Feed aggregator

Trustworthy AI Initiative Launched

Info Security - Tue, 06/09/2020 - 17:00

A digital intelligence company has launched a global initiative to promote the development of trustworthy artificial intelligence (AI) technology.

ABBYY was moved to take action by the growing prevalence of AI systems in our day-to-day lives and the anticipated growth in expectation for those systems to be fair, transparent, and ethical. 

By 2025, Gartner estimates 30 percent of large enterprise and government contracts for the purchase of digital products and services that incorporate AI will require the use of explainable and ethical AI. Furthermore, three-quarters of consumers say they won’t buy from unethical companies, while 86% say they’re more loyal to ethical companies.

To get the ball rolling, ABBYY has publicized its core guiding principles on developing, maintaining, and promoting trustworthy AI technologies. The company is now advocating for other technology leaders to do likewise.

“Innovation and ethics go hand in hand. As the use of AI grows, it is important for technology leaders to adhere to and promote the use of technologies that are transparent, fair, unbiased and respect data privacy,” commented Anthony Macciola, chief innovation officer at ABBYY. 

“By adhering to high standards with regards to the performance, transparency and accuracy of our products, we are able to deliver solutions that have a tremendous impact for our customers.”

Principles that ABBYY is committed to upholding include protecting confidential customer and partner data and providing visibility into the performance characteristics and metrics of its technologies, as well as providing opportunities for product feedback.

Looking beyond financial gain, the company has sworn to deliver AI technologies that are socially and economically beneficial and has affirmed that it will actively foster a culture that promotes the ethical use of AI and its social utility.

"AI has the power to yield significant social and economic benefit,” added Macciola. “With ethics in mind, we have the ability to transform the future in a manner that promotes innovation, accelerates technological advancements, and augments human intelligence, creativity and capabilities responsibly.”

Privacy is another area of concern that ABBYY has considered. The company, which uses machine learning, natural language processing, neural networks, and optical character recognition on data, has incorporated a privacy-by-design principle as an integral part of its software development processes.

Categories: Cyber Risk News

Cyber-Incidents Surge 366% at NASA

Info Security - Tue, 06/09/2020 - 16:29

Cybersecurity incidents at NASA rose 366% in 2019, a year in which the agency's cybersecurity budget was cut by $3.1m.

New research published yesterday by VPN provider Atlas VPN found that NASA recorded 315 cyber-incidents in 2018. In 2019, that figure rose to 1,469.

"Being one of the nation’s most important federal agencies, this is an alarming finding," wrote Atlas researchers. "Cyber incidents at NASA can affect national security, intellectual property, and individuals whose data could be lost due to data breaches."

The findings were based on data gathered by the Office of Management and Budget (OMB) in 2018 and 2019. OMB reviews government agencies annually and shoulders the responsibility for developing and overseeing the implementation of cybersecurity policies, guidelines, and standards in federal agencies.

A digital security incident is defined by the researchers as "any attempted or actual unauthorized access, use, disclosure, or destruction of information" plus digital incidents that include "interfering with operations within the organization and violations of NASA’s computing policies and regulations."

Incidents categorized as "improper usage" accounted for 90.5% of the increase. In the federal incident taxonomy OMB reports against, improper usage covers any incident in which an authorized user violates the organization's acceptable use policies; it is an insider policy violation rather than an external intrusion.

One positive finding was that, despite NASA's size, only 15 incidents involving lost or stolen agency-owned equipment were reported in 2019, down from 23 in 2018.

"It has to be noted that NASA does employ more than 17,000 people, so some of them are bound to lose or get equipment stolen, even if cybercriminals are not targeting NASA directly," wrote researchers.

NASA is one of the few major federal agencies whose cybersecurity budget was lower in 2019 than it had been in 2018 after it was cut from $170,700,000 to $167,600,000. 

The news comes just days after NASA astronauts made history by entering the International Space Station from a commercially made spacecraft (a SpaceX Crew Dragon) for the very first time. Astronauts Doug Hurley and Bob Behnken were blasted into orbit by the SpaceX Falcon 9 rocket on Saturday, May 30, from the Kennedy Space Center.

Categories: Cyber Risk News

41% of UK Workers Haven’t Received Adequate Cybersecurity Training

Info Security - Tue, 06/09/2020 - 14:42

An average of 41% of UK employees across all sectors have not received adequate cybersecurity training, which is leaving businesses and individuals vulnerable to attacks, according to a new study by Specops Software. Travel and hospitality was the sector with the worst record, with 84% of staff stating they have not received sufficient training. The findings come just weeks after easyJet suffered a data breach in which details of nine million of its customers were accessed.

The survey of 1,342 businesses across 11 different sectors in the UK also found that 69% of workers in education and training have not received adequate cybersecurity training from their employers, with the figure at 56% for customer service, 47% for marketing, advertising and PR, 42% for medical and health, and 37% for the creative arts and design sector.

The sectors with the best record, that is, the smallest share of workers reporting inadequate training, were legal services (16%), recruitment and HR (19%), and accountancy, banking and finance (23%).

The results are especially concerning considering the recent spike in attacks in areas such as education and, during COVID-19, healthcare. Earlier this year, the UK Information Commissioner’s Office (ICO) revealed that human error was the cause of 90% of cyber data breaches in 2019.

There does appear to have been a bigger emphasis on cybersecurity training as a result of COVID-19, with 21% of respondents stating they had been trained a lot more since the crisis began. However, the analysis also found just 29% of business sectors have initiated additional cybersecurity training since the pandemic, despite the additional risks posed by the recent surge in remote working.

Darren James, cybersecurity expert at Specops Software, commented: “The fact of the matter is that you can put as many security systems and procedures in place as you wish, but usually the weakest link is always the human being involved. Providing cybersecurity training is essential. Subjects such as password hygiene, email scam/phishing/malware awareness, social media usage etc. are important and the more attention we can bring via training at work, the less likely people in general will fall victim to these crimes.”

Categories: Cyber Risk News

Microsoft Predicts Escalation of Zero Trust in Lockdown Environments

Info Security - Tue, 06/09/2020 - 13:30

Speaking during a Microsoft webinar, the company’s EMEA chief security advisor Cyril Voisin said he does not expect companies to “fully revert to the IT state that they were in before” COVID-19 lockdown, predicting more cloud usage in the future.

Whilst he acknowledged that this will lead to more questions about how to secure a cloud deployment, he expected more use of Zero Trust strategies. Voisin also said he expects remote working to remain an option for many companies, and he explained that there is the potential for compromises in the shift of working in an office to working from home. He acknowledged that whilst the original goal “was to make things work and security may have been an afterthought,” employees still need to be trained and receive security education.

He also expects VPN policies to evolve. “Companies that were already doing this notion of ‘you must use a VPN for everything you do when you are not in the office’ are starting to relax,” he said, citing latency and bandwidth issues, and he predicted that companies will rely less on blanket full-tunnel VPN requirements going forward.

He also said that keeping corporate resources secure while keeping users productive will drive wider encryption of documents, supported by the deployment of endpoint detection and response (EDR). Companies will also invest in application management, with bring your own device (BYOD) and bring your own application strategies offering more flexibility and helping to “keep a company competitive.”

In terms of the financial impact of the COVID-19 pandemic, Voisin said companies may have to choose between investments to keep the company afloat and investing in security practices. “There will be a tension here, but I’ve had conversations with customers and they understand the need for security, and understand it is a requirement to sustain a long term business.”

Asked by Infosecurity if he had seen more companies deploy a Zero Trust approach since lockdown procedures began, Voisin said he had seen many companies “intensify what they are doing” and some were ahead of the curve, “but the people who had not done Zero Trust had started to do it slowly because they relied on a ‘VPN for everything approach’ to security and when they realized the limitations of VPN, they started to do Zero Trust.”

He said that, in some cases, people could not be armed with a laptop to work from home, and so had to use personal devices for work, “and we’ve seen adoption of Teams skyrocket, with 75 million unique users every day, so people are impacted by that and started to implement Zero Trust based on their situation.”

Categories: Cyber Risk News

CSA Virtual Summit: Future of European Cloud Services Scheme Detailed

Info Security - Tue, 06/09/2020 - 12:19

Speaking at the Cloud Security Alliance European Virtual Summit, Eric Vétillard, lead certification expert at ENISA, talked about the concept and development of a European certification scheme for cloud services under the EU Cybersecurity Act.

The EU Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA) by giving it a permanent mandate, and establishes the first EU-wide cybersecurity certification framework for ICT products, services and processes.

Following adoption of the Act, ENISA was tasked in November 2019 by the European Commission with designing a candidate scheme for cloud services. Vétillard said the Act had two missions: to make ENISA permanent, and to define a cybersecurity certification framework, in particular to support the drafting of new policies through certification schemes.

“The idea here is to define a framework to increase the use of cybersecurity certification throughout Europe and extending to all countries,” he said. “To do that, we need to go beyond national schemes and offer mutual recognition at the European level.”

Vétillard explained that the framework will also allow users to make “informed decisions” on cybersecurity, and ultimately only require one certificate throughout Europe. “In order for the scheme to be successful it needs to be accepted by a majority of the member states of the European Union,” he added.

He explained that the scheme is being drafted by ENISA together with the European Cybersecurity Certification Group (ECCG), made up of member state representatives, and a stakeholder advisory group. Once a scheme is selected, around 20 experts representing stakeholders, institutions and observers work together to build a candidate scheme, which is then submitted to the ECCG for its opinion.

In terms of building the scheme, Vétillard said there are 22 questions to be answered, including the “specific evaluation criteria and methods to be used” which he said will represent a significant part of the work. He also said there is a mandate to monitor compliance of certified and self-assessed products.

As for what the scheme will achieve, Vétillard said this will include determining what a cloud service is. “If you look around, there are many definitions of what is meant by cloud computing” and ultimately the definition from ISO/IEC 17788 was selected “as it determines any service run on top of a cloud system.”

The next determination will be on cloud capabilities, where the same ISO standard was again used in order to determine that all cloud capabilities support some aspect of infrastructure, platform and application. Also all deployment models will be considered, including private, public and hybrid clouds.

The third consideration is the three assurance levels defined by the Act, “basic,” “substantial” and “high,” which are assessed by an accredited third party. Basic means the cloud service provider has shown some intention to implement security controls. Substantial means the provider has correctly implemented security controls and some vulnerability testing has been performed. High means the effectiveness of the provider's controls against attacks has been demonstrated, which requires penetration testing, and is intended for “critical applications in sensitive fields.”

Vétillard said the choice of level is driven by the level of risk, which in turn depends on a number of parameters including the nature of the activity and the size of the cloud service.

ENISA’s objective is to have answers to key questions and to know the structure of the scheme by the end of June 2020 “and to know how to move forward into the writing of the scheme itself.”

By September, the first draft will be completed, and after internal reviews, the final delivery of the candidate scheme is due by the end of the year. Vétillard said this is intended to be part of a larger framework, and ultimately used to provide baselines to other schemes.

Categories: Cyber Risk News

IBM Quits Facial Recognition Over Rights Concerns

Info Security - Tue, 06/09/2020 - 10:45

IBM has claimed it no longer sells facial recognition software and has called for a “national dialogue” on how it should be used by police in the wake of recent US protests against systemic racism.

In an open letter to Congress on racial justice reform, CEO Arvind Krishna revealed that the tech giant “has sunset its general purpose facial recognition and analysis software products.”

While technology can help to improve transparency and protect police it shouldn’t be used to promote discrimination, Krishna argued.

“IBM firmly opposes and will not condone uses of any technology, including facial recognition technology offered by other vendors, for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency,” the letter continued.

“We believe now is the time to begin a national dialogue on whether and how facial recognition technology should be employed by domestic law enforcement agencies.”

IBM added that AI technology in general can be a powerful tool for helping law enforcers keep the streets safe, but that both vendors and users have “a shared responsibility to ensure that AI is tested for bias, particularly when used in law enforcement, and that such bias testing is audited and reported.”

In the UK, a government-backed report from noted think tank the Royal United Services Institute (RUSI) warned that AI-powered facial recognition and other technologies using machine learning such as predictive crime mapping and individual risk assessments can amplify discrimination if they’re based on flawed data containing bias.

That hasn’t stopped British police using facial recognition technology with increasing frequency, despite complaints by rights groups that it is racially biased, inaccurate and tramples on civil liberties.

Even privacy watchdog the ICO has warned forces to go slow and ensure any pilots comply with data protection laws, while a statutory code of practice is drawn up.

In the US, several cities have banned the use of facial recognition technology by their agencies.

However, IBM’s Krishna argued that technology can still have a positive role to play in modern policing, by bringing greater transparency and accountability through body cameras and “modern data analytics techniques.”

Categories: Cyber Risk News

More S3 Buckets Compromised with Magecart and Malicious Redirector

Info Security - Tue, 06/09/2020 - 09:35

Security researchers are once again warning website owners to lock down any cloud storage resources linked to their sites, after discovering Magecart and malicious redirector code lurking in misconfigured Amazon S3 buckets. The root cause in these cases is a bucket that permits anonymous writes, which lets an attacker append JavaScript to files the site already serves to every visitor.

RiskIQ threat researcher, Jordan Herman, said his team made the discovery on May 12, after finding Magecart code residing on three websites all run by a company known as Endeavor Business Media. They apparently host content and chat forums designed for firefighters, police officers and security professionals.

Alongside the Magecart skimmer they found a malicious redirector dubbed “jqueryapi1oad,” which RiskIQ first identified in July 2019 on compromised S3 buckets that had also been seeded with digital skimming code.

On closer inspection, RiskIQ discovered the redirector first appeared in April of last year and is still in use, connected with 362 unique domains.

It’s linked to the Hookads malvertising campaign that Herman claimed “has historically been connected to exploit kits and other malicious behavior.”

They found the redirector on other sites with misconfigured S3 buckets, including a Colombian football news site ranked in the top 30,000 globally by Alexa. So far, 277 sites have been identified as affected by jqueryapi1oad, potentially exposing a large number of unsuspecting web users.

“As attacks involving misconfigured S3 buckets continue, knowing where your organization is using them across its digital attack surface is imperative,” argued Herman.

“In today’s threat environment, businesses cannot move forward safely without having a digital footprint, an inventory of all digital assets, to ensure they are under the management of your security team and properly configured.”
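The inventory Herman calls for is only useful if each bucket is then checked for the specific misconfiguration behind these campaigns: a policy or ACL that lets anyone write objects. The following is an added example, not RiskIQ's tooling or anything from the research above. It works offline on the JSON an operator already gets from `aws s3api get-bucket-policy` (the `Policy` string) and the `Grants` list from `aws s3api get-bucket-acl`, and reports every grant that lets the anonymous principal, or any authenticated AWS account, create, overwrite or delete objects. The bucket name, canonical ID and the weak and hardened policies below are constructed for illustration.

```python
"""Offline check of an S3 bucket policy and ACL for anonymous write access."""
import fnmatch
import json

# Object-level actions that let a writer plant or alter hosted JavaScript.
WRITE_ACTIONS = ("s3:putobject", "s3:putobjectacl", "s3:deleteobject")

# ACL groups that are public in practice. AuthenticatedUsers means any AWS
# account in the world, not accounts in your own organisation.
PUBLIC_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, the anonymous principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_object_write(action):
    """Match one Action entry; IAM wildcards such as "s3:*" or "s3:Put*" count."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a, pattern) for a in WRITE_ACTIONS)


def public_write_findings(policy_json, acl_grants):
    """Return human-readable findings; an empty list means no public write path."""
    findings = []
    policy = json.loads(policy_json) if policy_json else {}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        # A Condition may narrow the grant, but it still deserves a human look.
        note = " (has Condition; verify it really restricts access)" if stmt.get("Condition") else ""
        for action in _as_list(stmt.get("Action")):
            if _grants_object_write(action):
                findings.append(f"bucket policy statement {index}: {action} allowed to anonymous principal{note}")
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ("WRITE", "FULL_CONTROL")):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"bucket ACL: {grant['Permission']} granted to {group}")
    return findings


# Constructed sample inputs (hypothetical bucket and canonical ID).
# Weak: a static-asset bucket meant to be world-readable that also lets anyone
# overwrite objects, the condition behind the S3 skimmer campaigns.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-static-assets/*",
    }],
})
WEAK_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]}, "Permission": "WRITE"},
]

# Hardened: public read only; writes arrive through authenticated deploy roles.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-static-assets/*",
    }],
})
HARDENED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]

if __name__ == "__main__":
    for label, policy, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(label, public_write_findings(policy, acl) or ["no public write path"])
```

Two caveats when running this against real buckets: S3 Block Public Access, at account or bucket level, overrides both the policy and the ACL, so a bucket flagged here may already be protected (check `aws s3api get-public-access-block`), and conversely a clean bucket ACL says nothing about object-level ACLs, which can still be public per object. The checker also only recognises the anonymous principal; a policy that grants `s3:PutObject` to a specific foreign account is a separate, narrower review.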

Back in July 2019, RiskIQ warned that attackers were actively scanning for misconfigured S3 buckets to spread malicious code, seeding skimming code into buckets associated with 17,000 domains, including some of the top 2,000 Alexa-ranked websites in the world.

The latest discovery shows that such attacks are ongoing and remain an immediate threat to organizations.

Categories: Cyber Risk News

New HMRC SMS Phishing Scam Targets Self-Employed

Info Security - Tue, 06/09/2020 - 08:50

Cyber-criminals have launched a new phishing scam designed to steal personal and financial details of self-employed workers using the Self-Employment Income Support Scheme (SEISS) during the COVID-19 outbreak.

The scam was uncovered by litigation company Griffin Law and begins with a text message sent to self-employed workers offering a tax rebate purporting to be from HMRC. This is in the wake of chancellor Rishi Sunak’s recent announcement of an extension to the SEISS.

According to Griffin Law, the text message informs victims that they are eligible for a tax refund and redirects them to a bogus website which leads to a realistic copy of the official HMRC site. Users are then met with a form which asks them to enter their email address, postcode and HMRC log-in details, before a fake refund amount is calculated.

From there, victims are taken to another page and asked to enter personal information including card number, name on card, account number, security code and expiry date.

Griffin Law estimates that around 100 self-employed workers have so far reported the scam to their accountants and business networks.

Commenting on the news, cyber-expert Chris Ross, SVP, Barracuda Networks, said: “This is the latest in a series of sophisticated HMRC-branded phishing scams designed to target vulnerable workers during the COVID-19 outbreak. We’ve seen a sharp rise in these kinds of schemes, often carefully crafted and timed alongside new government funding announcements to increase the likelihood of duping unsuspecting workers into handing over personal financial data.”

Andy Harcup, VP, Absolute Software, added: “The scam uses official government branding, logos and layouts, including a disclaimer about the site using cookies to fool users into thinking this is a legitimate way to reclaim money. It is vital that users remain vigilant to such attacks, checking the origin and legitimacy of sites before handing over confidential financial data. It’s also critical that companies ensure they have the necessary cybersecurity systems in place to protect against malicious communications across all workplace laptops and devices, to keep hackers at bay.”

Categories: Cyber Risk News

Honda Tackling Suspected Ransomware Infection

Info Security - Tue, 06/09/2020 - 08:36

Honda is investigating a cyber-attack on its IT network in Europe which researchers are claiming is Ekans ransomware.

The carmaker has issued a brief statement after problems were uncovered on Sunday, confirming there was an issue with its network.

It said it had “experienced a disruption in its computer network that has caused a loss of connectivity, thus impacting our business operations.

“Our information technology team is working quickly to assess the situation,” it added, according to The Detroit Bureau.

However, on Twitter, security researchers were less circumspect. One, known as @milkr3am, posted several screenshots including one with purported Ekans (aka Snake) code that checks specifically for the mds.honda.com domain, indicating that this variant has been specially customized to target the firm.

They also posted a ransom note, which requests the victim organization to get in touch with a secure Tutanota email address to discuss purchasing the private decryption key, which it says was “created specifically for your network.”

Alongside these are links to VirusTotal which apparently show the sample detected by 40 out of 71 vendors as Snake or Ekans ransomware.

This isn’t the first time Honda’s cybersecurity posture has come under scrutiny. Back in 2011 its American arm admitted to a data breach which compromised the personal details of over two million customers.

Then in 2019, the carmaker suffered two separate incidents. In July a researcher discovered an exposed Elasticsearch instance leaking 134 million corporate documents (around 40GB of data). Then in December, a similar incident exposed around 26,000 unique customer records from the firm’s North American business.

“Unfortunately, conventional approaches to ransomware threats tend to be minimally effective. Employee training can never completely remove the potential for human error, while software designed to stop malware rapidly becomes obsolete as threats and their identifying signatures evolve,” explained Cloudian VP of engineering, Neil Stobart.

“As such, organizations often encrypt data as a safeguard against ransomware. However, while encryption can be useful where cyber-criminals just want to access and share the data itself, in the case of ransomware, they can simply re-encrypt the data to prevent access by its rightful owner.”

Categories: Cyber Risk News

Animal Rights Group Hacked Over Exploded Elephant Comments

Info Security - Mon, 06/08/2020 - 17:58

The website of an animal rights group has been hacked after its founder made accusations regarding the killing of a pregnant elephant in Kerala.

The 15-year-old elephant suffered a broken jaw and died on May 27 in the Velliyar River after allegedly eating a pineapple filled with firecrackers. Such traps are commonly set in India's forest fringe areas to keep boars and other wild animals from damaging crops.

Following the expectant animal's tragic demise, Indian politician, animal rights activist, and founder of the organization People for Animals Maneka Gandhi said that "action should be taken against everyone who is suspected in Malappuram."

The politician's comments were considered to be controversial since it is not yet clear who may have laid the trap and whether it was intended specifically for the elephant, or whether the incident occurred in Malappuram district or in the adjoining Palakkad district. 

According to Asian News International, Gandhi also said: "Kerala government has not taken any action in Malappuram, it seems they are scared. An elephant is killed every three days in Kerala. We have less than 20,000 elephants left in India, they are rapidly declining."

On June 4, following Gandhi's comments, a group calling itself Kerala Cyber Warriors defaced the official PFA website, replacing it with a message that read "Maneka Gandhi dragged the sad death of pregnant elephant for dirty politics."

PFA trustee and wildlife activist Gauri Maulekhi said the hacked organization is now considering taking legal action against the malicious hackers. 

Maulekhi told THE WEEK: "This kind of bullying, trolling and one-upmanship is not going to work."

Maulekhi attributed the elephant's violent death to the Kerala government's attitude toward the hunting of wild animals.

"Hunting was banned in the country in 1972," said Maulekhi. "The Kerala government, in a recent order, has incentivized hunting. Poor people have started hunting wild boar to make money. They are forced to kill wild animals because of the absurd and wicked policies of the state government."

Categories: Cyber Risk News

US University to Host INTERPOL Digital Forensics Conference

Info Security - Mon, 06/08/2020 - 16:50

The International Criminal Police Organization (INTERPOL) 2020 Digital Forensics Expert Group conference is to be virtually hosted by the University of New Haven in partnership with MITRE Corporation.

The event aims to bring together leaders in digital forensics to learn about new developments in the field while also providing an opportunity for some professional networking.

INTERPOL approached Elder Family Chair and director of the university's Connecticut Institute of Technology Dr. Ibrahim Baggili and nonprofit MITRE with a hosting request last year. Baggili had planned to host the event with Cory Hall, principal cybersecurity engineer at MITRE, as his co-chair. 

However, plans to hold the event on campus were derailed by the global outbreak of COVID-19. Had the conference taken place at the university as originally intended, it would have been the first time the event was held in the United States.

Eager to ensure the event went ahead despite the challenges of lockdown measures and travel restrictions designed to slow the spread of COVID-19, the university and MITRE are now hosting the conference in cyberspace.

Baggili said that in light of the increased reliance placed on technology by society in the wake of the coronavirus pandemic, cybersecurity was more important now than ever before. 

“Cyber criminals will always take advantage of people, and how we investigate these crimes is of the utmost importance,” said Baggili. “From what we have learned from COVID-19, our livelihood, at this point, depends on technology.”

Hall commented that although a physical venue might be missing from the INTERPOL event, the need for digital forensics experts to be up to speed on the latest developments in their field was not.

“Digital forensics experts worldwide still require updates on new tradecraft and a place to connect and learn from one another,” said Hall. “This is a great example of collaboration across academia, nonprofits, and international law enforcement. It shows that our human spirit will prevail against this pandemic.”

The virtual conference will take place on four days over two weeks in June. For the first time, participants will be given the chance to solve a digital forensics challenge. 

Categories: Cyber Risk News

Ransomware Strikes Third US College in a Week

Info Security - Mon, 06/08/2020 - 15:56

Columbia College, Chicago has become the third US college in a week to fall victim to a cyber-attack involving the Netwalker family of ransomware. 

The Illinois educational establishment, along with Michigan State University and the University of California, San Francisco, was targeted by cyber-criminals and given six days to pay a ransom to recover its files.

Netwalker, also known as Mailto and believed to be an updated version of the Kokoklock ransomware, was first observed in September 2019. The malware encrypts data and renames each file with the developer's email address and an extension derived from the victim's unique ID.

Like the attack on the University of California, the assault on Columbia occurred on June 3, exactly one week after Michigan State University was hit. On the Netwalker blog, the cyber-criminals claimed to have exfiltrated "very highly sensitive data like social security numbers and other private information" from Columbia. 

Columbia's chief of staff, Laurent Pernot, told the Columbia Chronicle on June 5 that the Netwalker attack was detected by the college's IT systems and contained to a limited number of college servers. 

“Some college, employee and student data was accessed by the perpetrators, though the exact nature and extent of that is still being determined,” wrote Pernot, adding that steps had been taken to prevent further breaches.

Updates made to the Netwalker blog yesterday suggest some of the colleges may have succumbed to the attackers' demands.

Emsisoft's Brett Callow told Infosecurity magazine yesterday: "UCSF and Columbia are no longer listed on Netwalker’s leak site, which likely means they paid (making it a lucrative week for the criminals) or that they asked to be delisted pending negotiations. So it appears only MSU is still holding out and refusing to negotiate."

Threat group REvil recently switched from publishing data if a ransom isn't paid to auctioning it off to the highest bidder. 

Asked if Netwalker's operators might follow suit, Callow said: "I wouldn’t be at all surprised if Netwalker were to adopt a REvil-like auction process for stolen information. Like other businesses, criminal enterprises adopt each other’s strategies and the introduction of mechanisms enabling stolen data to be monetized would seem to be a logical progression. We saw this with data exfiltration and publishing: the strategy was pioneered by Maze and then quickly adopted by multiple other groups."

Categories: Cyber Risk News

Open Source Software Vulnerabilities Increased By 130% in 2019

Info Security - Mon, 06/08/2020 - 15:00

The number of open source software (OSS) vulnerabilities more than doubled in 2019 compared with 2018, a new RiskSense report has shown. The total number of Common Vulnerabilities and Exposures (CVEs) reached 968 last year, up from 421 in 2018, a rise of 130%. CVEs have remained at historically high levels into the first three months of 2020 too, suggesting this is a long-term trend.

The report also revealed that it takes an average of 54 days for OSS vulnerabilities to be added to the National Vulnerability Database (NVD) following public disclosure. These delays mean organizations are often exposed to serious application security risks for around two months. The lags were observed across all severities of vulnerabilities, including those rated as ‘critical’ and ones that are weaponized.

The OSS projects that had the most CVEs were the Jenkins automation server (646) and MySQL (624), each of which had 15 weaponized vulnerabilities. While HashiCorp’s Vagrant only had nine CVEs, a very high proportion (six) were weaponized. Other OSS projects that had vulnerabilities that were trending or popular in real-world attacks included Apache Tomcat, Magento, Kubernetes, Elasticsearch and JBoss.

Cross-site scripting weaknesses were the second most common form of vulnerability, and the most weaponized. This was followed by input validation issues, which were the third most common and second most weaponized. Additionally, the study showed that some weaknesses, such as deserialization issues (28) and code injections (16), were far less common but remained very popular in active attack campaigns.

“While open source code is often considered more secure than commercial software since it undergoes crowdsourced reviews to find problems, this study illustrates that OSS vulnerabilities are on the rise and may be a blind spot for many organizations,” said Srinivas Mukkamala, CEO of RiskSense. “Since open source is used and reused everywhere today, when vulnerabilities are found, they can have incredibly far-reaching consequences.”

Categories: Cyber Risk News

CPA Canada Breach Hits Over 300,000 Accountants

Info Security - Mon, 06/08/2020 - 10:50

Over 300,000 Canadian accountants and related stakeholders have been hit by a breach of a professional member association, it emerged late last week.

The Chartered Professional Accountants of Canada (CPA Canada) revealed in a statement that an unauthorized third party had managed to access personal information after compromising the organization’s website.

Over 329,000 individuals including members and others have been notified and warned of follow-on attacks.

The compromised information relates mainly to the CPA Magazine and includes names, addresses, email addresses and employer names. CPA Canada claimed that passwords and full credit card numbers were encrypted, although it didn’t specify what type of algorithm was used to scramble these details.

“CPA Canada today has notified affected individuals that the information involved could be used for the purposes of targeted phishing scams,” the organization said.

“CPA Canada is encouraging affected individuals to remain vigilant about any emails they may receive asking them to provide sensitive information or click on links or attachments, even if they appear to come from CPA Canada or an individual or company they know or trust.”

Although CPA Canada said it took “immediate steps” to secure its systems and work out what had happened, in reality the breach may have taken place several months ago. The organization linked the incident to an alert it issued back in April about an apparent phishing campaign in which users were requested to change their CPA Canada passwords because of a website breach.

“We are told that these emails appear to originate from the IT department of the employer of the individual receiving the message. These emails suggest that their IT department suspects a cybersecurity compromise with the cpacanada.ca domain,” it explained at the time.

“It is important that you do not act on the directions in any such email. CPA Canada continues to monitor the security of its web platform and is not experiencing anything unusual. In addition, the integrity of our password reset process remains secure.”

Categories: Cyber Risk News

Phishers Hide #COVID19 Malware in CVs and Medical Leave Forms

Info Security - Mon, 06/08/2020 - 09:40

Cyber-criminals are taking advantage of the evolving jobs market and employee health situation under COVID-19 to disguise malware in various emailed documents.

The phishing campaigns spotted by Check Point over recent days center around spoofed CVs and medical leave forms. Unemployment in the US remains at levels not seen since the Great Depression of the 1930s, with close to 40 million currently without jobs due to the pandemic.

The security vendor said that the ratio of CV-related malware to all detected malicious files doubled over the past two months. One campaign featured banking Trojan Zloader hidden in malicious .xls files in emails with subject lines such as “applying for a job” or “regarding job.”

Separately, cyber-criminals have been taking advantage of interest in the US Family and Medical Leave Act (FMLA) to lure administrative staff into opening attachments.

Attachments with names like “COVID -19 FLMA CENTER.doc” have been sent via emails with subjects like “the following is a new Employee Request Form for leave within the FMLA,” according to Check Point.

Once again, the payload is info-stealing banking Trojans like Icedid or Trickbot. Different sender domains are used to try and trick email filters.

Overall, the number of COVID-19-themed attacks fell in May by 7% to 158,000 per week, the vendor claimed. However, attacks in general are starting to pick up as businesses begin to open again.

“In March, when the pandemic was at its peak, we saw a 30% decrease in malware attacks compared to January 2020. This was because many countries went into quarantine and most businesses and other organizations were shut as a result, greatly reducing the potential number of targets for attackers,” Check Point explained.

“Now that the world is seeing some relief from the pandemic as a result of the quarantine measures, things have started to open up and businesses are running again and – guess what? – cyber-criminals are also ramping up their malicious activities. In May, we saw a 16% increase in cyber-attacks when compared to the period between March and April, when coronavirus was at its peak.”

Categories: Cyber Risk News

IT Services Firm Conduent Felled by Maze Ransomware

Info Security - Mon, 06/08/2020 - 08:41

A multi-billion-dollar IT services firm has become the latest victim of the infamous Maze ransomware group, after the group appeared to target a widely publicized Citrix vulnerability.

New Jersey-headquartered Conduent claims to provide mission-critical services and solutions for “a majority of Fortune 100 companies and over 500 governments.”

The firm admitted in a statement that its European operations were hit by an attack on May 29, early in the morning local time.

“Our system identified ransomware, which was then addressed by our cybersecurity protocols,” it explained. “This interruption began at 12.45 AM CET on May 29 with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored.”

It said the incident resulted in only “partial interruption” to its services for customers, and an ongoing investigation is being undertaken featuring “internal and external security forensics and anti-virus teams.”

Although Conduent didn’t name its attacker, security researchers have seen Maze post stolen financial data from the firm online as proof of its raid.

Bad Packets claimed that, according to its own research, a Citrix server run by the IT services giant was left unpatched for at least eight weeks.

The Maze group has been observed previously exploiting the CVE-2019-19781 vulnerability in the Citrix ADC and Citrix Gateway products, which was first disclosed in December 2019.

The bug can allow an unauthenticated attacker to perform arbitrary code execution on a victim machine.

The Maze group also has previous in this area: hitting IT services firm Cognizant back in April in an attack which the firm admitted could cost it $70m in Q2 2020.

“Making sure you are using up-to-date operating systems and that software is running on the latest version is a critical part of cyber-hygiene,” argued CyberSmart CEO, Jamie Akhtar.

“Ransomware is a game of economics and incentives. By not protecting our systems, not backing up our files and giving into paying ransoms we increase the reward for the attackers and the general viability of these kinds of attacks. If we all do our part in reducing incentives, we can develop a kind of digital herd immunity where criminals in future may no longer feel the attacks are worth the effort."

Categories: Cyber Risk News

North Dakota Contact Tracing App Ends Data Share with Foursquare

Info Security - Fri, 06/05/2020 - 15:47

The operators of a North Dakota contact tracing app have had a rethink when it comes to sharing users' data with third-party services. 

Care19 was created by ProudCrowd LLC to track the spread of COVID-19 in the Peace Garden State. Following the app's launch, cybersecurity company Jumbo Privacy discovered that Care19 was sending user data to third-party services.

The information being shared was the Identifier for Advertisers (IDFA), an ad-tracking identifier that enables an advertiser to understand when a phone user has taken an action like a click or an app install.

North Dakota stated that the Care19 app "does not have any information that is tied to an individual person” and information uploaded via the app is "100% anonymous." 

However, Jumbo found that users accessing the Care19 app via iOS on their iPhone could be unmasked through the IDFA on their device.

One of the third-party services receiving Care19 users' IDFA data was Foursquare, a location service that provides advertisers with tools to reach people who have visited specific locations. That arrangement has now ceased.

Jumbo CEO Pierre Valade told Infosecurity Magazine: "Care19 shared with us on June 3rd that the new version of their app (v3.3) was no longer sharing users’ IDFA to Foursquare. We’ve reviewed the app and can confirm this is true."

Care19 and Foursquare told Jumbo that the IDFA data was collected automatically by using Foursquare's SDK, Pilgrim, and there was no way for developers to disable this collection. 

Valade said: "After you published our research and in response to our concerns, Foursquare made an important change to its geolocation SDK 'Pilgrim' to permit developers to disable collection of a user’s IDFA and prevent it from being shared with Foursquare."

Jumbo's CEO described the change of heart as "a big win for privacy" but said that there were still concerns about Care19 that needed to be addressed. 

"Care19’s privacy policy does not indicate how a user can exercise their privacy rights, what the officials intend to do with the data once recent contacts have been identified, and how long will this data be retained for," said Valade.

In addition, Care19 has not yet confirmed that pushing the deletion tab will also delete user data anywhere else it was stored, notably in third-party servers.

Categories: Cyber Risk News

Florida Student Discovers Flaws in Leading Doorbell Security Cameras

Info Security - Fri, 06/05/2020 - 15:15

"Systematic design flaws" have been discovered in leading internet-connected doorbell and security cameras by a Florida Institute of Technology student.

Blake Janes unearthed vulnerabilities in devices manufactured by Ring, Nest, SimpliSafe, and eight other companies relating to the removal of active user accounts. The flaws allow a shared account to remain in place and continue accessing the video feed despite appearing to have been removed.

The flaws could allow malicious actors to covertly record audio and video from vulnerable devices indefinitely, invading the privacy of victims on their very own doorsteps. In electronic stalking cases, or cases where a cohabiting couple who shared access to a device have ceased to live together, such flaws could have serious repercussions. 

The vulnerability arose from devices' being designed in such a way that decisions to grant access are completed in the cloud and not made locally on either the camera itself or the users' smartphones. 

Computer science major Janes's discovery was presented in "Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices," by the student and two Florida Tech faculty members from the university’s top institute for cybersecurity research, the L3Harris Institute for Assured Information—Terrence O’Connor, program chair of cybersecurity, and Heather Crawford, assistant professor in computer engineering and sciences.

"Our analysis identified a systemic failure in device authentication and access control schemes for shared Internet of Things ecosystems," the paper concluded. "Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT produced content."

Janes informed vendors about the vulnerabilities and also suggested several fixes. For identifying a major flaw in the Nest suite of devices, Google awarded the hard-working student a bug bounty payment of $3,133. 

Other vendors, including Samsung, have been communicating with Janes about recommended solutions to fix the vulnerability.

Janes and his co-authors found the flaws in the Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and the TP-Link Kasa Camera.

Categories: Cyber Risk News

Maine Community College Becomes First in State to Offer Cybersecurity Program

Info Security - Fri, 06/05/2020 - 14:30

Maine residents hoping to pursue a career in cybersecurity will finally be able to study the subject at community college.

Starting in fall 2020, Northern Maine Community College (NMCC) will be the first community college in the state to offer a cybersecurity program. NMCC said a group of at least 15 first-year students has already signed up to the course, which is comparable to those already available at Maine's other higher education institutions. 

The new two-year program is a revised version of NMCC's network administration and cybersecurity associate degree program. Instructor Reuben Caron said the reworking of the course reflected the changes that have occurred in the technological landscape since its creation. 

“The program began with computer electronics and evolved into computer networking and technology,” said Caron.

“As the program has evolved to meet industry needs, we knew there was a demand for graduates to be trained in network administration and security.”

NMCC’s program features a practical curriculum that will teach students how to build their own computers and private networks that will exist beyond the college's campus network. Students will learn how computers react to different cyber-attacks and experiment with various recovery tactics. 

Encompassed in the program are courses on computer security, ethical hacking, and computer forensics. 

“With ethical hacking, you learn how someone might attack your network in order to understand how to better defend it,” Caron said. “Students learn how to hack in a way that doesn’t go beyond ethical hacking and into illegal situations.”

Students will end the program qualified for positions as computer technicians, network technicians, network administrators (Microsoft and Linux), and desktop support technicians. NMCC is currently pursuing accreditation for the program from the Accreditation Council of Business Schools and Programs. 

Business department chair Dwight Clayton said the new program was an excellent starting point for Mainers dreaming of a cybersecurity career, especially for those hoping to earn while they learn.

He said: "The great thing about a two-year program is that students can enter the workforce as they continue toward a bachelor’s degree."

The news follows the 2019 launch of a four-year cybersecurity program at the University of Maine at Presque Isle, a local university.

Categories: Cyber Risk News

Sophos Confirms Restructuring Plans, Denies Blog Closure

Info Security - Fri, 06/05/2020 - 11:00

Sophos has confirmed that it is implementing some internal restructuring, but denied that it plans to close its Naked Security blog.

Following reports which emerged last night about Sophos’ plans to furlough staff and close the award-winning blog, a spokesperson for Sophos has confirmed plans to restructure in response to market conditions associated with COVID-19 and “to accelerate the evolution already underway to our next-gen product portfolio, which features our most advanced cloud-managed protection capabilities and is the fastest growing part of our business.”

The spokesperson added: “A restructuring is always a difficult decision, but we believe it is necessary to position Sophos for continued growth and success in the years to come, and to continue to provide advanced, world-class protection for our customers.

“Sophos is appreciative of the contributions made by all our team members in supporting the company’s mission to protect people from cybercrime by developing powerful and intuitive products and services that provide the world’s most effective cybersecurity for organizations of any size.”

In the first quarter of 2020, Sophos grew billings 14% overall, its next-gen products represented over 63% of its business and the company grew 37% year-on-year.

Answering a question with regard to the future of the 10-year-old Naked Security blog, which earlier this week collected two European Security Blogger Awards for Best Corporate Blog and Best Overall Blog, Sophos said: “We can assure you that Naked Security will continue to be a source of information moving forward. Sophos is increasing focus on threat research and security investigations. As a result, we’ll do more original reporting and deep analysis.”

Security blogger and speaker Graham Cluley said in his blog that he had heard that Naked Security would be “mothballed” and he sent his “best wishes to old friends at Sophos facing possible redundancy.”

“So many vendors over the years were jealous of the power that Naked Security commanded, and how it helped Sophos punch far above its weight in terms of brand awareness and thought leadership,” he said.

Categories: Cyber Risk News