Info Security


US Ordered Secret Cyber-Strike on Iran: Report

Thu, 10/17/2019 - 08:55

The US ordered a secret cyber-attack on Iranian IT systems in response to the alleged Tehran-backed September 14 attacks on Saudi Arabian oil facilities, according to a new report.

Two anonymous US officials told Reuters that the attacks were targeted at Iranian hardware in an operation focused on limiting the Islamic Republic’s ability to spread propaganda.

There are few other publicly available details about the raid, although it appears to have been a much smaller-scale and less sophisticated effort than the infamous Stuxnet operation which disrupted Iran’s nuclear program almost a decade ago.

It would make sense though, given President Trump’s reluctance to get embroiled in a full-scale conflict with the country. He is reported to have called off air strikes on Iranian facilities following the June downing of a US Navy drone, for fear of escalating the stand-off.

Dave Palmer, director of technology at Darktrace, argued that nation states are increasingly turning to cyber-strikes to launch attacks on physical hardware, making it more important than ever that such infrastructure is well protected.

“We have entered a new age of cyber warfare, where sophisticated groups are using advanced software that is capable of going under the radar of traditional security controls, plants itself in the heart of critical systems and uses that knowledge to its advantage,” he said.

“Relying on human security teams will not be enough to resist attackers that are backed by nation states and therefore highly sophisticated. The only way to combat these attacks will be with AI that can automatically respond to attacks before any damage is done.”

A Tripwire study from earlier this month revealed that 93% of security professionals in transportation, manufacturing and utilities fear cyber-attacks shutting down operations, with two-thirds (66%) claiming that it could have catastrophic consequences, such as an explosion.


Vermont Schools Spy on What Students Do Online

Wed, 10/16/2019 - 19:13

Schools in Vermont are hiring companies to monitor what their students post and search for online.

According to a report by investigative journalism platform VTDigger, five schools in the Green Mountain State hired Burlington-based firm Social Sentinel to track the online activities of their students. 

Social Sentinel uses keyword-based algorithms and machine learning to scan social media posts within a set geographic area for words that could indicate that a student is at risk or poses a threat to others. 

When a particular word is discovered, a red flag is raised, causing an alert to be sent to school officials. For an additional fee, Social Sentinel can also scan the contents of students' emails. The aim is to alleviate problems like cyber-bullying, self-harm, and teen suicide and to prevent mass shootings or other violence.

A further eight schools told VTDigger that they had contracts with vendors to monitor activity on district services and school-sponsored email for browsing habits and keywords that could mean a student is a threat or in danger. Companies hired to carry out the monitoring included Securly, Bark, and Lightspeed Systems.

Middle schools in the Burlington school district reported using a product called Admin, which is made by GoGuardian. Admin is a multi-layered filtering solution powered by advanced machine learning, which allows school officials to keep tabs on what students search for, watch, and read while using district devices. 

The information was uncovered when VTDigger sent a public records request to all 52 superintendents in Vermont, asking if any social media monitoring contracts had been signed. 

Contacted for comment by VTDigger, Social Sentinel founder Gary Margolis said: "We built a technology that actually helps prevent bad things from happening by giving information that can give context to what’s going on, in a way that respects privacy, and all I do is get questioned by you and folks in the media about privacy issues. It’s mind-bogglingly frustrating."

Brian Schaffer, principal at Lamoille Union High school, which contracted with Social Sentinel for a year in 2015, said the technology "wasn’t as functional as I had hoped it would be."

According to Schaffer, most of the daily alerts flagged irrelevant posts, some of which were written by Quebec tourists bragging about buying Heady Topper beer while on vacation in Vermont.

A task force created by Gov. Phil Scott earlier this year to help prevent school shootings recommended that Vermont invest in monitoring software to scan social media posts statewide. The task force was formed after a plot by Fair Haven Union High School student Jack Sawyer to carry out a mass shooting at his school was discovered in February 2018.


Over 550 Fake US Election Web Domains Discovered

Wed, 10/16/2019 - 17:42

External threat intelligence experts have detected hundreds of fake election web domains designed to target American voters.

New research by Digital Shadows uncovered over 550 fake domains ranging from false funding pages to counterfeit candidate sites set up against 19 Democrat and four Republican presidential candidates.

Most of the sites—68%—simply redirect the user to another domain, often to that of a rival candidate. Worryingly, 8% of domain squats discovered redirect users to file converter or secure browsing Google Chrome extensions that can be used to infringe on voter privacy and host potentially dangerous malware if downloaded. 

One false funding page exploited the possibility of a typo to encourage voters to switch their allegiance. Financial donors who accidentally type when searching for Republican fundraising page are taken to, a fundraising site for the rival Democratic party. 

Harrison Van Riper, strategy and research analyst at Digital Shadows, told Infosecurity Magazine: "We detected a few redirecting domains (donaldtrump[.]cloud, for example), which sent the browser to doyoulikebread.weebly[.]com and would pose the straightforward question of "Do You Like Bread?" with Yes or No options. 

"Yes would lead the user to a video for “You’re the one that I want” from the musical Grease, and No would lead to a video of Oprah Winfrey exclaiming how much she likes bread. The internet can be a weird place, sometimes!"

In total, 66 of the 550+ domains were being hosted on the same IP address, registered under the privacy protection service WhoisGuard, Inc. and potentially operated by the same individual. Digital Shadows was unable to attribute any of the fake domains to a specific person or group. 

"We really can't say who is responsible for these redirects, but hackers with a sense of humor is certainly a possibility. It could also be individuals who want to see their favorite candidate succeed," Van Riper told Infosecurity Magazine.

Van Riper said that the enactment of the GDPR regulation has made it harder to tell who or what organization stands behind a specific domain. Under the new rules, domain registration details have been removed from official records.

Instead of changing the law to prevent fake sites, Van Riper suggests registrars could do more to combat the problem. He said: "I don't see this as a legal issue; rather, I think that registrars could do more to verify that people registering these domains are doing so for legitimate purposes. This is a huge task, but ultimately, it's within the registrar's control to help combat the issue of people setting up fake domains for legitimate websites."


UK Abandons Planned Online Pornography Age Verification System

Wed, 10/16/2019 - 16:51

The British government has dropped plans to introduce a national online pornography age verification system because implementing it would be too difficult.

A nationwide system to ensure X-rated online content cannot be viewed by children was first proposed in 2015 by the then culture secretary Sajid Javid. However, it took the proposal two years to become law.

Under the proposal, pornography websites would be required to verify that users were age 18 or older. Suggested ways of doing this included running verification checks on credit cards and making porn passes available to purchase from newsagents on the presentation of photo ID. 

Websites that refused to go along with the age checks could have been blocked by UK internet service providers or had their access to payment services revoked. 

The system was going to be funded and run by private companies and overseen by the British Board of Film Classification.

The system was initially due to come into force on July 15 this year but was then delayed for six months because the government had neglected to announce the plan to the European Union. 

Today, culture secretary Nicky Morgan told parliament that the age verification system would be dropped altogether. Morgan said that the government would focus instead on implementing broader child protection measures as laid out in the online harms white paper published in April 2019. 

The white paper proposes establishing in law a new duty of care toward internet users, which will be overseen by an independent regulator. Companies will be held to account for tackling a more comprehensive set of online harms, ranging from illegal activity and content to behaviors that are harmful but not necessarily illegal.

"The government’s commitment to protecting children online is unwavering. Adult content is too easily accessed online and more needs to be done to protect children from harm," said Morgan. 

"This course of action will give the regulator discretion on the most effective means for companies to meet their duty of care."

While privacy campaigners who raised data security concerns over the proposed system may be celebrating its abandonment, British businesses that had invested time and money in developing verification products are sure to be disappointed.


Industry Calls for Standardization of CISO Role

Wed, 10/16/2019 - 12:01

Professionals from the cybersecurity industry have called for clarity regarding the role of Chief Information Security Officers (CISOs).

Research from Cyber Security Connect UK (CSCUK), a forum for cybersecurity professionals, has stated that CISOs are being pulled into job requirements outside their jurisdiction and that there is a lack of transparency about the responsibilities of cybersecurity teams within UK businesses of all sizes.

The research also pointed to a lack of skilled, fully qualified professionals coming into the profession.

Mark Walmsley, the chair of the CSCUK steering committee and CISO at Freshfields Bruckhaus Deringer, said: “It is no longer a case of if a cyber-attack will occur but more appropriately, when. In addition, these attacks are increasingly becoming more complex and intelligent. With this in mind, a company’s best defense against such events is a dedicated person to lead the fight against cyber-attacks."

Not only does this person need to be qualified, Walmsley added, they must also be dedicated to the cause, have access to information and budgets that allow them to carry out their job and be able to constantly and consistently upskill to keep up with the fast-paced, ever-changing nature of the cybersecurity landscape.

“While it is true that the varying size, financial situation and purpose of a business may affect the role of the CISO or even the requirement for such a person at all, where they are in operation, clear parameters need to be set. Only with standardization and guidance can the role be fully effective. As further digitization of processes occurs and cyber-attacks become more sophisticated, this need will become only greater,” Walmsley argued.

According to CSCUK, in order for standardization to be possible, professionals believe a benchmarking process must be carried out to fully understand the scale of variations within the role.

“In order to support CISOs so that they can carry out their roles effectively, a better understanding of their current situation is required,” Walmsley explained. “This includes comparing the role within different organizations in terms of qualifications, access to the boardroom and budgets, reporting lines and salaries.”


Over 100 Million IoT Attacks Detected in 1H 2019

Wed, 10/16/2019 - 10:50

A security vendor has detected over 100 million attacks on IoT endpoints in the first half of 2019 alone, highlighting the continued threat to unsecured connected devices.

Russian AV vendor Kaspersky said its honeypots had spotted 105 million attacks coming from 276,000 unique IP addresses in the first six months of the year. The number of attacks is nearly nine times more than the figure for 1H 2018 when only 12 million were detected, originating from 69,000 IP addresses, the firm added.

The figures can be seen in the context of a smart home boom, with consumers buying connected devices in increasing numbers; such devices often have poor built-in security and/or are not properly secured by their owners.

Mirai-like attacks which take advantage of weak factory-default log-ins for such devices are increasingly common, conscripting IoT endpoints into botnets which can then be used to launch DDoS and other attacks, Kaspersky explained. Some attacks also exploit old unpatched vulnerabilities to hijack devices, it added.

The most common malware types are Mirai (39%) and Nyadrop (38.6%), which itself often serves as a Mirai downloader. Some way behind them is Gafgyt (2%), which uses brute-forcing techniques to gain persistence.

“Judging by the enlarged number of attacks and criminals’ persistence, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations,” said Kaspersky security researcher, Dan Demeter.

“This is much easier than most people think: the most common combinations by far are usually ‘support/support,’ followed by ‘admin/admin,’ ‘default/default.’ It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices.”

Devices in China were most affected by attacks, accounting for 30% of infections in the first half of the year, followed by Brazil (19%) and Egypt (12%).


Revealed: State-Sponsored Campaign that Helped China Build an Aircraft

Wed, 10/16/2019 - 10:01

The Chinese government orchestrated a sophisticated multi-year cyber-espionage campaign to gain parity with western aerospace firms and help it build the C919 commercial airliner, a new report has alleged.

The story is an exemplar of the lengths Beijing is prepared to go to steal IP and force tech transfers from foreign companies and nations in order to gain self-sufficiency.

“What is known from CrowdStrike Intelligence reporting and corroborating US government reporting is that Beijing uses a multi-faceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs,” the CrowdStrike report claimed.

“Specifically, state-owned enterprises (SOEs) are believed to help identify major intelligence gaps in key projects of significance that China’s intelligence services then are likely tasked with collecting.”

In this case, that job was taken by the Jiangsu Bureau of the Ministry of State Security (JSSD), tracked by CrowdStrike as Turbine Panda.

Dating back to 2010, the operatives undertook a broad cyber-espionage and human intelligence campaign to target multiple aerospace providers including Honeywell, Safran, Capstone Turbine and others.

Interestingly, many of the operatives were sourced from the local cybercrime community, with PlugX and Winnti hacking tools favored, as well as unique malware linked to a group dubbed “Sakula.”

As part of the campaign, they recruited an insider at General Electric (Zheng Xiaoqing), joint manufacturer of the key LEAP-X turbofan, and a Chinese-born army reservist (Ji Chaoqun) who entered the US on an F-1 student visa to study electrical engineering.

Then the US fightback began: Sakula developer Yu Pingan was arrested whilst attending a US security conference, and insiders Zheng and Ji Chaoqun were also picked up. Other China-based operatives and insiders were also indicted. However, the biggest coup was the arrest of their handler, MSS officer Xu Yanjun: alleged deputy division director of the Sixth Bureau of the JSSD in charge of insider threats.

The report claimed that JSSD operatives were also responsible for the breach of the Office of Personnel Management (OPM) and health insurance firm Anthem.

Depressingly, it seems that even these arrests will do little to halt intrusive Chinese cyber-activity.

“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” the report concluded. “China still seeks to decrease its dependency on this [Airbus-Boeing] duopoly and eventually compete on an even footing with them.”


Major Carding Forum BriansClub Suffers Data Breach

Wed, 10/16/2019 - 08:50

One of the web’s largest marketplaces for stolen card data has been hacked, meaning that more than 26 million cards have now been stolen for a second time.

A source shared the news with security researcher Brian Krebs, whose name and likeness have been used for years by the administrators of the online BriansClub store.

It is claimed that the trove includes credit and debit card details stolen from bricks-and-mortar retailers from the past four years, including eight million uploaded so far in 2019.

The binary data could allow hackers to create fake magstripe cards with which to fraudulently purchase goods in stores. Although the roll-out of EMV is intended to put an end to this practice, there are still enough merchants and cardholders using the legacy cards to make such forums a going concern.

In fact, Krebs calculated that with cardholder losses estimated at $500 per card, BriansClub could have generated as much as $4 billion in losses from the roughly nine million cards it has sold to fraudsters since 2015.

Tim Mackey, principal security strategist at Synopsys, argued that whether you’re running a global enterprise, a small business or an underground carding forum, there are several shared cybersecurity truths.

“First, the attackers define the rules of the attack and the best you can do is defend against their actions. Second, the only data ever taken is data available for the taking. When designing your data collection and storage procedures, it’s critical to look at all data operations through the lens of what would happen if there was absolutely nothing preventing your biggest competitor or worst enemy from downloading that data,” he explained.

“Is all the data appropriately encrypted? Are all access attempts audited? Is modification controlled? For these questions, and many more, the next question becomes one of “how,” and it’s how you approach these questions and their answers which distinguishes a successful cybersecurity initiative from one likely to make the news for the wrong reasons."


#ISWUK: Ransomware Remains Top Threat For Present and Future

Wed, 10/16/2019 - 08:15

Ransomware remains the dominant threat for business now, and will continue to be in the future.

Speaking at the NTT Security Information Security World 2019 conference in London, Nicole van der Meulen, head of strategy and development at Europol’s European Cybercrime Centre (EC3) reflected upon the top cyber-threats impacting the security of data today.

Van der Meulen highlighted the five top current threats as:

  • Ransomware
  • Compromised data
  • DDoS attacks
  • Card not present fraud
  • The Dark Web

Van der Meulen said that whilst ransomware was not new and efforts are often determined to be “amateur,” there is a move to more sophisticated attacks “and it is the most dominant threat when it comes to what is reported.”

She added that ransomware reports from law enforcement and the private sector are not different from last year, but there has been a “decline in volume” of attacks. Attackers are instead moving on to more profitable victims who are willing to pay, which is a more efficient approach for them.

She also said that DDoS attacks are becoming more professional with a financial focus. Meanwhile, card not present fraud continues to rise “and is the most stable” as compromised data is readily available. “The cost of doing business has been accepted, and it is a facilitator for other crimes.”

While there are changes in terms of threats and threat actors, Van der Meulen pointed out that there is a terminology problem, as “we call it cybersecurity, but talk about information security, and confidentiality, integrity and availability” and everything still begins with unauthorized access and the next stage is down to the motive of the attacker.

She also said that there is a lot of focus on the future threats and technology, and while there is a need to predict the emphasis on attackers using AI, it is still cheap to get and use ransomware: “We haven’t solved today’s problems, so why focus on tomorrow? Don’t get too far ahead when threats are the same, but just wearing new clothes.”


Canadian Students Are Sharing Passwords to Prove Friendships

Tue, 10/15/2019 - 18:11

Canadian students are sharing their online passwords with one another as proof of friendship, according to the Quebec Access to Information Commission (CAI).

Since 2016, CAI has toured secondary schools across Quebec with a campaign called "Ce que tu publies, penses-y" which roughly translates as "Think before you publish."

The purpose of the cybersecurity campaign is to warn adolescents about the risks and consequences of being active online, especially on social media. So far, 32,000 students have been exposed to the campaign, but despite the efforts of CAI, the incredibly important message doesn't seem to be getting through.

Speaking to The Canadian Press, "Ce que tu publies, penses-y" program coordinator Isabelle Gosselin said that students don't believe that they are at risk and do nothing to protect their privacy.

According to Gosselin, proof of the extent of this problem is that three out of four high school students raise their hands when asked if they share passwords with friends.

Gosselin said that they are almost proud to do it, often seeing it as proof of friendship or of love. In fact, she said the trend has become very fashionable. 

Government organization CAI wants to encourage young internet users to adopt safe and responsible behavior, particularly in terms of privacy and respect for privacy. However, Gosselin said that when she tries to warn teenagers about the potentially dire consequences of sharing their passwords, they respond with "Don't you think you're exaggerating, ma'am?"

A fresh incarnation of the CAI cybersecurity tour will launch this month in an effort to convince teens to adopt best practices when it comes to online security. Gosselin said the tour's goal is to educate students who think they are invincible. 

During the 2019–2020 school year, the commission will again take its "Ce que tu publies, penses-y" campaign to Quebec high schools in hopes of persuading students to take cybersecurity seriously.

Students will be shown an hour-long presentation that addresses a number of concepts, such as identity theft, sexting, geolocation, and privacy settings from a privacy perspective. 

To ram the point home, the presentation includes genuine real-life examples of what happens when cybersecurity guidelines aren't followed. Some of the stories that students will hear relate to incidents that have happened within their own school.


A Quarter of Americans Want Cyber-flashers Jailed for 5 Years

Tue, 10/15/2019 - 17:11

A survey has revealed that a quarter of Americans think that sending unsolicited nude digital images should carry a five-year jail sentence and a hefty fine.

The survey of 1,058 Americans aged 18 to 73 was carried out on behalf of Participants were asked questions about how they send and receive photos in the modern world. 

Seventy percent of women and 50% of men surveyed said they thought that a jail sentence is appropriate for cyber-flashing, with an average recommended term of 1.5 years or a fine of $4,400. These suggested penalties are roughly equivalent to those meted out for committing a class A misdemeanor, such as a DUI or an assault. 

Some believed the punishment should be even more severe, with 25% recommending a jail sentence of five years and a fine of $10,000, which is equivalent to the punishment for a class D felony, like voluntary manslaughter or stalking.

Overall, 89% of women and 79% of men said they think culprits should be fined, with women recommending a fine of $5,700 on average, compared to the $3,300 deemed appropriate by men.

While 40% of women and 21% of men polled thought that people who shared others’ nudes without consent should be added to a public sex offender registry, 58% of women and 38% of men thought culprits' details should be placed on a specially created database of sext offenders.

The survey, conducted in May, revealed that women under age 30 are much more likely to be the unhappy recipients of an unwanted naked image than men in the same age category. While just 12% of men said they had received a nude picture that they didn't want, nearly half of women—47%—had been imposed on by a cyber-flasher. 

Worryingly, 12% of women and 23% of men under age 30 admitted that they had obtained a nude without consent. The most popular way of doing this was by taking a screenshot of a temporary image; however, nudes had also been acquired via friends, captured from a video call, and purchased from a third party. 

Perhaps the most alarming method of getting a nude without the subject's consent—taking a photo of them in person without their knowledge—had been practiced by 10% of men and 6% of women under age 30.


Florida Women's Clinic Warns 520,000 Patients of Data Breach

Tue, 10/15/2019 - 16:22

A Florida clinic providing specialized medical care for women has alerted all current and former patients that their personal information and medical records may have been exposed following a data breach. 

North Florida OB-GYN, which joined Women's Care Florida on May 6, 2019, became aware that a cyber-attack had been waged against its network on July 27 of this year. The breach is thought to have taken place on or before April 29, 2019.

In a statement released on their website, North Florida OB-GYN wrote: "Shortly after becoming aware of the incident, North Florida OB-GYN completed a preliminary assessment, in consultation with third-party information technology consultants, and determined that there had been improper access to certain portions of its networked computer systems and that a computer virus had encrypted (made unreadable) certain files on its computer systems."

The assessment findings prompted the clinic to shut down its networked computer systems, initiate its incident response and recovery procedures, and notify the Federal Bureau of Investigation of the breach. The clinic has also launched a confidential forensic investigation into the cyber-incident. 

Medical or personal information affected by the incident may have included name, demographic information, date of birth, Social Security number, driver’s license or identification card number, employment information, health insurance information, and health information, such as treatment, diagnosis, and related information and medical images. 

The affected computer systems did not contain any credit or debit card or financial account information.

All 528,188 patients of North Florida OB-GYN have been contacted by letter and warned that their personal data may have been exposed. 

In a statement released on their website, North Florida OB-GYN wrote: "There is no evidence to date that any unauthorized person has actually viewed, retrieved, or copied any medical or personal information."

The clinic has advised patients to remain vigilant by regularly reviewing their account statements, monitoring free credit reports, and reporting any suspicious activity to their financial institutions.

Virtually all of the encrypted files have now been recovered, and North Florida OB-GYN has taken actions to strengthen security safeguards for the affected systems and to prevent similar incidents.


#ISWUK: Trust Erosion Preventing Business Transformation

Tue, 10/15/2019 - 12:15

An erosion of trust and a lack of situational awareness are continuing to harm advancements in cybersecurity and digital transformation.

Speaking at NTT Security’s Information Security World event in London, Thales CTO Jason Hart reflected upon how long it took radio, television, the internet and, most recently, the Pokemon Go app to reach 50 million users. He likened this journey to the transformation of businesses for data and digital services, as “this is happening to every part of the organization.”

Hart said that “innovation is not about new technology, it is about taking the user experience and making it easier to consume.” This can lead to “habit forming” which has both positive and negative impacts, and this should challenge businesses to make technology “easier and simpler.”

However, data breaches have led to an erosion of trust, and Hart said that “we cannot solve problems using the same thinking” as we invest money in cybersecurity products and services, yet breaches continue to happen. “The approach has not evolved, we are getting there, and I can see an improvement,” he said.

Hart predicted that we will continue to have a “major problem regarding the integrity of data” as we have the “perfect storm of more data, children born into a data world, and yet we still see breaches.” Hart argued that this can be eradicated quickly by achieving situational awareness, and by businesses recognizing which of the following categories they fit into:

  • Situational aware – understand critical elements of data, people and process
  • Situational ignorance – not looking or considering impact of people, data and processes
  • Situational arrogance – consideration of people, data and process, however no action is taken

“Be situationally aware and look to the needs of the organization and of the user, as different users have different needs,” he concluded, recommending that businesses mitigate risks and consider them across technology, humans and processes.


Ex-TalkTalk Security Leader to Take on Firm in Unequal Pay Dispute

Tue, 10/15/2019 - 10:45

A former TalkTalk executive who led the company’s program to recover from a major 2015 breach is crowdfunding legal fees to bring a landmark equal pay case against the ISP.

Rebecca Burke worked as program director for the embattled UK firm as part of its Top 50 Leadership Team to deliver the top 10 highest priority programs for the business.

These included a strategy to bounce back from the breach in which hackers managed to access the personal details of over 156,000 customers, including 15,000 who also had their financial data exposed.

The ISP was eventually fined £400,000 by privacy watchdog the Information Commissioner’s Office (ICO) for serious failings in its security processes which led to the incident.

However, despite her experience of over two decades working in various public and private sector organizations, Burke alleged she was being paid significantly less at the firm than some male colleagues.

“In May 2017 I was shocked to discover that I had been singled out for redundancy. The suspicious circumstances led me through a slow and painful appeals process that eventually exposed the fact that TalkTalk had been paying me 40% less salary and 50% less bonus than the three other male Programme Directors that were in my team doing the same job,” she explained on her crowdfunding page.

“Myself and my family have endured years of financial and emotional stress in this fight for justice against a giant corporation. I have sacrificed my career, sanity and financial stability because I want to help build a fairer future for our young women and girls by holding our UK businesses to account when they break the equal pay laws that women fought so hard for 50 years ago.”

A personally funded tribunal in 2018 was postponed after Burke’s barrister issued an unusual request for the panel to stand down on the grounds that it was hostile to her case.

She has already received support from BBC journalist, Carrie Gracie, women’s rights group The Fawcett Society and Sam Walker, who won her equal pay and unfair dismissal case against the Co-Op Group in 2018.

The news of Burke’s tribulations will be a PR blow for a cybersecurity industry struggling to become more gender diverse. The latest figures suggest women comprise just a quarter (24%) of roles globally.

Categories: Cyber Risk News

Analyst Urges UK CISOs to Act on Brexit

Tue, 10/15/2019 - 09:45
Analyst Urges UK CISOs to Act on Brexit

A leading analyst firm has warned British CISOs to focus on three key areas to mitigate the potential fallout from the UK’s departure from the European Union.

Whether the UK strikes a withdrawal agreement with the EU or not, security bosses must carefully consider action to maintain unhindered international data flows, and manage potential staffing and regulatory challenges, according to senior analyst, Paul McKay.

He warned that a no-deal Brexit would invalidate current equivalence between the UK and EU’s data protection regimes, putting up barriers to seamless data transfers.

“We recommend that CISOs and DPOs start looking into alternative means now for guaranteeing the legal basis for their international data flows between the UK and EU,” he urged. “This can either be through model clauses or a binding corporate rules program, for example, which are already widely used for transfers outside of the EU.”

CISOs should also work hard to provide reassurance and support for any EU citizens on the staff roster, some of whom may need help with applications to remain in the country. More challenging still will be recruitment.

“Restrictions on the numbers of EU citizens entering the UK and vice versa are generally expected, so review your operating model carefully to mitigate the impact that restrictions on freedom of movement could bring to your security organization structure and headcount deployment,” said McKay.

“In addition, consider the implications for business travel for any service providers and staff supporting you from outside of your main headquarters locations.”

Finally, there are the breach-notification requirements of EU laws such as PSD2, GDPR and the NIS Directive, which oblige organizations to report incidents to the relevant authorities. McKay urged UK CISOs to review and update reporting lines as regulatory relationships change, as well as to update incident response plans and any supporting operational processes.

Categories: Cyber Risk News

Pitney Bowes and Groupe M6 Hit By Ransomware

Tue, 10/15/2019 - 08:52
Pitney Bowes and Groupe M6 Hit By Ransomware

A US mailing technology company and one of France’s largest media groups have been hit by ransomware over the past few days, highlighting the continued threat to businesses of all types.

Pitney Bowes, which provides services to print labels, track parcels and manage expenses, revealed the news in an update overnight.

It claimed a third-party attack “encrypted information on some systems and disrupted customer access to our services.”

SendPro products, postage refill, and Your Account access have all been affected, although the firm said there’s no evidence that customer accounts or data have been impacted.

“Our technical team is working to restore the affected systems, and it is working closely with third-party consultants to address this matter,” it added. “We are considering all options to expedite this process and we appreciate our customers’ patience as we work toward a resolution.”

The news comes as French media giant Groupe M6 admitted over the weekend that it was also struck by a cyber-attack, subsequently reported to be ransomware.

According to local reports, the firm’s email servers and phone lines are down due to the attack, although a speedy response from its IT department managed to ensure the threat did not affect the broadcasting of TV channels.

Chris Morales, head of security analytics at Vectra, argued that the best form of protection from ransomware is to identify the warning signs of an attack.

“It is hard to stop, but it can be defeated. There are many precursor signs to a ransomware attack that can be detected and responded to, before a ransomware attack succeeds,” he added.

“Continuous monitoring for network behaviors to proactively detect and respond to attacks does give an organization an opportunity to save themselves from the loss of data.”

Alex Guirakhoo, strategic intelligence analyst at Digital Shadows, claimed that ransomware attackers are getting increasingly targeted in their approach, singling out specific organizations and sectors.

“Future attacks are likely to forgo indiscriminate, widespread targeting in favor of more tailored and specific distribution methods,” he argued. “As organizations continue to pay high extortion demands, sometimes reaching hundreds of thousands of dollars, cyber-criminals are likely to continue perceiving ransomware as a lucrative opportunity.”

Categories: Cyber Risk News

Atlanta Judge Pleads Not Guilty to Improper Access of County Network

Mon, 10/14/2019 - 17:22
Atlanta Judge Pleads Not Guilty to Improper Access of County Network

Superior Court judge Kathryn Schrader has pleaded not guilty to improperly accessing, altering, and removing data from the computer network of Gwinnett County, Georgia, located just northeast of Atlanta.  

The judge was indicted on September 18, along with convicted child molester and co-founder of Atlanta sci-fi convention DragonCon, Ed Kramer; private investigator T.J. Ward; and Frank Karic. 

The defendants are each charged with three counts of felony computer trespass, to which they all pleaded not guilty at their arraignment last Thursday. If convicted of all the charges against them, the defendants could each face a maximum of 45 years behind bars.

According to the Gwinnett Daily Post, Schrader hired private detective Ward to monitor her work computer when she became suspicious that it had been hacked by district attorney Danny Porter. 

It is alleged that Schrader gave Ward improper access to the network. Ward then brought in Karic, who was given improper access so he could install a Wireshark monitoring device (Wireshark is a network packet-capture tool) on Schrader's computer to discover if it had indeed been tampered with.

Ward then hired former computer forensic analyst Kramer, who was also given improper access so that he could keep tabs on Schrader's computer once the installation was complete. 

According to newspaper the Atlanta Journal-Constitution, Danny Porter has vehemently denied the allegation that he hacked Schrader's computer. 

The details of the alleged offence came to light during a search of Kramer's home computer by police in relation to allegations that he had photographed a young child at a Lawrenceville, Georgia, doctor's office. Police reportedly found a folder labeled with Schrader's name on Kramer's computer. 

Since searching Kramer's computer, police have charged him with possession of child pornography. 

The indictment states that between February 7 and 26, all four defendants "did knowingly use a computer network without authority and with the intent to remove network traffic, data from the computer network of Gwinnett County, contrary to the laws of said state, the good order, peace and dignity thereof." 

Schrader has been a judge on Gwinnett's highest court since 2012, but since April, while the investigation into her alleged criminal activities has been ongoing, Porter has sidelined Schrader from hearing any criminal cases prosecuted by his office. 

The Georgia Bureau of Investigation launched the investigation into Schrader and the three men accused along with her; the case has since been handed over to the Prosecuting Attorney's Council of Georgia, which is now prosecuting it.

The next hearing in the case is scheduled for November 7.

Categories: Cyber Risk News

Thoma Bravo Buys Sophos Group for $3.8bn

Mon, 10/14/2019 - 16:14
Thoma Bravo Buys Sophos Group for $3.8bn

A British manufacturer of cybersecurity products has been bought by American private equity firm Thoma Bravo for $3.8bn.

Thoma Bravo, which raised billions for its latest private equity fund this year, bought Imperva and another cybersecurity firm, Veracode, in late 2018. In a buyout deal announced earlier today, Thoma Bravo said that it will be adding Sophos Group to its fast-growing cybersecurity portfolio. 

Sophos manufactures antivirus and encryption products for an impressive list of customers that includes Under Armour Inc., Ford Motor Co., and Toshiba Corp.

Thoma Bravo already owns Sophos' close competitor Barracuda Networks, which made a name for itself managing data security over the cloud. 

Shares in Sophos were listed at 225 pence per share in 2015, but since then they have more than doubled to the 583 pence per share closing price recorded on Friday, October 11. 

In a statement released today, Sophos CEO Kris Hagerman said: "Sophos is actively driving the transition in next-generation cybersecurity solutions, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more. We continue to execute a highly effective and differentiated strategy, and we see this offer as a compelling validation of Sophos, its position in the industry and its progress."

Hagerman told news organization Reuters that his company was first approached by Thoma Bravo in June of this year.

"The (Sophos) board ultimately concluded that this offer and the acquisition can accelerate Sophos' progress in next-generation cybersecurity," Hagerman said.

Thoma Bravo is a leading private equity firm focused on the software- and technology-enabled services sector with more than $35bn in investor commitments. With a 40-year history, Thoma Bravo has acquired more than 200 software and technology companies representing more than $50bn of value.

In a statement released on Monday, Seth Boro, managing partner at Thoma Bravo, said: "The Acquisition fits with our strategy of investing in and growing software and technology businesses globally. 

"The global cybersecurity market is evolving rapidly, driven by significant technological innovation, as cyber threats to business increase in scope and complexity. Sophos has a market-leading product portfolio and we believe that, by applying Thoma Bravo's expertise, operational framework and experience, we can support the business and accelerate its evolution and growth."

Categories: Cyber Risk News

Tactics of Supply-Chain Attack Group Exposed

Mon, 10/14/2019 - 15:41
Tactics of Supply-Chain Attack Group Exposed

Researchers have exposed the underhanded methods of a threat group responsible for unleashing a string of supply-chain attacks.

Winnti Group has been targeting the gaming industry for nearly a decade. Their preferred mode of attack is to compromise game developers, insert backdoors into a game’s build environment, and then have their malware distributed as legitimate software.

In April 2013, Kaspersky Lab reported that in 2011 Winnti had altered a video game to include a backdoor. Then, in March 2019, ESET published research proving that the threat group was responsible for compromising and adding a backdoor to two other games and a gaming platform. 

Gamers in Asia were the target in the most recent supply-chain attack, which researchers estimate affected "tens or hundreds of thousands" of people. Over half of the victims—55%—were located in Thailand. 

Following this publication, ESET continued its investigation to discover how organizations’ digital supply chains had been compromised to deliver malware in their applications. 

"Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle," says ESET researcher Marc-Étienne Léveillé.

The Winnti Group uses a packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an internet-wide scan to try to identify one variant of the backdoor, as well as potential victims. 

Léveillé said: "Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was." 

With their new research, ESET was able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.

Although Winnti is known principally for espionage, researchers discovered that the group was also using a botnet to mine cryptocurrencies.

Léveillé said: "Perhaps they use the virtual money they mine to finance their other operations. Maybe they use it for renting servers and registering domain names. But at this point, we cannot exclude that they, or one of their subgroups, could be motivated by financial gain."

Categories: Cyber Risk News

Stolen Cloud API Key to Blame for Imperva Breach

Mon, 10/14/2019 - 11:30
Stolen Cloud API Key to Blame for Imperva Breach

A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed.

The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end of August.

Chief technology officer, Kunal Anand, explained in a blog post that the firm decided back in 2017 to migrate to the AWS Relational Database Service (RDS) in order to provide greater scale for its user database.

As part of this process the firm created a database snapshot for testing on September 15, 2017.

Separately, Imperva’s IT team created an internal compute instance containing an AWS administrative API key. Unfortunately, this instance was left externally accessible and was subsequently found by an attacker, who stole the all-important key and used it to access the database snapshot, exfiltrating its contents in October 2018.

The stolen data included email addresses, hashed and salted passwords, API keys, and TLS keys — although Anand claimed to have found no evidence so far that it is being abused for malicious ends.

Imperva has since tightened its internal security, by ensuring new instances are created behind a VPN, unused and non-critical instances are decommissioned, and by putting monitoring and patching programs in place.

Other corrective actions taken include an increase in the frequency of infrastructure scanning, tighter access controls, and an increase in auditing of snapshot access.

At Imperva’s request, more than 13,000 customer passwords were changed and over 13,500 SSL certificates rotated following the breach, highlighting the scale of the incident. In addition, over 1400 API keys were regenerated, according to Anand.
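The chain described above (a long-lived administrative key on an exposed instance, then snapshot access from outside the environment) is exactly what the "auditing of snapshot access" Imperva mentions should catch. The following is an added example, not Imperva's code, of how such a check can be run over CloudTrail records. It uses CloudTrail's real field names (eventSource, eventName, userIdentity.accessKeyId, sourceIPAddress, requestParameters), but the corporate address range and the sample events are constructed for illustration, and the set of "sensitive" RDS actions is the author's choice rather than anything Imperva published.

```python
"""Triage CloudTrail records for risky RDS snapshot access.

Added example, not Imperva's code. Real CloudTrail field names are used,
but ALLOWED_NETWORKS and SAMPLE_EVENTS are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# RDS API calls that read, copy, share, restore or export snapshot contents.
SENSITIVE_SNAPSHOT_ACTIONS = {
    "DescribeDBSnapshots",
    "CopyDBSnapshot",
    "ModifyDBSnapshotAttribute",       # used to share a snapshot with other accounts
    "RestoreDBInstanceFromDBSnapshot",
    "StartExportTask",                 # exports snapshot data to S3
}

# Hypothetical corporate VPN egress range (assumption; replace with your own).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_long_lived_key(access_key_id: str) -> bool:
    """IAM user access keys begin with 'AKIA'; temporary STS credentials
    (instance profiles, assumed roles) begin with 'ASIA'."""
    return access_key_id.startswith("AKIA")


def from_allowed_network(source_ip: str) -> bool:
    """True when the caller's address falls inside ALLOWED_NETWORKS."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False   # AWS service principals appear as DNS names, not IPs
    return any(addr in net for net in ALLOWED_NETWORKS)


def triage_event(event: dict) -> List[str]:
    """Return the findings for one CloudTrail record (empty list if benign)."""
    findings: List[str] = []
    if event.get("eventSource") != "rds.amazonaws.com":
        return findings
    action = event.get("eventName", "")
    if action not in SENSITIVE_SNAPSHOT_ACTIONS:
        return findings

    key_id = event.get("userIdentity", {}).get("accessKeyId", "")
    source_ip = event.get("sourceIPAddress", "")

    if is_long_lived_key(key_id):
        findings.append(f"{action}: long-lived IAM user key {key_id} (expected a role)")
    if not from_allowed_network(source_ip):
        findings.append(f"{action}: call from non-corporate address {source_ip}")

    # Sharing a snapshot with another account is a direct exfiltration path.
    params = event.get("requestParameters") or {}
    if action == "ModifyDBSnapshotAttribute" and params.get("attributeName") == "restore":
        added = params.get("valuesToAdd") or []
        if added:
            findings.append(f"{action}: snapshot shared with account(s) {', '.join(added)}")
    return findings


def triage(events) -> Dict[str, List[str]]:
    """Map eventID -> findings for every record that raised at least one."""
    results: Dict[str, List[str]] = {}
    for event in events:
        findings = triage_event(event)
        if findings:
            results[event["eventID"]] = findings
    return results


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    {   # benign: assumed role, corporate VPN, routine copy
        "eventID": "evt-1", "eventSource": "rds.amazonaws.com",
        "eventName": "CopyDBSnapshot", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001"},
        "requestParameters": {},
    },
    {   # suspicious: long-lived user key, unknown address, restoring a snapshot
        "eventID": "evt-2", "eventSource": "rds.amazonaws.com",
        "eventName": "RestoreDBInstanceFromDBSnapshot", "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000002"},
        "requestParameters": {},
    },
    {   # suspicious: snapshot shared with an outside account from inside the VPN
        "eventID": "evt-3", "eventSource": "rds.amazonaws.com",
        "eventName": "ModifyDBSnapshotAttribute", "sourceIPAddress": "203.0.113.22",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003"},
        "requestParameters": {"attributeName": "restore", "valuesToAdd": ["111122223333"]},
    },
    {   # ignored: not an RDS event
        "eventID": "evt-4", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000004"},
        "requestParameters": {},
    },
]

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        for line in findings:
            print(event_id, line)
```

The key-prefix check matters because a compromised instance should only ever carry temporary role credentials; a long-lived "AKIA" key appearing in snapshot calls at all is worth an alert regardless of source address. The address check is deliberately strict: service-initiated calls show a DNS name rather than an IP and are flagged, so tune ALLOWED_NETWORKS and the action list to your own environment before relying on it.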

Categories: Cyber Risk News