Info Security

Subscribe to Info Security  feed
Updated: 2 hours 1 min ago

Kubernetes Clusters Hit by Kubeflow Crypto-Mining Attack

Fri, 06/12/2020 - 08:20
Kubernetes Clusters Hit by Kubeflow Crypto-Mining Attack

A first-of-its-kind campaign targeting a popular Kubernetes toolkit seeded cryptocurrency mining malware across multiple clusters, according to Microsoft.

Open source project Kubeflow is a framework for running machine learning tasks in Kubernetes.

As the nodes used for these tasks tend to be relatively powerful, sometimes including GPUs, they’re an attractive target for crypto-miners, according to Yossi Weizman, security research software engineer at the Azure Security Center.

Back in April, his team detected a suspect image subsequently found to be running an XMRIG miner, deployed from a public repository onto multiple clusters.

Weizman explained that the Kubeflow dashboard is exposed by an Istio ingress gateway and, by default, is accessible only internally. However, users may have unwittingly made the set-up less secure by tweaking these settings.

“In some cases, users modify the setting of the Istio Service to Load-Balancer which exposes the service to the internet. We believe that some users chose to do it for convenience: without this action, accessing the dashboard requires tunneling through the Kubernetes API server and isn’t direct,” he said.

“By exposing the service to the internet, users can access the dashboard directly. However, this operation enables insecure access to the Kubeflow dashboard, which allows anyone to perform operations in Kubeflow, including deploying new containers in the cluster.”

This likely allowed attackers to deploy a backdoor container in the cluster, Weizman added.

Although only “tens” of clusters were affected in this operation, it comes hot-on-the-heels of a larger-scale cryptocurrency mining campaign against Kubernetes clusters spotted by Microsoft in April.

Weizman concluded that organizations should make use of authentication and access controls, ensure sensitive interfaces are not exposed to the internet, regularly monitor the runtime environment, allow deployments of only trusted images and always scan images for vulnerabilities.

Categories: Cyber Risk News

US Cops' Personal Info Leaked Online

Thu, 06/11/2020 - 17:40
US Cops' Personal Info Leaked Online

The US Department of Homeland Security has produced a document warning that the personal information of America's police officers is being leaked online. 

According to the unclassified intelligence document obtained by The Associated Press, threat actors are searching for private or identifying information about cops serving in departments nationwide and publishing it online in a form of cyber-attack known as doxxing.

In the document, the DHS warns that the digital act of doxxing could engender actual physical violence perpetrated by "violent opportunists or domestic violent extremists" if information like officers' home addresses fell into malicious hands. 

A further dire consequence of doxxing that the DHS said could happen is that law enforcement officials would be prevented from carrying out their duties.

Included in the document is the bombshell that numerous high-ranking police officials have already fallen victim to doxxing attacks that have seen their home addresses, email addresses, and phone numbers splashed across social media. 

Top brass officers whose privacy has been compromised are serving in cities including Washington, Atlanta, Boston, and New York.

The DHS believes doxxing attacks on police officers are linked to the ongoing protests over police brutality triggered by the death of George Floyd

The report states that “at least one of the police commissioners was targeted for his alleged support of the use of tear gas to disperse protests."

Police officers in cities across America have been placed in a difficult position, ordered to keep the peace as numerous peaceful demonstrations have been high-jacked by looters and violent extremists. 

It seems that the excessive force used by a minority of cops has tarnished the reputation of America's entire law enforcement community, the majority of whom uphold their sworn oath to protect and serve the public. 

Some protestors have cited Floyd's death as evidence of systemic racism in the police force. They may be surprised to learn that of the people shot to death by US police in between 2017 and June 2020, 1,398 were white, 755 were black, 542 were Hispanic, 133 were "other." The race of a further 588 people shot to death by American cops was unknown.

Categories: Cyber Risk News

SD-WAN is the Cloud Security of Choice for Half of UK Businesses

Thu, 06/11/2020 - 17:15
SD-WAN is the Cloud Security of Choice for Half of UK Businesses

Software-defined wide area network (SD-WAN) is the cloud security solution of choice for around half (49%) of UK businesses, who have either deployed it or are planning to do so in the next 12 months, according to a report by Barracuda Networks.

The research also found this approach is being used by 27% of UK decision makers, who have added security to their public cloud, whilst 33% said SD-WAN is their preferred additional security solution to add to the public cloud.

In the study, global IT decision makers from a broad range of sectors across EMEA, APAC and the US were surveyed about their attitude to SD-WAN; a targeted, software-defined approach to the traditional wide-area network.

Nearly half (48%) of UK respondents thought SD-WAN improved overall connectivity, while 45% said it increased network flexibility and agility. None of those surveyed from the UK said there were no benefits in deploying the software.

The sector with the highest uptake of SD-WAN in the EMEA region was construction and property, with 80% of respondents from this area saying they have already deployed it, or expect to in the next 12 months. This was followed by the IT technology and telecoms industries (76%).

There is currently zero deployment of SD-WAN in EMEA public sector organizations, although 35% are in the process, or expect to do so in the next year, according to the analysis.

Microsoft Azure was the most popular SD-WAN product; it was 50% more favored globally than Amazon AWS and 125% more preferred than Google GCP. The survey indicated that Microsoft Azure was perceived to be more secure and user friendly than AWS and GCP.

Klaus Gheri, VP, network security, Barracuda, commented: “As more organizations move to the public cloud, SD-WAN technology is a critical part of securing these cloud deployments. By deploying an all-in-one, secure SD-WAN solution natively built into the public cloud network, organizations can reap the full benefits of public cloud.”

Categories: Cyber Risk News

Macy's Pays $192,000 to Settle Data Breach Suit

Thu, 06/11/2020 - 16:20
Macy's Pays $192,000 to Settle Data Breach Suit

US department store giant Macy's has agreed to pay almost $200,000 to settle a lawsuit brought over a data breach, according to Footwear News

The class-action lawsuit was brought after a third party managed to obtain customer information from the company in spring 2018. In the suit, plaintiff Anna Carroll accused the 162-year-old company of failing to properly secure customer data against cyber-attackers.

On June 5, Macy's received final approval from a federal judge in Alabama to settle the suit. The retailer has set aside $192,500 to be allocated to eligible class members. 

Under the terms of the settlement, plaintiff Anna Carroll will receive a payment of $2,500 from Macy's. A further $60,000 will be shelled out by the store to cover legal costs. 

Class members will be reimbursed up to $1,500 provided they can supply documents to prove that they incurred expenses and lost time as a direct result of the data breach. Claimants who are unable to prove that their time was wasted in dealing with the fallout from the breach can only claim a single $30 payment. 

Judge R. David Proctor called the settlement “fair, reasonable, and adequate” in a memorandum. 

Opting to pay to make the suit go away is not an admission of failure to implement adequate cybersecurity measures on Macy's part. The company has stated that it "is not in any way liable for the cyber-attack" but chose to settle the suit because of the "risks, uncertainties, burden, and expense of continued litigation." 

Macy's customers were informed in July 2018 that a third party had used valid usernames and passwords to gain access to accounts on Bloomingdales.com and Macys.com between April 26 and June 12 that year. 

In November 2019, Macy's notified its customers of a further data breach that occurred in October 2019. A Massachusetts consumer subsequently filed a class-action against Macy's in March 2020 over the 2019 data breach. 

According to the suit, Macy’s has offered “neither financial compensation nor an opportunity to obtain, free of charge, certain professional monitoring” aimed strictly at protecting against identity theft for one year.

Categories: Cyber Risk News

UK Government Awards £10m Fund to Develop Cybersecurity Tech Solutions

Thu, 06/11/2020 - 15:25
UK Government Awards £10m Fund to Develop Cybersecurity Tech Solutions

The UK government is investing £10m over the next four years to boost the development of new cybersecurity technology solutions, digital secretary Oliver Dowden has announced today at London Tech Week Connect. Nine grant winners will share the fund from the government’s Digital Security by Design program, launched last year, which aims to improve the resilience of UK organizations to cyber-attacks.

The winners will use the money to build on their innovative solutions and create enhanced software and applications to contain any hacking attempts.

The selected solutions tackle a range of cyber-threats. The University of Southampton will get a portion of the fund for its ‘HD-Sec’ solution, which seeks to speed up the process of and reduce errors and security vulnerabilities in software design that could have been exploited by hackers.

Another is ‘AppControl’ from the University of Glasgow, which will use the money to leverage its state-of-the-art microprocessors, with the aim to ensure vital systems that could be used in cars, medical robots or nuclear power plants remain digitally secure.

Each team will be expected to demonstrate the economic and societal benefits of their new secure technology by creating a working example of their solution.

Dowden said: “We have a world-class cybersecurity sector and together we are working hard to make sure the UK is the safest place to work, connect and live online. With government support, these projects will build cutting-edge, secure technologies that will give people and businesses further confidence in our digital services and help weaken the threat of cyber-attackers.”

The initiative forms part of the UK government’s commitment to increase investment in R&D by 2.4% of GDP by 2027. Yesterday, applications were opened for the world’s first artificial intelligence (AI) and data science conversion courses in the UK, which will begin in autumn 2020.

Cyber-attacks are an increasing threat to organizations in the UK. According to the government’s Cyber Security Breaches Survey 2020, published in March, 46% of businesses and 26% of charities have experienced cybersecurity breaches or attacks in the last 12 months.

Categories: Cyber Risk News

MAZE Attacks Victoria Beckham's Advisory Firm

Thu, 06/11/2020 - 15:24
MAZE Attacks Victoria Beckham's Advisory Firm

The threat group MAZE claims to have carried out a cyber-attack on a mergers and acquisitions firm whose client list includes former Spice Girl and fashion designer Victoria Beckham. 

MAZE maintains that it has encrypted and exfiltrated data from New York company Threadstone Advisors using ransomware. 

Threadstone is an independent advisory firm based on Madison Avenue that specializes in the consumer and retail sectors. The company worked with Beckham to facilitate a minority investment by NEO investment partners. 

Other clients of the M&A firm include Charles S. Cohen, Pittsburgh Brewing Co., Harrys of London, and Xcel Brands. 

Notice of the alleged assault was posted on the cyber-criminals’ blog within the past 24 hours, along with the phone number and email address of Threadstone's managing director, Joshua Goldberg. 

Proof of the attack in the form of files containing Threadstone's data has not been made available by MAZE. However, the threat group claims on their blog that such evidence is "coming soon." 

No information has been shared as to how much of Threadstone's data MAZE claims to have accessed or how much the group is demanding as a ransom payment. 

Infosecurity Magazine contacted Goldberg to confirm the alleged attack but had not received a response at time of publication. 

Commenting on the possible cyber-crime, Emsisoft's Brett Callow said: "For companies that hold sensitive information about its clients, data theft is a nightmare scenario."

Callow said that this particular type of cyber-attack placed companies in an impossible situation. 

"Whether the ransom is paid or not, their information is in the possession of cyber-criminals and may be made publicly available and/or sold or traded with other criminal enterprises," said Callow. 

"At best, a company will receive a pinky promise that the stolen data will be deleted and not misused—but as that pinky promise is being made by criminal scumbags, it carries very little weight. No weight at all, in fact."

Previous victims of MAZE include IT services firms Cognizant and Conduent. Cognizant admitted that its run-in with the MAZE group in April 2020 could end up costing the firm $70m.

Categories: Cyber Risk News

Malicious Apps Pose as Contact Tracing to Infect Android Devices

Thu, 06/11/2020 - 14:13
Malicious Apps Pose as Contact Tracing to Infect Android Devices

Threat actors are using fake COVID-19 contact tracing apps to infiltrate Android devices in countries around Asia, Europe and South America.

According to research from Anomali, 12 fake apps have been detected as targeting citizens in Armenia, India, Brazil, Chhattisgarh, Columbia, Indonesia, Iran, Italy, Kyrgyzstan, Russia and Singapore.

Once installed, the apps are designed to download and install malware to monitor infected devices, steal banking credentials and personal data.

In particular, the Anubis and SpyNote malware have been detected as being downloaded by these apps. Anubis is an Android banking Trojan that utilizes overlays to access infected devices and then steal user credentials, while SpyNote is an Android Trojan used for gathering and monitoring data on infected devices.

The fake app detected as imitating the Brazilian government’s official COVID-19 tracing app imitates the legitimate application by asking for the accessibility service privilege on the user’s app settings, and once the user enables the permissions, the app will run in the background and hide the icon from the application drawer.

“We believe the threat actors are distributing the malicious apps via other apps, third-party stores, and websites, among other channels,” Anomali said.

“Threat actors continue to imitate official apps to take advantage of the brand recognition and perceived trust of those released by government agencies. The global impact of the COVID-19 pandemic makes the virus a recognizable and potentially fear-inducing name, of which actors will continue to abuse.”

Previous research by Lookout found a larger mobile surveillance campaign operating out of Libya and targeting Libyan individuals. Upon first launch, that app informed the user it did not require special access privileges, “but subsequently proceeds to request access to photos, media, files, device location, as well as permission to take pictures and record video.”

Tom Davison, technical director – international at Lookout, said: “One single app-based malware campaign may in fact be spread through 10s or even 100s of infected apps. Frequently these will impersonate well-known apps, or latch onto topics of interest for their intended targets.

“As more countries adopt government-sponsored or privately developed contact tracing apps, it is not unexpected that further malicious app samples will emerge. None of the samples observed by Lookout were ever on the Google Play Store and the advice to users is to always download mobile apps from official stores.”

Paul Balkwell, vice-president EMEA at AppRiver, a Zix company, told Infosecurity that it has already seen how vulnerable people are to these kind of attacks that impersonate legit COVID-19 contact tracing government apps. “With contact tracing considered a fundamental vehicle to reopening world economies, we will unfortunately see an increase in these malicious apps and other opportunistic scams,” he said. “The threat environment is evolving to match the current situation.”

Asked if he expected there to be more fake/malicious apps pretending to be contact tracing apps, Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), said given that contact tracing implementations are trending towards using Bluetooth and discussion includes knowing contacts and communicating where the contact occurred, “it’s reasonable for consumers to expect any contact tracing app to request extra permissions like access to device contacts and location.”

However, as consumers have no way to vet the true technical requirements for any contact tracing app, Mackey said if the app also requests access to camera, phone or files, that might seem reasonable enough. “This then represents a perfect cover for cyber-criminals who could request excess privileges and safely mount their attacks while legitimate contact tracing protocols and apps are being developed,” he added.

Javvad Malik, security awareness advocate at KnowBe4, said criminals will latch onto any current event and news story to try and get malware onto devices, and the COVID-19 pandemic has provided ample opportunities for them to do so and the contact tracing apps are no exception.

“It is likely that as more people become aware of contact tracing apps we will see a sharp rise in the number of fake malicious apps,” he said. “Not only that, but we'll probably see alternate apps crop up which will claim to block contact tracing apps or make users invisible to authorities. The advice, as always, is for users to remain vigilant about apps. They should only trust official sources and not download apps which are sent to them via SMS, email or social media.”

Categories: Cyber Risk News

Cybersecurity Firm OPORA Announces $7m Seed Funding

Thu, 06/11/2020 - 11:18
Cybersecurity Firm OPORA Announces $7m Seed Funding

Cybersecurity firm OPORA has announced seed funding of $7m led by Jerusalem Venture Partners (JVP) and private investors.

OPORA was founded by Yuval Diskin, the former head of Israel’s Internal Security Agency, and uses pre-attack adversary behavior analytics to deliver pre-emptive adversary threat protection against the most persistent, organized and largely uncontested cyber-criminals operating today. OPORA will use the seed funding for product development, sales and marketing efforts.

The company, led by CEO Chris Bell, a serial cybersecurity entrepreneur who was a co-founder of Securonix, also announced two new board members, JVP founder and chairman, Erel Margalit, and JVP principal, Julia Kagan.

Bell said: “We started OPORA because we realized that to get control over cybersecurity and the largely uncontested adversaries behind the chaos, IT Security teams need a pre-emptive advantage. OPORA customers change the balance of power between them and their adversaries, gaining a pre-emptive advantage that translates into adversary level prevention, containment and control.”

Margalit added that it is time to move from defense to offense and track cyber-criminals in their territory before they move to attack.

“Israel has brought the three big cyber-paradigms to the world. The first, firewalls created by Check Point Software, the second being CyberArk’s solution, preventing attackers from within, and now the third – OPORA’s technology is stopping criminals on their home turf before they even attack.”

Categories: Cyber Risk News

FBI Warns of Surge in Mobile Banking Attacks

Thu, 06/11/2020 - 10:30
FBI Warns of Surge in Mobile Banking Attacks

The FBI has issued a warning to users of mobile banking apps that they may be at increased risk of compromise, as cyber-criminals look to exploit surging use of the technology under lockdown.

The Bureau’s Internet Crime Complaint Center (IC3) public service announcement claimed that industry figures show over three-quarters (75%) of Americans used mobile banking last year, and that usage has soared by 50% since the start of the year.

“With city, state and local governments urging or mandating social distancing, Americans have become more willing to use mobile banking as an alternative to physically visiting branch locations,” it continued.

“The FBI expects cyber-actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking Trojans and fake banking apps.”

Banking Trojans are often hidden inside legitimate-looking apps like games or news readers. They lie hidden on the user’s device until they visit their banking app, at which point they spring into action, often using an overlay to harvest log-ins and trick the bank’s back-end fraud screening.

Other variants pose as banking apps themselves and directly harvest log-in and personal data from the victim.

Kacey Clark, threat researcher at Digital Shadows, argued that fake banking apps can also be used for other malicious ends.

“Banking Trojans can be used as a ‘dropper’ to install malware onto a user’s phone, particularly spyware,” she said.

“Once installed on a device, spyware can remain undetected while managing and accessing everything on a victim’s device including sensitive information such as the target device’s camera and microphone, text messages, passwords, contact lists, stored or typed payment card details and geolocation.”

Chris Hazelton, director of security solutions at Lookout, added that mobile phishing is often used to trick users into downloading these apps from fake websites, or steal log-ins directly. He claimed that 46% of Lookout users encountered a mobile phishing attack in the past three months, up from 33% in the middle of 2019.

“Almost all users use a case to protect their phones from physical threats, but they should also protect the digital side of their smartphones to protect from malicious apps,” Hazelton argued. “They should also install mobile security software to protect their data and identities. Many services are free to use, and can easily be upgraded for even more protections.”

The FBI recommended users only download apps from official app stores and banking websites, use password managers with strong credentials, and if possible switch on two-factor authentication.

Categories: Cyber Risk News

Phishing and BEC Surge as #COVID19 Attackers Prioritize Email

Thu, 06/11/2020 - 09:15
Phishing and BEC Surge as #COVID19 Attackers Prioritize Email

Email remains the vector of choice for cyber-criminals, with half of firms (51%) suffering a ransomware attack and even more (58%) seeing an increase in phishing over the past year, according to Mimecast.

The security vendor’s annual State of Email Security report is based on data collected from over 1000 global IT decision makers over February and March, and so is heavily influenced by the COVID-19 crisis.

In fact, while 60% of respondents said they experienced an increase in impersonation attacks (including BEC) over the past year, there was a 30% spike in the first 100 days of the pandemic alone (Jan-April 2020).

Downtime (82%) and data loss (31%) were two of the most common impacts of email attacks and an overall lack of cyber-resilience.

“The increase in remote working due to the global pandemic has only amplified the risks businesses face from these threats, making the need for effective cyber-resilience essential,” said Joshua Douglas, vice-president of threat intelligence at Mimecast. “It’s likely that cyber-resilience strategies are lacking key elements, or don’t have any at all, depending on the organization’s maturity in cybersecurity.”

Interestingly, 60% of respondents claimed that they had suffered an attack which spread from one infected user to other employees, highlighting the importance of enhanced staff training to stop that first attack.

Unfortunately, the report claimed that over half (55%) of those polled don’t provide awareness training on a frequent basis.

Perhaps unsurprisingly, the vast majority (85%) of IT leaders said they expected web and email spoofing volumes to stay the same or increase over the coming year, while 60% believe it is inevitable or likely they will suffer an email-borne attack.

“Security leaders need to invest in a strategy that builds resilience moving at the same pace as digital transformation,” argued Douglas.

“This means organizations must apply a layered approach to email security, one that consists of attack prevention, security awareness training, roaming web security tied to email efficacy, brand exploitation protection, threat remediation and business continuity.”

Categories: Cyber Risk News

Google Warns of Emerging #COVID19 Cyber-Threat Hotspots

Thu, 06/11/2020 - 08:30
Google Warns of Emerging #COVID19 Cyber-Threat Hotspots

Google has warned of a rise in COVID-19 threats in specific parts of the world, as cyber-criminals adapt their campaigns regionally.

The tech giant’s Gmail security product manager, Neil Kumaran, and lead security PMM for G Suite and GCP, Sam Lugani, explained that they’re blocking more attacks of late in India, the UK and Brazil.

These malware, phishing and spam threats “use regionally relevant lures, financial incentives and fear to create urgency and entice users to respond,” they said yesterday.

In the UK, for example, attackers are impersonating the government with reference to the Small Business Grant Fund and other schemes designed to support organizations through the crisis. This chimes with what others are seeing: a recent phishing campaign was spotted targeting those interested in the Self-Employment Income Support Scheme (SEISS).

Other attacks blocked by Google in the UK spoofed the firm itself in messages designed to access personal information.

In Brazil, Google warned of an uptick in phishing attacks spoofing streaming services, with some using a more aggressive approach, by claiming the recipient will be fined if they don’t respond.

In India, there has been an increase in the volume of malicious emails purporting to come from established health insurance companies, providers of COVID-19 symptom tracking services and the government’s Aarogya Setu initiative, designed to connect citizens to essential health services.

Google didn’t provide specific threat data on the scale of the increase in specific regions, but its update should be a reminder that COVID-19 scams are still very much active around the world. Last month the firm revealed that it was blocking 18 million daily malware and phishing emails and over 240 million spam emails targeting its Gmail users.

Kumaran and Lugani urged organizations to adopt DMARC to help prevent spam and abuse of their brand.

It’s a message echoed by US-based industry body the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) this week.

Categories: Cyber Risk News

Alabama City to Pay Cyber-Ransom

Wed, 06/10/2020 - 16:30
Alabama City to Pay Cyber-Ransom

An Alabama city is paying over a quarter of a million dollars to cyber-criminals to recover data encrypted in a ransomware attack.

Florence became a victim of the DoppelPaymer ransomware gang on June 5 in an attack that shut down the city's email system. The gang demanded 38 bitcoin, equivalent to USD $378,000, and threatened to publish or sell data stolen from Florence if the city didn't pay up.

A security firm hired by Florence in the wake of the attack was able to negotiate the ransom down to 30 bitcoin, worth around $291,000. 

City mayor Steve Holt said that Florence had elected to pay the ransom despite not knowing for certain what data the cyber-criminals had stolen and encrypted.  

“Do they have our stuff? We don’t know, but that’s the roll of the dice,” Holt said.

The mayor theorized that attackers gained access to the city's computer system via a phishing attack. 

Holt told KrebsOnSecurity that the DoppelPaymer gang appeared to have compromised the networks of four further victims within an hour of striking Florence, including another municipality that he declined to name.

Krebs contacted Holt's office in late May after receiving a tip from Hold Security that Florence's information technology systems had been infiltrated by hackers who specialize in deploying ransomware. 

The Wisconsin cybersecurity firm had discovered that a Windows 10 system in the city's IT infrastructure, seemingly linked to the city's manager of information systems, had been taken over by malicious actors on May 6. 

Following the tip-off, the city took swift action to isolate the computer and hacked Windows network account. Nevertheless, Florence was unable to fend off the ensuing cyber-attack. 

Ransomware is a major problem in the United States. According to Mimecast’s 2020 State of Email Security report that was released today, 32% of respondents in the public sector said that ransomware has impacted their operations in the last 12 months.

On average, public-sector victims reported experiencing 2 to 3 days of downtime as a result of being attacked with ransomware. For 9% of these victims, attack-induced downtime ended up lasting over a week.

Categories: Cyber Risk News

Minimal Techno DJ Arrested in Berlin on Cyber-Crime Charges

Wed, 06/10/2020 - 16:12
Minimal Techno DJ Arrested in Berlin on Cyber-Crime Charges

DJ and music producer Denis Kaznacheev has been arrested in Berlin on cyber-crime charges at the request of the US government.

Long-term Berlin resident Kaznacheev is co-founder of Nervmusic records and half of minimal techno duo Easy Changes, who have amassed a sizable following since 2007 with releases on Grow Vinyl, Sleep Is Commercial, FoundSound, and Arma. 

The United States has accused Siberian-born Kaznacheev of "money laundering and dark web activities," according to a post on his Facebook page. German police detained the musician on May 30 on behalf of the US Department of Justice, which is seeking his extradition to America. 

Kaznacheev's manager confirmed to Trommel that the musician is currently being held in Berlin's Moabit prison.

Supporters of Kaznacheev relayed the following message from the musician on social media: "Make noise! I am innocent here. Please get me out of here! Everybody, I need your help! Please help me!"

petition has been started to secure the release of the DJ, whose supporters believe has become embroiled in a case of mistaken identity.

In a June 6 Facebook post, a supporter wrote: "We stand by Denis's innocence, and chances are his identity was stolen and used for criminal activities.

"Germany should stand by Denis's innocence and fair civil treatment, and defend him to avoid extradition, as so far, there's no proof that he is guilty of any of the charges. The USA can't unlawfully arrest and destroy the life of a person without evidence."

A GoFundMe page set up to help pay for the artist's legal costs has so far raised €7,982 out of a €10,000 goal.

Donor Bruno Santos wrote: "Denis is a humble, hard-working person and a friend. He's also an admired artist all around the world. This whole thing seems like a terrible mistake, and he needs our support."

Kaznacheev's artist agency has set up a Justice for Denis website through which supporters can sign the petition and make a donation. Supporters have been asked to send letters or postcards to the musician at Moabit prison to keep up his spirits as he waits for his fate to be determined. 

Categories: Cyber Risk News

Cost of US Cyber Command Program Quintuples

Wed, 06/10/2020 - 15:03
Cost of US Cyber Command Program Quintuples

A new cyber weapon system being created by the United States Air Force will cost over five times more than originally estimated, according to a government watchdog.

The United Platform program was initiated in August 2018 as part of the Department of Defense's Joint Cyber Warfighting Architecture. Its mission is to develop a federated software platform to consolidate service-specific capabilities and data processing, sharing, and storage.

According to a report published June 3 by the Government Accountability Office (GAO), initial estimates for how much the completed program will cost fell considerably short of the mark. The GAO's Defense Acquisitions Annual Assessment found that the original pricing for the project had not been independently assessed.

"The program’s cost estimate was more than five times its initial estimate at program initiation, which had not been independently assessed," states the GAO report.

"UP did not have several key elements of its business case approved at the time of program initiation, such as approved requirements, a cost estimate informed by independent analysis, or a formal schedule risk assessment."

In 2018, the Air Force asked for $29.8m for the Unified Platform program in its research and development budget for fiscal 2019. A further $10m was requested for fiscal year 2020, and an additional $6m in fiscal year 2021.

To date, the United Platform program has received $152.19m in funding. The GAO report states that a further $436.79 million is required to complete the program.

"The new cost estimate includes costs beyond the completion of this middle-tier acquisition. Program officials attribute this cost increase to new US Cyber Command requirements," reported the GAO.

In October 2018, the program awarded a contract to Northrop Grumman to act as the system coordinator. Then in March 2019, the program awarded contracts to five different companies for software development.

Under the program, developers are tasked with coming up with new distinguishing software characteristics described as "features." Every three months, all the newly completed features are demonstrated to US Cyber Command, who decide which ones to accept for deployment. 

Program officials told the GAO that in the first four three-month increments of the program, 32 features had been delivered and accepted.

Categories: Cyber Risk News

Healthcare Provider Babylon Reports Data Breach

Wed, 06/10/2020 - 14:45
Healthcare Provider Babylon Reports Data Breach

Healthcare provider Babylon has reported a data breach of its GP video appointment app.

Whilst the company said it has fixed an issue where video recordings of other patients' consultations could be accessed, and notified regulators, one UK-based user found he had access to 50 videos in the Consultation Replays section of the app, and one contained footage of another person's appointment.

According to BBC News, Babylon allows its members to speak to a doctor, therapist or other health specialist via a smartphone video. 

In a statement, Babylon said it was able to identify and resolve the issue within two hours, and blamed a software error. “Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app."

Babylon told the BBC it had already been in touch with everyone involved to inform them and apologize, and had contacted the Information Commissioner's Office regarding the incident.

The ability to identify and resolve the issue within two hours was commended by cybersecurity commentators.

Tony Pepper, CEO, Egress, said vendors like Babylon offering technology to support new ways of working must ensure data security is core to anything they're developing, and “this includes fully authenticating users before they access data and making sure data isn't deposited, replicated or transferred into portals or insecure areas where it can be subject to unauthorized access.”

Brian Higgins, security specialist at Comparitech.com, added that, as the NHS operates its own App Store, any platforms offered by NHS services including GPS etc. are rigorously tested before they are certified for use. He said: “Babylon Health have clearly explained that this issue was caused by an internal software update and not by any malicious or criminal activity. They have also followed their ICO reporting responsibilities. In short, they appear to have done everything right. 

“What this case highlights is that developing technology is fluid and what might be deemed safe and secure at the point of sale needs regular monitoring to ensure that it stays that way.”

Kelvin Murray, senior threat researcher at Webroot, said: “Anyone who develops an app that handles sensitive customer data should ask themselves two important questions – is it secure and is it really necessary? We’re seeing that breaches such as these are all too common and anyone looking to save time and money by moving to a digital system should take risks such as these into consideration.

“This is especially important in the healthcare industry which is at particular risk of cyber-attacks and data breaches, as information such as health records is very valuable to criminals. It will always command high prices on the dark web as it can be used for criminal activities such as fraud, extortion and in the drug trade.”
 
Aman Johal, lawyer and director of Your Lawyers, said with doctors difficult to access due to COVID-19 restrictions, many people are relying on technological solutions like Babylon Health. “Data breaches like this show that there is still much more that needs to be done to ensure we can trust in the use of such technology. Healthcare organizations can be particularly vulnerable to data breaches due to the wealth of highly sensitive information they hold, and firms operating in this sector must go the extra mile to ensure data is protected, or face the consequences.”

Categories: Cyber Risk News

Places Open for World’s First AI and Data Science Conversion Courses

Wed, 06/10/2020 - 14:15
Places Open for World’s First AI and Data Science Conversion Courses

Applications are now open for the world’s first artificial intelligence (AI) and data science conversion courses, which start in autumn 2020, the UK government has announced. The program will give 2500 people the opportunity to learn new digital skills or retrain in order to find employment opportunities in the AI and data science sectors.

The government has partnered with the Office for Students, universities and industry partners to raise £24m to fund these master’s courses. The fund has been awarded to 18 universities who are working with partner providers to deliver courses in 28 universities and colleges across England.

The move is part of efforts to boost the UK’s technology sector, with the government aiming to increase research and development investment to 2.4% of GDP by 2027. Last month, the UK government launched an online cyber-school to help develop a new generation of cybersecurity professionals.

Places will be available to graduates from a variety of subjects, including science, technology, engineering, maths or social sciences. Applicants could include those returning to work after a career break and looking to retrain in a new profession. The course is expected to enable opportunities to pursue careers in roles such as machine learning engineers, data scientists, research scientists and AI architects.

The program is also seeking to diversify the UK’s tech sector, with 1000 scholarships reserved for students from underrepresented backgrounds, specifically female, black and disabled demographics.

Successful applicants can study flexibly, fitting the course around their daily lives, and will undertake paid work placements to help maximize their employment opportunities at the end of their course.

Digital secretary Oliver Dowden commented: “It is vital we increase diversity across our tech sector and give everyone with the aptitude and talent the opportunity to build a successful career. This will help make sure AI developed in the UK reflects the needs and make-up of society as a whole which will also help mitigate the risk of biased technologies being developed.

“Through these new AI and data science conversion courses we are working with industry and academia to develop and maintain the best AI workforce in the world.”

Categories: Cyber Risk News

CSA Virtual Summit: Is Cloud Moving Too Fast for Security?

Wed, 06/10/2020 - 11:30
CSA Virtual Summit: Is Cloud Moving Too Fast for Security?

Discussing strategies for how to achieve full lifecycle cloud security at the Cloud Security Alliance European Virtual Summit, Chris Hertz, VP, and Jeremy Snyder, senior director at DivvyCloud by Rapid7, said the challenge is not just about adopting cloud services, as you cannot just secure it once as these platforms are always changing.

Snyder said he often sees “a lot of great ideas and a lot of great energy and enthusiasm for adopting cloud technology” but the reality for organizations is that they can be faced with “not getting everything that they want out of their cloud journeys.”

In particular, developers want to embrace services being created by Infrastructure-as-a-Service (IaaS) providers “as it helps them get their jobs done more efficiently and more quickly,” but the pace of change from cloud providers accelerates every year.

Hertz said that cloud services are constantly changing and IaaS providers are always evolving services and the outcomes are unpredictable, as in 2018 there were 81 major breaches down to cloud misconfigurations, and 150 in 2019.

“By our calculation, in our 2020 Misconfiguration Report, we estimate that $5trn in damages have resulted in cloud misconfigurations in 2018 and 2019, so the security achievement gap is real and it is having real impact,” Hertz said.

This means that developers are core to security in a way that they were not before, and the speakers said that is there is misalignment in the way in which security operates today. In particular, if a developer needs to get a task done, they will need to make changes to an access list and to authentication methods to do that.

Snyder added: “That is where some of the ignoring of the circumvention of security comes into place, it is not that people are malicious in anyway, but they have tasks to accomplish in new ways, and that falls into the hands of the developers.” Hertz argued that is why security has not shifted in its approach to the cloud, as security works in the world of the data center with a centralized infrastructure.

“In this new world of self service, we have democratized access but not democratized security, and you have a misalignment,” Hertz said. “Security tries to apply principles that applied in a data center world, but in the cloud security world, it doesn’t work.”

This can lead to security putting blocks in place, or a “rock in the river” as the speakers said, as, whilst developers do not act maliciously, with restrictions in place they cannot get their jobs done. “There is huge friction as security tries to operate as a data center, but eventually the water flows around the rock in the river, and instead you should move from the command and control world to a ‘trust but verify’ and ‘enable but amplify’ model,” Hertz said.

“That is why we are seeing these challenges, as culturally and organizationally, companies are not overcoming this.”

Categories: Cyber Risk News

Dark Basin: Researchers Uncover Major Hack-for-Hire Group

Wed, 06/10/2020 - 11:01
Dark Basin: Researchers Uncover Major Hack-for-Hire Group

Security researchers have uncovered a major new hacking-for-hire operation against journalists, rights groups, government officials, financial institutions and others, seemingly orchestrated by a shady Indian tech firm.

Thousands of individuals and hundreds of organizations globally were targeted with cyber-espionage tactics in a multi-year campaign by the Dark Basin group, according to Citizen Lab.

Linked to Indian firm BellTroX InfoTech Services, the group apparently worked “on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories and advocacy.”

Although the group targeted financial services and pharmaceuticals players for its clients — including one campaign against those investigating market manipulation by German payment processor Wirecard AG — it frequently focused efforts on advocacy and civil society groups.

These include Greenpeace, the Rockefeller Family Fund, Public Citizen and the Union of Concerned Scientists. Dark Basin phished for info from groups working on the #ExxonKnew campaign, which alleged ExxonMobil hid info about climate change for decades, and those involved in trying to preserve net neutrality in the US, the report claimed.

Its links to BellTrox — whose director, Sumit Gupta, was indicted in 2015 for his role in a similar hack-for-hire scheme — are numerous.

Phishing activity aligned with the Indian time zone, and several of the URL shortening services used by the group — Holi, Rongali, and Pochanchi — have associations with the sub-continent.

Even more damning is the fact that some individuals claiming to work for BellTrox list activities on LinkedIn such as email penetration, exploitation and corporate espionage.

“We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners,” the report continued.

“They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure. BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘Ethical Hacking’ and ‘Certified Ethical Hacker.’ BellTroX’s slogan is: ‘you desire, we do!’”

The investigation started when Citizen Lab was contacted by a journalist who had been targeted with phishing attempts. After tracing the URL shortener used, the investigators were able to identify almost 28,000 additional URLs containing e-mail addresses of targets.

These fairly unsophisticated phishing efforts are said to have had at least some success. 

Citizen Lab warned that its findings indicate that there’s likely a large and growing market for hacking-for-hire services like this, with powerful organizations outsourcing cyber-espionage to third parties to maintain plausible deniability of their involvement, while posing a major threat to open democratic societies.

Categories: Cyber Risk News

Working Group Calls for Greater DMARC Support and Adoption

Wed, 06/10/2020 - 10:01
Working Group Calls for Greater DMARC Support and Adoption

The industry needs to do more to prevent the sharp rise in COVID-19 phishing attempts.

In an open statement shared with Infosecurity, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) made a call for further steps to be taken to “authenticate and secure sending domains and email addresses by deploying email authentication at scale and at enforcement.”

It said preventing rampant phishing, emboldened and bolstered by the global pandemic, should be the top priority for domain owners, as email authentication is crucial to ensuring the flow of critical information.

It explained that from organizations, including those on the front lines of the battle against COVID-19 and those involved in the impending general election in the United States and the rest of the worl,d must be protected from misinformation campaigns and phishing.  

“The deployment of correct email authentication requires a careful and measured approach,” the statement said. 

M3AAWG and its members strongly encouraged domain owners, who operate email programs, to adhere to the following email authentication parameters when publishing and signing their various records:

  • Publishing SPF records with at least ~all, or -all if the domain does not send email
  • Signing all mail with aligned DKIM
  • Publishing DMARC policies for organizational domains — even non-sending ones — at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception

The statement warned that, during this time of pandemic, “it is more essential than ever that malicious actors are not able to impersonate trusted sources of information or assistance.” 

The full suite of email authentication protocols is the best way for a sender to establish and affirm their identity when sending email, and by creating barriers to impersonation, a sender’s identity becomes more trusted and harder to forge, thereby restoring trust because the sender is who they claim to be. 

M3AAWG acknowledged that implementing email authentication can be challenging and time consuming, current circumstances notwithstanding, so M3AAWG and it members are ready to help the sending community with resources, free tools and documented best practices to protect their brands, domains and email addresses from impersonation. 

“Combatting the assault on our inboxes is a collective endeavor, the importance of which is even more profound given the pandemic and the increased importance of achieving digital proximity while remaining physically distant,” it said.

In an email to Infosecurity, David Appelbaum, CMO of Valimail, said the company is seeing a marked rise in DMARC deployment across the board, not just from its own customers, but among all domains worldwide.

“The rash of COVID19-themed phishing attacks, many of which have spoofed those governments and NGOs left unprotected by DMARC, has absolutely contributed to an increased awareness of DMARC (not to mention DKIM and SPF),” he said.

“M3AAWG is absolutely right to recommend DMARC, and in particular, to insist on the importance of configuring it with an enforcement policy. Anything less leaves domain owners open to being spoofed by the worst kind of opportunistic criminals."

Categories: Cyber Risk News

Microsoft’s Mega Patch Tuesday is Largest Ever

Wed, 06/10/2020 - 09:30
Microsoft’s Mega Patch Tuesday is Largest Ever

Microsoft released fixes for 129 vulnerabilities in its regular monthly update round yesterday, the fourth month in a row to hit over 100 CVEs and the largest of any Patch Tuesday.

Of the 129 CVEs, only 11 are rated critical and there are no flaws being actively exploited in the wild.

Some 98 vulnerabilities can be resolved by deploying OS and browser updates, while the other 31 are spread across Office, SharePoint, Defender, Endpoint Protection and developer tools like Visual Studio, ChakraCore and Azure Dev Ops, according to Ivanti senior product manager, Todd Schell.

He argued that the COVID-related shift to mass home working is causing problems for companies reliant on VPNs to patch.

“There are many solutions that can manage updates without the need for a VPN. Another difficulty companies are facing is user connectivity,” he added.

“I had a conversation with one company that is managing updates without needing to use a VPN to access the network. Their challenge is their users have low internet speeds. Monthly updates requiring hundreds of megabytes of patches, or gigabytes in some cases, become problematic as well.”

Allan Liska, intelligence analyst at Recorded Future, said admins should start with CVE-2020-1281, a remote code execution vulnerability in Microsoft’s Object Linking & Embedding (OLE). It affects Windows 7-10 and Windows Server 2008-2019.

“The vulnerability exists in the way OLE validates user input. An attacker who sent a specially crafted file or program, or convinced a victim to download one, could execute malicious code on the victim’s machine,” he explained. “Microsoft assigned this vulnerability a CVSS score of 7.8; a similar vulnerability, CVE-2017-0199, has been widely exploited including by the Lazarus group and APT 34.”

Others pointed to a remote code execution bug in SharePoint as demanding urgent attention.

CVE-2020-1181 affects the way SharePoint processes unsafe ASP .Net web controls. Although it requires a user to be authenticated to exploit the flaw, SharePoint itself is an increasingly popular target for attackers.

Categories: Cyber Risk News

Pages