Info Security


Dell in Talks to Sell RSA Cybersecurity Firm

Tue, 02/18/2020 - 15:02

Dell is said to be finalizing a $2bn deal to sell its RSA cybersecurity company to a private equity firm, according to the Wall Street Journal.

Citing sources “familiar with the matter,” the Journal reported Monday that a deal concerning the sale of RSA Security LLC could be finalized as early as today between Dell Technologies Inc. and STG Partners LLC.

Multiple award-winning security company RSA is best known for its SecurID hardware and software tokens, which generate one-time passcodes used to authenticate to corporate networks. According to its website, the firm has 30,000 customers around the globe.

RSA Security was founded as an independent company in 1982 and was acquired by EMC Corporation in 2006 for $2.1bn. Dell acquired RSA a decade later with the purchase of EMC.

Reports that Dell was considering divesting the security company were first shared back in November 2019 by Bloomberg. Back then, RSA Security was expected to fetch at least $1bn, including debt.  

A month later, PE Hub reported that Morgan Stanley had been engaged by Dell to complete the sale of RSA in a deal estimated at the time to be worth $3bn.  

News of the possible finalization of the transaction comes one week before RSA's annual conference is due to take place in San Francisco. The conference hit the headlines last week when major sponsor IBM Corporation withdrew its support from the event, citing concerns over the spread of the coronavirus. 

If given the green light, the RSA deal will be the latest in a string of acquisitions of cybersecurity companies by private equity firms. In January, Insight Partners shelled out $5bn to acquire Swiss cloud data management company Veeam Software Inc and set aside a further $1.1bn in an agreement to acquire Armis Inc. 

Then, earlier this month, news broke that PE firm Advent International and Crosspoint Capital Partners would be acquiring Forescout Technologies Inc for $1.9bn.

Dell currently holds stakes in two other security businesses. The computer manufacturer bought a controlling stake in Secureworks in 2011 and, through its acquisition of EMC, owns 81% of VMware, which last year bought endpoint security vendor Carbon Black for $2.1bn.

Categories: Cyber Risk News

Two-Thirds of CISOs Struggling with Skills Shortages

Tue, 02/18/2020 - 12:01

Two-thirds (66%) of global CISOs say they are struggling to recruit the right talent and a similar number believe shortages will only get worse, according to a new study from Marlin Hawk.

The global executive recruiter surveyed 500 cybersecurity leaders working in businesses with 500 or more employees across the US, Europe and APAC, to compile its report, Global Snapshot: The CISO in 2020.

It found CISOs in APAC are encountering most difficulties with recruitment: 91% of respondents there said it was hard to find the right talent, versus 61% in the UK and 54% in the US. Globally, the main challenges revolved around candidates lacking the right technical knowledge (34%), the right experience (30%) and being the right culture fit (10%).

Although 73% of respondents are under 45-years-old, there may be long-term trouble ahead for many companies. The average tenure as CISO is four years globally, and 85% of respondents said they are actively looking for a new role or would consider one if approached.

The report warned in particular of a “brain drain” from the public sector, where over a quarter of respondents are actively pursuing new roles. Over half (52%) said they wanted a new challenge whilst 37% pointed to better compensation.

A further 62% of CISOs think the global cybersecurity talent shortage will get worse over the next five years.

This chimes with data from other sources, including the (ISC)2, whose most recent study reported a global shortfall in security professionals in excess of four million. This included 561,000 in North America and a 2.6 million shortfall in APAC, while the shortage in Europe rose by over 100% from the previous year to 291,000.

Ron Green, CSO at Mastercard, argued that the right technology could help to alleviate skills challenges.  

“Machine learning and automation are going to be really helpful to current and future CISOs,” he said.

“Businesses are still going to need smart humans on security but already the humans that are in our security operations centers are being overwhelmed with things they have to monitor and you can't simply keep putting in more people because there aren't enough.”


Remote Wipe Plugin Bug Hits 200,000+ WordPress Sites

Tue, 02/18/2020 - 11:00

Security researchers are warning of a new plugin vulnerability which is exposing over 200,000 WordPress sites to the risk of being remotely wiped by an attacker.

The problem lies with versions 1.3.4 through 1.6.1 (inclusive) of the ThemeGrill Demo Importer plugin, according to WebARX.

The firm said that the bug could allow any unauthenticated user to wipe the entire database to its default state and then log in as administrator.

“The prerequisite is that there must be a theme installed and activated that was published by ThemeGrill. In order to be automatically logged in as an administrator, there must be a user called ‘admin’ in the database. Regardless of this condition, the database will still be wiped to its default state,” the firm explained.

“Based on the SVN commit history, this issue has existed in the code for roughly three years, since version 1.3.4.”

WebARX warned that the vulnerability is particularly dangerous as it doesn’t require a suspicious-looking payload to exploit. For that reason, firewalls are not likely to block attacks by default and security admins would need to create a special rule for them to do so.

ThemeGrill is a popular provider of WordPress themes which users can deploy to customize their websites. The plugin in question can be used to demo content, widgets and theme settings quickly and easily.

The vulnerability is the second in the space of a month which could allow attackers to effectively wipe targeted WordPress sites.

Back in January, Wordfence warned of critical flaw CVE-2020-7048 which affects the WP Database Reset plugin that has been installed over 80,000 times.

“Without proper security controls in place, the WP Database Reset plugin contained a serious flaw that allowed any unauthenticated user the ability to reset any table in the database,” the firm explained. “This reset would result in a complete loss of data availability. An attacker could send a simple request and a site would be completely reset to the WordPress standard defaults.”
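A practitioner's first question on reading an advisory like the ThemeGrill one is whether an installed copy falls inside the affected range. The Python below is an added example, not code from WebARX, ThemeGrill or Wordfence: it reads the `Version:` field from a plugin's main-file header and compares it numerically against the 1.3.4 to 1.6.1 range quoted above (a plain string comparison would mis-order a version such as 1.10.0 against 1.6.1). The plugin headers it checks are constructed samples, and a plugin named in an advisory whose version cannot be read is reported rather than silently passed.

```python
"""Check installed WordPress plugins against an advisory's affected version range.

Added example; this is not WebARX's or ThemeGrill's code. The affected range for
ThemeGrill Demo Importer (1.3.4 through 1.6.1, inclusive) is the one quoted in the
article; the plugin headers below are constructed samples in the standard header format.
"""
import re
from typing import Dict, List, Optional, Tuple

# slug -> (lowest affected, highest affected), both inclusive
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "themegrill-demo-importer": ("1.3.4", "1.6.1"),
}

# The "Version:" line of a plugin's main PHP file header, e.g. " * Version: 1.6.1"
_VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.6.10' -> (1, 6, 10). Numeric tuples compare correctly where a plain
    string comparison would put '1.10.0' before '1.6.1'."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)  # tolerate suffixes such as '1-beta'
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:  # so that '1.6' and '1.6.0' compare equal
        nums.append(0)
    return tuple(nums)


def header_version(plugin_php: str) -> Optional[str]:
    """Declared version from the plugin header comment, or None if absent."""
    m = _VERSION_LINE.search(plugin_php)
    return m.group(1) if m else None


def is_affected(version: str,
                affected: Tuple[str, str] = ADVISORIES["themegrill-demo-importer"]) -> bool:
    """True when low <= version <= high, inclusive on both ends."""
    low, high = affected
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def audit_plugins(installed: Dict[str, str],
                  advisories: Dict[str, Tuple[str, str]] = ADVISORIES) -> List[Tuple[str, str]]:
    """(slug, version) for each installed plugin inside an advisory range. A plugin
    named in an advisory whose header has no parseable version is reported as
    'unknown' rather than silently passed."""
    findings = []
    for slug, affected in advisories.items():
        if slug not in installed:
            continue
        ver = header_version(installed[slug])
        if ver is None:
            findings.append((slug, "unknown"))
        elif is_affected(ver, affected):
            findings.append((slug, ver))
    return findings


# Constructed sample: main-file headers keyed by plugin directory slug.
SAMPLE_PLUGINS = {
    "themegrill-demo-importer":
        "<?php\n/**\n * Plugin Name: ThemeGrill Demo Importer\n * Version: 1.6.1\n * Author: ThemeGrill\n */",
    "some-other-plugin":
        "<?php\n/**\n * Plugin Name: Some Other Plugin\n * Version: 1.10.0\n */",
}

if __name__ == "__main__":
    for slug, ver in audit_plugins(SAMPLE_PLUGINS):
        print(f"{slug}: version {ver} is within an affected range")
```

Feeding it the contents of each `wp-content/plugins/<slug>/<slug>.php` on a site reproduces the check; the version-tuple comparison is the part worth keeping, since the upper bound 1.6.1 sits just below the fixed release.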


Iranian Hackers Backdoored VPNs Via One-Day Bugs

Tue, 02/18/2020 - 10:12

Security researchers have joined the dots on a long-running Iranian cyber-espionage campaign that exploited unpatched VPN bugs to infiltrate target organizations globally and then leaned on RDP to move around inside them.

Building on previous research from Dragos, which named the campaign “Parasite” and attributed it to the state-backed APT33 group, ClearSky has gone further with more details.

Its new report claimed the three-year-long campaign “Fox Kitten” is most likely the joint product of APT33 (Elfin), APT34 (OilRig) and APT39 (Chafer).

Dozens of companies working across IT, telecoms, oil and gas, aviation and defense industries were affected by the campaign, which is said to have been focused on reconnaissance and planting backdoors to create a “long-lasting foothold” in the target companies.

The initial incursion into these organizations was achieved by exploiting one-day vulnerabilities (publicly disclosed and patched, but not yet patched by the victim) in VPN services, such as those offered by Pulse Secure, Fortinet and Palo Alto Networks’ GlobalProtect.

The Pulse Secure vulnerability is also thought to have been exploited by ransomware attackers to compromise Travelex, among other victims.

“Upon gaining a foothold at the target, the attackers tried to maintain the access to the networks by opening a variety of communication tools, including opening RDP links over SSH tunneling, in order to camouflage and encrypt the communication with the targets,” the report noted.

“At the final stage, after successfully infiltrating the organization, the attackers have performed a routine process of identification, examination and filtering of sensitive, valuable information from every targeted organization. The valuable information was sent back to the attackers for reconnaissance, espionage, or further infection of connected networks.”

The groups used a combination of open source tools such as Juicy Potato and Invoke-TheHash, and custom malware like the open-port mapping tool STSRCheck and the RDP-over-SSH tunneling backdoor POWSSHNET.

Although the purpose of the operation appears to be reconnaissance, there’s a concern that the same attack infrastructure could be used in the future to spread destructive malware like ZeroCleare and Dustman, which have previously been linked to APT34.
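The tradecraft ClearSky describes, RDP wrapped in an SSH tunnel, leaves a host-side trace because the tunnel terminates on the loopback interface. The Python below is an added example, not taken from the ClearSky or Dragos reports: it flags successful RemoteInteractive (LogonType 10) logons whose recorded client address is 127.0.0.1 or ::1, and processes other than the Terminal Services svchost.exe that hold a connection to loopback port 3389, correlating the latter with an outbound SSH connection from the same PID. The logon records and the netstat-style snapshot are constructed samples; the tunnel client name plink.exe and the addresses are assumptions for illustration.

```python
"""Spot Remote Desktop sessions that arrive over a local tunnel.

Added example; not from the ClearSky or Dragos reports. When RDP is forwarded
over SSH the tunnel endpoint is the loopback interface, so the Windows 4624
event records 127.0.0.1 or ::1 as the client, and the tunnel client (not the
Terminal Services svchost.exe) holds the connection to 127.0.0.1:3389. The
sample events and connection table below are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

REMOTE_INTERACTIVE = 10  # LogonType 10: RDP / Terminal Services
RDP_PORT = 3389
SSH_PORT = 22

# Constructed Security-log records using the real 4624/4625 field names.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",
     "IpAddress": "10.1.20.15", "WorkstationName": "WS-0415"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "127.0.0.1", "WorkstationName": "FILESRV01"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "127.0.0.1", "WorkstationName": "FILESRV01"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "admin",
     "IpAddress": "::1", "WorkstationName": "FILESRV01"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",
     "IpAddress": "127.0.0.1", "WorkstationName": "FILESRV01"},
]

# Constructed "netstat -anob"-style snapshot, one socket per line:
# proto, local endpoint, remote endpoint, state, PID, image name.
SAMPLE_NETSTAT = """
TCP  0.0.0.0:3389       0.0.0.0:0          LISTENING    1284  svchost.exe
TCP  127.0.0.1:3389     127.0.0.1:49812    ESTABLISHED  1284  svchost.exe
TCP  127.0.0.1:49812    127.0.0.1:3389     ESTABLISHED  4120  plink.exe
TCP  10.1.20.30:49911   203.0.113.7:22     ESTABLISHED  4120  plink.exe
TCP  10.1.20.30:49950   10.1.20.15:3389    ESTABLISHED  3372  mstsc.exe
"""


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False


def loopback_rdp_logons(events: List[Dict]) -> List[Tuple[str, str]]:
    """Successful RemoteInteractive logons whose recorded client is loopback.
    Failed logons (4625) and network logons (type 3) are left out: a type-3
    logon from 127.0.0.1 is routine for local services and would be noise."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e["EventID"] == 4624
        and e["LogonType"] == REMOTE_INTERACTIVE
        and _is_loopback(e["IpAddress"])
    ]


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'127.0.0.1:3389' -> ('127.0.0.1', 3389); '[::1]:3389' -> ('::1', 3389)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else -1)


def tunnel_clients(netstat_text: str) -> List[Dict]:
    """Processes other than svchost.exe with an ESTABLISHED connection to
    loopback:3389, i.e. the client side of a forwarded RDP session. If the same
    PID also holds an outbound SSH connection, that process is the tunnel."""
    rows = []
    for line in netstat_text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "TCP":
            continue
        remote_host, remote_port = _split_endpoint(parts[2])
        rows.append({"remote_host": remote_host, "remote_port": remote_port,
                     "state": parts[3], "pid": parts[4], "image": parts[5]})
    ssh_pids = {r["pid"] for r in rows
                if r["state"] == "ESTABLISHED" and r["remote_port"] == SSH_PORT}
    return [
        {"pid": r["pid"], "image": r["image"], "outbound_ssh": r["pid"] in ssh_pids}
        for r in rows
        if r["state"] == "ESTABLISHED"
        and _is_loopback(r["remote_host"])
        and r["remote_port"] == RDP_PORT
        and r["image"].lower() != "svchost.exe"
    ]


if __name__ == "__main__":
    print("RDP logons from loopback:", loopback_rdp_logons(SAMPLE_EVENTS))
    print("tunnel client candidates:", tunnel_clients(SAMPLE_NETSTAT))
```

The logon check works from centralized event collection and catches the tunnel regardless of which client binary was used; the connection-table check needs a host snapshot but ties the session to a PID, which is what an incident responder wants before pulling the process.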


Six-Year-Old Brits Suspects in Sexting Offenses

Mon, 02/17/2020 - 18:40

British police have been investigating children as young as six over their involvement in sexting offenses. 

Figures released by London's Metropolitan Police Service reveal that between January 2017 and August 2019, a total of 353 children aged from six to thirteen were investigated in relation to sending and receiving sexual images. 

Sexting investigations involving children under age 14 have increased dramatically since figures began to be recorded two and a half years ago. In 2017, 92 under-14s were investigated. In 2018, the figure rose to 151, and in the first six months of last year, 110 under-14s were recorded as sexting suspects.

The true figures could be far higher, said the Met, which is not seeking to prosecute children, but to raise awareness among kids and their parents about the law. 

"We do not want to criminalize young people unnecessarily—we want to educate them so that they can be better informed about the legal position and mindful about the potential pitfalls of an activity many of them might regard as nothing out of the ordinary," said Detective Superintendent Zena Marshall.

The Met said that many youngsters had no idea that taking, sharing, or possessing sexually explicit pictures of children under age 18 was a crime. Others said that images of them had been distributed without their consent. 

"We know that many young people do not realize that creating or sharing explicit images of an under-18 is against the law, even if the persons doing it are children themselves, and as police we have a duty to record allegations concerning sexting when they are reported to us," said Marshall.

"Someone could be classed as a victim, witness or suspect, depending on the circumstances."

Scotland Yard—the Met's London headquarters—said that the force received sexting reports involving children from a number of sources, including parents, schools, youth clubs, local authorities, and the children themselves. 

A report published by the Internet Watch Foundation (IWF) last month found that a third of child sex abuse images online are originally posted by the children themselves in the hope of winning social approval.

The Met said that the exchange of sexually explicit images amongst teenagers was now a "societal norm," and that online indecent image offenses as a whole had risen by 130 percent since 2016.


Personal Data of 144K Canadians Breached by Federal Government

Mon, 02/17/2020 - 17:49

New figures tabled in Canada's House of Commons have revealed that at least 144,000 Canadians have had their personal information mishandled by federal departments and agencies over the past two years. 

The figures were part of an 800-page document written in response to an Order Paper question filed last month by Conservative MP Dean Allison. No information as to how the data came to be mishandled was included in the federal government's lengthy answer.

In total, 7,992 breaches were found to have occurred at 10 different agencies and departments. The errors range in severity from minor infractions to serious data breaches that resulted in the exposure of sensitive personal information. 

The Canada Revenue Agency (CRA) was the worst offender, with 3,020 breaches affecting 60,000 Canadians recorded between January 1, 2018, and December 10, 2019. 

A spokesperson for the CRA, Etienne Biram, said: "Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents."

One of those three major incidents occurred when some CRA employees were accidentally given access to a hard drive containing personal information belonging to 11,780 individuals in January 2019. 

Biram said that no evidence had been uncovered that indicated the files had actually been accessed by any unauthorized personnel. 

Over the same time period, 122 breaches affecting 24,000 people were reported by Health Canada. In one breach, a government employee received an email containing personal information.

Health Canada spokesperson Tammy Jarbeau said: "The majority of the reported breaches were the result of human error and did not release sensitive personal information."

The figure of 144,000 tabled in the House was based on estimates, meaning the real number of breaches could be higher. Not all the departments were able to state with accuracy how many people were affected by individual breaches or how many breach victims were contacted after a particular breach had occurred. 

Under current law, federal departments are only obliged to notify individuals in the event of a breach affecting large numbers of people or in the event of "material" breaches, in which sensitive personal information that could reasonably be expected to cause serious injury or harm to an individual is exposed.


New York Post Reporter Investigated Over Leaks

Mon, 02/17/2020 - 17:03

New York cops, on the hunt for a source of leaked police photographs, have subpoenaed the Twitter account of a journalist at the New York Post.

The New York Police Department (NYPD) sought access to the Twitter data of New York Post police bureau chief Tina Moore after the reporter displayed an almost uncanny knack for sniffing out photos of the latest scoops.

In a subpoena dated December 9, police demanded that Twitter turn over information connected to the account @tinamoorereport from October 9 to October 14, 2019. 

Around that period, Moore tweeted a series of gory crime scene photos depicting a massacre in a Harlem gambling den that left three dead and four injured. 

Twitter was ordered to give the police access to all email accounts, servers, and internet protocol addresses associated with Moore's social media account, along with info on any connected devices.

Strangely, the Patriot Act, the post-9/11 anti-terrorism legislation, was cited as a reason for Twitter to comply with the request.

Police told Twitter not to inform anyone about the subpoena for 90 days after its date of issue. Disclosing its existence could, they said, impede the course of any investigation.  

Twitter appears to have ignored this advice, however, as the subpoena ended up in the hands of the New York Post, which published the document in full on its website on Thursday, February 13. 

The NYPD withdrew the subpoena on Wednesday after lawyers from the Post contacted the department.

"We are conducting an investigation to identify the person who leaked crime scene photos," said the NYPD in a statement. 

"Tina Moore was never the focus of our investigation."

The wording of the subpoena implied that the police were more interested in obtaining information about the devices that Moore used to connect to Twitter than in discovering information regarding the account itself. 

News that Moore's records had been the subject of a subpoena came just days after the NYPD placed two officers on modified duty for allegedly leaking video of a dramatic shooting incident that took place inside a Bronx station house.


PhotoSquared: App Leaks Data on Thousands of Users

Mon, 02/17/2020 - 11:30

A popular photo app has leaked the personal data and images of thousands of customers via an unsecured Amazon Web Services (AWS) storage bucket, it has emerged.

Researchers at vpnMentor discovered that the misconfigured S3 bucket, which was left accessible without any authentication, belonged to PhotoSquared, a company which creates printed photo boards for users that send in their digital images.

They found a 94.7GB trove containing over 10,000 records dating from November 2016 to January 2020. The data included user photos, order records and receipts and shipping labels.

As such, a hacker with access to the database could harvest full names and home delivery addresses from customers.

This doesn’t just present a reputational risk for PhotoSquared, which vpnMentor notes is operating in a crowded marketplace, and possible compliance fines, but a serious security risk for its customers.

This could include follow-on phishing and identity fraud as well as potential physical attacks.

“By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes,” argued vpnMentor.

“Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.”

Discovered by a simple port scanning exercise, the leak was eventually fixed by PhotoSquared on February 14, 10 days after the firm was contacted by the researchers.

The app has over 100,000 installs on Google Play.

PhotoSquared joins multiple other brands that vpnMentor has found to have leaked data in a similar way, including Yves Rocher, Freedom Mobile and LightInTheBox.
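The misconfiguration behind this and the other bucket leaks vpnMentor lists comes down to a grant that lets anyone list or read the bucket. The Python below is an added example, not vpnMentor's or PhotoSquared's code, and it makes no AWS call: it audits the documents the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs return, flags ACL grants to the AllUsers and AuthenticatedUsers groups and policy Allow statements with a wildcard principal and no condition, and shows the weak configuration beside a corrected one. The bucket name, account ID and role name in the samples are placeholders.

```python
"""Audit an S3 bucket's ACL, bucket policy and public access block for anonymous access.

Added example; not vpnMentor's or PhotoSquared's code, and no AWS call is made.
The documents below are constructed in the shapes returned by GetBucketAcl,
GetBucketPolicy and GetPublicAccessBlock; bucket, account and role are placeholders.
"""
import json
from typing import Dict, List, Tuple, Union

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict) -> List[Tuple[str, str]]:
    """(group, permission) for each grant to AllUsers or AuthenticatedUsers.
    READ on the bucket ACL is anonymous key listing, the usual way an open bucket is found."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return out


def _principal_is_everyone(principal) -> bool:
    """Matches Principal "*" and Principal {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy: Union[str, Dict]) -> List[str]:
    """Sids of Allow statements granted to any principal with no Condition.
    GetBucketPolicy returns the policy as a JSON string, so both forms are accepted."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    return [st.get("Sid", "<no Sid>") for st in statements
            if st.get("Effect") == "Allow"
            and _principal_is_everyone(st.get("Principal"))
            and not st.get("Condition")]


def public_access_block_ok(config: Dict) -> bool:
    """True only when all four flags are set; a missing configuration counts as all false."""
    return all(config.get(flag) is True for flag in BLOCK_FLAGS)


def audit_bucket(acl: Dict, policy: Union[str, Dict, None], block: Dict) -> Dict:
    """Combine the checks; public grants only take effect when the block is absent."""
    grants = public_acl_grants(acl)
    statements = public_policy_statements(policy) if policy else []
    blocked = public_access_block_ok(block)
    return {"public_acl_grants": grants, "public_policy_statements": statements,
            "public_access_block_ok": blocked,
            "is_public": bool(grants or statements) and not blocked}


# Constructed weak configuration: anyone may list the bucket and fetch objects, no block set.
WEAK_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photo-uploads/*"}]})
NO_BLOCK: Dict = {}  # GetPublicAccessBlock raised NoSuchPublicAccessBlockConfiguration

# Constructed corrected configuration: owner-only ACL, one named role, TLS required, all blocks on.
HARDENED_ACL = {"Owner": WEAK_ACL["Owner"], "Grants": WEAK_ACL["Grants"][:1]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/photo-app"},  # placeholder role
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-photo-uploads/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-photo-uploads", "arn:aws:s3:::example-photo-uploads/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
HARDENED_BLOCK = {flag: True for flag in BLOCK_FLAGS}

if __name__ == "__main__":
    print("weak:    ", audit_bucket(WEAK_ACL, WEAK_POLICY, NO_BLOCK))
    print("hardened:", audit_bucket(HARDENED_ACL, HARDENED_POLICY, HARDENED_BLOCK))
```

The hardened policy keeps a `Deny` with `Principal: "*"`, which is deliberate and is not flagged: a wildcard principal is only a problem on an `Allow`. In practice the three documents come from the corresponding `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` calls for each bucket in the account, and the public access block is the setting that would have prevented this leak even with the grants in place.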


IBM Confirms #RSAC Withdrawal Over Coronavirus Fears

Mon, 02/17/2020 - 10:55

IBM has confirmed that it plans to not participate in next week’s RSA Conference in San Francisco.

Citing the “health of IBMers” as its primary concern, the company said it is continuing to monitor upcoming events and travel relative to Novel Coronavirus (COVID-19) and as part of that, “we are cancelling our participation in this year’s RSA conference.”

In a statement, RSA Conference said that “we understand and respect their decision” and that “RSA Conference is still planning to proceed as scheduled.” It has also confirmed that eight exhibitors have canceled their participation, six of whom are from China. Also, the number of individuals, including those from IBM, who have canceled their registration is approximately 0.79% of the total number of expected attendees.

In an update released last week, RSA Conference said that approximately 83% of its current registered attendees are from the US, as are 82% of the exhibiting organizations.

To deal with concerns, it has added several new health and safety measures for the event including: disinfecting registration counters and floors continuously throughout the event, offering disinfectant wipes at all check-in counters, in each session room for the speaker computers and microphones and adding hand sanitization stations and disinfectant wipes near each touch screen interactive campus map and wayfinding station.

The news follows the cancelation of a March Facebook conference, due to also be held at San Francisco’s Moscone Center, due to fears over the virus.

Meanwhile, Mobile World Congress, which was due to take place next week in Barcelona, has also been canceled after exhibitors including BT, Facebook, LG, Nokia, Sony and Vodafone pulled out of the annual event.


UK Anti-Doping Agency Deflects 11,000+ Malicious Emails in Q4

Mon, 02/17/2020 - 10:30

The UK’s anti-doping agency has been on the receiving end of over 11,000 malicious emails in the final three months of 2019, according to new Freedom of Information (FOI) data.

Think tank Parliament Street collected the FOI evidence from UK Anti-Doping (UKAD) and found the agency had been bombarded by 11,148 spam and malicious emails in Q4 last year.

Over a fifth (21%) were phishing emails, while the number of messages containing malware rose from just four in October to 41 in December, totalling 52 for the entire quarter.

Fortunately, UKAD believes none of the attempts were successful, although it would certainly be on the radar of state-sponsored attackers.

Russian hackers from the infamous Fancy Bear group (aka APT28, Sofacy) that hacked Democratic Party officials ahead of the 2016 US Presidential election were named by the UK’s National Cyber Security Centre (NCSC) as being behind attacks on UKAD’s global equivalent, WADA.

They were looking for internal data to damage the agency’s reputation for fairness after it banned Russian athletes from competing globally as punishment for a major doping operation orchestrated by the Kremlin.

Those hackers were apparently at it again when Russian athletes received a new four-year ban, which will cover the 2020 Olympics and 2022 FIFA World Cup.

“These figures are a reminder of the cybersecurity hurdles faced by athletics and sports organizations tasked with managing the confidential data of high-profile individuals. Many of these agencies require staff members to travel regularly, meaning mobile devices like laptops and tablets are a top target for hackers and opportunistic thieves,” explained Absolute Software VP Andy Harcup, of the FOI data.

“Addressing this problem requires all organizations to embrace a resilience-first approach to cybersecurity. This means making critical apps self-healing and gathering insights to remedy end-point vulnerabilities, so that hackers are kept locked out. Additionally, having the ability to track, freeze and wipe lost devices will guarantee that lost or stolen devices containing highly confidential data are protected at all times, in all circumstances.”


Cyber-Attack Takes Down Redcar Council Services

Mon, 02/17/2020 - 09:35

A local authority in the north-east of England appears to have suffered a major ransomware attack, leaving online public services down for 135,000 locals for over a week.

At the time of writing, the website of Redcar & Cleveland Borough Council was still down.

An update on the council’s official Twitter account as of February 13 said: “We are still experiencing issues with our IT systems, which means we are working with a reduced capacity. We are able to receive and answer limited calls and emails and we will be prioritizing urgent messages.”

According to reports, the council’s IT systems were attacked at 11am the previous Saturday, with external cybersecurity experts including those from the National Cyber Security Centre (NCSC) drafted in to help.

Although the council refuses to publicly specify whether it was a ransomware raid or not, the attack has all the hallmarks.

Council leader, Mary Lanigan, told the BBC that systems had been taken offline and are “being rebuilt.

“We have a massive team here — including cybersecurity experts — working around the clock flat out to get it fixed,” she added.

“They have to go through [IT systems] bit by bit to make sure everything is clean. A lot of our staff are not able to work without computers but they are coping quite well here. The main problem is that we have no email systems. So we have extra phone lines for residents.”

The council is using its social media pages to update residents with phone numbers to call if they need to book appointments, make payments and more.

Council tax payments are apparently unaffected, but online bookings for appointments, social care systems, council housing complaints and other services have been knocked offline.

In response to one concerned resident’s tweet, the council claimed that “as it stands, we have no evidence so far of any data being lost.”

UK councils will be hoping Redcar isn’t the first salvo in a new onslaught by cyber-criminals that has already seen municipalities across the US suffer a barrage of outages.

Mimecast head of e-crime, Carl Wean, argued that an attitude of “it will always happen to someone else, not us” can’t be allowed to persist.

“Ransomware continues to be the preferred attack method for threat actors due to the monetary gains available if successful,” he added. “It should be considered a key threat across all regions, not just in the UK, as criminals seek to exploit the perceived success of this form of cyber-attack before significant regulatory and industry-based resilience measures render this attack more difficult to carry out.”


Chattanooga Cybersecurity Firm to Double Workforce

Fri, 02/14/2020 - 17:12

A Chattanooga, Tennessee, information technology infrastructure and cybersecurity consulting firm has unveiled an $8m expansion plan that will see its workforce double by 2023.

Currently, the Conversant Group operates with 46 employees from its headquarters on Cowart Street. On Monday, the company's president and chief listening officer, John Anthony Smith, revealed plans to relocate the firm to a new site on Chattanooga's Southside.

To facilitate the move, Conversant has purchased property at 1600 Broad Street on which it plans to erect a new four-story building. Upon completion, the building will become the company's new headquarters.

According to Smith's executive assistant, Chris Roach, the new headquarters will cost between $8m and $9m to erect and should be in use within the next two to three years. 

The city's Industrial Development Board awarded a $10,000 small business incentive grant to Conversant on Monday to assist the company with the creation of new jobs. 

Conversant said the expansion would create around 46 new jobs for the city. 

"These are jobs you want in Chattanooga," said Smith, adding that about two-thirds of the company's employees receive an annual salary greater than $80,000.

Conversant was founded by Smith in 2009. The majority of the company's work comes from large North American cities, including Cincinnati, Los Angeles, San Francisco, and Chicago. 

Describing what the company does in layman's terms, Smith said: "You've heard of cities and companies getting hacked. It can be devastating. The Chinese, the Russians—they don't stop.

"We're constantly fighting to keep them out. If they do get in, we kick them out."

Expanding to a larger site on Chattanooga's Southside will cause Conversant employees to inhale more than just the sweet smell of success. The area is known for the odors that emanate from the Pilgrim's Pride chicken processing plant.

"The chicken plant is bad for our city," said Smith. "Our city stinks."

Smith began his IT career in 1994 at the age of 14 at Thompson Machinery Commerce Corporation of Lavergne in Tennessee. Two years later, Smith founded his first company, Computech. 

Conversant is Smith's third company. The dynamic entrepreneur founded his second company, NetAlliant Technologies, in 2002 and sold it in 2008.


Report Reveals Worst State for Healthcare Data Breaches in 2019

Fri, 02/14/2020 - 15:48

A report into the spate of data breaches that ripped through America's healthcare industry last year has revealed that more breaches happened in Texas than in any other state. 

The "2019 Healthcare Data Breach Report" published yesterday by HIPAA Journal shows that healthcare data breaches involving the exposure of 500 or more records occurred in every state with the exception of North Dakota and Hawaii. The Lone Star State was the worst hit, with 60 breaches recorded, followed by California, which suffered 42. 

Citing figures from the Department of Health and Human Services’ Office for Civil Rights' breach portal, the report showed a huge year-on-year increase in both the number of breaches that occurred and the quantity of patient records exposed. 

The report found that 510 healthcare data breaches in which 500 or more records were exposed were reported in 2019, representing a 37.4% increase over the 371 such breaches reported in 2018. The total number of patient records exposed shot up from 13,947,909 in 2018 to 41,335,889 in 2019. 

Shockingly, the report disclosed that in 2019 alone, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen. 

According to the report, "more healthcare records were breached in 2019 than in the six years from 2009 to 2014."

The largest single healthcare data breach in the US last year occurred when a network server at Optum360, LLC, was compromised after hackers illegally gained access to the systems of its business associate American Medical Collection Agency (AMCA).

The Optum360 breach alone resulted in the exposure of 11,500,000 records; however, the AMCA hack affected 24 healthcare organizations in total, resulting in the exposure of 26,059,725 records.

Nearly a quarter—23.33%—of last year's breaches "involved business associates to some extent," according to the report. 

Of the breaches that occurred last year, most—59.41%—were classified as hacking/IT incidents, accounting for 87.60% of all breached records in 2019. The second biggest cause of data breaches, accounting for 28.82% of incidents that occurred, was unauthorized access/disclosure, which involved 11.27% of all records breached.

Email and network servers proved the most vulnerable locations for personal health information, with the majority of incidents involving phishing and spear-phishing attacks. Of the 510 breaches to occur, 214 involved records located on email and 132 affected records on network servers.


Alleged Source of Soccer Leaks to Stand Trial

Fri, 02/14/2020 - 14:29

The alleged source of a series of information leaks that rocked soccer and sparked a Financial Fair Play (FFP) investigation into the finances of Manchester City Football Club is to be tried before a Portuguese court.

An appeal lodged by Portuguese national Rui Pinto to have the accusations against him dismissed as "unfounded" was rejected earlier this month by the Lisbon Court of Appeal. The 31-year-old, who has been held in jail since his arrest in March 2019, will now stand trial on 93 charges related to hacking, violation of correspondence, computer sabotage, illegitimate access, and attempted extortion.

Pinto is accused of gaining unauthorized access to the email accounts of a number of football clubs throughout Europe. It is further alleged that Pinto sent information pilfered from those clubs to German media for publication. 

Revelations allegedly leaked by Pinto regarding the English Premier League football club Manchester City prompted the Union of European Football Associations (UEFA) to open an investigation to determine whether the club breached Financial Fair Play (FFP) rules. 

The investigation is ongoing, with a result expected from UEFA's adjudicatory chamber in the next few months. If evidence of a breach is detected, Manchester City could be expelled from the Champions League. The club, which denies the allegations, will be allowed to appeal against whatever decision UEFA reaches. 

Information allegedly leaked by Pinto seemed to reveal that Manchester City had falsely inflated the amount of money it was making in sponsorship deals secured from firms linked to its Abu Dhabi ownership. If the deception proves to be true, then the club will have been caught out in a deliberate attempt to circumvent UEFA's financial fair play rules. 

To share the information allegedly obtained from various football clubs, Pinto created the website Football Leaks. Pinto is accused of using this platform to share illegally obtained secret transfer documents and players' contracts.

According to a press release put out by his own lawyers, Pinto is also the source of leaked documents that led the Angolan justice system to accuse Isabel dos Santos, daughter of former Angolan president José Eduardo dos Santos, of mismanagement and embezzlement when she was an administrator of the state oil company Sonangol.

Categories: Cyber Risk News

US Education Non-Profit Leaks Data on Thousands of Students

Fri, 02/14/2020 - 11:30
US Education Non-Profit Leaks Data on Thousands of Students

A US education non-profit appears to have unwittingly leaked the personal information of thousands of students after leaving two online MongoDB databases exposed.

The privacy snafu was discovered by noted researcher Bob Diachenko and affected the Institute of International Education (IIE), an organization set up to promote educational and cultural exchanges with other countries.

“Although the database itself did not contain documents, it did contain links with active access tokens to documents stored elsewhere,” explained Security Discovery. “Links to passport scans, application forms, visas, emails, and other documents were discovered.”

Also among the leaked data were medical forms, funding information, student dossiers, US arrival documents and tax forms.

As the links to the sensitive personal documents were contained in around three million log files, it’s hard to estimate the total number of affected students, but Diachenko claimed they run into the thousands “if not more.”
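The detail that matters in this incident is not the log files themselves but the links inside them: a URL that carries its own access token (a presigned S3 URL, an Azure SAS link, a bare `?token=` parameter) is a credential, and writing it to a log turns every copy of that log into a copy of the document. The scanner below, an added example that is not IIE's or Security Discovery's code, walks log lines, identifies URLs whose query string contains a token-bearing parameter, and rewrites them with the secret removed. The log lines are constructed, the parameter list is a starting set of common signed-URL conventions (extend it for your own services), and the function names are this example's own.

```python
"""Find and redact document links that carry live access tokens in log lines.

Added example, not code from IIE or Security Discovery. Log lines below are
constructed; CREDENTIAL_PARAMS lists common signed-URL / token parameter names
and is an assumption to be extended per environment.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Query parameters that, on their own, authorise access to the linked object.
# The remaining parts of a signed URL (expiry, permissions, algorithm) are
# harmless without the signature or token, so they are left in place.
CREDENTIAL_PARAMS = {
    "token", "access_token", "auth_token", "apikey", "api_key",
    "sig", "signature",            # Azure SAS and generic HMAC-signed links
    "x-amz-signature", "x-amz-security-token",  # AWS S3 presigned URLs
    "x-goog-signature",            # Google Cloud Storage V4 signed URLs
}


def credential_params(url: str) -> list[str]:
    """Names of token-bearing query parameters present in the URL, in order."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in CREDENTIAL_PARAMS]


def redact_url(url: str) -> str:
    """Return the URL with every credential-bearing parameter value replaced."""
    parts = urlsplit(url)
    cleaned = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        cleaned.append((k, "[REDACTED]" if k.lower() in CREDENTIAL_PARAMS else v))
    # safe="[]" keeps the marker readable instead of %5BREDACTED%5D
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def scan_log(lines: list[str]) -> list[dict]:
    """Flag lines that leak a live access token and produce a redacted copy."""
    findings = []
    for n, line in enumerate(lines, 1):
        redacted, hits = line, []
        for url in URL_RE.findall(line):
            params = credential_params(url)
            if params:
                hits.extend(params)
                redacted = redacted.replace(url, redact_url(url))
        if hits:
            findings.append({"line": n, "params": hits, "redacted": redacted})
    return findings


# Constructed log excerpt: three token-bearing document links and one benign URL.
SAMPLE_LOG = [
    "2020-01-28T10:14:02Z INFO download ok user=4821 "
    "url=https://files.example.org/passports/4821.pdf?token=eyJhbGciOiJIUzI1NiJ9.abc.def",
    "2020-01-28T10:14:05Z INFO download ok user=4822 "
    "url=https://s3.amazonaws.com/example-bucket/visa-4822.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20200128%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20200128T101405Z&X-Amz-Expires=604800&X-Amz-Signature=9f8e7d6c",
    "2020-01-28T10:14:09Z INFO health check url=https://api.example.org/status?verbose=1",
    "2020-01-28T10:14:11Z INFO document listing "
    "url=https://example.blob.core.windows.net/docs/tax-4823.pdf"
    "?sv=2019-12-12&se=2020-02-28T00%3A00Z&sp=r&sig=AbCdEf%3D",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: leaked {f['params']}")
        print("  " + f["redacted"])
```

Run it over real log exports before they are shipped to a second system; any hit means the link it found is usable by whoever reads the log until the token expires, and an expiry of 604800 seconds (the S3 maximum, seven days) is a long window for three million files.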

Two identical MongoDB databases, hosted at different IP addresses, were left exposed to the internet in the same way, with nothing preventing anyone scanning for unsecured systems from connecting and reading their contents.

If either database was accessed it could provide a treasure trove of sensitive information for use in follow-on fraud, according to Security Discovery.

“An identity thief couldn’t ask for a better payload. The alarming amount of personal and financial data would make it easy for a criminal to open up new accounts and lines of credit in victims’ names, for example,” it warned.

“College-aged students are prime targets for identity theft because they often have clean credit reports and decent credit scores. We strongly urge impacted students to check their credit reports regularly in the upcoming months. Tax fraud is another threat, so impacted students should be on the lookout for tax scams during the upcoming tax season.”

Although IIE secured the data on February 6, eight days after being alerted to the leak by Diachenko, it did not respond personally to any of his messages or provide any public comment to those affected.

Categories: Cyber Risk News

US Slaps More IP Theft and Sanctions Charges on Huawei

Fri, 02/14/2020 - 10:20
US Slaps More IP Theft and Sanctions Charges on Huawei

The US Department of Justice (DoJ) turned the heat up on Huawei on Thursday by filing new charges of racketeering and conspiracy to steal trade secrets.

The new charges build on a 23-count indictment filed in January 2019 against Huawei, its affiliates and CFO Meng Wanzhou, which accused the Chinese firm of conspiring to break sanctions on Iran and to steal trade secrets from T-Mobile USA, along with wire fraud and other charges.

The latest superseding indictment focuses again on Huawei and subsidiaries Huawei Device, Huawei Device USA, Futurewei Technologies and Skycom Tech, as well as Meng, who is founder Ren Zhengfei’s daughter and remains in Canada under house arrest awaiting extradition to the US.

It alleges a “decades-long effort” by the company and its subsidiaries to misappropriate IP from six US companies including “trade secret information and copyrighted works, such as source code and user manuals for internet routers, antenna technology and robot testing technology.”

The means by which the Shenzhen giant is alleged to have done this will be familiar to China-watchers: entering into confidentiality agreements with the IP owners and then breaking them by misappropriating the IP, recruiting employees of the US firms to steal the IP, and using third parties such as professors to obtain and pass on the technology.

It’s even claimed that, on one occasion in 2004, a Huawei employee broke into a trade conference at night to take photos of a rival’s networking device, although the company maintains the man was acting alone.

The DoJ claimed Huawei ran an employee bonus scheme to reward those who obtained competitor information. It alleged that by gaining access to non-public IP for router source code, phone antenna tech and robotics, Huawei was able to cut its R&D budget and accelerate development, giving it an unfair commercial advantage.

There are also new allegations centered around sanction-busting business activity in Iran and North Korea, and apparent attempts by Huawei to keep this a secret, as well as lying about Huawei’s relationship to Skycom and trying to obstruct the DoJ investigation.

Huawei claims the charges are based largely on “recycled civil disputes from the last 20 years that have been previously settled, litigated and in some cases, rejected.” It argued in a statement sent to Infosecurity that the charges are an attempt to damage the firm’s reputation for reasons related to competition rather than law enforcement.

Categories: Cyber Risk News

US Chain Rutter’s Hit by POS Malware Dating Back to 2018

Fri, 02/14/2020 - 09:34
US Chain Rutter’s Hit by POS Malware Dating Back to 2018

Rutter’s has become the latest US convenience store chain to suffer a breach of customer card data via Point of Sale (POS) malware.

After being notified by a third party of potential unauthorized access to cards used at its locations, Rutter’s launched an investigation and on January 14 discovered malware installed on its payment processing systems.

“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the payment processing systems,” the firm explained in a statement.

“However, chip-enabled (EMV) POS terminals are used inside our convenience stores. EMV cards generate a unique code that is validated for each transaction, and the code cannot be reused. As a result, for EMV cards inserted into the chip-reader on the EMV POS devices in our convenience stores, only card number and expiration date (and not the cardholder name or internal verification code) were involved.”

Customers who swiped older magstripe cards may therefore have had enough data stolen to clone their cards for use in face-to-face fraud, since full track data carries the cardholder name and the verification value encoded on the stripe alongside the card number and expiry date. For chip transactions only the card number and expiry date were exposed; because most e-commerce merchants also require the CVV2 printed on the card and the cardholder name, neither of which was captured, those customers appear better insulated from follow-on fraud.
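To make concrete what “track data” the malware was searching for and why a chip read gives up less, the block below parses magstripe track 1 and track 2 records the way a RAM-scraping POS malware locates them in process memory. This is an added example, not Rutter’s code or its investigators’ tooling: the track layouts are the public ISO/IEC 7813 formats, the Luhn check and service-code test are standard, and the card number, cardholder name and memory buffer are constructed test values, not real cardholder data.

```python
"""Parse magstripe track data from a memory buffer as a POS RAM scraper would.

Added example, not code from Rutter's or its investigators. Track layouts are
the public ISO/IEC 7813 formats; the card number, name and memory buffer are
constructed test values. Regex and helper names are this example's own.
"""
import re

# Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,79})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; scrapers use it to discard false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def chip_capable(service_code: str) -> bool:
    """Service code starting 2 or 6 means the card carries an EMV chip."""
    return service_code[0] in "26"


def mask_pan(pan: str) -> str:
    """PCI DSS-style display masking: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Return every Luhn-valid track record found in a memory snapshot."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({
                "track": 1, "pan": pan, "name": m.group(2).decode().strip(),
                "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",  # MM/YY
                "service_code": m.group(5).decode(),
                "chip_capable": chip_capable(m.group(5).decode()),
                "discretionary": m.group(6).decode(),  # holds the stripe CVV/CVC
            })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({
                "track": 2, "pan": pan, "name": None,  # track 2 has no name field
                "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",
                "service_code": m.group(4).decode(),
                "chip_capable": chip_capable(m.group(4).decode()),
                "discretionary": m.group(5).decode(),
            })
    return hits


# Constructed memory snapshot: one swiped card (tracks 1 and 2), a Luhn-invalid
# decoy record, and unrelated bytes around them.
SAMPLE_BUFFER = (
    b"\x00\x01POS v3.2\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"
    b";4111111111111111=25121011234567890?"
    b"\x00garbage;1234567890123456=2512201?\x00"
)

if __name__ == "__main__":
    for rec in scan_buffer(SAMPLE_BUFFER):
        print(rec["track"], mask_pan(rec["pan"]), rec["name"], rec["expiry"],
              "chip" if rec["chip_capable"] else "magstripe-only")
```

The contrast with a chip read is visible in the fields: a swipe hands the scraper the name and the stripe’s verification value from the discretionary data, which is what makes cloning possible, whereas an EMV transaction never puts full track data through the terminal in that form, leaving an attacker with the PAN and expiry alone.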

The number of cards affected could nonetheless be huge. Over 70 outlets in Pennsylvania and West Virginia were affected, and the malware is said to have been active from October 1 2018 to May 29 2019; at one outlet, access to card data began as early as August 30 2018, and at nine more on September 20 2018.

The news comes just weeks after convenience store chain Wawa notified customers of a similar breach. One dark web marketplace claimed last month that as many as 31 million cards may have been stolen in that raid and were being uploaded to the site by the hackers.

Categories: Cyber Risk News

Cyber-criminals Lure Victims with Coronavirus Cure Conspiracy Theories

Thu, 02/13/2020 - 17:41
Cyber-criminals Lure Victims with Coronavirus Cure Conspiracy Theories

Threat actors exploiting public interest in the ongoing coronavirus outbreak have baited their phishing traps with a new lure—conspiracy theories about unreleased cures.

The new tactic was noted by researchers at Proofpoint, who have been monitoring global malicious activity related to the life-threatening virus in the form of hundreds of thousands of messages. 

Alongside a flurry of phishing scams that hook victims with tall tales of secret remedies, researchers observed the emergence of campaigns that abuse perceived legitimate sources of health information to manipulate users. 

One malicious message, titled "Confidential Cure Solution on Corona virus," presented the sickness as a "deadly virus developed and sprayed by wicked scientists to reduce the population of the world so the government will have control over you."

The message then invited victims to download a document allegedly containing information about a cure for the virus.  

It's not just the subject matter of coronavirus phishing scams that is changing; researchers also detected differences in the malware being used to net victims.

In a report published today, Proofpoint researchers wrote: "In this latest round of campaigns, attackers have expanded the malware used in their Coronavirus attacks to include not just Emotet and the AZORult information stealer, but also the AgentTesla Keylogger and the NanoCore RAT—all of which can steal personal information, including financial information."

Researchers also reported seeing fake Office 365, Adobe, and DocuSign sites, linked to coronavirus-themed emails, that had been specifically set up to steal credentials.

Initial coronavirus-themed attacks focused on the United States and Japan, which recorded its first fatality from COVID-19 today. More recently, researchers have observed threat actors targeting Australia and Italy, using lures written in Italian against the latter.

Other noticeable differences observed by the researchers include an increase in the number and variety of industries that these threat actors are hitting. 

"We have previously written about Coronavirus-themed attacks centered on concerns around economic disruptions in light of the outbreak, specifically around shipping. This trend is continuing and has expanded to include manufacturing as well," wrote researchers.

"Consistent with this level of tailoring and focus on economic concerns, we are also seeing dedicated attacks against construction, education, energy, healthcare, industry, manufacturing, retail, and transportation companies."

The prolonged focus on coronavirus as a theme suggests that the topic is proving a successful earner for the morally bankrupt cyber-criminals who have no qualms about exploiting human suffering for financial gain.

Categories: Cyber Risk News

Report Finds Cybersecurity Issues with US 2020 Census

Thu, 02/13/2020 - 16:49
Report Finds Cybersecurity Issues with US 2020 Census

A report looking into the US 2020 Decennial Census has flagged concerns over cybersecurity and questioned whether the personal data collected during the study can be kept private. 

The US Census Bureau kicked off the 2020 Census count of the population with the enumeration of Alaska in January. However, a report into the ongoing operation by the Government Accountability Office (GAO) has found that the bureau faces "significant cybersecurity challenges in securing its systems and data."

Pressure to resolve these challenges is great, as the online launch of the census is just one month away. 

According to the GAO report, published on Wednesday, the 2020 Census was designated a high-risk operation in February 2017 and remains so to this day.

The report states: "Our prior and ongoing work has identified significant challenges that the Bureau faces in securing systems and data for the 2020 Census. Specifically, the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns."

Over the past decade, the GAO has made 112 recommendations for the 2020 Census to help address a raft of concerns over IT system testing, recruiting census staff, securing partnerships, cybersecurity, safe data storage, and more, but many remain unaddressed. 

"As of February 2020, 28 of the recommendations have not been fully implemented of which six are designated priority recommendations," states the report.

Priority recommendations are defined as those that the GAO believes warrant priority attention from heads of key departments or agencies because, upon implementation, they may significantly improve government operations; for example, by saving money, eliminating fraud, or addressing a duplication issue.

The GAO found that a contingency plan developed in August 2019 for the bureau's internet response system had not yet been finalized. A further cybersecurity concern flagged in the report was the bureau's recent decision to change the primary system it intends to use to provide the internet response capability.

"Given that internet response for the 2020 Census starts in March 2020—approximately 1 month away—it is important that the Bureau expeditiously finalize and test the contingency plan for its internet response capability and ensure that the plan reflects the approach the Bureau has recently decided to implement," states the report.

Categories: Cyber Risk News

Puerto Rico Government Loses $2.6m in Phishing Scam

Thu, 02/13/2020 - 15:38
Puerto Rico Government Loses $2.6m in Phishing Scam

A Puerto Rican government agency unintentionally gave cyber-criminals $2.6m after being taken in by an email phishing scam.

A senior official of the island's government confirmed that money allocated for remittance payments had been wired by a government agency to what appeared to be a genuine bank account on January 17. It later transpired that the account was fraudulent. 

The money was transferred by an unsuspecting employee of Puerto Rico's Industrial Development Company, a government-owned corporation whose mission is to work with local and foreign investors to drive economic development on the island. 

The agency's finance director said a complaint was filed with police on Wednesday in relation to the incident, which was uncovered earlier this week.

According to a police statement, director of the Industrial Development Company Rubén Rivera said the government agency made the transfer after receiving an email regarding a change in how remittance payments should be processed.

The email falsely claimed that the existing bank account used for remittance payments should no longer be used for this purpose and informed the agency that the money should be sent to a new bank account. It was this new account that turned out to be fraudulent and in the control of cyber-criminals. 

Word of the incident was first reported yesterday by the Associated Press, though no details were given as to how the deception was uncovered. It is unclear whether Puerto Rican officials have been able to recover any of the $2.6m or who may have been behind the scam. 

"This is a very serious situation, extremely serious," Manuel Laboy, executive director of the Industrial Development Company, told the Associated Press. 

"We want it to be investigated until the last consequences."

Email phishing scams were a top crime complaint reported to the Federal Bureau of Investigation (FBI) in 2019, according to the IC3 annual cybercrime report released by the bureau earlier this week. 

Last year, this type of attack swindled media conglomerate Nikkei out of $29m, scammed $2.3m from a Texas school district, and conned a British community housing non-profit into forking over $1.2m.

Categories: Cyber Risk News