Cyber Risk News

World’s Largest E-tailers to be Investigated Over Fake Reviews

Info Security - Fri, 06/25/2021 - 16:01

A trade watchdog in the United Kingdom is launching an investigation into what the world's largest e-tailers are doing to combat fake reviews on their platforms.

The Competition and Markets Authority (CMA) announced earlier today that it has opened a formal probe into Amazon and Google over concerns that the companies' efforts to protect consumers from falsified reviews are insufficient.

Following the announcement, the CMA will now begin gathering information to determine whether the two firms may have broken consumer law.

News of the probe comes after an initial CMA investigation, opened in May 2020, raised concerns about the systems currently in place at Google and Amazon to handle fake reviews.

The investigation assessed several platforms’ internal systems and processes for identifying and dealing with the issue. Its findings suggest that Amazon and Google may not have been doing enough to detect fake and misleading reviews or suspicious patterns of behavior, such as a review that suggests that the reviewer received a payment or other incentive to leave positive feedback.

CMA's initial investigation also suggested that Google and Amazon may have failed to adequately investigate and, where necessary, promptly remove misleading and fake reviews. Investigators also found that the sanctions imposed by the two companies on the businesses and reviewers behind the fake reviews may be inadequate. 

"Our worry is that millions of online shoppers could be misled by reading fake reviews and then spend their money based on those recommendations," said Andrea Coscelli, the CMA’s chief executive.

She added: "Equally, it’s simply not fair if some businesses can fake 5-star reviews to give their products or services the most prominence, while law-abiding businesses lose out."

The CMA voiced further concerns that Amazon has failed to prevent and deter some sellers from manipulating product listings – for example, by co-opting positive reviews from other products.

"We are investigating concerns that Amazon and Google have not been doing enough to prevent or remove fake reviews to protect customers and honest businesses," said Coscelli. 

"It’s important that these tech platforms take responsibility, and we stand ready to take action if we find that they are not doing enough."

AWS BugBust Aims to Fix One Million Vulnerabilities Globally

Info Security - Fri, 06/25/2021 - 09:41

Amazon Web Services (AWS) has launched an ambitious initiative to fix one million vulnerabilities and, as a result, reduce technical debt by over $100 million.

The cloud giant’s principal evangelist, Martin Beeby, said its new AWS BugBust would take the idea of a bug bash to a new level.

“AWS BugBust allows you to create and manage private events that will transform and gamify the process of finding and fixing bugs in your software. It includes automated code analysis, built-in leaderboards, custom challenges, and rewards,” he explained.

“AWS BugBust fosters team building and introduces some friendly competition into improving code quality and application performance. What’s more, your developers can take part in the world’s largest code challenge, win fantastic prizes, and receive kudos from their peers.”

The program will see participants use Amazon’s CodeGuru Reviewer and CodeGuru Profiler tools, which utilize automated reasoning and machine learning to find vulnerabilities in applications.

“A traditional bug bash requires developers to find and fix bugs manually,” continued Beeby. “With AWS BugBust, developers get a list of bugs before the event begins so they can spend the entire event focused on fixing them.”

Each time developers fix a vulnerability at a private event, they receive an allocation of points and are added to a global leaderboard, although only profile names and points will be visible there, not details of the vulnerabilities themselves.

Use of CodeGuru Reviewer and CodeGuru Profiler will be free for 30 days per AWS account. Developers will also be incentivized by various prizes handed out when they reach specific milestones.

An AWS BugBust varsity jacket is on offer for those reaching 2000 points, while the top 10 finalists on the leaderboard will get a free ticket to AWS re:Invent.

There were no more details on how AWS arrived at the $100 million figure, although technical debt is an ongoing challenge for the developer industry.

It stems from a focus on time-to-market at the expense of better written and more secure code at the outset. The result is that, while a project might be delivered quickly, it could be of poor quality and may need to be refactored in time. However, that debt has to be repaid eventually.

A 2018 report claimed that fixing technical debt could be worth as much as $3 trillion globally over a decade.

Newly Discovered Dell Bugs Impact 30 Million PCs

Info Security - Fri, 06/25/2021 - 09:03

Security researchers have warned that at least 30 million Dell computers may be at risk after discovering multiple vulnerabilities that could allow attackers to execute arbitrary code within the machines’ BIOS.

Security vendor Eclypsium said 129 Dell models were affected by the chain of four bugs, which have a cumulative CVSS score of 8.4 (high).

“These vulnerabilities enable an attacker to remotely execute code in the pre-boot environment. Such code may alter the initial state of an operating system, violating common assumptions on the hardware/firmware layers and breaking OS-level security controls,” it explained in a blog post.

“As attackers increasingly shift their focus to vendor supply chains and system firmware, it is more important than ever that organizations have independent visibility and control over the integrity of their devices.”

The vulnerabilities affect BIOSConnect, a feature of SupportAssist which enables users to perform a remote OS recovery or update the firmware on the device by connecting its BIOS to Dell backend services over the internet.

The main issue centers around CVE-2021-21571, which describes an insecure TLS connection from a machine’s BIOS to the Dell backend, meaning it will accept “any valid wildcard certificate.” This could enable an attacker with a privileged network position to impersonate Dell and deliver malicious content back to the victim device, Eclypsium said.
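The failure class behind that TLS issue is that chain validity and server identity are separate questions. The following is an added illustration, not Dell's or Eclypsium's code: a name check that accepts any well-formed wildcard certificate, beside an RFC 6125-style check that compares the certificate's names with the host the client meant to reach. All host names are constructed placeholders.

```python
# Added example, not Dell's or Eclypsium's code: models the certificate-check
# failure the article attributes to CVE-2021-21571, where a client accepts any
# *valid* wildcard certificate. Chain validation answers "is this certificate
# genuine?"; only a host-name match answers "was it issued for the server I
# meant to reach?". Host names below are constructed placeholders.

BACKEND_HOST = "downloads.vendor-backend.invalid"  # constructed, not a real Dell host


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def weak_name_check(san_names: list[str], host: str) -> bool:
    """The flawed pattern: any exact name or any well-formed wildcard passes,
    so a chain-valid cert for *.attacker.invalid is accepted for BACKEND_HOST."""
    for name in san_names:
        if name == host:
            return True
        if name.startswith("*.") and name.count("*") == 1:
            return True  # bug: never compares the wildcard's suffix with host
    return False


def strict_name_check(san_names: list[str], host: str) -> bool:
    """RFC 6125-style match: wildcard only as the whole leftmost label,
    covering exactly one label, and never matching a bare suffix like *.com."""
    host_labels = _labels(host)
    for name in san_names:
        labels = _labels(name)
        if len(labels) != len(host_labels):
            continue  # a wildcard covers one label, never several
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif "*" in name:
            continue  # partial wildcards ("dl*.x.y") are rejected outright
        elif labels == host_labels:
            return True
    return False


def accept_server(chain_valid: bool, san_names: list[str], host: str,
                  strict: bool = True) -> bool:
    """Full decision: a certificate must be both chain-valid AND issued for host."""
    if not chain_valid:
        return False
    check = strict_name_check if strict else weak_name_check
    return check(san_names, host)


if __name__ == "__main__":
    # Constructed scenario: an on-path party presents a certificate that a
    # public CA legitimately issued for a domain that party controls.
    attacker_cert = ["*.attacker.invalid"]
    print("weak  :", accept_server(True, attacker_cert, BACKEND_HOST, strict=False))
    print("strict:", accept_server(True, attacker_cert, BACKEND_HOST))
```

The weak check passes a chain-valid certificate issued for an unrelated wildcard domain, while the strict check accepts only names that cover the intended backend host.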

The other three flaws — CVE-2021-21572, CVE-2021-21573 and CVE-2021-21574 — are overflow vulnerabilities, two of which affect the OS recovery process, while the other impacts the firmware update process.

“All three vulnerabilities are independent, and each one could lead to arbitrary code execution in BIOS,” Eclypsium explained.

The attack scenario described by Eclypsium would require an attacker to redirect a victim’s traffic, such as via “machine-in-the-middle” techniques. However, it claimed this would be a relatively low bar for sophisticated attackers capable of ARP spoofing and DNS cache poisoning or exploiting bugs in VPNs and home office networking equipment.

“Successfully compromising the BIOS of a device would give an attacker a high degree of control over a device,” explained Eclypsium.

“The attacker could control the process of loading the host operating system and disable protections in order to remain undetected. This would allow an attacker to establish ongoing persistence while controlling the highest privileges on the device.”

Dell has urged customers to update to the latest Dell Client BIOS version as soon as possible to mitigate the risk of attack.

Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said the discovery was “highly concerning.”

“BIOS is critical for a device boot process and its security is vital to ensure safety of the entire device. This is especially important in the current environment due to the increased wave of supply chain attacks,” he added.

“This chain of security vulnerabilities allows for bypass of secure boot protections, can be exploited to take complete control of the device and hence organizations should prioritize patching.”

Cloud Database Exposes 800M+ WordPress Users' Records

Info Security - Fri, 06/25/2021 - 08:31

A misconfigured cloud database exposed over 800 million records linked to WordPress users before its owner was notified, according to Website Planet.

Security researcher Jeremiah Fowler explained that the trove was left online with no password protection by US hosting provider DreamHost.

The 814 million records he found were traced back to the firm’s managed WordPress hosting business DreamPress and appeared to date back to 2018.

In the 86GB database, there was purportedly admin and user information, including WordPress login location URLs, first and last names, email addresses, usernames, roles, host IP addresses, timestamps, and configuration and security information.

Some of the leaked information was linked to users with .gov and .edu email addresses, Fowler claimed.

Fortunately, the database was secured within hours of DreamHost receiving a responsible disclosure notice from Fowler.

However, the researcher said it was unclear how long it had been exposed, potentially putting users at risk of phishing. Threat actors scanning for exposed databases like this have in the past also stolen and ransomed the information contained within.

Fowler also pointed to the database’s record of “actions” such as domain registrations and renewals.

“These could potentially give an estimated timeline of when the next payment was due and the bad guys could try to spoof an invoice or create a man-in-the-middle attack,” he argued. “Here, a cyber-criminal could manipulate the customer using social engineering techniques to provide billing or payment information to renew the hosting or domain registration.”

The complexity of modern cloud environments makes misconfigurations of this type increasingly common.

Just last week, Fowler revealed an unprotected database containing one billion records belonging to CVS Health.

Cyber-stalker Blackmailed Nebraska Legislature Candidate’s Wife

Info Security - Thu, 06/24/2021 - 19:31

A man has been found guilty of cyber-stalking his former girlfriend in an attempt to prevent her husband from being elected to the Nebraska Legislature. 

Forty-eight-year-old Nebraskan Dennis Sryniawski obtained a sexually explicit photograph of La Vista resident Dianne Parris with her consent when the pair were in a romantic relationship more than two decades ago. However, Parris told the World-Herald that she never gave her former boyfriend consent to distribute the image.

When Dianne's husband, Jeff Parris, was seeking the District 14 seat in the Nebraska Legislature in 2018, Sryniawski began sending him threatening and sexually explicit emails. The couple reported the cyber-stalking to the La Vista Police Department and the FBI.

FBI investigators determined that Sryniawski had emailed Dianne Parris and threatened to publish the indecent photograph of her along with personal details about her unless her husband dropped out of the electoral race.

According to Dianne Parris, who managed her husband's electoral campaign, one of the threatening emails read: “All we are asking, is Quit the Race. Step down from running for State Legislature, Never run for any Political Office again, & All will be Sweet, especially for the ‘Good Life'."

Although Jeff Parris did not give in to the demands, his candidature proved unsuccessful.

Dianne Parris testified before a legislative committee in 2019 in support of a proposal to outlaw the sharing of sexually explicit photos or videos with the intent to harass. A different bill was passed later that year making "revenge porn" illegal in Nebraska. 

Sryniawski, who resides in Bellevue, was charged with cyber-stalking and intent to extort. On Monday, a jury in the US District Court of Nebraska found him guilty of only the first charge. 

Convicted cyber-stalker Sryniawski is due to be sentenced on September 22. He faces a fine of up to $250,000 and could be ordered to serve a prison term of up to five years. 

Speaking on behalf of herself and her husband on Tuesday, Dianne Parris said: “We’d just like to say that we are happy that he was found guilty on that charge."

Data Breach at WorkForce West Virginia

Info Security - Thu, 06/24/2021 - 18:45

Personal information belonging to job seekers residing in the Mountain State may have been exposed during a security incident at WorkForce West Virginia.

The breach was confirmed yesterday by West Virginia governor Jim Justice, who addressed the incident during a press conference held earlier today. 

WorkForce has begun sending notification letters to individuals whose personal data was compromised. The letters state that WorkForce learned on April 13 that an unauthorized individual had accessed a job-seekers database.

The unknown cyber-criminal may have gained access to the database via the Mid-Atlantic Career Consortium Employment Services database, or MACC website. West Virginians use the MACC to register for job services before applying for unemployment benefits.

“Upon discovery, immediate steps were taken to secure the network, and WorkForce immediately began an investigation,” states the letter.

“An experienced computer forensic firm was hired to help determine what happened and what information may have been accessed,” it continues.

MACC remained offline for 45 days while investigators probed the incident. In May, they concluded that job seekers' personal information could have been exposed. 

Data compromised in the incident may have included names, addresses, phone numbers, dates of birth and Social Security numbers.

“The security incident was investigated,” said WorkForce. “The risk was assessed, and the agency engaged a professional third-party forensic firm to manage ongoing risk mitigation.”

While sensitive data may have been accessed, WorkForce said that no files were downloaded, exfiltrated or altered. The agency has made improvements to its cybersecurity that include switching to a different software in the hope of preventing any similar incidents from occurring. 

“Mitigating any potential risk for constituents continues to be our top priority,” said WorkForce West Virginia commissioner Scott Adkins.

“Constituents should follow the guidance provided in the letter they received from WorkForce if they have any questions.”

The agency is offering those impacted by the data breach a year's worth of credit report monitoring and $1m in fraud loss reimbursement, fraud consultation and identity theft restoration.

WorkForce did not state how many West Virginians may have been impacted by the incident.

Linguist Jailed for Sharing US Defense Secrets

Info Security - Thu, 06/24/2021 - 16:22

A linguist employed by the US Department of Defense has been sent to prison for more than two decades for leaking the identities of American spies to a lover with ties to a foreign terrorist organization.

Mariam Taha Thompson was charged in March 2020 with sharing highly sensitive classified national defense information with a Lebanese national connected to Hizballah. 

A year later, the 62-year-old former resident of Rochester, Minnesota, pleaded guilty to placing American spies and US military personnel in grave danger by collecting and transmitting data. 

Thompson began communicating with her unindicted co-conspirator in 2017 via video chats and voice messages when she was working as a contract linguist at an overseas US military facility. The pair stayed in touch and Thompson developed romantic feelings for her co-conspirator.

In January 2020, the co-conspirator asked the smitten Thompson for information on the "human assets" who had helped bring about the death in 2019 of Iranian Revolutionary Guard Corps Quds Force commander Qasem Suleimani. 

Thompson admitted knowing that her love interest intended to pass the information to Lebanese Hezbollah, and that it would be given to an unnamed high-ranking military commander.

Using her top secret government security clearance, Thompson began accessing dozens of files concerning human intelligence sources. Information accessed by the linguist included true names, personal identification data, background information and photographs of the human assets, as well as operational cables detailing information the assets provided to the US government. 

Thompson used a variety of techniques to pass this information on to her co-conspirator, including handwritten notes. 

By the time she was arrested by the FBI in February 2020, Thompson had provided her co-conspirator with the identities of at least eight clandestine human assets; at least 10 US targets; and multiple tactics, techniques and procedures. 

On Wednesday, Thompson was sentenced to 23 years in prison. 

“The defendant’s decision to aid a foreign terrorist organization was a betrayal that endangered the lives of the very American men and women on the battlefield who had served beside her for more than a decade,” said Acting US Attorney Channing Phillips for the District of Columbia. 

“Let today’s sentence serve notice that there are serious consequences for anyone who betrays this country by compromising national defense information.”

Google Pushes Back Cookie Removal Plans to 2023

Info Security - Thu, 06/24/2021 - 16:19

Google Chrome users will have to wait until at least 2023 before third party cookies are blocked as part of the browser's Privacy Sandbox initiative.

Google had first disclosed its plans to block third party cookies, which advertisers and marketers use to track users, in August 2019. In January 2020, Google provided more details on the Privacy Sandbox effort with the company stating that it intended to have the cookie blocking technology in place within two years. Now it looks like the timeline for implementation will take a bit longer due to the complexity of the challenge.

"The Privacy Sandbox initiative aims to create web technologies that both protect people’s privacy online and give companies and developers the tools to build thriving digital businesses to keep the web open and accessible to everyone, now, and for the future," Vinay Goel, privacy engineering director for Google Chrome wrote in a blog post.

Addressing Regulatory Concerns in the UK

The United Kingdom’s Competition and Markets Authority (CMA) has been investigating Google's Privacy Sandbox initiative since January of this year, when it launched a formal investigation.

As part of the investigation, Google has made a series of commitments to CMA and the industry at large about the Privacy Initiative process. A key commitment is that the effort will not provide any data advantage for Google's own advertising products.

"The CMA is concerned that Google’s Proposals, if implemented without the regulatory scrutiny and oversight provided for by the Proposed Commitments, would be likely to amount to an abuse of a dominant position in the market for the supply of web browsers in the UK," the CMA stated.

Building Consensus for Cookie Removal

The effort to remove third-party cookies has involved multiple proposals for potential replacements for third-party cookies that provide more privacy assurance for web browser users. According to Goel, over 30 different proposals have been made, four of which are currently in some form of usability trial.

One of the technologies that Google is proposing to replace third-party cookies is FLoC (Federated Learning of Cohorts), which privacy experts have widely criticized as failing to protect user privacy. The basic idea behind FLoC is that groups of users can be clustered together by interests, hiding individual users and providing a way for advertisers to reach an appropriate audience.

Google is now expecting that it will enter into what it refers to as Stage 1 in late 2022, providing APIs for third-party cookie replacement in Chrome. Stage 2 of the cookie removal process is now expected to begin in 2023, with Chrome removing support for third-party cookies.

Ransomware Attacks Decline as Gangs Focus on Lucrative Targets

Info Security - Thu, 06/24/2021 - 10:46

Ransomware attacks fell by 50% in Q1 2021 as threat actors shifted from using mass spread campaigns to focusing on fewer, larger targets with unique samples, according to the McAfee Threats Report: June 2021.

The researchers noted that the traditional approach of using one form of ransomware to infect and extort payments from many victims is becoming less prominent, mainly because the targeted systems can recognize and block such attempts over time. Instead, they see a trend towards fewer, customized Ransomware-as-a-Service (RaaS) campaigns tailored to larger, more lucrative organizations.

As a result of this shift, the analysis found that the number of prominent ransomware family types declined from 19 in January 2021 to nine in March 2021. The most detected ransomware group in Q1 2021 was REvil, followed by the RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze and Babuk strains.

Raj Samani, McAfee fellow and chief scientist, explained: “Criminals will always evolve their techniques to combine whatever tools enable them to best maximize their monetary gains with the minimum of complication and risk. We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see RaaS supporting many players in these illicit schemes holding organizations hostage and extorting massive sums for the criminals.”

Numerous high-profile ransomware incidents have taken place this year; these include the attacks on the US East Coast fuel pipeline operator Colonial Pipeline and meat processor JBS, both of which led to substantial payments being paid.

Another important finding from the report was a 117% rise in the spread of cryptocurrency-generating coin mining malware, which McAfee attributed to a spike in 64-bit CoinMiner applications. Unlike ransomware, in which victims’ systems are locked up and held hostage until a cryptocurrency payment is made, coin miner malware infects organizations’ systems and then silently produces cryptocurrency using those systems’ computing capacity. This tactic means criminals do not need to interact with the victim, who may be completely unaware they are under attack.

Samani added: “The takeaway from the ransomware and coin miner trends shouldn’t be that we need to restrict or even outlaw the use of cryptocurrencies. If we have learned anything from the history of cybercrime, criminals counter defenders’ efforts by simply improving their tools and techniques, sidestepping government restrictions, and always being steps ahead of defenders in doing so. If there are efforts to restrict cryptocurrencies, perpetrators will develop new methods to monetize their crimes, and they only need to be a couple steps ahead of governments to continue to profit.”

In total, McAfee detected an average of 688 new malware threats per minute in Q1 of 2021, representing an increase of 40 threats per minute compared to Q4 of 2020.

Ransom Leak Sites Reveal 422% Annual Increase in Victims

Info Security - Thu, 06/24/2021 - 09:13

Over three-quarters of consumers and cybersecurity professionals want to see ransom payments made illegal, as new figures showed a triple-digit year-on-year increase in victim organizations.

Mandiant claimed to have detected a 422% increase in victim organizations announced by ransomware groups on their leak sites between Q1 2020 and the first quarter of 2021.

That amounted to over 600 European organizations, with those in manufacturing, legal and professional services and retail most affected.

The new figures come as research from Talion revealed that 78% of UK consumers and 79% of security professionals believe payments to these groups should be banned by law.

It’s an increasingly controversial area, with many commentators blaming cyber-insurance policies for effectively bankrolling threat groups and encouraging more malicious actors to join the fast-growing ransomware cybercrime industry.

It recently emerged that corporate victims that pay up may even be able to deduct these sums from their US tax bills, providing another incentive to hand over money to cybercrime groups.

However, there have also been signs that things are shifting the other way: in France, AXA recently said that it would not be reimbursing policyholders for ransom payments.

The research was released to publicize a new #RansomAware initiative backed by the Research Institute for Sociotechnical Cyber Security (RISCS), which aims to encourage organizations to speak up about attacks.

Former National Cyber Security Centre (NCSC) CEO, Ciaran Martin, now professor at the Blavatnik School of Government, welcomed the initiative.

“We need to look at all the different reasons why ransomware is causing so much harm,” he said.

“That includes tackling the tough questions like the flows of money, including looking seriously at payment bans. But we need to provide more support for victims too, and help them protect themselves in the first place.”     

The Talion study also revealed that 81% of security professionals believe information sharing between victim organizations is key to building better defenses against ransomware.

Nuisance Call Company Fined £130,000 After Eight-Month Blitz

Info Security - Thu, 06/24/2021 - 08:54

A home improvement company has been fined £130,000 by the UK’s data privacy watchdog for inundating consumers with nearly a million nuisance calls.

ColourCoat Ltd of St Leonards on Sea in East Sussex provides insulation and wall and roof coatings, as well as roof repairs and cleaning, according to its website.

However, the firm is said to have made over 900,000 nuisance marketing calls to recipients in just over eight months.

After scores of complaints to the Information Commissioner’s Office (ICO), the regulator launched an investigation, finding that many of the recipients had signed up to the UK’s “Do Not Call” register, known as the Telephone Preference Service (TPS).

According to the ICO, the firm repeatedly called people who had asked not to be called again and withheld its phone numbers to prevent being contacted. It also used false company names on these calls, such as “Homes Advice Bureau,” and “EcoSolve UK,” the regulator claimed.

Along with the fine, the firm was hit with an enforcement notice demanding it stops all illegal activity or faces court action.

ICO investigations manager, Natasha Longson, said ColourCoat had no regard for the law or the individuals it inundated with nuisance calls.

“Businesses employing these tactics are very likely to come to our attention. The catalog of contraventions we uncovered, as well as the manner in which calls were made in this case, resulted in a fine and a legal notice to stop,” she added.

“Some of the complainants described the calls received as ‘rude,’ ‘aggressive’ and ‘abusive,’ and made one complainant feel ‘threatened.’ People also reported that the calls made them feel ‘annoyed’ or ‘anxious’.”

The firm was fined not under the GDPR but the UK’s Privacy and Electronic Communications Regulations (PECR), which governs privacy rights regarding marketing calls, emails and texts.

Unlike the better-known data protection law, the PECR only grants the ICO fining powers of up to £500,000.

Cyber-Attacks Are Primary Funding Source for North Korea

Info Security - Thu, 06/24/2021 - 08:28

Cybercrime is now the primary means by which the North Korean state is funded, according to researchers at Venafi.

The security vendor’s threat intelligence specialist, Yana Blachman, and her team analyzed publicly available information on state-sponsored attacks directed by the hermit kingdom over the past four years.

They concluded that the Asian dictatorship now monetizes cyber-attacks to circumvent economic sanctions and keep the Kim Jong-un regime alive.

However, global democracies must take more assertive action to mitigate the cyber-threat from North Korea or risk the funding model being exported to Myanmar, Belarus and other countries shunned by the international community, Blachman warned.

“North Korean attacks are often much more brazen and reckless than those sponsored by other states, because they are not afraid of getting caught — this makes them particularly dangerous. It gives the cyber-criminals it sponsors free rein to engage in highly destructive, global attacks, such as the 2017 WannaCry attacks, affecting more than 200,000 users across at least 150 countries,” she argued.

“Worse still, North Korea is setting an example for other rogue states to follow. Belarus and even Myanmar can now see that cybercrime offers them a way of countering the worst effects of sanctions, while making themselves more of a threat to the wider community.”

Blachman, who started her professional career working in signals intelligence for the Israel Defense Forces' Unit 8200, said North Korea’s Lazarus, APT38 and other groups are coordinated through the military’s Reconnaissance General Bureau (RGB).

These groups have been responsible for some major money-making raids over recent years, including the notorious $81 million cyber-heist at Bangladesh Bank in 2016 and a theft of $32 million in crypto-funds at South Korean exchange Bithumb two years later.

In 2019, the United Nations issued a report claiming that the Kim regime had managed to generate as much as $2 billion from attacks on banks and cryptocurrency exchanges, in part to raise money for its nuclear weapons program.

Blachman published a blog today explaining more.

Anti-virus Pioneer John McAfee Found Dead in Spanish Prison Cell

Info Security - Wed, 06/23/2021 - 21:11

John McAfee was found dead in a Barcelona prison cell on Wednesday afternoon, June 25 2021. McAfee was 75 years old. The cause of death, according to Spanish authorities, is suspected to be suicide.

An outspoken cybersecurity pioneer and reclusive millionaire, McAfee was being held by Spanish authorities after being arrested in October 2020 at Barcelona's El Prat airport on charges of alleged tax evasion in the U.S.

A Spanish court ruled earlier in the day on Wednesday June 23 that he could be extradited to the U.S to stand trial.

The tax evasion charges were in addition to charges from the U.S. Securities and Exchange Commission (SEC) that were also made public in October 2020 about McAfee's cryptocurrency investments. McAfee was indicted on charges of money laundering and cryptocurrency fraud by the U.S. Department of Justice in March of this year.

In one of his final tweets, sent on June 10, McAfee provided a very sombre view of his time in prison, providing some insight into his state of mind.

"There is much sorrow in prison, disguised as hostility. The sorrow is plainly visible even in the most angry faces. I'm old and content with food and a bed but for the young, prison is a horror - a reflection of the minds of those who conceived them."

McAfee: The Man and the Company He Hated

John McAfee was born in Cinderford, Gloucestershire, the child of a British mother and a father who was stationed at a U.S. Army base in the U.K. He spent much of his early life in the U.S. and earned a degree in mathematics.

John McAfee founded McAfee Associates in 1987 as one of the earliest anti-virus vendors in the market. The company had early success in the nascent security market of the late 1980s and made its founder incredibly wealthy. John McAfee himself left the company in 1994 and has not been associated with the computer security vendor that still bears his name for decades.

While McAfee purposely and actively distanced himself from the McAfee security company and the core anti-virus technology that bore his name, he remained an active voice on various matters of security and public affairs.

One of his most famous diatribes against McAfee anti-virus is a somewhat 'unsuitable for viewing at work' ranting video that shows John McAfee snorting white powder while effusively proclaiming he has nothing to do with the anti-virus vendor.

McAfee was quoted and interviewed by Infosecurity Magazine over the years about his views on security. At the Infosecurity Europe 2015 event, the ever-combative McAfee spoke on stage with Infosecurity editor Eleanor Dallaway, and later slammed the state of the security industry in an interview.

“I think there’s more wrong than right in the security industry – because it’s a business like anything and the purpose of business is to make money and survive," McAfee said at the time.

Categories: Cyber Risk News

Mr. Double’s Operator Jailed

Info Security - Wed, 06/23/2021 - 19:29
A 65-year-old man from Texas has been sentenced to prison for operating a website devoted to stories in which violence occurs against minors.

In January, a federal jury convicted 65-year-old Brewster County resident Thomas Alan Arthur of three counts of trafficking in obscene visual representations of the sexual abuse of a child, five counts of trafficking in obscene text stories about the sexual abuse of children, and one count of engaging in the business of selling obscene matters involving the sexual abuse of children.

The charges were all related to the website Mr. Double, which Arthur launched from his home address in 1996. On it he published writings that described the sexual abuse, rape, torture, and murder of infants and children.

In 1998, Arthur began charging a membership fee to access the site, which was hosted on a server in the Netherlands. He made enough money from Mr. Double for the site to be his sole source of income for more than two decades. 

Users were invited to upload their own content, which included drawings depicting children engaged in sexually explicit conduct. The evidence at trial showed that all submissions for publication were personally reviewed and approved by Arthur before being added to the site. 

The site remained online until November 2019, when the FBI executed a search warrant of Arthur's residence. 

Court documents and statements made at the sentencing showed that Arthur sexually assaulted two females who came forward during the investigation of this case. 

The court heard that in approximately 1992, Arthur drugged an adult woman who resided with him, sexually assaulted her and captured the assault on video. In another instance, in the early 1980s, Arthur molested the daughter of a friend and business associate when she was four or five years old.

On June 22, Arthur was sentenced in the Western District of Texas to 40 years in prison. He was further sentenced to three years of supervised release and fined $50,000.

This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse.

Categories: Cyber Risk News

Cyber-attack Exposes Eye Clinic Patient Data

Info Security - Wed, 06/23/2021 - 18:18
A cyber-attack on an eye clinic with locations across Iowa may have exposed the records of hundreds of thousands of patients. 

On Tuesday, Wolfe Eye Clinic announced that it had suffered a digital assault in February of this year. During the attack, an unauthorized third party gained access to the clinic's computer network. 

According to the clinic, the perpetrators behind the cyber-attack may have compromised the records of roughly half a million past and present patients. 

Wolfe Eye Clinic stated that the breach occurred on February 8. The clinic hired an independent IT firm to probe the security incident, but it wasn't until months later that the scale of the breach was realized.

"Upon detecting this incident, we moved quickly to secure our network environment and launched a thorough investigation," stated Wolfe Eye Clinic.

"The investigation was performed with the help of independent IT security and forensic investigators to determine the scope and extent of the potential unauthorized access to our systems and any sensitive information," the clinic continued. 

"Given the complexity and scale of the cyber-attack detected, the full scope of information potentially impacted was not fully realized until May 28, 2021."

The firm completed its investigation on June 8. After examining the digital forensic evidence, it found that patient data exposed in the attack may have included patient names, mailing addresses, dates of birth, Social Security numbers, and protected medical/health information.

Wolfe Eye Clinic is in the process of contacting all patients who may have been impacted by the data breach with a mailed breach notification. Affected patients are being offered a complimentary year of identity monitoring services.

The clinic said that it is "taking steps to prevent a similar event from occurring in the future by implementing additional safeguards and enhanced security measures to better protect the privacy and security of information in our systems."

Wolfe Eye Clinic, which was founded by Dr. Otis Wolfe, first opened its doors in 1919. The business, which today serves more than 700,000 patients, started with one clinic in Marshalltown, Iowa. It now includes 11 main clinics, 9 family vision centers, a surgical center and more than 25 outreach locations across the state.

Categories: Cyber Risk News

Employee Privacy Gap Discovered

Info Security - Wed, 06/23/2021 - 17:33
Two thirds of organizations are not effective at protecting the privacy of their employees, according to new research conducted by the Ponemon Institute.

While gathering information for DTEX Systems' inaugural State of Workforce Privacy & Risk Report, the Institute discovered a significant workforce privacy gap. 

The report, created with sponsorship from cyber-intelligence company DTEX, surveyed a global pool of 1,249 IT and IT security practitioners. Participants were questioned about their organizations’ approach to securing sensitive information and reducing workforce risks. 

Findings revealed that 63% of respondents believe it is important or very important to protect employees’ privacy in the workforce. However, only slightly more than a third (34%) of organizations are effective or very effective in doing so.

Researchers also found that most organizations struggle to balance respecting workforce privacy against a perceived need to monitor employee engagement and internal risk. 

Sixty-four percent of survey respondents said that tracking employee activity and performance without damaging their morale or diminishing their trust in the organization was a difficult task. 

More than half (53%) of companies believe their employees expect their personal behaviors and activities to remain private. However, fewer than half (47%) of companies anonymize the data they collect on their employees for the purposes of monitoring for security risk and operational performance.

Fewer than half (49%) of companies were transparent about what information about their employees was being collected onsite and remotely. 

The shift to remote work was seen as a reason to keep an even closer eye on the workforce. However, only 35% of organizations enable their employees to express any concerns about the protection of their privacy in remote locations.

A key takeaway from this research is that workforce privacy "must be a top priority, not simply just a feel-good goal,” said DTEX Systems chief customer officer, Rajan Koo. 

“The workforce is a source of incredible intelligence, yet organizations continue to fall into a 'big brother' surveillance approach that erodes trust and transparency. Draconian tech solutions in the marketplace are only worsening this problem. The findings of this report make it clear – a reckoning is coming.”

Categories: Cyber Risk News

Gaming Industry Experiences 340% Spike in Web App Attacks

Info Security - Wed, 06/23/2021 - 14:00
Web application attacks targeting the video game industry grew by a higher rate than any other sector during the COVID-19 pandemic, according to a new report by Akamai.

The Gaming in a Pandemic report found that attacks of this nature surged by 340% in 2020 compared to 2019, totaling more than 240 million attempts against the video game industry.

The most prominent web application attack vector was SQL injection, making up 59% of all attacks against the gaming sector. This method targets the login credentials and personal information of players. It was followed by local file inclusion, which comprised 24% of all attacks. This method focuses on sensitive details within apps and services that can further compromise game servers and accounts. Other prominent vectors in this category were cross-site scripting and remote file inclusion, accounting for 8% and 7% of attacks detected by Akamai, respectively.

The video game industry also experienced a 224% increase in credential stuffing attacks in 2020 compared to 2019, a total of nearly 11 billion. Akamai observed that these attacks took place at a large, steady rate throughout last year, with millions of attacks registered each day and two days seeing spikes of more than 100 million. It added that credential stuffing became so common that bulk lists of stolen usernames and passwords were available for as little as $5 on illicit websites.

Surprisingly, there was a 20% reduction in DDoS attacks targeting the gaming industry.

Another key finding from the report was that cyber-criminals consistently targeted mobile games incorporating in-app purchases. These are in-game purchases of virtual items like skins, character enhancements and additional levels.

Steve Ragan, Akamai security researcher and author of the report, commented: “We’re observing a remarkable persistence in video game industry defenses being tested on a daily – and often hourly – basis by criminals probing for vulnerabilities through which to breach servers and expose information. We’re also seeing numerous group chats forming on popular social networks that are dedicated to sharing attack techniques and best practices.”

There have been several high-profile hacks on video game companies over the past year. Earlier this month, gaming giant EA suffered a major data breach in which 780GB of data, including source code for games, was stolen and advertised for sale on the dark web.

Categories: Cyber Risk News

EU Proposes Joint Cyber Unit Amid Rising Attacks

Info Security - Wed, 06/23/2021 - 10:56
The European Union (EU) has proposed creating a Joint Cyber Unit to improve the ability to respond to rising cyber-attacks on member states.

The ambition is for the unit to enable a coordinated EU response to large-scale cyber incidents and crises by pooling together nation-state resources and improving knowledge sharing among the relevant bodies.

To implement this vision, the EU Commission has proposed developing a physical and a virtual platform for the unit. The physical platform will provide “a physical space where cybersecurity experts can, in case of need, come together to conduct joint operations, share knowledge and work together.” The virtual platform will be used “for collaboration and secure information sharing, leveraging the wealth of information gathered through monitoring and detection capabilities.”

The platforms, together with the creation and maintenance of secure communication channels and improved detection capabilities, will be funded primarily through the EU’s Digital Europe Programme.

The commission has suggested that the Joint Cyber Unit be built in four stages, with a completion date of June 2023.

  1. Assess (by December 31 2021) – establish how the unit will be organized and understand EU operational capabilities.
  2. Prepare (by June 30 2022) – roll out joint preparedness activities alongside national incident and crisis response plans, with a view to outlining the roles and responsibilities of participants in the unit.
  3. Operationalize (by December 31 2022) – bring the Joint Cyber Unit into operation by mobilizing EU rapid reaction teams.
  4. Involve private sector partners (by June 2023) – in particular, increase information sharing with users and providers of cybersecurity solutions and services.

The main parties involved in the unit fall under four categories: resilience, law enforcement, diplomacy and defense.

The proposal has come amid a growing number of serious cyber incidents, which are impacting critical services in the EU and other parts of the world. Recent examples include a ransomware attack on Ireland’s health service and the theft of official COVID-19 vaccine data from the European Medicines Agency.

Security experts have been quick to welcome the proposal but cautioned that it requires the cooperation of member states in areas such as intelligence sharing to work effectively. Matt Lock, technical director at Varonis, commented: “Any new initiative to tackle cybercrime is to be welcomed, so the launch of the Joint Cyber Unit is good news and shows the EU is taking the problem seriously. 

“However, organizations should not think that they can take their eyes off the road. Once a ransomware attack or another breach has taken place, it’s often too late - the damage has already been done. 

“Organizations need to take responsibility for their own cybersecurity and securely lock down their data to avoid falling victim to hackers. 

“It’s important also to note that the EU views this reactive force as a ‘recommendation’ to governments and institutions. The launch of this initiative should therefore be a message to every business, both large and small. Prepare for the worst and raise your defenses, because cyber-criminals won’t be giving up.”

Steve Forbes, government cybersecurity expert at Nominet, said: “The new effort includes rapid response teams ready to be deployed in the instance of an attack, as well as a game-changing platform for collaboration across the EU, including intelligence, resources and expertise. This is exactly what’s needed to stem the tide against attacks that are only becoming more brazen and sophisticated.

“Until now, it has been reported that countries were hesitant to give away any control of their national security, and that is completely understandable when you consider that cyber is increasingly being seen alongside traditional methods of defence such as the army, navy and air force. There is a middle ground, however, where countries can benefit from centralized intelligence, overarching strategies and broad-reaching tactics. With similar threats faced across the EU – particularly against critical infrastructure – often with the same adversaries, pulling together will allow the bloc to make step changes in its cyber defense.

“The new cyber unit will set a powerful precedent for international collaboration as central to our future global cyber defense.”

Today, the EU has also published a progress report on its EU Security Union Strategy, which emphasizes combatting cybercrime and other malicious activity online.

Categories: Cyber Risk News

UK Banks Drive £77 Million Reduction in European Fraud Losses

Info Security - Wed, 06/23/2021 - 09:47
UK banks led the way in Europe last year with fraud protection efforts, driving an overall drop in associated losses of £77 million (€90 million) year-on-year, according to new data from FICO.

The predictive analytics firm claimed that British financial institutions cut fraud losses by an impressive £46 million (€69 million) in 2020, the equivalent of a 7% reduction on 2019 figures.

They were joined by their counterparts in Denmark, who managed to drive down fraud by €20 million (£17 million).

However, this is largely where the good news ends for Europe, as only three more out of the 18 countries studied managed to achieve a reduction and none on the same scale as the UK and Denmark. FICO claimed that without the “focus, robustness, resilience and adaptability” of UK banks, European fraud losses would have increased over the period by around £8 million (€10 million).

Fraudsters increased their takings in France (€6 million), Poland (€5 million) and Germany (€3 million).

Norway saw the biggest year-on-year rise (172%), from €8 million to €22 million, driven by prolific phishing and smishing campaigns designed to trick users into divulging their logins.

According to banking industry association UK Finance, financial institutions prevented £1.6 billion in unauthorized fraud by implementing real-time transaction analysis and other technologies.

Other steps included improved collaboration and intelligence sharing between law enforcement, government and industry, and the roll-out of the Banking Protocol, which allows bank branch staff to alert the police when they think a customer is being scammed.

UK Finance also pointed to collaborative industry efforts to block scam text messages and number spoofing, as well as an account name-checking service known as "Confirmation of Payee" designed to prevent authorized push payment scams.

The new figures are at odds with many predictions that cited COVID-19 as providing fraudsters with new opportunities to scam consumers and their banks.

However, a respected think tank earlier this year branded escalating fraud a national security risk, requiring a "major systemic shift” in government strategy. A separate paper from the same organization warned of “silent stealing” tactics in which fraudsters target large numbers of consumers for very small amounts they may not notice.

Categories: Cyber Risk News

Nearly 10% of SMB Defense Contractors Show Evidence of Compromise

Info Security - Wed, 06/23/2021 - 09:01
More than half of SMB contractors in the US defense supply chain are critically vulnerable to ransomware attacks, a new report has claimed.

Cybersecurity vendor BlueVoyant chose to analyze a representative sample of 300 smaller contractors from a defense industrial base (DIB) estimated to have anywhere from 100,000-300,000 suppliers.

The resulting Defense Industry Supply Chain & Security 2021 review uncovered concerning signs of weaknesses in this complex ecosystem of contractors — potentially putting national security at risk.

It found that over half of the companies studied had unsecured ports vulnerable to ransomware attacks. Meanwhile, 48% had vulnerable ports and other weaknesses, including unsecured data storage ports, out-of-date software and operating systems, and other vulnerabilities rated severe by NIST.

Unpatched flaws were particularly concerning: more than six months after critical F5 and Microsoft Exchange vulnerabilities were published, nine companies were yet to fix them.

A fifth (20%) of SMB contractors were found to have multiple vulnerabilities and evidence of targeting, while 7% also featured evidence of compromise.

In total, BlueVoyant found evidence of over 1,300 email security issues, more than 400 vulnerabilities, and 344 indications that suggest “company resources are involved in anomalous or criminal activity.”

Perhaps unsurprisingly, over a quarter (28%) of appraised contractors showed evidence indicating they would fail to meet the most basic tier-1 requirement for the Cybersecurity Maturity Model Certification (CMMC). This is a critical compliance standard designed to improve security best practices among US defense contractors.

Austin Berglas, global head of professional services at BlueVoyant, argued that as primary contractors improve cybersecurity, threat actors have pivoted towards SMBs in the same supply chain. He highlighted manufacturers and R&D firms as particularly exposed to the risk of attack.

“For an industry with such an expansive, interconnected digital ecosystem, supply chain security should be a fundamental consideration. Prime contractors are under enormous pressure to reduce the attack surface of the entire supply chain but are partly blind to the vulnerabilities that exist,” he added.

“For smaller companies, identifying ongoing risks and understanding overall supply chain health is a daunting but vital process, and more attention and resources should be dedicated to combating the growing threat.”

Categories: Cyber Risk News