Feed aggregator

National Gallery Fought Nearly Two Million Email Cyber-Attacks in 2019

Info Security - Mon, 03/23/2020 - 12:00

The National Gallery was subjected to nearly two million email cyber-attacks last year, official data received by Absolute Software has revealed. Obtained via a Freedom of Information request, the figures reveal the lengths to which cyber-criminals went in trying to steal the personal and financial data of members of the major tourist attraction.

The gallery, which attracts over five million visitors every year, was hit by an astonishing total of 1,875,250 email cyber-attacks in 2019. These came in a variety of forms, including spam and virus attempts.

Andy Harcup, vice-president, Absolute Software, said: “It’s clear that cyber-criminals are mastering the art of malicious email attacks, designed to infiltrate the National Gallery and steal confidential data. With millions of visitors every year and tens of thousands of members, it’s vital that London’s leading tourist hotspots have the right systems in place to protect devices from infiltration.”

The charity, which is a non-departmental public body of the Department for Digital, Culture, Media and Sport, prevented a wide range of sophisticated attacks from reaching their destination. The gallery’s blocked-email-address software quarantined 1,176,656 different attack attempts, while its detection software blocked 18,378 spam emails and 443,741 attempted connection emails. A further 179,844 emails were stopped under the category of anti-spoofing lockout and 10,959 were registered as manual envelope rejection. Finally, another 2,810 emails were blocked under the category of Simple Mail Transfer Protocol (SMTP).

“With many major museums now closed due to the COVID-19 outbreak, it’s critical that enterprises have full visibility of the assets allocated to remote workers as well as always having control of those assets in case of the need to take action,” added Harcup.

“It is also necessary to ensure that critical end-point cybersecurity and connectivity controls such as encryption, anti-malware and VPN client software are present and connected. The ability to lock down an endpoint and ensure the safety of the data contained on it in any emergency should be a top priority for any IT team.”

Categories: Cyber Risk News

Sextortion Scam Threatens to Infect Victims with #COVID19

Info Security - Mon, 03/23/2020 - 11:15

Online extortionists are now threatening email victims with COVID-19 infection if they don’t pay thousands of dollars, marking yet another evolution in their scam tactics.

Sophos reported the sextortion scam, which follows a similar pattern to others of this type. The attackers divulge previously breached information on the victim, in this case one of their passwords, to lend credence to their claims that they have “every dirty little secret about your life.”

“Tο sταrt with, I κηοw all of yοur passwords. I αm awαre of your whereαbοuτs, what yοu eaτ, wιth whοm you tαlk, every liττle τhing yοu do in α day,” the email continues.

However, instead of directly threatening to release a compromising webcam video of the victim watching adult content, the scammers take another tack in this attack.

“What αm Ι cαpable οf dοιηg? Ιf I wαηt, I cοuld eνen infect yοur whοle fαmily with τhe CοronαVirus, reνeαl all of yοur secrets. There αre cοunτless τhiηgs I cαn dο,” they write.

Interestingly, they have used Greek characters in place of similar-looking English letters such as A, N, O, T and V to disguise the words from the text-matching techniques used by email security filters.

The use of COVID-19 in this attack is just one of many examples of cyber-criminals using widespread anxiety over the pandemic to further their own agendas.

Most common are phishing attempts designed to trick users into clicking on a malicious link or opening a malware-laden attachment with the promise of finding out more info on the virus.

Recipients of this latest sextortion scam are required to pay $4000 in Bitcoin within 24 hours.

“Ι wιll iηfect eνery member οf your family with τhe CοronαVιrus. No matter how smart yοu αre, belieνe me, ιf Ι waητ to αffect, Ι caη,” the note concludes. “Ι will also gο αheαd aηd reνeαl yοur secreτs. Ι will comρletely ruiη yοur lιfe.”
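As an added example (not code from Sophos or from the article), the following Python normalizes the Greek-for-Latin substitutions in the three quoted message fragments and shows which keywords a plain text-matching filter would miss before normalization. The keyword list, the homoglyph table and the script-mixing threshold are constructed assumptions for this illustration.

```python
# Added example: undo Greek-for-Latin homoglyph substitution so keyword filters
# see the words a human reader sees, and flag words that mix the two scripts.
import unicodedata

# Greek letters that impersonate Latin letters, mapped to the Latin letter they
# stand in for. Lowercase entries cover every substitution visible in the quoted
# emails; uppercase entries are the matching capitals (constructed table).
GREEK_TO_LATIN = {
    "α": "a", "ο": "o", "ι": "i", "κ": "k", "η": "n", "τ": "t", "ν": "v", "ρ": "p", "υ": "u",
    "Α": "A", "Β": "B", "Ε": "E", "Ζ": "Z", "Η": "H", "Ι": "I", "Κ": "K", "Μ": "M",
    "Ν": "N", "Ο": "O", "Ρ": "P", "Τ": "T", "Υ": "Y", "Χ": "X",
}

# Terms a sextortion/COVID-19 filter might look for (constructed for this example).
KEYWORDS = ("coronavirus", "infect", "passwords", "secrets", "bitcoin")

# The message fragments quoted in the article, used here as sample input.
SAMPLES = [
    "Tο sταrt with, I κηοw all of yοur passwords. I αm awαre of your whereαbοuτs, "
    "what yοu eaτ, wιth whοm you tαlk, every liττle τhing yοu do in α day,",
    "What αm Ι cαpable οf dοιηg? Ιf I wαηt, I cοuld eνen infect yοur whοle fαmily "
    "with τhe CοronαVirus, reνeαl all of yοur secrets. There αre cοunτless τhiηgs I cαn dο,",
    "Ι wιll iηfect eνery member οf your family with τhe CοronαVιrus. No matter how smart "
    "yοu αre, belieνe me, ιf Ι waητ to αffect, Ι caη, Ι will also gο αheαd aηd reνeαl "
    "yοur secreτs. Ι will comρletely ruiη yοur lιfe.",
]


def normalize_homoglyphs(text):
    """Replace each look-alike Greek letter with the Latin letter it imitates."""
    return "".join(GREEK_TO_LATIN.get(ch, ch) for ch in text)


def _script(ch):
    """Return 'GREEK', 'LATIN' or None for a character, based on its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("GREEK", "LATIN"):
        if name.startswith(script):
            return script
    return None


def mixed_script_words(text):
    """Words that mix Greek and Latin letters: a strong obfuscation signal, since
    genuine Greek text does not interleave scripts inside a single word."""
    found = []
    for word in text.split():
        scripts = {_script(ch) for ch in word if ch.isalpha()}
        if {"GREEK", "LATIN"} <= scripts:
            found.append(word)
    return found


def matched_keywords(text):
    """Keywords present in the text exactly as written (what a naive filter sees)."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


def analyze(text):
    """Compare raw and normalized keyword hits and count mixed-script words."""
    normalized = normalize_homoglyphs(text)
    raw_hits = matched_keywords(text)
    norm_hits = matched_keywords(normalized)
    mixed = mixed_script_words(text)
    return {
        "normalized": normalized,
        "keywords_raw": raw_hits,
        "keywords_normalized": norm_hits,
        # Keywords the substitution hid from a filter that does not normalize.
        "hidden_keywords": [k for k in norm_hits if k not in raw_hits],
        "mixed_script_words": len(mixed),
        # Flag obvious script mixing, or a keyword that only appears after normalization.
        "suspicious": len(mixed) >= 3 or len(norm_hits) > len(raw_hits),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze(sample)
        print(result["normalized"])
        print("  hidden keywords:", result["hidden_keywords"],
              "| mixed-script words:", result["mixed_script_words"])
```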

Categories: Cyber Risk News

Military Secrets Exposed by UK Printing Company

Info Security - Mon, 03/23/2020 - 10:30

Security researchers have warned that as many as 100,000 customers of a UK-based printing company including military organizations may have had sensitive personal and business documents exposed in another cloud leak.

Researchers at vpnMentor found the misconfigured Amazon Web Services S3 bucket on January 22. They quickly discovered its owner was Doxzoo, a British document printing and binding company with global clients.

However, despite boasting multiple ISO accreditations on its website, including information security standard ISO 27001, the firm never responded to vpnMentor’s outreach and only closed the leak around 20 days later when the researchers reached out directly to AWS.

The 343GB database itself contained over 270,000 records from a range of clients, including “complete scripts and screenplays, full-length books, sought-after paid wellness plans and internal military handbooks,” vpnMentor said.

“They also get requests from private individuals who order family scrapbooks (complete with pictures of the kids), bachelorette souvenirs with potentially compromising photos of the bride-to-be, and more,” it continued.

“Additionally, Doxzoo seems to regularly request full scans of photo IDs (such as passports) to fulfill orders.”

Affected customers came from the UK, US, Nigeria, India, Sri Lanka and potentially elsewhere.

The data leak could have led to identity theft of individual customers whose personal information was exposed, and potentially more serious compromise of military security, the researchers claimed.

There are also potential copyright issues if hackers had decided to upload the works they found in the trove to a sharing site. Alongside full-length books and screenplays, the vpnMentor team claimed to have found scripts for one of the world’s “top TV series.”

The privacy snafu is just the latest in a long line uncovered by vpnMentor. Others include data leaks from Canadian telco Freedom Mobile; Best Western Hotels and Resorts Group; sports retailer Decathlon; and photo app PhotoSquared.

Categories: Cyber Risk News

Leaked Plans Reveal Mirai-Like Russian IoT Botnet

Info Security - Mon, 03/23/2020 - 09:43

A hacking group has released details of a Russian intelligence project to build a Mirai-like IoT botnet.

Digital Revolution is well known for hacking organizations that do business with the Federal Security Service (FSB). Last week it published technical documents detailing a project known as “Fronton.”

It proposes a scheme to compromise unsecured smart devices by cracking their factory default passwords. The resulting zombie devices would be formed into a botnet and used to launch DDoS attacks on FSB targets.

Originally created in 2017-18, the 12 documents list the Fronton, Fronton-3D and Fronton 18 projects.

They appear to be the work of Moscow-based FSB contractor, 0Day, which Digital Revolution claimed to have hacked back in April 2019.

It may have been commissioned to do so by a main contractor known as InformInvestGroup CJSC by order of military unit No. 64829, aka the FSB Information Security Center, according to BBC Russia.

The leaked documents specify that the botnet be 95% composed of IP cameras and digital video recorders, making it even more similar to Mirai, which caused major disruption to popular websites back in 2016 after launching a powerful DDoS attack at DNS provider Dyn.

The FSB’s IoT botnet was designed to be controlled by a C&C-based administrative tool obfuscated by VPNs and proxy servers.

Last July, Digital Revolution revealed more details of secret FSB projects after a major Russian defense contractor, SyTech, was breached.

One project, Nautilus-S, described an attempted de-anonymization of the Tor network, which began back in 2012.

Another was linked to an effort to harvest information on Russian social media users, whilst two more projects, dubbed Hope and Tax-3, were related to attempts by the Putin administration to split the country’s internet infrastructure from the global web.

Categories: Cyber Risk News

Former Waymo Executive Passed Trade Secrets to Uber

Info Security - Fri, 03/20/2020 - 17:51

A former executive of Google subsidiary Waymo has admitted stealing trade secrets and sharing them with Uber.

Anthony Scott Levandowski has agreed in a legal progress update document to plead guilty to swiping secret information regarding self-driving car technology from Waymo. The 39-year-old former executive stands accused of downloading 14,000 files from Waymo and sharing their contents with Uber.

The files in question contained information regarding Light Detection and Ranging (LiDAR) technology developed by Waymo. LiDAR is a laser-based scanning and mapping technology that uses the reflection of laser beams off objects to create a real-time 3D image of the world. 

Levandowski, of Marin County, California, allegedly downloaded onto an external hard drive 9.7 GB of highly confidential data from an internal password-protected Google server known as “SVN,” which was hosted on Google’s network. He then uploaded the files onto his personal laptop and took them with him when he left Waymo to set up his own startup business, Ottomotto. 

Ottomotto, which develops hardware and software for autonomous driving, was acquired by Uber Technologies in 2016 for $680m. 

The theft of the files was discovered when a Waymo employee was inadvertently copied in on an email from one of its LiDAR component vendors. The email attached machine drawings of what purported to be an Uber LiDAR circuit board but which bore a striking resemblance to Waymo’s own highly confidential and proprietary design.

In a complaint filed against Ottomotto LLC, Otto Trucking LLC, and Uber Technologies Inc in the United States District Court in February 2017 by Waymo LLC, the plaintiff states: "Fair competition spurs new technical innovation, but what has happened here is not fair competition. Instead, Otto and Uber have taken Waymo’s intellectual property so that they could avoid incurring the risk, time, and expense of independently developing their own technology. 

"Ultimately, this calculated theft reportedly netted Otto employees over half a billion dollars and allowed Uber to revive a stalled program, all at Waymo’s expense."

The complaint was settled in 2018, with Google accepting $245m of Uber stock. Then, in August 2019, the US Attorney's office indicted Levandowski on 33 charges, including the theft and attempted theft of trade secrets. 

Levandowski's plea deal proposes to admit guilt for only the charge of stealing a tracking document. Should the court accept his plea, Levandowski will face a maximum sentence of 10 years in prison and a fine of $250,000, plus restitution.

Categories: Cyber Risk News

Norwegian Cruise Line Suffers Data Breach

Info Security - Fri, 03/20/2020 - 15:53

A major cruise operator has suffered a data breach as the travel industry battles the storm created by the COVID-19 outbreak.

Information from a database belonging to Norwegian Cruise Line was discovered on the dark web by an intelligence team at DynaRisk on March 13. 

Data exposed in the incident included clear text passwords and email addresses used to log in to the Norwegian Cruise Line travel agent portal by agents working for companies including Virgin Holidays and TUI. 

DynaRisk said data relating to 29,969 travel agents was breached from the portal on the agents.ncl.eu website on March 12.

"After verifying that the data records are legitimate credentials, we notified a Norwegian Cruise Line representative immediately. Despite opening our message later that day, we received no response. After five days a representative responded to our team to discuss the breach," said a DynaRisk spokesperson.

DynaRisk said that the incident left agents who were "already vulnerable at this time" at higher risk of cybercrime. 

A DynaRisk spokesperson said: "They are now exposed to account takeovers on numerous platforms, sophisticated phishing emails and fraud, which could put further pressure on large travel agents or worse still, put smaller agents out of business."

Norwegian Cruise Line told Infosecurity Magazine: “It has recently come to our attention that the agents.ncl.eu website may have been compromised. In an abundance of caution, we are in the process of asking certain travel partners that may have been affected to change their password for the site and any site for which they may have used the same password, and to remain vigilant of any suspicious activity or emails.

"We believe limited personal information was involved, specifically names of travel agencies and business contact information such as business addresses and email. This appears to be a unique and isolated incident that involved only a regional travel partner portal which houses marketing materials and educational information and did not involve guest data. We are deeply committed to protecting the security and confidentiality of information and regret any concern this matter may have caused." 

Norwegian is the third cruise line this month to hit the cybersecurity headlines. Princess Cruises and Holland America Line both reported being hacked on March 2.   

Categories: Cyber Risk News

UAE Drops Cybercrime Charges Against American Who Insulted Vengeful Ex by Email

Info Security - Fri, 03/20/2020 - 14:31

An American who faced two years in a United Arab Emirates prison for calling her ex a "dirty animal" in an email has been released without charge.

Melissa McBurnie was accused of violating the UAE's strict cybercrime laws after allegedly sending an insulting email to an Egyptian ex-boyfriend, whom she said had been cyber-bullying and sexually harassing her for years. 

With the support of British advocate Radha Stirling, who works for UAE civil and criminal justice specialists Detained in Dubai, 57-year-old McBurnie was able to persuade UAE prosecutors to drop the charge against her.

Stirling's organization said that McBurnie's 58-year-old Egyptian ex had waged a four-year digital campaign designed to cause his former lover pain and embarrassment. 

The Egyptian allegedly sent intimate images of McBurnie to strangers and asked third parties to slander her online. He is also accused of sending McBurnie over 120 sexually explicit emails and text messages, some of which included pornographic videos in which he himself featured.

California-born McBurnie, who used to work as a personal assistant to celebrities including Rob Lowe, John Denver, and Joan Rivers, was arrested after allegedly retaliating to her former lover's digital abuse.

“He had stolen photographs of her and circulated them privately and even to the US Embassy,” Radha Stirling explained. 

“When she retaliated, she said, ‘I can’t believe you did that, you are a dirty animal.’ He then raised that with his lawyer and had her arrested.”

Under UAE cybercrime law it is strictly prohibited to insult anyone in any electronic format. 

“They can look through your history,” said Stirling, “and even if you've posted something on Facebook or Twitter from three years ago, and even from outside of the country, that could be considered offensive in the UAE.”

McBurnie, who had been living in the UAE since November, was arrested at the Khalidiya police station in Abu Dhabi on February 24. She was released from a detention that lasted two hours after posting $1,300 bail but was not permitted to leave the country.

Detained in Dubai used the media to raise awareness of McBurnie's case after learning that it wouldn't be heard until May and that the former PA could face two years behind bars. McBurnie has now left the UAE.

Categories: Cyber Risk News

Russian APT28 Group Changes Tack to Probe Email Servers

Info Security - Fri, 03/20/2020 - 12:10

The infamous Russian threat group known as APT28 or Pawn Storm has spent the past year scanning for vulnerable email, Microsoft SQL Server and Directory Services servers, in what appears to be something of a change in tactics.

The APT group, also known as Sednit, Sofacy and Strontium, has been responsible for some of the most explosive cyber-espionage campaigns of recent years, stealing sensitive information from the Democratic National Committee (DNC) that Hillary Clinton has claimed helped Donald Trump to power.

In line with the wishes of its Kremlin masters, the group also hacked the world anti-doping agency (WADA) multiple times after a massive state-sponsored doping scheme came to light.

The group commonly favors spear-phishing and malware to infiltrate targeted organizations. However, Trend Micro claimed in a new report on Thursday that it has spent much of 2019 scanning port 443 for exposed email servers and Microsoft Exchange Autodiscover servers across the globe.

After finding vulnerable systems, the group looked to brute force credentials, exfiltrate email data and send out more spam waves, according to the report.

On the receiving end were traditional APT28 targets such as military and defense organizations, governments, law firms, political parties and universities, but also more unusual ones such as private schools in France and the UK, and even a kindergarten in Germany.

The group also scanned for TCP ports 445 and 1433 to find vulnerable global servers running Microsoft SQL Server and Directory Services, Trend Micro revealed.

Another tactic deployed last year was to use the previously compromised email accounts of high-profile targets to send out phishing emails to their contacts. Defense companies in the Middle East were the main targets.

It’s unclear why the group changed tack in this way: Trend Micro suggests it could be an attempt to evade spam filters. However, the vendor said these tactics failed to result in significantly more inbox deliveries.

Categories: Cyber Risk News

Over Five Billion Breached Records Leaked

Info Security - Fri, 03/20/2020 - 10:30

A London-based cybersecurity vendor appears to have leaked a massive database of previously breached user information dating back seven years.

Researcher Bob Diachenko found the unsecured Elasticsearch instance on March 15. It contained two collections, one with 15 million records updating in real-time, and another containing nearly 5.1 billion.

UPDATE: Since the time of publishing, researcher Bob Diachenko has confirmed the company’s data and customer records were not exposed, as the incident involved only previously reported data breaches collections.

He claimed the data was well structured and featured hash type, leak date, password, email, email domain and source of the original breach. Passwords were hashed, encrypted and/or in plain text depending on the incident in question.

The data spanned several years of breaches, from 2012 to last year, and apparently included some notable scalps such as Adobe, Last.fm, Twitter, LinkedIn, Tumblr and VK.

According to Diachenko, the SSL certificate and a reverse DNS record check revealed that the publicly available Elasticsearch instance was managed by a UK security vendor.

Although the firm apparently didn’t reply to his initial security alert, the database was secured just an hour after it was sent.

“Even though most of the data seems to be collected from previously known sources, such a large and structured collection of data would pose a clear risk to people whose data was exposed. An identity thief or phishing actor couldn’t ask for a better payload,” argued Diachenko.

“Fraudsters might target affected people with scams and phishing campaigns, using their personal information to craft targeted messages.”

Major data leaks of this sort are becoming increasingly common, as configuration errors lead to unintended consequences.

In November last year, Diachenko and researcher Vinny Troia discovered an exposed Elasticsearch server containing personal information on over one billion consumers harvested by two data enrichment firms.

A month later, a massive 890GB database containing over one million highly sensitive web browsing records was leaked by a South African IT company.

Also in December 2019, Diachenko found an unsecured Elasticsearch database containing over one billion “combo” lists of breached passwords and emails.

Categories: Cyber Risk News

Twitter Will Try to Ban #COVID-19 Misinformation

Info Security - Fri, 03/20/2020 - 09:40

Twitter has released details of the steps it’s taking to combat misinformation on COVID-19, but admitted that its increasing reliance on automated systems may lead to more mistakes.

The social network said it was broadening its definition of harm to tackle user-generated content that contradicts guidance from public health authorities and other trusted bodies.

“Rather than reports, we will enforce this in close coordination with trusted partners, including public health authorities and governments, and continue to use and consult with information from those sources when reviewing content,” it said.

The long list of content now prohibited includes: description of harmful or ineffective treatments, denial of official recommendations and established scientific facts, calls to action that benefit third parties, incitement to social unrest, impersonation of health officials and claims that specific groups are either more or less susceptible to the virus.

The new Twitter rules around COVID-19 will be reviewed going forward and amended as appropriate.

Twitter said it’s also rolling out a global content severity triage system to ensure the most serious rule violations are handled first, as well as daily quality assurance checks on content enforcement processes.

However, question marks remain over how effectively harmful content will be removed. The social network explained that it would be increasing its use of machine learning and automation to spot “abusive and manipulative content,” but that these systems may not be as accurate as human moderators.

“We want to be clear: while we work to ensure our systems are consistent, they can sometimes lack the context that our teams bring, and this may result in us making mistakes,” it admitted.

“As a result, we will not permanently suspend any accounts based solely on our automated enforcement systems. Instead, we will continue to look for opportunities to build in human review checks where they will be most impactful.”

Categories: Cyber Risk News

US Launches First Political Campaign Information Sharing and Analysis Organization

Info Security - Thu, 03/19/2020 - 17:01

A new organization has been established in the United States to share information regarding cyber-threats with political campaigns.

The US CyberDome PC-ISAO is the first-ever political campaign information sharing and analysis organization to be created in America. It was formed by neutral American non-profit organization US CyberDome and officially launched on March 11.

“US CyberDome is a non-partisan, not-for-profit organization that protects political campaigns from cyber and dis-information threats,” said former US homeland secretary Jeh Johnson, who serves as chairperson on CyberDome’s advisory board. 

“US CyberDome furthers that effort today by announcing the formation of the first-ever information sharing and analysis organization for political campaigns.”

Information sharing and analysis organizations, or ISAOs, were chartered through a US Presidential Executive Order for Promoting Private Sector Cybersecurity Information Sharing issued by President Barack Obama in February 2015. 

The Political Campaign ISAO was founded to give cybersecurity advice, issue alerts on specific threats, and share intelligence specifically to political campaigns, which can be tempting targets for cyber-attackers. Information on cyber-threats can be shared anonymously. 

Five different levels of membership are offered, and campaigns at all levels of United States federal, state, local, tribal, and territorial government are invited to participate.

Former Homeland Secretary Michael Chertoff, who serves on the US CyberDome Board of Advisors, said: “The PC-ISAO is a neutral and non-partisan venue where technologists can share critical cybersecurity alerts and best practices. The PC-ISAO helps members collaborate on critical cybersecurity challenges.”

US CyberDome founder Joseph Drissel hopes the PC-ISAO will help to break down existing barriers to sharing tips on which threats to look out for.

“Commonly occurring conditions within political campaigns create barriers for sharing cyber threat intelligence and collaborating on cybersecurity,” said Drissel. “Our non-profit facilitates fully anonymous cyber threat information sharing and connects campaign technologists to increase the safety of political campaigns.” 

US CyberDome comprises cybersecurity experts who have trained and practiced at the world’s largest accredited computer forensics and incident response institute, the Defense Cyber Crime Center, as well as at the US Department of Defense and the National Institute of Standards and Technology (NIST).

Categories: Cyber Risk News

WhatsApp Tries to Keep It Real with New Information Hub

Info Security - Thu, 03/19/2020 - 15:42

WhatsApp is partnering with the World Health Organization to fight back against the spread of fake news regarding the COVID-19 outbreak.

The popular messaging platform, which has been used to spread disinformation in the past, has established a new Coronavirus Information Hub that went live yesterday. The hub is designed to help users stay connected with friends and family during the pandemic while also providing them with a reliable source of information.

On the hub's web page, WhatsApp has asked users to "share information responsibly" and to think twice about the messages they are sending and receiving. 

WhatsApp states: "Think about the messages that you receive, because not everything you are sent about coronavirus may be accurate. Verify the facts with other trusted official sources or fact checkers. If you aren’t sure something’s true, don’t forward it."

Along with advice on communicating responsibly during a global health crisis, the hub features links to verified stories regarding the coronavirus and featuring WhatsApp. One such story describes how residents of a retirement home in the Marche region of Italy are using the messaging platform to stay in touch with each other and with their families during the national lockdown. 

The new information hub has been created in partnership with UNICEF, WHO, the UNDP, and the Poynter Institute's International Fact-Checking Network (IFCN).

After announcing the launch of the hub, WhatsApp also said that it would be donating $1m to the IFCN to support fact-checking for the #CoronaVirusFacts Alliance, which spans more than 100 local organizations in at least 45 countries.

In addition to the coronavirus information web page, WhatsApp said it is working with its partners to set up public messaging hotlines that will provide verified information. Details of the hotlines are to be listed on the WhatsApp Coronavirus Information Hub when they become available.

WhatsApp, together with TikTok, Facebook, and Twitter, has been used to circulate false information regarding COVID-19. On Monday the Washington Post reported a false rumor doing the rounds on social media that a nationwide lockdown was about to take place in the United States. The fake news seemed to have been started with the intention of causing mass panic buying.

Categories: Cyber Risk News

Coronavirus Lockdowns Trigger Privacy-Disrupting Location Tracking

Info Security - Thu, 03/19/2020 - 14:51

A growing number of world governments are using surveillance techniques to gauge whether their citizens are heeding instructions to stay indoors and isolate amid the COVID-19 outbreak. 

Technologies designed to track and analyze terrorists, tourists, and public travel patterns are now being deployed in an effort to prevent the novel coronavirus from spreading further. 

Officials in Italy are making use of location data transmitted by cell phones to see how successfully lockdowns triggered by the virus are being observed. 

While tracking individuals is illegal in Europe, cell phone network operators are able to track people anonymously and supply aggregated data to the appropriate government authorities.  

The data can be used not only to map where individuals are going but also to show via concentrations of cell phone signals whether the public are ignoring bans on congregating. 

Exactly how anonymous the data is remains to be seen in light of a study published in August that showed how reverse engineering powered by machine learning can trace anonymized data sets back to individuals. 

Vodafone Group Plc said in a statement that it is handing Italian officials anonymized customer data relating to the movement of people in the Lombardy area. In this region, where the effects of COVID-19 have been especially virulent, some lockdowns have been in place since February 21. 

In Austria, the nation's largest telecommunications network operator Telekom Austria AG has said it's giving anonymized cell phone data to authorities. In neighboring Germany, health tsar Lothar Wieler said Deutsche Telekom was offering up data on whether people are heeding pleas to remain home as much as possible. 

Wieler, who is president of the Robert Koch Institute, said on Wednesday: "If people remain as mobile as they were until a week ago, it will be difficult to contain the virus."

The Israeli government began deploying cellphone-monitoring technology to track its citizens on Tuesday after issuing directives to the public to stay at home.

Emergency regulations that enable the Shin Bet internal security service to tap into cellular data to retrace the movements of people infected with COVID-19 were approved by Prime Minister Benjamin Netanyahu’s cabinet. 

Meanwhile, China, Taiwan, South Korea, and Vietnam are all using data derived from cell phones and apps to keep tabs on the locations of people who have tested positive for COVID-19.

Categories: Cyber Risk News

Norsk Hydro Outage May Have Been Destructive State Attack

Info Security - Thu, 03/19/2020 - 12:30

The crippling ransomware attack on Norsk Hydro may have been a state-backed attempt to disrupt rather than extort money, and as such provides a “blueprint” for how similar future campaigns may work, Dragos has warned.

The security vendor’s principal adversary hunter, Joe Slowik, claimed in a new report that the new version of LockerGoga seen in the attack on the Norwegian aluminium giant last year could be a taste of things to come on the cyber-warfare battle front.

While previous state-sponsored destructive ransomware efforts like NotPetya can at best be described as a “blunt tool,” the Norsk Hydro attack was more subtly disruptive, he said.

For example, the new version of the ransomware seen in the latter attack appeared “to work at cross-purposes to monetize the infection.” Local user and administrator account passwords were changed to the same hard-coded value, the system network card was disabled and all logged-in users were forcibly logged out.

“The above chain of events means that systems were not only encrypted but became inaccessible. Even viewing the ransom note associated with the event would require additional work, such as forensically imaging the machine to recover the note from disc or analyzing the malware,” Slowik explained. “While viewing ransom information is certainly possible, such items seem curious and counterproductive for efficient monetization.”

Adding further deniability for state hackers is the fact that financially motivated ransomware attacks are taking place with increasing frequency today, providing perfect cover for those who want to use modified versions of the powerful malware already in use, he continued.

“As ransomware has evolved from wildly propagating host-specific infections to more deliberate network compromise, malicious state-directed entities now have a new and valuable option for future disruptive operations,” Slowik concluded.

“The combination of efficacy (when properly implemented), deniability (due to continued widespread criminal activity), and specificity (as self-propagation gives way to precise network compromise) enables selective and controlled targeting of entities for disruption and effective IT-based destruction.”

Tackling this challenge will require greater industry-wide information-sharing, a rethink on the traditional bifurcation between criminal and state-sponsored activity, and an update of related economic modelling, the report claimed.

Categories: Cyber Risk News

SANS Offers Free Kit to Secure Home Workers

Info Security - Thu, 03/19/2020 - 10:55

The SANS Institute has produced a training kit and additional resources designed to offer organizations, individuals and parents best-practice advice on working from home securely as the COVID-19 pandemic spreads.

The information security training provider claimed its Security Awareness Work-from-Home Deployment Kit will help to fill knowledge gaps as organizations rapidly transition to new distributed working set-ups.

“For many businesses, managing an entirely remote workforce is completely new, which means they may lack the processes, policies and technologies that enable employees to work from home safely and securely,” it argued. “In addition, many employees may be unfamiliar or uncomfortable with the idea of working from home.”

The home working kit for employers highlights three main risks to remote employees: social engineering, weak passwords and unpatched machines. Other potential challenges to consider include incident detection and response, Wi-Fi security, VPNs, remote workers outside the home and guests/family members who want to use work devices.

It recommends that business leaders cooperate closely with their IT security and comms teams to roll out their remote working strategy, and urges that effort be made to create a forum where users can have their questions answered and report incidents, preferably in real time.

Alongside the deployment guide there’s a factsheet for micro-businesses or sole traders working from home, which outlines five key steps to protect against major cyber-threats.

There are also resources for parents faced with the prospect of children using the internet at home for several weeks whilst schools are closed.

“The key advice is: be suspicious of any emails trying to create a sense of urgency to click on a link or send information; take steps to protect your home Wi-Fi, changing default passwords and restricting access,” SANS director of security awareness, Lance Spitzner, told Infosecurity.

“Also create strong passwords on any websites you use, make sure any device is running the latest software, and don’t let family and friends use work devices.”

Multiple security and tech vendors are stepping in to help businesses that may be struggling to support remote working.

Trend Micro is offering six months’ free access to its consumer security product, Trend Micro Maximum Security, while SentinelOne is providing free use of its endpoint security platform until mid-May.

Categories: Cyber Risk News

Cost of Cyber-Events Worsening for Large Businesses

Info Security - Thu, 03/19/2020 - 10:42

The Fortune 1000 will face significant cyber-loss events in future and will see costs mount up.

According to a new research paper by the Cyentia Institute, an estimated one in four Fortune 1000 businesses will suffer a cyber-related loss event, and there is a 6% chance that a Fortune 1000 firm will lose $100m or more in a 12-month period due to cyber-events.

The 2020 Information Risk Insights Study claimed that, in costs accrued to cybersecurity loss events, 10% of incidents would exceed $20m, with information services and retail sectors the most impacted and showing “abnormally high losses that exceed many other sectors by a factor of 10.”

Speaking to Infosecurity, Cyentia partner and co-founder Wade Baker said that having looked at 10 years of data and the frequency in reporting incidents, a larger organization is more likely to have a publicly-reportable incident. He added that Fortune 1000 businesses “are a bigger target and have a bigger target area and it is more likely that incidents make it into the headlines.”

Baker also acknowledged that not every incident is a “black swan,” and minor events were also considered for this research, “like if you violated the telephone privacy act and called a number you were not supposed to.”

The report also dismissed other research aiming to provide a cost per record in a data breach, as it stated that the “traditional method of estimating breach losses — using a flat cost per record — is flat-out wrong” as it results in a $1.7tn margin of error from overestimating losses. Baker said that the typical “cost per breach” research has “been around for a long time, and is a well-run course,” and that the typical estimations of $150 per record are not accurate and often are “grossly inaccurate.”

Baker explained that a typical incident can cost a quarter of a company’s revenue; a larger organization may lose more money in absolute terms but can absorb it, whereas for a small business the cost may be lower while the impact on it can be greater.

He said: “One thing we are hoping to give is another option to quote the de facto way to cost a breach.” Baker also said that it is important to have a realistic cost for a breach in order to plan better and, if a breach does occur, to know what the cost can be.

“Not every breach is a business ending event but it is a material event on the financial reporting sheet,” he said. “Some companies pay expenses to clear it up and go on, and so it is important to have a more accurate assessment of cost and of budget so it is in line with your risk tolerance.”

By contrast, the statistics read more positively for small to medium businesses: SMBs have breach rates below 2% and are less likely to suffer 10 or more incidents in a year. However, Baker acknowledged that there are far more SMBs in the world than businesses in the Fortune 1000, so 2% is, in fact, a lot of companies.

Categories: Cyber Risk News

Google Blocks Third-Party App Store Downloads for Android Users

Info Security - Thu, 03/19/2020 - 09:53

Google is this week rolling out its Advanced Protection Program (APP) to all Android users in a bid to improve protection against malicious apps.

The APP was originally reserved for high-risk users such as journalists, activists, political campaigners and others. However, it will now be available to all users with an Android 7.0+ device.

There are two main benefits to signing up. First, the service ensures Google Play Protect’s AV scanning functionality is switched on all the time, which is particularly useful if users unwittingly download legitimate-looking malware that subsequently updates to include malicious code.

Second, it prevents users from downloading and installing apps from third-party marketplaces: only those available on Google Play will be allowed.

App stores installed by official Android device makers like Samsung and Huawei will also be allowed.

Unofficial app stores are a hotbed of malicious activity. Last year, malware dubbed “Agent Smith” was downloaded a staggering 25 million times from the 9Apps marketplace run by Alibaba’s UCWeb.

However, limiting downloads to Google Play won’t provide 100% protection: last month Google was forced to remove 600 apps for violating its policy on disruptive advertising, and in June 2019, adware was found in 238 apps on the Play Store, installed by an estimated 440 million Android users.

Google’s homegrown AV tool is also less effective than one might think. In recent AV-Test research it managed to detect just a third of malicious apps, placing it at the bottom of a list of 17 Android security applications.

To put this in perspective, the next ‘worst’ performing was AVG with a near 99% detection rate.

APP also includes protection against phishing thanks to multi-factor authentication (MFA), and attempts to safeguard user data by only allowing Google apps and select third-party apps to access user emails and Drive files.

APP is also available for iOS 10.0+ users who have first installed the Google Smart Lock app for MFA.

Categories: Cyber Risk News

Crypsis Forms Threat Research Labs

Info Security - Wed, 03/18/2020 - 17:39

American incident response and digital forensic services company Crypsis today announced the formation of a new research team dedicated to sharing threat data with the public.

Crypsis Threat Research Labs (CTRL) will strive to analyze emerging cybersecurity threats and trends with the goal of making their research publicly available. The Labs hope that sharing their findings will help to improve organizational security.

Tools developed by Crypsis' development team are to be placed at the disposal of the new team, who will also be given access to a hefty helping of threat intelligence data gathered from thousands of historic and ongoing investigations carried out by Crypsis. 

CTRL’s team of full-time staff members is led by directors Tony Cook and Jared Greenhill. Support and advice for the new Labs will also be drawn from Crypsis’ professional services staff.

"The CTRL team helps our clients by advancing the overall state of cybersecurity and staying on top of threats as they emerge," said CEO of Crypsis Bret Padres.

"We have considerable data from years of investigations and the advanced tools to assess and evaluate the meaning of that data from a macro view. This information will help not only our clients, but organizations in general react more quickly to new threats and respond proactively to emerging trends."

In addition to producing research reports, blogs, white papers, and open-sourced tools, the team will also deliver "Flash Alerts," which will provide analysis of newly discovered security risks or malware types.

The first such flash alert was issued by the team today to warn the world about a custom-written new ransomware variant called PwndLocker. Crypsis has had the novel malware under observation since discovering it in early February 2020. 

A CTRL researcher said: "In our observations, this ransomware shows significant deviations from any ransomware behaviors and characteristics our analysts have traditionally encountered. It was developed entirely as location-independent code (shellcode) and implements its own custom encryption algorithm."

Researchers said that the use of location-independent code appeared to be a countermeasure against automated detection tools, as it prevents the victim from identifying the ransomware before encryption takes place.

Categories: Cyber Risk News

Royal Philips Scores a Cybersecurity First

Info Security - Wed, 03/18/2020 - 16:32

Health technology company Royal Philips has become the first medical device manufacturer to receive a new product cybersecurity testing certification.

The certification—catchily titled UL IEC 62304—was created by independent global safety certification and testing nonprofit company Underwriters Laboratories (UL).

The aim of the new certification is to provide an overall framework to evaluate the maturity and robustness of a medical device manufacturer's cybersecurity controls. It also assesses the company's capabilities for product development. 

"To receive this certification from Underwriters Laboratories, a long-established global leader in standards creation and safety testing, is a strong validation of our program and an opportunity to advance healthcare and personal health product security even further," said Michael McNeil, global product security & services officer at Royal Philips.

The UL certification combines security principles from international standards (ISO 13485 and ISO 14971) with cybersecurity testing elements of the established UL 2900-2-1 standard for Software Cybersecurity for Network-Connectable Products, which focuses specifically on the demanding requirements of healthcare and wellness systems.

Dutch company Royal Philips was founded as Philips & Co. back in 1891 to manufacture incandescent lamps and other electrical products. Like the company’s global reputation for manufacturing light bulbs, McNeil said, being the first medical device manufacturer to earn the certification was not something achieved overnight.

"We've spent years building a successful and effective end-to-end Security by Design program, embedding security principles and best practices throughout a product's life cycle," McNeil said.

To gain the certification, Royal Philips underwent an audit during which its core product security processes were reviewed and verified. UL researchers examined the company’s security risk management and risk control measures, software security verification planning, change management and continuous improvement, and Philips’ laboratory quality management system.

McNeil said that cybersecurity was something that the public expects medical device manufacturers to take seriously.

He said: "At Philips, we understand that our customers have high and growing expectations for the security of the solutions that they rely on. In addition, global regulatory authorities have also increased the scope and scale of product cybersecurity compliance requirements to help protect patients and consumers. We look forward to continuing to meet these critical commitments."

Categories: Cyber Risk News

Companies Offer Free Cybersecurity Support to Combat Threats Posed by COVID-19

Info Security - Wed, 03/18/2020 - 15:40

Companies are offering businesses free cybersecurity support as coronavirus scams proliferate and over-stretched healthcare providers become more vulnerable to cyber-attacks.

Irish cybersecurity awareness training company Cyber Risk Aware announced yesterday that it would be providing free COVID-19 phishing tests for businesses. Companies are invited to run a phishing simulation in which up to 100 staff can learn how to avoid falling for COVID-19 lures. 

Along with the free simulation, companies can download a checklist of Do's and Don'ts designed to keep employees who are working remotely cyber-safe. 

Cyber Risk Aware CEO Stephen Burke told Infosecurity Magazine: "As a former CISO I wanted to give something back to the community. When I read hospitals were crippled and turning COVID-19 patients away owing to ransomware having been installed by a COVID-19 phishing email, I said enough is enough."

Asked what his thoughts were on the criminals attempting to profit from the outbreak of the deadly virus, Burke said: "It shows that they have no moral compass. To shut the hospital down is just so wrong. Lives will be lost, and all because they want to make money. Total greed, and they should be ashamed of themselves.

"They should ask themselves, if they or a loved one were to become very ill and were refused entry to a hospital as a consequence of a cyber-attack, how would they feel? I would hope they think again."

Also stepping in to help thwart conscience-free criminals hoping to profit from the global health crisis are American ransomware recovery company Coveware and New Zealand antivirus solutions company Emsisoft.

The pair have teamed up to offer free help to critical care hospitals and other healthcare providers that are on the front lines of COVID-19 and have been impacted by ransomware. 

"We’re anticipating an increase in ransomware incidents which could be significantly in excess of the typical seasonal spikes and, unfortunately, may coincide with COVID-19’s peak, creating a perfect storm," said Emsisoft threat analyst Brett Callow.

"In partnership with incident response company Coveware, we’ve just launched an initiative that will enable healthcare providers to access both companies' complete range of ransomware-related services at no cost for the duration of the COVID-19 crisis. The aim: to get impacted providers operational again in the shortest possible time so that patient care is minimally disrupted."  

Categories: Cyber Risk News