On October 11, 2018, WikiLeaks published AmazonAtlas, a 20-page document from late 2015 containing the addresses and operational details for more than 100 of Amazon’s data centers, one of which indicates an affinity for the comedy of Jerry Seinfeld.
In addition to revealing the information about the data centers, located in 15 cities across nine countries, WikiLeaks also created a map showing the exact locations of the centers. A center in Manassas, Virginia, operates under the pseudonym Vandalay Industries, a fictitious latex company made famous in a Seinfeld episode when an unemployed George Costanza assured the unemployment office that he was on the verge of landing a job.
According to WikiLeaks, “Amazon is known as Vandalay Industries on badges and all correspondence with building manager.” It’s not at all uncommon for Amazon to operate out of data centers that are owned by other companies. In fact, the intent is to have little to no indication that Amazon operates at the location, which lends to the secrecy of its whereabouts.
Though Amazon has long been a leading cloud provider for the intelligence community, the leaked locations could potentially compromise the company’s status as a leading contender for a $10 billion contract with the Department of Defense (DOD).
“Amazon is one of the only companies with the certifications required to host classified data in the cloud. The Defense Department is looking for a single provider and other companies, including Oracle and IBM, have complained that the requirements unfairly favor Amazon,” WikiLeaks wrote.
“While one of the benefits of the cloud is the potential to increase reliability through geographic distribution of computing resources, cloud infrastructure is remarkably centralized in terms of legal control. Just a few companies and their subsidiaries run the majority of cloud computing infrastructure around the world. Of these, Amazon is the largest by far, with recent market research showing that Amazon accounts for 34% of the cloud infrastructure services market.”
Prior to the leak, the locations of the cloud infrastructure controlled by Amazon were hidden. In revealing the locations, WikiLeaks also create the Quest of Random Clues, a puzzle game that encourages players to find the data centers while highlighting various concerns, one of which includes contracts with the intelligence community.
Infosecurity Magazine contacted Amazon for comment, but the company has not responded.
A new variant of the Magecart attacks has been targeting smaller e-commerce operations, according to The Media Trust’s digital security and operations (DSO) team.
Researchers found a new type of malware that targets payment pages on legitimate Magento-hosted retail sites. Dubbed CartThief, the malware’s behavior is similar to that of the current iteration of the Magecart malware.
As soon as credit card information is entered into a checkout page and a payment is submitted, the malware collects, encrypts and sends personally identifiable (PII) and financial information to the malicious actors’ command-and-control server.
What sets this malware apart is the method used to encode or obfuscate the malicious domain and the PII data collection activity. To avoid arousing suspicion and sneak past many blocking technologies, there are no user-identifying cookies or source codes to set off alarms for users. The absence of cookies is one feature that differentiates CartThief from other Magecart variants.
“The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps,” wrote Michael Bittner, digital security and operations manager at The Media Trust.
By exploiting vulnerabilities in web applications, bad actors were able to attack Magento-hosted e-commerce sites and insert rogue files into legitimate HTML code, granting them access to the payment page. Because the activity has only been executed on a handful of smaller e-commerce sites, researchers believe that the attackers are intentionally flying under the radar while testing the malware before staging a larger-scale attack, which they suspect could come during the holiday shopping season.
“Given increasing malicious activity and the advent of financial penalties, e-commerce operations should police their digital ecosystem for any unauthorized activities and actors by continuously scanning their sites. Doing so will help them pre-empt any security issues,” Bittner wrote.
In analyzing global cybercrime patterns ThreatMetrix found that identity spoofing, fueled by stolen identity data, is the most prevalent attack vector for the gaming and gambling industry.
Additionally, the Q2 2018 Gaming & Gambling Report discovered that location (IP) spoofing attacks increased 257% year-over-year, making it the fastest growing attack vector in the space. Because more sophisticated location spoofing tools are available, fraudsters are making frequent attempts to disguise their true location and launder money.
Distinguishing trusted users from fraudsters is made increasingly more challenging with malicious account takeovers (ATOs) and the use of collusive play and self-excluders.
“Rising cybercrime levels is no small issue for a sector that enjoys a truly global customer base,” said Ellie Burns, fraud and identity manager at ThreatMetrix, in a press release. “With more than two billion gamers worldwide, nearly 60% of the industry's traffic is cross-border.
"Operators must contend with a rapidly evolving regulatory landscape and stringent new anti-money laundering laws, making the verification of the true location of a transacting gamer a vital component in authenticating identity.”
An additional contributor to the growth of IP spoofing attacks is that users are trying to access services that might be restricted in their locations, which is one factor driving the high volume of cross-border traffic.
Increased mobile transactions were also a key finding in the report, resulting from more people placing bets and accessing accounts from their smartphones. The report revealed that 71% of all gaming and gambling transactions are now made via mobile devices, which is a 45% increase year-on-year. Not surprisingly, mobile payments are attacked more often than any other transaction. Hackers have realized that mobile serves as a door of opportunity where they are able to monetize stolen credentials.
“To deal with these challenges, gaming and gambling operators must incorporate dynamic digital identity intelligence that pieces together key indicators, such as device intelligence, true geo-location, online identity credentials and threat analysis, to better inform risk decisions. The key is to be able to effectively differentiate trusted users from fraudsters and understand changes in trusted user behavior, without adding unnecessary friction,” said Burns.
Trade association UK Finance has called for a new tax on payments to create a fund that banks can use to compensate victims of fraud.
CEO of the banking lobby, Stephen Jones, made the proposals before a Treasury Select Committee this week, reportedly claiming that a “tiny levy” on each payment could help to break the stand-off between financial institutions and other stakeholders over authorized push payment (APP) fraud.
“Customers will pay if the banks have to pay,” he’s reported to have said. “There’s no such thing as a free lunch here. It’s a question of how can the cost be fairly distributed across the system.”
APP occurs when a scammer tricks their victim into making payments to an account controlled by them. Banks argue that they shouldn’t be responsible for compensating the consumer if they’ve basically met their level of care.
A third of fraud losses in the UK last year were down to APP, amounting to £236m.
However, earlier this year the Financial Ombudsman Service (FOS) revealed that in disputes it is called upon to arbitrate, banks often try to blame customers — which it said is increasingly difficult to do given the growing sophistication of online scams.
The heated debate is part of an overall attempt to draw up an industry code governing how APP victims should be compensated.
Brooks Wallace, head of EMEA for cybercrime and fraud prevention at Trusted Knight, argued that Jones’ proposals could set a dangerous precedent and claimed the banks were trying to “shift financial responsibility to the customer before [fraud] really starts to impact their bottom line.”
“This statement demonstrates two things - firstly, that banks are starting to feel the burden of hefty fraud losses through more sophisticated online crime. Secondly, that they are becoming increasingly unwilling to foot the bill,” he added.
"This is a risky route to go down. While some fraud is not the fault of the bank, often fraud could have been halted if the bank had better fraud prevention in place for its customers. While the banks could argue that losses are down to third-parties — such as payment details being stolen in retailer data breaches — ultimately, financial organizations need to have more rigorous procedures for identifying and stopping fraudulent transactions taking place.”
A leading fitness software company may have exposed millions of customer records by failing to protect a cloud database.
Researcher Bob Diachenko said he found the exposed database hosted on AWS via a simple Shodan search for unsecured Elasticsearch instances which could be targeted by ransomware attackers.
He found the cloud store of 119GB of data belonging to Fitmetrix, with two identical sets of data and two IP addresses. Interestingly one was labelled as “compromised” as it contained a ransom note from an ultimately unsuccessful attempt to extort the company.
“It appears that the attackers are using a script that automates the process of accessing a database, possibly exporting it, deleting the database, and then creating the ransom note,” Diachenko wrote.
“This script sometimes fails and the data is still available to the user even though a ransom note is created.”
The exposed data included name, gender, email address, birth date, home and work phone, height, weight and much more.
The total number of records affected topped 122 million, although it’s unlikely that all of these contain customer data, according to Diachenko, who estimated that “millions” were still likely to have been affected.
Parent company Mindbody, which acquired the firm earlier this year, finally responded and secured the database five days after first being contacted, on October 10.
Balaji Parimi, CEO of CloudKnox Security, said these incidents are occurring more frequently as complex multi-cloud environments become more popular.
“The most likely scenario in this case is that a FitMetrix employee changed the privacy configuration for these servers to share access and simply forgot to change it back when the task was completed. These incidents are rarely malicious. They are the result of what’s emerging as the biggest cyber-threat facing enterprises today: the complexity of and lack of visibility organizations have into their own infrastructure,” he argued.
“In order to mitigate these types of mistakes and the threat they pose, it’s critical for companies to devote cybersecurity resources to gaining better visibility. That means understanding which employees have the types of privileges that can affect the company’s security posture and limiting those privileges to properly-trained, security-conscious employees. With proper visibility and authorization settings, organizations can put real guard rails in place to help prevent these types of mistakes.”
Bloomberg this week doubled down on its blockbuster report of Chinese spy chips inserted into the supply chain of a leading US server provider, claiming a leading telco found evidence of tampering.
The news site is under pressure after all main parties it claimed had been affected by the alleged sophisticated spying campaign vigorously denied the report. These included the server company itself, Supermicro, and customers Amazon and Apple — who were also backed by the UK’s GCHQ and the US Department of Homeland Security (DHS).
The unnamed telco was apparently hired by Yossi Appleboum, a former Israeli army tech specialist and now co-CEO of US-based Sepia Systems, to scan its datacenters.
According to the report, he uncovered “unusual communications” from a Supermicro server. A further inspection revealed an “implant” built into the Ethernet connector which appeared similar to other manipulations he’d seen by Chinese suppliers.
Supermicro claimed to have no knowledge of any unauthorized components and complained it was not given enough time or info to respond to the new allegations.
The latest hardware manipulation is different from the microchips alleged to have been placed on motherboards subsequently sold unwittingly to 30 major tech companies.
However, they had the same purpose, of providing unauthorized access to the network the server is installed on, and “were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China,” according to Bloomberg.
Experts have criticized the original story for containing few named sources. Apple has denied the allegations in the strongest terms, taking the unprecedented step of writing to lawmakers on the House and Senate commerce committees to reiterate these sentiments.
However, for some, it’s a timely reminder of the risks posed by modern global supply chains.
“It doesn’t require an implant from a nation state adversary,” argued Chris Day, chief cybersecurity officer at Cyxtera. “Organizations must protect themselves by practicing defense-in-depth, especially across their supply chain.”
Although the telco was unnamed, AT&T, Verizon and Sprint told Bloomberg it wasn’t them.
With “well over” 1% of the world’s top one million websites still using a Symantec certificate, Mozilla has suspended plans to distrust the TLS certificates issued by the Symantec Certification Authority, which is now a part of DigiCert.
According to a statement by Mozilla’s certification authority program manager Wayne Thayer, so many websites continue to use these certificates that moving from Firefox 63 Nightly into Beta “would impact a significant number of our users.”
Thayer said that “it is unfortunate that so many website operators have waited to update their certificates, especially given that DigiCert is providing replacements for free.”
He added: “We prioritize the safety of our users and recognize the additional risk caused by a delay in the implementation of the distrust plan. However, given the current situation, we believe that delaying the release of this change until later this year when more sites have replaced their Symantec TLS certificates is in the overall best interest of our users. This change will remain enabled in Nightly, and we plan to enable it in Firefox 64 Beta when it ships in mid-October.
“We continue to strongly encourage website operators to replace Symantec TLS certificates immediately. Doing so improves the security of their websites and allows the 10’s of thousands of Firefox Nightly users to access them.”
In a previous update in July, Thayer that 3.5% of the top one million websites were still using Symantec certificates that were due to be distrusted in September and October. Firefox 60 displayed an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1 2016 that chains up to a Symantec root certificate as part of the consensus proposal for removing trust in Symantec TLS certificates that Mozilla adopted in 2017.
“This proposal was also adopted by the Google Chrome team, and more recently Apple announced their plan to distrust Symantec TLS certificates,” he said.
New findings from Confense have revealed that one in ten reported emails in 2018 were malicious, with more than 50% of those linked to fraudulent attempts to gather login and system information from users – known as credential phishing.
As detailed in its report The State of Phishing Defense 2018: Susceptibility, Resiliency, and Response to Phishing Attacks the firm analyzed more than 135 million phishing simulations, 800,000 reported emails and nearly 50,000 real phishing campaigns targeting organizations in 23 industries ranging from healthcare, financial services to manufacturing.
Key findings discovered that 21% of reported crimeware emails contained malicious attachments whilst the term ‘invoice’ was one of the most-used phishing subjects, appearing in six of the 10 most effective phishing campaigns this year.
However, on a more positive note, Cofense claimed the overall phishing resiliency of users had improved in the last few years with reporting rates up 14% from three years ago. Interestingly, organizations in the utilities and energy industries were noted as building the most resiliency to phishing over time, but Cofense warned that overall industries involved with critical infrastructure still have work to do.
“We founded Cofense on the principal that the human element, the users who are targeted, are a critical factor in defending against phishing threats,” said Aaron Higbee, co-founder and CTO of Cofense.
“We see phishing emails bypass technology controls every day and more and more end-users recognizing and reporting these threats that slipped past million-pound defenses. The results of our research detailed in the ‘State of Phishing Defense’ shows that resiliency is building across key industries thanks to those same people that were once deemed as the weakest-links in an organization. These trends are powerful and reinforce that humans are a key element to a successful security program.”
More Brits under-21 are falling victim to identity fraud and acting as money mules than ever before, according to new figures from Cifas.
The non-profit fraud prevention service revealed new figures today claiming its members have identified a 24% increase in young victims of so-called “impersonation fraud” in the first nine months of the year, versus the same period in 2017. This type of fraud occurs when scammers use a victim’s identity to open new accounts, hijack existing ones or buy products in their name.
The largest segment of impersonation fraud affecting this age group related to payment cards (34%), an increase of 79% over the same nine-month period last year.
But the under-21s aren’t just victims of fraud, they’re increasingly also helping online scammers to launder money — a vital role in the cybercrime ecosystem.
Cifas noted a 26% rise in the identification of money mules: individuals who, often unwittingly, are recruited to receive stolen funds, withdraw them and then wire to another account, often abroad.
Although the crime carries with it a maximum penalty of 14 years behind bars, it appears many young bank account owners are attracted by the opportunity to make money quickly and easily.
Cifas CEO, Mike Haley, called for a broader education effort on the part of parents, teachers and banks.
“As the rise in money mules demonstrates, many young people seem unaware of the risks they’re running and the consequences it can have not only for the individual concerned but for society as a whole. More needs to be done to raise awareness about the harm of fraud and financial crime,” he added.
“We’re calling on banks in particular to ensure that they are providing young people with the necessary knowledge to prevent them falling victim to fraud — or becoming fraud perpetrators.”
The latest figures from Cifas released in August revealed identity fraud had fallen for the first time in four years, by 5% in the first six month of 2018 versus the same period last year.
However, identity fraud against online retail accounts rose by 24% during the period, while Cifas also recorded a rise in fraudulent applications for credit and debit cards (12%).
In April, Cifas claimed identity fraud had hit an all-time-high in the UK.
The number of compromised credentials detected in North American botnets has soared 141%, according to the latest quarterly analysis from Blueliv.
The cyber-threat intelligence vendor scans the open, deep and dark web for signs of stolen log-ins for its clients, so that they can take action before the cyber-criminals have had a chance to monetize their wares.
The large rise between the March to May and June to August quarters this year came alongside declines in other regions.
Europe and Russia saw a decrease of 22%, while compromised credentials geo-located to Asian botnets dropped by 36%. A sharp drop of detections (33%) in July and August in Europe and Russia matched a 77% increase in Asia, indicating a botnet may have been taken down in Europe while Asian campaigns thrived, according to the firm.
“All it takes is a single good credential for a threat actor gain access to an organization and cause havoc,” argued Blueliv CEO, Daniel Solís.
“We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”
According to the firm’s recent report, The Credential Theft Ecosystem, once attackers have infiltrated targeted organizations via compromised credentials, they can access customer databases to harvest PII and/or user log-ins to sell on the dark web or use directly to commit identity theft.
Other potential impacts of corporate credential theft include blackmail, BEC, espionage, hacktivism and more.
“As long as credentials remain the preferred way for companies to authenticate their employees and customers, they’ll continue to be the weakest link in the cybersecurity chain,” the firm noted.
In terms of credential-harvesting malware, Pony, KeyBase and LokiPWS (also known as Loki Bot) were most popular, with Pony out in front, although LokiPWS samples increased 91% quarter-over-quarter.
The US authorities have arrested and charged an alleged officer in China’s Ministry of State Security (MSS) with trying to steal aviation secrets from American firms, in a move likely to enrage Beijing.
The charges were announced on Wednesday and reveal the alleged intelligence officer as Yanjun Xu (aka Qu Hui, aka Zhang Hui), a deputy division director with the MSS Jiangsu State Security Department, Sixth Bureau.
They claim that from at least December 2013 until his eventual arrest in Belgium, Xu targeted experts working at US aviation firms including GE Aviation. He recruited them to travel to China, often under the pretense of giving a university presentation, before paying travel costs and stipends.
The individuals were then allegedly asked to provide blueprints and other materials, which were handed over to engineers at a leading Chinese university.
“Innovation in aviation has been a hallmark of life and industry in the United States since the Wright brothers first designed gliders in Dayton more than a century ago,” said US attorney for the Southern District of Ohio, Benjamin Glassman.
“US aerospace companies invest decades of time and billions of dollars in research. This is the American way. In contrast, according to the indictment, a Chinese intelligence officer tried to acquire that same, hard-earned innovation through theft. This case shows that federal law enforcement authorities can not only detect and disrupt such espionage, but can also catch its perpetrators.”
The arrest of a Chinese intelligence officer is unprecedented: the US has indicted PLA officers in the past for allegedly hacking American companies, but that’s where it ended, as the individuals reside in China.
The latest move will do little to calm boiling tensions between the two superpowers, which are involved in a de facto trade war, amidst widely disputed reports that Chinese spies have infiltrated the supply chain for server components in a major espionage campaign against government and corporate targets.
If the news is true, it would seem to sound the death knell for an agreement between former President Obama and Xi Jinping in which China agreed to cease economic cyber-espionage.
Dmitri Alperovitch, co-founder of CrowdStrike, confirmed China's re-emergence as the world's most prolific cyber-espionage actor.
"From a cyber perspective, China is actively engaging in targeted and persistent intrusion attempts against multiple sectors of the economy, including biotech, defense, mining, pharmaceutical, professional services, transportation, and more. Currently, the MSS is the primary government agency engaged in the majority of cyber-attacks ... CrowdStrike has observed multiple intrusions demonstrating their sophisticated tradecraft," he explained.
"We believe China poses a long-term and strategic threat to the global economy, and today’s arrest of a senior MSS officer responsible for industrial espionage is an important deterrence tool in keeping the perpetrators accountable.”
Blockchain is revolutionizing the global economy, according to Nitin Uttreja and Ashish Dwivedi of CA Technologies. In their session, How Blockchain Is Revolutionizing Cybersecurity, Uttreja and Dwivedi said that blockchain companies enable banks to transact with other banks for improved efficiency of cross-border transactions.
“The distributed-ledger technology is not just restricted to the banking or financial world. Blockchain technology has the potential to disrupt nearly every industry, including healthcare, supply chain management, media, advertising, gambling, cloud and cybersecurity,” the presenters wrote.
Because it is so difficult to change or remove data once it is entered into the blockchain, the technology mitigates the risk of a single point of failure. It is a distributed database with a decentralized ledger database that is continuously growing. The technology is chronological and secured using cryptography.
Any changes are stored in a new block. “A small change in the input would give a completely different hash, making it infeasible to find two messages that produce the same hash,” Uttreja said. Attempting to make changes would produce a completely different hash, which would not match, so all the subsequent blocks would become invalid.
Yet “securing data by this technique is not good enough,” said Uttreja. “To counter we use proof of work or mining, which slows down the calculation of blocks. What we do in mining is take index, previous hash, timestamp and try to create a hash that specifies a certain criteria.”
As far as the application to cybersecurity, Dwivedi said that there are real-time use cases of blockchain in cybersecurity, including decentralized identity, cloud storage, passwords and securing IoT.
"The key challenge with digital is that individuals have no control over their personal data and do not know when it is shared with other institutions," the presenters wrote. Users leave personal information on complex servers. If that server is compromised, the user’s data is at risk. There are also challenges of centralized identity with storing personally identifiable information (PII) on a central depository and the potential of third parties accessing data without subject’s knowledge.
The blockchain solution is that the data becomes decentralized across a distributed database with peer-to-peer transmissions that use cryptographic hashing, Dwivedi said.
“Blockchain enables the creation of a decentralized distributed storage marketplace, with complete decentralization and true redundancy, total privacy, resulting in cost reductions.”
In welcoming attendees, CFO Debra Taylor said, “We recognize the important role we play and the obligation we have as an organization to be inclusive, respectful and free from bias or discrimination but also to develop a community that reflects the diverse public we serve.”
The event's focus was both inclusion and diversity, and attendees were asked to brainstorm the ways that organizations can create a more inclusive and diverse workforce. Deidre Diamond, co-founder and CEO of CyberSN, said that when she thinks about inclusion, she thinks about the GQ skills – the emotional intelligence.
“It’s been really cool to watch our industry put value to emotional intelligences,” Diamond said. “The reality is that studies have proven that diverse groups make better decisions because they can see a 365-degree view. Diverse groups bring more money to organizations.”
Diamond talked about the benefits of win-win communication, a skill long taught in sales but that has been absent across other silos. One attendee, who noted that he benefits from being a fourth-generation college-educated white male, said, “That’s really what we have to break away from.”
Another attendee talked about a session on STEAM (science, technology, engineering, ARTS, and math) that she had attended and the benefits of bring the arts into the cybersecurity field. “At the end of the day, if they’re an arts major, music major, why aren’t we bargaining and pitching to them? It’s about widening the pool,” said Kyle Kennedy, president of Brainbabe.
A common concern among the attendees was the ways in which the résumé limits a candidate's potential of actually getting hired because we are all judged by the content we share. “If the content doesn’t match the content of what hiring managers are looking for on their list, you’re not even in the pool,” Diamond said.
Changing the way that human resources crafts job descriptions and the way that hiring managers thing about the skills that are essential to the projects will open the door to a wider pool of candidates who bring more than technical expertise to their roles.
“DevOps is critical in the sense of introducing automation. Automation is important for managing complexity and minimizing human error, but the security team needs to be thinking about how to work with the DevOps teams so that they have an appreciation for security,” Shema said.
In the end, the apps that DevOps are building are being created for people, so it’s important to be working with them, working for them and building for them. While it’s easy to dismiss users and their behavior as foolish, it’s also sometimes true that developers are lazy and both behaviors create risk, Shema said.
In order to bring security to where the developers are, there needs to be a common language, particularly in meetings. By focusing on communication and having a clear framework for what needs to be discussed, Shema said, it is possible to turn DevOps in to DevSecOps.
“Putting security in the middle is intentional because you can’t tag security on at the end. Security is what ties the two together,” Shema said.
A good sense of a shared vocabulary between developers and security does exist with OWASP. “Those are really quick, off-the-cuff terms we can throw out so security practitioners and DevOps teams can quickly understand whether something is high risk or low risk, but there is a need for having a shared vocabulary in the meetings with DevOps in order to make the meetings more successful,” Shema said.
Different end users pose different risks, so the teams need to have discussions about the different ways to look at threat models that include the end user. To that end, Shema offered suggestions on how to make meetings more successful.
“Things like tabletop role-playing games that promote social interaction. They require people to get together and move toward a common goal,” he said. In many games, players encounter fights that happen between monsters and heroes, and they learn the skills necessary to overcome different challenges. Those skills translate over to dealing with people.
The coder or sysadmin play the barbarian, DevOps becomes the fighter, red teams morph into thieves while blue teams take on the role of clerics and the CISO plays the bard.
“It’s about ensuring that everyone gets a turn around the table so that there’s not one person monopolizing the conversation. When a single person is the only one talking, it erases other people’s voices,” Shema said. "Having an agenda keeps the meeting focused and avoids people going off topic. Then you can pull people in to make sure their voices are heard."
While these tactics are not revolutionary, Shema's purpose is to remind DevOps to rely on people when it comes to security policies.
UK supermarket giant Morrisons is in the Court of Appeal this week fighting to have overturned a judgement that it should compensate employees after a major insider data leak.
A High Court judge ruled last year that the company was “vicariously liable” for the actions of one of its employees, former internal auditor Andrew Skelton, who published the personal details of 100,000 employees online and sent them to several newspapers.
The leaked data included NI numbers, birth dates and bank account details, and Skelton was eventually jailed for eight years back in 2015.
Morrisons argued at the time that it had already paid around £2m to mitigate the breach. However, it was also awarded £170,000 in compensation, while employees got nothing.
In the UK’s first class action lawsuit, over 5000 of these employees subsequently took the supermarket chain to court, demanding compensation for the “upset and distress” caused by disgruntled insider Skelton’s actions.
The retailer’s lawyers are arguing this week that their client cannot be held “vicariously liable” because the Data Protection Act 1998 — the legislation in place at the time of the incident — excludes vicarious liability.
Representing the claimants, JMW Solicitors data privacy specialist, Nick McAleenan, argued that Morrisons is looking to protect its £374m annual profits rather than recognize the impact of the breach on its employees.
“This is a classic David and Goliath case — the victims here are shelf-stackers, checkout staff and factory workers; just ordinary people doing their jobs,” he reportedly said.
“They were obligated to hand over sensitive financial and personal information to Morrisons — including national insurance numbers, dates of birth and bank account details — and had every right to expect that information to be kept confidential.”
The infamous Magecart digital skimming code has been found again, this time inserted into a customer rating plugin used on thousands of e-commerce sites.
RiskIQ, which has been tracking the groups behind Magecart for a couple of years, was alerted to the latest discovery on September 15.
In that respect, it’s a supply chain attack of the sort seen with Ticketmaster partner and Inbenta Technologies rather than a direct web compromised as per British Airways.
It could be the same group as one which inserted Magecart into Feedify last month, as the two attacks shared the same server for exfiltrating skimmed card details to, according to RiskIQ threat researcher, Yonathan Klijnsma.
Interestingly, the attackers also made a mistake with the Shopper Approved campaign, initially forgetting to obfuscate their code, which has given RiskIQ some useful info.
Thanks to the speedy action of Shopper Approved — which removed the script two days later, lunched a full investigation and brought in forensic experts — only “a small fraction” of its clients were apparently affected.
Klijnsma argued that all e-commerce players should block third-party scripts from being displayed on checkout pages, to mitigate the Magecart threat — which has been traced to six groups, although there could be more out there.
“Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. These attacks are only getting more and more traction as the groups learn how to become more effective,” he concluded.
“While initial attacks involved low-tier Magento stores, later attacks targeted CDNs to increase their reach. Now, Magecart operatives have learned to tune the CDNs they compromise to ensure that the only sites they hit are online stores. To achieve their goals, they will go after any analytics company, CDN, or any service supplying functionality to e-commerce websites.”
Microsoft has issued the latest monthly round of security fixes, this time addressing half a century of vulnerabilities, including one critical zero-day and three which have been publicly disclosed.
The most pressing vulnerability to fix would appear to be CVE-2018-8453, a privilege escalation flaw in Win32 which means the OS fails to properly handle objects in memory.
“An attacker first needs to log into the operating system, but then can exploit this vulnerability to run code in the kernel and gain administrator privileges,” explained Ivanti director of product management, Chris Goettl. “This vulnerability has a Base CVSS score of 7 and is present in all operating systems with updates this month from Server 2008 through Windows 10.”
On that note, Microsoft has also released a fix for an issue which forced the firm to pause its Windows 10 October 2018 Update (version 1809).
According to Redmond, “an incorrect timing calculation may prematurely delete user profiles on devices subject to the ‘Delete user profiles older than a specified number of day’ group policy.” In effect, the bug deleted all customer files in their C:/Users/[username]/Documents/ folder, and rolling back to the previous version did not restore the files.
There’s been a fair amount of criticism from security experts as to how Microsoft managed to let such a major fault ship with its latest update, especially as the issue had been flagged in the past.
Elsewhere, three publicly disclosed bugs will need to be addressed, according to Rapid7 senior security researcher, Greg Wiseman.
“CVE-2018-8497 is another elevation of privilege vulnerability affecting Windows 10 / Server 2016 and newer,” he explained. “CVE-2018-8423 is an RCE in Microsoft's JET Database Engine and affects all supported versions of Windows. The third public vulnerability [CVE-2018-8531] is another RCE, relevant to developers who build products using the Azure IoT Hub Device Client C# SDK.”
As the threat landscape continues to evolve, many who are overwhelmed today may not have the time to think about whether they are prepared for the threats of tomorrow. Those who attended Viruses, Trojans, Worms, Malware and Ransomware: What’s Next and Are We Prepared? with Tony Cole, CTO, Attivo Networks, at the 2018 Security Congress learned that the future holds lots of security challenges that will be far more complicated than what they are facing now.
“We’ve just started with the problems we are seeing today. The world we live in is changing dramatically, and it’s absolutely astounding how quickly new innovations and new technology are changing our society,” Cole said.
Part of preparing for the future demands an understand of existing threats, and while it’s important to understand the differences between viruses, Trojans, worms, malware and ransomware, what’s more important to understand is that every organization is a target.
What began as a collection of people compromising websites for fame and fortune has evolved into nation-state attacks and organized crime the likes of Wannacry and Spectre. In order to prepare for the threats to come, it’s important that cybersecurity professionals start thinking about what Cole calls “the art of the possible.”
“I’m always surprised at how many companies don’t believe that they are a target,” said Cole. There are so many verticals that organizations are vulnerable to, whether its ransomware or the more mundane siphoning of power in crypto-mining.
“Crypto-mining is just getting started, or maybe we are just starting to detect. It’s evidence that if you write your code well enough so that it doesn’t have impact, most of the world is not going to notice it,” Cole said.
It’s the future, though, that is really scary to Cole. “We are sitting at the tip of the problem set. You can actually get an IP-enabled toaster to imprint different images on your toast. Why are you connecting these things? Why would you want a washing machine connected to anything?”
The internet of things (IoT) is a contributing factor to the unforeseen complications of the future because in an everything-is-connected world, attribution becomes much harder, not to mention that developers are looking to get their products to market quickly, which means that security is never a concern.
According to Cole, enterprises will spend $752 bn on IoT this year, and consumers will soon catch up to that. Other current trends include the bleeding of nation-state threats into the underground – as was the case with Eternal Blue. Companies are selling zero-day vulnerabilities, ransomware is burgeoning, and Chinese activity has substantially increased.
“People are going to have a lot more ways to hide in systems, and the technology evolution will continue to be used against us,” said Cole. Amid all the noise, though, there a ways of correcting the course. “Move to a cave and become a philosopher,” Cole advised.
Short of that, it’s key to remember that you are the target and you must adapt to the inevitability of a breach. Prepare for the inevitable by hunting, using active cyber defense, building a real security awareness training program and leveraging the home-field advantage.
“The enterprise belongs to you, not the attackers,” Cole said.
Community outreach is fast becoming a way to help raise cybersecurity awareness for the lay person, with many (ISC)2 chapters around the world working to educate their friends, parents, teachers and community members about cyber risks and online safety.
Toward that end, security leaders were recognized at Security Congress during the Information Security Leadership Awards luncheon. For his dedication to fostering a safe and secure online environment through his “Cyber Security for Dummies” project, Joseph Carson, CISSP, chief security strategist at Thycotic, received the Community Awareness award.
In recognition of her security education growth initiative, Rinki Sethi, CISSP, vice president of information security, Palo Alto Networks, was awarded the Senior Information Security Professional award.
In addition to the awards ceremony, the center hosted a panel discussion, How to Be a Community Rockstar, offering ideas from different (ISC)2 members and chapters on how to engage the community to raise awareness about staying safe online.
One common suggestion was that chapters can offer local scholarships to high school students who are interested in pursuing careers in cybersecurity. “We put together a program where we matched funds from our members, up to a certain number, then went out to schools to get people to apply. To generate interest, we offered naming rights to the scholarship. We posted our scholarships (for anyone pursuing a career in information security) and got some applications,” said Tony Howlett, CTO at Codero.
The Austin (ISC)2 chapter also visits with senior citizens to educate them on fraud and instituted a "bring your kids to chapter" day, as a way for kids to see what their parents do and to introduce other members to the resources that are available.
“It’s us and you,” said Patrick Craven, director of the Center for Cyber Safety and Education. “We are trying to create that awareness. It starts small, which sometimes means it’s not a local school but a local classroom. Talking to a teacher and getting a teacher interested. That’s part of creating the grassroots movement inside the schools.”
In advance of Cyber Safety Day – New Orleans, the Center for Cyber Safety and Education talked with cybersecurity practitioners at the 2018 Security Congress about how to talk to children about staying safe online.
Showcasing its curriculum that can be used by volunteers anywhere, the center encouraged audience members to get involved by either adopting a school or supporting scholarships. Patrick Craven, director of the Center for Cyber Safety and Education, and Ciera Lovitt, educational program specialist, were joined by Garfield, the star of the center’s educational outreach program for elementary schools.
Given that 90% of security incidents are the result of human error, the center’s goal is to educate people of all ages about good cyber-hygiene practices. For young kids, that includes topics ranging from cyber-bullying to passwords and computer security.
The center’s Children’s Internet Usage Study found that 40% of kids in grades 4-8 chatted with a stranger online. “Of those, 53% revealed their phone number to a stranger and 11% met with a stranger. It is crucial that our children learn how to be safe online and avoid being the target of cyber-criminals,” according to a press release.
In an effort to bring the content to more elementary school kids, the center is celebrating Cyber Safety Day – New Orleans, a one-day event created by the nonprofit to celebrate National Cybersecurity Awareness Month.
Participating schools will receive Garfield’s Cyber Safety Adventures – Lesson 1: “Privacy, Online Friends Are Not the Same as Real Friends,” which will be delivered on Wednesday, October 10, as part of Cyber Safety Day.
Over 2,300 students in New Orleans in 17 elementary schools city-wide will engage in the lesson using the cyber-safety education materials for free. As part of the event, former New Orleans Saints running back Deuce McAllister will also be visiting the classrooms with Garfield after the cyber-safety lesson.
Craven emphasized that educating a single child costs the nonprofit organization $2.17, and attendees were invited to donate to the rapidly growing cause. Craven noted that last year the center had 66 scholarship applications. This year, it had thousands.