Info Security


Park Place Technologies Appoints Security and Army Veteran as its First CISO

Tue, 07/14/2020 - 16:05

Park Place Technologies, a global IT leader focused on optimizing data centers and IT infrastructure for 17,000 customers, today announced that John Parlee has joined the company as its first Chief Information Security Officer (CISO).

Parlee brings an impressive background of security know-how and expertise to the role, having previously served as director of information security at VMware Carbon Black, head of information security for the Cognex Corporation and as a security engineer for the MITRE Corporation. He also holds degrees from Carnegie Mellon University and the United States Military Academy at West Point, and served as a Captain in the United States Army and the United States Army Reserve.

In his new role, Parlee will lead the development and implementation of the Park Place security strategy, the management of security threats and vulnerabilities, and compliance with relevant security requirements and privacy laws.

Currently providing remote hardware monitoring, Park Place is increasing its focus on security as it prepares to expand its service offerings to discovery and network analytics.

“I am impressed with Park Place’s mission and commitment to customers,” said Parlee. “I look forward to working with the innovative team at Park Place to ensure that security and privacy are top priorities as the company continues to rapidly grow.”

Chris Adams, president and CEO, Park Place Technologies, added: “The addition of John and his security expertise to our team will strengthen our ability to fulfil compliance requirements and minimize risk. His appointment demonstrates that we take the security of our customers very seriously.”

Categories: Cyber Risk News

US Army Seeks Cryptocurrency Tracing Tools

Tue, 07/14/2020 - 14:45

The United States Army has expressed interest in kitting out its principal investigative division with cryptocurrency tracing tools.

In a Statement of Work (SOW) published July 10, the Army's Criminal Investigation Command's Major Cybercrime Unit (MCU) began the process of welcoming bids from contractors. 

Instead of software or hardware offerings, the Army is inviting vendors of SaaS (Software-as-a-Service) solutions to come forward and provide information for planning purposes. Contractors have until July 20 to accept the Army's invitation to express interest.

According to the document, the US Army Contracting Command-New Jersey (CC-NJ) located at Fort Dix, NJ, is "surveying the market for potential contractors capable of providing one license for one user of a cloud, web-based application capable of assisting law enforcement to identify and stop actors who are using cryptocurrencies for illicit activity such as fraud, extortion, and money laundering."

The Army isn't interested in developing an app from scratch, but instead wants to garner information about pre-existing web-based applications. 

Applications submitted must enable users to conduct an in-depth investigation into the source of cryptocurrency transactions and provide multi-currency analysis "from Bitcoin to other top cryptocurrencies."

The SaaS solution must provide real-time Bitcoin and other cryptocurrency transaction tracing, to include service attribution and identification, and must be able to spot transaction patterns and interaction with other entities. 

Furthermore, it must have the capability to set up unlimited individual user accounts with unlimited queries available.

To facilitate the analysis of data, the app must have some type of visualization and/or link analysis tool and has to be capable of exporting graphs and generating reports as a CSV, PDF or image file.

This latest publication comes almost a year after the Army shared a pre-solicitation notice that revealed users of the app will be located throughout the US and overseas where there is a CCIU (Computer Crimes Investigation Unit) presence. 

Previously, the Pentagon looked into the use of cryptocurrency in a war game designed around domestic civil unrest. Documents obtained by The Intercept detailed a scenario in which a "rebellion" launched by Gen Z included the use of crypto to redistribute stolen funds.

Categories: Cyber Risk News

Senior Catalonian Politician’s Phone Allegedly Targeted By Government Spyware

Tue, 07/14/2020 - 14:42

A senior Catalonian politician has claimed his phone was targeted with spyware by the Spanish government in a case of possible domestic political espionage, it has been reported by The Guardian newspaper today.

Roger Torrent, the speaker of the Catalan parliament, and at least two other pro-independence supporters have reportedly been told their phones were targeted last year using ‘Pegasus’ spyware, which its maker, Israeli firm NSO Group, says is only sold to governments to track criminals and terrorists.

The warning came from researchers working with WhatsApp, who believe the attacks occurred in a two-week period between April and May 2019 when 1,400 of its users were allegedly targeted by Pegasus. WhatsApp’s owner, Facebook, has since begun legal proceedings against NSO Group over the matter.

According to the Facebook lawsuit, the Pegasus spyware exploited a vulnerability in WhatsApp’s software, potentially enabling the operator to access everything on the target’s phone, including emails and text messages. It may even have been able to turn on the phone’s recorder and camera and listen in on conversations.

Quoted in The Guardian, Torrent said: “It seems wrong that politicians are being spied on in a democracy with the rule of law. It also seems to me to be immoral for a huge amount of public money to be spent on buying software that can be used as a tool for the persecution of political dissidents.”

Commenting on the story, Joe Hancock, head of cyber at law firm Mishcon de Reya, said: “The debate around intrusive surveillance can be uncomfortable, balancing rights to privacy against lawful intrusions to protect public safety.

“Eavesdropping and 'bugging' have been used for decades and are viewed as part of legitimate law enforcement activity, although they also happen as part of commercial espionage. Traditional eavesdropping requires the listener to have a level of physical access to their target. This is not the same for the tools allegedly used in this attack, which can be used to target devices internationally.

“We are likely to see more attacks like this one come into the news. When malicious software is found on a device, there is no evidence on the device of the governance or legal process that may have led to the attack being appropriately authorized or not. There may be legitimate reasons and due process for a specific target being selected, whether we agree with that selection or not. All we can do is ensure that oversight and governance of surveillance is appropriate and that we control the availability of these tools where possible.”

In response to the allegations, the Spanish Prime Minister’s office stated: “The government has no evidence that the speaker of the Catalan parliament, Roger Torrent, the former MP Anna Gabriel and the activist Jordi Domingo have been the targets of hacking via their mobiles.

“Furthermore, we must state that any operation involving a mobile phone is always conducted in accordance with the relevant judicial authorization.”

Categories: Cyber Risk News

UK Bans Deployment of Huawei Technology Over Security Fears

Tue, 07/14/2020 - 13:45

UK Prime Minister Boris Johnson has ordered Huawei equipment to be removed completely from Britain’s 5G network by 2027.

After the Chinese company had previously been approved to run part of the UK’s 5G network on a limited basis, the UK’s National Security Council has decided to ban the purchase of Huawei 5G components from the end of this year, and ordered the removal of all existing Huawei technology from the 5G network by 2027.

According to Reuters, the National Cyber Security Center (NCSC) told ministers it could no longer guarantee the stable supply of Huawei gear after the United States imposed new sanctions on chip technology.

“This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run,” Digital, Culture, Media and Sport (DCMS) secretary Oliver Dowden told parliament. “By the time of the next election, we will have implemented, in law, an irreversible path for the complete removal of Huawei equipment from our 5G networks.”

Dowden said the decision was made after the US imposed sanctions in May, which forced Huawei to use its own microchips, and after the NCSC advised ministers that it could no longer guarantee that the risk would be reduced.

The NCSC said Huawei has no access to alternative suppliers in which the UK has sufficient confidence, and the new restrictions make it “impossible to continue to guarantee the security of Huawei equipment in the future,” according to ITV News.

US President Donald Trump has repeatedly voiced caution over the use of Huawei technology, calling it an “agent of the Chinese Communist state,” and requested the UK follow his lead.

Huawei’s technology is used in multiple mobile networks, including BT's EE mobile network, and by Vodafone and Three for 4G and 5G capabilities. The government also wants operators to “transition away” from purchasing new Huawei equipment for use in the full-fiber network, with Dowden saying he expected this to happen within two years, according to the BBC.

Shortly before the announcement, Sky News revealed that Lord Browne, Huawei's UK chairman and the ex-chief executive of BP, would be leaving the Chinese company before his term had expired. It said he had given his notice a few days ago and would formally step down in September.

In a statement, Huawei called the decision “disappointing” and “bad news for anyone in the UK with a mobile phone.”

The statement claimed the decision will move Britain into the digital slow lane, push up bills and deepen the digital divide. “Instead of ‘levelling up’ the government is levelling down and we urge them to reconsider,” it said.

“We remain confident that the new US restrictions would not have affected the resilience or security of the products we supply to the UK.” 

Huawei said its future in the UK has become politicized and it will conduct a detailed review of what today’s announcement means for its business in the UK, “and will work with the UK government to explain how we can continue to contribute to a better connected Britain.”

Michael Downs, director of telecom security at Positive Technologies, said: “The ongoing tug of war within the UK on Huawei’s involvement in its 5G networks has come to an end. Although the government isn’t stripping Huawei’s equipment straight away, the phased approach will have a marked effect on the telecoms industry, potentially costing billions because a lot of the major UK operators such as BT and Vodafone are already using its equipment not just for 5G but previous generation networks as well.

“Long term, the decision to exclude Huawei cannot be solved with a solution as idealistically simple as just swapping it for an alternative vendor immediately. There is also the additional cost of delaying deployments, as companies have already gone through the process of testing 5G equipment from Huawei.

“This whole process – including testing – will have to be started all over again. This will mean a more expensive network for the UK and a delay that could result in its national infrastructure being inferior compared to other countries.”

Andrew Glover, chair of the ISPA, added: “The Government’s 5G announcement today provides some welcome clarity to our members who are rolling out networks and providing broadband to consumers and businesses across the UK. We look forward to further consultation with Government to determine the policy for fixed networks with a clear focus on ensuring that our members can roll out new gigabit-capable networks at pace.

“As the Secretary of State emphasized today, supply chain interventions have a direct impact on the speed at which networks can be rolled out, so any new restrictions need to be counter-balanced with an appropriate level of support for the sector.

“The Government has rightly made upgrading our digital communications infrastructure a priority, we now need to see a clear, ambitious plan from policymakers to help the companies that are leading this charge.”

Categories: Cyber Risk News

Rogue Javascript Integrations Permit Attacking Opportunities

Tue, 07/14/2020 - 13:03

Analysis of the Alexa top 1000 websites has revealed a troubling lack of security controls required to prevent data theft and loss through client-side attacks.

According to research from Tala Security, techniques such as Magecart attacks, formjacking, cross-site scripting and credit card skimming are exploiting vulnerable JavaScript integrations running on 99% of the world’s top websites, and security effectiveness against JavaScript vulnerabilities is declining.

The research determined the average website includes content from 32 third-party JavaScript vendors, and 58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations. 

“The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources,” said Aanand Krishnan, founder and CEO of Tala Security. “It’s imperative that organizations keep security top of mind and pay much closer attention to what has become a pervasive attack vector.”

Whilst 30% of the websites analyzed had implemented security policies, only 1.1% were found to have effective security in place.

Jonathan Knudsen, senior security strategist at Synopsys, said the company’s own research showed the average commercial application has well over 400 third-party open source components. He explained: “While the research conducted by Tala Security might identify 32 independent vendors, when looking at any software supply chain, it’s important to look not only at the known vendors, but also at the usage of open source software in the final product or service. After all, it’s impossible to patch something you don’t know is there.”

He also claimed it is “hardly surprising that the research found that the average website has content from 32 third-party vendors” as modern software is more assembled than it is written, with useful chunks of functionality often coming from open source, third-party software components and interactions happening via APIs with multiple other systems.

“There is nothing inherently wrong with using third-party software components, the JavaScript language, or the web ecosystem,” he argued. “Just as with anything else, risk must be managed and minimized during the construction and deployment of websites.”

Keith Geraghty, solutions architect at Edgescan, said that JavaScript is not the issue here, as it has “revolutionized the user experience on the web.”

“When we refer to vendors, we are usually referring to talented programmers who have developed tools and solutions that, along with HTML and CSS, make up the backbone of the web,” he said. “Like with all plugins and solutions, organizations need to ensure that what they use is safe, up-to-date and falling under the same controls as their traditional patch management strategy.”

Craig Young, senior security researcher at Tripwire, said: “The situation with loading so many JavaScript libraries from so many different domains greatly amplifies the risk subdomain hijacking attacks pose to the internet at large. The problem is that each third-party domain supplying unauthenticated JavaScript presents an opportunity for a server compromise to serve malicious content to unsuspecting users unless the site operator has taken specific security precautions.”

Categories: Cyber Risk News

Researchers Unmask Video Conferencing Users from Images

Tue, 07/14/2020 - 11:00

Security researchers have warned video conferencing users not to post screen images to social media after they managed to unmask the identities of users relatively easily.

A team from Ben-Gurion University of the Negev (BGU) used image processing and recognition tools and social network analysis to process 15,700 collage images and over 142,000 face images of meeting participants from Zoom, Microsoft Teams and Google Meet.

AI-based image processing algorithms allowed them to identify the same individuals’ participation at different meetings, either via facial recognition or analyzing features in the background.

According to BGU, they were able to detect faces 80% of the time, as well as gender and approximate ages.

Web-based text recognition libraries available free-of-charge allowed the researchers to work out almost two-thirds of usernames from screenshots. Images can be cross-referenced with social media data to raise further potential security and privacy risks, BGU claimed.

The researchers were able to unmask individuals as well as networks of colleagues, highlighting the risk to corporate users as well as consumers.

“The findings in our paper indicate that it is relatively easy to collect thousands of publicly available images of video conference meetings and extract personal information about the participants, including their face images, age, gender and full names,” said Michael Fire of the BGU Department of Software and Information Systems Engineering (SISE).

“This type of extracted data can vastly and easily jeopardize people’s security and privacy, affecting adults as well as young children and the elderly.”

BGU urged individuals and companies not to post video conference images or videos online and to use generic pseudonyms rather than unique usernames or real names on such platforms. A virtual background is also a better choice as real backgrounds can help “fingerprint” user accounts across multiple meetings, it added.

There was also advice for the platform-makers themselves: BGU said that by adding filters or Gaussian noise to images they can disrupt facial recognition without interfering with the image.

“Since organizations are relying on video conferencing to enable their employees to work from home and conduct meetings, they need to better educate and monitor a new set of security and privacy threats,” Fire said. “Parents and children of the elderly also need to be vigilant, as video conferencing is no different than other online activity.”

Categories: Cyber Risk News

Lack of Diversity and Career Burnout Blights Infosec Industry

Tue, 07/14/2020 - 09:41

A lack of diversity and excessive workplace pressure are two of the top challenges for the IT security industry, according to a new study from the Chartered Institute of Information Security (CIISec).

Compiled from interviews with 445 UK industry professionals, The Security Profession 2019/2020 report revealed that over half (54%) had left a job because of overwork or burnout, or worked with someone who had.

The problem appears to be tied to industry skills shortages which leave many practitioners overwhelmed with work, especially during holidays and busy periods.

Almost two-thirds (64%) of respondents said their employers simply hope they can cope with fewer resources when necessary, whilst 51% let routine or non-critical tasks slip. This was certainly the case during the mass shift to remote working in early 2020.

Amanda Finch, CEO of CIISec, warned that the current crisis would likely put security pros under more pressure given the impact on budgets and ways of working.

“Unless the industry can learn how to do more with less while also addressing issues of diversity and burnout, risks will rise and organizations will suffer. To avoid this, we need the right people with the right skills, giving them the help they need to reach their full potential,” she added.

“This doesn’t only apply to technical skills, but to the people skills that will be essential to giving organizations a security-focused culture that can cope with the growing pressure ahead.” 

The signs don’t look good: 82% of respondents told CIISec that security budgets are not keeping pace with rising threat levels – whether because they’re rising too slowly, staying the same or falling.

A related challenge facing the profession is its continued lack of diversity. According to (ISC)2, just 24% of global cybersecurity workers are female.

CIISec warned that a pronounced gender pay gap continues to afflict the industry in the UK.

For example, 37% of women earned less than £50,000 per year, compared to 21% of men, and only 15% of women earned more than £75,000 per year, compared to 39% of men, the study found.

Just 5% of women earned more than £100,000, versus 18% of men, and no women were paid more than £125,000 per year but 12% of men were.

“Addressing a lack of diversity in the industry isn’t only a matter of fairness,” continued Finch. “It also unlocks the skills and talents of a whole range of people who could collectively rejuvenate the industry and help reduce the huge pressure many security teams are under.”

Categories: Cyber Risk News

Millions of Logins from UK Ticket Site for Sale on Dark Web

Tue, 07/14/2020 - 08:42

Security researchers have discovered a database containing millions of emails and usernames up for sale on the dark web, linked to a well-known UK ticketing provider.

Analysts at Israeli cyber-intelligence firm KELA detected the trove of 4.8 million records, posted to an underground site on July 8. A spokesperson for the company told Infosecurity that they managed to get hold of a sample of 10,000 emails and just 300 (3%) were duplicates.

New user “Jamescarter” is selling the details for $2500, with a .ru contact email. Although the trader claims the email/log-in data comes from a “shopping and forex trading site,” KELA is confident it belongs to customers of a popular ticketing service for live shows based in the UK.

The owners of said email addresses can expect follow-on phishing and potentially credential stuffing attacks if the details are sold.

Although most are from commercial webmail providers, there are also government domains in the haul, potentially putting these high-value accounts at risk of compromise.

Interestingly, the compromised ticketing provider has had its website defaced in the past and was also identified by KELA on a Pastebin list of “websites vulnerable to SQL Injection,” although it’s not known if the two incidents are connected.

Affected users are located mainly in the UK, US, New Zealand, Australia, South Africa, Germany and France, the firm explained.

Credential stuffing alone costs EMEA organizations in the region of $4m each year, according to research from Akamai last year. This was calculated based on the cost of application downtime, loss of customers, extra work for IT security teams and the cost of follow-on fraud.

Categories: Cyber Risk News

Bitcoin Thieves Hit Cashaa

Mon, 07/13/2020 - 18:15

Cyber-criminals have compromised a British cryptocurrency exchange, making off with over $3m in Bitcoin. 

Cashaa has halted all its crypto-related transactions after cyber-criminals stole more than 336 Bitcoin from its exchange. The company has said that, prima facie, users have not been impacted by the theft.

In a media brief shared with Cointelegraph, Cashaa’s CEO Kumar Gaurav said: “We are still investigating the damage caused by the incident and suspend all the withdrawals for 24 hours.”

Kumar said that the theft occurred after malicious hackers compromised one of the exchange’s digital wallets. Once access had been gained, the hackers sent the cryptocurrency contained within the wallet to themselves. 

Gaurav said that he had reason to believe that the cyber-criminals who hit Cashaa are based in East Delhi, India. Acting on this suspicion, the exchange has filed a cyber-crime incident report with the Delhi crime bureau under the cryptocurrency crime category.

A meeting of Cashaa’s board has been called to determine whether the company will bear all the losses associated with the crime.

Cashaa said it believes that to carry out the theft, cyber-criminals installed malware onto a computer used to make exchange transfers like user withdrawals. This malware sent a notification to the cyber-criminals at 1:23pm on July 10 when an employee logged into the account and made two transfers from a Blockchain.com wallet. It was this wallet that was then compromised and illegally relieved of over 336 Bitcoin. 

The company is now taking steps to prevent the cyber-criminals who hit Cashaa from selling the stolen cryptocurrency on exchanges. On Twitter, Cashaa posted the Bitcoin address of the hacker in hopes of tracking any movement of the illegally acquired funds. 

Gaurav said Bitcoin thefts were on the rise because some cryptocurrency exchanges made it easy for cyber-criminals to launder stolen funds.

“As of today, hackers are very confident to hack crypto addresses and move it through exchanges that are facilitating such laundering through their systems,” said Gaurav.

“Exchanges like these must be shut down and owners of these exchanges should be charged with money laundering facilitation crime.” 

Categories: Cyber Risk News

Secret Service Launches Cyber-Fraud Task Force

Mon, 07/13/2020 - 17:30

The United States Secret Service has announced the creation of a new network of task forces to tackle both traditional and newfangled financial crimes.

In recognition of the growing convergence of classic financial crimes with modern financial crimes that feature a cyber element, the service is formally merging its Electronic Crimes Task Forces (ECTFs) and Financial Crimes Task Forces (FCTFs) into a single unified network. 

This new network of crime-fighting crews will be known as the Cyber Fraud Task Forces (CFTF). The Secret Service said that the mission of the CFTF is “to prevent, detect, and mitigate complex cyber-enabled financial crimes, with the ultimate goal of arresting and convicting the most harmful perpetrators.”

In a statement released on July 9, the Service said that the CFTF will pick up where the other two task forces left off, representing “an evolution, not a revolution from the ECTF and FCTF model.” 

The CFTF “will offer a specialized cadre of agents and analysts, trained in the latest analytical techniques and equipped with the most cutting-edge technologies,” according to US Secret Service Assistant Director Michael D’Ambrosio.

A trial of the new model had already improved America’s ability to disrupt and deter criminal activity, in particular scams that exploit the COVID-19 pandemic.

“The CFTF model has allowed for better data sharing, institutional alliance, and investigative skill development,” said a Service spokesperson.

“Through these efforts, the Secret Service has successfully disrupted hundreds of online COVID-19 related scams, investigated a number of cyber fraud cases, halted the illicit sales of online COVID-19 test kits, prevented tens of millions of dollars in fraud from occurring, and is leading a nation-wide effort to investigate and counter a vast transnational unemployment fraud scheme targeting the US state unemployment programs.”

D’Ambrosio said that the CFTF will focus in particular on holding accountable any cyber-criminals who seek to exploit the “perilous moment” created by the global health pandemic “for their own illicit gain.” 

The Secret Service has 42 domestic CFTF locations and two international sites, in London and in Rome. There are plans to extend the CFTF network further to encompass 160 offices globally.

Categories: Cyber Risk News

Belgium Suffers First Jackpotting Attack

Mon, 07/13/2020 - 16:30

Antwerp-based savings bank Argenta has fallen victim to what are believed to be Belgium’s first jackpotting attacks.

Also known as a “logical attack,” jackpotting is a sophisticated crime in which cyber-criminals install malicious software and/or hardware on an ATM that forces the machine to spew out all of its cash on demand. 

The attack earned its name from the way in which it causes an ATM to mimic the action of a one-armed bandit slot machine when a player strikes it lucky. 

To carry out the attack, the malicious actor must gain control of the ATM by either making a physical connection by USB or hacking into it online using specialized malware. 

Argenta closed down 143 cash machines over the weekend after being hit by two jackpotting attacks. Cyber-criminals targeted West Flanders, attacking machines in Roeselare on Friday and in Ingelmunster on Saturday.

The attacks follow in the wake of last month’s attempt by cyber-thieves to gain control over ATMs in Ranst and Borsbeek. 

In both instances, the thieves targeted some of the most antiquated machines in the bank’s network. The ATMs, which were manufactured by Diebold, had been scheduled to be replaced when they were attacked. 

The bank has not confirmed how much money was stolen in the first wave of attacks or even whether the attackers were successful in their attempts to force the ATMs to surrender their cash.  

An investigation into the Argenta attacks has been launched by Belgium’s federal police, who are working under the assumption that the same criminal gang masterminded the June and July attacks. 

“We note that despite the upgrades that have been carried out, this type of device remains in the cross-hairs of criminals,” said Argenta’s Christine Vermylen. “That is why we have decided to shut down 143 devices of this type now, pending the installation of new devices later this year. We are looking into whether that operation can be speeded up.”

Jackpotting has been around in Europe and Asia for several years and made its way to the US in 2018. According to The Brussels Times, the cybersecurity industry believes the attacks on Argenta to be the first cases of jackpotting in Belgium. 

Categories: Cyber Risk News

Personal Data of the Average Brit Held by at Least 39 Different Organizations

Mon, 07/13/2020 - 15:43

At least 39 different organizations hold personal data on the average UK citizen, providing a wide range of opportunities for hackers to access sensitive information. This is according to Nomidio’s State of Identity 2020 Analysis, which also found that almost a quarter of Brits are unaware of how many organizations hold their personal data.

This growing attack surface has led to a 67% increase in major data breaches since 2014. The problem is exacerbated by the fact that over half (53%) of the UK population use the same password to access multiple accounts.

Unsurprisingly therefore, 77% of those surveyed in Nomidio’s study said they feel vulnerable about multiple organizations holding their data.

The number of businesses, charities and public sector organizations holding personal information is also expected to grow in the wake of the COVID-19 pandemic, with an estimated 3.5 million people believed to have accessed digital services for the first time in the UK during lockdown in areas such as banking and shopping.

The findings suggest a new approach to digital identity is required.

“Why are we issued with a new digital identity every time we register with a new service provider? This situation is completely back to front, it is you or I, the individual, that should be able to present our identity to the different organizations we choose to interact with,” commented Ben Todd, VP of worldwide sales at Nomidio.

“Every time we allow a business to store our date of birth or mother’s maiden name, we’re expanding the attack surface and making it more likely our personal credentials will be lost forever. We need to centralize people’s identities, encrypt them and then give individuals the power to decide which organizations their data is shared with.” 

Last month it was reported that personal data of an estimated 350,000 social media influencers and users has been accessed and partially leaked.

Categories: Cyber Risk News

NCSC Introduces Remote Working Testing Tool for Small Businesses

Mon, 07/13/2020 - 15:10
NCSC Introduces Remote Working Testing Tool for Small Businesses

An exercise which will enable small businesses to test their cyber resilience while staff work remotely has been launched by the National Cyber Security Centre (NCSC).

Part of its Exercise in a Box toolkit, the ‘Home and Remote Working’ exercise is aimed at helping SMEs to reduce the risk of data compromise while employees are working remotely.

The exercise focuses on three key areas: how staff members can safely access networks, what services might be needed for secure employee collaboration and what processes are in place to manage a cyber-incident remotely.

Sarah Lyons, NCSC deputy director for economy and society engagement, said: “We know that businesses want to do all they can to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that.

“I would urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber-attacks.”

As part of the exercises, staff members are given prompts for discussion about the processes and technical knowledge needed to enhance their cybersecurity practices. At the end an evaluative summary is created, outlining next steps and pointing to NCSC guidance.

A spokesperson for Eventura, a managed services and business systems firm, said: “Exercise in a Box is just like the monthly fire alarm test or evacuation drill; it’s part of the preparation for a real event and the best way to learn and improve on anything is by doing it.”

Categories: Cyber Risk News

Trend Micro and Girls in Tech to Provide Cybersecurity Training to Girls Around the World

Mon, 07/13/2020 - 12:00
Trend Micro and Girls in Tech to Provide Cybersecurity Training to Girls Around the World

Cybersecurity solutions company Trend Micro has announced that it is expanding its partnership with non-profit community Girls in Tech with a new initiative aimed at closing the gender diversity and talent gap in the technology industry.

Together, the two organizations will provide cybersecurity training to girls around the world to help develop a large talent pool of women eager to get their start in the industry.

Despite a global shortfall of more than four million cybersecurity professionals today, just a quarter (24%) of current roles are estimated to be taken by women.

As part of its expanded partnership with Girls in Tech, Trend Micro will develop a new Cybersecurity Fundamentals course for the non-profit. Trend Micro has called on its own security team to build a custom course for Girls in Tech specific to today’s market needs.

The course will feature a blend of online, instructor-led classes and a hands-on lab via Trend Micro Product Cloud covering cybersecurity essentials, network security threats, an introduction to malware analysis and more.

“I’ve always been passionate about and dedicated to encouraging greater gender diversity in the industry. It’s why at Trend Micro we’re committed to supporting equal opportunities in the workplace and in 2018 launched our Close the Gap initiative,” said Eva Chen, co-founder and CEO of Trend Micro. “I’m delighted to be teaming with Girls in Tech to further advance our efforts. Especially in light of recent events, I believe we must celebrate and encourage diversity at every turn today. It’s what makes us human.”

Trend Micro and Girls in Tech first worked together on the Close the Gap program at AWS re:Invent 2018 where they brought managing directors from 30 global Girls in Tech chapters together to brainstorm diversity ideas and programs with industry executives.

“Girls in Tech shares with Trend Micro a unified vision for a future in which women are provided the same opportunities to pursue professions in technology as their male counterparts,” said Adriana Gascoigne, founder and CEO of Girls in Tech. “We look forward to continuing our partnership with Trend Micro to positively impact the technology landscape for women today and generations to come.”

Registration for the new Cybersecurity Fundamentals course is now open. The virtual course will run from August 31 to September 25 and last four hours per week.

Categories: Cyber Risk News

Russian Hacker Finally Found Guilty of 2012 LinkedIn Breach

Mon, 07/13/2020 - 11:00
Russian Hacker Finally Found Guilty of 2012 LinkedIn Breach

A Russian hacker has finally been convicted of cyber-attacks on LinkedIn, Dropbox and Formspring which breached millions of customer accounts, after spending years in custody.

Yevgeniy Nikulin, now 32, was arrested in 2016 in Prague and detained there for over a year while US and Russian officials submitted extradition requests.

He was eventually brought to the US but then faced further delays after violent behavior which led to a psychiatric evaluation. It has also been reported that Nikulin initially refused to meet with his defense counsel.

The case was then postponed due to COVID-19 lockdowns.

According to a 2016 indictment by US prosecutors, Nikulin hacked LinkedIn, Dropbox and Formspring back in 2012. The attacks were subsequently revealed to have hit 117 million LinkedIn accounts, 69 million Dropbox users and 28 million Formspring accounts.

He’s alleged to have used many of the stolen log-ins to launch subsequent attacks on individuals.

In the first case to be held in the Northern California district since the start of the pandemic, it took a jury just a few hours to convict Nikulin.

He now faces up to 10 years in prison for each count of selling stolen usernames and passwords and installing malware onto computers, and up to five years for each count of conspiracy and computer hacking. A further two-year term potentially awaits him for identity theft.

Sentencing will be handed down on September 29.

Nikulin is one of the few Russian cyber-criminals to have ended up in court in the US. The Putin administration has taken an increasingly hard line against US attempts to extradite Russian citizens from other countries.

In fact, it claimed back in 2016 that Washington was systematically “hunting for Russian citizens across the world.”

Earlier this month, an indictment was unsealed naming Andrey Turchin as “Fxmsp” — an alleged prolific hacker who made millions from selling network access.

However, he lives in Kazakhstan, which has no extradition treaty with the US.

Categories: Cyber Risk News

Zoom Patches Legacy Windows Zero-Day Bug

Mon, 07/13/2020 - 09:30
Zoom Patches Legacy Windows Zero-Day Bug

Zoom has fixed a zero-day vulnerability announced last week which affects legacy Windows customers.

The popular video conferencing platform worked quickly to patch the bug, which was announced by Acros Security in a blog post at the same time as the firm itself was informed.

“Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10,” noted a brief statement sent to Infosecurity.

“Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”

There were no details provided of the software flaw at the time, but it’s believed to have required some kind of user interaction to exploit, possibly via a phishing email. It was characterized as enabling arbitrary remote code execution.

While Windows 7 is technically no longer officially supported by Microsoft, there are still plenty of organizations out there with Extended Security Updates or who use virtual patching to maintain legacy installations.

Zoom released a further update on Sunday designed to deliver “minor bug fixes,” as well as AES-256 bit encryption for Zoom phone devices, call monitoring capabilities, customized speed dial and more.

Back in April, Zoom became a victim of its own success when researchers found several serious vulnerabilities in its platform, just as the product’s daily meeting participants had soared from 10 million in December to roughly 200 million in March.

These included a vulnerability in the Zoom Windows client which could have been exploited to steal user passwords, and two flaws in the macOS app which could have been abused to remotely install malware or eavesdrop on users.

The firm announced Salesforce senior vice-president of security operations, Jason Lee, as its new CISO last month, and has also brought on board several high-profile industry experts as consultants and advisors.

These include former Facebook CSO, Alex Stamos, Johns Hopkins cryptography expert Matthew Green, Luta Security and NCC Group.

Categories: Cyber Risk News

Central Government Loses 300+ Devices Since 2018

Mon, 07/13/2020 - 08:40
Central Government Loses 300+ Devices Since 2018

Over 300 electronic devices have gone missing from the heart of government over the past two years, according to new research from Parliament Street.

The think tank sent Freedom of Information (FOI) requests to the Prime Minister’s Office, the Privy Council, the Equalities Office and the offices of the leaders of the House of Commons and the House of Lords.

In response, they revealed that 89 devices had disappeared in 2018 and 163 last year, an 83% year-on-year increase. So far this year, 64 items have been lost in central government, despite many employees working from home due to COVID-19 lockdowns.

Stav Pischits, CEO of security consultancy Cynance, argued that cyber-criminals can be incredibly persistent in going after high value targets like government data.

“With an increasingly remote workforce due to the COVID-19 outbreak, it’s absolutely essential that government departments take the necessary steps to ensure all devices are correctly secured,” he added.

“Even though these devices were encrypted, hackers can find new ways to break through systems to access confidential files, which could be lethal in the wrong hands. So, ensuring robust encryption and cybersecurity measures at all times is essential.”

This is just the latest in a long line of FOI-related research highlighting the persistent challenge of government-owned mobile devices going missing.

In July 2019 an FOI request from MobileIron revealed that 508 devices and laptops had gone missing from eight departments over the previous year. In the Ministry of Justice alone laptop losses soared 400% from 2016-2019, with 201 going missing in the 2018/19 period, according to Apricorn research.

In February this year, another report, this time from global communications company Viasat, claimed that over 2000 mobile devices had gone missing from central government departments over the previous year, many of them unencrypted. The higher number may be explained by the fact that 27 departments responded to this study.

Categories: Cyber Risk News

Californian Jailed Over Identity Theft Scheme Targeting Military

Fri, 07/10/2020 - 18:00
Californian Jailed Over Identity Theft Scheme Targeting Military

A California man has been put behind bars for his role in an identity theft scheme that victimized thousands of US veterans and service members. 

Trorice Crawford pleaded guilty on December 5 last year to one count of conspiracy to launder monetary instruments. The 32-year-old San Diego resident admitted conspiring with US citizen Robert Wayne Boling Jr. and others to steal millions of dollars between May 2017 and July 2019. 

Crawford hired at least 30 people to act as money mules, paying them to receive funds stolen from current and former military personnel into their bank accounts. 

Unauthorized transfers from victims’ accounts ranged from $8,000 to $13,000 on average, with Crawford keeping a cut from each transaction. Crawford also oversaw the transmission of stolen funds to Boling and others in the Philippines via international money remittance services. 

A federal judge in San Antonio yesterday sentenced Crawford to 46 months in federal prison. Chief US District Judge Orlando Garcia ordered Crawford to pay $103,700 in restitution and be placed on a three-year period of supervised release after completing his prison term.

Crawford’s co-defendant, Frederick Brown, pleaded guilty to charges in connection with the identity theft scheme in October 2019 and will be sentenced on September 17. The 38-year-old used his former position as a civilian medical records administrator for the US Army to steal the personal identifying information (PII) of thousands of military members. 

Brown admitted using his cell phone to capture members’ names, Social Security numbers, DOD ID numbers, dates of birth, and contact information while logged into the Armed Forces Health Longitudinal Technology Application.

The Las Vegas resident further confessed to handing over the stolen PII to Boling and his Philippines-based co-defendants, Australian Allan Albert Kerr and South Korean Jongmin Seok, so that they could use it to access Department of Defense and Veterans Affairs benefits sites and steal millions of dollars. 

As asserted in the federal grand jury indictment, Boling, Kerr, and Seok used the stolen data to compromise a Department of Defense portal designed to enable military members to access benefits information online. 

The trio are charged with multiple counts of conspiracy, wire fraud, and aggravated identity theft. Measures are being taken to extradite them from the Philippines to Texas.

Categories: Cyber Risk News

SANS Institute Cyber-Skills Game Now Available in Middle East

Fri, 07/10/2020 - 17:00
SANS Institute Cyber-Skills Game Now Available in Middle East

A platform created by the SANS Institute to teach core cybersecurity skills is now available to students and young adults across the Middle East and Africa.

CyberStart Game provides a gamified learning experience that can be used in the classroom or accessed at home. This 100% online learning platform is designed to teach complex security concepts while promoting self-guided exploration and investigation over traditional learning tropes. 

Users can access over 200 different challenges via the platform, working through each one at a pace dictated by their own schedule and ability. The platform was thoughtfully established with built-in clues, tips, and video hints to assist students when they get stuck and to help them complete the challenge. 

CyberStart Game was created by SANS Institute CTO James Lyne, who based each challenge on historical real-world cyber-attacks, security breaches, and other cybersecurity scenarios. 

SANS Institute has opened up the platform to students and young adults in Africa and the Middle East as part of an ongoing emphasis on online learning and because of the heightened level of cybersecurity threat triggered by the current global health pandemic.

Ned Baltagi, Managing Director, Middle East & Africa at SANS Institute, said: “Global communities and their families including school- and university-going students are now in a shelter-at-home position. On the flip side, threat actors are increasing their activities, using advanced social engineering phishing techniques to lure online workers to malicious sites and possible ransomware attacks.”

Baltagi believes that through playing CyberStart, youngsters can acquire valuable cyber-self-defense skills that will help protect them while online.

“At this stage, CyberStart Game is the most appropriate and suitable platform to build awareness of cyber security skills for young adults, who may encounter these threats as they move to the next level of their career or device usage,” he said.

SANS Institute is offering CyberStart Game Education and Enterprise packages that include flexible access for students and teachers. No prior cybersecurity expertise is required to play the game or teach others how to play it.

“We will help schools, universities and organizations in the Middle East and Africa to find the right option for them,” said Baltagi.

Categories: Cyber Risk News

Vulnerability Found in Kasa Camera

Fri, 07/10/2020 - 16:00
Vulnerability Found in Kasa Camera

A hobby farmer on the hunt for a vegetable-eating critter has discovered a flaw in a popular outdoor home security camera. 

Midwesterner Jason Kent purchased a Kasa camera to help identify whatever creature it was that had been eating his cucumber plants. In addition to uncovering the antics of a groundhog, Kent was alarmed to discover an account takeover (ATO)/credential stuffing vulnerability in the security device.

Kent said: “Upon installation I realized the mobile application was connecting directly over the network to the camera, and if I wasn’t on the network, I still could see the images from my camera on the mobile app. As a security professional, this concerned me.”

Kent, who is hacker-in-residence at Cequence Security, said the cybersecurity flaw he found in the device could allow a bad actor to spy on a user's home and change the camera’s settings.

“This API vulnerability makes it easier for a cyber-criminal to take over someone’s Kasa camera account and then use that access to change passwords, modify camera settings, view private security footage or use it to surreptitiously snoop on a user’s home,” he said.

Through further investigation, Kent discovered that although Kasa’s mobile application uses SSL, the SSL certificate wasn’t pinned. This made it “easy to open it up and look at the transactions.”

“I also found that the authentication is simply BASE64 encoded username:password being passed under SSL,” said Kent. 

“Security best practices dictate that the application should hash under the SSL rather than encoding and reiterated the value of pinning the certificate.”

Of equal concern to Kent was the finding that authentication to the web platform returned “very verbose” API error messages that included phrases such as “password incorrect.” Kent posits that this could leave users who set up their username as their email address vulnerable to cyber-attack, since the message confirms which email addresses hold accounts.

Kent reported his concerns to TP-LINK, parent company of the Kasa brand, in March 2020. On June 15, the company said that the vulnerability he found would be fixed. At time of publication, the flaw had still not been remedied.
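As an added illustration of the two behaviours Kent describes (not code from Kent, Cequence or TP-LINK), the following compares a login handler that answers “user not found” or “password incorrect” with a hardened one that returns a single generic message and performs the same password-hash work for unknown users. The user store, salts and credentials are constructed for the example; the Basic auth decoding shows why Base64 is encoding, not protection.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (salt, PBKDF2 hash of password).
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-0001"
USERS = {"alice@example.com": (_SALT, _pbkdf2("correct horse", _SALT))}


def decode_basic(header: str):
    """Decode an HTTP Basic Authorization header into (user, password).
    Base64 is fully reversible, so TLS is the only thing protecting
    these bytes in transit; returns None for anything malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, pw = raw.partition(":")
    return user, pw


def login_verbose(header: str) -> dict:
    """Leaky variant: distinct messages reveal whether the username exists."""
    creds = decode_basic(header)
    if creds is None:
        return {"ok": False, "error": "malformed authorization header"}
    user, pw = creds
    if user not in USERS:
        return {"ok": False, "error": "user not found"}
    salt, stored = USERS[user]
    if not hmac.compare_digest(_pbkdf2(pw, salt), stored):
        return {"ok": False, "error": "password incorrect"}
    return {"ok": True}


# Dummy record so unknown users cost the same hash work as known ones.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _pbkdf2(secrets.token_hex(8), _DUMMY_SALT)


def login_uniform(header: str) -> dict:
    """Hardened variant: one generic failure message for every cause, and
    the PBKDF2 work is done even for unknown users so response time does
    not reveal account existence either."""
    creds = decode_basic(header)
    if creds is None:
        return {"ok": False, "error": "authentication failed"}
    user, pw = creds
    salt, stored = USERS.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    valid = hmac.compare_digest(_pbkdf2(pw, salt), stored) and user in USERS
    if not valid:
        return {"ok": False, "error": "authentication failed"}
    return {"ok": True}


def basic_header(user: str, pw: str) -> str:
    """Build the Authorization header a client would send (constructed)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
```

Rate limiting and account lockout still belong in front of either handler; the uniform response only removes the oracle that tells a credential-stuffing client which usernames are worth retrying.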

Categories: Cyber Risk News
