Feed aggregator

Canadian Banks Spoofed in 2-Year Phishing Attack

Info Security - Mon, 12/23/2019 - 16:48

Researchers have unearthed a two-year phishing campaign targeting bank customers in Canada. 

Fourteen banks, including CIBC, TD Canada Trust, Scotiabank, and the Royal Bank of Canada (RBC) were spoofed in a large-scale operation that involved multiple look-alike domains. 

The attack starts by sending legitimate-looking emails containing a PDF attachment. The attachment uses what appears to be an official bank logo, as well as an authorization code.

Victims are told that they need to renew their digital certificate so that they can continue to access online banking. When the victim clicks on any of the URLs that appear in the attached document, they are led to a phishing page asking them to enter their banking credentials.

The intricate scam was uncovered by researchers at Check Point Research, who wrote: "Looking into the detected artifacts revealed an ongoing phishing attack that has been going after customers of Canadian banks for at least two years. 

"By sending highly convincing emails to their targets, constantly registering look-alike domains for popular banking services in Canada and crafting tailor-made documents, the attackers behind this were able to run a large-scale operation and remain under the radar for a long time."

In the case of RBC, although the phishing website looks identical to the bank's genuine RBC express login page, the attackers actually invested little time in constructing the deceptive replica. 

"They simply took a screenshot of the official website and added invisible text boxes on top of the input fields to harvest the victim’s credentials," wrote researchers.

Linguistic clues led the researchers to discover the longevity of the scammers' cruel charade.

Researchers wrote: "There were multiple variants of the PDF attachments, with slight differences between them. However, some of the textual instructions they contained were repetitive, used unique phrasing and appeared in more than one document. 

"This allowed us to hunt for more samples and find related PDFs dating back to 2017."

The phishing website that appeared in the PDF attachments resolved to a Ukrainian IP address, which researchers found was hosting more domains impersonating RBC in addition to other banks.

Commenting on the scam, Jonathan Knudsen, senior security strategist at Synopsys, said he felt it was time users wised up.

"Users should understand the capabilities of phishers; they should know that anyone can construct a web site that looks just like the real thing, and anyone can get a legitimate certificate for a fake web site."

Categories: Cyber Risk News

Londoner Escapes Jail Time After Blackmailing Apple

Info Security - Mon, 12/23/2019 - 10:25

A Londoner who blackmailed Apple threatening to factory reset hundreds of millions of iCloud accounts has been sentenced at Southwark Crown Court.

Kerem Albayrak, 22, from North London, demanded that the tech giant give him $75,000 in crypto-currency or a thousand $100 iTunes gift cards in return for deleting what turned out to be a non-existent database of 319 million ‘accounts.’

In March 2017, he emailed Apple Security with the threat, subsequently sending the team a link to a video of himself accessing two seemingly random iCloud accounts.

It turned out that those accounts and others he had access to were from previously compromised third-party services that were mainly inactive, according to the National Crime Agency (NCA).

Apple contacted the NCA following its receipt of the blackmail demand and officers swooped on Albayrak’s house on March 28, seizing his smartphone, computer and hard drive. After examining his phone records they linked him to a hacker group known as “Turkish Crime Family.”

He pleaded guilty to two counts of unauthorized acts with intent to impair the operation of or prevent/hinder access to a computer, and one count of blackmail.

However, Albayrak escaped jail time, after the court handed down a two-year suspended sentence, 300 hours of unpaid work and a six-month electronic curfew.

“Albayrak wrongly believed he could escape justice after hacking in to two accounts and attempting to blackmail a large multi-national corporation. During the investigation, it became clear that he was seeking fame and fortune. But cyber-crime doesn’t pay,” argued NCA senior investigating officer, Anna Smith.

“The NCA is committed to bringing cyber-criminals to justice. It is imperative victims report such compromises as soon as possible and retain all evidence.”

Categories: Cyber Risk News

Twitter Bins Thousands of State-Backed Saudi Accounts

Info Security - Mon, 12/23/2019 - 10:25

Twitter has been forced to suspend thousands of accounts linked to state-backed campaigns driven by Saudi Arabia and designed to influence public opinion, it has revealed.

The social networking site claimed in a new blog post on Friday that 5929 accounts had been removed for “violating our platform manipulation policies.”

“These accounts represent the core portion of a larger network of more than 88,000 accounts engaged in spammy behavior across a wide range of topics. We have permanently suspended all of these accounts from the service,” Twitter said.

“In order to protect the privacy of potentially compromised accounts repurposed to engage in platform manipulation, and in response to researcher feedback requesting that we pre-filter unrelated spam, we have not disclosed data for all 88,000 accounts.”

By liking, retweeting and replying to posts, these inauthentic and hijacked accounts apparently amplified messages favorable to the Saudis.

Twitter claimed the coordinated activity could be traced back to a Saudi social media marketing company known as Smaat.

“Our in-house technical indicators show that Smaat appears to have created, purchased, and/or managed these accounts on behalf of — but not necessarily with the knowledge of — their clients,” it explained. “We have permanently suspended Smaat’s access to our service as a result, as well as the Twitter accounts of Smaat’s senior executives. Smaat managed a range of Twitter accounts for high-profile individuals, as well as many government departments in Saudi Arabia.”

Those Smaat employees appear to have used automated third-party tools to amplify non-political content in large volumes, a tactic apparently designed to hide the more important political content from moderators.

Twitter has been busy this year removing state-backed attempts to manipulate public opinion for geopolitical advantage. In June it shut down 5000 Iranian and Russian accounts accused of doing so, and in August it was the turn of China, which had 1000 accounts suspended for spreading propaganda about Hong Kong.

Categories: Cyber Risk News

Zynga Breach Hit 173 Million Accounts

Info Security - Mon, 12/23/2019 - 09:32

Nearly 173 million usernames and passwords were compromised when a leading gaming developer was breached in September, it has emerged.

Zynga burst on the gaming scene when its Farmville title became a hit a decade ago. It followed this success with Words with Friends, a hugely popular Scrabble-like word game it acquired.

Although Zynga acknowledged the breach at the end of September, several weeks after hackers struck, notification site HaveIBeenPwned now has the official figure on how many accounts were affected.

It claimed in an update late last week that a total of 172.9 million unique email addresses, along with usernames and passwords, were compromised in the attack. On the plus side, passwords were stored as salted SHA-1 hashes, which makes them much harder to monetize.

News of the breach went public at the end of September when notorious cyber-criminal “Gnosticplayers” claimed to have obtained data on over 218 million users.

At the time, Zynga responded by urging users not to share passwords across multiple accounts, and to ensure they create “a unique and strong” credential for all of their online accounts.

“Cyber-attacks are one of the unfortunate realities of doing business today. We recently discovered that certain player account information may have been illegally accessed by outside hackers,” it said at the time.

“We understand that account information for certain players of certain Zynga games may have been accessed. As a precaution, we have taken steps to protect certain players’ accounts from invalid logins, including but not limited to where we believe that passwords may have been accessed.”

Tim Dunton, MD of Nimbus Hosting, argued that social gaming customers are prime targets for data theft.

“All online game organizations need to ensure cybersecurity measures are a top priority in their company culture, to avoid this kind of attack happening in the future,” he added.

“They need to focus on adopting safe, modern and frequently updated IT servers, which are immune to leaking information, even to the most advanced of criminal cyber-specialists.”

Categories: Cyber Risk News

Wawa Stores Plagued by Malware Since March

Info Security - Fri, 12/20/2019 - 17:15

Payment processing systems at Wawa, the American chain of convenience and fuel stores, had been harboring card-stealing malware for nine months.

In an open letter published online yesterday, Wawa CEO Chris Gheysens announced that the malware had potentially been operating at all of Wawa's 842 locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC, and Florida since March.

"Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019," wrote Gheysens.

"This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained."

By April 22, the malware is thought to have spread to most Wawa stores. 

An investigation launched by Wawa into the incident discovered that payment card information, including debit and credit card numbers, expiration dates, and cardholder names, had been exposed as a result of the long-running cyber-attack. ATM cash machines in Wawa stores were not impacted. 

In a statement released to the press yesterday, Wawa said that it "is not aware of any unauthorized use of any payment card information as a result of this incident."

Wawa has said it took "immediate steps after discovering this malware and believes it no longer poses a risk to customers." However, no details have been revealed as to what type of malware was used in the prolonged card-skimming attack or how it gained a foothold in Wawa's payment processing systems. 

Gheysens apologized for the breach, and assured all customers impacted that they "will not be responsible for fraudulent charges related to this incident."

Jonathan Deveaux, head of enterprise data protection at comforte AG, commented: "Details are unclear regarding the type of malware installed on the Wawa payment processing servers, however, if the payment card data was protected in real-time with security tokenization, exfiltration of data from Wawa databases would have contained worthless tokens for the bad actors. 

"Instead, when data is left in its clear-text form, credit and debit card numbers are exposed, which can put millions of payment card holders in a bad position."

Categories: Cyber Risk News

Malicious Email Exploits Greta Thunberg, Christmas, and Children

Info Security - Fri, 12/20/2019 - 16:20

A malicious email campaign that exploits the notoriety of youthful Swedish climate crisis activist Greta Thunberg has been discovered by multiple research teams.

Threat actors constructed an email that appears to invite the recipient to participate in a demonstration being held to protest the lack of government action being taken to protect the natural environment. 

The email purports to be from environmental activist Greta Thunberg. In a bid to appear more authentic, the sign-off references a genuine accolade recently awarded to Thunberg—being named Time Person of the Year 2019. 

The email states that the time and location of the non-existent demonstration are included in a Microsoft Word document "Support Greta Thunberg.doc," which is attached to the email. When the victim opens the document, the Emotet malware is installed on their computer. 

Emotet is a banking Trojan that has been around since 2014 and has recently made a significant comeback. In the 2019 Q3 Threat Report by Proofpoint, researchers found that Emotet accounted for nearly 12% of all malicious emails in that quarter.

As if exploiting the positive actions of a teenager and public concern over the future of the planet wasn't enough, the emotionally manipulative scammers stooped even lower by throwing Christmas and children into the mix.  

The content of the malicious email reads: "Merry Christmas. You can spend Christmas Eve looking for gifts for children. They will tell you Thank you only that day. But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis."

Proofpoint researchers who detected this festive incarnation of Emotet wrote: "This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season."

Sickeningly, the threat actors appeared to be specifically targeting .edu domains used by students. 

"We saw more .edu domains attacked than domains associated with any specific country," wrote Proofpoint researchers. 

Versions of the same malicious email have been doing the rounds in a variety of languages, including Spanish, Italian, French, and Polish. 

The one positive takeaway is that the threat actors’ topic of choice signals growing global awareness of Thunberg and the issues for which she advocates. 

Proofpoint researchers noted that the campaign "serves as a mark of how significant environmental awareness has become and how well-known Greta Thunberg is globally."

Categories: Cyber Risk News

100% Rise in Number of UK Businesses Paying Hacking Ransoms

Info Security - Fri, 12/20/2019 - 15:22

New research into the attitudes and beliefs of cybersecurity professionals has identified a sharp rise in the number of businesses paying up when stung by a ransomware attack.

The 2019 Global Security Attitude Survey Report by California cybersecurity technology company CrowdStrike shows that the number of organizations globally paying ransoms following supply-chain attacks has more than doubled, from 14 to 39 percent, in the past year.

In the UK, over the same time period, the number of businesses coughing up their money after being held to ransom by threat actors has increased by 100 percent from 14 percent to 28 percent. 

On a more positive note, it takes UK organizations on average 39 hours to detect an adversary, versus a sluggish global average of 120 hours.

Over three-quarters (77 percent) of survey respondents admitted that their organization had experienced a supply-chain attack at least once at some point in time, up from 66 percent in 2018. However, compared to last year, more businesses said that they were prepared for such an incident. 

Over half (52 percent) of those hit by a software supply-chain attack in 2019 had a comprehensive strategy in place at the time, compared to only just over a third (34 percent) 12 months ago. 

"Reacting with speed to next-generation, persistent and pervasive threats requires the power of the cloud and crowdsourced data on the real threats facing organizations, whether they are malicious files or from file-less behaviors," said John Titmus, senior director, sales & solution engineering, EMEA region, CrowdStrike. 

"The solution to these threats lies within the power of the cloud and AI to leverage vast data sets to spot indicators of attack before those attacks break out and become breaches. Then organizations react at the speed required to beat organized cybercriminals and nation-state adversaries."

The 2019 Global Security Attitude Survey Report is based on responses from 1,900 senior IT decision-makers and professionals from across the US, Canada, UK, Mexico, Middle East, Australia, Germany, Japan, France, India, and Singapore, working in a wide range of industries. Responses were recorded in the fall of 2019.

Categories: Cyber Risk News

UK Police in the Dock as Device Losses Soar 150%

Info Security - Fri, 12/20/2019 - 10:51

UK police officers and staff reported on average four lost or stolen devices every day over the most recent financial year, according to newly released data.

Think tank Parliament Street obtained the data through Freedom of Information (FOI) requests to 22 forces across the country, to better understand their risk exposure from mobiles, tablets, laptops, radios, USBs and other devices.

In total, 2600 of these devices were reported lost or stolen over the past three financial years, with around half (1360) reported in the financial year 2018-19.

This amounts to an increase in lost/stolen devices of 150% from the 544 reported missing in 2016-17.

The worst offender was West Midlands Police, which reported 1012 missing devices over the three-year period. This included 16 laptops, 112 mobile phones and 884 police radios, 494 of which went missing last year.

There was a big drop-off before second-placed Staffordshire Police, which reported 277 lost or stolen devices, and third-placed Greater Manchester Police (225).

Those which saw the biggest increase in missing equipment between 2016 and 2019 were Gwent Police, which reported a 2500% jump, Norfolk and Suffolk Constabulary (1,500%) and Durham (200%).

Absolute Software VP EMEA, Andy Harcup, argued that most of these devices would have contained sensitive data on police investigations, including confidential information about criminals, suspects and victims.

“Everyone recognizes the loss of laptops and mobiles in the line of duty is inevitable, so it’s vital that forces have the necessary systems in place to track and freeze equipment when it falls into the wrong hands,” he added.

“This approach can help improve cybersecurity standards, protect the privacy of individuals and prevent criminals and opportunistic thieves from misusing police devices and stealing data.”

It’s not just the police that are exposed to cyber-risk related to device loss. UK government workers reported over 500 lost or stolen devices over the past year, while at the Ministry of Defence, missing device reports soared 300% over the past two years.

It's unclear whether the majority of devices reported lost or stolen by the police were password protected, encrypted, and/or fitted with remote wipe capabilities, as best practice requires.

Categories: Cyber Risk News

Data Leak Exposes 267 Million Facebook Users

Info Security - Fri, 12/20/2019 - 10:20

A database of 267 million Facebook user IDs, phone numbers, and names was left exposed online for a fortnight thanks to another cloud misconfiguration, according to researchers.

The trove was likely to have been the result of an illegal scraping operation carried out by cyber-criminals, according to consultant Bob Diachenko and researchers at Comparitech.

“One possibility is that the data was stolen from Facebook’s developer API before the company restricted access to phone numbers in 2018. Facebook’s API is used by app developers to add social context to their applications by accessing users’ profiles, friends list, groups, photos, and event data. Phone numbers were available to third-party developers prior to 2018,” explained Comparitech’s Paul Bischoff.

“Diachenko says Facebook’s API could also have a security hole that would allow criminals to access user IDs and phone numbers even after access was restricted. Another possibility is that the data was stolen without using the Facebook API at all, and instead scraped from publicly visible profile pages.”

The researchers warned that such a large database of sensitive information could be used in major spam, phishing and smishing campaigns.

The database itself was first indexed on December 4, with the data posted on a hacker forum eight days later. Diachenko discovered it on December 14 and notified the ISP managing the IP address, and five days later it was made unavailable.

The original leak came about because of a misconfigured Elasticsearch cluster.

This is just the latest in a long line of data leaks stemming from unsecured cloud databases. In November personal data on over one billion individuals harvested by data enrichment companies was found exposed.

Then in December, over one billion email-password “combos” were found in a similar way by Diachenko. They’re thought to have been stolen or bought by hackers.

Categories: Cyber Risk News

Court's Opinion Good News for EU-US Data Flows

Info Security - Fri, 12/20/2019 - 09:46

An EU court ruling yesterday has raised questions over the validity of the Privacy Shield data sharing framework between Europe and the US, although it confirmed the legality of standard contractual clauses (SCCs), with caveats.

The opinion of advocate general (AG) of the EU Court of Justice, Henrik Saugmandsgaard Øe, stems from the infamous Facebook-Max Schrems case in which a complaint by the latter claimed that transfer of his data from the EU to the US by the social network infringed his privacy rights.

That led to the end of the Safe Harbor data sharing agreement between the EU and US in 2015, because the latter’s bulk surveillance programs, as revealed by Edward Snowden, were considered to imperil Europeans’ privacy rights without providing any adequate means of redress.

The new opinion issued by the advocate general indicates the EU still has concerns over Safe Harbor’s successor, Privacy Shield.

“According to the advocate general, the resolution of the dispute in the main proceedings does not require the court to rule on the validity of the ‘privacy shield’ decision, since that dispute concerns only the validity of Decision 2010/87,” a statement from the Court of Justice noted.

“Nevertheless, the advocate general sets out, in the alternative, the reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”

However, SCCs are still a valid and legal way to transfer data to and from a “third country” (i.e. one outside the EU), despite the US surveillance regime, the opinion found.

The caveat is that data protection authorities in the trading bloc must keep an eye on the conditions within these third countries.

There is an obligation on them “to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with.”

Overall, this is good for business and will ease fears about data flows post-Brexit as the UK will effectively become a third country at that time, according to experts.

“The advocate general’s opinion that the EU SCCs remain valid will be welcomed by business on both sides of the Atlantic, as the SCCs are one of the key mechanisms that underpin transfers of personal data to countries outside of the EU, including to the US,” said Bridget Treacy, partner at law firm Hunton Andrews Kurth.

“Despite the continuing validity of the SCCs, the AG points out that businesses that rely on the clauses still need to assess whether the recipient can comply with the clauses in relation to each particular transfer, and suspend transfers when that is not the case. Furthermore, EU data protection supervisory authorities have the power to suspend data transfers pursuant to the SCCs when an adequate level of protection for personal data cannot be provided in light of local laws and practices in the recipient country.”

The AG’s opinion is not legally binding, but the European Court of Justice, which is hearing the case next year, usually follows the same thinking.

Categories: Cyber Risk News

Australia to Launch First ACS-Accredited University Cybersecurity Course

Info Security - Thu, 12/19/2019 - 18:54

Australia's Deakin University is to launch the country's first cybersecurity course accredited by the Australian Computer Society (ACS).

The ACS is the only body in Australia with the power to accredit IT and ICT courses. Only recently did it add cybersecurity to its accreditations.

Deakin University is the first educational establishment to be awarded specialist course accreditations in cybersecurity by the ACS, with five Deakin degrees and master's programs receiving recognition.

Yohan Ramasundara, president of ACS, said: "ACS has long been recognized as the accrediting body for technology-related degrees and post-graduate qualifications related to initial professional practice.

"With the growing need for expertise in cybersecurity for our evolving and growing digital economy, introducing recognition for specialist cybersecurity qualifications and expertise was a must."

ACS accreditation is awarded to an institution and its programs after a rigorous evaluation of their capacity to produce graduates who have the knowledge and skills required of a professional. Currently, there are more than 340 programs offered by over 40 institutions that are accredited by the ACS as meeting graduate standards for initial professional practice. 

Professor Karen Hapgood, Deakin’s executive dean of science, engineering and built environment, said the university's new cybersecurity accreditation demonstrated the high quality and academic integrity of its cybersecurity courses.

"Deakin is proud to be able to offer students a fully accredited cybersecurity course that will be recognized industry-wide and overseas," Professor Hapgood said.

"It certainly endorses the high-quality curriculum and the high quality of academic staff teaching our courses, and validates Deakin’s decision last year to update its cybersecurity courses in line with industry and world needs.

"As cybersecurity becomes more important to our national and global security than ever before, it is vital that students can take comfort that they are being taught at the highest possible level."

Around 500 students study a Bachelor or Master of Cybersecurity at Deakin each year, with an average annual intake of 150 students. The university launched the courses three years ago.

While cybersecurity courses are currently offered at many universities and other educational institutions across Australia, until now none of these courses had been accredited by an external and independent body.

Categories: Cyber Risk News

Audit Faults Massachusetts' Information Security

Info Security - Thu, 12/19/2019 - 18:12

Massachusetts' Department of Revenue is not doing enough to protect the sensitive information of taxpayers. 

A recent report on the cybersecurity protocols of the Department of Revenue (DOR), compiled by auditor of the commonwealth Suzanne Bump, found that the DOR had no system in place to assess and document third-party vendor risks.

Furthermore, the audit found that the DOR had no documented and tested incident response procedures and had not established an information technology strategy committee. 

The department previously had a security review board, but the board has not been active since early 2017.

"Without a committee or board charged with governing DOR’s IT environment, responsibility for IT governance and risk is not clear. This can result in information security risks and investments not being aligned with business needs," states the report.

"Without documented and tested incident response procedures, there is a higher-than-acceptable risk that DOR may not be able to respond properly to information security incidents, which may result in delayed identification of an incident, additional loss of data, or negative public opinion."

The audit revealed that the DOR had failed to agree an interdepartmental service agreement (ISA) with the Executive Office of Technology Services and Security (EOTSS) that defined and documented updated roles and responsibilities, despite having three years in which to do so.

The report states: "DOR management officials told us that they had been trying for three years to negotiate an ISA with EOTSS. They mentioned organizational and managerial changes at EOTSS as a cause of the delay."

No instances in which sensitive data had been compromised were discovered, but Bump’s office found that the DOR "was not prepared to respond to or mitigate cyber-attacks it or its vendors face" and "did not have procedures in place to guide its response to IT security incidents."

"The whole infrastructure for data security was missing at the Department of Revenue," Bump said in an interview that aired Sunday morning on Boston TV show On the Record.

The report, which was published on December 13, covered the DOR’s IT and security-related activities from July 2016 through December 31, 2018.

Categories: Cyber Risk News

Cybersecurity a Growing Concern for America's Corporate Lawyers

Info Security - Thu, 12/19/2019 - 16:32

New research into litigation trends has identified cybersecurity as a major new source of legal disputes in the United States.

The 2019 Litigation Trends Annual Survey conducted by global law firm Norton Rose Fulbright questioned corporate counsel about dispute-related issues and concerns.

Of the 287 lawyers polled, 44 percent said that they foresee cybersecurity and data protection as a new source of disputes during the next few years.

The results of the 2017 and 2018 editions of the Litigation Trends Annual Survey saw cybersecurity and data protection concerns coming to the forefront as a key challenge in dispute management. However, the trend saw a marked rise this year, with respondents reporting an increase in the number of disputes triggered by data privacy issues.

From 2018 to 2019, the number of in-house counsel who rated cybersecurity and data privacy as the most important litigation issue they faced doubled. More than half of those surveyed (52 percent) feel more exposed than previously to such disputes.

Respondents to Norton Rose Fulbright's survey said that their concern over cybersecurity stemmed from the volume of threats, the creativity of threat actors, and the sensitivity of the data content. Counsel were also worried about some jurisdictions’ enactment of stringent data privacy laws.

Rapid growth in the size of the organization was also a key factor. One respondent quoted in the research wrote: "We’re growing at such a fast rate, in terms of the number of companies and the volume of work in the insurance industries, we have a large number of consumer-facing data points, so our consumer data retention is probably tripling yearly."

Companies in 2019 whose in-house counsel took part in the survey spent $1.5m on average on disputes and employed 2.5 disputes lawyers per $1bn of revenue.

Researchers found that more than 80 percent of companies conduct third-party and/or in-house assessments of cybersecurity and data protection risks, and such assessments are helpful in reducing these types of risks.

Other findings of the research are that counsel predict a rise in litigation caused by an anticipated economic downturn. Thirty-five percent of corporate counsel—8 percent more than in 2018—expect disputes to increase in the next year. Nearly two-thirds of corporate lawyers said economic downturns lead to an increase in litigation cases.

Introduced in 2004, Norton Rose Fulbright's Litigation Trends Annual Survey is the longest-running survey of corporate counsel on litigation issues and trends.


Honda Leak Hits 26,000 North American Customers

Info Security - Thu, 12/19/2019 - 10:56

Honda has become the latest big-name brand to expose the personal information of countless customers because of a cloud misconfiguration.

The carmaker’s North America business leaked around 26,000 unique customer records thanks to an unsecured Elasticsearch cluster, according to security researcher Bob Diachenko.

He found 976 million records in total in the exposed database, one million of which held information about Honda owners and their vehicles, including names, contact details and vehicle information.

Although he was unable to confirm the volume of exposed records, Honda put the figure at just shy of 30,000.

“We are basing this number on a detailed review of the databases on this server, eliminating duplicate information and eliminating the data that does not contain consumer PII,” it said in a statement sent to Diachenko. “We can also say with certainty that there was no financial, credit card or password information exposed on this database.”

On the plus side, the company acted promptly to resolve the security issue, shutting the server on December 13, just a day after it was informed. However, it claimed the misconfiguration happened on October 21 and the database was first indexed by search engine BinaryEdge on December 4, leaving plenty of time for hackers to potentially scan for and find the trove.

Diachenko warned that the exposed customer data could be used to craft convincing follow-on phishing emails.

“The security issue you identified could have potentially allowed outside parties to access some of our customers’ personal information. We quickly investigated this issue, determined the specific breach in protocol, and took immediate steps to address the vulnerability,” the statement continued.

“Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations.”

The incident comes just months after Honda leaked 40GB of data on its internal security systems, via another unsecured Elasticsearch server.


Former Palo Alto IT Admin in Insider Trading Charges

Info Security - Thu, 12/19/2019 - 10:24

A former IT administrator at Palo Alto Networks and four others have been charged with insider trading, in a three-year conspiracy said to have netted them over $7 million in profits.

According to a complaint filed by the SEC, Janardhan Nellore used his IT credentials and work contacts to access confidential information about his former employer’s financial performance and quarterly earnings.

He then allegedly traded Palo Alto Networks shares based on that information, and tipped off four friends: Sivannarayana Barama, Ganapathi Kunadharaju, Saber Hussain, and Prasad Malempati.

To cover up the scam, he is alleged to have told the group to use the code word “baby” to refer to the technology company’s stock. It’s also claimed that some of the group kicked back profits to Nellore in small sums to avoid scrutiny.

Nellore is said to have bought one-way tickets to India for himself and his family following an interview with the FBI, and was arrested at the airport. Reports suggest the group made over $7 million from insider trading activity that ran from 2015 to 2018.

“As alleged in our complaint, Nellore and his friends exploited Nellore’s access to valuable earnings information and attempted to hide their misconduct using code words and carefully tailored cash withdrawals,” said Erin Schneider, director of the SEC’s San Francisco Regional Office. “This case highlights our use of enhanced data analysis tools to spot suspicious trading patterns and identify the traders behind them.”  

Nellore and Barama are also the subject of criminal charges issued by the US Attorney’s Office for the Northern District of California.

Insider trading is increasingly facilitated by unauthorized IT access to digital information. In January this year, two Ukrainian nationals were charged with hacking the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, which stores documents related to company disclosures including test filings made before announcements go public.

They then allegedly sold this information to insider traders, making over $4 million in the process.


FBI: Don’t Dabble with Public Wi-Fi This Holiday Season

Info Security - Thu, 12/19/2019 - 09:40

The FBI has issued a warning to holiday travelers not to use public Wi-Fi on the road this Christmas because of cybersecurity concerns.

As internet users cross countries and continents to be with friends and family over the holiday period, the Feds argued that Wi-Fi hotspots should be avoided.

“Don’t allow your phone, computer, tablet, or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device. They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera,” it said in a “Tech Tuesday” post this week.

“If you do need to connect to a public hotspot — such as at an airport or hotel — make sure to confirm the name of the network and the exact login procedures. Your goal is to avoid accidentally connecting to a fraudster’s Wi-Fi that they are trying to make look legit.”

If using a public hotspot is unavoidable, the FBI urged users not to log in to any sensitive accounts such as online banking. Where possible, the Bureau advised individuals to use their smartphones as a private hotspot for other devices.

Although these best practices have long been promoted by the information security community, users, including business travelers, continue to expose themselves to unnecessary risks by using public Wi-Fi without adequate security.

A 2018 study from iPass revealed that 81% of global IT leaders had recorded staff Wi-Fi-related security incidents over the previous year.

VPNs are seen as the best way to ensure traffic and web browsing sessions are protected from Wi-Fi snoopers. However, UK IT leaders were least confident (38%) that their mobile workers are using a VPN every time they go online.

The FBI warning comes just weeks after LA County’s district attorney issued a public security notice warning people not to use public USB charging points for fear of so-called “juice jacking” malware attacks.


US Senators Introduce Bill to Protect Schools Against Cyber-Threats

Info Security - Wed, 12/18/2019 - 17:58

A bill designed to enhance the cybersecurity of K–12 schools was introduced to the US House of Representatives on Monday. 

If passed into law, the K-12 Cybersecurity Act would require the Department of Homeland Security (DHS) to create a list of cybersecurity recommendations and a cybersecurity toolkit for educational institutions to use when making improvements to their cyber-protections. 

The bill was introduced by Senators Rick Scott and Gary Peters, who both serve on the Senate Homeland Security Committee. 

Peters, who also serves on the Governmental Affairs Committee, said: "Schools across the country are entrusted with safeguarding the personal data of their students and faculty, but lack many of [the] resources and information needed to adequately defend themselves against sophisticated cyber-attacks."

Support for the bill has been expressed by the National Education Association, the American Federation of Teachers, the National Association of Secondary School Principals, and the Consortium for School Networking.

It would further require the DHS to research and report back on the overall cyber-risks faced by schools.

Scott said: "The safety of our schools is always my top priority, and that includes protecting the information of our students and teachers. I’m proud to sponsor the K–12 Cybersecurity Act of 2019 to further protect our schools, students and educators, and give them the resources they need to stay safe."

The bill closely mirrors the State and Local Government Cybersecurity Improvement Act, which was introduced to the House in August but has yet to see any action.

According to data collected by Armor, over 1,000 schools in the United States have been affected by ransomware alone in 2019. In Louisiana, Governor John Bel Edwards declared a statewide emergency in July in response to ransomware attacks on three school districts.

It isn't just malware that poses a risk to American schools. In August 2019, a high school in Spotsylvania County, Virginia, wired $600,000 to a fraudulent football field turf provider after being deceived in an elaborate email phishing scam.

"School districts are a treasure trove for cyber-criminals seeking to pilfer valuable information, such as social security numbers and financial information until a ransom has been paid. From January through November of this year, SonicWall detected almost nine million intrusion attempts, demonstrating the tenacity and dedication of online threats and threat networks," commented Bill Conner, CEO of cybersecurity firm SonicWall.


Siemens Contractor Jailed for Planting Logic Bombs

Info Security - Wed, 12/18/2019 - 17:05

A Siemens contractor who sabotaged computer programs so that he would later be re-hired to fix them has been jailed.

David Tinley of Harrison City, Pennsylvania, pleaded guilty in federal court to a charge of intentional damage to a protected computer back in July 2019. 

Between 2014 and 2016, the 62-year-old computer programmer inserted malicious pieces of code known as logic bombs into software used at the Monroeville branch of Siemens in Pennsylvania. The logic bombs were designed to unleash code that would cause the software to malfunction after specific circumstances arose.

"The logic bombs ensured that the programs would malfunction after the expiration of a certain date. As a result, Siemens was unaware of the cause of the malfunction and required Tinley to fix these malfunctions," reads a statement released July 19, 2019, by the United States Attorney's Office of the western district of Pennsylvania.

Deceived by Tinley's despicable ruse, Siemens reputedly paid tens of thousands of dollars to the contractor to fix the masterfully orchestrated problems of his own sinister creation. According to a pre-sentence memorandum, Tinley paid Siemens $42,000 in restitution for that work.

For his criminal actions, Tinley faced a maximum prison term of 10 years and a maximum fine of $250,000. On Monday, December 16, United States District Judge William S. Stickman handed the corrupt contractor a six-month federal prison sentence and ordered him to pay a $7,500 fine.

Once his custodial sentence has been served, Tinley will spend a further two years under court-ordered supervision.

According to Law360 (registration required), the computer programs that prosecutors said Tinley had damaged were in fact spreadsheets that Siemens used to manage orders. 

Siemens rumbled Tinley's logic bomb–planting scheme in May 2016, when the contractor, who was out of town and unable to visit the office to carry out a fix in person, was able to provide a password that unlocked the spreadsheets to Siemens staff. 

Assistant United States Attorney Shardul S. Desai prosecuted this case on behalf of the government.

United States Attorney Scott W. Brady lauded the Federal Bureau of Investigation for its investigation, which led to the successful prosecution of Tinley.


LifeLabs Pays to Secure Sensitive Customer Data After Cyber-Attack

Info Security - Wed, 12/18/2019 - 15:59

A Canadian laboratory testing company has made a payment to secure the sensitive information of millions of customers that was exposed during a cyber-attack.

LifeLabs opted to pay up after criminals gained unauthorized access to the information of 15 million customers. Most of the customers impacted were in British Columbia and Ontario.

In an open letter to customers, president and CEO of LifeLabs Charles Brown said customer information exposed in the incident may have included names, addresses, email addresses, logins, passwords, dates of birth, health card numbers, and lab test results.

The information accessed by the cyber-criminals has not been exposed publicly. 

Brown wrote: "I want to emphasize that at this time, our cybersecurity firms have advised that the risk to our customers in connection with this cyber-attack is low and that they have not seen any public disclosure of customer data as part of their investigations, including monitoring of the dark web and other online locations."

After identifying that a data breach had occurred, the laboratory engaged security experts to isolate and secure the affected systems and determine the scope of the incident. 

LifeLabs then took steps to strengthen their system against future attacks and paid an undisclosed amount to retrieve the data that had been accessed.

Brown wrote that the payment had been made "in collaboration with experts familiar with cyber-attacks and negotiations with cyber-criminals."

The laboratory's investigation into the incident indicates that the lab-test results of around 85,000 Ontario customers, who underwent tests in 2016 or earlier, may have been impacted in the incident. Similarly, any health information accessed by cyber-criminals is thought to have dated from 2016 or earlier.

LifeLabs has offered any customers who are concerned about this incident a year's worth of free security protection that includes dark-web monitoring and identity-theft insurance.

Brown wrote that the attack occurred despite the laboratory's efforts to increase their cybersecurity in recent years. 

"While we’ve been taking steps over the last several years to strengthen our cyber defenses, this has served as a reminder that we need to stay ahead of cybercrime, which has become a pervasive issue around the world in all sectors," wrote Brown.

Brown gives no indication as to where the attack originated, when it happened, or who perpetrated it. 

Government partners were notified of the breach on October 28, and the incident is currently under investigation by law enforcement.


Data Leak Exposes Thousands of US Defense Contractor Staff

Info Security - Wed, 12/18/2019 - 11:44

A digital consultancy has accidentally leaked the personal details of thousands of US defense contractor employees after yet another misconfiguration of cloud infrastructure, it has emerged.

Washington DC-based IMGE accidentally exposed the names, phone numbers, home and email addresses of more than 6,000 Boeing staff, according to The Daily Beast.

The trove featured government relations staff and senior executives, including one who apparently worked at the contractor’s advanced prototyping unit on highly sensitive technologies.

“This information was exposed as a result of human error by the website’s vendor,” a Boeing spokesperson told the news site. “Boeing takes cybersecurity and privacy seriously and we require our vendors to protect the data entrusted to them. We are closely monitoring the situation to ensure that the error is resolved quickly.”

The information itself is said to have been harvested by IMGE from a website called Watch US Fly, dedicated to “advancing and protecting American aerospace and manufacturing.”

That site requests that supporters leave their contact details for future campaigns and in order to direct their demands to fund Boeing projects to the right lawmakers, according to the report.

However, the site is blocked in the UK, so Infosecurity could not confirm these details.

It’s unclear how long the data was left exposed in the Amazon S3 bucket, although the Boeing employees were just a small fraction of the 50,000 individuals whose personal information was reportedly compromised by the snafu.

Chris DeRamus, CTO of DivvyCloud, explained that cloud misconfigurations like this are increasingly common as many users aren’t familiar with cloud security settings and best practices.

“It is especially concerning that the database contained information about 6,000 Boeing employees, many of whom are heavily involved with the US government and military, as the exposed data is more than enough information for cyber-criminals to launch highly targeted attacks against those impacted to gain more confidential government information,” he added.

“Companies who manage large amounts of sensitive data, especially data related to government and military personnel, need to be proactive in ensuring their data is protected with proper security controls. Companies must adopt robust security strategies that are appropriate and effective in the cloud at the same time they adopt cloud services – not weeks, months, or years later.”
