Cyber Risk News
Two California state senators have introduced a bill to ban cyber-flashing and penalize repeat offenders with escalating fines.
The term "cyber-flashing" describes the act of sending unsolicited sexually explicit images and videos to strangers. Lewd images can be sent via social media, dating platforms, text messages, and email.
In some cases, unsolicited sexually explicit material is sent to unsuspecting recipients in public spaces via the iPhone AirDrop function.
According to the Pew Research Center, 53 percent of young American women and 37 percent of young American men have been sent unsolicited explicit material while online.
The bill, known as SB 1182 or the FLASH (Forbid Lewd Activity and Sexual Harassment) Act, was introduced yesterday by senators Connie Leyva and Lena Gonzalez.
"It is unacceptable that any person would ever be sent a sexually explicit picture or video without their consent. SB 1182 will finally hold these perpetrators accountable," Senator Leyva said.
"Cyber flashing—which primarily affects women—is a modern form of sexual harassment, and we have to put a stop to this inexcusable and offensive behavior.
"When over half of all young women have received unwanted explicit pictures and videos, it is clear that this problem has reached epidemic levels."
Under the new legislation, first-time offenders would receive a $500 fine, while serial cyber-flashers would be fined $1,000 for each subsequent offense.
Bumble, a dating app on which women must make the first move in heterosexual matches, has voiced its support for the new bill.
Whitney Wolfe Herd, Bumble CEO, said: "An overwhelming majority of our time is spent online and there are simply not enough laws and deterrents in place to protect us, and women and children in particular.
"It falls upon us in the technology and social media space to work hand in hand with local government and legislators to isolate the problems and develop solutions just like the FLASH Act being introduced by Senator Leyva."
The FLASH Act is due to be considered by a committee or committees in the Senate later this spring.
Earlier this week, cyber-flashing made the headlines in the UK when the British Transport Police revealed that the recorded incidents of unsolicited lewd images being AirDropped to women on trains had doubled.
With this new 10-year contract, Virginia-based Booz Allen Hamilton will become the SEC's leading provider of cybersecurity services. The contract was awarded on December 12, 2019, but was kept under wraps until yesterday.
According to a statement released February 20 on Booz Allen's website, the SEC picked the 106-year-old company for the job after being impressed by its ability to comprehend the commission's standing and aims.
The statement read: "Booz Allen was selected for its clear understanding of the agency’s mission and the firm’s reputation for building and operating modernized cyber defenses for federal and commercial clients that deliver rapid, durable improvements to security program maturity and effectiveness while generating cost savings."
Booz Allen pledged to employ the same tools, techniques, and mindsets as today’s most advanced threat actors to defend the SEC. The company said one element of its strategy would be to discover unknown vulnerabilities before they can be used for malicious purposes.
"Our team will provide the SEC with leading-edge, threat-centric, proactive cyber defense with the ability to detect and proactively address unknown threats, keep up with the rapid pace of change in the cyber industry and provide advanced cyber capabilities at scale," said Booz Allen's senior vice president, Mark Gamis.
Booz Allen is the largest provider of cybersecurity professional services in North America and the only company to hold all three of the federal government’s elite cybersecurity accreditations: NSA’s Cyber Incident Response Assistance (CIRA) accreditation, NSA’s Vulnerability Assessment Service (VAS) accreditation, and GSA’s Highly Adaptive Cybersecurity Services schedule.
Gamis said the company would draw on its existing knowledge and experience to protect the SEC from bad actors.
"The SEC is essential to the strong functioning of the U.S. and world economy, so we are proud the agency is entrusting Booz Allen to deliver cyber defense operations to protect its data and other critical assets from increasingly aggressive and destructive cyber-attacks," said Gamis.
"We will leverage our deep expertise and experience delivering cyber tradecraft across US Government and commercial clients and deploying groundbreaking cyber capabilities to protect mission-essential services and high-value assets."
A proposed class-action lawsuit has been filed against New Jersey's largest hospital health network over a ransomware attack that happened in December.
Threat actors infected the computer systems of Hackensack Meridian Health, causing a system-wide shutdown on December 2. The attack disrupted services at 17 urgent care centers, hospitals, and nursing homes operated by the network.
News of the attack was leaked to the media on December 5. Eight days later, Hackensack confirmed that it had paid an undisclosed sum to retrieve files encrypted in the ransomware attack.
Now, a proposed class-action lawsuit has been filed in a Newark district court by two plaintiffs seeking compensation, reimbursement of out-of-pocket expenses, statutory damages, and penalties.
The plaintiffs are also seeking to secure injunctive relief that will require Hackensack Meridian Health to undergo annual data security audits, make improvements to its security systems, and provide three years of credit monitoring services to breach victims free of charge.
In the 45-page complaint, the plaintiffs allege that Hackensack Meridian Health failed to adequately protect patients' data. They accuse the healthcare provider of running its network in a “reckless manner” that left its computer systems vulnerable to cyber-attackers.
The lawsuit further alleges that as a result of the attack, patients suffered major disruptions to their medical care for two days and were forced to seek alternative care and treatment.
An investigation conducted by Hackensack Meridian Health found no evidence that patient data had been stolen as a result of the ransomware attack. However, the plaintiffs allege that attackers stole their personal and protected health information and disclosed it to “other unknown thieves,” putting them at imminent risk of identity theft and fraud.
The plaintiffs allege that Hackensack Meridian Health has failed to officially notify patients of the attack and has not reported it to the US Department of Health and Human Services Office for Civil Rights (OCR), as required by the Health Insurance Portability and Accountability Act (HIPAA). Notice of the ransomware attack had not yet appeared on the OCR's breach portal at press time.
Hackensack Meridian Health, which is based in Edison, New Jersey, has more than 35,000 employees and generates around $6bn in annual revenue.
Google is unlikely to be moving UK users’ data to the US because of Brexit-related uncertainty and GDPR privacy rights will continue to be protected after any such move, according to a leading data protection lawyer.
Reports this week claimed that the tech giant is looking to move user accounts to US datacenters following Brexit, because it is unclear whether the EU will recognize UK data protection law as equivalent to the GDPR after the transition period ends this year, a status known as "adequacy."
In such circumstances, it would be more difficult for UK law enforcers to request access to user data for criminal investigations if it were still stored in Google’s Irish datacenter, it was claimed.
However, the UK has already enshrined GDPR into its own law (Data Protection Act 2018) and intends to recognize the EU’s data protection system as adequate, even in a no-deal scenario, because it believes free data flows to the continent are vital to economic growth.
This means that “Brexit should not affect UK to EEA data flows,” according to Toni Vitale, partner and head of data protection at JMW Solicitors.
He told Infosecurity that a move across the Atlantic would not affect Google UK users’ privacy rights or the ability of the British authorities to access such data.
“The rationale for the move is unlikely to have anything to do with Brexit, the EU GDPR or uncertainty of what will happen with UK data protection laws,” Vitale argued.
“The current position is that adequacy is likely and desirable and indeed possible by December 2020. However, it is unlikely this is the reason to move the Ireland datacenter. The EU GDPR and the UK version in the Data Protection Act 2018 will apply to Google wherever it sites its datacenter. UK law enforcers will still be able to take action against Google — but this is the same position as today, moving the datacenters does not affect this.”
Google itself has released a statement confirming this.
“Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information,” it noted. “The protections of the UK GDPR will still apply to these users.”
However, there are still concerns that, once located in the US, data on UK users could be subject to the country’s mass surveillance apparatus.
“Moving people's personal information to the USA makes it easier for mass surveillance programs to access it. There is nearly no privacy protection for non-US citizens,” argued Open Rights Group executive director, Jim Killock.
“We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programs through to attempts to politically and racially profile people for alleged extremist links.”
Vitale speculated that Google’s move may be motivated more by a desire to consolidate user data across multiple services under a single US-based data controller.
“Recent tax changes in the US made it more attractive to onshore jobs to the US so this may also be part of the reason,” he added.
The UK government has again named and shamed Russian military intelligence for attempting to destabilize a foreign nation via cyber-attacks, this time a wide-ranging operation on targets in Georgia last October.
The attacks led to the defacement of over 15,000 web pages in the former Soviet country with messages designed to undermine pro-Western former President Mikheil Saakashvili. Thousands more were forced offline and computers at several TV stations were hit with destructive malware, interrupting their service.
The UK’s National Cyber Security Centre (NCSC), part of GCHQ, said it was 95% certain the attacks came from Russia, as part of the same GRU program responsible for the BlackEnergy and Industroyer attacks against Ukraine’s power grid, and the infamous BadRabbit and NotPetya destructive operations.
The government claimed the Kremlin was attempting to undermine Georgia’s sovereignty, sow discord and disrupt the lives of ordinary Georgian people.
“The GRU’s reckless and brazen campaign of cyber-attacks against Georgia, a sovereign and independent nation, is totally unacceptable. The Russian government has a clear choice: continue this aggressive pattern of behavior against other countries, or become a responsible partner which respects international law,” said foreign secretary Dominic Raab in a statement.
“The UK will continue to expose those who conduct reckless cyber-attacks and work with our allies to counter the GRU’s menacing behavior.”
The UK has publicly attributed a number of attacks over recent years to Russia as the Putin regime becomes ever more brazen in its attempts to sow discord overseas.
These include: VPNFilter, BadRabbit and NotPetya in 2017, attacks on the Democratic National Committee (DNC) ahead of the 2016 Presidential election, and anti-doping agency WADA the same year. It also blamed the GRU for information-stealing attacks on a “small UK TV station” in 2015.
Stolen data from millions of MGM Resorts guests widely reported to have been posted to the dark web this week has actually been circulating on hacking forums for over six months, according to experts.
Irina Nesterovsky, head of research at cyber intelligence firm KELA, claimed that the most recent upload of breached data on nearly 10.7 million hotel customers was simply a repackaged bundle — as often happens on the dark web.
“The posting of this data was originally executed by threat actor ‘NSFW’ or his partners on July 10 2019. The data published this week has already been circulating in other forums for more than six months,” she revealed.
Nesterovsky shared a screenshot of the upload, written in Russian, confirming that the data dump included names, emails, dates of birth, phone numbers and addresses of former guests. The post also noted that no passwords were included and that not all fields were populated.
According to Nesterovsky, NSFW is a “close associate” of notorious cyber-criminal Gnosticplayers, the individual responsible for releasing almost one billion user records from breaches at MyHeritage, Under Armour, ShareThis, 500px, GfyCat and other firms.
Gnosticplayers was also linked to the September 2019 breach at leading game developer Zynga, which resulted in the compromise of 172.9 million unique email addresses, along with usernames and passwords.
Although the data on MGM Resorts guests has been circulating for some time, the latest upload could rekindle a new wave of scams, Nesterovsky warned.
“Affected MGM customers should expect to see fraud attempts made again because the information is being refreshed,” she told Infosecurity.
Hotels are an increasingly popular target for both cyber-criminals and nation state operatives.
The biggest incident of recent years affected Marriott International and exposed around 339 million guest records. The UK’s ICO has stated its intent to fine the firm £99m for security failings that led to the breach.
Based on a series of Twitter polls hosted by Sumo Logic, 40.3% of Twitter users that responded said that SIEM is valued most as a “security control” whilst less than a quarter saw it used for threat detection or data collection.
According to 5766 votes, threat detection accounted for 23.3% of responses, while data collection accounted for 24.3%. Commenting, Michael Thoma, principal consultant, risk management at the Crypsis Group, told Infosecurity that a SIEM can act as a security control in its own right: some SIEMs can detect that a user was added to the Domain Admins group without a corresponding change ticket and use APIs to disable that user automatically.
“There are many tools that can supplement threat detection in lieu of a SIEM,” he explained. “In fact, a SIEM is typically centralization of the technology platforms that alert and log in the first place. For instance, you may have an Intrusion Prevention System (IPS) that is sending events and alerts to your SIEM based on malicious network activity. The SIEM can allow for additional correlation and retention of system logs, but the IPS by itself can still provide alerts on what is happening within your environment.”
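The kind of rule Thoma describes, written out as an added example (this is not code from the article or from any SIEM product): it flags additions to privileged Active Directory groups that are not covered by an approved change ticket and calls a disable action for the added account. The events are constructed samples modelled on the fields of Windows Security events 4728 and 4756 ("A member was added to a security-enabled global/universal group"), flattened the way a SIEM indexes them; the ticket table and disable_account() are hypothetical stand-ins for a change-ticket system and a directory API.

```python
"""Added example: SIEM-style correlation rule for privileged-group additions.
Sample events and tickets below are constructed; disable_account() is a stub."""
from dataclasses import dataclass
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
GROUP_ADD_EVENT_IDS = {4728, 4756}  # global / universal security group member added

# Constructed sample events (not real logs), in flattened SIEM form.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2020-02-20T09:14:02Z", "SubjectUserName": "svc_provision",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2020-02-20T23:41:37Z", "SubjectUserName": "helpdesk01",
     "MemberName": "CN=backup-ops,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2020-02-20T10:00:00Z", "SubjectUserName": "svc_provision",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example", "TargetUserName": "Marketing"},
    {"EventID": 4756, "TimeCreated": "2020-02-21T02:05:11Z", "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example", "TargetUserName": "Enterprise Admins"},
]

# Hypothetical approved change tickets: who may be added to which group, and when.
APPROVED_TICKETS = [
    {"ticket": "CHG-1042", "member": "jdoe", "group": "Domain Admins",
     "start": "2020-02-20T09:00:00Z", "end": "2020-02-20T10:00:00Z"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def member_account(dn):
    """'CN=jdoe,OU=Users,DC=corp,DC=example' -> 'jdoe' (simplification: real rules resolve MemberSid)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def matching_ticket(member, group, when):
    """Return the ticket ID that authorizes this change at this time, or None."""
    for t in APPROVED_TICKETS:
        if (t["member"].lower() == member.lower() and t["group"] == group
                and parse_ts(t["start"]) <= when <= parse_ts(t["end"])):
            return t["ticket"]
    return None


def disable_account(sam_account_name):
    """Hypothetical response action; a real rule would call the directory API or a SOAR playbook."""
    print(f"[response] disabling {sam_account_name}")


@dataclass
class Finding:
    member: str
    group: str
    added_by: str
    when: str
    action: str
    self_elevation: bool


def evaluate(events, disable=disable_account):
    """Apply the rule to a batch of events; one Finding per privileged-group addition."""
    findings = []
    for ev in events:
        if ev["EventID"] not in GROUP_ADD_EVENT_IDS:
            continue
        group = ev["TargetUserName"]
        if group not in PRIVILEGED_GROUPS:
            continue
        member = member_account(ev["MemberName"])
        actor = ev["SubjectUserName"]
        ticket = matching_ticket(member, group, parse_ts(ev["TimeCreated"]))
        self_elevation = actor.lower() == member.lower()
        if ticket and not self_elevation:
            action = f"allowed ({ticket})"
        else:
            # No covering ticket, or an account granting itself admin rights: disable the member.
            disable(member)
            action = "disabled"
        findings.append(Finding(member, group, actor, ev["TimeCreated"], action, self_elevation))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

Two design points carry over to a production rule: the ticket check is time-bounded, so a ticket does not become a standing authorization, and an account adding itself to an admin group is treated as suspicious even when a ticket exists, because that is the shape of a compromised helpdesk or provisioning credential.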
In another Twitter vote, of 621 respondents, 38.5% said that administration was the biggest struggle of SIEM complexity, whilst 32% cited deployment and 29.5% opted for operations. Thoma said that SIEM is “absolutely one of the most valued security controls for security operations and IT teams; however, it's only as useful as its implementation.”
He claimed that SIEM engineering and management requires a dedicated team that is both intimately familiar with the platform itself and the internal infrastructure and operations. “A SIEM is not an off-the-shelf product, and too many teams implement a SIEM for a fraction of the capabilities offered,” he said. “There are likely just as many teams using it for the full effectiveness as there are those hoping to use it as a silver bullet.”
Thoma said he suspected that an out-of-the-box SIEM solution was not likely in the coming years, as “SIEMs are inherently complex as they must be able to integrate with a multitude of technology stacks across many business verticals and allow for the creation of custom metrics and alerts specific to an organization's environment.”
The surveys were done in advance of Sumo Logic announcing the availability of its new Cloud SIEM Enterprise offering, which includes capabilities to ease the burden on security operations center personnel. The company said that the new capabilities help identify and prioritize high fidelity threats and automate the analyst workflow, allowing SOC personnel to better manage real security events and effectively enforce security and compliance policies.
Jon Oltsik, senior principal analyst and fellow at ESG, said: “Despite the central role SIEM plays, the research indicates that SOC teams use additional tools beyond SIEM for threat detection and response, investigations and query, threat intelligence analysis and process automation and orchestration. Sumo Logic’s Cloud SIEM Enterprise can help bridge this gap with a broader set of automation capabilities targeted directly at the modern SOC.”
Greg Martin, general manager, security business unit, Sumo Logic, added: “With the industry’s fast-moving transformation to public cloud, we wanted to give security teams a cloud-native solution with robust features they can use to navigate today’s cloud-centric world.”
HP Inc. has announced that it has joined the Buyers Lab (BLI) Security Validation Testing program for MFPs and printers to help drive more stringent industry standards for printer security.
Common endpoint devices such as office printers have proven to be serious security weak spots for organizations of all sizes in recent years, chiefly due to modern printers being produced with various forms of in-built connectivity, without the same sophistication of security to go with it. Printers have therefore become an attractive target for cyber-attackers looking for an easy foot into corporate networks.
The BLI Security Validation Testing program is designed to verify that printers passing through it are equipped to withstand an increasingly sophisticated threat landscape, helping to establish standards so that customers can select the best options for their desired security posture.
“Our decision to engage in this testing program is driven by our desire to help raise the bar for the entire industry,” said Tuan Tran, president, imaging, printing and solutions business, HP Inc. “We believe more can and should be done to mitigate security risks. This is an important step in driving more stringent industry standards for IoT devices, like printers, and pushing our industry to a higher standard. We encourage all our industry counterparts to join in this effort.”
As an inaugural participant of the BLI Security Validation Testing program, HP has passed the first two rounds of testing and earned the Security Validation Testing seals for Device Penetration and Policy Compliance for its HP FutureSmart v4 Enterprise firmware platform.
The news comes a year-and-a-half after HP Inc. became the first company to launch a bug bounty scheme dedicated to printing services, offering rewards of up to $10,000 for researchers who correctly report vulnerabilities in its printing technology.
Chinese hackers linked to state-backed groups have been observed targeting gambling companies in southeast Asia as part of another cyber-espionage campaign.
A new report from Trend Micro and Talent-Jump Technologies, Uncovering DRBControl, details the work of the eponymous group, whose activities were uncovered in 2019.
Attackers first deploy a spear-phishing email containing .DOCX files, which trigger a backdoor malware download if opened.
“The campaign uses two previously unidentified backdoors. Known malware families such as PlugX and the HyperBro backdoor, as well as custom post-exploitation tools were also found in the attacker's arsenal,” Trend Micro claimed.
“Interestingly, one of the backdoors used file hosting service Dropbox as its command-and-control (C&C) channel.”
The group also uses Dropbox to deliver different payloads to victims, and to store commands, post-exploitation tools and stolen files.
Post-exploitation tools used by the group range from password dumpers and clipboard stealers to UAC bypass tools, code loaders and brute forcing tools.
DRBControl also uses malware associated with the state-linked Winnti and Emissary Panda groups, although it’s unclear whether the campaign itself has links to Beijing.
“Links to the Winnti group range from mutexes to domain names and issued commands,” said Trend Micro. “The HyperBro backdoor, which appears to be exclusive to Emissary Panda, was also used in this campaign.”
The campaign is ongoing, and researchers have detected hundreds of compromised endpoints in the region.
Given that the exfiltrated data so far has consisted of internal databases and source code, it is thought the hackers are focused on cyber-espionage and gaining competitive intelligence, according to the report.
Over 2000 mobile devices used by UK government employees have gone missing in the space of a year, with a significant number unencrypted, according to new Freedom of Information (FOI) data.
Requests were sent by global communications company Viasat to 47 government departments, with full or partial replies received back from 27 of them.
During the period June 1 2018 to June 1 2019, a total of 2004 devices were reported lost or stolen, which amounts to eight per working day or 39 per week, according to the firm.
The largest share (767) were lost by the Ministry of Defence (MoD), followed by HMRC (288), the Department for Business, Energy and Industrial Strategy (197) and the Foreign Office (193).
On the plus side, the majority (1824) of the missing smartphones, laptops, PDAs, external storage devices and tablets were reported as encrypted. However, scores (65) were not, and the status of a further 115 is unknown.
Viasat’s UK managing director, Steve Beeching, argued that mobile security must be a top priority for government.
“Despite the progress made on encrypting devices, the fact that unencrypted government devices are still being lost is concerning, suggesting more needs to be done to ensure data is protected at all times. For devices this means total encryption – going beyond password protection to secure data at a hardware level,” he said.
“While the necessity for security is clear in areas such as defense and security, all government departments run the risk of a damaging security breach. It only takes one device getting into the wrong hands to give malicious actors access to sensitive content, whether top-secret information or personal data.”
In fact, the loss of personal data puts missing devices like these in the realm of GDPR regulation.
Viasat asked the government departments when they had last been audited by privacy watchdog the Information Commissioner’s Office (ICO), which is good practice for public sector organizations. In total, eight of those that replied said they had never been audited, while some had not been checked for years: the MoD’s last audit was in 2010, for example.
Departments can proactively ask for an audit free of charge whenever they like, to ensure they're meeting commitments to data protection laws.
“Individual departments cannot assume that their data will not be of interest to attackers – with the right strategy, any data can be a threat,” continued Beeching. “UK government departments must take a zero-tolerance approach to non-encrypted devices in order to safeguard data from falling into the wrong hands.”
Security experts have this week warned Italian and Swiss businesses to be on their guard as ongoing ransomware campaigns continue to target vulnerable systems.
In Switzerland, the Reporting and Analysis Centre for Information Assurance (Melani) issued an alert for local firms, claiming that it has already been forced to deal with a dozen cases where SMEs and large organizations have had their systems encrypted.
“The attackers made ransom demands of several tens of thousands of Swiss francs, in some cases even millions,” it said. The Swiss Franc is virtually 1:1 with the US Dollar at present.
“A technical analysis of the incidents revealed that the IT security of the companies affected was often incomplete and the usual best practices were not fully observed. Furthermore, warnings from the authorities were not heeded.”
The best practices that firms have been ignoring include AV installation, RDP endpoints protected with two-factor authentication (2FA), regular offline backups and patching, network segmentation and restricted user rights.
It’s unclear what strain of ransomware is targeting the businesses, but Melani urged victims not to pay up.
“If a ransom payment is nevertheless being considered, it should be noted that although systems and data might be decrypted, the underlying infection from malware such as Emotet or TrickBot will remain active,” it added. “As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware or steal sensitive data from it.”
The news comes as security experts spotted a new campaign targeting Italian users with the Dharma ransomware variant.
Hackers are this time using malicious spam to spread the ransomware, alongside the Ursnif data-stealing trojan.
The phishing email in question purports to contain an invoice from a client, but if the user clicks on a link in the body of the message, they will be taken to a OneDrive page where an automatic malware download will begin.
The deadline for filing taxes in the United States is eight weeks away, but new research from Proofpoint has shown that small businesses are already being hit by tax season–related cyber-attacks, using two main tactics.
The first is to send tax-themed emails with enticingly titled malicious attachments, such as "Important changes, filing due date and charges to form 1099."
The second tactic is to compromise legitimate tax-focused websites to deliver malware to people who visit the sites. Data gathered so far indicates that small businesses that specialize in tax preparation are a particular focus for website compromise cyber-attacks this tax season.
“If you have the word 'tax' in your domain name, you're a target this year. And while the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately,” said senior director of threat research and detection at Proofpoint, Sherrod Degrippo.
Attackers were observed gaining access to legitimate tax-focused websites via unpatched and out-of-date WordPress and other content management system installations. Code planted by attackers on compromised sites downloads malware onto the systems of people who visit in an attempt to access and steal their data. Researchers noted that code was often hosted elsewhere to make the compromise harder to spot.
Degrippo said: “In these attacks, we’ve seen the sites of smaller tax preparation and accounting firms targeted and compromised. This makes sense because smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they’ve happened.”
Describing the most sophisticated threat observed by researchers and how dangerous such attacks can be, Degrippo told Infosecurity Magazine: "A recent attack observed spoofed the full branding of a very well-known tax preparation service in the US for both the lure and the landing page for credential phishing. If a threat actor is successful in obtaining an authentic W2, they can potentially file taxes on behalf of that person, receiving the refund to their own account instead of the actual taxpayer."
Degrippo warned that phishing emails are now dangerously sophisticated.
"With the introduction of social engineering, phishing emails have become nearly indistinguishable from legitimate emails. They use trusted brands, and the correct logos, format, and wording as an email that might be expected from that brand.
"Attackers are adept at using LinkedIn and Google to conduct reconnaissance on potential individuals that have access to the information they want and are laser-focused on targeting them directly through email. And they are continuing to use email because it’s cheap, easy to use, and above all, effective."
The United States Air Force is offering students who failed to gain cybersecurity certification the first time around a second opportunity to qualify.
Previously, students who didn’t pass the Security+ exam on their first go had to rethink their chosen area of specialization within the Air Force. The new Pathfinder program gives students a precious second chance to pursue their dream of working in cybersecurity.
To acquire the Security+ certification, students must prove that they have the necessary skills to perform in a security-based information technology career by passing the Security+ exam.
“The exam is known to be complex and difficult and many Airmen fail and lose their designated career field,” said Airman 1st Class Seth Haddix, 81st Training Wing, Public Affairs.
Under the new program, selected re-classed students who failed to pass the exam the first time can retake the test during their first six months at their duty station.
The program has worked out well for Senior Airman Jennica Ripoli, 21st CD communications technician at Peterson Air Force Base in Colorado.
“Missing my chance of getting my desired job in the Air Force crushed me. It felt like I wasn’t able to achieve what I worked so hard for, and I would never be able to follow the career I wanted,” said Ripoli.
“Being able to eventually transfer over to cybersecurity after passing amazed me and made me feel like the Air Force is really trying to help me follow the right path.”
Being able to finally pass the exam and follow her dream career has been a real confidence boost for Ripoli.
She said: “This opportunity proved that I could overcome failure. I worked hard and continued to pursue the path I wanted, and I was successful.”
By switching fields, airmen who complete the Pathfinder program gain the distinction of possessing two Air Force Specialty Codes (AFSCs) instead of the usual one.
The first airman to complete the Pathfinder program was Airman 1st Class Johnathan Garcia, 75th Communications Squadron client systems technician, Hill Air Force Base, Utah.
“I feel I am more qualified with the knowledge of two AFSCs,” Garcia said. “I have more knowledge working with the other cyber jobs on base.”
British Transport Police have reported an alarming increase in the number of women being sent sexually explicit images by strangers while traveling via train.
In 2018, 34 cases of cyber-flashing offenses were reported to British Transport Police. In 2019, the number of recorded cases rose to 66, almost doubling over a one-year period.
Cyber-flashing occurs when a sexual predator sends an unsolicited pornographic image or video to a stranger, typically via the iPhone file-sharing function AirDrop.
Police fear the actual figures could be vastly higher as most incidents of cyber-flashing go unreported. Reasons for this could include the fear and/or embarrassment experienced by the victim, the difficulty in identifying the offender who sent the image, and a lack of serious consequences for offenders who are caught cyber-flashing.
AirDrop allows files to be sent anonymously, allowing offenders to harass women with impunity. All that victims receive is a preview of the image and the name of the phone being used to commit the crime.
Despite a huge increase in the number of recorded cases of this particular crime on British trains, only one sexual predator was arrested for cyber-flashing in 2019. Although the crime creates a sickening imposition upon women who enter what should be a safe public space, police don't always take reports of this crime seriously.
Last year, a woman who reported a cyber-flashing incident that occurred while she was traveling on London's Bakerloo line was told by the British Transport Police officer that the crime was impossible to investigate. The officer belittled the victim's experience by suggesting to her that it was "just photos."
Under current British law, cyber-flashing is not considered a sexual offense. However, it's not hard to imagine that offenders who can violate a woman's privacy through cyber-flashing, and who are not caught and punished, could go on to commit sexual offenses.
ESET cybersecurity specialist Jake Moore said: "I recommend people set up AirDrop for contacts only to stop people you don’t know sending you unsolicited messages—or even better just turn it on when you need it."
Moore said that women could reduce their chances of receiving unwanted porn while going about their daily lives by pretending that they are not female.
Shifting the onus onto women to take preventative actions against this unwarranted and abhorrent behavior by men, he said: "Another way of mitigating the chance of being sent an unsolicited message could be to change the name on your device to something neutral, rather than your name."
Medical devices represent a major risk to healthcare organizations (HCOs), and are twice as likely as standard network devices to be vulnerable to Bluekeep, according to CyberMDX.
The security vendor’s 2020 Healthcare Security Vision Report claimed that a third (30%) of US HCOs have experienced a cyber-attack in the past 12 months.
Connected devices are an increasing source of risk, as many are left unpatched and unmanaged, the report claimed. For example, 55% of imaging devices run unpatched or outdated Windows versions which could leave them vulnerable to Bluekeep.
This is an RCE flaw in Windows Remote Desktop Services (RDS) which could enable an attacker to take complete control of a machine to spread malware or launch info-stealing attacks. It affects Windows XP to Windows 7 and Server 2003 to Server 2008 R2 computers, and could spread without user interaction in a way similar to the EternalBlue exploit that enabled WannaCry to do so much damage to the NHS.
CyberMDX uncovered a range of security issues among HCOs, claiming that 11% don’t patch devices at all, and that a typical hospital will have patched only 40% or fewer vulnerable devices four months after a bug disclosure.
There’s more: a quarter (25%) don’t possess a full inventory of connected devices, while a further 13% admit theirs is unreliable. A third (34%) say they don’t identify, profile or continuously monitor medical devices and a further 21% do this manually, which is not sustainable given the explosion in such endpoints.
It’s perhaps no surprise that the average hospital has lost track of 30% of its devices, according to the report.
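The findings above (unpatched Windows versions in the BlueKeep range, medical devices exposed at twice the rate of standard network devices, and patch coverage measured months after disclosure) all come down to questions you can answer from a device inventory. The following is an added example, not code from CyberMDX or from the report: it triages a small constructed inventory, flags devices that run an OS in the affected range with Remote Desktop reachable and no fix applied, compares exposure rates between medical and standard network devices, and computes patch coverage at a chosen cutoff date. The hostnames, subnets, categories, dates and the assumed disclosure date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# OS versions the article names as in scope for BlueKeep (Windows RDS RCE):
# "Windows XP to Windows 7 and Server 2003 to Server 2008 R2". Vista and
# Server 2008 sit inside those ranges, so they are listed explicitly here.
BLUEKEEP_AFFECTED_OS = {
    "Windows XP", "Windows Vista", "Windows 7",
    "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
}


@dataclass(frozen=True)
class Device:
    hostname: str
    category: str               # "medical" or "network" (constructed classes)
    os: str
    rdp_enabled: bool           # Remote Desktop Services reachable on the network
    patched_on: Optional[date]  # date the RDS fix was applied, None if never


def needs_bluekeep_fix(dev: Device) -> bool:
    """In scope for the fix regardless of RDP state: RDP could be enabled later."""
    return dev.os in BLUEKEEP_AFFECTED_OS


def exposed_to_bluekeep(dev: Device, as_of: date) -> bool:
    """Exposed = affected OS, RDS reachable, and no fix applied on or before `as_of`."""
    if not needs_bluekeep_fix(dev) or not dev.rdp_enabled:
        return False
    return dev.patched_on is None or dev.patched_on > as_of


def exposed_hosts(devices: Iterable[Device], as_of: date) -> List[str]:
    """Sorted hostnames that are still exposed on `as_of` (the remediation worklist)."""
    return sorted(d.hostname for d in devices if exposed_to_bluekeep(d, as_of))


def exposure_rate(devices: Iterable[Device], category: str, as_of: date) -> float:
    """Share of devices in `category` that are exposed on `as_of`."""
    subset = [d for d in devices if d.category == category]
    if not subset:
        return 0.0
    return sum(exposed_to_bluekeep(d, as_of) for d in subset) / len(subset)


def patch_coverage(devices: Iterable[Device], cutoff: date) -> float:
    """Share of in-scope devices that had the fix applied on or before `cutoff`."""
    in_scope = [d for d in devices if needs_bluekeep_fix(d)]
    if not in_scope:
        return 1.0
    patched = [d for d in in_scope if d.patched_on is not None and d.patched_on <= cutoff]
    return len(patched) / len(in_scope)


# Constructed inventory: a mix of imaging/medical endpoints and ordinary IT hosts.
INVENTORY = [
    Device("mri-01", "medical", "Windows 7", True, None),
    Device("ct-02", "medical", "Windows XP", True, None),
    Device("xray-03", "medical", "Windows Server 2008 R2", True, date(2019, 8, 1)),
    Device("us-04", "medical", "Windows 10", True, None),            # not an affected OS
    Device("fileserver-05", "network", "Windows Server 2008 R2", True, date(2019, 6, 10)),
    Device("ws-06", "network", "Windows 7", False, None),            # RDP off: not exposed, still needs fix
    Device("ws-07", "network", "Windows 10", True, None),            # not an affected OS
    Device("ws-08", "network", "Windows 7", True, None),
]

# Assumed disclosure date (constructed for the example) and the four-month
# checkpoint the article uses to measure patch progress.
ASSUMED_DISCLOSURE = date(2019, 5, 14)
PATCH_CUTOFF = date(2019, 9, 14)
AS_OF = date(2019, 9, 15)

if __name__ == "__main__":
    print("exposed now:", exposed_hosts(INVENTORY, AS_OF))
    for cat in ("medical", "network"):
        print(f"{cat} exposure rate: {exposure_rate(INVENTORY, cat, AS_OF):.0%}")
    print(f"patched within four months: {patch_coverage(INVENTORY, PATCH_CUTOFF):.0%}")
```

On this constructed inventory medical devices come out exposed at 50% against 25% for standard network hosts, and only a third of in-scope devices are patched by the four-month checkpoint, which is the shape of the problem the report describes. Separating "needs the fix" from "currently exposed" matters in practice: a device with RDP disabled today is not on the emergency worklist, but it still belongs in the patch backlog.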
The challenges extend to staff cybersecurity training and awareness: 23% of respondents said they have no such program in place and 17% claimed they do but it hasn’t launched yet.
Over a third (36%) still lack a formal BYOD policy.
According to IBM’s latest Cost of a Data Breach report, HCOs suffered the highest cost of a breach – nearly $6.5m on average – for the ninth year in a row in 2019. CyberMDX also claimed that at least 10 hospitals had to turn away patients last year due to ransomware attacks.
A US natural gas facility was forced to shut down operations for two days after becoming infected with commodity ransomware, the Department of Homeland Security (DHS) has revealed.
The unnamed “natural gas compression” plant was first targeted with a spear-phishing email, allowing the attacker to access its IT and then pivot to its OT network, according to the technical alert from the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
The ransomware used was not named, but described as a “commodity” type designed to infect Windows systems, rather than the new strain spotted recently that had ICS-specific functions.
As such, it didn’t manage to impact any of the programmable logic controllers (PLCs) responsible for directly reading and manipulating physical processes. Still, the ransomware was able to compromise human machine interfaces (HMIs), data historians and polling servers on the OT network.
The victim organization was ill-prepared for such an attack: a worrying sign that some critical infrastructure providers still haven’t evolved their threat modelling to take account of modern black hat techniques.
Specifically, the organization failed to implement robust segmentation between IT and OT networks, allowing the attacker to infect both. It also did not build cyber-risk into its emergency response plan, focusing solely on threats to physical safety.
“Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyber-attacks,” the CISA alert noted.
“The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”
CISA urged critical infrastructure organizations to: add cyber-risk planning to their incident response strategies, practice failover to alternate control systems, use tabletop exercises to train employees, identify technical and human points of failure for operational visibility and recognize the safety implications of cyber-attacks, among other steps.
Among the physical security controls it recommended were network segmentation, multi-factor authentication, regular data backups, least privilege access policies, anti-phishing filters, AV, whitelisting, traffic filtering and regular patching.
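The failure CISA singles out, an attacker pivoting from the IT network into OT because the two were not segmented, is something a defender can check for continuously rather than discover during an incident. The following is an added example, not code from CISA or the alert: it audits a handful of constructed flow-log lines against a simple segmentation policy in which direct IT-to-OT connections are never allowed, only a designated jump host may reach OT (and only on administrative ports), and OT hosts never initiate connections back into IT. The subnets, the jump-host address, the port list and the log format are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed network layout (assumption): corporate IT, an OT/ICS range, and a
# single DMZ jump host that is the only permitted path from IT into OT.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")
JUMP_HOST = ipaddress.ip_address("10.15.0.5")
JUMP_ALLOWED_PORTS = {22, 3389}  # SSH and RDP from the jump host only

# Constructed flow-log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
FLOW_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def parse_flow(line: str) -> Optional[Dict]:
    """Return {'src', 'dst', 'dport'} for a well-formed line, None otherwise."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        return {
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        }
    except ValueError:  # unparsable address
        return None


def classify(flow: Dict) -> str:
    """Apply the segmentation policy to one flow and name the violation, or 'ok'."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if dst in OT_NET:
        if src == JUMP_HOST:
            return "ok" if dport in JUMP_ALLOWED_PORTS else "jump_host_disallowed_port"
        if src in IT_NET:
            return "it_to_ot_direct"      # the pivot path described in the alert
    if src in OT_NET and dst in IT_NET:
        return "ot_to_it"                 # OT should never initiate into IT
    return "ok"


def audit(lines: Iterable[str]) -> Tuple[Counter, List[Tuple[str, str, int, str]]]:
    """Count violations by type and return the offending flows for follow-up."""
    counts: Counter = Counter()
    findings: List[Tuple[str, str, int, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            counts["unparsed"] += 1
            continue
        verdict = classify(flow)
        if verdict != "ok":
            counts[verdict] += 1
            findings.append((str(flow["src"]), str(flow["dst"]), flow["dport"], verdict))
    return counts, findings


# Constructed sample flows, including one malformed line.
SAMPLE_FLOWS = [
    "2020-02-18T10:15:02Z src=10.10.4.21 dst=10.10.9.8 dport=445 proto=tcp",    # IT -> IT, fine
    "2020-02-18T10:15:09Z src=10.10.4.21 dst=10.20.1.7 dport=445 proto=tcp",    # IT workstation straight into OT
    "2020-02-18T10:16:40Z src=10.15.0.5 dst=10.20.1.7 dport=3389 proto=tcp",    # jump host RDP, allowed
    "2020-02-18T10:17:03Z src=10.15.0.5 dst=10.20.1.9 dport=445 proto=tcp",     # jump host on a non-admin port
    "2020-02-18T10:18:55Z src=10.20.1.7 dst=10.10.4.21 dport=445 proto=tcp",    # HMI calling back into IT
    "2020-02-18T10:19:10Z src=10.20.1.7 dst=10.20.1.20 dport=502 proto=tcp",    # OT -> OT, fine
    "2020-02-18T10:19:12Z corrupted record",
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for src, dst, dport, why in findings:
        print(f"{src} -> {dst}:{dport}  {why}")
```

The same three checks map directly onto firewall policy between the zones; running them over flow logs as well gives you evidence that the policy is actually enforced, and a tabletop exercise can use the findings list as its starting injects.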
Security experts are warning of a new extortion email campaign threatening to bombard websites using AdSense with fake traffic, thereby triggering Google’s anti-fraud systems.
A website owner wrote to journalist and researcher Brian Krebs claiming to have received just such a threat. The extortionists demanded $5000 in Bitcoin, or else they would bombard the site with bot-driven traffic.
This in turn, they claimed, would set off alarm bells with Google and force the tech giant to suspend the web owner’s AdSense account, depriving him of valuable advertising revenue.
“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended,” the email reportedly argued.
“It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to a second AdSense ban that could be permanent.”
Google itself claimed such threats are rare, and in any case it has the tools to detect and prevent sabotage like this from succeeding.
Jake Moore, cybersecurity specialist at ESET, urged users to treat these extortionists as they should ransomware authors, by refusing to engage.
“I would firmly advise people not to pay any extortionists as there is no guarantee that this will stop the traffic. If anything, these criminals will likely place your name on their suckers list, and possibly come back with higher payment demands,” he added.
“This should be reported to the police, and I suggest you do not communicate with these attackers.”
The concern about intentional data breaches has increased year-on-year, with 75% of IT leaders believing that employees have put data at risk intentionally.
According to research by Egress of 528 CSOs and IT leaders, 97% of respondents said “insider breach risk” is a significant concern. Of those surveyed, 78% said that employees have put data at risk accidentally, while 75% believed employees have put data at risk intentionally. This is a rise of 14% since last year’s research.
Chief marketing officer Tim Pickard said he was not surprised that 97% of CISOs and IT leaders would be concerned, and that too many companies are relying on employees to report breaches.
Egress CEO Tony Pepper added that the “severe penalties for data breaches mean IT leaders must action better risk management strategies, using advanced tools to prevent insider data breaches.”
Of those employees that have accidentally leaked data, 41% said it was due to a phishing message, 31% said that this was due to information being sent to the wrong recipient and 29% said that they or a colleague had intentionally shared data against company policy in the last year.
Looking at the causes of an intentional breach, 32% of those polled said that this was due to employees sharing data to personal systems, while 22% blamed employees leaking data to a contractor and 21% said that employees share data directly to cyber-criminals. Also, 18% said that employees take data to a new job, with only 4% saying that they “don’t have malicious insider breaches.”
Speaking to Infosecurity at the launch of the research, Pickard said that, from the point of view of intentionally leaking data, “there is a general awareness around the potential risks that exist from employees, and it doesn’t have to be malicious to be intentional, it could be misguided by someone trying to get their job done and putting data at risk.
“There are a number of elements at play, as none of us see the work environment getting any easier and there will be increased pressure at work for most people,” Pickard argued. “People have access to all sorts of technologies that IT leaders would rather they did not have, and cloud is a great thing, but it makes available some powerful technologies to people for a very small amount of money.”
Speaking to Infosecurity, Panaseer CEO Nik Whitfield cited the case of Sergey Aleynikov who was charged with stealing code from Goldman Sachs and giving it to his next employer. “There are different types of insider: some help themselves while some do it maliciously – but to them it is normal behavior,” he said. “Malicious insiders are also being placed by cyber-criminals and getting jobs in companies to steal information or to do corporate espionage.”
A 19-year-old American man has been arrested for allegedly engaging in a six-year cybercrime wave that involved swatting, computer fraud, and the stalking of multiple victims, including a New York schoolgirl.
Tristan Rowe was arrested on February 12 after allegedly threatening to kill one victim and bomb their school. Cops say he sent multiple disturbing messages to the victim, including one depicting a knife accompanied by the words "you don't deserve to live."
Another chilling message allegedly sent by Rowe showed a detailed map from Tennessee to a victim's home address in the Bronx, New York.
Rowe, who refers to himself as Angus, is alleged to have engaged in a persistent online stalking and harassment campaign against one particular victim. Police say he hacked online accounts belonging to the victim and to members of their family and even hacked into the computer systems of the victim's former high school to interfere with the grading system.
Tennessee resident Rowe is further accused of orchestrating multiple incidents of swatting, sending armed police to respond to false reports of an emergency at a victim's residence.
One such incident, brought about by 19-year-old Ohio gamer Tyler Barriss, resulted in the death of 28-year-old Kansas father Andrew Finch, who was shot and killed by a member of the responding SWAT team in 2017. Rowe allegedly used this potentially fatal tactic not only to terrorize his intended victim, but also to stage swatting incidents at the homes of the victim's friends and family.
In a message that demonstrated he was fully aware of the danger to life caused by swatting, Rowe allegedly told the victim, "Your choice u can wind up dead cause the armoured cops will come raid u."
Cops say that evidence obtained from Rowe's computer indicates that he conducted a number of computer intrusions of government and private-sector websites. They say Rowe was planning to compromise, or had already compromised, an inmate tracking website used by federal and local law enforcement, a police department website, the website of a hospital in New York, and a website for a state Department of Motor Vehicles.
Rowe has been charged with one count of cyberstalking and one count of unauthorized access to a computer. He faces a ten-year custodial sentence if convicted on both counts.
India has made its first arrest of an alleged dark web narcotics vendor.
Recent Amity University graduate Dipu Singh was taken into custody in Alambagh, Lucknow, on February 9 by India’s Narcotics Control Bureau (NCB). The 21-year-old is accused of selling psychotropic drugs disguised as erectile dysfunction remedies on dark web marketplaces in exchange for cryptocurrency.
Singh, whom the NCB described as "a major player on the dark net," allegedly sold illegal drugs to clients in several European countries, including Romania and Spain, and to customers in the UK and the US.
The illegal pills were mostly sold through dark web sites Majestic Garden and Empire Market, then shipped via global post offices and international courier services. The NCB suspects Singh also made sales via WhatsApp.
"Singh had mastered the technique to disguise the identity while making a shipment. It was learnt that the said parcel was devoid of KYC details," said deputy director general of operations at the NCB, Rajesh Nandan Srivastava.
In three seizures, NCB’s Mumbai Zonal Unit recovered 33,000 Tramadol and Zolpidem tablets, which they claim can be linked to Singh’s alleged drug dealing operation. Another 22,000 tablets were seized by the Delhi team.
A total of 55,000 psychotropic tablets, which include tramadol, zolpidem, and alprazolam, were seized as part of a two-month-long operation into Singh's alleged activities.
Singh gained a bachelor’s degree in Hotel Management last year. To help fund his studies, Singh accepted a part-time job at a legitimate internet pharmacy in 2018. There he earned a commission from the sale of fitness supplements and erectile dysfunction medicines, but the NCB alleges that the then student was lured over to the dark side by the promise of more money.
An NCB spokesperson said Singh "further learnt that the major profit is in the sale of controlled psychotropic medicines."
Singh allegedly worked with an associate, who took orders for the drugs and shared details of where to deliver each package. After using couriers to collect the drugs from various cities in India, Singh is accused of sending them out to his customers packaged as erectile dysfunction medicine.
If convicted, Singh is likely to face a stiff sentence.