Info Security

IoT Set to Put Strain on Cyber Skills Market

Thu, 04/25/2019 - 10:01

UK demand for cybersecurity skills rose 10% year-on-year in the last quarter of 2018, with adoption of the Internet of Things (IoT) technologies set to put further strain on the market going forward, according to Experis.

The recruitment company’s latest Experis Industry Insiders report revealed a near 17% increase in advertised cybersecurity roles from the previous quarter, to 13,214.

However, average permanent salaries actually dropped slightly, by 2% year-on-year to £58,557, as employers sought out short-term solutions to fill their skills gaps. Contractor day rates jumped nearly 20% over the previous year, to £505.

In the IoT space, the number of new roles advertised jumped 49% quarter-on-quarter to Q4 2018. Permanent (1.5%) and contractor (4%) average salaries both increased.

“IoT offers huge opportunities for organizations, if they have the right cybersecurity foundations in place to take advantage of new innovations safely. We can see that there is a strong demand for top talent, but the market is struggling to keep pace,” argued Experis director of specialist markets, Martin Ewings.

“Businesses are having to be creative and take a blended approach to their talent acquisition strategies — tapping into the contractor market to build a hybrid team of permanent and temporary workers. In doing so, they can have fast access to the skills they need right now, while taking a longer-term view by building permanent capabilities and investing the time required to enable strategic development.”

However, building these permanent capabilities will be challenging given continued global shortfalls. Skills shortages in cybersecurity have reached nearly three million worldwide, including 142,000 in EMEA, according to (ISC)2.

Defense contractor Raytheon is doing its bit by announcing this week a new cyber-apprenticeships scheme as part of a £2m investment strategy which also includes a Cyber Academy to train university students.

The firm claimed there would be opportunities for 70 cyber-apprentices each year for the two-year program, which offers an alternative to three- and four-year degree courses. Plans are in place to certify around 280 apprentices over four years.

Categories: Cyber Risk News

Dark Web’s Wall Street Market Suspected of Exit Scam

Thu, 04/25/2019 - 09:53

Dark web drugs marketplace Wall Street Market appears to have become the latest underground site to be hit by an exit scam, taking with it an estimated $30m of users’ money.

News has swirled for days that the site’s owners are about to pull the plug, with suspicions raised after an official moderator published a notice claiming that it had suffered a server crash. This meant it was unable to synchronize bitcoin wallets with the blockchain, the individual claimed.

“Due to this incident, we were forced to send crypto assets manually to the waiting list bitcoin wallet, as we have to wait for this process to complete, so that coins can be sent to the appropriate matching escrow wallet,” the post continued.

“Our technical advisors said that the platform will soon shift to the maintenance mode in order to prevent sending of more bitcoins, and they estimated the synchronization process to be successfully completed yesterday.”

However, multiple posts on dark web Reddit-like forum Dread claim this is merely a distraction designed to buy the administrators time while they drain funds, according to Deepdotweb.

Users have also taken to Reddit to complain about problems with the site, suggesting that its owners have decided to exit scam after a large influx of users and money that came from the recently shuttered Dream Market.

Exit scams typically occur when dark web sites stop shipping orders but continue to accept payment. Once a significant pot of money is built up in escrow, the administrators take it and close the site.

This latest incident highlights the continued uncertainty of doing business on the dark web. Law enforcers have done their best to disrupt some of the biggest marketplaces in recent years, notably with the takedowns of Hansa and Alpha Bay in 2017.

Things had begun to stabilize since then, but exit scams are a constant concern and widely seen as a cost of doing business on the dark web.

It could be that the administrators of Wall Street Market decided to do a runner with the money rather than face the potential scrutiny of investigators.

Categories: Cyber Risk News

Report: 42% of Used Drives Sold on eBay Hold Sensitive Data

Thu, 04/25/2019 - 09:20

A new report from Blancco Technology Group has warned that those looking to make some money by selling used storage drives may be putting themselves at risk of falling victim to cybercrime.

As detailed in Privacy for Sale: Data Security Risks in the Second-Hand IT Asset Marketplace, Blancco, in conjunction with Ontrack, analyzed 159 leading brand drives purchased through auction site eBay in the US, UK, Germany and Finland, discovering that almost half (42%) still held sensitive data.

What’s more, 15% of the drives assessed were found to contain personally identifiable information (PII), despite sellers surveyed by Blancco as part of the research stating they had used proper data sanitization methods to ensure no data was left behind. This worrying finding suggests that although sellers recognize the need to remove any data before looking to sell on a storage drive, the methods they are using are inadequate.

“Selling old hardware via an online marketplace might feel like a good option, but in reality, it creates a serious risk of exposing dangerous levels of personal data,” said Fredrik Forslund, VP, cloud and data erasure, Blancco. “By putting this equipment into the wrong hands, irreversible damage will be caused – not just to the seller, but their employer, friends and family members.”

It is also clear that there is confusion around the right methods of data erasure, Forslund added, as each seller was under the impression that data had been permanently removed.

“It’s critical to securely erase any data on drives before passing them onto another party, using the appropriate methods to confirm that it’s truly gone. Education on best ways to permanently remove data from devices is a vital investment to negate the very real risk of falling victim to identity theft, or other methods of cybercrime.”

“Deleting data is notoriously difficult,” added Sam Curry, chief security officer at Cybereason. “Most people don’t understand and probably shouldn’t have to understand how indexing works, but most so-called deletion just removes pointers to data and not the data itself.

“Destruction of the device really doesn’t make the data go away either; sure parts of it might be damaged or hard to read because the media can't be plugged in easily. The data, however, persists.

“The conventional best practices for securely decommissioning drives before disposal are to get professionals that you trust (and that’s a big deal and another subject) to really wipe and rewrite every trace ‘three times,’ which feels a little like overkill to laypeople. It does matter, though, when the data you have is in trust from and for other people.”

Categories: Cyber Risk News

#CYBERUK19: GCHQ Ramps Up Intelligence Sharing with UK Firms

Thu, 04/25/2019 - 08:55

GCHQ boss Jeremy Fleming has revealed how the government listening post has improved its collaboration with UK businesses over the past year, to enable intelligence sharing within seconds.

Fleming told an audience of IT security professionals at the government’s CYBERUK conference in Glasgow yesterday that the agency is sharing intelligence with banks to enable real-time customer alerts, as well as the wider business community.

“In the last year we have made it simple for our analysts to share time critical, secret information in a matter of seconds. With just one click, this information is being shared and action is being taken,” he added.

“In the coming year, we will continue to scale this capability so — whether it's indicators of a nation state cyber actor, details of malware used by cyber-criminals or credit cards being sold on the dark web — we will declassify this information and get it back to those who can act on it.”

This is the result of the Industry100 initiative coordinated by GCHQ’s National Cyber Security Centre (NCSC). Fleming claimed it had been so successful that the project will be made permanent in the future.

Another sign of its effectiveness came in helping protect smaller firms against what appears to have been a Magecart campaign.

“This year, we identified over 1200 sites which were serving malicious code to illicitly copy credit card transactions,” said Fleming. “We were able to help these small businesses fix the problem and protect their customers and their reputation.”

The government’s vision to make the UK the safest place to live and work online will require a “national effort” to achieve — involving both public and private sectors and consumers, he claimed.

Sarah Armstrong-Smith, head of continuity & resilience at Fujitsu, agreed that public-private partnerships are key to tackling cyber-threats.

“By working collaboratively, organizations can share with each other, their partners and government, practical knowledge, intelligence and technological innovation that helps fight cybersecurity threats and increase resilience,” she added. “In order to make a stand and stop cyber-criminals, we must unite in our efforts to tackle the continuing challenge that we all face.”

Jake Moore, cyber security specialist at ESET, also welcomed the industry outreach efforts by GCHQ.

“GCHQ working more closely with banks and other businesses can’t come soon enough. Consumers have been in desperate need for help and support from law enforcement for quite some time as so few people are aware of how to protect themselves online,” he argued.

“Cybersecurity awareness is a national issue and those who are unaware of the magnitude of the problem require extra support. Sharing intelligence in real time with banks might be the difference between someone losing their life savings and being able to stop the attack in the first place.”

Categories: Cyber Risk News

Insider Threats a Top Risk to Healthcare

Wed, 04/24/2019 - 18:46

Across the healthcare sector, ransomware is reportedly no longer the most prevalent security threat, according to new research from Vectra that found attacks decreased during the second half of 2018.

The Vectra 2019 Spotlight Report on Healthcare found that internal human error and misuse occur much more frequently than hacking. In addition, a growing number of errors are the result of unmanaged devices and lateral movement of device-to-device communication.

Based on data from the Attacker Behavior Industry Report (2019 RSA Conference Edition), researchers also observed network behaviors from a sampling of 354 opt-in enterprise organizations in healthcare and eight other industries.

Among the findings, the report noted that attackers hide command-and-control communications in healthcare networks using HTTPS tunnels. “Hidden HTTPS tunnels are the most common behavior detected in healthcare. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic. When attackers hide their command-and-control communications in HTTPS tunnels, it often looks like service provider traffic,” the report said.

Researchers also found that hidden domain name system (DNS) tunnels were commonly used to mask data exfiltration behaviors, as these behaviors can also be caused by IT and security tools that use DNS communication.

The second most-common behavior consistent with data exfiltration in healthcare, according to the research, is the smash and grab. “This occurs when a large volume of data is sent to an external destination not commonly in use, in a short period of time.”

Security cameras are able to quickly send mass volumes of data to a hosted cloud site, but smash-and-grab behaviors can appear to be normal operation for an IoT device. As a result, low and slow attackers are able to use it for obfuscation.

“Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” said Chris Morales, head of security analytics at Vectra. “Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace.”
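The smash-and-grab behavior quoted above (a large volume sent to a destination not commonly in use, in a short period) can be expressed as a sliding-window check over flow records. This is an added example, not code from Vectra or its report; the record layout, thresholds and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

# Flow record (assumed layout):
#   (epoch_seconds, internal_source, external_destination, bytes_out)


def common_destinations(history, min_flows=3):
    """Destinations seen at least min_flows times during the baseline period."""
    counts = Counter(dst for _ts, _src, dst, _n in history)
    return {dst for dst, seen in counts.items() if seen >= min_flows}


def detect_smash_and_grab(flows, common, window_s=600,
                          threshold_bytes=500_000_000):
    """Alert once per (source, destination) pair when the bytes sent to an
    uncommon destination inside a sliding window reach the threshold."""
    windows = defaultdict(deque)   # (src, dst) -> flows still inside the window
    totals = defaultdict(int)      # (src, dst) -> bytes inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, nbytes in sorted(flows):
        if dst in common:
            # Routine destination, e.g. a camera's usual cloud video host.
            continue
        key = (src, dst)
        windows[key].append((ts, nbytes))
        totals[key] += nbytes
        # Evict flows that have aged out of the window.
        while windows[key] and windows[key][0][0] <= ts - window_s:
            _old_ts, old_bytes = windows[key].popleft()
            totals[key] -= old_bytes
        if totals[key] >= threshold_bytes and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst,
                           "bytes": totals[key], "window_end": ts})
    return alerts


# Constructed baseline: a camera uploads to its cloud host every hour.
HISTORY = [(t, "10.0.5.20", "198.51.100.10", 50_000_000)
           for t in range(0, 5 * 3600, 3600)]

# Constructed flows for the period under analysis.
FLOWS = [
    # Camera: high volume, but to its commonly used destination.
    (100_000, "10.0.5.20", "198.51.100.10", 300_000_000),
    (100_120, "10.0.5.20", "198.51.100.10", 300_000_000),
    # Workstation: 600 MB to a never-seen destination within three minutes.
    (100_000, "10.0.1.15", "203.0.113.77", 200_000_000),
    (100_090, "10.0.1.15", "203.0.113.77", 200_000_000),
    (100_180, "10.0.1.15", "203.0.113.77", 200_000_000),
    # Same volume to another new destination, spread over two hours.
    (100_000, "10.0.1.30", "192.0.2.44", 200_000_000),
    (103_600, "10.0.1.30", "192.0.2.44", 200_000_000),
    (107_200, "10.0.1.30", "192.0.2.44", 200_000_000),
]


def run_constructed_example():
    return detect_smash_and_grab(FLOWS, common_destinations(HISTORY))


if __name__ == "__main__":
    for alert in run_constructed_example():
        print(alert)
```

The third host in the sample moves the same volume but stays under the window threshold, which is why a volume rule like this needs to be paired with longer-horizon baselining.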

Categories: Cyber Risk News

Magecart Swoops in to Strike Atlanta Hawks Shop

Wed, 04/24/2019 - 17:08

The online shop for the Atlanta Hawks currently states that it is temporarily down for maintenance, and according to Sanguine Security, the ecommerce site is the latest victim of a Magecart attack.

In the wild, hawks hold their place at the top of the food chain. On the court, the Atlanta Hawks boast 29 wins for the 2018–2019 season. The ecommerce store, though, reportedly has a weak link in its supply chain.

"Yesterday, we were alerted that the host site for HawksShop.com was subject to an isolated attack," a spokesperson for the Hawks organization said. "We take these matters of security and privacy extremely seriously. Upon receiving that information, we disabled all payment and checkout capabilities to prevent any further incident.

"At this stage of the investigation, we believe that less than a handful of purchases on HawksShop.com were affected. We are continuing to investigate and will provide updates as needed."

According to an April 23 post, Magecart thieves injected a payment skimmer in the online store of the Atlanta Hawks. 

“As many online stores do, the Atlanta Hawks shop also runs Magento Commerce Cloud 2.2, a commonly used enterprise-grade e-commerce system, owned by Adobe. While Magento itself is quite secure, attackers often use insecure third-party components to gain access to the core of the shop system,” Sanguine Labs wrote.

Leveraging vulnerabilities in third parties has proven successful for the Magecart group, which is also reportedly responsible for infecting hundreds of websites via supply chains. “Cyber-criminals have found that this card-skimming malware is stealth and effective in securing credit card information off of websites. This payment card information can have a huge impact on customers, far beyond the unauthorized use of their cards,” said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

“Payment card information, combined with other user data from other breaches and social media, builds a complete profile. Using these real identities, and sometimes fake identities with valid credentials, allows cyber-criminals to take over accounts, apply for loans and much more. This is why more companies today are implementing user verification platforms that include passive biometrics that verify users based on more parameters than just their personally identifiable information.”

Sanguine Labs reported that the time frame for detection is small, with new attacks being discovered each week. In addition to using automation to identify and prevent attacks, “passive biometric technology is making stolen data valueless by verifying users based on their inherent behavior instead of relying on their data. This makes it challenging for bad actors to access illegitimate accounts, as they can't replicate the customer’s inherent behavior,” Zuk said.

Categories: Cyber Risk News

Online Fitness Store Gets One-Upped by Hackers

Wed, 04/24/2019 - 15:44

Lifting weights might build strength for the body, but for customers of Bodybuilding.com, bulking up wasn’t enough to stop hackers from stealing their personal data. According to a security notice issued by the popular online fitness store, Bodybuilding.com recently experienced a security incident that may have affected customer information.

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018,” according to the statement.

“On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed. While we have no evidence that personal information was accessed or misused, we are notifying all current and former customers and users about the incident out of an abundance of caution to explain the circumstances as we understand them.”

In the aftermath of discovering the incident, the company contacted law enforcement and brought in external forensic investigators. Additionally, the notice to customers said that the company will be forcing a password reset upon the next login for all of its customers.

The company does not store full credit or debit card information, but customers do have the option of storing card information in their accounts. In those cases, Bodybuilding.com only stores the last four digits of the card, and according to the statement, it never stores the full card number.

“While we have no evidence that personal information was accessed or misused, information you provided to us which might have been accessed in this incident could include name, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in your BodySpace profile,” the company said, adding that much of the information in the BodySpace profile is already public.

“We’re never out of danger from a data breach of our personal information and passwords, as the Bodybuilding.com incident reminds us. Despite the fact that web applications often house sensitive consumer data, they are often forgotten when it comes to implementing security measures,” said Oscar Tovar, vulnerability verification specialist, WhiteHat Security.

“Since Bodybuilding.com’s breach was a phishing attack, this showcases the importance of ongoing security training for employees. Organizations’ people continue to be the single largest threat vector for successful breaches. In addition, this paints a large target on an organization making them an easy target for hackers, who can exploit them and gain access to sensitive information. Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern.”

Categories: Cyber Risk News

FBI: BEC Losses Surged to $1.3bn in 2018

Wed, 04/24/2019 - 10:25

The FBI dealt with cyber-attacks causing losses of over $2.7bn in 2018, nearly half of which were linked to Business Email Compromise (BEC) scams.

In total, there were over 20,000 victims of BEC/Email Account Compromise (EAC) last year, leading to losses of just under $1.3bn, the largest of any cybercrime type. The nearest to this were confidence fraud/romance scams ($362m) and investment cybercrime ($253m), according to the 2018 Internet Crime Report.

The FBI noted an increase in the number of gift card BEC scams, of the sort spotted by Agari recently. The security vendor claimed fraudsters are increasingly transferring their victims from email to mobile communications early on in the scam.

The largest group losing money to cyber-criminals was the over-60s ($649m), followed by the 50-59 age group ($495m). This could be partly explained by the continued prevalence of tech support scams which predominantly target the elderly. There were over 14,000 reported victims last year, linked to losses reaching almost $39m — a 161% increase from 2017.

Elsewhere, the number of reported ransomware victims dropped from 1783 to 1493 cases. However, the losses incurred by these victims rose from $2.3m to $3.6m. What’s more, these estimates don’t include lost business, wages, files, equipment, productivity or third-party remediation.

“In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents,” the report claimed.

Finally, the FBI also noted a strong surge in extortion-related attacks in 2018. The 51,000+ complaints it received accounted for losses of over $83m, a 242% increase on 2017 figures. These included DoS attacks, “hitman schemes,” sextortion, government impersonation schemes, loan schemes, and high-profile data breaches.

Categories: Cyber Risk News

Online Thief Cracks Private Keys to Steal $54m in ETH

Wed, 04/24/2019 - 09:39

An individual or group of hackers has managed to amass over $54m in stolen digital currency by raiding digital wallets improperly secured with private keys, according to a new report.

Consultancy Independent Security Evaluators (ISE) claimed the “Blockchainbandit” had taken advantage of poorly implemented private keys to transfer nearly 38,000 in Ethereum (ETH) out of the targeted wallets to one under its control.

That was the figure as of January 13, 2018, but it may be many times greater today, the firm warned. In a test operation, it placed a dollar’s worth of ETH in a weak private key-derived wallet and saw it transferred out to the attacker within seconds.

In total, ISE claimed it was able to guess or duplicate 732 weak private keys in use on the Ethereum blockchain, highlighting a potential issue with key generation by developers.

The firm suggested that programming errors in the software generating these keys have made them easy to brute force.

It hypothesized that a 256-bit private key may have been truncated due to coding mistakes, meaning it’s insufficiently complex. Other possible errors suggested by the researchers included “error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors.”

It’s even possible that users were allowed to choose their own keys, it’s claimed.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” argued ISE executive partner, Ted Harrington.

ISE urged developers to use well-known libraries or platform-specific modules for random number generation; use a cryptographically secure pseudo-random number generator; audit code for truncated keys; and use multiple sources of entropy. It also claimed developers should review NIST guidelines on cryptographic random number generation.
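Two of those recommendations, drawing keys from a cryptographically secure generator and auditing for truncated keys, can be sketched as follows. This is an added example, not ISE's code; the function names and the 200-bit audit threshold are assumptions made for illustration.

```python
from __future__ import annotations

import secrets

# Order of the secp256k1 group used for Ethereum keys; a valid private key
# is an integer in the range 1 .. N-1, encoded as 32 big-endian bytes.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed audit threshold. A uniformly random 256-bit key falls below it
# with negligible probability; a truncated key or an error code stored as
# a key falls far below it.
MIN_SIGNIFICANT_BITS = 200


def generate_private_key() -> bytes:
    """Draw 32 bytes from the operating system CSPRNG, rejecting the
    (astronomically rare) values outside the valid range."""
    while True:
        candidate = secrets.token_bytes(32)
        if 1 <= int.from_bytes(candidate, "big") < SECP256K1_N:
            return candidate


def significant_bits(value: int) -> int:
    """Width of the span between the highest and lowest set bits."""
    if value == 0:
        return 0
    trailing_zeros = (value & -value).bit_length() - 1
    return value.bit_length() - trailing_zeros


def audit_private_key(key: bytes) -> list[str]:
    """Return findings for a stored key; an empty list means none."""
    findings = []
    if len(key) != 32:
        findings.append(f"key is {len(key)} bytes, expected 32")
    value = int.from_bytes(key, "big")
    if not 1 <= value < SECP256K1_N:
        findings.append("value outside the valid range 1..N-1")
    bits = significant_bits(value)
    if bits < MIN_SIGNIFICANT_BITS:
        findings.append(
            f"only {bits} significant bits; the rest is zero padding "
            "(possible truncation)"
        )
    return findings


if __name__ == "__main__":
    # Constructed samples: one good key, one 32-bit value padded to 32 bytes.
    print(audit_private_key(generate_private_key()))
    print(audit_private_key((0xDEADBEEF).to_bytes(32, "big")))
```

The audit only catches keys whose entropy was lost to zero padding at either end; a key produced by a weak but full-width generator passes it, which is why the generator itself has to be a CSPRNG.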

Categories: Cyber Risk News

UK Government Allows Huawei to Provide ‘Non-Core’ 5G Kit

Wed, 04/24/2019 - 09:07

The British government has decided to allow Huawei to provide equipment for carriers’ 5G networks, but only ‘non-core’ technology, according to reports.

Prime Minister Theresa May made the decision after a meeting of the National Security Council (NSC), despite apparent concerns raised by foreign secretary Jeremy Hunt, home secretary Sajid Javid, defence secretary Gavin Williamson, and international development secretary Penny Mordaunt.

The partial ban will see the Shenzhen giant only able to provide equipment such as antennas, which are not deemed a potential national security risk. However, the distinction between what constitutes the 5G core and non-core has been questioned by intelligence chiefs.

Australian Signals Directorate director-general, Mike Burgess, warned in a speech last year: “The distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network.”

For its part, GCHQ has been fairly measured in its treatment of Huawei, despite growing pressure from the US to follow its lead with an outright ban.

In a speech in Singapore earlier this year, director Jeremy Fleming focused on the need for greater competition in the 5G market to improve cybersecurity. That echoed his counterpart at the National Cyber Security Centre (NCSC), Ciaran Martin, who argued that its evaluation center had found “serious problems with [Huawei’s] security and engineering processes.”

“As we said then, and repeat today, these problems are about standard of cybersecurity; they are not indicators of hostile activity by China,” he continued.

The UK decision will not go down well in Washington, which has already threatened allies such as Germany by claiming it will withhold intelligence information in the future if the country allows Huawei to build its 5G networks, fearing Chinese snoopers may be listening in.

Australia has stood by its Five Eyes partner the US in issuing a total ban on Huawei for 5G networks, while the New Zealand Government Communications Security Bureau is still deciding. The Chinese firm opened a transparency center in Brussels recently in a bid to convince local lawmakers that it poses no threat.

Categories: Cyber Risk News

European Parliament Approves Mass ID Database Plans

Tue, 04/23/2019 - 10:35

The European Parliament has approved plans to boost physical security by implementing a mass identity database, although privacy concerns persist.

The Common Identity Repository (CIR) will centralize the personal information of nearly all non-EU citizens in the EU’s visa-free Schengen region. The latter covers the vast majority of the EU except for Ireland and the UK, as well as Bulgaria, Croatia, Cyprus, and Romania.

The data — which will include fingerprints, names, addresses, photos and other info — will be consolidated from five separate systems, including databases of asylum seekers, short-stay visa applicants, and those with previous criminal convictions in the EU.

The idea is that it will enhance security in the region by minimizing information gaps and silos, helping law enforcers track terrorists and serious criminals who may otherwise be able to slip across borders undetected. Data on an estimated 300 million non-EU and some EU citizens will be stored in the CIR, according to reports.

“Global law enforcement agencies and border control personnel have been sharing information about people for decades, if not centuries,” argued John Gunn, CMO at OneSpan.

“CIR is a very positive move that will simply make the methods more timely, efficient, and effective resulting in speedier cross-border travels with less hassle and in greater safety for all as those with evil intent are more easily identified and stopped.”

However, others have voiced concerns that there are not enough safeguards to protect individual freedoms, and that the database could be a major target for hackers. EU privacy advisory body the Article 29 Working Party (WP29) explained these at length in a document last year.

“Regarding the Common Identity Repository (CIR), the WP29 is of the view that the cross-matching of various sources for identification and consolidating them in a new common database for the purpose of overall identification poses an additional interference with the rights to privacy and data protection,” it said.

“The WP29 is not convinced of the necessity and proportionality to establish such a mixed-purpose identification database including biometric data. Whether identity fraud is in practice such an essential threat to the internal security of the Union as to justify the central registering of biometric identifiers of all bona fide [third country nationals] TCN travellers, migrants and asylum seekers is not yet sufficiently established in terms of proportionality and therefore remain an issue of major concern.”

Categories: Cyber Risk News

Addiction Center Patients Exposed in Privacy Snafu

Tue, 04/23/2019 - 09:28

A large trove of personally identifiable information (PII) has been leaked by an addiction treatment center after researchers found another unsecured Elasticsearch database online.

Justin Paine, who is also a director of trust and safety at Cloudflare, blogged about his findings late last week, claiming to have found the offending database via a simple Shodan search.

As the data trove required no authentication to access, he was able to scroll through the 1.45GB of information. Although there were nearly five million documents contained in the database, they related in the end to around 146,000 unique patients.

Paine traced them back to Pennsylvania-based addiction treatment center Steps to Recovery.

“A leak of PII related to 146,316 unique patients would be bad on any day. It's particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” he argued.

“What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.”

After a few cursory Google searches, he was also able to determine with “high confidence” a patient’s age, birthdate, address, previous addresses, family members’ names, their political affiliation, phone numbers and email addresses.

Despite contacting the firm about the privacy snafu at the end of March, Paine had received no response as of April 15 and there are concerns that it has still not notified patients about the risk of identity theft. However, a message he sent to the hosting provider was received and access to the database subsequently restricted.

It’s just the latest in a long line of incidents involving misconfigured Elasticsearch instances. One revealed in November last year exposed the PII of nearly 82 million Americans.

Categories: Cyber Risk News

Cyber Readiness Worsens as Attacks Soar

Tue, 04/23/2019 - 09:02

The number of organizations in Europe and the US that have been hit by a cyber-attack over the past year has soared to over three-fifths (61%), according to a new report from Hiscox.

The global insurer today released the results of its Hiscox Cyber Readiness Report 2019, which is compiled from interviews with over 5300 cybersecurity professionals in the US, UK, Belgium, France, Germany, Spain and the Netherlands.

It revealed a sharp increase in the number of firms suffering an attack, up from 45% in the 2018 report. In the UK, the figure rose from 40% to 55%.

There was also a rise in the number of small (from 33% to 47%) and medium-sized businesses (36% to 63%) reporting an attack, across the US and Europe.

Two-thirds of firms (65%) on average claimed to have been hit by supply chain cyber incidents.

Average losses were also up by 61%: from $229,000 last year to $369,000 this, a figure exceeding $700,000 for large firms versus just $162,000 in 2018.

Although cybersecurity spending went up by 24% over the past year to reach $1.45m, only 10% of responding organizations were classed as “experts” in terms of their cyber-readiness, with nearly three-quarters (74%) described as unprepared “novices.” Disappointingly, there was a sizeable drop in the number of large US and German firms achieving “expert” scores.

Hiscox cyber CEO, Gareth Wharton, argued that cyber-attacks have become “the unavoidable cost of doing business today.” 

“This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber-attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable,” he explained.

“The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber-insurance policy.”

Categories: Cyber Risk News

Singapore Responds to Recent Cybersecurity Attacks

Mon, 04/22/2019 - 14:49

During a visit to San Francisco, Singapore foreign affairs minister Vivian Balakrishnan commented that the country cannot "go back to pen and paper. ... If people lose confidence in the integrity and security of the system, then all these aspirations cannot be fulfilled."

The comments follow information coming into the open regarding data breaches, one of which affected 14,200 individuals diagnosed with HIV up to January 2013. In a statement by the police, it was confirmed that the information was "in the possession of an unauthorized person" and had been illegally disclosed online.

The statement went on to say that the information was in the possession of Mikhy K. Farrera Brochez, a male US citizen residing in Singapore between January 2008 and June 2016. He was convicted of fraud and drug-related offences in March 2017, sentenced to 28 months in prison and deported from Singapore. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower in order to obtain and maintain his employment pass.

According to Bloomberg, Balakrishnan said the government’s response to recent cybersecurity attacks and human leaks has to be one where "it’s completely open." It follows the first meeting of the Public Sector Data Security Review Committee, which was held on April 18, 2019, according to a government statement. 

Bloomberg reported that attendees of the meeting "reviewed past data incidents" and broad approaches to raise the bar of security. The committee will submit its final report to the prime minister by the end of November 2019. 

Singapore has been trying to position itself as a "Smart Nation," with initiatives focusing on digital identity, smart urban mobility and e-payments. However, the data breaches have made many people nervous, especially with the ambitions of artificial intelligence (AI) clear. 

“The ability to deploy AI in our respective fields should be commoditized,” Balakrishnan said. “We will be one of the earliest adopters of these new technologies.”

Categories: Cyber Risk News

WannaCry 'Hero' Pleads Guilty to Writing Malware in US Court

Mon, 04/22/2019 - 14:04

Marcus Hutchins, also known as MalwareTech, has pleaded guilty in a US court to two counts of creating and spreading malware. The reverse-engineer is well known for his contribution to ending the WannaCry ransomware attacks in May 2017. 

According to Wisconsin court documents, Hutchins was charged in "10 counts of a superseding indictment." He pleaded guilty to counts one and two, saying that the US government would be able to prove that "between July 2012 and September 2016, [he] helped create and, in partnership with another, sell malicious computer code, aka malware, known as UPAS-Kit and Kronos."

Arrested in August 2017 at the Las Vegas airport by the FBI, Hutchins was accused of creating and spreading the banking Trojan Kronos, followed by additional charges in June 2018 relating to developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools. He denied the former in 2017, making this a complete turnaround on his previous plea.

Kronos targeted banking information and was valued at $7,000 on the dark web.

Hutchins made a public statement in response to reports of his plea: "As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

The WannaCry attacks took place in May 2017, with Telefonica being the first victim. The attacks happened worldwide, including the UK's National Health Service (NHS), and impacted more than 150 countries. Hutchins created a kill switch, which helped organizations globally stop the ransomware. He won an award for his contribution, as many said the impact would have been worse without it.

According to the Wisconsin court documents, Hutchins could face up to six years in prison and a $250,000 fine.

Categories: Cyber Risk News

Password "123456" Used by 23.2 Million Users Worldwide

Mon, 04/22/2019 - 13:38

The National Cyber Security Centre (NCSC) expects 42% of Britain's online users to lose money due to fraud, according to its first UK Cyber Survey.

Released over the Easter weekend (April 21, 2019), the report also found that the most-used password from global cyber breaches was "123456," with "ashley" the most-used name as a password. The global password-risk list was published to disclose passwords already known to hackers.

Survey Findings from Poll, NCSC

The polling was independently carried out on behalf of NCSC, a part of GCHQ and the Department for Digital, Culture, Media and Sport (DCMS). The findings, as well as 100,000 passwords already known to have been breached by hackers, were released ahead of NCSC's CYBERUK 2019 conference, which will be taking place in Glasgow this week. These will inform government policy and guidance offered to the public.

Ian Levy, NCSC technical director, said: “We understand that cybersecurity can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.

“Password reuse is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.”

According to the NCSC's announcement, the list was created after breached usernames and passwords were collected and published by international web security expert Troy Hunt. The website allows people to check if they have an account that has been compromised in a data breach.

The report also found that the proportions of respondents who felt they would be a victim of cybercrime in the next two years range from 12% having information stolen and a ransom demanded to 42% who feel they will have money stolen that will later be reimbursed. Only 51% feel that apps being accessed without consent will have a big personal impact, while 91% feel having money stolen without reimbursement would have a big impact.

Other findings included: 

  • Only 15% know a great deal about how to protect themselves from harmful activity.
  • The most regular concern is money being stolen, with 42% feeling it will likely happen to them by 2021.
  • 89% use the internet to make online purchases, with 39% on a weekly basis.
  • One in three rely to some extent on friends and family for help on cybersecurity.
  • Young people are more likely to be privacy conscious and careful of what details they share online.
  • 70% always use PINs and passwords for smartphones and tablets.

Margot James, DCMS’ digital and creative industries minister, said, "Cybersecurity is a serious issue, but there are some simple actions everyone can take to better protect against hackers. We shouldn't make their lives easy, so choosing a strong and separate password for your email account is a great practical step.

“Cyber-breaches can cause huge financial and emotional heartache through theft or loss of data, which we should all endeavor to prevent."

The NCSC’s two-day CYBERUK 2019 conference will see 2,500 delegates come to Glasgow’s Scottish Exhibition Centre on April 24 and 25 for a range of speeches, workshops and interactive displays.

Categories: Cyber Risk News

Mueller Report: Individuals Deleted Data During Investigation

Fri, 04/19/2019 - 14:51

After two years of investigating, Robert S. Mueller III yesterday finally released his findings in the Report on the Investigation into Russian Interference in the 2016 Presidential Election. The 448-page report looks into Russian interference specifically but also into any individuals in the US that may have been involved.

Appointed in May 2017 as Special Counsel to the investigation, Mueller found that Russia's interference in the 2016 election included social media activity, which related back to the Cambridge Analytica exposé in March 2018, and "a Russian intelligence service conducted computer-intrusion operations against entities, employees, and volunteers working on the Clinton Campaign and then released stolen documents."

"The Internet Research Agency (IRA) carried out the earliest Russian interference operations identified by the investigation – a social media campaign designed to provoke and amplify political and social discord in the United States," says the report. "The IRA was based in St. Petersburg, Russia, and received funding from Russian oligarch Yevgeniy Prigozhin and companies he controlled.

"At the same time that the IRA operation began to focus on supporting candidate Trump in early 2016, the Russian government employed a second form of interference: cyber intrusions (hacking) and releases of hacked materials damaging to the Clinton Campaign. The Russian intelligence service known as the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) carried out these operations."

Interestingly, data loss was discussed in the report as "the Office" had learned that some of the individuals they had interviewed – including some associated with the Trump Campaign – had deleted relevant communications or communicated during the relevant period using encrypted applications. In some instances this hindered the investigation, according to Mueller. 

However, the report concludes, there isn't sufficient evidence to prove a crime had been committed in relation to the US election. 

"The Russian contacts consisted of business connections, offers of assistance to the campaign, invitations for candidate Trump and [Russian president Vladimir] Putin to meet in person, invitations for campaign officials and representatives of the Russian government to meet, and policy positions seeking improved US-Russian relations," says the report. "While the investigation identified numerous links between individuals with ties to the Russian government and individuals associated with the Trump campaign, the evidence was not sufficient to support criminal charges."

It is also unclear what will happen next. According to BBC News, Attorney General William Barr is facing "heavy criticism" of his handling of the report's release, with some accusing him of misleading them with an earlier summary on whether President Trump obstructed justice. 

According to USA Today, the Kremlin hit back at Mueller's investigation: The report "does not present any reasonable proof at all that Russia allegedly meddled in the electoral process in the US," said Dmitry Peskov, spokesman for Russian president Vladimir Putin.

Categories: Cyber Risk News

Cyber-Attack Knocks the Weather Channel Off the Air

Fri, 04/19/2019 - 14:31

The Weather Channel, based in Atlanta, Georgia, has been hit with a cyber-attack that knocked it off the air for 90 minutes. 

On April 18, 2019, the organization took to its Twitter channel to confirm that it had been hit by a "malicious software attack" on its network but as of press time hasn't released any specifics on the attack itself. When the AMHQ show should have started, viewers saw taped programming, Heavy Rescue. AMHQ's Twitter feed also confirmed that it was "experiencing technical difficulties." 

Around 90 minutes later, the show returned with its anchors informing viewers of the cyber incident.

"The Weather Channel, sadly, has been the victim of a malicious software attack today," said anchor Jim Cantore.

"Yes, and it has affected our ability to bring you your weather information," added anchor Stephanie Abrams. "So we just wanted to say thank you again for your patience and we want to get right to today's severe weather."

While attacks on television networks do not always make mainstream news, many countries have fallen victim to them. In February 2018, a cyber-attack on the PyeongChang Olympic Games, attributed to Russia, took the official Olympic website offline for 12 hours and disrupted Wi-Fi and televisions at the PyeongChang Olympic stadium.

Also, in October 2018, the National Cyber Security Centre accused Russia's military intelligence services of targeting firms in Russia and Ukraine, the US Democratic Party and a small TV network in the UK.

Categories: Cyber Risk News
