Feed aggregator

University Launches Cyber-Toolkit for Detectives

Info Security - Thu, 03/05/2020 - 18:18
University Launches Cyber-Toolkit for Detectives

An American university has launched an ingenious new toolkit that can help detectives catch cyber-criminals. 

The Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR), built by cybersecurity experts at Purdue University, is an all-in-one tool that tracks and reconstructs files and online activity. 

Cleverly, the tool lets law enforcement access data that criminals believe has been safely swept under the digital carpet.

Kathryn Seigfried-Spellar, an associate professor of computer and information technology in the Purdue Polytechnic Institute who helped lead the FileTSAR research team, explained: "FileTSAR allows forensic investigators to capture, selectively analyze and reconstruct files from network traffic.

"The main functions of this tool are capturing data flows and providing a mechanism to selectively reconstruct documents, images, email and VoIP conversations."

So far, over 100 law enforcement agencies from around the globe have requested access to the technology, which is being licensed through the Purdue Research Foundation Office of Technology Commercialization. 

"Knowing that we created an affordable tool that will help law enforcement with their network forensic investigations is incredibly rewarding," Seigfried-Spellar said.

Aside from being a useful tool for digital forensic law enforcement teams tasked with tracking down cyber-criminals, the versatile Purdue toolkit has useful applications for the business world. 

For example, by recovering a company's network traffic, FileTSAR can detect employees who abused technology for their own purposes. It can also identify staff who have acted as insider threats, sending out trade secrets or sabotaging data.

The Purdue team developed its FileTSAR toolkit by collaborating with law enforcement agencies from around the country, including the High Tech Crime Unit of Tippecanoe County, Indiana, which is housed in Purdue’s Discovery Park.

In return for their help, law enforcement agencies were given access to the project for three years. 

The Purdue Research Foundation Office of Technology Commercialization operates one of the most comprehensive technology transfer programs among leading research universities in the US. 

Services provided by this office support the economic development initiatives of Purdue University and benefit the university's academic activities through commercializing, licensing, and protecting Purdue's intellectual property. 

Funding for the project was made available by the National Institute of Justice.

Categories: Cyber Risk News

US to Give Ukraine $8m for Cybersecurity

Info Security - Thu, 03/05/2020 - 17:26
US to Give Ukraine $8m for Cybersecurity

The United States has pledged $8m to support a Ukrainian cybersecurity project. 

The generous commitment was announced by the State Department on Tuesday as part of a "cyber-dialogue" that took place between the two countries in Ukraine's capital, Kyiv. 

A new cybersecurity project sponsored by USAID (the US Agency for International Development) will be the beneficiary of the promised injection of American dollars. Over the next four years, it is anticipated that the project will raise a total of $38m, all of which will be spent on improving Ukraine's cybersecurity. 

Among other things, the money will be used to expand and develop the country's cyber-workforce and to support legal and regulatory reform. 

The $8m pledge comes just three years after the US gave Ukraine $10m of cybersecurity assistance. America's first cash injection was agreed upon in 2017 as part of the first ever cyber-dialogue held between the two countries. 

A review of the cybersecurity projects in operation between Ukraine and the US followed in 2018.

According to the State Department, the third cyber-dialogue held on March 3 and its accompanying financial pledge served to reaffirm "our shared commitment to ensure an open, interoperable, reliable, and secure cyberspace in which all states behave responsibly."

Issues discussed at the meeting included how to respond to a serious cyber-incident, how to strengthen critical infrastructure against cyber-attackers, and how to secure the security of the 5G network.

On the agenda also were cyber-capacity building and international cyber-policy issues, including engagements in multilateral fora and policies around public attribution.  

Attending the dialogue were America's acting deputy chief of mission at the US embassy in Kyiv, Joseph Pennington, various officials from the Federal Bureau of Investigation, and representatives from the US Defense, Energy, Homeland Security, and Treasury departments.

Ruslan Nimchynskyi, Ministry of Foreign Affairs director general for international security, led Ukraine’s interagency delegation.

America's pledge to offer further financial support to Ukraine follows a request by Ukrainian authorities for support from the United States to investigate a cyber-attack. Ukraine asked for assistance from the FBI to examine an attack on Ukrainian gas company Burisma, which it believes was engineered by Russian military hackers.

Categories: Cyber Risk News

UK Cybersecurity Defense Standards Slip, Calls Made for Improvement

Info Security - Thu, 03/05/2020 - 12:00
UK Cybersecurity Defense Standards Slip, Calls Made for Improvement

UK businesses need to further strengthen their defenses against cyber-attacks, according to new research which has revealed that cybersecurity performance in the UK has declined in the last year compared to other EU countries.

The research from BitSight found that the UK has slipped backwards in the last year in terms of its overall cybersecurity rating and is now behind Germany, Austria and Finland among the G7, whilst insurance, defense and legal sectors are the highest performing overall when it comes to cybersecurity.

Speaking at an event held at the House of Lords on February 5, CTO and co-founder of BitSight Stephen Boyer said that “the number of vulnerabilities in the attack surface continues to explode” and this was because of digital transformation, which had its benefits to the organization but also could “leave the doors unlocked” when it comes to defense issues.

As for the research, Boyer said that the UK ranking regarding cybersecurity ratings is down slightly, but this is in the wrong direction and there is room for improvement. “There are threats that are out there, and things that organizations are doing that are causing risk that could cause catastrophic scenarios,” he said.

Boyer added that Belgium was the most noted country for cybersecurity in the G7, because of its public and private sector collaboration and efforts to inform the private sector of threats and issues. “They are also very focused on measurement, how they are doing and as most of the IT infrastructure is owned and operated by the private sector, they report to the Prime Minister how they are doing as a country, and how they compare,” he said.

Boyer explained that this level of reporting was the future of metrics for economies as “almost everything we do will have some sort of cybersecurity component.”

Also speaking at the event was former Home Secretary Lord Blunkett, who is also chair of Cyber Essential Direct. He said the data “encourages us that we are doing alright, not brilliantly,” but fresh NCSC reports about IoT devices shows that challenges around supply chain require better collaboration. “The message is clear: we’ve got a major challenge ahead of us and we can do so much more,” he argued.

Matt Warman, MP for Boston and Skegness, said that despite the “continued misconceptions of too many businesses, cyber-risk is enormous and growing, and it is clearly in the national interest for this industry as a whole” to have better defenses.

Warman also said that the economic opportunity for Britain to build on its enormous reputation in this area is huge “and if we get this right, we can make sure this is an industry in which Britain continues to have that great reputation.”

Categories: Cyber Risk News

UK’s ICO Fines Cathay Pacific £500,000 for 2018 Breach

Info Security - Thu, 03/05/2020 - 11:20
UK’s ICO Fines Cathay Pacific £500,000 for 2018 Breach

The UK’s data protection watchdog has issued the maximum possible fine to Cathay Pacific in response to a major breach at the Asian airline which resulted in the compromise of millions of customers’ data.

The £500,000 penalty from the Information Commissioner’s Office (ICO) comes under the old Data Protection Act 1998, which was superseded by the GDPR, and its UK version the Data Protection Act 2018.

Over 111,000 of the Hong Kong airline’s 9.5 million global passengers were from the UK. The ICO judged that between October 2014 and May 2018 insufficient security measures were put in place, enabling hackers to compromise an internet-connected server and install data harvesting malware in the 2018 breach.

Specifically, it called out a “catalog of errors” including: back-up files that weren’t password protected unpatched internet-facing servers, inadequate AV and use of unsupported operating systems.

“People rightly expect when they provide their personal details to a company, that those details will be kept secure to ensure they are protected from any potential harm or fraud. That simply was not the case here,” said ICO director of investigations, Steve Eckersley.

“This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.”

The size of the UK fine also shines a light on the inadequacies of Hong Kong’s domestic data protection regime.

It took Cathay Pacific seven months to report the incident, although it was under no legal obligation to do so at all. The privacy commissioner was also powerless to levy fines. The only option was an enforcement notice citing violation of privacy laws and an order that the firm improved its cybersecurity posture.

Even if the airline had failed to comply with the order, it would only have faced a fine of HK $50,000 ($6433).

The Special Administrative Region (SAR) of China is looking to update its privacy laws in line with the GDPR, to include major fines levied in the future as a percentage of global turnover.

Categories: Cyber Risk News

Let’s Encrypt: One Million Certificates Non-Compliant After Bug

Info Security - Thu, 03/05/2020 - 10:30
Let’s Encrypt: One Million Certificates Non-Compliant After Bug

Let’s Encrypt has revealed that over one million of its HTTPS certificates containing a bug in its automatic validation code will not be revoked by the March 5 deadline, despite being non-compliant.

The free TLS certificate organization discovered the flaw in late February. It lies in the code which checks for a Certificate Authority Authorization (CAA) whenever users renew their certificates, to make sure the domain owner hasn’t put any restrictions on who can renew.

The bug means that for web owners with multiple domains, Let’s Encrypt’s automatic checks only scanned one of these, missing the others. That could in theory expose them to the risk of hijacking by cyber-criminals.

As a result, Let’s Encrypt announced it would be revoking around 2.6% of active registrations by 3 am today (GMT), amounting to three million certificates. Josh Aas, executive director of the non-profit Internet Security Research Group (ISRG), explained that he was doing this because “industry rules require that we revoke certificates not issued in full compliance with specific standards.”

Yet although the organization has been working with web owners to replace the affected certs as quickly as possible, things didn’t go to plan and many of these certificates are still theoretically exposed to exploitation.

“Unfortunately, we believe it’s likely that more than one million certificates will not be replaced before the compliance deadline for revocation is upon us. Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the internet for us to not revoke those certificates by the deadline,” explained Aas on Wednesday night.

“Let’s Encrypt only offers certificates with 90-day lifetimes, so potentially affected certificates that we may not revoke will leave the ecosystem relatively quickly. We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to web users.”

The news comes just days after the ISRG-backed initiative issued its billionth certificate, in what it claimed was a milestone for user privacy and security online.

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, argued that incidents such as these highlight the worrying lack of insight many firms have into how many certificates, or “machine identities,” they’re running.

“When an event such as this happens, organizations need to be able to quickly swap out their old machine identities for new, secure ones. However, most do not understand or have visibility of their machine identities,” he added.

“They don’t know how many identities they have — a figure that could be in the tens of thousands — they do not know who issued them, or what they are being used for. Added to this, the only way they can update them is to go through and manually find and replace every single one.”

The answer is to invest in tools which automate the discovery and management of certificates, Bocek concluded.

Registration is now open! Join the Infosecurity Magazine Online Summit. Download the full agenda & find out more #IMOS20 https://bit.ly/2IigL69

Categories: Cyber Risk News

J.Crew Customer Accounts Breached a Year Ago

Info Security - Thu, 03/05/2020 - 09:23
J.Crew Customer Accounts Breached a Year Ago

J.Crew has informed customers that their accounts and personal information may have been compromised by an unauthorized third party, in what appears to be a credential stuffing attack.

The popular US clothing retailer claimed the hacker obtained customer usernames and logins and used them to access the accounts in around April 2019.

“The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders,” the notice read.

“We do not have reason to believe that the unauthorized party gained access to any additional information within your account.”

Still, these details would be enough to craft highly convincing phishing emails designed to elicit further information from customers, with the aim of full-scale identity fraud.

The firm has reset passwords for the affected accounts and urged customers to change the credential if they use it across any other sites.

However, the notice raises one important question: if the incident was detected “through routine and proactive web scanning” by J.Crew, why did it take almost a year to alert customers?

Red Canary co-founder, Chris Rothe, argued that this “scanning” may refer to the firm’s dark web searches for customer data, which may not have elicited the stolen data for months.  

“This is an interesting aspect of breaches that I don't think most people realize. The time from when a breach is discovered to when it is disclosed can be a long time depending on how difficult the investigation is, how sensitive the data is, etc,” he said.

“As a J.Crew consumer I may have an expectation that if someone compromises my account, the company will tell me immediately. The reality is it could take a very long time especially for organizations with weak detection and response capabilities.”

Retail is one of the most frequently targeted sectors for credential stuffing attacks. Akamai detected nearly 28 billion attempts on retail customer accounts in an eight-month period in 2018.

Registration is now open! Join the Infosecurity Magazine Online Summit. Download the full agenda & find out more #IMOS20 https://bit.ly/2IigL69

Categories: Cyber Risk News

Zynga Facing Lawsuit Over Data Breach

Info Security - Wed, 03/04/2020 - 18:32
Zynga Facing Lawsuit Over Data Breach

A class-action lawsuit has been filed against gaming company Zynga Inc. over a data breach that exposed the personal information of 173 million users. 

The casual-gaming giant, which made its name with Farmville, warned mobile players of Words With Friends and Draw Something to update their passwords after the breach occurred in September 2019. 

That month, Pakistani hacker Gnosticplayers claimed to have breached Zynga’s user database and accessed 218 million user accounts.

A player security announcement made by Zynga on September 12 in the wake of the breach dispassionately touted cyber-attacks as "one of the unfortunate realities of doing business today." 

The company took a fairly coy line on what information had been accessed in the attack, admitting only that "certain player account information may have been illegally accessed by outside hackers." 

Players were assured by Zynga at the time the attack was publicized that their financial information had not been compromised.

Now two plaintiffs have filed a class-action lawsuit against Zynga in the district court of California and accused the company of "failure to reasonably safeguard" players' personal information.

Personal data specifically mentioned by the plaintiffs in the suit includes usernames, email addresses, login IDs, password reset tokens, Facebook IDs, Zynga account IDs, and passwords stored with outdated cryptography.

The plaintiffs, one of whom is a minor represented by an adult, allege in particular that Zynga failed to uphold the special duty of care it owes the many minors who play its games. 

According to the complaint, Zynga didn't just neglect to take adequate steps to protect players' data. Plaintiffs also allege the gaming company acted deliberately to "intentionally and unconscionably" deceive users regarding the safety of their personal information.

Furthermore, the lawsuit accuses Zynga of unjust enrichment and criticizes the company for allegedly failing to notify users of the breach in a timely manner. The plaintiffs claim that Zynga never officially notified users of the breach via email, but merely posted statements regarding the breach online. 

In total, the lawsuit lists 14 separate counts of action and claims for relief, ranging from the violation of state data breach statutes to negligence.

Damningly, the suit says the company seems to be “far more concerned with protecting itself than with safeguarding the valuable and confidential information of its users.”

Categories: Cyber Risk News

Carnival Cruise Lines Hacked

Info Security - Wed, 03/04/2020 - 17:05
Carnival Cruise Lines Hacked

Two cruise lines operated by Carnival Corp have fallen victim to a cyber-attack.

Carnival announced on Monday that Princess Cruises and the Holland America Line had both been hit by cyber-criminals in late May last year.

Investigations into the incident carried out by Princess and Holland America revealed that an unauthorized third party had gained access to a substantial amount of personal information belonging to both passengers and crew.

Data accessed in the attack included email accounts, names, Social Security numbers, government identification numbers, passport numbers, health-related information, and credit card information of guests and employees. Not all guests were impacted by the incident.

In a statement released on March 2 by Princess Cruises, the company said it had "identified a series of deceptive emails sent to employees resulting in unauthorized third-party access to some employee email accounts."

The company said it notified law enforcement of the incident and are notifying affected individuals where possible. 

Princess and Holland America said that they acted promptly to contain the attack and prevent further unauthorized access from occurring. They also retained "a major cybersecurity firm to investigate the matter while reinforcing security and privacy protocols to further protect systems and information."

So far, the investigators have not found any evidence that the data accessed without authorization during the attack has been misused. Both cruise lines said they would be offering credit monitoring and identity protection services free of charge "to give those affected peace of mind."

It is unclear precisely how many people have been affected by the incident, but the number could potentially be high. Together, the lines account for roughly 30% of Carnival Corp's capacity as of November 30.

The news is another blow to Princess, which has been featured relentlessly in the media after the coronavirus COVID-19 ripped through its ship Diamond Princess, infecting hundreds and triggering evacuations of some passengers. After completing a period of quarantine in Yokohama, Japan, all guests have now disembarked from the ship.

Princess Cruises stated on February 9 that all guests on board the beleaguered Diamond Princess will receive a full refund. Rather optimistically assuming passengers will want to take to the water again, the company has also issued guests with future cruise credit.

Categories: Cyber Risk News

Mobile Attacks Outpace Desktop Assaults

Info Security - Wed, 03/04/2020 - 16:07
Mobile Attacks Outpace Desktop Assaults

For the first time in cybercrime's history, more attacks have been waged against mobile devices than have been hurled at desktops.

This seminal shift in attack strategy was recorded by researchers at LexisNexis Risk Solutions during the creation of their latest cybercrime report, "Fraud Without Borders."

The report is based on the analysis of 19 billion transactions that took place on LexisNexis' Digital Identity Network between July and December last year. Among those transactions, researchers identified 401 million attacks, 264 million of which targeted mobile devices, while 137 million struck at desktops. 

Although criminals showed a marked preference for mobile in terms of the volume of attacks, the attack rates targeting transactions were virtually identical. While researchers noted a 56% rise in the mobile attack rate year on year and a 23% decline in the desktop attack rate, the rate of attacks targeting transactions was 2.7% and 2.5% for desktops and mobile devices, respectively.  

Commenting on the online crime world's historic change of tack, researchers wrote: "Although this is heavily influenced by a key global bot attack, it nevertheless shows a shift in focus of global cybercrime towards targeting the mobile channel.

"These bots are vast, automated and come from multiple global geographies and were particularly targeting new account creation transactions during the second half of 2019."

When comparing different types of attacks on mobile devices, researchers found that mobile browser transactions were attacked at a higher rate than mobile app transactions. However, attacks on mobile apps were observed to have grown at a rate of 171% year on year. 

In terms of the financial impact of cybercrime, researchers deduced from the data that during a one-month period alone, $40m was at risk from cross-organizational fraud exposure. 

The report portrays cybercrime as borderless, innovative, and highly sophisticated, with researchers noting that criminal networks now mirror legitimate enterprises in their organizational structure. 

Criminal "finance departments" deal with the laundering of money, while "procurement" enlists money mules and "engineering" develops cutting-edge attacks to bypass the latest advances in cyber defenses.

"Analysis in this report shows that cybercrime is operating on a global scale in vast, interconnected networks that are unrestricted by regional, country or industry borders," wrote researchers. "It’s clear that cybercrime is a highly networked, complex and ever-evolving beast."

Categories: Cyber Risk News

Security by Sector Interview: Cybersecurity and the Gaming Industry

Info Security - Wed, 03/04/2020 - 14:00
Security by Sector Interview: Cybersecurity and the Gaming Industry

The gaming industry is a huge commercial market, but as Infosecurity has previously explored, it is also, by its very nature, rife with information security risks, challenges and implications.

Percona is an organization that has worked directly with gaming companies such as Big Fish Games and MathsCircle to help them secure their open source deployments. As such, the company is uniquely positioned to provide key insight into and advice about the cybersecurity landscape within the modern gaming sector.

As part of it’s Security by Sector content series, Infosecurity recently spoke to Percona’s chief experience officer Matt Yonkovit to learn more.

What pressures are gaming companies under when it comes to cybersecurity?

The biggest challenge is the risk that a breach would pose. Too many companies, in general, have been hit by incidents due to poor database security and operations, so this area needs a lot of work. There are good best practices, like data encryption and role-based access control, but they are often ignored or missed due to a lack of skills.

What security challenges are specific to the gaming sector?

The real-time element of gaming is a big issue as it puts the emphasis across a team on scaling up and down. This can make it harder for teams to address security concerns. Gaming companies are highly sensitive to performance and outage issues. Their users are passionate and vocal when they can’t access a game when and how they want to. Missing user expectations can doom the reputation of a game.

The other element here is that the gaming sector covers a huge variety of companies, from international giants through to smaller firms that address niche markets. Each of these companies will have the same problems – keeping customer data secure, available and performant – but the smaller ones may find it harder to get the right skills in place. Bringing in consulting expertise around open source databases can help those smaller firms achieve their goals.

What lessons must gaming companies learn about their cybersecurity strategies?

The number of breach stories out there today should mean that everyone is aware of the issues that exist around security. There’s no excuse for not thinking about these issues and putting plans in place to keep your infrastructure protected.

Being prepared around security is just essential these days. If you don’t have contingency plans in place, then you are at risk.

Are there any security lessons that companies in other markets can learn from the gaming industry?

I think there are two key lessons to be learned. First, gaming firms have to do a good job of balancing their services and keeping them running. Maintaining performance while keeping data secure is a good example of where security and IT teams can work together effectively.

The second is around DevOps and data management. There are a lot of DevOps teams across the industry that have been developed specifically to support the need to release games faster and provide what customers want, and this is really obvious in the gaming sector. If you don’t have the right pipeline of new content or launches taking place, then you will lose customers. However, ensuring the pipeline works while keeping it secure and well managed, that’s the bigger challenge. The gaming industry is uniquely positioned to confront and respond to this challenge. Where gaming firms get this right is a good example that other companies can learn from.

Categories: Cyber Risk News

NCSC Updates Guidance to Tackle Smart Camera Hijacking

Info Security - Wed, 03/04/2020 - 11:30
NCSC Updates Guidance to Tackle Smart Camera Hijacking

The UK’s National Cyber Security Centre (NCSC) has been forced to issue new guidance on how smart home users can protect their connected cameras from being hijacked.

The public-facing GCHQ body warned that live feeds from such cameras, and smart baby monitors, could be monitored remotely when devices are shipped with easy-to-guess or crack factory default passwords.

This has led to numerous cases in the past of terrified parents and home users finding out they’ve unwittingly made their families less secure by installing such equipment.

The new advice from NCSC urges users to change any default passwords to a unique, strong credential, to keep device firmware regularly updated and to disable the feature that allows them to view camera footage remotely if not needed.

The guidance also suggests users should disable UPnP and port forwarding on their home routers to further reduce the attack surface.

The password flaw is essentially how Mirai hackers managed to hijack hundreds of thousands of connected endpoints and conscript them into botnets over the past few years, launching some of the largest DDoS attacks ever seen.

Seeking to tackle some of these concerns, the UK government is planning to introduce a landmark new consumer law designed to prohibit the sale of IoT products that fail to meet minimum security standards.

The law would ensure “IoT device passwords must be unique and not resettable to any universal factory setting.” It would also force manufacturers to provide a public point of contact as part of a vulnerability disclosure policy, and state the minimum length of time a product would receive updates for.

Kiri Addison, head of data science overwatch at Mimecast, warned that camera footage is starting to be used by hackers to blackmail victims.

“Basic cyber-hygiene, such as changing default passwords and regularly updating software, can go a long way to improving device security,” she added.

“Their capabilities will inevitably increase rapidly in the next few years and the legislation and any accompanying guidance will then need to be updated to maintain an adequate minimum standard of security.”

Categories: Cyber Risk News

Tesco Issues 600,000 New Clubcards After Brute Force Attack

Info Security - Wed, 03/04/2020 - 10:30
Tesco Issues 600,000 New Clubcards After Brute Force Attack

UK supermarket giant Tesco is issuing 600,000 customers with new loyalty cards after some accounts were compromised by an unauthorized third party.

Although Tesco’s own IT systems were not compromised, it’s believed the hackers used a combo list of breached usernames and passwords sourced from elsewhere and conducted a brute force attack.

The supermarket also reassured customers that no financial details were taken.

“We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers,” a Tesco spokesperson told the BBC.

“Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts.”

Chris Miller, regional director, UK & Ireland at RSA Security, argued that credential stuffing attacks are one of the biggest causes of data loss.

“From the end user’s perspective, it really is important not to use the same password for multiple accounts — especially between work and personal accounts. If there has been a data breach such as this, which involves a company they have an account with, they need to change the password not just on that account, but also any other account that uses the same one,” he added.

“After all, if attackers have tried to log into Tesco Clubcard with stolen credentials, in all likelihood they’ll be trying the credentials on other sites too. Finally, some sites and apps will offer two-stage authentication, asking for both a password and, for example, a code delivered to a mobile phone. It’s a good idea to tick this option, as it can offer an extra degree of security.”

According to Akamai, there were 28 billion credential stuffing attacks on e-commerce accounts from May to December of 2018, amounting to 115 million attempts to log-in each day.

Categories: Cyber Risk News

Hackers Steal Customer Data from UK FinTech Loqbox

Info Security - Wed, 03/04/2020 - 09:45
Hackers Steal Customer Data from UK FinTech Loqbox

A UK-based fintech was hit by a “sophisticated” cyber-attack last month, compromising the payment information and personal details of its customers.

The firm, which helps customers improve their credit score by taking out and repaying loans with it, revealed the incident in an email to customers seen by MoneySavingExpert.

It happened on February 20 this year, and although the number of customers affected is thus far unknown, the variety of personal information compromised should set alarm bells ringing for those affected.

It includes customers' names, dates of birth, postal addresses and phone numbers alongside: the first six and last four digits of their card number, expiry date, sort code and two digits from their bank account number.

This information isn’t enough on its own for hackers to use in payment or account takeover fraud, but it could certainly be deployed to make follow-on phishing attacks more convincing.

If a victim responded to such an email with more of their details, hackers could piece together enough digital information to commit a range of identity fraud scams.

“Cyber-criminals are quick to create genuine-looking fake sites and emails designed to manipulate further information out of their victims including passwords or other missing data,” warned ESET cybersecurity specialist, Jake Moore.

Loqbox itself has claimed to have notified the relevant regulatory authorities and police, and has taken steps to address the security issues which led to the breach.

It reassured customers that any funds paid into accounts were still secure. However, there’s no public breach notification on its website or Twitter feed, the latter not having been updated since June 2019.

Categories: Cyber Risk News

Californian Jailed for Cyber-Stalking Mass Shooting Victims' Families

Info Security - Tue, 03/03/2020 - 17:49
Californian Jailed for Cyber-Stalking Mass Shooting Victims' Families

A California man who used social media to stalk and threaten the families of American mass shooting victims has been sentenced to 66 months in a federal prison.

Brandon Michael Fleury, of Santa Ana, was convicted of cyber-stalking and sending a kidnapping threat to the friends and family of people who were killed in the Marjory Stoneman Douglas High School shooting in Parkland, Florida. The mass shooting, which occurred in 2018, left 17 students dead.

To commit his crimes, 22-year-old Fleury created 13 different Instagram accounts, using a barrage of aliases, including alleged Parkland shooter Nikolas Cruz and executed serial killer Ted Bundy. 

Fleury would then post malicious messages, tagging the friends and families of Parkland shooting victims. 

These messages, posted from December 28, 2018, to January 11, 2019, included statements like, “I’m your abductor I’m kidnapping you fool,” “With the power of my AR-15, you all die,” and “With the power of my AR-15, I take your loved ones away from you PERMANENTLY.”

Many of the messages, including ones written under usernames referring to Cruz and containing Cruz’s profile picture, directly taunted victims' friends and families about the deaths of their loved ones in the Parkland shooting. 

One message, targeting Jesse Guttenberg, who lost a sister in the attack, read: "I took Jaime away from you. You'll never see her again hahaha."

Aliases used on Instagram by Fleury included @teddykillspeople and @nikolas.killed.your.sister.

Upon examining tablets owned by Fleury, law enforcement found thousands of saved images of the notorious Bundy along with images of Fleury's targeted victims. Police also found saved screenshots of the messages that Fleury had sent to his victims.

Fleury was arrested in the Santa Ana home he shared with his father and brother and charged in January 2019. Law enforcement tracked him down after subpoenaing Instagram for IP addresses and account information related to the threatening and harassing posts. 

Following his convictions for interstate transmission of a threat to kidnap and interstate cyber-stalking, US District Judge Rudolfo A. Ruiz II sentenced Fleury on Monday to a 66-month custodial sentence.

Categories: Cyber Risk News

CIA Accused of Mounting 11-Year Cyber-Attack Against China

Info Security - Tue, 03/03/2020 - 17:12
CIA Accused of Mounting 11-Year Cyber-Attack Against China

A security company has accused America's Central Intelligence Agency (CIA) of waging an 11-year campaign of cyber-espionage against critical industries in the People's Republic of China.

Qihoo 360 announced yesterday that it had "discovered and revealed cyber-attacks by the CIA hacking group (APT-C-39) which lasts for eleven years against China."

The company claims to have evidence that several different industry sectors have been targeted by the CIA's cyber-spying campaign, including aviation organizations, scientific research institutions, the petroleum industry, internet companies, and government agencies.

Further claims are made that the CIA also targeted hundreds of commercial airlines in countries other than the PRC. 

Researchers said a former CIA employee, Joshua Adam Schulte, "was responsible for the research, development and production of cyber weapons" unleashed during the prolonged spying campaign.

According to Qihoo 360, Schulte was employed at the CIA’s National Clandestine Service (NCS) as a Directorate of Science and Technology (DS&T) Intelligence Officer. They claim Schulte was "directly involved in the development of the cyber weapon - Vault 7," which they say was used by the alleged CIA hacking group APT-C-39. 

Evidence of the existence of a hacking tool with the code name Vault 7 was among the 8,716 CIA documents disclosed to WikiLeaks in 2017 and subsequently made public, wrote the researchers. 

They allege that the document cache included 156 confidential documents that provide a record of the CIA hacking group’s attack methods, targets, tools, and technical specifications and requirements. 

Researchers wrote: "Qihoo 360 analyzed the leaked material of Vault 7 and associated with the team’s researches, it discovered a series of targeted attacks against China's aviation industry, scientific research institutions, petroleum industry, large Internet companies and government agencies. 

"These eleven-year attacks can be traced back to 2008 (spanning from September 2008 to June 2019), and are mainly distributed in provinces such as Beijing, Guangdong, and Zhejiang." 

According to Qihoo 360, APT-C-39 has used CIA-exclusive cyber-weapons such as Fluxwire and Grasshopper to carry out cyber-attacks against China.

Since being established in 2014, the company claims to have discovered more than 40 APT hacking groups and "a number of APT operations" launched against the PRC by other countries.

Categories: Cyber Risk News

Canada's Auditor General: "Our Main IT System Is Running on DOS"

Info Security - Tue, 03/03/2020 - 15:49
Canada's Auditor General: "Our Main IT System Is Running on DOS"

Canada's auditor general has said outdated technology, staffing issues, and a chronic lack of funding are making it difficult for his office to fulfill its mandate. 

Speaking at a meeting of the country's Public Accounts committee on Thursday, Sylvain Ricard bemoaned the fact that his office was forced to rely on antiquated computer systems that pose a security threat.

Ricard, who took up the auditor general position in March 2019, told the committee: "Our main IT system is running on DOS. That creates all sorts of issues for us, both in a security perspective and an operational perspective because they’re not supported anymore."

DOS, or disk operation system, was a smash hit when it was introduced in the late 1970s, but the technology was essentially retired in the mid-1990s. Today, the beyond retro system is considered obsolete.

Ricard said that failure to upgrade to newer technology has left the office of the auditor general (OAG) isolated and vulnerable. 

"You can’t turn to a supplier and get updates, because they don’t exist. That’s our reality,” said Ricard.

Canadian members of Parliament were stunned to learn that Ricard and his team were trying to perform audits with technology that went out of fashion back when Brad Pitt was dating a cigarette-smoking Gwyneth Paltrow. 

Upon learning that the country's auditor general was forced to work with a DOS system put in place in the late 1980s, a flabbergasted NDP MP Matthew Green said: "That’s wild."

Reliance on last century's technology has made attracting a new generation of auditors and analysts an uphill struggle for the OAG. Recruits who do accept a job offer from the office quickly find that they are not able to use many of the tools they learned in school. 

"You cannot interest young people these days with old technologies. That’s a major challenge for us. Our direct competitors are companies like Deloitte (and) our technology is in the way," said Ricard.

Painting a generous picture of how outdated the OAG's technology really is, Ricard said: "The new staff we hire arrive with modern skills, but they aren’t able to use them because they’re in a workplace that is behind by 10 years."

Ricard said that to bring the office's technology up to date, an extra $10.8m was needed on top of the office's current $88m annual budget.

Categories: Cyber Risk News

Washington in Super Tuesday Fake News Warning

Info Security - Tue, 03/03/2020 - 12:00
Washington in Super Tuesday Fake News Warning

Eight US government departments and agencies have issued a statement warning voters in today’s Super Tuesday primaries to be on their guard for foreign-led misinformation on social media.

Voters in 14 states will go to the polls today to choose who they want to see fight the next Presidential election later this year. As such, it represents a major opportunity for Russian or other state-led efforts to undermine specific candidates, or more generally, faith in the democratic process.

The government notice warned foreign governments that firm reprisals would come their way if any such activity was detected.

“We continue to work with all 50 states, US territories, local officials, political parties and private sector partners to keep elections free from foreign interference,” it said.

“We remain alert and ready to respond to any efforts to disrupt the 2020 elections. We continue to make it clear to foreign actors that any effort to undermine our democratic processes will be met with sharp consequences.”

The threat to US elections is three-fold: hackers have already been discovered probing voting infrastructure, and could use unauthorized access to disrupt the e-voting systems themselves. Or they could go down the Guccifer 2.0 route and try to hack and release sensitive internal documents from candidates’ teams, in order to smear them.

Fake social media accounts spreading misinformation on candidates are a third option.

On the latter, the government warned voters to “remain aware that foreign actors continue to try to influence public sentiment and shape voter perceptions.

“They spread false information and propaganda about political processes and candidates on social media in hopes to cause confusion and create doubt in our system,” it said.

However, in reality, there’s not much that Washington could do in the event of a serious incident. In the past, Vladimir Putin has blamed activity on “patriotic hackers,” thus giving the Kremlin plausible deniability.

The statement was issued by: secretary of state Mike Pompeo; attorney general, William Barr; defense secretary, Mark Esper; acting secretary of Homeland Security, Chad Wolf; acting director of national intelligence, Richard Grenell; FBI director, Christopher Wray; US Cyber Command commander and NSA director Paul Nakasone and Cybersecurity and Infrastructure Security Agency (CISA) director, Christopher Krebs.

Categories: Cyber Risk News

Chinese Nationals Charged With $100m Crypto Money Laundering

Info Security - Tue, 03/03/2020 - 10:40
Chinese Nationals Charged With $100m Crypto Money Laundering

Two Chinese nationals have been indicted and placed under sanctions after being accused by the US government of helping to launder over $100m in cryptocurrency funds stolen by North Korean hackers.

Tian Yinyin and Li Jiadong were charged with money laundering conspiracy and operating an unlicensed money transmitting business, although they’re unlikely to face trial in the US.

Between December 2017 and April 2019 they’re accused of laundering over $100m in virtual currency stolen from exchanges and elsewhere by Pyongyang’s infamous state-backed Lazarus Group.

One of these hacks was a massive $250m heist at an unnamed exchange in 2018, while another involved the theft of $48.5m in virtual currency from a South Korean exchange in November 2019.

In the case of the $250m theft, Tian moved $34m of $91m transferred to the duo to a Chinese bank account, and transferred $1.4m into iTunes gift cards, according to the US Treasury.

It’s also claimed that their North Korean co-conspirators bypassed virtual currency exchange know-your-customer controls by submitting doctored photographs and identification documents. In total, 113 virtual currency accounts and addresses were allegedly used to launder funds.

Although the two are unlikely to face justice, the Treasury has slapped them with sanctions which mean that any of their “property and interests in property” that might be in the US or under control of US persons “must be blocked and reported to Office of Foreign Assets Control.”

North Korea has long targeted cryptocurrency exchanges as a method of skirting US sanctions to fill the Kim Jong-un regime’s coffers. A UN report from 2019 claimed that state-backed hackers have managed to amass as much as $2bn by targeting these and regular banks with malware.

Categories: Cyber Risk News

SpaceX Contractor Hit by Data Breach

Info Security - Tue, 03/03/2020 - 09:41
SpaceX Contractor Hit by Data Breach

An aerospace and industrial manufacturer has become the latest firm to have sensitive internal documents published online by ransomware attackers.

Visser Precision, which makes parts for Tesla and SpaceX as well as defense contractors Boeing and Lockheed Martin, was hit by the DoppelPaymer variant, according to security vendor Emsisoft.

The hackers have apparently already published NDAs the firm signed with Tesla and SpaceX, and product-related plans.

DoppelPaymer has already been deployed against various targets including the government of Canadian territory Nunavut and Mexican state petroleum giant Pemex.

Publishing stolen data is an increasingly common tactic for cyber-criminals keen to force their victims into paying a ransom, even if the latter have already backed-up their systems according to best practices.

Rapid7 principal security researcher, Wade Woolwine, argued the case highlights the importance of conducting full incident investigations for all security breaches.

“In ransomware situations, organizations typically focus on restoring normal business operations at the expense of conducting a full investigation,” he added.

“At the very least, victims should determine what volume of network data was transmitted by the infected hosts, and to where. This will help establish whether there might have been data exfiltration and justify additional technical investigation like forensics and malware analysis.”

Jonathan Knudsen, senior security strategist at Synopsys, argued that organizations increasingly need to reach out to their supply chains to ensure security best practices are being observed.

“How can you defend against such attacks? Obviously, the first priority is getting your own house in order. Adopt good security practices, educate your employees and plug all the holes in the dam,” he said.

“Beyond that, it’s in your own best interests to make sure your vendors and your customers are doing the same. Ask your partners what they’re doing about cybersecurity. Share best practices, techniques and tactics. Cybersecurity is a community effort; the only way we’ll make significant gains against our adversaries is through cooperation.”

Categories: Cyber Risk News

Walgreens App Error Has Customers Viewing Each Other's Personal Messages

Info Security - Mon, 03/02/2020 - 19:10
Walgreens App Error Has Customers Viewing Each Other's Personal Messages

America's second-largest pharmacy store chain has disclosed an app error that let customers view the private personal messages of other customers.    

For nearly a week last month, users of the Walgreens mobile app were able to view the first and last names and shipping addresses of other customers together with their prescription numbers, the names of the drugs they had been prescribed, and the store number of the branch fulfilling their order. 

Walgreens filed a data breach report with the California Department of Justice on Friday, February 28, including a sample of the breach notification letter the company sent out to affected customers. 

In the letter, the company explains: "We recently learned of unauthorized disclosure of one or more of your secure messages within the Walgreens mobile app."

The company goes on to state that from January 9, 2020, to January 15, 2020, personal messages from Walgreens that were stored in a database were viewable by other customers using the Walgreens mobile app.

According to the chain, the breach was due to an internal error in the Walgreens mobile app personal secure messaging feature. 

Walgreens said that swift action was taken once the breach came to light but gave no information regarding how the exposure was discovered. 

The pharmacy chain said that only a small percentage of its customer base was affected by the cybersecurity incident and that no financial data or Social Security numbers were exposed. 

The store then promised to carry out additional testing of the app in the future to make sure changes won't compromise the privacy of customer data.

Fausto Oliveira, principal security architect at Acceptto, believes a lack of testing and poor design were to blame for the error that caused the breach.

"If the error conditions in the app had been properly tested, this type of issue should have been caught by the QA department and never [been] seen in production. It is unfortunate that often in the rush to go to market, shortcuts are taken, and due diligence testing is skipped in favor of meeting a release date," he commented.

"A proper design would have ensured that any records accessible on the mobile device would be encrypted using per user keys and that the device would only have access to the information that was relevant to the specific user."

Categories: Cyber Risk News