Info Security

Subscribe to Info Security  feed
Updated: 26 min 53 sec ago

US Slaps Sanctions on Three North Korean Cyber Groups

Mon, 09/16/2019 - 09:45
US Slaps Sanctions on Three North Korean Cyber Groups

The US Treasury has finally announced sanctions on three notorious North Korean state hacking groups, which it accused of attacks designed to generate money for the country’s illegal weapons program.

The Office of Foreign Assets Control (OFAC) said on Friday that the sanctions would apply to Lazarus Group, Bluenoroff and Andariel. It effectively demanded that global banks block any transactions related to the groups.

All three entities have been pegged as under the control of the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence agency.

Lazarus Group is the largest and best known, having been blamed for the destructive malware attack on Sony Pictures Entertainment and WannaCry. Along with Bluenoroff hackers it is also said to have launched the daring $80m cyber-heist on Bangladesh Bank.

While Lazarus Group targets range far and wide — including government, military, financial, manufacturing, publishing, media, entertainment, international shipping and critical infrastructure — Bluenoroff was apparently set up explicitly with the aim of making money to overcome global sanctions on North Korea.

Andariel, meanwhile, is apparently focused on hacking ATMs, stealing customer information to sell on the dark web, and stealing from online gambling sites, as well as hacking South Korean military systems to gather intelligence.

The groups’ efforts also focused on cryptocurrency exchanges in a bid to generate more funds for Pyongyang’s missile and nuclear weapons programs, the Treasury claimed.

This chimes with allegations from the UN, denied by North Korea, that the hermit nation had amassed a trove of $2bn from “at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activity” across 17 countries.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber-attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury under secretary for terrorism and financial intelligence. 

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

Categories: Cyber Risk News

UK’s Environmental Agencies Lose Hundreds of Devices

Mon, 09/16/2019 - 08:40
UK’s Environmental Agencies Lose Hundreds of Devices

The UK government is in hot water again after Freedom of Information (FOI) requests revealed its Environment Department has misplaced hundreds of laptops and mobile devices over recent years.

Security vendor Absolute Software sent requests for info to the Department for Environment, Food, and Rural Affairs (DEFRA) and non-departmental public body the Environment Agency, which it sponsors.

They revealed that the two organizations lost a combined 540 devices over the past three financial years: DEFRA accounting for 100 of these and the Environment Agency reporting a total of 440.

Mobile phone losses were most common, with the Environment Agency again losing the lion’s share (363) and DEFRA just 63.

The Environment Agency misplaced 59 laptops over the period, with just 35 going missing from DEFRA, while only 21 tablet computers were lost in total – three from DEFRA and 18 from the Environment Agency.

Yet despite the headline stats, it’s the Environment Agency which appears to be improving its device security processes. It recorded an overall decrease of 24% in lost IT kit over the three-year period, while DEFRA witnessed a 43% increase.

A spokesperson from the Environment Agency played down the findings, claiming they should be seen in the context of the public body’s 10,000+ nationwide staff.

“Due to the nature of our work, we have operational staff working in the field to protect the environment and support our incident response capabilities,” the statement noted.

“Because of this there is always a risk that exposure to threats concerning mobile technology will be increased. All staff are required to work in accordance with our IT and security policies so that we continue to work toward minimizing losses, and risk associated with losses.”

Absolute Software vice-president, Andy Harcup was less forgiving, branding the losses “unbelievable.”

“Every single lost device is a potential goldmine of confidential information and should be properly secured so that if stolen it can be tracked, frozen and recovered,” he argued.

“It’s also critical that government agencies have capabilities in place so that when mobile devices are exposed to threats outside of their control, they are able to locate the devices whether they are on or off the network, and wipe the data on the devices in order to comply with critical regulations like GDPR.”

These are just the latest two government bodies to have had their device security policies scrutinized: the Ministry of Defence recorded a 300% increase in losses of both devices and sensitive data over the past two financial years, according to Absolute Software.

Categories: Cyber Risk News

Symantec Axes Hundreds of US Jobs

Fri, 09/13/2019 - 18:08
Symantec Axes Hundreds of US Jobs

American software giant Symantec is cutting hundreds of jobs at four different sites across the US as part of a $100 million restructuring program.

Government filings of notices made by the company in August under the Worker Adjustment and Retraining Notification (WARN) Act indicate that the roles of 230 Symantec employees will be terminated on October 15, 2019.  

The company's Californian headquarters at Mountain View will bear the brunt of the losses, with 152 job cuts expected. In San Francisco 18 jobs will go, and a further 24 will be axed from the company's site in Springfield, Oregon. In Culver City, Los Angeles County, 36 positions will be scrapped. Employees were notified in early August. 

The cuts will affect many different job classifications but most of the roles targeted were primarily related to tech work. According to the Employment Development Department (EDD) filings made by Symantec in California, many software engineer and software development engineer jobs are to go along with a raft of middle-management positions.

In a letter which accompanied the filings, Symantec wrote: “Layoffs are expected to be permanent," before stating, "None of the affected employees are represented by a union, and no bumping rights exist."

Symantec, which supplies 50 million people with Norton antivirus software and LifeLock identity theft protection, has over 11,000 employees globally. The US job cuts are part of a planned 7% reduction in Symantec's international workforce announced last month alongside news of the company's $10.7 billion sale of its enterprise division to San Jose chipmaker Broadcom.

News of the cuts come amid rumors that Symantec has received interest from two private-equity suitors who, according to the Wall Street Journal, are seeking to buy the cybersecurity firm for more than $16 billion.

The Journal reported that "Permira and Advent International Corp. recently approached Symantec proposing a takeover deal valuing Symantec at $26 to $27 a share that would hand them the company’s consumer operation while preserving the sale of its enterprise business to Broadcom Inc." 

With the sale of its enterprise arm to Broadcom pending, it's not clear how the proposed deal would work if it was to go ahead.

Categories: Cyber Risk News

Cybersecurity Firm Employees Charged with Burglary of Courthouse Client

Fri, 09/13/2019 - 17:05
Cybersecurity Firm Employees Charged with Burglary of Courthouse Client

Two employees of a Colorado cybersecurity firm hired to test the security of an Iowa courthouse have been charged with burglary after allegedly breaking into the building.  

Gary Edward Demercurio, 43, of Seattle, Wash., and Justin Lawson Wynn, 29, of Naples, Fla., were arrested at approximately 1 a.m. on Wednesday morning after being found inside the Dallas County Courthouse in possession of burglary tools. 

Dallas County deputy sheriffs arrived at the scene after an alarm at the courthouse at 908 Court Street in Adel was tripped.

Demercurio and Wynn, who both work for global cybersecurity firm Coalfire, have been charged with third-degree burglary and possession of burglary tools. 

At the time of their arrest, Demercurio and Wynn told Dallas County deputy sheriffs that "they were contracted to break into the building for Iowa courts to check the security of the building."

In a press release issued later that day, Iowa Judicial Branch confirmed that while the state court administration had hired cybersecurity firm Coalfire to carry out security testing, the midnight shenanigans allegedly committed by Wynn and Demercurio were not exactly what it had in mind. 

While the administration had asked Coalfire to test vulnerabilities in the the state’s electronic records system, it "did not intend, or anticipate, those efforts to include the forced entry into a building."

"It’s a strange case," said Dallas County Sheriff Chad Leonard on Wednesday. "We’re still investigating this thing."

When contacted for comment, Coalfire replied with the following statement: "Coalfire is a global cybersecurity firm that has conducted over 10,000 security assessments since 2001. We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client. 

"However, we cannot comment on this situation or any specific client engagements due to the confidential nature of our work and various security and privacy laws. Additionally, we cannot comment on this specific case as it is an active legal matter." 

Demercurio was released from Dallas County Jail after posting a $57,000 bond. Wynn was likewise released after posting a bond of $50,000. Both men are scheduled to appear before Dallas County District Court for a preliminary hearing on September 23.

Categories: Cyber Risk News

MSOE Opens Cyber-Learning Center Built with $34m Alumnus Donation

Fri, 09/13/2019 - 16:14
MSOE Opens Cyber-Learning Center Built with $34m Alumnus Donation

A Wisconsin university today celebrated the grand opening of a new cyber-learning facility funded by a $34 million donation from a former student and his wife. 

Dwight Diercks graduated from the Milwaukee School of Engineering (MSOE) in 1990 with a degree in computer science and engineering. Now senior vice president of software engineering at California-based technology company NVIDIA, Diercks today serves as a regent of the university, which awarded him an honorary engineering doctorate in 2014.

A day-long program of events was held to mark the opening of the Dwight and Dian Diercks Computational Science Hall, which included a keynote address by Jensen Huang, founder, president, and CEO of NVIDIA.

According to the MSOE website, "Diercks Hall—and the courses taught within—position MSOE at the educational forefront in artificial intelligence (AI), deep learning, cyber security, robotics, cloud computing and other next-generation technologies."

The four-floor building features seven contemporary classrooms, nine innovative teaching laboratories, 25 offices for staff, and a 256-seat auditorium. At the heart of the hall is a state-of-the-art data center with an NVIDIA GPU-accelerated AI supercomputer, which is named Rosie after the women known as Rosies who programmed one of the earliest computers, the ENIAC. Rosie is also the name of Dierck's mother, who passed away in 2006.

On the building's third floor, the Caspian Cyber Security Laboratory will allow students to conduct real-world cybersecurity experiments and test defensive mechanisms in a professional and controlled environment. The room is grounded with special shielding paint and an electromagnetic field to prevent computer viruses that students are working on from spreading to the rest of campus through the wireless network.

The substantial donation given by Diercks and his wife, Dian, was bolstered with an additional $4 million contributed by several individuals and corporations to support long-term operations and maintenance of the facility. 

Speaking at today's live-streamed opening ceremony, held in the new hall's atrium, the mayor of Milwaukee, Tom Barrett, quipped, "When I first heard the words artificial intelligence I thought someone had heard I had inflated my SAT scores," before declaring Friday, September 13, 2019, to be Dwight and Dian Diercks Day throughout the entire city of Milwaukee.

After Diercks and his wife cut a red ribbon with a giant pair of scissors to officially open the hall, he shared with the crowd his pleasure at learning that the addition of an external staircase to the building had increased the facility's final size to a square footage of 65,536, which is the number of different values representable in a number of 16 bits.

Categories: Cyber Risk News

#44CON: GPS Trackers Hacked to Make Premium Rate Calls

Fri, 09/13/2019 - 13:30
#44CON: GPS Trackers Hacked to Make Premium Rate Calls

Speaking at 44CON, Pen Test Partners researchers Tony Gee and Vangelis Stykas demonstrated vulnerabilities in GPS trackers, which enabled them to call premium rate phone numbers, and possibly influence the outcome of television talent shows.

Gee said that there is demand for GPS trackers, which are used in watches for kids, cars and even on pets’ collars, but their research had found consistent API vulnerabilities. Gee said that the problems were in “a lot of common APIs and used across platforms” in IoT products that were available cheaply.

Stykas called one product range “a monstrosity,” saying that the research into Thinkrace technology found that most API calls did not require authentication, and all users start with the default password “123456.” There were at least 370 vulnerable devices, across 80 domains on 40 different servers, which Stykas said allows anyone to be tracked, with a hacker able to change the email and take over the device, and force a firmware update. 

Calling it a “classic horizontal escalation of privilege,” Stykas said that the vendor had not responded to vulnerability disclosures for three years “on multiple attempts.”

In further research, Gee said that a lot of the GPS devices, particularly tracker watches for kids, used a pay-as-you-go SIM card, and allowed for a premium rate phone line to be called. “If we own the number, we make the money,” he said, pointing out that the costs of setting up a number only runs into hundreds of pounds, but regulation by the PSA was strong on doing this.

Looking at the options of hacking a GPS tracker to enable text voting to a premium line, Gee said that a typical SMS vote is 35p, so with a £10 top up you could vote 28 times. If there are 25 million vulnerable devices, that can enable seven billion votes. While he admitted that the voting at the annual Eurovision song contest could not be influenced because of the jury system, it was possible to influence talent shows like X Factor and Britain’s Got Talent. This would also allow the attacker to gamble on who the winner would be.

Talking on the disclosure, Gee said that the UK’s main four providers (o2, Vodafone, EE and 3) have a default “on” for premium lines to be called. Meanwhile, the vendors have been notified but “most products are not fixed and multiple devices have the same flaws.” However, the PSA have responded and said that Pen Test Partners will be invited to review changes.

Gee concluded by saying that most trackers will not be fixed, but manufacturers “need to get better” as “authentication is not authorization.”

Categories: Cyber Risk News

#44CON: Establishing a Mental Health Toolbox

Fri, 09/13/2019 - 11:45
#44CON: Establishing a Mental Health Toolbox

Noting the warning lights to assess your levels of stress and mental health now, and in the future, can save a lot of anguish in your working life.

Speaking at 44CON in London on the issue of dealing with mental health, Duo Security CISO advisory group member J Wolfgang Goerlich recommended a strategy of a “career owners manual” and knowing what to do to “make sure you have got a career and what you’re doing well.”

He recommended having a the right state of health to be able to thrive in what he called a “good community,” where we need to be supportive of others, as “a lot of us struggle.”

Goerlich advised taking a back seat, stepping back from work for a few months and to avoid being afraid of duplicating work.

When looking at yourself in a current position, he recommended taking the following steps:

  • Look at how your culture fits the company culture. Are we happy with the people in our organization “and do they make us feel good?”
  • Are our values reflected in theirs, and do we feel good about ourselves when we look in the mirror or do we feel like we are compromising ourselves?
  • Are the tasks we are doing good?
  • Is diversity good where we work, as diversity beings different perspective and points of view

“You need to be sure the inputs line up, as different companies have different values” he said, as if we are unhappy, it is too easy to ignore warning lights around our mental health, and it is too easy to take a “teenager’s action” as they ignore warning lights on a car. These warning lights should be around:

  • Physiological effects
  • Non-competitive compensation
  • Lack of training
  • Lack of career path
  • Poor teamwork
  • Poor leadership
  • No appreciation or recognition
  • Misaligned values and culture

In terms of tools, Goerlich recommended relaxing, recharging and re-learning, and doing “what is good for you.” This included time off work, what Goerlich called “zero days,” to recharge. The steps to take to recharge are as follows:

Weekly: prepare for the week ahead, do the “basic things,” de-stress and energize, and review the previous week.

Monthly: review stress, check warning lights, and schedule “zero days.”

Quarterly: check your health, review accomplishments, review learning, plan for next quarter, and schedule time off.

Annually: annual job reviews, and annually review your job.

Decade: asses who you are now, what you enjoy now, and where is the job market going?

“Make sure you have got the tools in your toolbox and are doing maintenance on your career,” he concluded. “This [cybersecurity] is a fantastic career and industry, but we see too many people struggle.”

Categories: Cyber Risk News

Marketer Exposes 198 Million Car Buyer Records

Fri, 09/13/2019 - 10:40
Marketer Exposes 198 Million Car Buyer Records

Another unprotected Elasticsearch database has been discovered by researchers, this time exposing personally identifiable information (PII) linked to 198 million car buying records.

The privacy snafu was discovered back in August by Jeremiah Fowler, researcher at SecurityDiscovery.

The non-password protected database contained a massive 413GB of data on potential car buyers, including names, email addresses, phone numbers, home addresses and more stored in plain text.

Also left publicly accessible were IP addresses, ports, pathways, and storage info “that cyber-criminals could exploit to access deeper into the network,” he explained.

Fowler spent several days trying to locate the owner of the database, which contained information from multiple websites.

“Only by manually reviewing multiple domains did I discover that they all linked back to,” he added. “I was able to speak with the general sales manager who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone.”

As the name suggests, Dealer Leads provides online marketing support in the form of prospective car buyers for dealerships around the US. It's unknown how long the data was exposed for.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,” Fowler warned.

“Also, when contacting a local dealership in their hometown about a specific automobile they may not have known that the website actually collected their data as a lead or that this data could potentially be stored, saved, sold, or shared via DealerLeads.”

The incident is just the latest in a long line of privacy leaks via Elasticsearch, AWS S3, and other online platforms, due to security misconfigurations.

In recent months, Honda exposed 134 million company documents, a leading Chinese uni leaked 8TB of email metadata, and Dow Jones left a sensitive global watchlist of criminals and terrorists open to the public — all via misconfigured Elasticsearch instances.

Categories: Cyber Risk News

Iranian Threat Group Targets 380 Global Universities

Fri, 09/13/2019 - 09:45
Iranian Threat Group Targets 380 Global Universities

An Iranian threat group exposed last year has been detected targeted hundreds of universities in over 30 countries in a global phishing operation.

Cobalt Dickens has been linked to indictments last year against nine Iranian nationals who worked for the Mabna Institute. They allegedly stole more than 31TB of data from over 140 US universities, 30 US companies and five government agencies, alongside more than 176 universities in 21 other countries.

The Secureworks Counter Treat Unit this week claimed their activity has not declined despite the publicity given to the indictments; in fact, it discovered a new campaign similar to the group's August 2018 phishing raids, using free online services and publicly available tools.

Specifically, the group uses compromised university resources to send spoofed library-themed emails containing links to log-in pages designed to harvest user credentials.

Some 20 new domains were registered in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland using the Freenom domain provider. Many use valid SSL certificates issued by Let’s Encrypt to add further authenticity to the phishing campaigns.

Continuing the theme of using publicly available resources to carry out these attacks, the group utilized the SingleFile plugin available on GitHub and the free HTTrack Website Copier standalone application, to copy the login pages of targeted university resources, according to Secureworks.

The researchers claimed that metadata in the spoofed web pages indicates the attackers are of Iranian origin. At least 380 universities worldwide have apparently been targeted in this latest campaign.

“Some educational institutions have implemented multi-factor authentication (MFA) to specifically address this threat,” it concluded.

“While implementing additional security controls like MFA could seem burdensome in environments that value user flexibility and innovation, single-password accounts are insecure. CTU researchers recommend that all organizations protect Internet-facing resources with MFA to mitigate credential-focused threats.”

Universities are an increasingly popular target for nation state attackers looking for highly sensitive research to advance homegrown development programs.

Categories: Cyber Risk News

Mirai and SMB Attacks Dominate 1H 2019

Fri, 09/13/2019 - 09:00
Mirai and SMB Attacks Dominate 1H 2019

Attacks on IoT devices using Mirai and its variants and raids against the Windows SMB protocol dominated the first half of 2019, according to new data from F-Secure.

The Finnish security vendor analyzed its global network of honeypots to find the number of “attack events” in the first six months of 2019 was 12 times higher than the same period in 2018.

The largest share, 760 million events, came via the Telnet protocol, followed by 611 million events on UPnP, both of which are used by connected devices.

The malware found in F-Secure’s honeypots was predominantly versions of Mirai, the infamous strain which searches for exposed IoT endpoints before cracking those open that are protected only by default credentials.

SMB port 445 also featured strongly, with 556 million events. This indicates continued interest on the part of cyber-criminals in exploiting the protocol targeted by the WannaCry hackers. According to F-Secure, it remains popular due to the high number of unpatched servers around the world.

In fact, Kaspersky data from last November revealed that WannaCry hit almost 75,000 users in Q3 2018.

“Three years after Mirai first appeared, and two years after WannaCry, it shows that we still haven’t solved the problems leveraged in those outbreaks,” said F-Secure principal researcher Jarno Niemela.

“The insecurity of the IoT, for one, is only getting more profound, with more and more devices cropping up all the time and then being co-opted into botnets. And the activity on SMB indicates there are still too many machines out there that remain unpatched.”

The report also revealed a decline in crypto-jacking, suggesting that this had been influenced by lower prices for digital currency and the shutting down of CoinHive earlier this year.

However, ransomware is once again a major threat. Interestingly, the most popular attack vector is RDP (31%), revealing that easily brute-forced passwords are a key security risk. Second most popular was email spam (23%), followed by compromised firmware/middleware.

Categories: Cyber Risk News

Ireland Hit by Pedophile Sextortion Email Scam

Thu, 09/12/2019 - 17:29
Ireland Hit by Pedophile Sextortion Email Scam

Residents of Ireland are being targeted by an aggressive email sextortion scam that accuses recipients of being pedophiles before threatening to expose them as such unless a ransom is paid. 

The scam was highlighted yesterday by the Irish arm of IT security company ESET, which posted a warning on its website. ESET Ireland registered several complaints related to the illegal extortion scam.

Victims were sent emails with the subject lines "I know you are a pedophile . . ." and "What the **** are you doing, pedophile?" from someone claiming to be an internet security specialist affiliated with the Anonymous group. 

The sender of the email claimed to have installed spyware on the victim's computer that they purported to have used to record the victim watching illegal pornographic videos featuring young teens.

Victims were told that four video files in which they were captured masturbating to illegal porn were in the possession of the hacker, who threatened to send them out to everyone in the victim's address book unless a Bitcoin ransom of 5,000 GBP was paid.

In a bid to blackmail their victims into paying up, the scammers wrote: "I was observing you for quite some time, and what I have collected here is overwhelming. I know about your sexual preferences and your interest in young bodies. I have secured 4 video files clearly showing how you masturbate (captured from your camera) to young teenagers (captured from your internet browser). Glued together is a pretty overwhelming evidence that you are a pedophile."

Predicting that people who receive the sextortion emails may contact the police, the scammers wrote: "Don’t even think about going to police. If you try, I will immediately know it and I will send them your masturbation videos, pedo."

While sextortion scams that weaponize shame are nothing new, American software company Symantec says cyber-attacks of this type are plentiful and on the rise. From January through May of 2019, Symantec blocked almost 289 million of these emails from landing in the inboxes of potential victims. Of these, about 30% were sent during a 17-day period around Valentine's Day. 

ESET Ireland recommends that anyone who has received these emails does not reply and marks them as spam. If the emails contain any identifiable personal info, recipients are advised to report them to the police.

Categories: Cyber Risk News

A Third of Security Pros Have Skipped Cyber-Safety Checks to Launch Products Faster

Thu, 09/12/2019 - 16:15
A Third of Security Pros Have Skipped Cyber-Safety Checks to Launch Products Faster

survey of 300 security professionals has found that 34% admit to bypassing security checks to bring products to market faster.  

The research was carried out by cyber assessment company Outpost24, which questioned attendees at the Infosecurity Europe Conference held in London in June of this year. 

Worryingly, 64% of the security professionals surveyed were of the opinion that their customers could be affected by data breaches as a direct result of unpatched vulnerabilities in their organizations' products and applications. 

Asked if the products their company is happy to sell to the public would stand up well under penetration testing, 29% of respondents said either that they weren't sure or that they didn't believe their organization’s products and applications would fare well if tested. 

According to the survey results, an alarming number of organizations have the same attitude toward security testing as many people have toward flossing their teeth—they know they should do it, but rarely bother. 

Despite 92% of security professionals agreeing that it is important to carry out security testing on new products and applications, 39% of them said that their organizations didn't introduce security testing from the beginning of the product or application lifecycle. 

Bob Egner, VP at Outpost24, said: "Our study shows that even despite continuous warnings, organizations today are still leaving their customers at risk because of a failure to address security vulnerabilities in products before they are introduced to market. If organizations are not addressing these security vulnerabilities, they are taking a huge gamble and abusing customer trust."

Egner foresees a bleak future for companies whose greed blocks them from adequately checking for vulnerabilities in their products and resolving identified weaknesses before products are launched. 

He said: “Negligence towards security will eventually lead to disastrous outcomes for technology and application vendors and their customers. There should be no excuses today, especially when security is such a big issue and so many breaches, which have happened up and down the technology stack, are well publicized.”

Egner advised organizations to save their reputations and be more considerate of their customers by unearthing software vulnerabilities in products and applications before they go on sale, using a combination of penetration testing and automated application scanning.

Categories: Cyber Risk News

UNICEF Leaks Personal Data of 8000 Online Learners

Thu, 09/12/2019 - 15:27
UNICEF Leaks Personal Data of 8000 Online Learners

The United Nations (UN) children’s agency UNICEF has apologized after inadvertently leaking the personal data of users of its online learning platform, Agora.

The leak occurred on August 26, when 20,000 Agora users were accidentally emailed a spreadsheet containing the personal information of 8,253 people enrolled in a course about childhood immunization.

Among the information accidentally leaked were names, email addresses, duty stations, gender, organization, name of supervisor, and contract type. 

A staff member unwittingly triggered the leak after running a report. The incident was detected by UNICEF the day after the email was sent out, and their response was swift and effective. 

In an email about the leak sent to Devex, UNICEF’s media chief Najwa Mekki wrote: “Our technical teams promptly disabled the Agora functionality which allows such reports to be sent and blocked the Agora server’s ability to send out email attachments. These measures will prevent such an incident from reoccurring.”

After discovering the leak, UNICEF sent an apologetic email to Agora users. The message included an appeal for recipients to permanently delete the email containing the leaked data, erase any data downloaded, and then empty the recycle bin. 

Plans are said to be in motion for UNICEF to carry out an internal assessment and review of the incident. 

Learning portal Agora is free to access and open to UNICEF staff, partners, and the general public. Part of the mandatory staff training program on Agora is an information security awareness course that teaches "concepts and solutions for data protection, use of UNICEF’s information assets and best practices for cyber security at work and at home." 

Commenting on the incident, senior director of security research at Tripwire Lamar Bailey said: "You can have the all the industry-leading security controls in place, but nothing stops human error.  

“Training employees is often overlooked, or the investment is not as high as it needs to be. Employee security training is always a tough area. The training programs can be too simplistic, and this causes people to ignore them or blow them off.”  

Categories: Cyber Risk News

Google Searches Reveal the 15-Year Decline of AV

Thu, 09/12/2019 - 11:00
Google Searches Reveal the 15-Year Decline of AV

The past 15 years has seen huge changes in the cybersecurity-related search terms internet users are deploying to find out more about the industry, with anti-virus supplanted by emerging next-gen solutions, according to new data from RedScan.

Taking its cue from Google’s Year in Search report, the security vendor decided to analyze the past decade-and-a-half of search data to understand how trends have evolved over time.

Internet searches for “anti-virus” and “network security” have declined significantly over that time, as has interest in the main AV brands. At the same time, there’s been a surge of interest in terms such as “SIEM,” “Cloud Computing,” “Mobile Device Management” and “BYOD.”

Interestingly, searches for “passwords” have declined rapidly since 2004, although terms such as “two-factor authentication” and “multi-factor authentication” have not risen significantly over the same time period.

“It’s a bit concerning that searches for passwords are in such a steep decline. Good password hygiene is essential, and people are often really bad at setting unique passwords,” the report noted.

As for the threat landscape itself, searches for “keyloggers” declined sharply from around 2004 onwards, while “phishing,” “ransomware” and “DDoS” have remained pretty consistent. Spikes in searches for DDoS coincided with the major Mirai botnet attack on Dyn in 2016 and for ransomware with the WannaCry attack of 2017.

In 2004, “Spyware” and “adware” were far more popular search terms than “malware,” although the trend has now been reversed. “Cryptojacking” also spiked sharply from around 2017 while searches for “GDPR” understandably rocketed shortly before its introduction in early 2018.

As for the future, Google search term analysis indicates the rising popularity of “threat hunting,” “IoT security,” “AI and security” and “zero trust security.”

"Cybersecurity has changed remarkably over the past 15 years and Google’s search data is a great measure of this,” said Andy Kays, technical director at Redscan.

“As businesses embrace digital transformation, their security strategy must evolve accordingly. Our data shows that interest in traditional preventative tools is declining in favor of next-generation technologies that offer enhanced threat detection and response capabilities.”

Categories: Cyber Risk News

Over Half of UK Firms Still Not GDPR Compliant

Thu, 09/12/2019 - 09:30
Over Half of UK Firms Still Not GDPR Compliant

Over half of UK businesses aren’t compliant with the GDPR more than 15 months after its introduction, despite many reporting data security incidents to the ICO, according to new research from Egress.

The security vendor polled 250 “GDPR decision-makers” from companies of all sizes and sectors to compile its new report, GDPR compliance: where are we now?

Some 52% said they were not fully compliant with the EU-wide data protection regulation, with over a third (35%) claiming compliance had dropped down the priority list over the past year. That’s concerning given that GDPR compliance cannot be achieved via a one-off tick box exercise but requires continual attention.

Just 6% said the recent ICO fines issued to BA and Marriott raised the profile of GDPR again within the business.

Although 42% of respondents rated their firm as “mostly compliant,” it’s unclear which elements were still lacking. Data breach threats can come from anywhere and it only takes a small oversight for a potentially serious incident to occur.

Bearing this out, over a third of respondents (37%) reported at least one incident to the ICO in the past 12 months. According to Egress-obtained FOI information, 60% of security-related personal data breach incidents reported to the watchdog in the first six months of 2019 were caused by human error.

Mid-sized companies are either most exposed to data security incidents or most alert to respond, the findings seem to indicate.

Over half (53%) of mid-size companies (250-999 employees) reported data breaches to the ICO in the past 12 months, compared with 36% of small companies (1-249 staff) and only 23% of enterprises (1000+ employees), according to the report.

“Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR. The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’,” argued Egress CEO, Tony Pepper.

“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning only 6% of organizations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organizations cannot risk compliance complacency.”

He added that any technology solutions brought in need to tackle the underlying problem of human error, by mapping employee behavior to block phishing attacks, and prevent misdirected emails and attaching the wrong documents.

“Reliance on people to follow processes and protect data is only going to get organizations so far: people are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information,” Pepper said.

Categories: Cyber Risk News

Wikipedia Gets $2.5m Donation to Boost Cybersecurity

Thu, 09/12/2019 - 08:38
Wikipedia Gets $2.5m Donation to Boost Cybersecurity

The Wikimedia Foundation has received a $2.5m donation to boost its cybersecurity efforts following a major DDoS attack that left Wikipedia unavailable across much of the world last weekend.

The non-profit relies on charitable donations and volunteers to keep the online encyclopedia and other “free knowledge” projects running.

So it was relieved at the major cash injection, which came from Craigslist founder-turned-philanthropist Craig Newmark.

“Wikipedia’s continued success as a top-10 website that has hundreds of millions of users makes it a target for vandalism, hacking, and other cybersecurity threats that harm the free knowledge movement and community,” said John Bennett, director of security at the Wikimedia Foundation.

“That’s why we are working proactively to combat problems before they arise. This investment will allow us to further expand our security programs to identify current and future threats, create effective countermeasures, and improve our overall security controls.”

The non-profit didn’t go into much more detail about which areas of its security stack the money would help to fund, although application security, risk management and incident response were all highlighted.

It would also be safe to assume that some funds would be diverted into better DDoS mitigation, given the attack last weekend which started on Friday evening UK time and led to disruption for most of Europe and the Middle East.

Under his Craig Newmark Philanthropies organization, Newmark has donated millions to fund journalism and combat fake news, improve voter protection and help address the gender disparity in IT. As part of these efforts he’s sent nearly $2m the way of the Wikimedia Foundation.

“As disinformation and other security threats continue to jeopardize the integrity of our democracy, we must invest in systems that protect the services that work so hard to get accurate and trustworthy information in front of the public,” said Newmark.

“That’s why I eagerly continue to support the Wikimedia Foundation and its projects — like Wikipedia, the place where facts go to live.”

Categories: Cyber Risk News

Calls to Bring Back Role That Was Scrapped by Departing U.S. Security Advisor

Wed, 09/11/2019 - 17:57
Calls to Bring Back Role That Was Scrapped by Departing U.S. Security Advisor

Chris Kennedy, former leader of cybersecurity operations programs for the U.S. Department of the Treasury and the U.S. Marine Corp, has called for the reinstatement of the cybersecurity coordinator role on the National Security Council.

The position was scrapped last year by the then U.S. national security advisor John Bolton, who tendered his resignation yesterday. Bolton is the third national security advisor to exit the White House since President Donald Trump took office in January 2017. Trump claimed yesterday on Twitter to have asked Bolton to step down.

"The removal of the position in May 2018 mystified myself and others within the cybersecurity industry," said Kennedy, who is now CISO and vice president of customer success at AttackIQ. "The elimination of the role did not make sense considering the importance of cybersecurity in the protection of our nation." 

Kennedy, who is a former Marine Corps officer and Operation Iraqi Freedom veteran, believes the importance of cybersecurity to American national security hasn't been fully realized, leaving the United States vulnerable to attack. 

He said: "I still do not think we as a nation understand our dependence on technology, the risks we assume every day, and the capabilities of nation-state backed threat actors. Risks of being attacked grow every day as enterprises continue to adopt more technology to augment their business.

"The world runs on technology today, and that presents one of the most significant risks to the nation⁠—logistics that feed and supply our nation, critical infrastructure that enables our way of life, and technology platforms across all industries that enable businesses to conduct their mission are all cybersecurity implications. To not have a focal point focusing on that risk is exceptionally worrisome since a major cyber-attack would have catastrophic implications."

The need for a cybersecurity coordinator operating at a national level was echoed by Joseph Carson, chief security scientist at Thycotic, who said: "The elimination of the cybersecurity coordinator position removed accountability and responsibility. This was a step in the wrong direction. 

"Without a cybersecurity coordinator, it has been as if there is no one is driving the White House on protecting citizens from cyberattacks.”   

Dan Tuchler, CMO at SecurityFirst, believes Bolton's decision to scrap the cybersecurity coordinator role made the U.S. more vulnerable to cyber-attacks. 

He said: "John Bolton greatly damaged our ability to focus on these threats by removing the position of cybersecurity coordinator. It’s hard to imagine his replacement being worse, but it’s also unlikely in this political climate that the replacement will restore the cybersecurity position."

With the proviso that he "didn't want to be alarmist," Tuchler added, "Let’s hope the situation is corrected before something terrible happens." 

Categories: Cyber Risk News

Program to Land Neurodiverse Adults Government Cybersecurity Jobs Wins Prize

Wed, 09/11/2019 - 16:47
Program to Land Neurodiverse Adults Government Cybersecurity Jobs Wins Prize

A pilot program that aims to find neurodiverse adults cybersecurity jobs with the federal government has won the Government Effectiveness Advanced Research (GEAR) Center challenge.

The program was created by a collaboration between George Mason University, Mercyhurst University, Rochester Institute of Technology, University of Maryland, Drexel University, SAPSpecialisterne, the DXC Dandelion Program, and the MITRE Corporation, which led the effort. 

Neurodiversity in Cybersecurity was one of three grand prize winners, each of which was awarded a $300,000 federal grant. The proposal urges the creation of a workforce program to help the federal government identify, train, and promote candidates who are neurodiverse.  

Neurodiversity as a term covers a wide range of conditions, including dyspraxia, dyslexia, attention deficit hyperactivity disorder, dyscalculia, autistic spectrum disorders, and Tourette's syndrome.

Key features of the program are management and co-worker training and the creation of career and social development programs to prepare candidates.

“Attracting and retaining technical talent, especially those with cybersecurity skills, is a key management challenge for the U.S. government, states and the private sector, as well,” said James Cook, MITRE vice president for strategic engagement and partnerships. “MITRE and its partners developed an approach to activate an untapped talent pool that leverages leading practices and tools that have been adopted by the private sector and non-governmental organizations to tackle this persistent problem. We look forward to partnering with a government agency to pilot the program.”

A government agency partner is yet to be confirmed; however, MITRE has every reason to believe that the project will prove successful once it's up and running. Earlier this year, the nonprofit launched a company-wide initiative to mainstream neurodiversity hiring and employment practices with a focus on positions in cybersecurity. Two college co-ops have recently been hired through this program, which MITRE has said it will continue to scale. 

"Cybersecurity is a role-oriented discipline requiring logic, curiosity, ability to solve problems and find patterns through micro-focused attention,” said Tara Cunningham, CEO, Specialisterne, which specializes in neurodiverse tech hiring and is one of the pilot’s partners. “Although autistic and other neurodiverse people are strong across all disciplines, for many, cybersecurity is a natural fit."

The Office of Management and Budget (OMB) and General Service Administration’s (GSA) GEAR Center competition challenges problem solvers from the public, academia, and industry to build cross-sector, multidisciplinary teams to demonstrate the potential of the GEAR Center. Winning entries by two other collaborative teams focused on government use of evidence and data.

Categories: Cyber Risk News

New Platform Aims to Keep Kids Safe Online

Wed, 09/11/2019 - 15:16
New Platform Aims to Keep Kids Safe Online

A new platform designed to keep young people safe while browsing the internet was launched today by Slovakian cybersecurity company ESET.

Safer Kids Online was developed in consultation with cybersecurity experts and a child psychologist. The multilingual platform offers guidance and advice to children, teens, and parents on how to stay safe online. 

Users can learn the key warning signs that a child is being hounded by cyber-bullies and discover ways to prevent children from becoming the victims of online sexual predators. The platform will also feature advice on how to build a child's awareness of the potential dangers involved in online activities they may perceive to be risk-free, such as posting selfies online and 'checking in' via geolocation services.

A friendly and respectful tone has been used to create the platform's educational resources, which include vlogs and in-depth articles aimed at parents, and comics and prize competitions that appeal to children.

Creators of the platform have been careful not to make the internet sound like a scary place—that would hardly be great for business—but in a statement released today they underlined how aware they are of the risks posed to children who venture online. 

The statement said: "According to the Cyberbullying Research Centre, 34% of 12- to 17-year-olds in the U.S. have experienced cyberbullying, while UK children’s charity the NSPCC recently revealed that police recorded 9,000 child sexual offenses with an online element between 2017 and 2018."

Natália Rasavacová, Safer Kids Online Guru at ESET, believes the new platform will fill a gap often unintentionally left by parents and schools. 

She said: “The digital age has brought boundless opportunities for progression around the world, but dangers are also present and alive. Children particularly can face risks, and we know that parents and schools, even with the best intentions, don’t always have the knowledge of how to protect their kids in the digital sphere." 

The need for online safety guidance for children is clear, as every third person on the internet is a child. However, the platform is likely to be good news for ESET as well as for young internet users and their parents since visitors are gently directed to advice on guardian software, such as ESET Parental Control for Android.

Categories: Cyber Risk News

#GartnerSEC: Reuse Procedures From IAM in PAM Implementations

Wed, 09/11/2019 - 15:00
#GartnerSEC: Reuse Procedures From IAM in PAM Implementations

Implementing identity and access management (IAM) can lend several procedures for the roll out of privileged access management (PAM).

Speaking at the Gartner Security and Risk Management Summit in London, Alan Radford, technical director of One Identity, and a representative from a European IT service provider, who was speaking off the record, discussed the implementation of PAM at the company, which they said came after finding more developers had access to customer data “and with 500 IT admins we want to know what is going on, and who has what privilege and when and how they are using them.”

The speaker said that when choosing what to implement, it is important to know whether you are going to choose IAM or PAM, as there are benefits to both “and it makes sense for you to do IAM first and procedures can then follow on PAM.” 

Radford asked, if someone has neither PAM or IAM, can PAM be a stand-alone technology? The speaker that while PAM is not a stand-alone technology, “by having systems in place and accountability decentralized, in a sector where we are regularly audited internally and by the FCA” the technology enabled them to document its activities and controls.

They also said that “segregation of duties is a key element in IAM” as a developer should not be able to push a project into production, “but may be allowed in an incident to fix stuff” and that requires knowledge on how segregation of duties is implemented.

Looking at provisioning users, the speaker said that the IAM process should be easy to join, switch parameters and enroll users, and switch back. “You’re not introducing a new system, it’s a new project.”

They recommended figuring out what information you can use from IAM into your PAM integration “and figure out what you have under the hood in the company, and know who is responsible.”

Speaking to Infosecurity, the speaker said that you have to be aware that you’re not introducing a system, you’re introducing procedures, and you will hit the organization with a new system of working, “and this is a way of getting out of the project paradigm.”

The speaker said it is not like shifting from Outlook on-premise to Office 365, this is moving from something you were not doing to something you are. “That is not a project, that is introducing new ways of working and procedures that need to be followed, it is an ongoing thing, so you need to think about having a team to support that,” they said.

Asked if he sees a lot of the IAM and PAM procedures not being re-used, Radford said that you “cannot achieve true governance without encompassing all of your privileged access and all of your end user access, and understanding what the difference is between the two for your company.”

Categories: Cyber Risk News