Info Security


Experian Data Breach Hits 24 Million Customers

Thu, 08/20/2020 - 08:30

Experian has suffered a major breach of customers’ personal information, affecting an estimated 24 million South Africans and nearly 800,000 businesses.

The credit reporting agency revealed in a statement yesterday that an individual fraudulently claimed to represent one of its clients and then requested “services” from the firm, prompting the release of the data.

Experian sought to play down the seriousness of the incident by claiming that this information “is provided in the ordinary course of business or which is publicly available.” It did not clarify exactly what customer records were taken, but said that the trove did not contain consumer credit or financial information.

Experian was also tight-lipped on the number of customers affected, although one of the authorities it has engaged with following the incident, the non-profit South African Banking Risk Information Centre (SABRIC), claimed 24 million consumers and 793,749 business entities were involved.

It explained that domestic banks have been working behind the scenes to identify how their customers may have been impacted.

“The compromise of personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts,” said SABRIC CEO, Nischal Mewalall. “However, criminals can use this information to trick you into disclosing your confidential banking details.”

SABRIC urged affected Experian customers not to reveal any additional personal information if they receive unsolicited contact online or by phone, and to change their passwords regularly.

Experian claimed that the individual involved in the incident has already had their “hardware” confiscated and the stolen data has been secured and deleted.

“Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes,” it added. “Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”

It confirmed that its own IT infrastructure had not been compromised.

This isn’t the first major data breach to hit the credit reporting giant. Back in 2015, 15 million North American customers and applicants had their personal data, including Social Security numbers and ID details, stolen.

Categories: Cyber Risk News

Chrome to Warn Users Completing Suspicious Forms

Wed, 08/19/2020 - 17:46

Users of Google's cross-platform web browser Chrome are to be shown a warning when they start to complete a form that may not be secure. 

Beginning in Chrome 86 (M86), Chrome will warn users when they try to complete forms on secure (HTTPS) pages that are submitted insecurely. These forms, which are described on the Chromium Blog as “mixed forms,” have been deemed by Google to be unsafe.

A post published on the blog on Monday reads: "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users’ security and privacy.

"Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data."

In an effort to protect users from inadvertently sharing details with malicious actors, Chrome will be disabling the autofill facility on mixed forms. 

However, the change will not affect the autofill process used by Chrome's password manager.

"On mixed forms with login and password prompts, Chrome’s password manager will continue to work," the blog states. "Chrome’s password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely than to reuse passwords."

From M86, when a user begins filling out a mixed form, they will be shown warning text alerting them that the form is not secure. The text will read: "This form is not secure. Autofill has been turned off."

If a user ignores the warning and tries to submit a mixed form, they will see a full-page alert highlighting the potential risk and asking them to confirm if they’d like to go ahead with the submission.
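A defender-side check for the behaviour described above, written as an added example for this article rather than Chromium's own code: it resolves each form's action the way a browser would and flags the forms an HTTPS page would submit over plain HTTP, noting where Chrome 86 still lets the password manager fill. The page URL and HTML are constructed for illustration.

```python
"""Flag "mixed forms": forms on an HTTPS page that submit over plain HTTP.

Added example for this article, not Chromium's implementation. Actions are
resolved relative to the page URL as a browser would (an absent action means
the form submits to the page itself). Sample URL and HTML are constructed.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


def is_mixed_form(page_url: str, action: Optional[str]) -> bool:
    """True when an HTTPS page would submit this form over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return False                      # a plain-HTTP page cannot be "mixed"
    if action is None or action.strip() == "":
        return False                      # no action: submits to the page's own URL
    # urljoin handles relative paths and protocol-relative "//host/path" targets,
    # which inherit https from the page; absolute http:// targets are kept as-is.
    target = urljoin(page_url, action.strip())
    return urlsplit(target).scheme == "http"


class FormCollector(HTMLParser):
    """Collects (action, has_password_field) for every <form> in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Tuple[Optional[str], bool]] = []
        self._current: Optional[list] = None

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "form":
            self._current = [attributes.get("action"), False]
        elif tag == "input" and self._current is not None:
            if (attributes.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append((self._current[0], self._current[1]))
            self._current = None


def audit_page(page_url: str, html: str) -> List[dict]:
    """One entry per form: whether it is mixed and what Chrome 86 does about it."""
    parser = FormCollector()
    parser.feed(html)
    report = []
    for action, has_password in parser.forms:
        mixed = is_mixed_form(page_url, action)
        if not mixed:
            behaviour = "no warning"
        elif has_password:
            behaviour = "warning shown; autofill off, but password manager still fills"
        else:
            behaviour = "warning shown; autofill turned off"
        report.append({"action": action, "mixed": mixed, "behaviour": behaviour})
    return report


# Constructed sample checkout page served over HTTPS.
SAMPLE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<form action="http://legacy.example.test/pay" method="post">
  <input name="card"></form>
<form action="/submit" method="post"><input name="q"></form>
<form action="//cdn.example.test/track" method="post"><input name="id"></form>
<form action="http://legacy.example.test/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form method="post"><input name="note"></form>
"""

if __name__ == "__main__":
    for entry in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print(entry)
```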

Explaining why Chrome is making these changes, Chrome Security Team's Shweta Panditrao wrote: "Before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms."

Tim Wade, technical director, CTO Team at Vectra, commented: “By creating simple, straightforward warnings that users understand demystifies security for the end user, which makes the web a much safer place.”

Categories: Cyber Risk News

Majority of ICS Vulnerabilities Can Be Exploited Remotely

Wed, 08/19/2020 - 17:11

New research has found that more than 70% of industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely.

The discovery was unveiled in the inaugural "Biannual ICS Risk & Vulnerability Report," released today by Claroty, a global leader in operational technology (OT) security.

The report details the assessment of 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during the first half of 2020, affecting a total of 53 vendors. 

Claroty's research team found that the number of ICS vulnerabilities published by the NVD in 2020 was up 10.3% on the 331 published last year.

The number of ICS-CERT advisories published over the same period had increased much more significantly, with 32.4% more in 2020 than the 105 published in 2019. 

Alarmingly, more than 75% of vulnerabilities published in the first half of 2020 were assigned high or critical Common Vulnerability Scoring System (CVSS) scores.

“There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible,” said Amir Preminger, vice president of research at Claroty. 

“Our findings show how important it is for organizations to protect remote access connections and internet-facing ICS devices, and to protect against phishing, spam, and ransomware, in order to minimize and mitigate the potential impacts of these threats.”

Researchers found that more than 70% of the vulnerabilities published by the NVD can be exploited remotely, illustrating the rarity of fully air-gapped ICS networks that are isolated from cyber-threats. 

The most common potential impact was remote code execution (RCE), found to be possible with 49% of vulnerabilities. This was followed by the ability to read application data (41%), cause denial of service (DoS) (39%), and bypass protection mechanisms (37%).

Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, 236 affected the energy sector, 197 critical manufacturing, and 171 water and wastewater.

Categories: Cyber Risk News

New Vulnerability Threatens IoT Devices

Wed, 08/19/2020 - 16:52

A team of IBM hackers has discovered a vulnerability in a component used in millions of Internet of Things (IoT) devices. 

The flaw in Thales' (formerly Gemalto) Cinterion EHS8 M2M module was uncovered by IBM's X-Force Red team. 

After further testing, Thales confirmed that the newly detected vulnerability also affected nine other modules within the same product line of the EHS8, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62.

The modules found to carry the weakness are mini circuit boards that enable mobile communication in IoT devices. These modules run and store Java code that frequently includes sensitive data like encryption keys and passwords. 

If a malicious actor managed to steal such information from the modules, they could potentially get control over a device or gain access to the central control network to conduct widespread attacks.

Thales is one of the leading manufacturers of components that enable smart devices to connect to the internet, verify identities, and securely store information. The company's vast portfolio connects over 3 billion devices per year ranging from cars to medical monitoring devices.

Explaining how such an attack could work on a medical device, a spokesperson for X-Force Red said: "Cybercriminals could manipulate readings from monitoring devices to cover up concerning vital signs or create false panic. In a device that delivers treatment based on its inputs, such as a pacemaker or insulin pump, they could also over- or underdose patients."

If attackers used the flaw to target energy and utilities devices such as smart energy meters, the consequences could potentially be just as dire.

The spokesperson said: "Attackers could hack smart meters to deliver falsified readings that increase or reduce a monthly bill. With access to a large group of these devices through a control network, a malicious actor could also shut down meters for an entire city causing wide-reaching blackouts that require individual, in-person repair visits, or even worse, damage to the grid itself." 

The vulnerability was discovered by X-Force Red in September 2019 and discussed by the team at their virtual Red Con 2020 event earlier today. 

In February 2020, Thales released a patch for the flaw, tracked as CVE-2020-15858, to customers.

Categories: Cyber Risk News

SpyCloud Raises $30m in Funding to Tackle Surge in Online Fraud During #COVID19

Wed, 08/19/2020 - 14:45

Cybersecurity firm SpyCloud has raised $30m from a Series C round of funding as it looks to further develop its fraud detection and prevention capabilities.

The new investment was led by Centana Growth Partners and included contributions from M12 (Microsoft’s venture fund), Altos Ventures, Silverton Partners and March Capital Partners.

The announcement follows a surge in online scams during the COVID-19 crisis, with cyber-criminals exploiting the increasing reliance on internet services during the lockdown. SpyCloud revealed that in the early days of the pandemic, it uncovered 139,000 new web domains related to the virus. There have also been multiple new scams carried out by fraudsters, including posing as government agencies to launch phishing attacks and undertaking credential stuffing attacks on food delivery apps.

The security company therefore wants to expand its product and engineering teams and create new technologies to protect against these kinds of activities.

“Criminals work together to steal information and find creative ways to monetize it. As a result, even the most careful and sophisticated organizations are vulnerable,” explained Ted Ross, SpyCloud CEO and co-founder. “SpyCloud will continue to pursue new and innovative ways to stay ahead of criminals and provide solutions that make the internet a safer place for individuals and businesses.”

SpyCloud added that the takeover of business accounts to commit fraud via stolen employee and customer credentials is one of the most common methods used by cyber-criminals, and this threat has grown as a result of the rise in home working during the pandemic.

Eric Byunn, partner at Centana Growth Partners who has joined SpyCloud’s board, commented: “With so many people now working from home and multiple family members sharing devices with a mix of personal and professional applications, attack surfaces have increased significantly. Criminals are certainly taking full advantage of these new opportunities to exploit your employees and their family members. SpyCloud is dedicated to protecting everyone from attacks and preventing them before they happen.”

Categories: Cyber Risk News

Data Firm Exposes 235 Million Social Media Profiles

Wed, 08/19/2020 - 13:01

A social media data broker has exposed the public-facing profiles of 235 million users via a misconfigured online database, according to researchers.

Comparitech teamed up with Bob Diachenko to uncover three identical copies of the data on August 1, left online with no password or other authentication required to access it.

In total, 192 million profiles were scraped from Instagram, 42 million from TikTok and four million from YouTube.

Each record contained some of the following: profile name, real name, profile pic, account description, age, gender and more.

Around a fifth of profiles also contained either a phone number or email address, according to Comparitech.

Although the personal information contained in this trove was all publicly available, social media companies like Facebook have threatened legal action in the past against automated data scraping firms that subsequently sell their collections to marketers.

Comparitech said that although access to the exposed database was shut down three hours after its first disclosure, it’s unclear how long the information was left online without a password.

The firm warned that, if discovered, the trove could have been used by spammers or to make follow-on phishing attacks more convincing.

The data itself was traced back to Social Data, a firm that apparently sells data on social media influencers to marketers. It was at pains to point out that the exposed information was taken from publicly available profiles, even though their consolidation into a single database makes it a more attractive prospect for cyber-criminals.

Comparitech also claimed that “evidence” suggests a connection between the data and a now-defunct company known as Deep Social which was removed from Facebook and Instagram marketing APIs in 2018 and threatened with legal action.

Social Data reportedly denied any connection between the two companies, although some of the original datasets were labelled as follows: “accounts-deepsocial-90” and “accounts-deepsocial-91.”

Categories: Cyber Risk News

Police and Industry Take Down $42m “Bulletproof Exchange”

Wed, 08/19/2020 - 09:35

Bitcoin exchange Binance has revealed how it joined forces with Ukrainian police to take down a cybercrime gang thought to be responsible for laundering $42m in cryptocurrencies.

First announced by the Cyberpolice of Ukraine back in June, the raid led to the arrest of three residents from the Poltava region. They have been accused of laundering the funds via 20 online cryptocurrency exchanges over the 2018-19 period.

More than $200,000 worth of computer equipment, weapons, ammunition and cash were seized during the swoop.

In a blog post published on Tuesday, Binance explained that the police operation was the product of a first-ever collaboration with its Binance Sentry security team and Security Data Science analytics arm.

The “Bulletproof Exchanger” project began in early 2020.

“One of the Security Data Science team’s tasks is to identify transactions between Binance and high-risk entities, including what we refer to as ‘bulletproof exchangers.’ These cryptocurrency platforms often serve as the cash-out points for cryptocurrency operations connected to financial crimes and other fraud,” it explained.

“Similar to bulletproof hosting services, which are web hosting providers with more lenient rules regarding what can be hosted on their servers, bulletproof exchangers are well-known for their lenient know-your-customer (KYC) and anti-money laundering (AML) policies.”

In conjunction with blockchain analytics firm TRM Labs, Binance looked for entities handling large transaction volumes linked to high-risk categories like ransomware attacks, exchange hacks and darknet-related activities.

Its big data analysis provided police with crucial evidence for its investigation, which remains ongoing.

“As the digital currency market has a large number of financial transactions with money obtained from hacker attacks on international companies, the spread of malware, theft of funds from the bank accounts of foreign companies and individuals, the Department of Cyberpolice with Binance and its methodological assistance, promotes more prompt detection of those involved in such offenses,” said police chief Oleksandr Hrynchak.

Categories: Cyber Risk News

Marriott Hit by Another Class Action Lawsuit After Breach

Wed, 08/19/2020 - 09:00

Marriott International is set for another courtroom showdown with victims of a major data breach announced in 2018, affecting 339 million global customers.

Tech journalist Martin Bryant, 41, has reportedly filed a collective action lawsuit on behalf of the estimated seven million former guests of the hotel giant from England and Wales whose personal data was compromised.

Represented by law firm Hausfeld, Bryant is claiming damages for loss of control of personal data, under the UK’s Data Protection Act 1998 and the EU General Data Protection Regulation, according to the Financial Times.

“Personal data is increasingly critical as we live more of our lives online but, as consumers, we don’t always realize the risks we are exposed to when our data is compromised through no fault of our own,” he told the paper.

The suit comes on the back of other legal action in the US and Canada.

It also comes as the UK data protection regulator, the Information Commissioner’s Office (ICO), has come in for criticism for delaying its final decision on the size of the fine to be levied.

The ICO originally issued a notice of intent in July 2019 to fine Marriott £99m for security failings that led to the incident. However, the company has since made representations to the regulator in an attempt to dial down the fine.

Originally extended to May 2020, the final decision from the ICO is now likely in September.

However, the latest legal action proves that regulatory fines are only one small part of the total costs of a data breach that victim organizations can expect to pay.

“As well as being subject to GDPR and the legal, financial and reputational implications that come with it, organizations have a duty of care to their customers,” argued Stuart Reed, UK director of Orange Cyberdefense.

“Preventative measures are simply not sufficient. There must also be ongoing monitoring of key systems and robust response procedures in place to minimize the impact should the worst happen and a breach occur.”

Categories: Cyber Risk News

Former CIA Officer Charged with Espionage

Tue, 08/18/2020 - 19:18

A Hawaii resident who worked for the Central Intelligence Agency in the 1980s has been charged with espionage.

Alexander Yuk Ching Ma was arrested on August 14 for allegedly passing classified information to intelligence officials of the People's Republic of China (PRC) over a ten-year period in exchange for money and expensive gifts.

The 67-year-old is accused of conspiring with a relative of his who was also previously employed as a CIA officer to communicate information up to the Top Secret level. 

Ma was born in Hong Kong but became a naturalized US citizen. While working for the CIA from 1982 to 1989, Ma held a Top Secret clearance and signed numerous non-disclosure agreements in which he acknowledged his responsibility and ongoing duty to protect US government secrets.

After leaving the CIA, Ma lived and worked in Shanghai, China, before moving to Hawaii in 2001.

Court documents allege that Ma and his co-conspirator's involvement with PRC spies began in March 2001 with three days of meetings in Hong Kong. During these meetings, the two former CIA officers allegedly sold information to the foreign intelligence service about the CIA’s personnel, operations, and methods of concealing communications.  

Part of the meeting was captured on videotape, including a portion where Ma can be seen receiving $50,000 in cash from the PRC intelligence officials.

It is further alleged that after Ma moved to Hawaii, he sought employment with the FBI in order to once again gain access to classified United States government information that he could sell on to his PRC handlers. 

Ma was hired as a contract linguist in 2004 by the FBI’s Honolulu Field Office. It is alleged that for the next six years, Ma used his position to regularly copy, photograph, and steal secret documents.  

It is further alleged that Ma gave some of these documents to his handlers during his frequent trips to China from which he would often return with thousands of dollars in cash and expensive gifts.

Ma is charged with conspiracy to communicate national defense information to aid a foreign government and faces a maximum penalty of life imprisonment if convicted.

Categories: Cyber Risk News

Fortinet Partners with IBM for New Training Program

Tue, 08/18/2020 - 18:44

Fortinet and IBM have joined forces to provide a new training program that aims to bridge the skills gap in the cybersecurity industry.

In an announcement made earlier today, Fortinet said that it would be integrating its Network Security Expert training and certification curriculum with IBM’s SkillsBuild, a digital platform for users to develop technology and professional skills, including cybersecurity. 

SkillsBuild will now include cybersecurity curriculum from Fortinet’s NSE Training Institute for jobseekers looking for a career in security.

“Some of the toughest challenges businesses are facing today need skills that don’t require a traditional degree, such as cybersecurity experts, which is why there is a critical need to make sure everyone, from job seekers to professionals transitioning to new careers, are gaining meaningful skills that align to industry needs," said Lisa Neddam, SkillsBuild program leader, IBM Corporate Social Responsibility. 

"That’s why, regardless of background, education or life experience, SkillsBuild will equip learners with the professional skills and mentorship they need to be more employable and navigate jobs in the new digital economy.”

Under the SkillsBuild program, learners can earn badges of achievement that can be shown to prospective employers as evidence of their expertise. The badges can act as building blocks toward a professional certification. 

The two companies said that they are focused on creating new cybersecurity career pathways by training traditionally untapped pools of candidates and connecting learners to employers.

Through their collaboration, the companies hope to attract those with long-term unemployment, refugees, asylum seekers, veterans, military spouses, migrants, career changers, young adults without traditional degrees, and students to train for careers in the cybersecurity industry. 

“To further address the cyber skills shortage, we’re excited to partner with IBM to integrate Fortinet’s Network Security Expert training and certification curriculum with IBM’s SkillsBuild digital platform," said Sandra Wheatley, SVP, customer marketing, threat intelligence, and influencer communications at Fortinet.

"As both a technology company and learning organization, Fortinet will work with IBM to make it easier for anyone to start a career in cybersecurity regardless of their background, previous access to education, or life experience.” 

Categories: Cyber Risk News

US Jails Sextortionist for 35 Years

Tue, 08/18/2020 - 16:26

A 21-year-old convicted sex offender from Minnesota who used social media and chat platforms to sextort more than 40 underage girls has been jailed for 35 years.

Dylan Matthew Deling, who grew up in Fairmont, was previously convicted in Nicollet County in March 2018 of possessing child sexual abuse images. He was 19 years old.

An investigation was launched into his activities when a Dropbox employee discovered an account containing sexually explicit images of children as young as 2 years old and reported it to the police. Law enforcement officers were able to trace the account back to Deling.

On February 22, 2019, Deling was indicted on new charges of extortion and child sexual abuse image possession. According to the indictment, on May 14, 2018, Deling persuaded, induced, and coerced a minor victim to engage in sexually explicit conduct so he could video it. 

“As the cyber-threat landscape continues to evolve, sextortion crimes are becoming more prevalent through the use of social media platforms and messaging apps,” said US Attorney Erica MacDonald, speaking at the time of Deling's 2019 indictment. 

“These types of cases cause very real harm and can have a devastating impact, especially on young victims. Teachers, parents, and students alike need to be aware of this issue, know how to defend against online predators, and be vigilant in reporting these crimes.”

On July 18, 2019, Deling pleaded guilty to producing child sexual abuse images and extortion between October 2017 and August 2, 2018. 

Deling confessed to using social media and chat platforms, including Snapchat, Facebook, Instagram, Kik, and Skype, as well as text messages to extort sexually explicit images from more than 40 minor girls aged between 11 and 17. 

Victims were threatened with rape and told violence would be wreaked upon them and their loved ones if they did not comply with Deling's demands. 

To underscore his threats, Deling sent screenshots of maps of the girls’ residences, family members’ contact information, and other identifying information to the girls, as well as posted the information online.

Yesterday, Deling was sentenced to 420 months in prison and 30 years of supervised release.

Categories: Cyber Risk News

61% of Airlines Have No Published DMARC Record, Customers Susceptible to Email Fraud

Tue, 08/18/2020 - 15:00

The majority of airline companies are potentially leaving their customers vulnerable to email fraud, such as phishing, according to a new analysis by Proofpoint.

It found that 61% of member airlines belonging to the International Air Transport Association (IATA) do not have a published Domain-based Message Authentication, Reporting & Conformance (DMARC) record, increasing the risk of having their identity spoofed and of customers being targeted by email fraud. IATA member airlines make up 82% of total air traffic.

In addition, 93% of global airlines included in the study have not implemented the recommended level of DMARC protection, known as Reject. A reject policy tells receiving mail servers to block messages that fail authentication, so fraudulent emails never reach their intended target.

DMARC is an email validation protocol that verifies that the domain of the sender has not been impersonated.
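To make concrete what "no published record" and "the Reject level" mean in practice, the script below (an added example for this article, not Proofpoint's tooling) parses _dmarc TXT records and classifies each domain's policy, then counts the two headline figures over a set of domains. DNS is replaced by a constructed in-memory table, and the domain names and records are made up.

```python
"""Classify domains' DMARC posture from their _dmarc TXT records.

Added example for this article (not Proofpoint's methodology or code).
DNS lookups are replaced by a constructed in-memory table so it runs offline;
the domains and record values below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

POLICIES = ("none", "quarantine", "reject")

# Constructed stand-in for TXT lookups of _dmarc.<domain>.
# None models "no published DMARC record", the 61% case in the survey.
FAKE_DNS: Dict[str, Optional[str]] = {
    "_dmarc.example-air.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-air.test",
    "_dmarc.example-jet.test": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "_dmarc.example-wings.test": "v=DMARC1; p=none; rua=mailto:reports@example-wings.test",
    "_dmarc.example-fly.test": None,
    "_dmarc.example-broken.test": "v=DMARC1; rua=mailto:x@example-broken.test",  # no p= tag
}
DOMAINS = [name[len("_dmarc."):] for name in FAKE_DNS]


@dataclass
class DmarcPosture:
    domain: str
    published: bool                 # a DMARC record (v=DMARC1) exists
    policy: Optional[str]           # "none" | "quarantine" | "reject", None if unusable
    pct: int                        # share of failing mail the policy applies to
    subdomain_policy: Optional[str]
    note: str


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str,
           lookup: Callable[[str], Optional[str]] = FAKE_DNS.get) -> DmarcPosture:
    record = lookup(f"_dmarc.{domain}")
    if record is None:
        return DmarcPosture(domain, False, None, 0, None,
                            "no DMARC record published; receivers apply no policy")
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcPosture(domain, False, None, 0, None,
                            "TXT record present but not a DMARC record (v= tag missing or wrong)")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # p= is mandatory; a record without a usable policy gives receivers nothing to enforce.
        return DmarcPosture(domain, True, None, 0, None,
                            "record published but required p= tag is missing or invalid")
    try:
        pct = max(0, min(100, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100                   # assumption: treat a malformed pct as the default 100
    sp = tags.get("sp", policy).lower()
    if sp not in POLICIES:
        sp = policy                 # sp defaults to the organisational policy
    if policy == "reject" and pct == 100:
        note = "enforcing: mail failing DMARC is rejected"
    elif policy == "reject":
        note = f"reject applied to only {pct}% of failing mail"
    elif policy == "quarantine":
        note = "partial protection: failing mail is quarantined, not blocked"
    else:
        note = "monitoring only: spoofed mail is still delivered"
    return DmarcPosture(domain, True, policy, pct, sp, note)


def summarize(domains: Iterable[str]) -> Dict[str, int]:
    """Counts behind the two headline figures: no record, and not at full reject."""
    results = [assess(d) for d in domains]
    return {
        "total": len(results),
        "no_record": sum(1 for r in results if not r.published),
        "not_reject": sum(1 for r in results
                          if not (r.policy == "reject" and r.pct == 100)),
    }


if __name__ == "__main__":
    for d in DOMAINS:
        r = assess(d)
        print(f"{r.domain:22} p={r.policy} pct={r.pct} sp={r.subdomain_policy}  {r.note}")
    print(summarize(DOMAINS))
```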

Adoption rates were found to vary significantly between regions, with 85% of airlines in China and North Asia having no published DMARC policy, followed by Asia Pacific (70%), Europe and Middle East and Africa (both 57%) and the Americas (43%).

Adenike Cosgrove, cybersecurity strategist, international at Proofpoint, commented: “The COVID-19 pandemic saw international travel halted and while many regions are still unable to travel, a number of countries worldwide are slowly ungrounding their airlines.

“While the travel sector has always been a rife target for cyber-criminals, the pandemic has offered new grounds for the targeting of travellers globally. Whether booking new flights, or seeking information on flight cancellations, one thing remains the same: many people worldwide are eagerly awaiting communication from airlines.

“Worryingly, at a time when opportunistic cyber-criminals may look to take advantage of such global uncertainty, the majority of international airlines are leaving their customers exposed to email fraud.”

In June, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) called for greater DMARC support and adoption to prevent rampant phishing, which has been emboldened and bolstered by the global pandemic.

Categories: Cyber Risk News

HMRC Investigating Over 10,000 COVID-Related Phishing Scams

Tue, 08/18/2020 - 14:10

More than 10,000 email, SMS, social media and phone scams exploiting the COVID-19 pandemic are being investigated by Her Majesty’s Revenue and Customs (HMRC) in the UK.

The official figures, published following a Freedom of Information (FOI) request by the Lanop Accountancy Group, highlight how the health and economic crisis has provided major scamming opportunities for cyber-criminals.

The data showed that May was the month in which the highest number of phishing scams were reported by members of the public to HMRC, at 5,152, representing a 337% rise compared to March when lockdown measures were first introduced in the UK. This was followed by 2,558 reports in June, and 2,105 in April. The total since March comes to 10,428.

Government programs introduced to support businesses and workers impacted by the lockdown have been a common target for scammers. Examples include an email purporting to be from HMRC regarding the government’s Coronavirus Job Retention Scheme, which attempted to get business owners to reveal their bank account information, while another offered a bogus tax rebate under the guise of the Self-Employment Income Support Scheme.

The FOI also showed that 106 COVID-related websites have been requested for removal since March, with April the highest month at 42, followed by 24 in May and 17 in March. In May, it was revealed that HMRC formally asked internet service providers (ISPs) to remove 292 scam web addresses exploiting the coronavirus outbreak.

Chris Ross, SVP international at Barracuda Networks, commented: “With HMRC offering a range of financial support packages for businesses and individuals during the pandemic, it’s no surprise that hackers have chosen to exploit the crisis in an effort to cash-in on COVID-19. These scams are often cleverly designed with official branding and are incredibly realistic, coaxing unsuspecting victims to hand over confidential information such as bank account details, usernames and passwords."

Stav Pischits, CEO of Cynance, added: “Tackling this problem requires companies to recognize that these scams are not going to go away anytime soon. It’s also key to recognize that hackers have no limits and will target everyone from the CEO to the newly hired graduate in an effort to capture their objectives.

“That’s why all businesses need dedicated security and data protection policies and procedures, addressing network security, staff training and more, not only to ensure that they are compliant with data protection regulations, such as the GDPR, but also to improve their actual protection against phishing attacks and other online threats.”

Last month, research revealed that over 10% of all phishing attempts in Q1 of 2020 were related to COVID-19.

Categories: Cyber Risk News

Huawei Phones Unlikely to Receive Security Updates as Trade Ban Begins

Tue, 08/18/2020 - 13:30

Some Huawei phones are set to stop receiving software updates after a US reprieve, which allowed some trade with Huawei, lapsed last week.

According to the Washington Post, the reprieve expired last Thursday, and provided some exceptions to a trade ban which the Trump administration imposed last year on Huawei.

The ban generally prohibited US companies from exporting technology to Huawei, but the reprieve allowed US software providers to continue sending updates and patches to Huawei, so it could provide them to customers using Huawei phones or Huawei wireless network equipment.

In a support update published in February, Google said the ban “prohibits all US companies, including Google, from collaborating with Huawei.

“We have continued to work with Huawei, in compliance with government regulations, to provide security updates and updates to Google’s apps and services on existing devices, and we will continue to do so as long as it is permitted,” Google said earlier this year.

The Commerce Department confirmed that the license has expired, telling the Washington Post that the license had provided “an opportunity for users of Huawei devices and telecommunications providers to continue to temporarily operate such devices and existing networks while hastening the transition to alternative suppliers.”

Brian Higgins, security specialist at told Infosecurity that, in this case, Huawei has been caught in the political crossfire and it looks like whilst support remains available, it can no longer be installed. “The best, and quite possibly only, advice for Huawei customers is to take the hit and upgrade to a post-May 2019 device as soon as possible,” he said. “At least they run on proprietary Huawei software and you can update them whenever you’re prompted. Just don’t ever decide to update later.”

Niamh Muldoon, senior director of trust and security at OneLogin, said: “The Huawei saga keeps being pushed around the political playing field, but this eventuality is likely to have an impact on the individual Huawei user. Failure to update to the latest version of a mobile device’s software is one of the main in-roads for cyber-criminals looking to compromise a device, or to compromise the accounts hosted on the device, such as banking, messaging or social media applications.

“If a vulnerability is patched in a software update, and a user installs said update, they are protected from it. However, if this option is taken away from people, it leaves them with no option but to continue using an outdated software model which may leave them vulnerable to compromise. While the concerns around Huawei are politically complex and not appropriate for simple answers, for them to be potentially affecting the end user in this method is unacceptable.”

Also in a statement published on Monday, the Bureau of Industry and Security in the Department of Commerce added 38 Huawei affiliates to the entity list, which imposes a license requirement for all items subject to the Export Administration Regulations. It also imposed license requirements on any transaction involving items subject to Commerce export control jurisdiction where a party on the entity list is involved, such as when Huawei (or other list entities) acts as a purchaser, intermediate or end user.

“These actions, effective immediately, prevent Huawei’s attempts to circumvent US export controls to obtain electronic components developed or produced using US technology,” the statement said.

Categories: Cyber Risk News

Florida International University Launches New Cybersecurity Bachelor’s Degree

Tue, 08/18/2020 - 13:00

Florida International University (FIU) in Miami is launching a new bachelor’s degree in cybersecurity that will prepare graduates for future careers in the sector.

The degree program, starting in the Fall of 2020, will train students for jobs in areas such as data security, systems security management and network threat analysis. Those enrolled will learn about and explore solutions for modern cybersecurity issues such as safeguarding devices, software and data from cyber-threats as well as protecting power grids from hackers.

The curriculum ties in with FIU’s master’s in cybersecurity along with the university’s other cybersecurity education and research efforts.

Kenneth G. Furton, FIU provost and executive vice-president, said: “From our finances to social profiles to business enterprises and even government infrastructure, the world we live in is highly networked, resulting in an ever-growing demand for skilled cybersecurity professionals. We are responding to that workforce demand by educating professionals who will find innovative ways to protect these expanding networks that touch nearly every aspect of our lives.”

Students will have the opportunity to complete a capstone project on security, working collaboratively with information technology and computer science students, and engage in research through programs sponsored by the National Science Foundation.

Nagarajan Prabakar, program director and associate professor in FIU’s School of Computing & Information Sciences, added that cybersecurity has become one of the most challenging tech problems of the modern world and experts are in constant pursuit of new ways to safeguard information assets.

“This program is FIU’s direct response to the increasing demand for professionals in this field. We are committed to arming our students with the knowledge and specialized skill set needed to protect us from the cyber-attacks of the future, which will increase in numbers and degree of sophistication over time.”

Categories: Cyber Risk News

Nearly 40% of Firms Fired Staff for Security Policy Breaches

Tue, 08/18/2020 - 11:00

Almost two-fifths (39%) of British business decision makers have sacked employees because they breached corporate security policy during the pandemic, according to new data from Centrify.

The IAM specialist polled 200 UK respondents to find out more about how COVID-19 and mass remote working has impacted corporate cybersecurity.

Over half (58%) of respondents admitted that employees are more likely to try and bypass enterprise security practices when working from home.

That may explain why nearly two-thirds (65%) said they had made major changes to their cybersecurity policy to take account of their newly distributed workforce.

Changes to policy could include updates to remote access and authentication, which 57% of business decision makers said they are currently trying to implement. Multi-factor authentication (MFA) is regarded as industry best practice in helping to mitigate the risk of phishing and brute force attacks on RDP and corporate user accounts, for example.

A further 55% of respondents told Centrify that they are planning to formally ban staff from using personal devices to work from home.

This could also help to reduce cybersecurity risk as personal IT kit might be less well secured than corporate equivalents, and potentially used by other members of the household who may engage in risky online behavior.

Centrify VP, Andy Heather, argued that humans continue to be the weakest link in the corporate security chain.

“With more people than ever working from home and left to their own devices, it’s inevitable that some will find security workarounds, such as using personal laptops and not changing passwords, in order to maximize productivity,” he added.

“It’s also possible that the changes in security procedures are not being communicated well to employees, and many are practicing unsafe internet usage without even realizing.”

Categories: Cyber Risk News

ISO Warning as #COVID19 Threatens Re-Certification Audits

Tue, 08/18/2020 - 09:35

Hundreds of thousands of ISO certifications are in danger of lapsing because auditors haven’t been able to visit organizations’ premises during the pandemic, according to InfoSaaS.

The international standards at risk of suspension include ISO 27001, which covers rigorous best practices for information security management systems, as well as ISO 27017 and ISO 27018 (enhanced security control sets for cloud services), ISO 9001 (quality management) and ISO 45001 (health and safety risks).

Re-certification audits must be undertaken within six months of the anniversary of an ISO certificate being issued or else it should be suspended and a new assessment required, according to the UK Accreditation Service (UKAS).

However, auditors usually have to visit premises in person, especially if organizations are still using manual spreadsheet-based processes for compliance. InfoSaaS argued that this approach requires face-to-face explanation and cross-referencing.

As of 2018, around 1.3 million ISO certificates were granted to global organizations, including thousands in the UK.

If no special dispensation is granted due to COVID-19, these ISO-holders may find themselves being forced to pay as much as three-times their anticipated outlay this year on restoring certifications, as well as devoting extra time and resources to the project, InfoSaaS claimed. In the meantime, they would be forced to remove any ISO accreditation messaging from marketing materials.

Peter Rossi, co-founder of InfoSaaS, argued that around 2500 ISO certificates could be at risk of lapsing each month among its UK customers alone, and related to just three standards: ISO 9001, ISO 27001 and ISO 45001.

“The uncomfortable truth is that, under current circumstances, some organizations may decide not to be re-audited and simply to let their ISO certifications lapse,” he added.

“Any such de-prioritization may, in turn, lead to an unwanted decline in standards for the likes of information security, environmental management, health and safety and quality management. This is not a good outcome for anyone.”

Categories: Cyber Risk News

Carnival Cruises into Danger After Ransomware Attack

Tue, 08/18/2020 - 08:33

British-American cruise operator Carnival has suffered a ransomware attack in which guest and employee data was accessed, it has revealed in a regulatory filing.

The Miami-headquartered travel giant — which operates big-name brands including Cunard, P&O, AIDA and Princess — said the attack was discovered on August 15.

Attackers managed to encrypt “a portion” of the IT systems of one of its brands, although Carnival refused to elaborate on which company had been hit.

“The company does not believe the incident will have a material impact on its business, operations or financial results. Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies,” it continued.

“Although we believe that no other information technology systems of the other company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other company’s brands will not be adversely affected.”

Carnival said that it has notified law enforcement, engaged legal counsel and hired incident response professionals who have helped to implement containment and remediation measures.

The attack comes at a bad time for the company, which has been hit hard by the current pandemic and a collapse in global tourism. Last month it was forced to borrow another $1bn to stay afloat, adding to around $7bn it had previously secured.

Steve Durbin, managing director of the Information Security Forum, argued that many organizations’ systems may have been exposed of late due to mass home working by employees.

“To protect against the scale and scope of these threats, an organization will be forced to rethink its defensive model, particularly its business continuity and disaster recovery plans. Established plans that rely on employees being able to work from home, for example, do not stand up to an attack that removes connectivity or personally targets individuals as a means of dropping ransomware into the corporate infrastructure,” he said. 

“Revised plans should cover threats to periods of operational downtime caused by attacks on infrastructure, devices or people. Creating a cyber-savvy workforce that takes information security seriously, while fostering a culture of trust, will help to eradicate poor security practices as well as reduce the number and scale of incidents.”

Categories: Cyber Risk News

American Charged with Attempting to Hire Hitman on Dark Net

Mon, 08/17/2020 - 18:20

A New Jersey man has been charged with trying to hire a hitman on the dark net to kill a child with whom he exchanged sexually explicit images. 

John Michael Musbach was arrested on Thursday for allegedly paying $20,000 in Bitcoin to have his then 14-year-old victim murdered. The 31-year-old Haddonfield resident was charged with one count of murder-for-hire.

According to court documents, Musbach began communicating with his victim in the summer of 2015, when the boy was aged 13. 

Using an Internet Relay Chat (IRC) website, Musbach requested and received sexually explicit videos and photographs of his victim. Musbach also sent indecent images and videos of himself to the victim.

An investigation was launched in September 2015 when the victim's parents discovered the message exchange. 

Law enforcement officers arrested Musbach in March 2016 on charges relating to child sexual abuse images. During a search of Musbach's residence, officers seized a cell phone and a laptop provided to Musbach by his then-employer, a cloud hosting company.

In February 2018, Musbach received a two-year suspended sentence with parole supervision for life after he pleaded guilty in October 2017 to endangering the welfare of a child (the victim) by sexual contact.  

In 2019, agents from Homeland Security Investigations in St. Paul, Minnesota, were provided with messages between Musbach and a fraudulent murder-for-hire website that operated on the dark net.

Those messages, supplied by an informant, revealed that in May 2016, Musbach contacted the website. Using the alias Agentisai, Musbach asked if a 14-year-old was too young to target. 

After being assured that a 14-year-old victim was acceptable, Musbach paid around 40 Bitcoin (approximately $20,000) for the hit. 

Court documents show that Musbach repeatedly messaged the website’s administrator to ask when the hit would occur. When pressed for an additional $5,000 by the scammers, Musbach tried to cancel the deal and asked for a refund.

The Department of Justice said: "Agents were able to confirm Musbach’s identity through several means, including linking him to the same screen name he used to communicate with the murder-for-hire website and also by tracing the flow of monies from Musbach’s bank account to the purchase of Bitcoin used to pay for the hit."

If convicted, Musbach could face 10 years behind bars plus a hefty fine.

Categories: Cyber Risk News

Companies Team Up to Offer Cloud Auditing Certificate

Mon, 08/17/2020 - 17:36

Cloud Security Alliance and ISACA are joining forces to bring a Certificate of Cloud Auditing Knowledge (CCAK) to the market.

The strategic partnership of the global technology association and the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment was announced today. 

CCAK will be the first credential for industry professionals that certifies their expertise in the essential principles of auditing cloud computing systems. 

Detailed availability and pricing of the CCAK offerings will be announced later this year. The certificate is scheduled for completion in the final quarter of 2020.

“ISACA is pleased to forge this new partnership with CSA, an organization we have worked with since its founding in 2009,” said David Samuelson, CEO of ISACA. 

“As cloud becomes the centerpiece of organizational IT strategies and the repository of corporate crown jewels, we have a unique responsibility to increase the security and transparency of this platform. 

“We truly believe that this partnership allows us to do more together than we could individually to accelerate cloud assurance competencies throughout our global audience.”

The CCAK’s holistic body of knowledge will be composed of the CSA’s Cloud Controls Matrix (CCM), the fundamental framework of cloud control objectives; its companion Consensus Assessments Initiative Questionnaire (CAIQ), the primary means for assessing a cloud provider’s adherence to CCM; and the Security, Trust, Assurance & Risk (STAR) program, a global leader in cloud security audits and self-assessments, in addition to new material. 

Jim Reavis, co-founder and CEO of Cloud Security Alliance, said: “ISACA’s global leadership within the IT audit profession and its reputation for high-integrity knowledge programs make them the ideal partner to achieve real progress in creating trust in the cloud.”

The cloud auditing and assurance initiative is one of many joint ventures that ISACA and CSA say they plan to announce over the next few months. 

A joint statement released by the partners today said that the new collaboration will “promote harmonization between the myriad cloud trustmarks and standards within various industries and nations, as well as drive greater consensus between cloud providers, customers, and governing bodies.”

Categories: Cyber Risk News