Info Security

Subscribe to Info Security  feed
Updated: 1 hour 5 min ago

Dems Use Fake News Propaganda in Alabama Campaign

Fri, 01/11/2019 - 17:29
Dems Use Fake News Propaganda in Alabama Campaign

For the second time in less than two months, the New York Times has reported that a progressive group of Democrats allegedly leveraged social media sites in a secret project intended to spread false information and sway the 2017 Senate race in Alabama.

According to the New York Times, “The 'Dry Alabama' campaign, not previously reported, was the stealth creation of progressive Democrats who were out to defeat Mr. Moore – the second such secret effort to be unmasked.”

In December 2018, a technologically savvy group of Alabama Democrats allegedly attempted to mimic tactics used by the Russians, who meddled in the 2016 presidential campaign, according to one of the group's internal reports.

According to The Hill, Matt Osborne, a progressive activist who worked on the Dry Alabama campaign, said Democrats had no choice but to use disinformation if they wanted to level the playing field with Republicans. “If you don’t do it, you’re fighting with one hand tied behind your back,” Osborne reportedly said. “You have a moral imperative to do this – to do whatever it takes.”

The reality is that this was the intentional creation of fake news. "It is akin to having a digital billboard or TV ad with incorrect facts," said Chris Morales, head of security analytics at Vectra. "Since we have been successful using AI to detect attacker behaviors in real time, someone should ask a team of data scientists to find a way to use AI to detect political misinformation, since there seems to be more than an average person can sort through.”

Reportedly a participant in the Alabama project, Jonathon Morgan was chief executive of a small cybersecurity firm New Knowledge.

“First of all, I find it abhorrent that a firm would use 'cybersecurity' as part of its tagline if in fact they were conducting offensive maneuvers to sow disinformation,” said Paul Innella, CEO of Washington DC-based cybersecurity firm TDI.

“Cybersecurity professionals have an ethics code we follow, one which is endorsed when obtaining a number of certifications in our space. While it’s not the Hippocratic Oath, we still hold ourselves to a high standard – cybersecurity is defensive at its core. This is a slippery slope of the highest order if we are going to start using a field whose reputation is built on trust to now pivot to a field of propagating mistrust.”

The proper use of cybersecurity would enable detection of misinformation and impede the progress of spreading this kind of propaganda, Innella continued. 

“A cyber task force should be formed that combines the awesome power of our intelligence and justice agencies to combat this ever-present danger. A threat to free and honest speech is a threat to our constitutional rights, one which demands an even more powerful response.  We absolutely have the people and the technologies to address this growing danger, our government needs to employ it, diligently, and now.”

Categories: Cyber Risk News

Side-Channel Attack Targets Windows, Linux

Fri, 01/11/2019 - 16:22
Side-Channel Attack Targets Windows, Linux

A research team of experts from Graz University of Technology, Boston University, NetApp, CrowdStrike, and Intel has published findings on page cache attacks. Unlike Spectre and Meltdown, this attack is a first-of-its-type, hardware-agnostic, side-channel attack that can remotely target operating systems such as Windows and Linux and effectively exfiltrate data, bypassing security precautions.

In explaining the attack, authors wrote: “Our side-channel permits unprivileged monitoring of some memory accesses of other processes, with a spatial resolution of 4KB and a temporal resolution of 2 microseconds on Linux (restricted to 6.7 measurements per second) and 466 nanoseconds on Windows (restricted to 223 measurements per second); this is roughly the same order of magnitude as the current state-of-the-art cache attacks.”

After detailing background information on hardware caches, cache attacks, and software caches, the authors provide an attack threat model in which the researchers “assume that attacker and victim have access to the same operating system page cache. On Linux, we also assume that the attacker has read access to the target page, which may be any page of any attacker-accessible file on the system.”

In addition to mitigation strategies, the researchers also stated that they responsibly disclosed the vulnerability to Microsoft, and the company said it will roll out a fix.

"This attack class presents a significantly lower complexity barrier than previous hardware-based, side-channel attacks and can easily be put into practice by threat actors, both nation-state as well as cyber-gangs,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

“In particular, password recovery via unprivileged applications is a major worry, as it would be available to most unwanted software bundlers and other programs typically thought of as relatively harmless. There is not much that an end user can currently do to protect themselves against this type of attack except to not run any software from a shady source, even if it does not raise any antivirus flag," said Hahad.

Categories: Cyber Risk News

US Shutdown Plays into Hackers’ Hands

Fri, 01/11/2019 - 10:45
US Shutdown Plays into Hackers’ Hands

The US government shutdown is having a chilling effect on national cybersecurity, with 80 government web certificates having already expired without being renewed and FBI agents issuing a stark warning.

Vendor Netcraft claimed on Thursday that the lapsed certificates include those affecting “sensitive government payment portals and remote access services” at agencies like NASA, as well as the Department of Justice and the Court of Appeals.

The impact of this administrative snafu is to render the sites inaccessible or insecure. If HSTS is properly implemented, modern browsers will now not allow users to visit sites with expired certificates, said Netcraft.

“However, only a few of the affected .gov sites implement correctly-functioning HSTS policies. Just a handful of the sites appear in the HSTS preload list, and only a small proportion of the rest attempt to set a policy via the Strict-Transport-Security HTTP header — but the latter policies will not be obeyed when they are served alongside an expired certificate, and so will only be effective if the user has already visited the sites before,” it explained.

“Consequently, most of the affected sites will display an interstitial security warning that the user will be able to bypass. This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.”

The concern is that as the shutdown continues, growing numbers of certificates will expire without being renewed, increasing the security risk.

The National Institute of Standards and Technology (NIST) is particularly badly affected by the shutdown, with an estimated 85% of personnel furloughed and its website shut.

That’s bad news for the information security community as NIST guidance documents and frameworks are widely consulted to improve baseline security practices around the world.

As if that weren't enough, FBI special agents have signed an open letter warning that the shutdown could hurt operations and even force agents to consider roles elsewhere.

"As those on the frontlines in the fight against criminals and terrorists, we urge expediency before financial insecurity compromises national security," they said.

Suzanne Spaulding, a former Department of Homeland Security (DHS) under-secretary and Nozomi Networks advisor, warned that the loss of so many government employees means the US is “losing ground against our adversaries.”

“And the timing couldn’t be worse, with Congress just having established the new Cybersecurity and Infrastructure Security Agency (CISA) at the DHS,” she added.

“Getting this agency fully operational requires a lot of work and it’s like repairing an airplane while you’re flying it. You try to avoid disrupting the critical operational activity even while you make changes to improve the organization. This shutdown is a disruption CISA can ill afford.”

House Democrats have accused Trump of holding the country hostage over an exaggerated threat, as he demands over $5bn to fund a wall on the southern border with Mexico that he originally promised would be paid for by the Latin American nation.

The current shutdown is the longest since 1995, with an estimated 800,000 federal employees expecting not to be paid this week. Most Americans blame the president for the impasse, according to a new poll.

Categories: Cyber Risk News

Zurich Refuses to Pay Out for NotPetya ‘Act of War’

Fri, 01/11/2019 - 10:30
Zurich Refuses to Pay Out for NotPetya ‘Act of War’

Confectionary giant Mondelez is suing Zurich after the insurer refused to pay out over $100m on its insurance policy to cover losses incurred during the NotPetya ransomware campaign.

The owner of Cadbury believes it is owed the money to pay for the permanent damage to 1700 of its servers and 24,000 laptops as well as unfulfilled orders and other disruption to its distribution operations, according to reports.

It believes this falls under its policy’s provision to cover “all risks of physical loss or damage” to property, including “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

However, the insurance giant has claimed that an exclusion applies in this case because NotPetya falls under a “hostile or warlike action in time of peace or war” — meaning it doesn’t have to pay up.

Led by the UK, the Five Eyes nations came together in February last year to blame Russia for the attacks in June 2017.

“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds,” a Foreign Office statement noted at the time.

However, despite their strong statements, the governments didn’t produce hard evidence to back up their claims, which could make it difficult for Zurich to prove its case, according to experts.

The insurer should instead have invoked a gross negligence clause, because Mondelez was hit by the same ransomware twice, argued Igor Baikalov, chief scientist at Securonix.

“The ‘fool me once’ proverb is fully applicable here: while many companies fall victims to ransomware, one of the first steps to recovery is to make sure it doesn't happen again,” he added.

“Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich's own policy?”

NotPetya cost losses that ran into the hundreds of millions for the likes of FedEx, Maersk, Merck and many more. It was claimed in November that they have now exceeded $3bn.

Categories: Cyber Risk News

MongoDB Instance Leaks 200 Million Chinese CVs

Fri, 01/11/2019 - 09:36
MongoDB Instance Leaks 200 Million Chinese CVs

A huge MongoDB database containing detailed CVs for over 202 million individuals has been found exposed online.

The unprotected MongoDB instance was found via a simple BinaryEdge or Shodan search and was left without any password protection, according to Bob Diachenko, director of cyber risk research at and HackenProof.

The 854GB trove contained data on 202.7m Chinese job-seekers including “personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations and more.” Such information could be used to good effect in follow-on phishing attacks.

The source of the data is unknown, although it is believed it may have been scraped from third-party CV sites.

“The origin of the data remained unknown until one of my Twitter followers pointed to a GitHub repository which contained a web app source code with identical structural patterns as those used in the exposed resumes,” explained Diachenko.

“The tool named ‘data-import’ (created three years ago) seems to have been created to scrape data (resumes) from different Chinese classifieds, like and others. It is unknown, whether it was an official application or an illegal one used to collect all the applicants’ details, even those labelled as ‘private’.”

The database was secured “shortly after” Diachenko publicized his discovery on Twitter, although it’s unclear for how long it was exposed online before he first spotted it on December 28 last year.

He claimed that “at least a dozen” IPs may have accessed the database before it was taken offline, according to the MongoDB log.

Misconfigured security settings are likely to continue exposing organizations to preventable risk in 2019, especially as more of them migrate data and systems to the cloud, Trend Micro said in its 2019 predictions report recently.

Categories: Cyber Risk News

Phishing Attacks Bypass Two-Factor Authentication

Thu, 01/10/2019 - 15:53
Phishing Attacks Bypass Two-Factor Authentication

Using a new penetration testing tool to automate phishing attacks, hackers can potentially bypass two-factor authentication (2FA), according to a new post published by security researcher Piotr Duszynski. The tool was written to intentionally make phishing campaigns as easy and effective as possible, said Duszynski.

Dubbed Modlishka, a Polish word that means "mantis," the tool can reportedly bypass login operations for accounts protected by 2FA and enable an attacker to have full control of "cross" origin TLS traffic flow from the victims browsers, Duszynski wrote.

Phishing with Modlishka (bypass 2FA) from Piotr Duszynski on Vimeo.

A GitHub user inquired whether the 2FA is broken, to which Duszynski explained, “2FA isn't broken. At the end it is all about 'social engineering' that you will have to be stay alert about. Which can be e-mail, phone, post or face2face based.

“If you don't want to always verify if the domain name in the URL address bar of your browser isn't somehow malicious or worry if there's yet another URL spoofing bug, then consider switching to U2F [universal second factor] protocol."

"While cyber-criminals can get past 2FA, this should only be one piece in the authentication stack and not the only one,” said Don Duncan, security engineer for NuData Security, a Mastercard company.

“This is why companies are using multilayered authentication tools that can verify the legitimacy of a transaction from different angles," Duncan continued. "This way, if one of the layers is fooled by a bad actor, the other layers or tools can flag that activity. It is this in-depth defense that allows companies to provide an exceptional experience for customers while cutting out cyber-criminals.”

Still, Duszynski said that in his experience as a penetration tester, he has had the greatest success infiltrating customer networks by using social engineering. “One definitely does not need to burn a 0day exploit/s for all of those sophisticated top-notch security defenses that are protecting the perimeter, when often just few e-mails or phone calls will do just perfectly fine to compromise internal infrastructure and company's sensitive data.”

Categories: Cyber Risk News

Cooking Utensil Firm OXO Files Data Breach in California

Thu, 01/10/2019 - 15:35
Cooking Utensil Firm OXO Files Data Breach in California

Award-winning cooking tools company OXO revealed that it has suffered data breaches over the last two years that may have compromised customer and credit card information.

In a breach disclosure letter filed with the State of California, OXO said that the data security incident involved “sophisticated criminal activity that may have exposed some of your personal information.” The attacker is believed to have accessed credit card information, along with names and billing and shipping addresses, though the letter does not state the scope of impact.

“On December 17, 2018, OXO confirmed through our forensic investigators that the security of certain personal information that you entered into our e-commerce website ( may have been compromised. We currently believe that information entered in the customer order form between June 9, 2017 – November 28, 2017, June 8, 2018 – June 9, 2018, July 20, 2018 – October 16, 2018 may have been compromised. While we believe the attempt to compromise your payment information may have been ineffective, we are notifying you out of an abundance of caution.”

OXO is currently working with security consultants and forensic investigators, who are looking at past vulnerabilities in the website as part of an ongoing investigation of the incident. Additionally, the company has taken measures to secure its site to prevent future incidents.

“This latest breach underscores the importance of 24/7 security monitoring,” said Matan Or-El, CEO of Panorays. “With the new year upon us, companies should perform an in-depth review of all their digital assets to ensure that they and their third parties have not been compromised. We expect that future hacks will be targeted towards entire industries so as to maximize the payout for cyber-criminals.”

OXO has also secured the services of risk mitigation and response firm Kroll in order to extend identify monitoring services to its customers.

Categories: Cyber Risk News

Hyatt First Major Hotel Chain to Launch Bug Bounty

Thu, 01/10/2019 - 15:17
Hyatt First Major Hotel Chain to Launch Bug Bounty

In the wake of the massive data breach suffered by Marriott, Hyatt has announced that it will launch a bug bounty program in partnership with HackerOne, making it the first major hotel chain in the world to have a public bug bounty program.

“By being the first organization in the hospitality industry to embrace the collaborative efforts of global security researchers, Hyatt hopes to continue to raise its already high level of security standards as well as learn from and collaborate with security researchers,” Hyatt stated in its program policy.

With the goal of better protecting its millions of global guests from cyber threats, the Hyatt program will engage with researchers around the globe, offering them the chance to earn cash rewards for reporting valid security flaws on,,, and the iOS and Android versions of the Hyatt mobile app.

“At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” said Hyatt chief information security officer Benjamin Vaughn in a press release. “As one of the first global hospitality brands to launch this type of program, we extend the ways we care for our guests and deepen our commitment to protecting their sensitive information.”

Security researchers can earn $4,000 for critical vulnerabilities and $1,200 for each high vulnerability reported, while those deemed medium will be awarded $600 and low vulnerabilities will be paid $300. To date, Hyatt has paid a total of $5,650 bounties, with the average bounty worth between $150–300.

Hyatt only accepts disclosures from HackerOne researchers, and the vulnerability reports must meet all of the established requirements and contain “original and validated vulnerabilities that a potential attacker could use to compromise the confidentiality, integrity, and/or availability of the services in scope.”

Categories: Cyber Risk News

Global DNS Hijacking Blamed on Iranian Hackers

Thu, 01/10/2019 - 11:54
Global DNS Hijacking Blamed on Iranian Hackers

Security researchers have spotted a new series of DNS hijacking attacks successfully targeting organizations globally on a large scale and traced back to Iran.

The attacks have managed to compromise “dozens” of domains run by government, telecommunications and internet infrastructure in the Middle East and North Africa, Europe and North America. In so doing, they change DNS records to direct users to malicious but legitimate-looking, Let’s Encrypt certified domains where email credentials are harvested.

FireEye observed three attack methods, with activity first spotted in January 2017.

The first uses previously compromised credentials to log-in to a DNS provider’s administration panel with the aim of changing DNS A records.

The second exploits a previously compromised registrar or ccTLD to change DNS nameserver (NS) records. A third technique is used in combination with the previous two, to return legitimate IP addresses for users outside the targeted domains.

FireEye warned that a “large number” of DNS/SSL cert firms had been affected by these attacks, including telcos, ISPs, infrastructure providers and governments.

“It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors are using multiple techniques to gain an initial foothold into each of the targets described above,” the vendor explained.

“FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.”

There was less forthcoming information on the type of organizations and users targeted by the cyber-espionage itself, although FireEye claimed they include “Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value.”

This, along with the fact that the attackers used IP addresses previously associated with Iranian raids, has led the vendor to attribute the campaign to Tehran with “moderate confidence.”

Categories: Cyber Risk News

IT Guy’s Help Snares Mexican Drugs Baron

Thu, 01/10/2019 - 11:01
IT Guy’s Help Snares Mexican Drugs Baron

The trial of a suspected Mexican drugs baron took an unexpected turn this week after it emerged that the FBI managed to persuade the accused’s IT consultant to hand over access to his secure comms infrastructure.

IT specialist Christian Rodriguez had worked for drug lords before, and was apparently recommended by one, Colombian Jorge Cifuentes to Mexican "El Chapo" Joaquin Guzman.

Once on board, he’s said to have built a bespoke encrypted communications network for El Chapo as well as installing spyware on others’ phones so the kingpin could listen in to their conversations.

In total, it’s reported that Guzman was tracking 50 devices including those of his wife, mistress and members of the cartel, with malware known as FlexiSPY installed on brand new handsets by Rodriguez before being gifted to the individuals.

The Feds’ big break came in 2010 when, posing as a Russian mobster, an undercover agent is said to have arranged a meeting with Rodriguez where he requested a similar system.

It’s unclear how, but the FBI eventually managed to persuade the IT guy to turn informant. In 2011 he apparently moved the network servers from Canada to the Netherlands in what he claimed was a routine upgrade, whilst handing over the all-important encryption keys to the authorities.

That allowed the FBI to tap 200 VoIP phone calls in which Guzman apparently discussed major drug deals, beating up the police, and even bribing a corrupt federal police commander.

However, it’s believed the IT consultant suffered a nervous breakdown in 2013 from the stress of working for, and colluding against, his employer.

Although the story at times reads like the script of a film, it highlights the vital role technology now plays in law enforcement investigations.

However, ultimately the breakthrough was achieved via old-fashioned undercover work.

Categories: Cyber Risk News

Reddit Locks Down Accounts After Security Incident

Thu, 01/10/2019 - 10:06
Reddit Locks Down Accounts After Security Incident

A large number of Reddit users have been locked out of their accounts as a precaution while the site’s admins investigate potential unauthorized access.

Staffer “Sporkicide” would not disclose exactly how many users were affected by the move, but claimed in a post yesterday that “a large group of accounts were locked down due to a security concern.”

“By ‘security concern,’ we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access,” the admin continued.

“The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.”

These credential stuffing attacks, facilitated by automated software which injects breached credentials into other sites to crack accounts, is set to become ever more popular in 2019, according to one security vendor.

“Breached credentials will be actively and heavily used in fraudulent transactions as cyber-criminals take the next logical step after amassing data breach info dumps in past years: using these stolen credentials,” Trend Micro predicted in a recent report.

However, some of those commenting on the security notice claimed they used strong, site-specific credentials for Reddit. One even suggested the incident could be the result of a session hijacking attack of the same kind that led to the theft of access tokens for 30 million Facebook accounts last year.

Reddit is no stranger to security incidents: last year it suffered a major breach of user data after hackers first cracked staff accounts by intercepting SMS-based two-factor authentication codes.

Sporkicide claimed yesterday that over “the next few hours” affected account holders will be able to reset their passwords.

Jarrod Overson, director of engineering at Shape Security, claimed Reddit accounts are prized as they can be used to push malicious content, exploit other users and make content go viral.

“Reddit is notoriously easy for attackers to manipulate — they don’t require an email to open an account; the signup form only uses basic reCAPTCHA, which has been ineffective for years; and the login form does not appear to use any automation prevention techniques to protect against credential stuffing attacks,” he added.

“Sites like Reddit are a dream for attackers, there are virtually no barriers to entry and the value of trusted accounts on social networks is so high.”

Categories: Cyber Risk News

IcePick-3PC Malware Strain Steals Device IPs

Wed, 01/09/2019 - 18:52
IcePick-3PC Malware Strain Steals Device IPs

IcePick-3PC has impacted a range of businesses, from publishers to e-commerce, across a variety of industries, including retail and healthcare, according to researchers from The Media Trust’s digital security and operations (DSO) team. The malware strain was first identified in spring 2018 and is able to steal device IPs en masse.  

When it was initially detected, IcePick-3PC was used to spam device owners using phishing in a campaign that fraudulently offered gift cards from big-name retailers, such as Amazon and Walmart, in return for users sharing their personal information.

In a January 9, 2019, blog post, researchers explained that a website’s third-party tools are designed to incorporate interactive web content, such as animation via HTML5, and are loaded onto client platforms by self-service agencies. In the attack, which has affected more than 100 clients, IcePick-3PC executes after malware writers successfully hijack a website’s third-party tools.  

“The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog stated.

Additionally, before it downloads, the malware is able to examine the devices of those users who visit a website with a compromised third party library. “The extraction and collection of IPs represents the largest scale of IP theft the DSO has observed to date and marks a significant advancement in malware authoring, as stealing IP en masse with such efficiency demands rarefied coding skills,” researchers wrote.

“But now that this malware has overcome such hurdles and even breaks through VPNs in order to intercept IPs, it enables bad actors to identify users’ device vulnerabilities, and leaves the devices wide open for exploit targeting and potential future attacks.”

JavaScript tools used for animations in HTML5, called the GreenSock Animation Platform, were identified as the self-service agencies most often used, with malicious code injections found in TweenMax and CreateJS.

“In order to protect sites from this malware, publishers and e-commerce businesses should thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders. They can also detect such offenders by scanning interactive ads and site pages for unauthorized code,” researchers said.

Categories: Cyber Risk News

Scapy-Sploit, Plugin Problems and the Year of Drupal

Wed, 01/09/2019 - 17:20
Scapy-Sploit, Plugin Problems and the Year of Drupal

A Python network tool, Scapy, is vulnerable to denial-of-service (DoS) attacks, according research published by Imperva. The company also released its 2018 State of Web Application Vulnerabilities, which found that injections represented 19% of the total vulnerabilities in 2018, while plugins were the root cause of 98% of the vulnerabilities in WordPress.

In the latest version of Scapy, the algorithm used to determine the type of network packet relies on port numbers, but the packet type can easily be spoofed.

According to researchers, “The vulnerability occurs when Scapy is tricked into thinking a network packet is a RADIUS packet. The vulnerability is due to a lack of input validation when reading the length field in the RADIUS packet’s Attribute Value Pairs (AVP). This can cause an infinite loop in the following code section if a certain byte is set to zero.”

In addition to the vulnerability in this tool, web application vulnerabilities are trending upward and WordPress vulnerabilities have tripled since 2017. Still, Drupal vulnerabilities were exploited en masse, targeting hundreds of thousands of sites throughout 2018.

There was, however, some good news in regard to other web app vulnerabilities. Last year saw a decline in both the number of the internet of things (IoT) and PHP vulnerabilities, as well as in vulnerabilities related to weak authentication. Still, API vulnerabilities did show some growth. In fact, 2018 saw a total of 264 API vulnerabilities, up 23% from the 214 reported in 2017.

“The overall number of new vulnerabilities in 2018 (17,142) increased by 21% compared to 2017 (14,082) and by 159% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch,” the report stated.

When looking at content management systems (CMSs), attackers spent much of their time targeting WordPress, which is used by 59% of all websites using a known CMS, according to the report. “Although Drupal is the third-most popular CMS, two of its vulnerabilities, CVE-2018-7600 and CVE-2018-7602, were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations.”

Categories: Cyber Risk News

Phone Carriers Selling Customer Location Data

Wed, 01/09/2019 - 16:49
Phone Carriers Selling Customer Location Data

Bounty hunters are able to leverage a somewhat dubious skeptical service available through major telecom companies, including T-Mobile, AT&T, and Sprint, according to Motherboard.

A researcher reportedly paid $300 to a bounty hunter who was then able to geolocate a phone down to a location in a specific neighborhood only blocks away from the actual location of the targeted phone. According to a blog post from Motherboard’s Joseph Cox, these surveillance capabilities are available to individuals and businesses and sometimes sold through word of mouth.

“At least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard,” Cox wrote.

In addition to telecoms selling cell phone location data to company, the researcher said that there is a trickle down effect with the information, which could land in the wrong hands.

“Your mobile phone is constantly communicating with nearby cell phone towers, so your telecom provider knows where to route calls and texts. From this, telecom companies also work out the phone’s approximate location based on its proximity to those towers,” Cox said.

As we rely more on connected devices, our data is everywhere and becoming accessible to parties often unknown to us, and we may not have given consent for our data to be shared. “With each data transaction, the potential for the new party to either leak data, fall victim to compromise, or further share the data means that very quickly there's no control or governance,” said Ben Johnson, co-founder and CTO, Obsidian Security.

“Sadly, most of us assume not only that what we deliberately put on the Internet will fall into unauthorized hands but that data generated by our devices, services and even our human networks will be utilized in various ways we haven't authorized. Every copy of data is a liability, and until those who collect or generate this data have better guiding principles and scrutiny, we must assume that our data and data about us is everywhere.”

Categories: Cyber Risk News

NHS Digital CISO Quits After Three Months

Wed, 01/09/2019 - 11:11
NHS Digital CISO Quits After Three Months

NHS Digital’s first chief information security officer (CISO) has resigned just three months into the job, dealing a blow to efforts to improve cybersecurity across the UK’s health service.

In a memo to staff seen by HSJ, NHS Digital deputy CEO, Rob Shaw, said that Robert Coles’ departure was due to personal reasons and that a search for a replacement would begin immediately.

“We have enjoyed working with Robert, and his resignation is accepted with great regret,” he’s reported to have said. “I would like to personally thank him for the passion he brought to the role and the early progress he has made in developing the system-wide cyber-strategy.”

Coles only started his job as NHS Digital’s first CISO on October 1 with a daunting task ahead of him, given scarce funds and well-documented systemic cybersecurity challenges.

In fact, his role was only created after recommendations by NHS England CIO, Will Smart, following the infamous WannaCry ransomware attack of May 2017.

That attack is said to have cost the NHS £92m: £19m as a result of access to information and systems being unavailable, leading to cancelled appointments and £72m spent on extra IT support.

An estimated 19,000 operations and appointments were cancelled as a result of the ransomware-related outages, which caused disruption at a third of NHS England’s trusts and infected a total of 603 primary care and other NHS organizations, including 595 GP practices.

Despite his resignation, Coles is reportedly set to return to work as an independent consultant in the coming months.

“I am very sorry not to be able to continue in my role at NHS Digital,” he explained in the memo. “I have enjoyed working with the very talented and passionate cybersecurity team at NHS Digital and seeing the commitment to improving cyber-resilience across the health and care system.”

Coles is no stranger to high-profile jobs, having held similar positions at pharma giant GlaxoSmithKline, the National Grid and Merrill Lynch.

Categories: Cyber Risk News

Firm Offers $2m for iOS Zero-Day Exploits

Wed, 01/09/2019 - 10:45
Firm Offers $2m for iOS Zero-Day Exploits

Controversial exploit broker Zerodium has upped its bug bounties for the majority of desktop/server and mobile exploits, offering security researchers millions of dollars for their work.

At the lower end, a Windows local privilege escalation or sandbox escape will now pay out $80,000, up from $50,000, while at the top of the server/desktop category are “zero click” Windows remote code execution exploits, which have doubled in value to $1m.

However, the biggest bucks go to researchers looking for flaws in mobile platforms.

A local pin/passcode or Touch ID bypass for Android or iOS will net you $100,000, up from $15,000, while a zero click Apple iOS remote jailbreak with persistence is now worth $2m, up from $1.5m

“Zerodium pay outs for eligible zero-day exploits range from $2000 to $2m per submission,” the firm’s website explained.

“The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc).”

The firm claims it was founded to “build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”

However, unlike Trend Micro’s Zero Day Initiative, for example, exploits submitted to the firm are usually sold on privately rather than shared with the white hat community and vendors.

Law enforcement and intelligence services around the world are keen to get their hands on the latest security research, to monitor terrorists and criminals but also dissidents, journalists and others.

Categories: Cyber Risk News

Microsoft Kicks Off 2019 With Medium Patch Load

Wed, 01/09/2019 - 09:59
Microsoft Kicks Off 2019 With Medium Patch Load

Microsoft started the new year yesterday by issuing fixes for a near half century of vulnerabilities, although only seven were rated critical.

Many of these were remote code execution (RCE) bugs, with experts agreeing that CVE-2019-0547 should be top of the priority list. This RCE vulnerability in the Windows DHCP Client was given Microsoft’s highest exploit index rating.

“DHCP is a network management protocol often used to dynamically configure things like IP addresses for systems when they connect to a router,” explained Rapid7 senior security researcher, Greg Wiseman. “Any untrusted network, such as a random Wi-Fi hotspot in a coffee shop, is a potential vector for this attack.”

Other critical flaws to look at first include three Chakra scripting engine memory corruption vulnerabilities (CVE-2019-0539, CVE-2019-0567, CVE-2019-0568); two Hyper-V RCEs (CVE-2019-0550, CVE-2019-0551); and CVE-2019-0565, a Microsoft Edge memory corruption vulnerability.

Unlike the past few months, there were no zero-day flaws for admins to tackle, but there was one which had been publicly disclosed although not actively exploited in the wild.

CVE-2019-0579 is an RCE in the Jet Database Engine: one of 11 CVEs which could lead to RCE in the product.

Also on the list is Exchange memory corruption vulnerability CVE-2019-0586, which could allow an attacker to take control of a victim machine by sending a specially crafted email.

System administrators are also spared the regular task of patching Adobe Flash this month, although the vendor released fixes for two critical vulnerabilities in Reader and Acrobat last Thursday.

Qualys director of product management, Jimmy Graham, also reminded IT teams not to forget the out-of-band patch Microsoft released on December 17 for CVE-2018-8653, fixing a bug affecting Internet Explorer 9-11 which has been actively exploited in the wild.

“This patch should also be prioritized to all workstation-type devices,” he said.

The Zero Day Initiative has a full list of CVEs for January 2019 here.

Categories: Cyber Risk News

Sophos Acquires Avid Secure, Expands Cloud Security

Tue, 01/08/2019 - 17:00
Sophos Acquires Avid Secure, Expands Cloud Security

Network and endpoint security company, Sophos, announced today that it has acquired Avid Secure, a cloud infrastructure security company that uses artificial intelligence to deliver cloud security analytics, according to a press release.

No further details about the acquisition have been released, though a spokesperson for the company said in an email that Sophos will be holding meetings during RSAC 19 to discuss the company’s recent acquisition and overarching cloud business strategy.

“The accelerated adoption of public cloud environments is presenting new data security challenges to organizations. With the cloud workload protection and the cloud security posture management software from Avid Secure, Sophos will expand its current capabilities in cloud security and drive leadership in this growing space,” said Dan Schiappa, senior vice president and general manager of products at Sophos.

“We welcome the Avid Secure team to Sophos and are excited to bring their transformational technology into our portfolio, strengthening our ability to offer the best protection for our customers’ data on endpoints and networks, wherever their services are hosted.”

Since 2017, Avid Secure, a privately owned company headquartered in San Francisco, California, has offered its AI-based platform that provides public cloud protection for services such as AWS, Azure and Google.  

“We built the Avid Secure platform to revolutionize the security of public cloud environments in a process efficient way,” said Nikhil Gupta, CEO and co-founder at Avid Secure in the press release.

“We are proud of our innovative AI powered technology that provides enterprises with end-to-end continuous security analytics, visibility, and compliance to protect their data and maximize their investments in public cloud services. The opportunity to join Sophos in their mission to evolve cybersecurity into an intelligent, integrated system presented a perfect fit for our engineering vision. I, and the whole team at Avid Secure look forward to what we can achieve together.”

Categories: Cyber Risk News

Detection Limited Hacker Access to EWN Database

Tue, 01/08/2019 - 16:25
Detection Limited Hacker Access to EWN Database

Swift detection of a malicious insider that used stolen credentials to gain unauthorized access to Australia’s Early Warning Network (EWN) allowed EWN staff to shut down systems and limit the number of messages the hacker was able to disperse, according to a 7 January 2019 update on the company’s website.

The anomalous activity of the hacker who had illegally accessed the EWN alert system was detected around 9:30 EDT on 5 January 2019. While news of companies being hacked becomes more commonplace, the ability to swiftly detect and respond to malicious insiders continues to be critical to an organization’s overall security strategy.

After gaining access to the alert system – which is designed to alert users to weather emergencies – the attacker was able to send what the company describes as “nuisance” messages by way of email, text messages and phone calls to landlines, then to part of EWN’s database.

Included in the message was a link to opt out of future messages, and those who received the fraudulent alert are advised to not click on the links and delete the message.

“EWN staff at the time were able to quickly identify the attack and shut off the system limiting the number of messages sent out. Unfortunately, a small proportion of our database received this alert. Our systems are back up and running providing ongoing alerts for severe weather and natural hazard events. Investigations are continuing with police involvement,” the website said.

“The unauthorized alert sent on Saturday night was undertaken by an unauthorized person using illicitly gained credentials to log in and post a nuisance spam-notification to some of our customers. The links used in this alert were non-harmful and your personal information was not compromised in this event. Investigations are continuing with the police and Australian Cyber Security Centre involved.”

Infosecurity Magazine contacted EWN, but the company has not responded. According to the Australian Broadcasting Corporation (ABC), EWN's managing director, Kerry Plowright, said the breach was the result of compromised login details believed to have come from within Australia. No personal data has been compromised, as the system reportedly holds only "white pages" and no personal information. 

Categories: Cyber Risk News

Disgruntled Man Behind German Cyber-Attack

Tue, 01/08/2019 - 15:43
Disgruntled Man Behind German Cyber-Attack

Citing annoyance at government officials as his motive, a 20-year-old man has confessed to be the hacker responsible for releasing private information on hundreds of politicians in Germany, according to Reuters.

The news comes one day after investigators at the Federal Criminal Police Office (BKA) in Wiesbaden, Germany, reportedly searched the home of a 19-year-old man believed to have been connected with the suspected hacker who admitted he exposed the personal data of several German politicians.

On the evening of 6 January 2019, the BKA searched the suspect’s home in Central Hesse as part of its investigation on the suspicion of spying and the unauthorized disclosure of personal data of politicians, journalists and public figures, according to a BKA statement. The suspect was provisionally arrested but released due to a lack of evidence.

Infosecurity Magazine contacted the BKA to clarify whether the suspect is currently under arrest and being detained, and this article will be updated with any further details.

“During the interrogation, the defendant stated that he had acted alone in the data spying and unauthorized data releases. The investigations have so far revealed no evidence of third-party participation. To his motivation, the defendant stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned,” the statement said.

Through its preliminary investigation, the BKA learned that the suspect reportedly used a hijacked Twitter account and accessed his internet connections through a VPN service for anonymization. Investigators seized the suspects computers and data carriers, which are being fully evaluated.

“According to the accused, a computer that he had set aside two days before the search and a data backup from a share-hosting service could be found and secured,” the statement said.

Categories: Cyber Risk News