America's Federal Communications Commission (FCC) has been warned against fully approving the construction of a subsea cable that will directly link the United States to Hong Kong.
A recommendation to partially deny the application to build the Pacific Light Cable Network (PLCN) was sent to the FCC by Team Telecom, formally known as the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.
The committee said the PLCN application raised national security concerns as significant financial backing for the project would be provided by a subsidiary of the fourth largest provider of telecommunications services in the People's Republic of China (PRC).
"As submitted to the FCC, the PLCN application would have allowed for the highest capacity subsea cable connection between the United States and Asia and been the first direct connection between the United States and Hong Kong," said a spokesperson for the US Department of Justice.
"This raised national security concerns, because a significant investor in the PLCN is Pacific Light Data Co. Ltd., a Hong Kong company and subsidiary of Dr. Peng Telecom & Media Group Co. Ltd. (Dr. Peng Group), the fourth largest provider of telecommunications services in the PRC."
The committee’s recommendation explained that PLCN’s proposed Hong Kong landing station would expose US communications traffic to collection by the PRC.
The DOJ said: "Such concerns have been heightened by the PRC government’s recent actions to remove Hong Kong’s autonomy and allow for the possibility that PRC intelligence and security services will operate openly in Hong Kong."
Team Telecom further advised that the FCC grant the portions of PLCN’s application seeking to connect the United States, Taiwan, and the Philippines, that do not have any PRC-based ownership and are separately owned and controlled by subsidiaries of Google LLC and Facebook, Inc.
This approval should only be made on the condition that the companies’ subsidiaries enter into mitigation agreements regarding those connections, advised Team Telecom.
Google's request for Special Temporary Authority (STA) to commercially operate the segment of PLCN connecting the United States and Taiwan for six months was granted by the FCC on April 8, 2020. Approval was given based on obligations set forth in a Provisional National Security Agreement between the tech giant and the US Departments of Justice, Homeland Security, and Defense.
The UK government has abandoned its centralized coronavirus contact-tracing app in favor of a decentralized model, according to the BBC's chief tech correspondent.
Rory Cellan-Jones shared news of the UK's U-turn on Twitter earlier today. Posting as @ruskin147, Cellan-Jones wrote: "BBC scoop - NHS abandons centralized contact tracing app, moves to Apple/Google decentralized model."
A petition by ProPrivacy asking the UK government to change their contact-tracing app’s data collection model from centralized to decentralized to protect user privacy attracted over 1,000 signatures.
Digital privacy expert at ProPrivacy, Ray Walsh, called the government's decision "a huge win for privacy."
"A decentralized app will allow consumers across the UK to download the app without fears that their data could be exploited for secondary purposes," said Walsh.
The National Health Service COVID-19 contact-tracing app was created to tell people when they may have been exposed to the novel coronavirus. A pilot scheme is currently under way in the Isle of Wight to test the app's efficacy.
Lord Bethell, the minister for innovation at the Department of Health and Social Care, said participants of the pilot scheme had indicated that they would rather hear bad news from a person than via an automated text or email.
Health secretary Matt Hancock said at the start of May that the NHS COVID-19 contact-tracing app would be rolled out mid-May. However, Lord Bethell, speaking recently to MPs on the Commons science and technology committee, said the app will not be ready before the winter.
“We’re seeking to get something going for the winter, but it isn’t a priority for us,” Bethell stated.
The snail-like pace of the government's contact-tracing app implementation was bemoaned by Ray Walsh.
"It is a shame that it took so long for the NHS and the government to come to the same realization privacy experts had months ago—that in order for an app to be effective it is going to need to be accepted by the general public," said Walsh.
"While this is good news, the reality is that we could have had this app up and running weeks if not months ago, which could have greatly reduced the rate of infection and potentially saved lives."
The UK Information Commissioner's Office (ICO) has issued a report on police practices regarding extraction of data from people’s phones, including phones belonging to the victims of crime.
The report, which is the result of a 2018 complaint made by Privacy International (PI), highlights numerous risks and failures by the police in terms of data protection and privacy rights.
Elizabeth Denham, information commissioner, stated in the report: “This report explains how current mobile phone extraction practices and rules risk negatively affecting public confidence in our criminal justice system.
“I am therefore calling on government to introduce modern rules, through a code of practice that improves data extraction practices. This will build public confidence, notably the confidence of victims of crime and witnesses in permitting extraction of their sensitive personal data. It will also better support police and prosecutors in their vital work.”
Other key points in the report state that police should not seize phones merely to go on ‘fishing’ expeditions, but must focus any extraction on clear lines of enquiry and that current police practices regarding extracting data, especially from victims and witnesses, must be reformed.
Dr Ksenia Bakina, PI’s legal officer said: “Today’s critical report by the ICO vindicates what PI has been saying for over two years. The Police are taking data from people’s phones, including the victims of crime, without applying proper safeguards. This has to stop.
Currently, there is no clear policy guidance or independent, effective oversight for the police's use of mobile phone extraction (MPE) technology, Bakina added.
“Considering the extensive use of mobile phones in our everyday lives, and the significant amount of sensitive personal data stored on them, the public need to know that there are rules and safeguards in place – otherwise the police are left to make up their own rules.
“The ICO's report is a welcome step in the right direction. However, it is just a first step. We need to ensure that the report is a wakeup call that the police finally heed.”
The COVID-19 crisis appears to have had an unexpected impact on underground cybercrime sites, leading to a surge in growth which has left many understaffed, according to Digital Shadows.
The dark web monitoring firm’s Digital Shadows Photon Research Team revealed in a new blog that several forums have recently been forced to go on a hiring spree for new moderators.
In April, an administrator post from English-language cybercrime forum Nulled apparently noted that the ‘community’ was “especially growing rapidly during COVID-19,” and that as a result it “require[s] additional assistance.”
Another post in April, this time from the administrator of English-language site CrackedTO, cited “recent events” as the reason for its hiring plea.
“While there have been many predictable consequences of the ongoing global COVID-19 pandemic, few would have foreseen significant growth for multiple cyber-criminal forums. Digital Shadows has observed forums being stretched at the seams due to their newfound pandemic popularity,” the Digital Shadows team wrote.
“In retrospect, it’s not that surprising: the coronavirus has placed enormous economic pressure on millions of people worldwide. It’s not illogical to surmise that some individuals may have turned to cybercrime to plug holes in their finances.”
The firm explained that cybercrime sites run a highly formalized employee set-up with the administrator sitting at the top of a pyramid, while multiple moderators carry out the day-to-day work.
They are often tasked with specific roles, such as technical support, paying for advertising, enforcing site rules and answering user questions.
The “trials moderators” sought by Nulled and CrackedTO are required to enforce the rules and assist users, as well as clean up malware and spam.
Good moderators seem to be highly sought after, making recruitment also a formalized process.
“Elements of the recruitment advertisements come up again and again: the importance of devoting a significant chunk of time to the role, the requirements for applicants to have a thorough knowledge of the section and the perceived prestige associated with the role,” said Digital Shadows.
“Most also emphasized that these positions are unpaid.”
COVID-19-themed cyber-attacks comprised only a tiny amount of overall threat volumes over the past four months despite sensational headlines, according to Microsoft.
In comments echoing those it made at the start of the crisis, the Microsoft Threat Protection Intelligence Team claimed that even the peak of COVID-related attacks in the first two weeks of March was “barely a blip in the total volume of threats we typically see in a month.”
These were opportunistic attempts to exploit huge public interest in the virus via mainly localized phishing lures, which is why they increased 11-fold the week after the World Health Organization (WHO) officially named the pandemic “COVID-19.”
“This surge of COVID-19 themed attacks was really a repurposing from known attackers using existing infrastructure and malware with new lures,” said Microsoft. “In fact, the overall trend of malware detections worldwide did not vary significantly during this time.”
Although COVID-themed attacks remain higher than they were in early February and will continue as long as the virus does, the vast majority of threats are more typical phishing and identity compromise attempts, it continued.
The key takeaway for IT security teams is that while phishing lures can change quickly, the underlying malware remains the same.
They should therefore double down on enhanced user awareness training programs, “cross-domain signal analysis,” and patching, said Microsoft.
“These COVID-19 themed attacks show us that the threats our users face are constant on a global scale. Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward,” it concluded.
“Focus on behaviors of attackers will be more effective than just examining indicators of compromise, which tend to be more signals in time than durable.”
Google claimed back in April that it is blocking 18 million malware and phishing emails linked to COVID each day, although it also admitted that “in many cases” these threats are not new but repurposed from other campaigns.
Zoom has reversed its controversial decision to restrict access to end-to-end encryption (E2EE) for some users and will now offer the feature to customers of both its free and premium services.
The video conferencing app said it had consulted with rights groups, child safety advocates, government representatives, encryption experts and its own CISO council to gather feedback.
“We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform,” the firm's CEO Eric Yuan said in a blog post yesterday.
“This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform.”
Users of the free service will be required to authenticate in a one-off process with information such as their phone number, in order for the platform to “reduce the mass creation of abusive accounts,” Yuan added.
The news came as rights groups, tech firms and internet users petitioned the firm to reverse its policy on E2EE.
They argued that E2EE is too important to be a premium feature, especially in the context of global protests against racial injustice and government oppression. The technology protects activists, journalists and other vulnerable parts of the population from government repression and surveillance, as well as from cyber-criminals, they said.
The campaigners also argued that those who want to disguise malicious intent or illegal activity can simply pay for the premium service.
Yuan was reported saying on an analyst call earlier this month that the firm would not be offering free users E2EE “because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”
Mozilla welcomed the news. The tech non-profit, which wrote an open letter to Zoom earlier in the week signed by tens of thousands of internet users, argued that E2EE should always be the default setting, not a luxury.
“We're heartened that Zoom listened to consumers, especially at a time when millions of people are relying on the platform to stay connected amid the pandemic and to organize in support of Black lives,” it said in a statement.
“Zoom’s decision is part of an emerging trend: Consumers are demanding more of the technology products and services they use every day. And companies are changing their products to meet these demands.”
The number of Business Email Compromise (BEC) attacks being leveled at C-Suite executives has declined as threat actors focus on a new target.
Researchers discovered that cyber-criminals had a new springtime victim in their sights, as BEC attacks on finance employees—who hold the key to routine payments—shot up by more than 87%.
The Abnormal Security Quarterly BEC Report for Q1 2020 notes a shift away from individual attacks to group BEC attacks. Campaigns with more than 10 recipients increased by 27% quarter by quarter.
Researchers found that criminals had switched their focus away from paycheck and engagement fraud and toward payment fraud. Invoice fraud attacks were found to have increased more than 75%.
A section of the report was devoted to trends around email account compromise and security attack patterns observed during the COVID-19 pandemic.
Evan Reiser, CEO and co-founder of Abnormal Security, described the attacks related to the outbreak of the novel coronavirus as "among the most sinister in intent that we have ever seen."
Researchers found that COVID-related attacks more than quadrupled between the second and third weeks of March 2020. Cyber-assaults increased 436%, with an average 173% week-over-week increase during the quarter.
COVID-19 vectors exploited by criminals included vaccines, PPE equipment, stimulus checks, PPP payments, layoff concerns, and the popularity of video conferencing tools.
The majority of the coronavirus attacks Abnormal caught were scams that leveraged trusted entities, using compromised and spoofed accounts in order to scam users and companies out of money, steal their credentials, or install malware on their device.
“The email security trends we witnessed during Q1 are most certainly related to the COVID-19 pandemic and the shift to work from home, but they also reflect greater sophistication and attack strategy by threat actors,” said Reiser.
“By increasing campaign target size, attackers increase the opportunity for social validity and by targeting finance employees who manage third-party payments, they’ve found a new vector for payouts.”
Cyber-criminals stepped up their efforts to victimize gamers while millions of people stayed at home this spring to slow the spread of COVID-19.
In the same month, the number of blocked attempts to force gamers onto phishing pages for one of the most popular gaming platforms also increased by a whopping 40% compared to February 2020.
Kaspersky researchers took a special interest in threats to gamers after lockdown measures saw millions turn to video games as a source of entertainment. Beginning in March, online gaming platform SteamDB saw a record number of users, with 20.3 million people in-game simultaneously over one weekend.
According to data from Kaspersky Security Network, cyber-criminals have exploited the increased interest in video games to launch various attacks.
Minecraft, one of the most popular games ever made, was the title most often used by threat actors. Its name featured in more than 130,000 web attacks. The other games used most frequently to launch attacks were Counter-Strike: Global Offensive and The Witcher 3.
Maria Namestnikova, security expert at Kaspersky, said threat actors used the promise of cheats to lure gamers into clicking malicious links.
“The past few months have shown that users are highly susceptible to falling for phishing attacks or clicking on malicious links when it comes to games—whether they’re looking to find pirated versions or eager for a cheat that will help them win,” said Namestnikova.
Yury Namestnikov, also a security expert at Kaspersky, said that gamers working from home who play and toil on the same device should be particularly wary of cyber-threats.
“Now that many players started using the same machines that they use to enter corporate networks for games, their cautiousness should be doubled: risky actions make not only personal data or money vulnerable but also corporate resources,” said Namestnikov.
Kaspersky researchers urged gamers to protect themselves by using strong passwords and two-factor authentication where possible and to be wary of any cheats and pirated copies of video games.
The founder and CEO of two Illinois software companies has been charged with fraudulently claiming over $400,000 from the Paycheck Protection Program (PPP).
Evanston resident Rahul Shah allegedly lied on an application for a forgivable bank loan guaranteed by the Small Business Administration (SBA) under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
The 51-year-old was charged in a federal criminal complaint filed in the Northern District of Illinois with bank fraud and making false statements to a financial institution.
Shah is the founder and CEO of tech companies Boardshare LLC and Katalyst Technologies, Inc. Both companies are based on Davis Street in downtown Evanston.
Katalyst, which was founded in 2000, also has offices in Atlanta, London, and in several cities in India.
Shah applied for a PPP loan from Bank of Texas on April 15 on behalf of Katalyst. On April 30, he applied for a second loan on behalf of N2N Holdings LLC, which operates under the name Boardshare.
According to the Department of Justice (DOJ), Shah "significantly overstated the payroll expenses of a company that he controlled" and submitted falsified IRS documents to the lender.
On an IRS 1099-MISC form, Shah claimed that one of his companies had made payments to several individuals. These claims turned out to be false upon investigation.
In addition, Shah misrepresented his company's payroll expenses for 2019 in documents that he signed and caused to be submitted to the lender.
"A comparison between the documents submitted to the lender and the company’s IRS filings revealed that Shah’s company reported significantly lower payroll expenses to the IRS," said a spokesperson for the DOJ.
An affidavit from James Sams, an agent with the Treasury Inspector General for Tax Administration, said Shah paid Boardshare's employees less than $10k over a period in which he claimed to have spent $426k on payroll.
Sams alleges that, in an interview with FBI and Treasury agents on May 29, Shah acknowledged that there were "errors" in his application and blamed them on employees in India.
If convicted of both counts, Shah could face a sentence ranging from probation to up to 60 years in federal prison.
Half of mobile banks are vulnerable to fraud and theft of funds due to inadequate security on apps, according to a study by Positive Technologies. The analysis found that mobile banking applications have a raft of security flaws which can be exploited by cyber-criminals to access sensitive data and commit fraud.
Positive Technologies said that none of the 14 mobile banking applications tested had an acceptable level of security. In regard to the applications installed by clients, 43% were shown to store important information on the phone in clear text, making the data at risk of being accessed by an unauthorized party. In addition, 76% of the vulnerabilities can be exploited without physical access to the device and over one-third can be exploited without administrator rights.
Each mobile bank analyzed had an average of 23 vulnerabilities on the server side, which contained 54% of all the vulnerabilities found. Close to half (43%) had server-side vulnerabilities in business logic, which attackers can use to access sensitive user information and commit fraud. The report also stated that hackers can steal user credentials in five out of seven mobile banks while card information is at risk in one-third.
There were also variations in the types of security flaws between iOS and Android apps: in iOS, no flaws were rated above 'medium,' whereas in Android, 29% were 'high risk.'
Olga Zinenko, analyst at Positive Technologies, commented: “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in clear text and make errors allowing hackers to bypass authentication and authorization mechanisms and bruteforce user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits and the phone number associated with a victim’s card.
“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”
Just last week, the FBI warned that cyber-criminals are seeking to take advantage of the growing use of mobile banking apps during COVID-19.
Technology companies and rights groups are calling on Zoom to reverse its stance on end-to-end encryption, which currently denies users of its free service the strongest possible security and privacy protections.
The video conferencing app controversially announced earlier this month that only users of its premium service would have their conversations protected by end-to-end encryption.
“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” CEO Eric Yuan reportedly said.
Now a coalition of non-profits, tech groups and tens of thousands of internet users have called on the firm to change its mind.
An open letter to Yuan from the EFF and Mozilla, signed by over 19,000 internet users, argued that offering the strongest possible security to all users is more important now than ever, at a time when political activists and protesters may be the target of government surveillance.
“Best-in-class security should not be something that only the wealthy or businesses can afford. Zoom’s plan … will leave exactly those populations that would benefit most from these technologies unprotected,” it noted.
“Around the world, end-to-end encryption is already an important tool for journalists and activists that are living under repressive regimes and fighting censorship. We recognize that Zoom's business model includes offering premium features for paid accounts, but end-to-end encryption is simply too important to be one of those premium features.”
A separate petition sent to the firm by Fight for the Future, Daily Kos, MPower Change, Mijente, Kairos, Media Alliance and Jewish for Peace has garnered over 50,000 signatures.
It claimed that Yuan’s defense of the decision, that the firm wanted to help law enforcement, was absurd.
“People with bad intentions can just pay for the account to ensure their calls are secure,” it argued. “Meanwhile, people who can’t afford Zoom’s services are left vulnerable to cyber-criminals, stalkers and hackers.”
Zoom’s recent admission that it suspended the accounts of Chinese human rights activists after a request from Beijing will only add further weight to the calls.
Global digital security and privacy product provider Avast has announced the appointment of Nick Viney as senior vice-president and general manager for its Telco, Internet of Things (IoT) and Family security business unit.
Viney joins Avast from Cyber 1 – a publicly listed enterprise cybersecurity provider – where he was Group CEO. He has previously held roles at McAfee, Google and Microsoft.
In his new role, he will oversee Avast’s global strategy and lead the development of the company’s position in smart home security while expanding its overall portfolio of security products and partners including telecommunications providers and original equipment manufacturers.
“Avast is a company I have long admired for its commitment to innovation, focus on the customer and for its mission to make the world a safer place for everyone, particularly the most vulnerable in our society,” said Viney.
“These are values I have stood by throughout my entire career and I’m looking forward to leading some important projects for the company that are tackling real-world cybersecurity problems and issues for consumers today.”
Attackers leveraged LinkedIn and posed as recruiters in order to steal information and money from European military and aerospace executives.
According to new research from ESET, the technique involved threat actors contacting the executives via LinkedIn while posing as recruiters. Named Operation In(ter)ception, the campaign ran from September to December 2019 and began with what ESET called "a quite believable job offer, seemingly from a well-known company in a relevant sector." The message contained a OneDrive link leading to a PDF document with salary information related to the fake job offer.
However, ESET malware researcher Dominik Breitenbacher said malware was silently deployed on the victim’s computer giving the attacker “an initial foothold and reached a solid persistence on the system.”
Among the tools the attackers utilized was custom multistage malware that often came disguised as legitimate software, and modified versions of open-source tools.
Speaking on ESET’s Virtual World conference this week, head of threat research, Jean-Ian Boutin, said the job offer was often “too good to be true” and while the conversation would start out as friendly, the attacker would pressure the executive to answer questions more and more rapidly. The attacker would also ask what system the executive was using in order to determine configurations.
Boutin said the PDF file was a decoy, which featured positions with expected salaries. However, the executable creates a scheduled task on the victim’s computer, a built-in functionality in Windows, which is automatically launched. “This can be very useful in an enterprise set up, but is also a common technique used by threat groups to ensure their malicious payload is run periodically once it is installed,” he said.
He explained that the malicious payload in the scheduled task is used by the attacker to connect to an external server “and is able to download and execute arbitrary content.”
Post-attack, Boutin said all of the exfiltrated data was placed in password-protected RAR archives, and uploaded to Dropbox using a command line tool. “What made this threat actor difficult to track was that their operators were really careful and cleaned up their traces when moving from one system to another,” he said. The attackers also removed the LinkedIn profiles once the compromise was successful.
During the research, ESET also identified some similarities with the activities of the Lazarus Group, which has been linked to the Sony Pictures attack and the WannaCry outbreak. While ESET said there was not enough information to definitively attribute these attacks to the Lazarus Group, there were some similarities in the code and tactics used.
In a comment sent to Infosecurity, Paul Rockwell, head of trust and safety at LinkedIn, said: “We actively seek out signs of state-sponsored activity on the platform and quickly take action against bad actors in order to protect our members. We don’t wait on requests, our threat intelligence team removes fake accounts using information we uncover and intelligence from a variety of sources, including government agencies.
“Our teams utilize a variety of automated technologies, combined with a trained team of reviewers and member reporting, to keep our members safe from all types of bad actors. We enforce our policies, which are very clear: the creation of a fake account or fraudulent activity with an intent to mislead or lie to our members is a violation of our terms of service.
“In this case, we uncovered instances of abuse that involved the creation of fake accounts. We took immediate action at that time and permanently restricted the accounts.”
COVID-19 lockdowns around the world have led to an increase in some of the most common attack types, but also a realization that businesses must change going forward, according to over 80% of IT professionals polled by Bitdefender.
The security vendor interviewed 6,724 security and IT staff in May across the UK, US, Australia/New Zealand, Germany, France, Italy, Spain, Denmark and Sweden, covering organizations of all sizes.
Some 86% claimed attacks had increased during lockdown, especially phishing (26%), ransomware (22%), social media threats/chatbots (21%), cyber-warfare (20%), Trojans (20%) and supply chain attacks (19%). In some cases, such as ransomware (31%) and DDoS (36%), the reported increase in attack volume was in the double digits.
Around a third (34%) of respondents warned that home working employees were too relaxed about security, leading to concerns over phishing (33%) and accidental data leaks (31%). A third claimed home workers aren’t following protocol by identifying and flagging suspicious activity.
Other risks from remote working highlighted by respondents include third parties using corporate laptops and devices (38%) and the use of personal messaging services for work (37%).
Unsurprisingly, half (50%) said they had no contingency plan in place for a scenario such as COVID-19.
However, on the positive side, global organizations are taking proactive steps to improve cybersecurity readiness and resilience going forward.
Over a fifth (22%) said they’ve started providing VPN and made changes to VPN session lengths, 20% have shared cybersecurity guides and deployed pre-approved applications and content filtering, and 19% have updated employee training.
Almost a third (31%) said they intend to keep 24/7 IT support once the pandemic recedes and will increase security training. Even better, 23% said they’re going to increase cooperation with key business stakeholders when drawing up cybersecurity policies, and a similar number will increase outsourcing of IT security functions.
Liviu Arsene, global cybersecurity researcher at Bitdefender, argued that customer loyalty, trust and the bottom line are at risk if organizations don’t get cybersecurity right during the pandemic, and beyond.
“COVID-19 has however presented infosec professionals with the opportunity to reassess their infrastructure and refocus on what end users/employees really need and want in terms of cybersecurity support,” he added.
“It is also evident that, despite identifying risks, there is still a need for further investigation into what investments need to be made to ensure that corporate data and employees are both safe from bad actors. While it’s a challenge to make changes now, it will shore up business for the future and many more unknown scenarios.”
A US senator is demanding to know why the CIA is still not following the government’s advice on best practices after he obtained a 2017 report describing the agency’s day-to-day cybersecurity as “woefully lax.”
The internal report was written by the CIA’s WikiLeaks Task Force in the wake of the Vault 7 disclosures to the whistleblowing site, which amounted to the “largest data loss” in its history.
At least 180GB and potentially as much as 32TB of information, including data on a range of cyber-weapons, was stolen by an insider in 2016. The CIA said it didn’t know how much data was taken because there were no safeguards such as user monitoring on the Center for Cyber Intelligence software development network (CCI DevLAN), where much of it was stored.
Democratic senator Ron Wyden on Tuesday wrote to the director of national intelligence, John Ratcliffe, warning that the agency was still lagging behind on implementing even basic cybersecurity measures used widely elsewhere in the federal government.
This includes DMARC to help prevent phishing and email impersonation, and multi-factor authentication for the CIA’s .gov domains and the Joint Worldwide Intel Communications System (JWICS), which is used for top secret comms in the US intelligence community.
According to the report, the CCI had for many years “prioritized building cyber-weapons at the expense of securing their own systems.
“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls and historical data was available to users indefinitely,” it continued.
“CCI focused on building cyber-weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over the years that too often prioritized creativity and collaboration at the expense of security.”
The irony, said Wyden, is that the intelligence community was not formally required to implement specific security policies mandated to other federal agencies by the Department of Homeland Security (DHS), as it was assumed that it would go “above and beyond.”
Fausto Oliveira, principal security architect at Acceptto, argued that the Department of National Intelligence budget runs into the tens of billions, which should allow the CIA to address the concerns raised by Wyden.
“Based on the findings of the report, it appears that there was a lack of IT and cybersecurity governance that led to a lax adoption of security controls,” he added.
“It is not an operational matter, it is a matter of the agency's management not setting the right goals to manage the risks associated with operating an organization, specifically an organization that is a desirable target for all kinds of attackers.”
Zero-day vulnerabilities have been discovered that could impact millions of IoT devices found in data centers, power grids, and elsewhere.
The flaws, dubbed Ripple20, were detected by the JSOF research lab in a widely used low-level TCP/IP software library developed by Treck, Inc. In research published today, JSOF said Ripple20 includes multiple remote code execution vulnerabilities and affects "hundreds of millions of devices (or more)."
Researchers named the vulnerabilities Ripple20 to reflect their widespread impact, a natural consequence of the supply chain "ripple effect" through which the software library, and the flaws inside it, have been disseminated so widely.
"A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people," wrote researchers.
Ripple20 reached critical IoT devices involving a diverse group of vendors from a wide range of industries. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter.
Researchers said many other major international vendors are suspected of being vulnerable in the medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries.
"The risks inherent in this situation are high," wrote researchers. "Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction."
By exploiting the flaws, an attacker could hide malicious code within embedded devices for years. One potential risk scenario is that a threat actor could broadcast an attack capable of taking over all impacted devices in the network simultaneously.
"This is a classic case of finding critical vulnerabilities in embedded IoT devices that were designed years ago and may now be impossible or impractical to patch," commented Phil Neray, VP of IoT & industrial cybersecurity at CyberX.
"The best strategy is to implement compensating controls such as network segmentation to make it harder for adversaries to connect to these devices, plus Network Traffic Analysis (NTA) with Security Orchestration, Automation, and Response (SOAR) to quickly spot anomalous behavior—and stop it—before they cause a safety incident, shut down production, or steal intellectual property."
Online sports retailer Wiggle is investigating a suspected cyber-attack after receiving a series of complaints from customers.
Concerns were raised after customers received emails confirming orders for items from Wiggle that they had not placed. The suspicious orders were set to be delivered to addresses that the confused customers did not recognize.
The idea that Wiggle had been hit by a possible cyber-attack was first mooted on June 12. One customer reached out to cycling news site Road.cc after failing to elicit a response from Wiggle regarding a £30 order charged to his account that he said was not made by him.
Another Wiggle customer, Kobi Omenaka, took to Twitter to complain that he had received no response from the retailer after informing them that an imposter had used his account to purchase a £237.50 skin-tight cycling suit in dark steel blue.
Along with an attachment of the order confirmation, Omenaka posted "@Wiggle_Sport someone broke into my account and ordered this. I told customer services as it happened but no one has come back to me."
Twitter user George Slokoski responded to Omenaka's tweet, saying that he had also experienced issues with his Wiggle account.
"Mine also hacked this AM," wrote Slokoski. "Got an email saying my email address has changed to email@example.com and shortly after I had a charge for £5."
Another user, Harry Holmes, tweeted, "The same happened to me!" and asked Omenaka if his fake order was also being sent to an address in Twickenham, London.
On June 14, another customer, who uses the handle @hayleybadger on Twitter, tweeted the store: "@Wiggle_Sport Are you under cyber attack? I've received an email to say someone's changed my account to their email address and I can’t access your website."
Wiggle responded to the tweet above with an invitation to discuss the matter over live chat.
Twitter user @Omidpyc claims Wiggle has been aware of a cybersecurity breach for over ten days but has not gone public with the news.
Earlier today he tweeted: "Just had a call from Ross Clemmons. He says Wiggle are going to put out an announcement (Crossed fingers) and apologized for their dire response over the weekend."
According to @Omidpyc, Clemmons "agreed customer account flow was insecure and it’s been reported to ICO."
Six senior eBay employees have been charged with intimidating and cyber-stalking the couple behind an online newsletter whose media coverage they didn't like.
The executives, who no longer work for the online marketplace, allegedly sent a stream of terrifying deliveries to the homes of the newsletter's editor and publisher and their neighbor. Sinister deliveries received by the couple over a period of weeks included a bloody pig mask, a wreath of funeral flowers, and live spiders and cockroaches.
Pornographic magazines with the husband's name on them were sent to the house of one of the couple's neighbors in Natick, Massachusetts. In addition, officials said that a plot had been hatched by the executives to break into the garage of the alleged victims and fit a GPS tracking device to their vehicle.
The former executives allegedly launched their prolonged campaign of terror after a newsletter run by the couple published a piece concerning some litigation in which eBay was embroiled.
It is further alleged that the executives created fake social media accounts that they used to send the couple a series of threatening messages and post about phony events happening at the couple's home address.
“This was a determined, systematic effort by senior employees of a major company to destroy the lives of a couple in Natick all because they published content that company executives didn’t like,” said Massachusetts US attorney Andrew Lelling.
"For a while they succeeded, psychologically devastating these victims for weeks as they desperately tried to figure out what was going on and stop it."
Court documents reveal that one member of eBay's executive team directed the company's former senior director of safety and security, James Baugh, to "take her down," referring to the newsletter's editor.
San Jose, California, resident Baugh, along with eBay’s former director of global resiliency, David Harville, of New York City, are charged with conspiracy to tamper with witnesses and conspiracy to commit cyber-stalking.
Other former eBay employees charged in relation to the alleged cyber-stalking are Stephanie Popp, former senior manager of global intelligence; Stephanie Stockwell, former manager of eBay’s Global Intelligence Center; Brian Gilbert, former senior manager of special operations for eBay’s Global Security Team; and Veronica Zea, a former eBay contractor who worked as an intelligence analyst in the Global Intelligence Center.
AI and machine learning technologies need training and human intervention to work as expected.
Speaking as part of ESET’s Virtual World event, CTO Juraj Malcho said there are perceptions that AI is evil or mysterious, but “it is not magic, not self-aware and it is invented and programmed by humans; it doesn’t have any obscure intentions” and it relies on inputs.
“There are some companies out there that claim they have magic solutions, but that is not the case,” he said. “I like to say it is advanced computer assisted automation.” He admitted that, while this made it sound uninteresting, “it is a beautiful thing if you look under the hood,” adding that for many decades we lacked the computers and technology to make use of machine learning capabilities, but we now have other ways to apply them.
Citing an example of how automation can be used in malware detection, Malcho said unique clusters of malware samples are often classified by common traits. In one case, 7.7 million Emotet attacks had been detected by ESET, and because the company was able to classify them using machine learning from a single DNA detection, three million attacks were discovered “thanks to us seeing common traits of a family.”
Malcho admitted that machine learning is not accurate but it is a fast way to detect, and “accuracy is best when you have a human involved and work hand in hand.” However, machine learning also comes with challenges, he added, such as when you feed it with data “you may find you don’t have the capacity of your computing systems to process all of the data.”
This requires a hybrid approach, where you pre-select the samples and train your models. “The trick here is to have it balanced, as if the model is imbalanced and not representing the real world properly, you are basically getting junk in and the result is junk out,” he said.
Consideration also has to be given to the malicious use of automation, he continued; malicious usage can include generating and distributing spam and phishing, and Malcho noted that automation is also commonly used in language translation.
He also claimed that attackers can detect intruders in their infrastructure, identify patterns in generated content, create false flags and choose the best target and attack methods.
Concluding, Malcho said that AI “is far from 'Skynet' and trying to control us, it is just a tool that we have at our disposal” and it depends on how well you are able to use it.
He said: “AI without data is just beautiful math, and data without AI is basically just a bunch of ones and zeros. One doesn’t exist without the other. So when the perfect combination of these elements is achieved and properly validated data is fed into the properly-designed systems, a euphoric moment is created.”
Nearly half (46%) of small and medium-sized enterprises (SMEs) regularly share confidential files via email, including financial and employee data in spreadsheets, according to a new study from the Lanop Accountancy Group. This is despite the fact that 60% have not upgraded their organizations’ cybersecurity capabilities since shifting to remote working during COVID-19.
In a survey of 100 company owners of SMEs based in London, UK, which focused on their security habits during the pandemic, 59% revealed they had received an increase in phishing emails since lockdown began.
Cybersecurity expert Tim Sadler, CEO of Tessian, said: “Protecting people on email has to be a priority in this new hybrid world where employees can work from anywhere. All it takes is one simple mistake or typo for sensitive and confidential files to land in the wrong inbox and for a company to suffer a significant data breach.”
SMEs also outlined IT difficulties they have faced as a result of moving to a remote working model. A quarter said they share a Zoom account with another company, and one in five have been forced to cancel a meeting due to conference systems crashing. Meanwhile, 30% reported purchasing additional laptops, mobiles and tablets to manage remote working.
In addition, one third of company owners don’t believe they have the IT systems to continue remote working for a further three months, while 28% said their staff lack the digital skills to work from home.
Lanop also found nearly half (45%) plan to increase their IT spending in the near future, while 23% will not renew their office lease beyond the crisis.
Sridhar Iyengar, managing director of Zoho Europe, added: “The COVID-19 crisis has forced the majority of business owners to quickly implement remote working systems in order to continue trading despite strict lockdown measures. For many companies, successfully managing urgent projects, team meetings and company finances online against the backdrop of economic turmoil has brought with it a myriad of delays.”
A survey published last month by Bitglass found that most organizations are not sufficiently prepared to securely support remote working, even though 84% intend to continue this practice beyond the crisis.