even further, and recommended that Hutchins’ lawyers look into securing a pardon from the US state, as the judge himself does not have the power to grant one.
“@marciahofmann and I are thrilled that the judge recognized the important contributions @MalwareTechBlog has made to keeping the world secure and let him go home a free man. It’s been a true honor to represent him,” wrote Brian Klein of Baker Marquart LLP.
“Without precedent and more than appropriately, the judge even suggested @MalwareTechBlog explore a pardon. @marciahofmann and I plan to do so.”