Info Security


Over 230 UK Police Disciplined for Computer Misuse

Fri, 11/08/2019 - 11:30

Hundreds of UK police officers have been disciplined over the past two financial years for misusing computer systems, a new Freedom of Information (FOI) request has revealed.

Think tank Parliament Street received data from 23 forces across England and Wales as part of the FOI-based research.

In total, 237 officers and staff members were disciplined, with six resigning during investigations and 11 sacked.

In Gwent, three officers were fired for searching the police database for a named person, disclosing confidential information and unlawfully accessing information. In Wiltshire, three officers lost their jobs for misusing the police database.  

Surrey police has the dubious honor of being the force with the highest number of incidents, recording 50 individual cases. Next came the Metropolitan Police with 18. Here, one staffer was sacked for misusing the Crime Reporting Information System (CRIS) and four were disciplined for misusing social media.

In Cumbria, 16 incidents occurred over the two years after individuals accessed police systems without a policing purpose.

“Instilling the highest standards of IT best practice in serving officers and operational staff is critical for maintaining the integrity of our police forces. All too often these incidents arise due to a lack of training or understanding about the need for correctly handling sensitive information,” argued Sheila Flavell, COO of FDM Group.

“With cybercrime on the rise, it’s vital that those tasked with keeping us safe are proficient with technology and acutely aware of the importance of data protection rules.”

The study calls to mind a Huntsman Security report from 2017 which revealed that UK police investigated nearly 800 cases of misuse of data by staff over the previous 12 months.

In addition, a Big Brother Watch report from 2016 revealed 2315 recorded incidents of data breaches between June 2011 and December 2015. Over 800 staff and officers accessed personal info without a policing purpose and over 800 shared information “inappropriately” with third parties during the period.

Categories: Cyber Risk News

UK Government Spends £2M on Anti-Drone Projects

Fri, 11/08/2019 - 10:37

The UK government is set to spend £1.8m developing anti-drone capabilities, as threats from the skies increase.

The Ministry of Defence’s Defence and Security Accelerator (DASA) this week announced funding for 18 projects, which will each receive around £100,000. Successful organizations included University College London, Thales UK, QinetiQ, Northumbria University and BAE Systems Applied Intelligence.

Projects include developing methods to detect 4G and 5G-controlled drones, AI sensors to automatically identify aerial vehicles and low-risk ways of stopping drones through electronic interception.

The first, proof-of-concept, phase will run until summer 2020 and will be followed by a second phase focused on maturing these projects into integrated solutions.

“The introduction of Unmanned Air Systems (UAS), often referred to as drones, has been one of the most significant technological advances of recent years and represents a shift in capability of potential adversaries,” explained competition technical lead, David Lugton.

“The threat from UAS has evolved rapidly and we are seeing the use of hostile improvised UAS threats in overseas theatres of operation. There is a similar problem in the UK with the malicious or accidental use of drones becoming a security challenge at events, affecting critical infrastructure and public establishments; including prisons and major UK airports.”

Drones famously forced hundreds of flights to be cancelled at London’s Gatwick Airport last Christmas, with tens of thousands of passengers stranded. In fact, the number of near-misses involving UAS in the UK soared by over a third from 2017 to 2018.

However, drones could also represent a growing threat not just to physical safety but also network security.

Just this week, defense contractor Booz Allen Hamilton warned that 2020 could see hackers use UAS as rogue access points — landing them in concealed places on corporate property while they harvest credentials, perform man-in-the-middle attacks against employees and carry out network reconnaissance.

Categories: Cyber Risk News

New Study: Hospital Breaches Could Be Killing Patients

Fri, 11/08/2019 - 09:51

Data breaches at hospitals appear to be having a serious impact on patient care, increasing mortality rates for years after an incident, according to new research.

Researchers at Vanderbilt University and the University of Central Florida analyzed breach data for 3000 hospitals from 2012-2016 in an attempt to estimate the relationship between breach remediation efforts and care quality. Department of Health and Human Services (HHS) breach data and Medicare Compare's public data on hospital care measures provided the data sources.

What they found was shocking: an increase in 30-day mortality rate for heart attacks that translated to 36 additional deaths per 10,000 heart attacks per year. Mortality rates apparently continued to rise for about three years after a breach before tapering off.

Breaches also had a worrying impact on the time it took staff to hook up a patient in the emergency room to an electrocardiogram (EKG). Time-to-EKG rose by 2.7 minutes following a breach.

Although the research wasn’t able to determine what changes led to these delays and outcomes, it pointed the finger at the post-breach delay while an incident is investigated and security updates are applied.

“This long time-frame tells us that in breached hospitals, it’s the remediation efforts — not the breach itself, but the post-breach remediation efforts — that are impacting these time-sensitive processes and patient outcome measures,” said report co-author, Eric Johnson.

“Security solutions designed to prevent future breaches may require usability assessment or include some sort of ‘break glass in case of emergency’ functionalities to ensure providers can quickly get the information they need when they need it most.”

There is no information in the report on ransomware, as it was relatively rare prior to 2016 and thus not covered.

However, the authors warned: “Our findings suggest that ransomware attacks might have an even stronger short-term negative relationship with patient outcomes than the long-term remediation efforts studied here.”

The UK’s NHS famously suffered major outages as a result of the WannaCry ransomware worm in 2017. Estimates suggest 19,000 operations and appointments were cancelled, and in some cases critical patients had to be diverted to other hospitals.

Categories: Cyber Risk News

Amazon Doorbell Camera Lets Hackers Access Household Network

Thu, 11/07/2019 - 17:15

A vulnerability detected in Amazon doorbell cameras made it possible for hackers to gain access to the owner's household computer network.

The weakness in the Ring Video Doorbell Pro IoT device was discovered by researchers at Bitdefender in June of this year. Researchers found that the credentials of the local wireless network were being sent through an unsecured channel using plain HTTP during the doorbell's setup process. 

By exploiting the flaw, an attacker physically near the device could get hold of the doorbell owner's Wi-Fi password and use it to interact with all the devices in the owner's household network. 

With the ability to communicate with devices such as security cameras and NAS storage devices, an attacker could access and steal private photos, videos, emails, and documents. It would also make it possible for an attacker to mount man-in-the-middle attacks. 

According to Bitdefender chief security researcher Alexandru “Jay” Balan, the vulnerability could even have allowed a particularly determined hacker to gain physical access to a property. 

Balan told Infosecurity Magazine: "With access to a user's Wi-Fi password and, implicitly, access to the user's home network, there's a lot that can be done since devices are less secure on the inside.

"It's possible that someone could hack a local system that can output sounds (like a computer or a sound system) and make it say 'Alexa, open the front door'; however, this is admittedly a stretch." 

The video doorbell is an immensely popular home security device, with almost 17,000 reviews and more than 1,000 answered questions on the Amazon.com website.

Bitdefender disclosed the vulnerability to Amazon on June 24. Amazon began implementing a fix on September 5, and as of now, all Ring Doorbell Pro cameras have received a security update that fixes the issue.  

This isn't the first time Bitdefender has found flaws in a security device. 

"We uncovered vulnerabilities in Guardzilla indoor security cameras last year that showed significantly bigger issues," said Balan. 

"There's no escaping someone finding security flaws in your products, no matter who you are."

Worryingly, more than half of vendors alerted to vulnerabilities in their products take no action to resolve them. 

"We actually appreciate Ring's response. They deployed the patch quickly," said Balan.

"In more than 60% of the notifications we have sent to vendors we have received no response whatsoever."

Categories: Cyber Risk News

Trend Micro Employee Sells Customer Data

Thu, 11/07/2019 - 16:10

An employee of trusted cybersecurity firm Trend Micro has been fired after illegally accessing and selling customer data to a malicious third party. 

An estimated 68,000 English-speaking customers were affected by the insider threat incident, which was disclosed by Trend Micro on Tuesday. 

Trend Micro's suspicions were first aroused in early August 2019, when customers running the company's home security solution began reporting that they had received calls from scammers purporting to be Trend Micro support personnel. 

In a statement shared on the company website, a Trend Micro spokesperson wrote: "The information that the criminals reportedly possessed in these scam calls led us to suspect a coordinated attack."

An investigation was "immediately launched" by Trend Micro, but it wasn't until October 2019 that the company was able to say for sure that the scam phone calls had stemmed from an insider threat.

Information that ended up in the hands of the criminal scammers included names, email addresses, and telephone numbers. 

The identity of the malicious third party who bought the information from the rogue Trend Micro employee, and how much they paid for the stolen data, is currently unknown.  

A Trend Micro spokesperson wrote: "A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers.  

"There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed."

Upon discovering the wounding betrayal by one of their own, Trend Micro immediately disabled the unauthorized account access and fired the insider threat culprit. The incident is currently under investigation by law enforcement. 

In a statement released on their website, Trend Micro reminded their customers that the company never makes unsolicited phone calls to consumers. 

A company spokesperson wrote: "If a support call is to be made, it will be scheduled in advance. If you receive an unexpected phone call claiming to be from Trend Micro, hang up and report the incident to Trend Micro support."

Categories: Cyber Risk News

PayPal Tops List of Most Imitated Brands

Thu, 11/07/2019 - 16:06

PayPal has knocked Microsoft off the top spot to become the brand most imitated in phishing attacks.

The payment facilitator was accorded this dubious honor today with the publication of Vade Secure's Phishers' Favorites report for Q3 2019.

Researchers analyzed data from more than 600 million protected mailboxes worldwide to determine which organizations email scammers deign to pose as most frequently. The resulting report lists the 25 most aped organizations.

Pole position was tenaciously held by Microsoft for five consecutive quarters before PayPal bumped the famous software vendor down to second place in the third quarter of 2019. 

"You can no longer identify phishing based on poor design, typos, or bad grammar; they’re well designed and well written," Adrien Gendre, Vade Secure’s chief solutions architect, told Infosecurity Magazine. 

"When I speak at conferences, I like to show a slide with two Office 365 login pages: one is real and the other is phishing. Most of the time, the audience picks the wrong one. And the reason is because phishers often pull JavaScript, CSS, and other resources directly from the legitimate Microsoft website." 

Cozying up into third position is streaming giant Netflix, which has been impersonated more and more with each passing quarter over the past year and a half. Gendre speculated that the increase in the number of attacks is tied to the company's content release schedule. 

"Cybercriminals certainly have their finger on the pulse of current events and social trends, and they create and time their attacks accordingly," said Gendre. 

"Leading up to the launch of a new iPhone, we typically see a spike in Apple phishing. And it’s probably not a coincidence that Netflix phishing grew in Q3, when Stranger Things Season 3, the most watched Netflix show this year, was released."  

The most impersonated industry in this year's third quarter was finance, with ten different financial services brands making it into the top 25 list of phishers' favorites. On its own, finance accounted for a whopping 37.9% of all URLs. 

Phishers mailed out 79.1% of their email scams on weekdays, with Mondays and Wednesdays proving to be the most popular days on which to cast a virtual line. 

Asked if scammers are ditching big-dream bait like wealth and romance in favor of more banal hooks, Gendre said: "We still see a fair share of wealth and romance scams. For phishing, though, the hook is less about romance and more about creating fear, uncertainty and doubt (FUD), combined with a sense of urgency. 

"For example, 'your Netflix account has been suspended because your payment wasn’t processed.' The combination of fear and urgency is intended to drive targets to click without thinking or scrutinizing the email."

Categories: Cyber Risk News

SecureData CTO Names Three Pillars of Active Defense

Thu, 11/07/2019 - 14:40

Speaking at a SecureData event in London, CTO Etienne Greeff identified the three pillars of active defense.

He listed these as: observe the landscape, understand where your vulnerabilities are and detect attacks and where you can be compromised. However, he warned that there is “no point in doing them if you are not doing them consistently.”

On the subject of addressing security issues, Greeff said that “keeping machines up-to-date is difficult,” as is dealing with vulnerabilities, and attacks “make it extremely hard to be good guys fighting bad guys.”

He said that to deal with the challenges, as defenders, “we need to understand the threat landscape and what attackers are targeting,” as well as understand offensive actions, vulnerabilities, our attack surface and what is out there. 

The attack surface is where the “most gain is made” Greeff stated, pointing out that unlike the threat landscape, the attack surface is under your control and offers a bigger opportunity to focus your security spending.

Greeff said that there is too much focus on “things that are trivial,” as threat intelligence is often “not as useful as you think” – too often, only a small proportion of the intelligence received concerns anything actually malicious. “We focus too much on the enemy and not on ourselves, and we need to understand the network and learn from it.”

Looking at how to have a better defense, Greeff said that this is achieved by working in a “meticulous and consistent way”: collecting data and correlating it to make sense of it, then using it so you know what it contains and what you need to act upon, and “then analyze the data to know what to do, and measure it.”

He concluded by saying that “all of you will have a security issue” at some point, and knowing how to deal with an attack and learn from an assault will aid you. He said: “We face overwhelming odds and security is not an easy task and we complicate it with interconnected systems and face a sophisticated adversary – but focus on knowing yourself, your attack surface and behaviors and vulnerabilities.” 

Categories: Cyber Risk News

Magento 1 End-of-Life Offers Opportunities for Hackers

Thu, 11/07/2019 - 13:44

A popular Content Management System (CMS) software version is soon set to be retired, potentially exposing hundreds of thousands of companies to the risk of digital skimming attacks.

Launched in 2007, Magento 1 currently powers around 12% of global e-commerce stores, or 250,000 active sites, according to security firm Sucuri.

However, with end of support set to land in June 2020, there will be new opportunities for attackers to compromise these websites to access sensitive customer data.

All eyes will be on the groups using the infamous Magecart skimming code to harvest card details as they are entered into e-commerce website payment pages.

“It’s no secret that a CMS without support will develop vulnerabilities. Eventually, these lead to a compromised website — which cripples any e-commerce business,” explained Sucuri’s Art Martori.

“When you consider the popularity of the Magento e-commerce platform, it’s easy to see how their announcement of the Magento 1 end of life could leave a significant portion of e-commerce retailers scrambling for new solutions.”

By exploiting Magento 1 vulnerabilities that emerge but are no longer patched after June 2020, these hackers could therefore theoretically implant the malicious JavaScript on even more sites next year.

These groups are already estimated to have compromised hundreds of thousands of sites and millions of users, and possibly many more.

Hackers have even sought to exploit misconfigured Amazon Web Services (AWS) S3 buckets to implant the code onto more sites.

Sucuri recommended web application firewalls (WAFs) as a useful way to protect end-of-life platforms like Magento 1 while potentially easing the pain of migration.

Categories: Cyber Risk News

US: Saudi Government Recruited Twitter Staff to Spy

Thu, 11/07/2019 - 11:00

The Saudi Arabian government recruited two former Twitter employees to spy on prominent critics of the regime, a new US complaint has alleged.

Prosecutors claimed in the newly released court documents that US citizen Ahmad Abouammo and Saudi Ali Alzabarah accessed personal information in over 6000 Twitter accounts back in 2015.

These included government critic and noted journalist, Omar Abdulaziz, who has over one million followers and was close to Washington Post columnist Jamal Khashoggi — who was murdered in the Saudi consulate in Istanbul last year, despite being a US citizen.

Although the duo’s jobs did not require access to user information, they were able to look up email addresses and even associated IP addresses, giving the Saudi government information on where the users were geographically located.

Abouammo was a media partnership manager for Twitter’s Middle East region, while Alzabarah was a site reliability engineer. Their intermediary is said to have been a Saudi named Ahmed Almutairi, who worked as a social media adviser to the royal family.

Reports suggest that the Saudi Crown Prince Mohammed bin Salman, implicated in the Khashoggi murder, is linked to the plot.

The complaint also alleged that the two defendants were paid handsomely for their efforts, in designer watches and tens of thousands of dollars placed into secret bank accounts.

After Alzabarah allegedly admitted to his boss that he had been spying on Twitter users, he was escorted out of the office. However, he is said to have flown to Saudi Arabia the next day with his family and not returned.

Twitter released a statement thanking the FBI and Department of Justice for their support with the investigation, and claiming that it limits access to sensitive account info “to a limited group of trained and vetted employees.”

“We recognize the lengths bad actors will go to to try and undermine our service,” it noted. “We understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable.”

Categories: Cyber Risk News

Cybersecurity Skills Shortage Tops Four Million

Thu, 11/07/2019 - 10:31

Global IT security skills shortages have now surpassed four million, according to (ISC)2.

The certifications organization compiled its latest Cybersecurity Workforce Study from interviews with over 3200 security professionals around the world.

The number of unfilled positions now stands at 4.07 million professionals, up from 2.93 million this time last year. This includes 561,000 in North America and a staggering 2.6 million shortfall in APAC.

The shortage of skilled workers in the industry in Europe has soared by more than 100% over the same period, from 142,000 to 291,000.

The report estimated the current global workforce at 2.93 million, including 289,000 in the UK and 805,000 in the US.

Nearly two-thirds (65%) of responding organizations reported a shortage of cybersecurity staff, with a lack of skilled or experienced security personnel their number one workplace concern (36%).

(ISC)2 claimed the global security workforce needs to increase by a staggering 145% to cope with a surge in hiring demand. In Europe, this has come particularly in smaller companies with 1-99 employees, as well as those with over 500 employees.

Unsurprisingly, over half (51%) of cybersecurity professionals said their organization is at moderate or extreme risk due to staff shortages.

The report pointed to four key strategies to help organizations tackle such shortages. These include in-house training and development and setting applicant qualification requirements at the right level to ensure as wide a net as possible is cast.

(ISC)2 also stressed the need to attract new workers from other professions, or recent graduates with tangential degrees, as well as seasoned professionals from consulting and contracting sectors. Finally, organizations should look to strengthen from within by cross-training existing IT professionals where appropriate.

Categories: Cyber Risk News

Cloud Covers Up Insider Threats

Wed, 11/06/2019 - 20:59

A new study has found that more than half of organizations believe detecting insider threats is harder following migration to the cloud.

The 2020 Insider Threat Report published today found that a lack of visibility into anomalous activity, especially in the cloud, and manual SIEM workloads have increased the risk of insider threats for organizations and prevent many from detecting and stopping data exfiltration.

The annual report was produced with the support of Gurucul by Cybersecurity Insiders, the 400,000-member community of information security professionals, to explore how organizations are responding to evolving security threats.

Key findings are that 58% of organizations consider their monitoring, detecting, and response to insider threats somewhat effective or worse, and 53% believe that detecting insider attacks has become significantly to somewhat harder since migrating to the cloud.

Nearly half of the companies surveyed for the report admitted that they are unable to remediate insider threats until after data loss has occurred. 

Although 68% of organizations indicated that they felt vulnerable to insider attacks, 17% admitted having no visibility whatsoever into user behavior within core applications. 

The most popular method for monitoring user behavior within core applications was via server logs, which were used by 46% of companies surveyed for the report. In-app audit systems/features were used by 31%, and 33% said that they had conducted user-activity monitoring.

The majority of organizations—87%—found it moderately difficult to very difficult to determine the actual damage of an insider attack, though the most common estimate, given by half of the organizations surveyed, was that an insider attack would cost less than $100,000.  

As for identifying the sources of threats, 63% of organizations think that privileged IT users pose the biggest insider security risk.

“Insider threats are not limited to employees. They extend to contractors, supply chain partners, service providers and account compromise attacks that can abuse access to an organization’s assets both on-premise and in the cloud,” said Craig Cooper, COO of Gurucul. 

“Lack of visibility and legacy SIEM deployments put companies at risk. Insider threat programs that monitor the behavior of users and devices to detect when they deviate from their baselines using security analytics can provide unmatched detection, risk-based controls and automation.”
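The monitoring this report and the Trend Micro and Twitter insider cases above point to can be approximated from access audit logs alone. The following is an added illustration, not code from Gurucul, Cybersecurity Insiders or any vendor named on this page: it runs two checks over constructed log lines, a role-need check (a lookup of a record type the user's role has no business reason to touch, as with the Twitter staff whose jobs did not require account data) and a baseline-deviation check (a user's daily lookup volume far above their own history, the pattern of a bulk export like the Trend Micro case). The role policy, thresholds, user names and log format are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Record types each role has a business need to access. Constructed for
# illustration; a real policy comes from the organisation's access model.
ROLE_NEED = {
    "support": {"customer_contact", "support_ticket"},
    "sre": {"system_metrics"},
    "partnerships": {"public_profile"},
}
MIN_HISTORY_DAYS = 3   # prior days needed before a personal baseline is trusted
SIGMA = 3.0            # flag a day more than 3 standard deviations above the mean

# Constructed audit log: timestamp user role action record_type count
AUDIT_LOG = """\
2019-08-01T09:12:03Z alice support lookup customer_contact 18
2019-08-02T09:40:11Z alice support lookup customer_contact 22
2019-08-03T10:02:45Z alice support lookup customer_contact 20
2019-08-04T09:55:30Z alice support lookup customer_contact 19
2019-08-05T02:14:09Z alice support lookup customer_contact 1900
2019-08-01T11:00:00Z bob sre lookup system_metrics 500
2019-08-02T11:00:00Z bob sre lookup system_metrics 480
2019-08-03T23:41:17Z bob sre lookup customer_contact 40
2019-08-04T15:20:00Z carol partnerships lookup customer_contact 6
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    date: str
    record_type: str
    count: int
    detail: str


def parse_log(text):
    """Turn raw log lines into (date, user, role, action, record_type, count)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, rtype, count = line.split()
        events.append((ts[:10], user, role, action, rtype, int(count)))
    return events


def role_need_findings(events):
    """Flag any access to a record type outside the role's business need."""
    out = []
    for date, user, role, _action, rtype, count in events:
        if rtype not in ROLE_NEED.get(role, set()):
            out.append(Finding("role-need", user, date, rtype, count,
                               f"role '{role}' has no business need for {rtype}"))
    return out


def baseline_findings(events):
    """Flag a day whose volume is far above the user's own prior history."""
    daily = defaultdict(lambda: defaultdict(int))  # (user, rtype) -> date -> count
    for date, user, _role, _action, rtype, count in events:
        daily[(user, rtype)][date] += count
    out = []
    for (user, rtype), per_day in daily.items():
        history = []
        for date in sorted(per_day):
            count = per_day[date]
            if len(history) >= MIN_HISTORY_DAYS:
                mu, sd = mean(history), pstdev(history)
                # the 2*mu floor stops a near-zero spread from flagging tiny jitter
                threshold = max(mu + SIGMA * sd, 2 * mu)
                if count > threshold:
                    out.append(Finding("baseline", user, date, rtype, count,
                                       f"{count} vs baseline {mu:.1f} +/- {sd:.1f}"))
            history.append(count)
    return out


def analyze(text):
    """Run both checks; role-need findings first, then baseline deviations."""
    events = parse_log(text)
    return role_need_findings(events) + baseline_findings(events)


if __name__ == "__main__":
    for f in analyze(AUDIT_LOG):
        print(f"{f.rule:9} {f.date} {f.user:6} {f.record_type:17} {f.count:5} {f.detail}")
```

On the constructed log this yields three findings: bob and carol for touching customer contact records outside their roles, and alice for the 1,900-record day against a baseline of about 20.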

Categories: Cyber Risk News

New Website Mocks Excuses Given by Breached Companies

Wed, 11/06/2019 - 20:14

The excuses made by companies that have suffered a data breach are being parodied online by a new website, whose creator is unknown. 

"Why the f*ck was I breached?" uses algorithms to generate a slew of entertaining excuses that attempt to explain how data came to be exposed. 

Excuses that appear on the site include "Anonymous collective used that other vulnerability we were going to patch next Tuesday to make a mess," "Russians used an open window in the server room to transfer 7 petabytes of data," and "Teenagers used nefarious techniques to do something, but we aren't quite sure what it is."

Along with each excuse comes an assurance that no further breaches will occur because the company has taken some kind of action that even a cybersecurity novice can see will be totally ineffective at preventing a similar incident from occurring.

Preventative actions that appear on the site include "We have since worked with law enforcement," "We have since copy-pasted a security policy we found on Google," and "We have since watched the movie Hacker 8 times back to back." 

The site opens with the statement: "Did you just lose 100m customer SSNs because your root password was 'password,' you set an S3 bucket to public, or you didn't patch a well-known vulnerability for 8 months? Is the media and government chewing you out because of it? Worry not! Our free excuse generator will help you develop an air-tight breach statement in no time!"

Users can then scroll down to view an auto-generated breach excuse. To make the next excuse appear, users must click a button that reads "Equifax already f*cking used that one."

While the site was clearly created for comic effect, by mocking the often vague information disclosed by companies following a data breach it flags the salient issue of how cybersecurity is approached and implemented. 

The site aims particular criticism at Equifax, which exposed the personal information of 147 million people in July 2017. Although staggering in size, this breach is paltry when compared to the breaches that affected 3 billion Yahoo users in 2013 and 500 million Marriott customers between 2014 and 2018.

Categories: Cyber Risk News

California DMV Exposes Drivers' Data for 4 Years

Wed, 11/06/2019 - 18:48

The Social Security information of thousands of drivers has been exposed following a data breach at the California Department of Motor Vehicles that went unnoticed for four years.

Information relating to 3,200 people issued with driver's licenses was inadvertently leaked to federal agencies, including the U.S. Department of Homeland Security.

A total of seven agencies were able to access the data, including district attorneys in San Diego and Santa Clara counties, the Small Business Administration, and the Internal Revenue Service.

According to the Los Angeles Times, some data exposed by the DMV was accessed as part of investigations into criminal activity or compliance with tax laws.

DMV spokesperson Anita Gore stated that no information had been accessed by or shared with private individuals as a result of the breach. 

The DMV restricted access to the data shortly after discovering the breach on August 2, 2019. 

“Protection of personal information is important to DMV, and we have taken additional steps to correct this error, protect this information and reaffirm our serious commitment to protect the privacy rights of all license holders,” Gore said. 

“That’s why DMV immediately began correcting the access error following a legal compliance review, ensured that no additional confidential information was disclosed to these entities, and has implemented several additional layers of review.”

Customers of the DMV were informed of the breach by letter. In it, Albert C. Hwang, chief privacy officer at the DMV, wrote: “We sent this letter and the attached notice to you based on having, in the past, shared your Social Security information in error.”

California state law requires customers to be notified of any unauthorized acquisition of computerized data that compromises the confidentiality of personal information.

News of the breach comes just months after a state audit in March found “significant deficiencies” in DMV operations, including technology and staffing problems and poor management practices.

The audit found that the department's computer system was relying on programming language dating to the 1950s and that some parts of the department’s operating structure hadn’t been updated since 1990. 

The DMV has also been criticized for soul-crushingly long waiting times, with some Californians reporting queues that lasted nearly six hours.

Categories: Cyber Risk News

Facebook Admits Another Developer Privacy Snafu

Wed, 11/06/2019 - 11:30

Facebook has revealed yet another incident where third-party developers may have been allowed too much access to user data.

In this case, names, profile pictures and other information relating to members of Facebook groups may have been accessed improperly by as many as 100 developer ‘partners’ of the social network.

“We know at least 11 partners accessed group members’ information in the last 60 days,” said Facebook director of developer platforms and programs, Konstantinos Papamiltiadis.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”

The snafu relates to a Groups API that Facebook restricted as part of its efforts in April last year to clamp down on data sharing with third parties, in the wake of the Cambridge Analytica scandal.

“Before April 2018, group admins could authorize an app for a group, which gave the app developer access to information in the group,” said Papamiltiadis.

“As part of the changes to the Groups API after April 2018, if an admin authorized this access, that app would only get information, such as the group’s name, the number of users, and the content of posts. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt-in.”

Unfortunately, the social network subsequently discovered that some apps/developers retained access to this additional information “for longer than intended.”

These have now been removed as part of Facebook’s efforts to improve transparency and accountability following its record $5bn settlement with the FTC.

In September this year it announced the suspension of tens of thousands of apps from hundreds of developers for potential abuse of policy, such as improperly sharing user data.

Categories: Cyber Risk News

Researchers Lift the Lid on Politically Themed Malware

Wed, 11/06/2019 - 11:00
Researchers Lift the Lid on Politically Themed Malware

The internet is awash with politically themed malware, used in everything from ransomware to remote access trojans (RATs), according to new research from Cisco Talos.

The security firm’s study began with analysis of a regular-looking malicious spam campaign which used an executable named “trump.exe.”

Taking this as a jumping off point, the research team found a wide range of similarly themed threats that “was almost a microcosm of what we see in the threat landscape daily.”

These included Donald Trump-themed ransomware, and separate Trump and Vladimir Putin-themed locker malware. Interestingly, one of these threats offered no way for hackers to monetize their efforts.

Cisco also found numerous politically themed RAT campaigns, including Neshta, which used Kim Jong Un, and an NjRAT campaign that used an image of Putin — the same one used as an icon for the “Papa-Putin.exe” executable.

Some RATs were found using booby-trapped files purporting to contain political content as a lure, such as the Word document “12 things Trump should know about North Korea.doc,” which was used to spread the Konni RAT.

An Excel spreadsheet titled “Trump_administration_economic_indicators_on_China_investments.xls” contained malicious macros leading to infection by the well-known PoisonIvy RAT, often used in nation state attacks.

Other tools featuring political iconography included a Trump crypter, injectors referencing Barack Obama and Putin, and a Putin-themed malware loader.

Cisco also discovered a range of political software “ranging from the absurd to the disturbing,” including a “Dancing Hillary” game and a “Trump's Cyber Security Firewall” tool.

“As this investigation has exposed, adversaries will go to any lengths and use anything they deem advantageous, from pop culture to political references — everything is fair game,” it concluded. “This is applicable not only to the adversaries delivering malware, but also the miscreants writing tools for adversaries to leverage including crypters, injectors and loaders.”

Categories: Cyber Risk News

Drone Wars: Experts Warn of Flying Network Security Threat

Wed, 11/06/2019 - 10:00
Drone Wars: Experts Warn of Flying Network Security Threat

Drones could become a major network security threat from 2020, forcing organizations to guard the airspace around their buildings, security researchers have warned.

Small unmanned aerial vehicles (UAVs) will increasingly evolve from novelty items to “ubiquitous business tools” over the coming years, explained defense contractor Booz Allen Hamilton in a new 2020 Cyber Threat Trends Outlook report.

However, as they do, cyber-criminals may also look to take advantage by flying them close to target networks and/or landing them in concealed locations such as on roofs. In this way, a UAV could be fitted with a Wi-Fi Pineapple and used as a rogue access point to harvest credentials, perform man-in-the-middle attacks against employees and carry out network reconnaissance, the report warned.

IoT devices such as smart light bulbs, or even wireless mice could also be targeted.

“Drones equipped with specially fitted hardware and software may also be used to install malicious malware on systems or disrupt system’s operations, particularly devices that are vulnerable to exploitation of wireless protocols like Bluetooth and ZigBee,” the report claimed.

“The requirement for both the attacker and the drone to be in proximity to a target (e.g., Bluetooth has an estimated maximum range of 300 feet) will limit the frequency with which drone-based attacks will be used, but the threat nonetheless remains real.”

To mitigate the threat, Booz Allen Hamilton urged organizations to consider training physical security staff to spot drones, deploying jamming equipment and treating their airspace as an extension of the corporate attack surface.

“For small office/home office wireless networks, operators may consider mitigations commonly used to address war-driving attacks, such as turning off the wireless network when not in use, updating administrator passwords on routers regularly, and using security measures such as wireless traffic encryption and firewalls,” it added.
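The rogue access point the report describes (a Pineapple-style radio cloning the corporate SSID) leaves a fingerprint in any ordinary wireless scan: a BSSID that is not in the asset inventory, often with open authentication and an unusually strong signal. The following script is an added example written for this page, not code from the Booz Allen Hamilton report or the article; it parses an access-point table modelled on the airodump-ng CSV layout and flags evil-twin candidates. The scan lines, the `KNOWN_APS` inventory and the `CorpWifi` SSID are constructed for the example.

```python
"""Flag rogue / evil-twin access points in a Wi-Fi scan (added example)."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample scan, laid out like the AP table of an airodump-ng CSV
# export. Two rows are the known corporate radios (802.1X, "MGT"); the third
# is an unknown BSSID advertising the same SSID with open authentication and a
# very strong signal, which is what a drone-borne Pineapple would look like.
SAMPLE_SCAN = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2019-11-06 09:00:00, 2019-11-06 09:05:00,  6, 54, WPA2, CCMP, MGT, -52, 120, 0, 0.  0.  0.  0,  8, CorpWifi,
AA:BB:CC:00:00:02, 2019-11-06 09:00:00, 2019-11-06 09:05:00, 36, 54, WPA2, CCMP, MGT, -60, 110, 0, 0.  0.  0.  0,  8, CorpWifi,
00:13:37:DE:AD:01, 2019-11-06 09:01:00, 2019-11-06 09:05:00,  6, 54, OPN ,     ,    , -35, 300, 0, 0.  0.  0.  0,  8, CorpWifi,
D4:00:00:00:00:99, 2019-11-06 09:01:00, 2019-11-06 09:05:00, 11, 54, WPA2, CCMP, PSK, -70,  40, 0, 0.  0.  0.  0, 10, GuestPhone,
"""

# Assumed asset inventory: BSSID -> expected authentication type.
KNOWN_APS: Dict[str, str] = {
    "AA:BB:CC:00:00:01": "MGT",
    "AA:BB:CC:00:00:02": "MGT",
}
CORP_SSIDS: Set[str] = {"CorpWifi"}  # assumed corporate SSID


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    channel: int
    privacy: str         # "WPA2", "OPN", ...
    authentication: str  # "MGT" (802.1X), "PSK", or "" for open networks
    power_dbm: int
    essid: str


def parse_airodump_csv(text: str) -> List[AccessPoint]:
    """Parse an airodump-ng style AP table into AccessPoint records."""
    aps: List[AccessPoint] = []
    header = None
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if not row or row == [""]:
            continue
        if header is None:
            header = row  # first non-empty row is the column header
            continue
        if len(row) < 14:
            continue  # station rows or truncated lines: not an AP record
        rec = dict(zip(header, row))
        aps.append(AccessPoint(
            bssid=rec["BSSID"].upper(),
            channel=int(rec["channel"]),
            privacy=rec["Privacy"],
            authentication=rec["Authentication"],
            power_dbm=int(rec["Power"]),
            essid=rec["ESSID"],
        ))
    return aps


def find_rogue_aps(aps: List[AccessPoint], known_aps: Dict[str, str],
                   corp_ssids: Set[str], near_dbm: int = -45) -> List[Tuple[str, str]]:
    """Return (bssid, reason) for APs that look like rogue or cloned corporate radios."""
    findings: List[Tuple[str, str]] = []
    for ap in aps:
        if ap.essid not in corp_ssids:
            continue  # third-party hotspots are out of scope for this check
        expected_auth = known_aps.get(ap.bssid)
        if expected_auth is None:
            reasons = ["unknown BSSID advertising corporate SSID"]
            if ap.privacy == "OPN":
                reasons.append("open network (credential-harvesting portal likely)")
            if ap.power_dbm >= near_dbm:
                reasons.append(f"very strong signal ({ap.power_dbm} dBm): transmitter is close to the building")
            findings.append((ap.bssid, "; ".join(reasons)))
        elif ap.authentication != expected_auth:
            # A known BSSID announcing a different auth type is a cloned radio.
            findings.append((ap.bssid,
                             f"known BSSID but auth is {ap.authentication or 'none'} instead of {expected_auth}"))
    return findings


if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(parse_airodump_csv(SAMPLE_SCAN), KNOWN_APS, CORP_SSIDS):
        print(f"ROGUE? {bssid}: {reason}")
```

Run against a real capture, the inventory comes from the wireless controller rather than a dictionary, and the check is worth scheduling: a drone parked on the roof only shows up while it is there, so one-off scans miss it where a periodic scan with the same logic does not.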

Elsewhere in its report, the IT consulting giant warned of a growing risk to satellite infrastructure, connected cars, the upcoming Tokyo Olympics and digital elections.

Categories: Cyber Risk News

#EdgeLondon2019: Focus on System and User Hygiene, Not Zero-Days

Wed, 11/06/2019 - 09:40
#EdgeLondon2019: Focus on System and User Hygiene, Not Zero-Days

There is a sense of failure among security practitioners, who believe they cannot keep up with attacks, and this has created irrational fear.

Speaking at the Tenable Edge conference in London, Tenable CEO Amit Yoran said that this “sense learnedness” has led people to reassess their perception of risk. Rather than zero-days, which he said were often overhyped, he argued that two other things are actually more important to focus on: system hygiene and user challenges. 

Acknowledging that user problems are harder to solve, Yoran focused on security hygiene, saying that “sophisticated adversaries take advantage of known vulnerabilities as 60% of breaches are caused by known vulnerabilities to which patches are available” but often not applied.

He said that in the last two years the NSA “has not responded to a breach that involved a zero-day exploit”, and that irrational fears and news coverage have skewed what we worry about, when breaches are often “the result of bad hygiene and stuff we know about and can fix.”

Yoran said that knowing your level of risk is imperative, as boards and CEOs do not ask about sandboxing, exploiting files “and which form of AI or ML you’re using to detect logins,” but are asking simple questions such as “how vulnerable are we and what is our level of risk?”

He concluded: “Those are the questions business leaders are asking, and it is imperative for the future of vulnerability management as it is a system of record for the understanding of risk.” 

Categories: Cyber Risk News

Sumo Logic Acquires JASK

Tue, 11/05/2019 - 21:09
Sumo Logic Acquires JASK

Californian security-event management company Sumo Logic has acquired JASK Labs, Inc.

JASK makes security information and event management (SIEM) software and is best known for its flagship product, JASK Autonomous Security Operations Center (ASOC), which collects and analyzes data from any source, including endpoint data, network data, and applications in the cloud.

Sumo Logic, which had its own SIEM prior to the acquisition, has rebranded the JASK solution as Sumo Logic ASOC. 

Since it was founded in Austin, Texas, in 2015, JASK has raised nearly $40M from investors like Battery Ventures, Dell Technologies Capital, TenEleven Ventures, and Kleiner Perkins.

“The team at JASK set out to fundamentally disrupt traditional security solutions that are no longer meeting the needs of modern security teams,” said Greg Martin, CEO of JASK.

“Over the past five years, we’ve worked with customers and experts on the front lines of this disruption to uncover what will truly have an impact on improving the performance of security analysts that have been mired with alert fatigue. We’re excited to bring together our collective security DNA and joint customers and partners to create a powerful security intelligence solution that provides a cloud-native best-in-class modern SOC and analytics solution.”

Ramin Sayar, president and CEO of Sumo Logic, said: “Security in the modern world is moving from a human-scale problem to a machine-scale problem.

“Customers are looking for a new approach to help them overcome the pain and complexity around an increasingly perimeter-less world. The JASK team are experts in helping customers navigate this new world. By aligning our efforts as a single team, we are able to democratize security intelligence for all.”

Commenting on how the acquisition will affect the SIEM market, Nir Polak, co-founder and CEO of Exabeam, said: "Based on how rarely we see JASK or Sumo Logic compete against us for business, I can’t envision their combined company making any significant headway in the next-gen SIEM market.  

“When you multiply a fraction by another fraction, you get an even smaller fraction. I don’t think this merger will be the force multiplier either company is hoping for.”

Categories: Cyber Risk News

Ransomware Attack on Canadian Territory

Tue, 11/05/2019 - 20:13
Ransomware Attack on Canadian Territory

Nunavut, Canada's largest and most northerly territory, is working hard to recover from a ransomware attack that struck over the weekend. 

The sophisticated cyber-assault was launched on the sparsely populated territory's government network at approximately 4:00 am on Saturday, resulting in the swift encryption of multiple Word documents and PDF files.

Users trying to access the infected government network were confronted with a ransom note that read: "Your network has been penetrated. All files . . . have been encrypted with a strong algorithm . . . we exclusively have decryption software for your situation."

The threat actors behind the attack instructed users to download an encrypted browser and visit a specific URL within the next 21 days. Users were told that the sooner they pay, the lower the price they will be charged to recover their encrypted files.  

In an attempt to contain the attack, the government shut down parts of its network, leaving many government employees unable to access their email or voicemail. All government services requiring access to electronic information were impacted by the attack, with the exception of Qulliq Energy Corporation. 

"The nature of the government is we're a centralized organization, so it has impacted the file servers of different departments and it's impacted some of our communities as well," Nunavut's director of information, communications, and technology, Martin Joy, told CBC News.

The ransomware is believed to have been triggered when an employee working late on Friday night clicked a link in a malicious email or web advertisement. Joy said the ransomware appeared to be DoppelPaymer, which Nunavut's security systems hadn't been trained to detect.  

In a statement released yesterday, the Nunavut government wrote that "there is no concern at this time with the loss of personal information or privacy breaches."

Contingency plans have been implemented to ensure uninterrupted services to the local community, and the government stated that it "expects the majority of files will be restored, using existing up-to-date back-ups."

Minister of Community and Government Services Lorne Kusugak said in a statement in the legislature Monday that it would be at least a week before services were restored. 

Speculating on why threat actors might have targeted Nunavut, Emsisoft’s Brett Callow commented: "US entities are on very high alert, bolstering their IT, and so are less likely to be compromised. Because of this, big game hunters are increasingly looking for opportunities in other countries."

Categories: Cyber Risk News

UK Launches Cyberhood Watch

Tue, 11/05/2019 - 19:16
UK Launches Cyberhood Watch

Community safety organization Neighbourhood Watch has established a cyber-safety initiative to help Brits protect themselves and their families from online crime.  

The UK's largest voluntary movement teamed up with antivirus brand Avast to create the UK Cyberhood Watch.

Formed in response to the rising level of cybercrime, the new scheme aims to teach communities about the risks associated with going online while also gathering data on which regions of the UK are most vulnerable to cyber-threats. 

According to a survey of 14,000 Neighbourhood Watch members carried out by the watch in conjunction with Avast, 20% have been victims of cybercrime, while 38% know someone else who has become a victim of cybercrime.

Researchers found a general lack of confidence in talking about cybercrime experiences within the community, and some gaps in understanding around the best methods of online protection.

In terms of financial impact, over a third (36%) lost money, and of them, 29% lost more than £1,000. The majority of these crimes were kept secret by the victims, with only 30% reporting the incident to the police.

"Neighbourhood Watch is about making sure that fewer people feel afraid, vulnerable or isolated in the place where they live, and in recent years that means helping members learn how to protect themselves, and their local community, against cybercrime has become a key priority," said John Hayward-Cripps, CEO of Neighbourhood Watch. 

"This may surprise some people who think Neighbourhood Watch is solely focused on physical crime prevention. Our members recognize that the threat of cybercrime is very real, and they tell us that there is a definite need for simple advice and resources, so they feel better equipped to defend themselves against it and advise others."

Avast’s support will include a training and accreditation scheme for local Neighbourhood Watch representatives, local informative events, downloadable guides and resources, and ongoing sharing of information about relevant emerging threats.

"Neighbourhood Watch community leads, who often represent people and places that are most at risk of cyber threats, are increasingly asking for help following feedback from local members who have experienced scams or security incidents themselves or know someone who has. We are delighted to provide our support by working with them to deliver a cybersecurity accreditation programme with training courses to help members become more confident and knowledgeable in supporting their community cybersecurity requirements," said Peter Turner, senior vice president, Consumer Security, Avast.

Categories: Cyber Risk News
