Info Security


Shoppers Choose Guest Checkouts Over Security Fears

Wed, 05/05/2021 - 08:50

More than a fifth (22%) of shoppers use guest checkouts because they’re concerned about handing more personal data over to e-commerce providers, according to a new study.

E-commerce search specialist Empathy.co commissioned Censuswide to poll a representative sample of 4000 British consumers to better understand their online preferences.

It revealed widespread mistrust of online stores and a desire to gain more control over personal data.

Only 13% said they’re not concerned about how their data is used at all, while over two-fifths (42%) claimed that they’re extra careful when providing personal data and accepting legal notices.

A further two-fifths (40%) agreed that they don’t like being asked for unnecessary or sensitive data.

They’re right to be concerned. Although there are strict GDPR rules around what organizations can do with data subjects’ information and how they must protect it, online retailers remain a popular target for fraudsters.

A common tactic is account takeover (ATO), where scammers use credential stuffing or other efforts to crack open customers’ online accounts and raid them of personal data stored within or try to make purchases with stored cards.

A survey from April by fraud prevention specialist Ravelin revealed that 45% of global retailers have seen a spike in ATO of late. In October 2020, Akamai claimed that 60% of credential stuffing attacks detected over the previous two years were targeted at retail, hospitality and travel businesses, with most of these (90%+) affecting retailers.

Empathy’s research also revealed 28% of consumers would like to take back information from brands they don’t like or trust, while 37% want more control of the data businesses have on them.

These sentiments may be a sign that consumers still aren’t aware of their rights under the GDPR, which has provisions for data subjects to have their information deleted under the “right to erasure” principle.

There are also parts of the law that make it easier for consumers to object to how their data is being processed and/or whether or not their consent for processing was informed and freely given.

Categories: Cyber Risk News

Fake Vaccine Domain Seized

Tue, 05/04/2021 - 17:04

A fraudulent website impersonating a biotechnology company to allegedly steal data has been seized by the United States Attorney's Office for the District of Maryland.

"Freevaccinecovax.org" purported to be the domain name of a company that was developing a vaccine for COVID-19. However, the site was allegedly set up to collect the personal information of visitors and use it for nefarious purposes.

According to the affidavit filed in support of the seizure, the apparently fraudulent website “freevaccinecovax.org” was discovered by the Homeland Security Investigations Cyber Crimes Center (“C3”) and the Homeland Security Investigations Intellectual Property Rights Center (“IPRC”).

A domain analysis conducted by HSI revealed that the domain name was created on April 27, 2021, using an IP address located in Strasbourg, Germany. The registrant country was listed as Russia.

The creators of the fake site used the real trademarked logos for Pfizer, the World Health Organization (WHO), and the United Nations High Commissioner for Refugees (UNHCR) on the homepage to make the domain appear authentic. 

The seizure of the domain name was announced by Acting United States Attorney for the District of Maryland Jonathan Lenzner and Special Agent in Charge James Mancuso of Homeland Security Investigations, Baltimore.

Mancuso said the HSI wants the public to understand that "all a bad guy needs to defraud thousands of Americans in search of COVID-19 information is the ability to create a website combined with malicious intent."

The site is the latest in a string of fraudulent websites seeking to capitalize on the outbreak of coronavirus that have been seized by the Maryland US Attorney's Office. The Office said the data collected by the site could potentially have been used to commit fraud, to deploy malware, or to carry out phishing attacks. 

“This is the ninth fraudulent website seeking to illegally profit from the COVID-19 pandemic that we have seized,” said Lenzner. 

“Members of the public should not provide personal information or click on links in unsolicited e-mails and should remember that the COVID-19 vaccine is not for sale."

The federal government is providing the vaccine free of charge to people living in the United States.


Virgin Active SA Suffers Cyber-Attack

Tue, 05/04/2021 - 16:18

The South African arm of fitness group Virgin Active has been targeted by "sophisticated cyber-criminals."

The company took all its computer systems offline after being targeted by cyber-criminals on Thursday. Late on Friday, Virgin Active warned clients of the attack by posting a message on its website.

“Virgin Active South Africa became aware of a cyberattack yesterday and our security teams immediately started working with cybersecurity experts to carefully contain, manage and investigate the cyber event,” the message read.

The company's 136 health clubs remain open while Virgin Active IT staff work behind the scenes to determine the nature and extent of the attack. With computer systems down, the fitness facilities are operating on a "first come, first served" basis. 

Virgin Active is yet to reveal what kind of attack it was subjected to; however, the company said that no data had been removed by unauthorized third parties.

“While we take the necessary steps to protect data, we have been targeted by sophisticated cybercriminals," said Virgin Active.

"As a precautionary measure, we have taken all systems offline while we resolve this. Our clubs are operating as normal and we sincerely apologize for any inconvenience while we address this event.” 

The company said that it had notified South Africa's Information Regulator “as a precaution” and is working with law enforcement to bring about a return to normal operations.

In an FAQ published online, Virgin Active emphasized that the attack was not the result of sloppy security practices.

"We have passed security audits and all our data is protected. In addition, all financial and banking data has been encrypted," stated the company.

Addressing what if any data had been compromised, Virgin Active said: "All our customer data is protected and, at this point in time, we are not aware of any data expropriation. As a precautionary measure, we have taken all systems offline while we work to resolve this."

The company added that they were still "unsure as to the extent of the cyberattack" as "an investigation being done by forensic experts" remained ongoing.


Third Parties Caused Data Breaches at 51% of Organizations

Tue, 05/04/2021 - 15:53

Remote access is becoming an organization's weakest attack surface, according to new research published today by the Ponemon Institute and third-party remote access provider SecureLink.

The new report, titled “A Crisis in Third-party Remote Access Security,” reveals a disparity between an organization's perceived third-party access security threat and the protective measures it puts in place. 

Researchers found that organizations are exposing their networks to non-compliance and security risks by not taking action to reduce third-party access risk. 

Nearly half (44%) of organizations were found to have experienced a security breach within the last 12 months. Of those organizations, three-quarters (74%) said that the breach had occurred because too much privileged access had been given to third parties.

Researchers found that organizations are not doing the necessary security checks before sharing data access with third parties. Just over half (51%) of organizations said they had not been assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential information. 

“Providing remote access to third parties without implementing the appropriate security safeguards is almost guaranteeing a security incident and a data breach involving sensitive and confidential information,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. 

“It is important that organizations assess the security and privacy practices of the third parties that have access to their networks and ensure that they have just enough access to perform their designated responsibilities and nothing more.”

Other key findings were that 54% of organizations do not have a comprehensive inventory of all third parties with access to their network, and 65% of organizations have not identified the third parties with access to their organization's most sensitive data.

“The findings in this report showcase the lack of security, management, and accountability that’s needed to adequately secure third-party remote access, which is very worrying,” commented Joe Devine, CEO of SecureLink. 

"While recent high-profile breaches have done a good job of highlighting the serious risks of unsecure vendor relationships, there is still a lot of work to be done to shift organizations’ mindset when it comes to protecting not only their data, but their customer and partner data too.”


UK Cyber Security Association Officially Opens for Membership

Tue, 05/04/2021 - 14:16

The UK Cyber Security Association has officially launched and is open for membership, it has been announced.

The body is designed to provide a community for anyone working in, or who has an interest in, the sector, helping promote best practices and information sharing both in the UK and internationally. It also aims to work alongside government, trade bodies, and cybersecurity groups to share information and initiatives.

Membership has now opened for individuals and organizations actively working in the cybersecurity industry. Those who join will be given access to an online portal and forum to engage with other members and the chance to participate in a program of events and training sessions, among other benefits.

First started in 2019 by industry expert Lisa Ventura, the UK Cyber Security Association has been in an expressions of interests phase until now. So far, it has undertaken project work and campaigns in areas such as growing neurodiversity and women in cybersecurity, addressing the cyber-skills gap, and helping individuals and small businesses stay secure online during the COVID-19 pandemic.

Commenting on the launch, Ventura, CEO & founder of the UK Cyber Security Association, said: “In 2019 I spotted a gap for a membership/trade association in cybersecurity and the UK Cyber Security Association was born. Since then, it has been in an expressions of interest phase which has exceeded all my expectations and we are now fully open for membership. Cybercrime has grown exponentially in recent years, especially during the global pandemic, and it has never been more important for individuals and organizations to take their cybersecurity seriously.

"Our aim is to be a caring and sharing membership organization in cybersecurity with a primary focus on delivering value to our members. We are delighted with the response to the idea of a membership association for cybersecurity and look forward to welcoming and helping our members as the association grows and develops.”

The announcement has come shortly after another industry body, the UK Cyber Security Council, was launched as an independent body last month. The council is responsible for boosting professional standards and career prospects for those working in cybersecurity.


Scripps Health Knocked Offline by Ransomware

Tue, 05/04/2021 - 11:21

A leading Californian healthcare provider has been hit by a cyber-attack forcing the postponement of some patient appointments and a reversion back to offline processes.

Non-profit Scripps Health posted several updates to Twitter over the weekend, claiming that an incident detected on Saturday forced it to suspend access to some applications, including MyScripps and scripps.org.

“While our information technology applications are offline, patient care continues to be delivered safely and effectively at our facilities, utilizing established back-up processes, including offline documentation methods,” it continued.

“Some patient appointments scheduled for today and Monday, May 3, will need to be postponed as a result of this. We are working on how best to notify these patients about the need to reschedule.”

The San Diego-headquartered provider said that outpatient urgent care centers and Scripps HealthExpress locations and emergency departments remain open for patient care, and tried to reassure patients that its “physicians and employees are well-trained and thoroughly prepared to respond to this sort of situation.”

Local reports confirmed ransomware as the cause of the attack, adding that patients with life-threatening conditions would be diverted from the group’s hospitals where possible.

Scripps is reported to generate revenues of around $3 billion annually and treats an estimated 700,000 patients each year.

Unfortunately, the healthcare sector continues to be a major target for threat actors who see the pandemic as a perfect opportunity to turn up the heat on hospitals for their own gain.

Cyber-attacks on global healthcare organizations (HCOs) surged by more than double the rate of those targeting other sectors at the end of 2020, with ransomware the primary cause, according to Check Point.

In the meantime, Scripps Health said it was working hard to restore systems.

“Our technical teams and vendor partners are working around the clock to resolve these issues as quickly as possible. We have notified law enforcement and the appropriate governmental organizations,” it added.


Pulse Secure Patches Critical Zero-Day Flaw

Tue, 05/04/2021 - 10:38

Pulse Secure has patched a critical zero-day vulnerability that was being exploited by multiple APT groups to target US defense companies, among other entities.

The security update fixes CVE-2021-22893, a critical authentication bypass vulnerability in the Pulse Connect Secure VPN product which has a CVSS score of 10.0.

It was being exploited in combination with bugs from 2019 and 2020, for which the vendor had released patches that some organizations had not applied, to bypass multi-factor authentication on the product. This allowed attackers to deploy webshells for persistence and perform surveillance activities.

Mandiant said at the time that it had tracked 12 malware families to the exploitation of the vulnerability, and at least one state-sponsored attack group, APT5.

Reports of these attacks first started to appear around two weeks ago, with both the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issuing warnings to organizations.

Phil Richards, CSO of Pulse Secure’s parent company Ivanti, argued that the firm was making “significant investments” to improve its security posture, including enhancements to its application development processes.

“The Pulse Secure team has worked closely with CISA as well as leading forensic experts and industry groups, including Mandiant/FireEye and Stroz Friedberg, among others, to investigate and respond quickly to malicious activity that was identified on a very limited number of customer systems,” he added.

“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we are pleased to be able to deliver a security patch in such short order to address the vulnerability.”

Richards also encouraged Pulse Secure customers to take advantage of an integrity checker tool to see if they’ve been impacted by the threat.


Suspected Iranian Ransomware Group Targets Israeli Firms

Tue, 05/04/2021 - 08:18

Suspected Iranian hackers have reportedly hit multiple Israeli companies with ransomware, in a new campaign of attacks.

A group describing itself as 'N3tw0rm' (Networm) on Sunday added the logo of H&M Israel to their naming and shaming website, just three days after another local firm, Veritas Logistics, was hit.

Networm is threatening to publish 110GB of data stolen from the fashion retailer and 9GB from transport firm Veritas, including information on customers, invoices, employees and possibly payment data, according to Haaretz.

The group reportedly demanded 3 Bitcoin ($168,000) from Veritas Logistics to delete the data.

A local cybersecurity firm that Haaretz spoke to claimed it was providing incident response for three Israeli companies that had recently been hit by ransomware. There are suspicions an unnamed non-profit may also have been targeted in the ongoing campaign.

The Networm group has been linked to 'Pay2Key' — an Iranian cyber-attack group that hit scores of Israeli firms at the end of last year in what some commentators described as an ideological rather than financially motivated operation.

If that’s true, the attackers have no intention of releasing the stolen information but instead want to undermine the status of Israel as a pre-eminent cyber power, the report claimed.

In fact, it’s not uncommon for ransomware threat actors to hold onto some or all of the data they’ve stolen. A Sophos report out last week claimed that although a third (32%) of victim organizations now elect to pay, only 8% got all their data back last year and 29% didn’t manage to grab more than half of what they lost.


Contact Tracer Breach Hits the Keystone State

Mon, 05/03/2021 - 16:37

Personal health information (PHI) belonging to tens of thousands of Pennsylvanians has been exposed following a data breach at a Department of Health vendor.

Atlanta-based company Insight Global was contracted by the Keystone State's DOH in 2020 "to provide contact tracing and other similar services" following the outbreak of COVID-19. Now the Department is accusing the company of exposing the data of 72,000 individuals by willfully disregarding security protocols.

Pennsylvanians contacted by Insight Global in a contact tracing data collection operation reported to have cost $28.7m shared their information on the understanding that it would be kept confidential. 

Department of Health spokesperson Barry Ciccocioppo stated "certain employees of Insight Global—a vendor contracted by DOH in 2020 to provide contact tracing and other similar services—disregarded security protocols established in the contract and created unauthorized documents outside of the secure data systems created by the Commonwealth. 

"These documents existed separately from the official data that Insight Global employees were collecting and providing to DOH within secure data platforms."

Information exposed in the data breach reportedly included names, phone numbers, and medical information. The DOH said that their data systems were not impacted by the breach. 

“From the briefing I got this morning from the Governor’s Office, there were several employees of Insight Global that ignored or purposefully avoided security protocols, I don’t know whether to make their job easier or what,” said State Representative Jason Ortitay, who serves portions of Washington and Allegheny counties.

He added: “They were basically putting information and people’s names into Google documents and then they were sharing them amongst each other.”

A spokesperson for Insight Global told WXPI that contact tracing information "may have been made accessible to persons beyond authorized employees and public health officials."

The company has launched an investigation into the security incident and taken steps to secure the PHI that was exposed. Free credit monitoring and identity protection services will be offered by the company to individuals affected by the breach. 

Insight Global's contract with the Department of Health expires on July 31. The Department has stated that it will not be renewed.


Online Child Abuse Platform with 400k Users Taken Down

Mon, 05/03/2021 - 15:52

A website through which more than 400,000 users accessed child sexual abuse material (CSAM) has been taken down in an international operation led by German police.

The Boystown site had existed on the Darknet since at least June 2019 and had users all over the world. After creating an account, users could download videos and images depicting the sexual abuse of children, exchange content of this nature with one another, and also chat together via voice channels.

"Among the images and video recordings shared were also recordings of the most severe sexual abuse of young children," German prosecutors said on Monday.

DW reports that administrators of the platform sent advice to users on how to access the site securely to avoid criminal prosecution. 

Four German citizens have been arrested on suspicion of being involved with the Boystown platform. Three of those people are accused of operating and maintaining the site.

During mid-April raids on seven properties, police took into custody a 40-year-old man residing in Paderborn in western Germany, a 49-year-old man from the Munich area, and a 58-year-old man from northern Germany who has been living in Paraguay for several years. 

The fourth suspect, a 64-year-old man living in Hamburg, is accused of creating an account on the Boystown platform in July 2019 and using it to post over 3,500 pieces of content to the site. If proven to be true, his alleged activity would make this man one of the site's most active users. 

An international taskforce set up by the German Federal Criminal Police (Bundeskriminalamt) to target Boystown and its users included Europol and law enforcement agencies from the Netherlands, Sweden, Australia, Canada, and the United States. 

Europol said that several other chat sites on the dark web that were used by child sexual offenders were also seized as part of the Boystown takedown operation. 

"The image and video data seized during this investigation will be used for Victim Identification Taskforces organized on a regular basis at Europol," stated Europol. 

"More arrests and rescues are to be expected globally as police worldwide examine the intelligence packages compiled by Europol."


US Mulling Domestic Spying Partnership with Private Companies

Mon, 05/03/2021 - 14:20

The Biden administration is reportedly considering teaming up with private companies to monitor American citizens' private online activity and digital communications.

According to news source CNN, multiple sources have said that the Department of Homeland Security (DHS) is actively seeking a way to monitor citizens online without having to first secure a warrant or prove that such monitoring is an essential part of an ongoing investigation.

The sources said that a plan is being formed for the DHS to circumvent these established checks to the government's power by working directly with private firms.

Currently, only the unprotected information that Americans share on social media sites and public online platforms can be accessed by federal authorities. 

However, the alleged plan being formed by the DHS would allow authorities to see what Americans are writing and sharing online in access-restricted spaces such as private Facebook groups. 

The plan is reportedly not centered on the decryption of data belonging to Americans but is instead focused on getting outside entities with legal access to the information being shared online to report what is being said to the government.

Limits are also in place at the Central Intelligence Agency (CIA) and National Security Administration (NSA) when it comes to domestic espionage. 

After WikiLeaks published data in 2017 that Julian Assange said included evidence that the CIA may have hacked smartphones to spy on US citizens, the CIA denied that such activity had taken place.

"It is . . . important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so," said CIA spokesperson Jonathan Liu.  

"CIA's activities are subject to rigorous oversight to ensure that they comply fully with US law and the Constitution."

The alleged new DHS plan comes after the PRISM domestic surveillance program, in which the NSA, FBI, and CIA gathered and searched through Americans’ international emails, internet calls, and chats without obtaining a warrant, came under criticism from the American Civil Liberties Union.

ACLU described the program as "violating the Fourth Amendment on a massive scale" and "one of the NSA's worst spying programs."


British Prime Minister’s Cell Phone Number Exposed

Fri, 04/30/2021 - 16:56

A personal cell phone number belonging to the UK's prime minister, Boris Johnson, has reportedly been publicly accessible online for fifteen years. 

Johnson's number was listed on a think tank press release published on the internet back in 2006 when he was the Member of Parliament for the riverside town of Henley in Buckinghamshire. 

The security breach was first reported by the website Popbitch in a piece headlined 'Hoping not to butt-dial Boris'.

“It’s not as though the Prime Minister’s personal phone number could just be floating out there on the internet, is it?" quipped the site. 

"It would be absolutely insane if it was tacked on to the bottom of an old press release that he dished out freely while MP for Henley, and Shadow Minister for Higher Education.”

According to the BBC, the exposed number appears to still be in use by the Conservative prime minister.  

Leader of the opposition Labour Party Sir Keir Starmer described news of the number's availability as "a serious situation [that] carries a security risk."

Starmer said: "A lot of people will be concerned, not just about who has got the number but who has been using it."

Johnson has come in for criticism recently concerning his use of messaging apps and SMS messages after it was reported that he personally texted businessman Sir James Dyson with a promise to "fix" Dyson's tax issue.

"What has come out in recent weeks is [about] privileged access—those who can WhatsApp the prime minister for favors—and this all is further evidence that there is one rule for them and another rule for everybody else," said Starmer.

Speaking on BBC Radio 4's Today program, former national security adviser Lord Ricketts said that “hostile states with sophisticated cyber capabilities or criminal gangs" could have exploited Johnson’s number.

He added that for a prime minister to change their number after taking office is an "elementary security precaution these days."

Home Office minister Victoria Atkins said that the PM was "aware of his responsibilities" on national security and that she had "complete and utter confidence" that he and his advisors would meet those responsibilities.


Software Company Self-Reports Illegal Exports

Fri, 04/30/2021 - 15:23

A software company based in Germany has self-disclosed violating United States sanction laws by exporting American products and services to Iran.

SAP SE, which is headquartered in Walldorf, admitted to carrying out thousands of export violations over a seven-year period. 

After self-reporting its transgressions, the company agreed to pay combined penalties of more than $8m as part of a global resolution reached with the United States Departments of Justice (DOJ), Commerce, and Treasury. 

SAP entered into a non-prosecution agreement with the three agencies that requires the company to disgorge $5.14m of ill-gotten gains. 

From around January 2010 through approximately September 2017, SAP and its overseas partners released US-origin software more than 20,000 times to users located in Iran. Software exported by SAP without a license included upgrades and patches. 

"Certain SAP senior executives were aware that neither the company nor its U.S.-based content delivery provider used geolocation filters to identify and block Iranian downloads, yet for years the company did not remedy the issue," stated the DOJ.

Most of the Iranian downloads went to 14 companies, which SAP's partners in Turkey, United Arab Emirates, Germany, and Malaysia knew to be under Iranian control. The remaining downloads were sold to several multinational companies then downloaded by their Iranian-based operations.

During the same period, SAP’s Cloud Business Group companies (CBGs) permitted approximately 2,360 Iranian users to access US-based cloud services from Iran.

The DOJ praised SAP for voluntarily confessing its violations, running an extensive internal investigation, and for cooperating with the US government over a three-year period. 

"During this time, SAP worked with prosecutors and investigators, producing thousands of translated documents, answering inquiries and making foreign-based employees available for interviews in a mutually agreed upon overseas location," stated the DOJ.

SAP also spent more than $27m on remediating its export compliance and sanctions program. Changes introduced by the company included the implementation of GeoIP blocking, the deactivation of thousands of Iran-based user accounts for cloud services, and the suspension of SAP partners who sold to customers affiliated with Iran. 

Assistant Attorney General John Demers said: “SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated."


INSA Forms Critical Infrastructure Subcommittee

Fri, 04/30/2021 - 14:49

A new Critical Infrastructure Subcommittee has been established by the Cyber Council of the Intelligence and National Security Alliance (INSA).

The creation of the subcommittee was officially announced yesterday along with an overview of its mission.

The main goal of the newly formed subcommittee will be to assess cyber-threats to America's critical infrastructure and examine actions taken by the government and industry to secure the nation's essential networks.

Privately owned infrastructure across the defense industrial base and telecommunications, finance, and energy and electric sectors will be evaluated in terms of what impact they could have on national security.

Another goal that the group has been set is the promotion of strategies that will mitigate cyber-threats to select critical infrastructure operations.

Meeting quarterly, the subcommittee also aims to foster a spirit of cooperation by identifying and addressing obstacles to greater public-private collaboration, with a specific focus on how this could be achieved through Sector Coordinating Councils (SCCs), Information Sharing and Analysis Centers (ISACs), and other forums.

INSA said that the goal of the subcommittee is to also "serve as a forum for government and industry experts to share perspectives, develop new insights, better account for risk, build resiliency, and promote best practices."

Chris Boyer, vice president of global security and technology policy at telecommunications giant AT&T, has been named as the subcommittee's chair. 

Vice chair positions have been accepted by Amentum's vice president for mission engineering Rich Johanning and by the CME Group's global information security external engagement team lead, Sydney Jones. 

Initial areas that the subcommittee will focus on include threat briefs on cyber-threats to critical infrastructure sectors, securing critical infrastructure supply chains, and expediting the process of securing clearances for critical infrastructure. 

The subcommittee will also look at ways in which the speed of declassification and tearline report publication could be improved, so that industry can respond faster to cyber-threats.

INSA vice president for policy Larry Hanauer said: “It’s critical that government agencies and critical infrastructure operators improve their cybersecurity cooperation and share information on cyber threats more effectively.”

Categories: Cyber Risk News

Cautious Welcome for Ransomware Task Force Proposals

Fri, 04/30/2021 - 10:27
Cautious Welcome for Ransomware Task Force Proposals

Security experts have welcomed the proposals of a new ransomware report from big tech and law enforcers, but argued that tackling the menace must begin with improved cyber-hygiene.

Convened by the Institute for Security and Technology and trailed since last December, the Ransomware Task Force (RTF) is a team of over 60 experts from software companies, cybersecurity vendors, government agencies, non-profits, and academic institutions.

It includes representatives from the FBI, Europol, the UK’s National Crime Agency and many of the world’s biggest tech companies including Amazon, Cisco and Microsoft.

Its framework document makes five key recommendations to tackle the cyber-threat. The most eye-catching of these is that governments require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading 'desks' to adhere to the same regulatory standards as banks. That means following anti-money laundering (AML), Know Your Customer (KYC) and Combatting Financing of Terrorism (CFT) laws.

Other recommendations include that the US government “execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.”

It emerged last week that a new Department of Justice taskforce will work to manage efforts across the federal government to disrupt C&C infrastructure, seize profits, coordinate training and intelligence sharing and more to try and disrupt ransomware groups.

The RTF also called for prioritized law enforcement efforts across jurisdictions and “a clear, accessible, and broadly adopted” international framework to help organizations prepare for, and respond to, ransomware attacks.

However, some security experts were skeptical about the RTF’s recommendations.

ImmuniWeb founder, Ilia Kolochenko, argued that even if cryptocurrencies were regulated, cyber-criminals would find ways to bypass regulations. Indeed, the current AML regulatory regime is widely seen to have failed.

“I’d rather suggest treating the root cause of ransomware: the widespread lack of basic cyber-hygiene,” Kolochenko argued.

“Even the largest organizations from regulated industries often fail to follow the basics: maintain an up-to-date asset inventory, implement risk-based and threat-aware security controls, perform continuous security monitoring and anomaly detection, conduct ongoing security training and awareness, maintain software and patch management programs, and to enforce centralized identity management.”

Others were more welcoming of the task force’s efforts, but agreed that organizations must do more from a corporate cybersecurity perspective.

“It is important for cyber-awareness training to be regular in the workplace, as only then will it build employee knowledge of security and educate them on the significant part they play in protecting the organization,” argued Mimecast’s head of e-crime, Carl Wearn.

“In the face of this increasing level of threat to all organizations, cyber-hygiene and user awareness training will be critical to maintaining security. Hopefully this news will help businesses to understand just how big of a threat ransomware is.”

Fedor Sinitsyn, security expert at Kaspersky, explained that the ransomware landscape had fundamentally changed over the past year, putting enterprises in the crosshairs.

“The primary focus will likely continue to be on companies and large organizations, and that means ransomware attacks will continue to become more sophisticated and more destructive,” he added. “It’s imperative that businesses adopt a holistic, comprehensive set of security practices to protect their data.”

Categories: Cyber Risk News

Paleo Lifestyle Site Found Leaking PII on 70,000 Users

Fri, 04/30/2021 - 08:56
Paleo Lifestyle Site Found Leaking PII on 70,000 Users

A misconfigured AWS S3 bucket is leaking personal information on 70,000 customers of a popular paleolithic lifestyle site, security researchers at vpnMentor have revealed.

The research team, led by Noam Rotem, discovered the 290MB trove on February 4, and traced it back to Paleohacks, a US health and lifestyle brand that offers content and resources about the paleo diet.

“At the time of writing, the company has ignored every attempt we’ve made to help them close the vulnerability and told us they’re ‘not interested’,” vpnMentor claimed in a blog post yesterday.

The leaky database apparently exposed the personally identifiable information (PII) of around 70,000 users of the site worldwide, dating back to 2015.

The exposed PII includes full names, usernames, dates of birth, email and IP addresses, hashed passwords, employer details, location and more.

Also exposed were password reset tokens for some subscription account holders.

“While the passwords were protected by the bcrypt hashing algorithm (a sophisticated form of password encryption), a hacker could easily use the tokens to reset a person’s password, gain access, and lock the original user out of their account,” vpnMentor argued.

“Doing so would allow the hackers to take control of thousands of Paleohacks accounts and any additional data stored therein.”
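The exposure described above is dangerous because the reset tokens themselves sat in the database next to the bcrypt password hashes: anyone holding the dump could redeem a token directly. The usual mitigation is to treat a reset token like a password, persisting only a hash of it, giving it a short lifetime and allowing one use. The following is an added example of that pattern and is not Paleohacks' or vpnMentor's code; the in-memory `USERS` dict is a constructed stand-in for a user table, and the `now` parameter is an assumption that lets the expiry logic be exercised without a clock.

```python
"""Password-reset tokens that remain useless if the user table leaks.

Added example (not code from the page). USERS is a constructed stand-in for a
user database; the optional `now` argument injects the clock for offline use.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime bounds the window of a stolen token

# Constructed stand-in for the user table: user id -> record dict.
USERS = {}


def _digest(token: str) -> str:
    """SHA-256 of the raw token; only this digest is ever persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a reset token for user_id and return the raw value for delivery.

    The raw token goes to the user (e.g. by e-mail); the database keeps only
    its digest and an expiry, so a leaked table cannot be replayed.
    """
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    USERS.setdefault(user_id, {})["reset"] = {
        "digest": _digest(raw),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return raw


def redeem_reset_token(user_id: str, presented: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token; False otherwise."""
    now = time.time() if now is None else now
    record = USERS.get(user_id, {}).get("reset")
    if record is None:
        return False
    if now > record["expires_at"]:
        # Expired tokens are purged so they cannot linger in a later dump.
        del USERS[user_id]["reset"]
        return False
    # Constant-time comparison avoids leaking digest prefixes through timing.
    if not hmac.compare_digest(record["digest"], _digest(presented)):
        return False
    del USERS[user_id]["reset"]  # single use: a redeemed token is gone
    return True


def stored_reset_digest(user_id: str) -> Optional[str]:
    """What an attacker holding the table would see for this user (never the raw token)."""
    record = USERS.get(user_id, {}).get("reset")
    return None if record is None else record["digest"]


if __name__ == "__main__":
    raw = issue_reset_token("alice", now=1000.0)
    print("stored:", stored_reset_digest("alice"))
    print("replay of stored value works:", redeem_reset_token("alice", stored_reset_digest("alice"), now=1001.0))
    print("real token works:", redeem_reset_token("alice", raw, now=1001.0))
    print("second use works:", redeem_reset_token("alice", raw, now=1002.0))
```

With this layout a leaked table yields only digests, which cannot be submitted as tokens, and even a token intercepted in transit is worthless after fifteen minutes or one use.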

Affected users could also be targeted by follow-on phishing attacks and other identity fraud schemes, if attackers got hold of their data, the researchers warned.

Paleohacks may also invite the scrutiny of Californian privacy regulators and even the GDPR, if EU citizens have had their data exposed, vpnMentor argued.

The S3 bucket was discovered as part of a large web scanning project in which the research team scans for exposed cloud databases. It found the offending bucket unsecured and unencrypted.

Categories: Cyber Risk News

DC Officer Info Leaked Online by Ransomware Group: Report

Fri, 04/30/2021 - 08:30
DC Officer Info Leaked Online by Ransomware Group: Report

The personal safety of Washington DC police officers may be at risk after it emerged that ransomware threat actors had managed to steal personnel files in an attack earlier this month.

The acting chief of the US capital’s Metropolitan Police Department (MPD), Robert Contee, said in an email to staff that 'HR files' containing personal information were part of the haul, according to CNN.

That adds extra jeopardy for officers in the event that the ransomware group in question, Babuk, decides to permanently post the information on its dark web naming and shaming site. A separate report claimed that information on at least five officers was temporarily leaked by the group to show it means business.

The gang has already claimed to have 250GB of internal data from the MPD in its possession following the raid, including information on informants which it threatened to share with local gangs unless a ransom was paid.

Such 'double extortion' tactics are increasingly common among ransomware groups. According to a Coveware report this week, they now appear in a majority (77%) of attacks.

However, rarely do threat actors have stolen information that could endanger lives.

The case is further complicated by the fact that Babuk appears to be calling it a day after having reached its financial goals.

One version of a widely reported note on the group’s dark web site, titled 'Hello World 2' said that breaching the police department was its “last goal.”

“Only they now determine whether the leak will be or not, in any case regardless of the outcome of events with PD, the babuk project will be closed,” it said.

Unfortunately for future potential victims, the gang is planning to open source its malware for others to use in ransomware-as-a-service campaigns.

Security experts were alarmed at the developments in Washington.

“Our research data shows that cyber-criminals are making a conscious effort to hit high-value targets, but the reality is no one is immune from ransomware. The best defense against ransomware is therefore prevention,” argued Nozomi Networks CEO, Edgard Capdevielle.

“This includes training staff on the threat and the techniques cyber-criminals will use to get it onto systems, and performing continuous security monitoring across the entire IT and OT estate, to identify malicious activity or vulnerabilities which cyber-criminals could exploit.”

Categories: Cyber Risk News

White House Asked to Increase Crypto Regulation

Thu, 04/29/2021 - 17:41
White House Asked to Increase Crypto Regulation

A task force organized by the Institute for Security and Technology has urged the White House to tackle the rise in ransomware attacks and make it harder for cybercrimes to be committed.

Law enforcement agencies, cybersecurity experts, and governments came together to make a series of recommendations to the Biden administration that aim to disrupt the illegal activities of threat actors.   

A report submitted by the task force contained 48 recommendations, including advice to step up the regulation of cryptocurrencies and to root out safe havens sheltering ransomware attackers from capture and prosecution.

The task force noted in the report that the volume of cyber-attacks has increased by four times year on year and that cybercrime is now a $350m criminal industry. 

The report is based on consultations carried out with researchers at Chainalysis Inc, cybersecurity experts at Palo Alto Networks Inc, and law enforcement agencies in Canada, the United Kingdom, and the United States. 

Among the recommendations contained within the report are five priorities described as “foundational and urgent.” These include using the long arm of the law and diplomatic channels to dissuade countries from offering cyber-criminals a safe haven in which to operate.

“Most ransomware criminals are based in nation-states that are unwilling or unable to prosecute this cyber crime, and because ransoms are paid through cryptocurrency, they are difficult to trace,” states the report. “This global challenge demands an ‘all hands on deck’ approach, with support from the highest levels of government.”

In the report, the task force notes that cyber-criminals favor cryptocurrencies when extorting payments from their victims as they are largely unregulated and transactions can be difficult to track. 

The task force called for governments to step up cryptocurrency regulation and make it a requirement for crypto exchanges and trading desks to enforce basic “know your customer,” anti-money laundering, and financial terrorism laws.

Chainalysis director of market development Don Spies said: “Believe these recommendations can go a long way to combating a problem that’s out of control.”

The report comes a week after the United States Justice Department created its own independent task force specifically to tackle ransomware.  

Categories: Cyber Risk News

Accenture to Acquire Openminded

Thu, 04/29/2021 - 16:40
Accenture to Acquire Openminded

Accenture has entered into an agreement to acquire 12-year-old French cybersecurity services company Openminded.

The Irish multinational consulting and processing services company said that the acquisition would strengthen its security presence and capabilities in France and stimulate Accenture’s growth in Europe.

Openminded is a provider of advisory, cyber-defense, cloud & infrastructure security, and managed security services. The company was founded in 2008 and now has over 100 internal staff working in four business units. 

In 2020, Openminded’s turnover was €19m. According to its website, the company has 120 active customers in the public and private sectors and 40 editor partners.

Customers of Openminded include Chanel, BNP Paribas, Sarnoff, Etam, La Banque Postal, Banque De France, Thales, AXA, and Accor Hotels. 

Kelly Bissell, global leader of Accenture Security’s worldwide workforce of nearly 7,000 professionals, said that the resilience of today’s organizations was dependent on their approach to cybersecurity.

“With cyberattacks becoming more complex, constant and costly every day, companies must fully embed cybersecurity into the different layers of their organizations to ensure resilience,” said Bissell.

He added that the planned purchase of Openminded would help to protect the digital estates of Accenture’s clients going forward. 

“The acquisition of Openminded supports our commitment to leveraging technology and human ingenuity to help clients be confident and secure in the face of constant change,” said Bissell.

“We look forward to welcoming Openminded’s team to Accenture and helping clients defend against cyber threats more effectively across their entire ecosystem—now and in the future.”

Hervé Rousseau, Openminded’s founder and CEO, said his company aimed to build a synergy with Accenture that would support the delivery of services worldwide. 

“Joining forces with Accenture is a great opportunity for our teams and our clients,” said Rousseau. “The alliance of our talent and capabilities perfectly leverages our expertise and would allow us to deliver on a global scale. 

“Today, the fight against cyberattacks requires the implementation of the most advanced technologies, as well as the human resources to make them efficient. This is the synergy we are going to build and put at the service of our clients.”

Financial terms of the deal have not been disclosed.

Categories: Cyber Risk News

Boston Nanny Arrested After Cyber-Tip

Thu, 04/29/2021 - 15:39
Boston Nanny Arrested After Cyber-Tip

Law enforcement have arrested a nanny based in Boston on suspicion of sharing child sexual abuse material (CSAM) over the messaging app Kik.

An investigation was launched into 36-year-old Roxbury resident Stephanie Lak by the Boston Police Department Crimes Against Children Unit following the submission of a cyber-tip to the National Center for Missing and Exploited Children (NCMEC) on March 2. 

Kik’s operator, MediaLab, notified NCMEC of an IP address that had been used to send at least eight files containing images of children aged five or younger being sexually abused. 

Police traced the address back to Lak and obtained a search warrant for her home, which was executed on April 15. A laptop and three cellphones were seized by police as evidence from a boarding house on Woodville Street.

Lak was held on $5,000 bail after being arraigned on Wednesday on charges of possessing and distributing CSAM and was instructed by a judge to stay away from children. 

District attorney Rachel Rollins said Lak had confessed to sharing more than 100 files depicting the sexual abuse of minors via Kik under the user name ‘sallydally69.’

Lak has worked in the childcare industry as a nanny and as a babysitter. Prosecutors said that she was active on the childcare services website Sittercity as recently as March 19. 

Describing the threat Lak allegedly poses to children, prosecutor Nicole Poitier told the judge: “It’s clear she has access to children. She has a long history of being a nanny and a babysitter on that site as well as potential other sites and she has a sexual interest in children.”

In a statement, Sittercity said they had run four background checks on Lak before allowing her to advertise childcare services on their platform and none of them had found evidence of criminal activity. Lak’s Sittercity account was removed when the site’s operators learned of the police’s investigation into her digital communications. 

Law enforcement are asking people who have had contact with Lak and think they may be able to identify alleged victims in this case to email [email protected]

Categories: Cyber Risk News
