Info Security


Nintendo Hacker Pleads Guilty to Downloading Child Porn

Mon, 02/03/2020 - 17:53

A California man could face up to 25 years in prison after pleading guilty to downloading child pornography and habitually hacking into the computer system of Japanese gaming giant Nintendo. 

Ryan Hernandez was still a minor when, together with an associate, he used a phishing technique to steal the credentials of a Nintendo employee in 2016. The data stolen by the Palmdale resident, who is now 21, was used to gain access to and download confidential Nintendo files related to the company's consoles and games.

That stolen data, which included pre-release information about the anticipated Nintendo Switch console, was leaked to the public, sparking an investigation by the Federal Bureau of Investigation.

The FBI tracked Hernandez down to his parents' house in October 2017 and let him off with a warning, but it wasn't too long before the youngster threw away the second chance he was generously offered. Within nine months Hernandez was back to his old tricks, illegally accessing Nintendo servers and stealing confidential information. 

Hernandez leaked the stolen information to others online via a chat forum he had christened "Ryan's Underground Hangout." There, the egotistical hacker discussed Nintendo products, shared confidential information he had stolen from people with actual talent, and highlighted possible Nintendo network vulnerabilities.

Far from displaying any guilt over his illicit activities, Hernandez brazenly boasted about his cyber-exploits on social media platforms, including Twitter and Discord. 

Hernandez's malicious hacking spree was curtailed in June 2019 when FBI agents seized from his home the computers, hard drives, and circumvention devices he used to access pirated video games and software. 

A search of the devices revealed thousands of confidential Nintendo files and a sickening insight into Hernandez's disturbing sexual predilections. 

The US Department of Justice stated: "Forensic analysis of his devices also revealed that Hernandez had used the internet to collect more than one thousand videos and images of minors engaged in sexually explicit conduct, stored and sorted in a folder directory he labeled 'Bad Stuff.'"

In a US District Court in Seattle, Washington, on Friday, Hernandez pleaded guilty to computer fraud and abuse and to possession of child pornography. Hernandez, who will now be required to register as a sex offender, agreed to pay $259,323 in restitution to Nintendo.

Hernandez will be sentenced on April 21.

Categories: Cyber Risk News

Cybersecurity Incident Mars Australian Freight Giant's Operations

Mon, 02/03/2020 - 16:55

A major Australian freight company is experiencing operational difficulties after a cybersecurity incident caused an IT system shutdown. 

Toll Group announced that it had experienced a "cybersecurity incident" on Friday. The company shut down a number of IT systems at multiple sites across the country in a bid to resolve the issue.

"As a precautionary measure, in response to a cyber security incident on Friday, Toll deliberately shut down a number of systems across multiple sites and business units," said Toll Group in a statement.

"Toll IT teams are working closely with global cyber security experts to resolve the issue."

Customers have reported issues with tracking shipments, reporting that IT systems were down at Toll depots. Until the incident is resolved, Toll Group is recording receipts manually.

The MyToll website, where customers can usually track deliveries and book package collections, has been taken offline and is currently displaying a cybersecurity warning message. 

The company said its first priority was to bring its customer-facing applications back online.

"Toll is making progress with our recovery activities to restore our systems and Toll customer-facing applications," stated the company.

"Our immediate focus is on bringing our systems back online in a controlled and secure manner. Business continuity plans have been activated to maintain customer service and operations."

No information has been released by Toll Group so far regarding the nature or severity of the cyber-incident. The details of how it occurred are currently also being kept under wraps.

Toll Group is often contracted to handle Australia's eBay deliveries. The freight company is also the carrier of choice for many of the country's cell phone companies when sending out new handsets and SIM cards. 

Business Insider reported that Toll operations in Australia, India, and the Philippines had been affected by the incident. 

No timeline has been given for when Toll Group's IT systems will be back up and running. 

Toll Group operates a global express, freight forwarding, and logistics service from its base in Melbourne. The company, which was founded in 1888, was acquired by Japan Post in 2015.

Categories: Cyber Risk News

British Charity Loses Over $1m in Domain Spoofing Scam

Mon, 02/03/2020 - 16:02

A British community housing charity was conned out of more than $1m in a domain spoofing and contractor impersonation scam.

Red Kite Community Housing announced on Tuesday that it had fallen victim to a cyber-scam in which criminals posed as genuine service providers to steal a staggering £932,000.

In a statement issued on January 28, Red Kite described the heavy financial loss as "absolutely galling."

The charity described how criminals not only spoofed the domain of a genuine contractor but also sent emails to Red Kite that appeared to be from contacts who had already won the charity's trust. 

Detailing how the criminals got the better of the charity, Red Kite wrote: "What they managed to do was to expose a weakness using sophistication and human nature to carry out the theft of this money.

"In essence, they mimicked the domain and email details of known contacts that were providing services to Red Kite. Through this they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow up to an existing conversation."

Unfortunately, a payment verification process put in place to prevent fraudulent transactions proved ineffective when the error it flagged was not actioned.

Red Kite wrote: "We still had an additional safety net in place; a two-stage process to verify changes to payments and accounts which ordinarily would have caught this attempt.

"This, however, proved to be our weak point, with an error being made by the clear process not being actioned, resulting in a missed opportunity to shut the door before the money was taken. This is the part that upsets everyone involved."

The con was carried out in late August 2019 and is still under investigation by the police. As a result of the incident, Red Kite's governance rating has been downgraded by the Regulator of Social Housing (RSH). 

In a regulatory judgement made public last week, the RSH wrote that Red Kite experienced "a significant financial loss as a result of a fraud due to a basic failure in its system of internal controls"—and urged them to make improvements.

Red Kite, which is based in the southeastern county of Buckinghamshire, owns and manages around 6,500 homes across the town of High Wycombe.

Categories: Cyber Risk News

Thousands Raised for NSPCC’s Childline Service at White Hat Ball

Mon, 02/03/2020 - 12:07

An incredible £187,000 was raised for the NSPCC counselling service Childline at the White Hat Ball on Friday January 31 2020.

Over 650 guests attended the event, which was hosted by singer and TV personality Peter Andre, at the Royal Lancaster Hotel in London.

Guests, including members of the Infosecurity Magazine team, enjoyed a champagne reception and a three-course dinner, followed by entertainment including silent and live auctions where fantastic prizes were won such as an exclusive VIP Manchester United experience and painting ‘Bowie’ by Daniel Mernaugh.

Organized by a committee of dedicated volunteers from the information risk and security sector, the event is now in its 15th year.

Speaking at the event, Peter Andre said: “I’ve been supporting Childline for many, many years so I was honored to be asked to host the White Hat Ball and raise lots of money for a cause close to my heart. I love everything Dame Esther Rantzen stands for. Every child is worth fighting for, and I’m proud to have been a part of this evening to support that.”

The money raised from the Ball will help Childline continue to be there 24/7 for young people in need of support for a range of issues, including mental health and concerns about abuse and neglect. On average, a child contacts Childline every 25 seconds, with almost three-quarters of counselling sessions now taking place online.

Sarah Jeffery, NSPCC special events manager, said: “It was fantastic to see so many people gather at the White Hat Ball, raising vital funds for Childline.

“We know that Childline provides a vital lifeline for young people across the country and events like the White Hat Ball enable us to continue to provide this life-changing service.”

Categories: Cyber Risk News

Missile Engineer Arrested After Taking Secret Info to China

Mon, 02/03/2020 - 11:38

The FBI has arrested a US defense contractor employee for allegedly taking classified information with him on a secret China trip.

Tucson resident Wei Sun, 48, worked for Raytheon for over 10 years as an electrical engineer on the firm’s missile systems program. As such, the China-born US resident had access to technical data on highly regulated military technology which requires an export license to take out of the country.

However, he allegedly transported some of this data “knowingly and wilfully” on his work laptop on a December 2018 trip, despite being told by a manager that this would contravene company policy and federal law.

Whilst out of the country, he emailed Raytheon from his laptop and work account to resign, claiming he wanted to study and work overseas.

On returning, he admitted to security staff at the firm that he had taken information on Raytheon’s ballistic missile defense system abroad on his work laptop, but only to Singapore and the Philippines.

However, Sun’s story subsequently changed, as he admitted to travelling to China, Cambodia and Hong Kong — again with no attempt made to obtain an export license under the International Traffic in Arms Regulations (ITAR).

Sun was kicked out of the company after these interviews in January 2019 and arrested a year later for breaking the ITAR.

Reports suggest he was familiar with cutting-edge weapons systems of high strategic value to China, such as defense technology used to shoot down incoming missiles.

The US is clamping down on intelligence leaks of all types. Last week it emerged that a prominent Harvard academic had been arrested and charged with lying about his ties to China.

His case was published alongside news that a PLA officer and a second Chinese national were arrested after posing as students to steal sensitive research information.

Categories: Cyber Risk News

Maze Ransomware Hits Law Firms and French Giant Bouygues

Mon, 02/03/2020 - 11:12

Cyber-criminals behind the Maze ransomware attacks have claimed several more scalps over the past few days, including five law firms and a French industrial giant, all of which are thought to have had sensitive internal data stolen.

Brett Callow, a threat analyst with security vendor Emsisoft, alerted Infosecurity to the developments over the weekend. The Maze group has a dedicated website where it first names victim organizations and then releases stolen data if they refuse to pay the ransom.

“This makes sense. The more data they publish and the more sensitive that data is, the less incentive an organization has to pay to prevent the remaining data being published,” said Callow.

“It's the equivalent of a kidnapper sending a pinky finger. If the organization still doesn’t pay, the remaining data is published, sometimes on a staggered basis.”

That’s potentially bad news for the latest firms to fall victim to Maze ransomware. At present, only two of the law firms have had sensitive customer data published but, ominously for the other victims, the group promises that the “proofs” are coming soon.

The French firm struck by Maze, Bouygues Construction, published a brief statement on Friday admitting a “ransomware-type virus” had been detected on its network the day before.

However, there’s no word from the firm so far on whether key data has also been lifted, as alleged by the Maze hackers.

“As a precautionary measure, information systems have been shut down to prevent any propagation,” the statement read.

“Our teams are currently fully focused on returning to normal as quickly as possible, with the support of experts. Installations are progressively being put back into service after being tested. Operational activity on our construction sites has not been disrupted to date.”

Maze has hit a wide range of firms in the past, including the US City of Pensacola, cabling giant Southwire and security company Allied Universal.

It’s not unusual for the group to charge its victims twice, $1m for the decryption key and a further $1m for ‘deletion’ of the stolen data. There’s the added jeopardy that, if they’re not paid, stolen data will be leaked onto Russian hacker forums, as has happened in the past.

Categories: Cyber Risk News

UK Cops Swoop on Malta Bank Heist Suspects

Mon, 02/03/2020 - 09:45

UK law enforcers have tightened the net around the hackers that stole €13m ($14.4m) from one of Malta’s biggest banks, with the arrest of four men last week.

Malware planted on the Bank of Valletta’s servers back in February 2019 enabled hackers to transfer the money to accounts in the UK, US, Hong Kong and Czech Republic. The lender was forced to shut down all its operations after spotting the illegal activity and attempting to prevent the fund transfers.

However, £800,000 ($1m) was funnelled to an account in Belfast, with payments totalling £340,000 ($446,000) then disappearing from the account before it could be blocked.

According to the UK’s National Crime Agency (NCA), some of the money was spent at luxury stores including Harrods and Selfridges, to buy Rolex watches, and to purchase a Jaguar and an Audi A5.

Following the trail of money, NCA officers arrested three men on Friday on suspicion of money laundering, fraud and theft. These included a 33-year-old detained at Heathrow Airport as he returned to the UK from China, and two men aged 23 and 24 who handed themselves into a police station in Belfast.

These were preceded by the arrest of another Belfast man, aged 39, a day earlier, on suspicion of the same crimes, and the apprehension of two men aged 22 and 17 in London on January 22 after raids on properties in West Hampstead and Ladbroke Grove.

The arrests represent the latest stage in a 12-month investigation by the NCA and Malta Police Force Economic Crime Unit.

“The focus of our investigation is those suspected of having helped launder the proceeds of this cyber-attack, a large amount of which were funnelled through a bank account here in Belfast,” said NCA Belfast branch commander David Cunningham.

“It demonstrates how this type of criminality is often international in nature, and how tackling it is a priority for the National Crime Agency and partners, both within the UK and around the world.”

Categories: Cyber Risk News

REvil Ransomware Crew Sponsors Underworld Hacking Competition

Fri, 01/31/2020 - 16:29

A notorious Russian threat group famed for its devastating ransomware attacks has funded a hacking competition being run on a dark web forum. 

Sodinokibi—the creators of the REvil ransomware—stumped up $15,000 in prize money for the illegal hacking contest, which requires competitors to write original articles containing proof-of-concept videos or original code. 

Articles can be submitted on five different topics, including APT attacks, developing exploits for searching for 0day and 1day vulnerabilities, and how to hack other people's crypto algorithms.

Along with the prize money, Sodinokibi offered the competition's overall winner an opportunity to "work with" the threat actors under "mutually beneficial conditions." 

The competition was announced via the XSS forum, which counts several Sodinokibi representatives among its members.

News of the competition and its nefarious sponsors was published today in a report by researchers at Digital Shadows. While black hat hacking competitions on dark web forums like Exploit and XSS are nothing new, the researchers noted a significant increase in the number of high-stakes prizes on offer recently.

“Since its relaunch as XSS [in 2018], the former Damagelabs has organized three articles competitions, all with four- or five-figure prize funds,” the researchers noted.

By contrast, a 2010 competition that challenged participants to design a graphic that best represented the Russian-language segment of the internet (the "Runet") had as its prize a single iPad.

Digital Shadows’ research indicates that groups like Sodinokibi have taken an interest in these competitions to foster technical skills among forum members, increase awareness of the availability of ransomware on the forum in a savvy sales move, and gain valuable intelligence for future malware development.

For the forums, such high-prize competitions are a way to grow or sustain their membership. 

Researchers wrote: "Cybercriminal forums need to attract and retain members in order to survive and being able to present a site as a valuable repository of articles discussing pertinent cybercriminal issues is a real draw."

Currently, the prize money up for grabs in legal white hat competitions outstrips what can be won on the dark web, but based on Digital Shadows' research, that situation could one day change.

Categories: Cyber Risk News

US County's Computers Still Down Nine Days After Ransomware Attack

Fri, 01/31/2020 - 15:48

A county in the Pacific Northwestern state of Oregon is yet to fully recover from a ransomware attack that happened over a week ago.

Cyber-criminals hit Tillamook County in a targeted attack last Wednesday, January 22. As a result, all internal computer systems under the county government, which 250 county employees rely on, went down.

The Tillamook County website, which hosts numerous departments, was also taken out in the incident. Other network connections were disabled to contain the spread of the malware.

The Emergency Communications District’s dispatch and 911 services were not affected; however, the County Sheriff's Office has experienced some issues with its phone system and email.

County Commissioner Mary Faith Bell said that the attack was initially thought to be a storage system technical issue. It was later identified as a ransomware attack despite no initial ransom demands being made by the attackers. 

The day after the incident occurred, county officials contracted a forensic computer firm, Arete Incident Response, to investigate the attack. 

Though the potential cost of the ransom is yet to be revealed, the actions of the county earlier this week hint that the attackers may have finally issued a demand. 

On Monday, January 27, Tillamook County commissioners voted unanimously to negotiate with the cyber-attackers for an encryption key in a bid to regain control of the government's computer systems. 

Addressing the board, Information Technology Director Damian Laviolette said: "At this time, we are looking to Arete to potentially begin the process of negotiation for an encryption key for the remainder of the systems we have been unable to protect or retain the integrity of."

Bell acknowledged that paying a ransom could not guarantee the security or safe return of the data. She said: “I think the lesson is to back up absolutely everything because I think this kind of thing will become more common. There are places in the world where people are just doing this for a living.”

To keep functioning, the county has had to revert to non-digital workarounds. 

“A lot of the things like the library, we are checking books out by paper the old-fashioned way,” said Tillamook County Emergency Manager Gordon McCraw.

County phone lines were restored earlier in the week; however, no timeline has been given for when Tillamook's computers will be back up and running.

Categories: Cyber Risk News

Breach at Indian Airline Affects 1.2 Million Passengers

Fri, 01/31/2020 - 14:50

A data breach at Indian airline SpiceJet has exposed the personal information of over a million passengers.

Access to the airline's computer system was gained last month by a security researcher, who went on to report the breach to TechCrunch.

Using a brute-force attack, the researcher busted into an unencrypted database backup file containing the private information of more than 1.2 million passengers who flew with SpiceJet last month. According to the ethical hacker, the password protecting the data was easily guessable.  

Data exposed in the breach included passengers' names, phone numbers, email addresses, and dates of birth. Among the passengers whose data was exposed were several state officials.  

According to the researcher, the database file was easily accessible for anyone who knew where to look, leaving the budget airline vulnerable to cyber-attackers. 

After successfully gaining unauthorized access to SpiceJet's passenger data, the researcher contacted the airline to warn them that a breach had occurred. The researcher said that their efforts to reach out to the airline elicited no meaningful response from SpiceJet. 

The researcher went on to notify India's computer emergency response team (CERT-In) of the breach. The government-run agency confirmed that the breach had occurred and went on to issue an alert to SpiceJet.

While SpiceJet has now taken steps to secure the exposed database, the airline has declined to confirm CERT-In's findings.

A spokesperson for the airline said in a statement: “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”

SpiceJet is one of the country's largest privately-owned airlines, commanding an approximate 13% market share in India. The airline, which is headquartered in Gurgaon, flies over a million passengers a month and puts more than 600 planes in the air every day. 

The security researcher who detected the security lapse has chosen to remain anonymous.

Categories: Cyber Risk News

British Council Blocked Over 10 Million Malicious Emails in 2019

Fri, 01/31/2020 - 12:35

The British Council, which promotes wider knowledge of the UK and English language in over 100 countries worldwide, was hit by over 10 million malicious email attacks in 2019, according to official figures.

The data was obtained by Nimbus Hosting under the Freedom of Information Act and showed that the British Council blocked a total of 10,336,631 emails last year. Of those, 190,155 emails were intercepted or blocked because of suspected malware such as worms, Trojan horses and ransomware.

Furthermore, the organization also blocked 14,317 suspected phishing emails, whilst a further 10,132,159 emails were intercepted and logged as spam, many of which would have had the potential to contain viruses.

Tim Dunton, MD, Nimbus Hosting, said: “These figures are another reminder that cyber-criminals will continually bombard organizations with scam emails, hoping to trick employees into handing over private data, to breach the organization’s security systems or steal personal information. All it takes is for one hoax email to fall through an email systems’ imperfect filtration system before an organization must face the consequences of a severe breach of customer information.”

Moving forward, he added, it’s vital that all organizations like the British Council have the necessary anti-virus systems in place, as well as robust security procedures to keep hackers at bay.

Categories: Cyber Risk News

US Defense Contractor Hit by Ryuk Ransomware

Fri, 01/31/2020 - 11:45

A US government technology contractor has become the latest major target taken down by a ransomware attack.

Electronic Warfare Associates (EWA) counts the Department of Defense, Department of Justice and Department of Homeland Security among its clients. It describes itself as a veteran-owned business with a track record dating back over four decades.

The firm currently claims to be working on cutting-edge projects in areas such as blockchain, anti-drone capabilities, location tracking and quantum technology. However, its own tech credentials appear to have taken a knock with this latest ransomware attack.

At the time of writing, its websites for subsidiaries EWA Government Systems and electronic deadbolt producer Simplicikey are down, but there’s no word on how widespread the attack was and how it has impacted the organization.

Its government customers will want to know if the ransomware hackers have also stolen sensitive corporate information, as is increasingly the case in such attacks.

Late last year new malware with data theft capabilities dubbed “Ryuk Stealer” was discovered. Keywords found in the code including “military,” “engineering,” “defense,” “government” and “restricted” raised suspicions that the authors may be gearing up to target the stealer at organizations like EWA and its clients.

Alexander García-Tobar, CEO and co-founder of Valimail, claimed that a phishing email was the likely attack vector.

“Phishing is implicated in more than 90% of all cyber-attacks, and it is the preferred vector used by the Ryuk ransomware that hit EWA servers,” he added. “Therefore, it’s likely that email played a role in delivering this attack. Additionally, impersonation-based techniques are leveraged in the majority of phishing attempts, so as to convince the target the fraudulent message is from a trusted source.”

Ransomware attacks targeting municipalities caused a trail of chaos across the US last year, but this is the first major raid against a federal government contractor.

Categories: Cyber Risk News

AlphaBay Moderator Faces 20 Years Jail Time

Fri, 01/31/2020 - 11:00

A Colorado man who worked as a moderator on the infamous AlphaBay marketplace is facing two decades behind bars after pleading guilty to racketeering charges this week.

Bryan Connor Herrell, 25, worked on the now-shuttered dark web site settling disputes between buyers and sellers of illicit goods, according to a Department of Justice (DoJ) notice.

Known by the online pseudonyms “Penissmith” and “Botah,” he’s said to have settled over 20,000 such disputes on the site whilst also monitoring transactions for signs of fraud.

It appears Herrell’s identity may have become known to police after FBI, DEA and Royal Thai Police officers raided the home of AlphaBay founder Alexandre Cazes in 2017. At the time they seized an open laptop which contained “the passwords/passkeys for the AlphaBay website, the AlphaBay servers, and other online identities associated with AlphaBay.”

While Cazes subsequently died in prison, of suspected suicide, investigations into his former colleagues continue.

AlphaBay is thought to have been the world’s largest dark web marketplace of its kind when it stepped up to fill the gap left by Silk Road.

However, it suffered the same fate as its predecessor after police managed to infiltrate and shut it down. Announced alongside the takedown of Hansa in July 2017, the site is said to have reached over 200,000 users and 40,000 vendors.

According to Europol, the site hosted over 250,000 listings for illegal drugs and over 100,000 for stolen and fake ID documents, malware, hacking tools, counterfeit goods and more.

The policing organization estimated that at least $1bn flowed through the marketplace since it was launched in 2014.

Herrell was paid in Bitcoin for his efforts, and likely received a handsome remuneration. However, after he pleaded guilty to conspiring to engage in a “racketeer-influenced corrupt organization,” he faces a maximum of 20 years in prison.

Categories: Cyber Risk News

UK Cyber Sector Tops £8bn as Brexit Looms

Fri, 01/31/2020 - 10:20

New figures cited by the UK government claim the country’s cybersecurity sector has achieved double-digit growth over the past two years, but Brexit threatens to undo much of the good work by making cross-border recruitment and sales harder.

Based on research from Queen’s University Belfast, the sector is now worth £8.3bn, with revenues from UK firms having increased 46% from 2017-19. The number of cybersecurity firms located in the UK also grew significantly over the period, by 44% from 846 in 2017 to over 1200 at year-end 2019.

In addition, investment into the industry was a record £348m last year, and topped £1.1bn over the past four years, the paper claimed.

The university argued that government-backed initiatives like HutZero, Cyber101 and the London Office for Rapid Cyber Security Investment (LORCA) have played a key role in helping start-ups and SMEs develop new products and services.

Andy Harcup, VP EMEA at Absolute Software, welcomed the news, arguing that it’s a reflection of the growing market demand for products designed to mitigate cyber-risk.

“However, whilst it’s great to see that cybersecurity has grown in priority on the corporate agenda as companies are spending more than ever on security, it must be mentioned that the threat landscape is developing even faster,” he added.

“Therefore, we must witness continued dedicated commitment from all organizations to tackle this problem head on. This involves the use or introduction of security tools that not only mitigate risk, but help the organization to respond, recover and actually fix the things that are breaking.”

The news comes as the UK officially leaves the European Union at midnight tonight. Experts and IT security professionals have warned that Brexit could have a “chilling” effect on the country’s nascent cybersecurity industry, by making cross-border intelligence sharing harder, and impacting jobs.

The world is already experiencing a cybersecurity skills shortage in excess of four million positions, with shortfalls in Europe having soared by over 100% from 2018-19.

It is predicted that Brexit will discourage many skilled job-seekers from coming to the UK, while the pipeline from UK universities remains weak.

Over 90% of UK IT professionals told RedSeal last year they believe Brexit will make chronic industry skills shortages even worse.

There are also question marks over UK sales to the continent. Boris Johnson’s government has refused to consider remaining in the single market, meaning likely trade restrictions that will hinder firms’ growth prospects.

Categories: Cyber Risk News

Number of Web Certs Up, More Public Education Needed

Fri, 01/31/2020 - 10:15

The number of deployed Extended Validation (EV) SSL certificates has increased, alongside new measures by browsers to promote “secure” websites.

Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that EV certificates are still important, but acknowledged that there is a need for more education around them.

One idea he discussed was to create a whitelist of sources that use an EV certificate, and allow all certificate authorities (CAs) to access the whitelist to improve validation. Another was to establish a minimum time that must pass before an EV certificate could be issued, but Coclin acknowledged that this was not popular as it may affect new companies that want an EV cert for their domain.

Another idea was to add “validated trademarks” into the certificate as they are recognizable and distinguishable, “and if we put these into the certificates, people would have an extra way of validating that the certificate is authentic.” These will have been validated by the CA, using a standard set of validations and rules.

The last option is to add a requirement that the CA checks a domain's record to see what sort of certificate should be issued for that domain. “If you say you don’t want an EV certificate to be issued for a domain, and someone in a different location tries to issue a certificate, the CA could look at the record and see that they cannot issue one for that domain.”
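The "check the record" proposal above resembles the DNS CAA mechanism (RFC 8659), which the article does not name; treating it as the model is an assumption made here. The following Python is an added example, not DigiCert's or Coclin's code: it parses CAA records in their presentation form, walks up the name tree the way RFC 8659 specifies, and decides whether a named CA may issue for a domain. The zone data is constructed inline in place of a real DNS lookup, and the domain and CA names are sample values.

```python
"""Issuance-policy check modelled on DNS CAA records (RFC 8659).

Added illustration: the zone below is constructed sample data standing in for a
real DNS lookup, and the CA names are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

ISSUER_CRITICAL = 128          # bit 7 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int    # 0 or 128 (issuer critical)
    tag: str      # property tag, compared case-insensitively
    value: str    # issuer domain plus optional ';' parameters, or ';' alone


def parse_caa(line: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"' as it appears in a zone file."""
    flags, tag, value = line.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def issuer_of(value: str) -> str:
    """Issuer domain is the text before any ';' parameters; ';' alone means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()


def relevant_records(zone: dict[str, list[str]], name: str) -> list[CAARecord]:
    """RFC 8659 section 3: climb from the name toward the root; the first
    label that has CAA records supplies the policy for everything below it."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return []


def may_issue(zone: dict[str, list[str]], name: str, ca: str, wildcard: bool = False) -> bool:
    """Return True if `ca` is permitted to issue a certificate for `name`."""
    records = relevant_records(zone, name)
    if not records:
        return True                       # no CAA policy: not restricted
    # An unrecognised property marked critical forbids issuance outright.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"                 # issuewild overrides issue for *.name
    permitted = [issuer_of(r.value) for r in records if r.tag == tag]
    if not permitted:
        return True                       # only iodef (or nothing relevant): not restricted
    return ca.lower() in permitted        # ';' yields '' and so matches no CA


# Constructed sample zone (not real DNS data).
SAMPLE_ZONE = {
    "example.com": [
        '0 issue "digicert.com"',
        '0 issuewild ";"',               # no wildcard certificates at all
        '0 iodef "mailto:security@example.com"',
    ],
    "dev.example.com": ['0 issue "letsencrypt.org"'],   # subtree overrides parent
    "strict.example": ['128 futuretag "x"', '0 issue "digicert.com"'],
}

if __name__ == "__main__":
    for host, ca, wild in [("www.example.com", "digicert.com", False),
                           ("www.example.com", "letsencrypt.org", False),
                           ("example.com", "digicert.com", True),
                           ("api.dev.example.com", "letsencrypt.org", False)]:
        print(f"{'*.' if wild else ''}{host:<22} {ca:<16} {may_issue(SAMPLE_ZONE, host, ca, wild)}")
```

A CA runs a check like this at issuance time; for a domain owner it is the mitigation side of the same idea, since publishing CAA records limits which CAs can be talked into issuing for their names. The records a domain actually publishes can be inspected with `dig CAA example.com`.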

Looking at the number of TLS certificates issued, Coclin said that around 78 million trusted web certificates are on websites globally, an increase of almost two million since last month, and DigiCert has issued 13 million since the beginning of the year.

For the individual certificate types, Coclin said DigiCert had issued 27.4% of the domain validation (DV) certificates (the most was by Let's Encrypt with 49.7%), while DigiCert had issued 59.7% of the EV certificates and 96% of the organization validation (OV) certificates.

Pointing out that the number of TLS certificates had increased in recent years, Coclin said that this was driven by the move by browsers to highlight those websites not using HTTPS. “No website wants their domain to be seen as not secure, so certificates have increased,” he said.

The next step will be a red line through the address bar to show that a site is not secure; after that there will be an interstitial page saying that the page is not secure and asking “do you really want to go to it?” The step after that will be the same interstitial page saying “the following web page is not secure.”

He added: “Now who wants a website that you cannot get to? That should take us to 100% encryption on the web.”

Looking forward, Coclin predicted that the number of TLS certificates will increase, as well as Verified Mark Certificates in email as DMARC is further deployed. “EV is not going away, it has moved, but I think it is going to change again – maybe for the better or worse – but there are discussions going on and improvements being made, and we’ll see where that goes,” he concluded.

“We used to tell people ‘look for the lock’ but you cannot just do that anymore, as hackers know that is what we were told as they are getting free EV certificates and putting them on their sites and getting verified for 24-48 hours.”

Categories: Cyber Risk News

Need for “Big Data Biology” as Users Create More Data

Fri, 01/31/2020 - 09:30

Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that “identity data is created on us all of the time,” but asked how protected it is.

He said that as we browse we create more and more data every day, and this data is about us and we should be sure it is “kept secure and in the right format.” Now with more devices available, cloud computing and IoT, we have ended up with the situation where we have big data, but not the “big data biology” on how it should be managed.

He said: “It is my data, not your data, and what is generated should be known by me and not some other company.” Citing the introduction of the GDPR in Europe in 2018 and the California Consumer Privacy Act (CCPA) this month in the USA, Coclin also referred to other legislation that had not passed, including the New York Privacy Act, which he said was “stronger than CCPA and gave private right of action.” However, he added that this failed in a legislative session, and he suspected that other proposed privacy laws would not pass in the current political climate.

Turning to anonymity, he said that there is a push to be more anonymous on the web, particularly in the case of electronic voting, “as you don’t want people to know who you voted for.”

Elsewhere, he said it was the same with email and IoT, that with the former you want to know that who has emailed you is actually that person, and with IoT, you want to know which devices are trusted and authorized to join your network.

On the other side, there are those “who do not want to be identified and cases where identity is important” and that is where Tor is important.

“Ideally for consumers, a strong privacy law is something that they need,” he argued. “For companies trying to comply, an over-arching privacy law, whether at state, federal or country level or global level would be even better, would be fantastic.”

Categories: Cyber Risk News

Quantum Computing is Here, Look to a Post Quantum Future

Fri, 01/31/2020 - 09:00

Data is the new oil, but advances in quantum computing could mean encryption is broken far faster in the future.

Speaking at the DigiCert Security Summit in San Diego, Dr Michio Kaku, futurist and theoretical physicist, talked of the rise of quantum computing and its deployment in modern society.

He said that after we built the world wide web, television, radio, radar and microwaves “and everything you see in a doctor’s office,” the next step will be quantum. “If the first wave was about steam power, the second on electricity, the third on high tech, what will the fourth and fifth be about? The fourth wave we are now entering, it is physics at the molecular level, such as AI, nano and bio technology; then we will see the fifth wave of technology which will be dominated by physics at the atomic level.”

Kaku predicted the end of silicon, saying it “cannot compute at a quantum level” and now millions are being spent on this computing. However, while this technology is in its infancy, the threat is there. 

In a press conference, Kaku said that we will head to a post silicon era and that the use of atoms can be used to break any encryption, so governments are getting ahead of the game “as there is much at stake, so now the race is on for the post quantum era where we want to find defenses against methods used by quantum computers to break codes.”

He added that today’s mainframes will be replaced by quantum computers, but mobile phones will not be replaced due to the need for a cooling infrastructure for the atoms. 

Referring to Google’s announcement about its creation of a quantum computer, Kaku noted it was “premature,” as while the computer was workable, it did not have any practical application for the consumer and it was compared with a modern supercomputer. “IBM said that because of that and not using such a fast supercomputer, their announcement was not such a big deal.”

However, he praised Google’s efforts, as he said that the tide has shifted, as people are no longer saying that this is a possibility for the future.

He also said that as the industrial age was powered by oil, the fourth and fifth wave will be powered by data. “Data will be the energy source of the future,” he claimed, “but data has to be processed. Oil has to go to refineries, in the same way data has to be raw, then processed. In the future, every aspect of human behavior, every aspect of human endeavor and every aspect of human enterprise will be reduced to data.”

However, this data can be hacked, and needs to be protected by encryption – and this can be broken with advanced quantum computing.

Kaku concluded by saying that all human activity will be digitized as data is wealth, and companies will want that information “and this means that data is vulnerable, and new ways to do encryption have to be devised.”

He also said that the arrival of quantum computing is not an immediate threat, but one for the coming years and decades so it is time to prepare and consider converting now. “Don’t do anything yet, but think about it and study the question” as it may take years for the conversion to take place.

He recommended four things you can do now:

  1. Increase the length of your keys, so that you make it more difficult for a quantum computer to crack things
  2. Consider symmetric, rather than asymmetric encryption, as symmetric gives you an extra layer of encryption
  3. Use increasingly complex trapdoor functions, such as lattice and elliptic curve technologies
  4. Use quantum cryptography, use quantum to fight quantum

Categories: Cyber Risk News

Fake Exec Tricks New York City Medical Center into Sharing Patient Info

Thu, 01/30/2020 - 16:30

An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility's executives. 

The data was shared by an individual at the community-based non-profit VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from a senior member of staff. 

VCRN were notified on or about Monday, December 30, that a cruel deception had taken place.

In a Notice of Data Privacy Incident statement published on VCRN's website, the company stated: "The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information."

Information obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including provider name and ID number for 674 patients. 

VCRN said: "Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event."

The medical center said that they weren't aware of any personal patient information having been misused as a result of this event.

Becoming a victim of a phishing scam has led VCRN to review its cybersecurity practices.

The center said: "We take this incident and security of personal information in our care seriously. We moved quickly to investigate and respond to this incident, assess the security of relevant VCRN systems, and notify potentially affected individuals. This response included reviewing and enhancing our existing policies and procedures."

VCRN has taken steps to notify all the patients who have potentially been impacted by the cyber-attack. A toll-free dedicated assistance phone line has been established for patients who wish to discuss any concerns they may have as a result of the incident. 

The data breach has been reported to law enforcement and to the relevant regulatory authorities. 

VCRN advised patients "to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution."  

Categories: Cyber Risk News

Cybersecurity Firm to Create 164 New Jobs in Virginia

Thu, 01/30/2020 - 15:28

Cybersecurity firm Expel Inc. has announced a $1.4m investment to expand its operations in Fairfax County, Virginia. 

The huge injection of cash will be used to increase the size of the company's Herndon headquarters and to create 164 new jobs in the company's engineering, customer experience, IT, marketing, and sales departments over the next three years.

News of the planned expansion was announced by the governor of Virginia, Ralph Northam, on Tuesday. 

“Virginia has emerged as a national leader in cybersecurity and continues to be at the forefront of workforce development in this rapidly-evolving industry, thanks to companies like Expel, Inc.,” said Northam. 

“We are thrilled to support this homegrown Northern Virginia business as they grow and expand and look forward to their ongoing success in Herndon.”

Victor Hoskins, president and CEO of the Fairfax County Economic Development Authority (FCEDA), voiced his support for the scheme.

“The security-focused industry cluster and the talent pool around it make Fairfax County and Northern Virginia a great location for Expel, and I am delighted that my office has had the opportunity to help the company expand its footprint in the Town of Herndon. 

“We appreciate the company's vote of confidence in Herndon and Fairfax County and look forward to its continued growth here.”

The FCEDA and the Town of Herndon worked with the Virginia Economic Development Partnership to secure the project for Virginia and will support the company’s job creation through the Virginia Jobs Investment Program (VJIP). 

Expel's co-founder and CEO Dave Merkel described Fairfax County as a prime location in which to grow the business.

“There's a fantastic pool of tech talent located in Northern Virginia, and we have close proximity to strong education institutions and major tech companies,” said Merkel.

Expel offers round-the-clock cybersecurity monitoring, providing transparent managed security both on-premises and in the cloud. The company was founded by Dave Merkel, Yanek Korff, and Justin Bajko in a barn in Virginia in 2015.

The company currently has 171 employees and 14 strategic partners, including Amazon Web Services, Microsoft Azure, Cisco, CrowdStrike, Palo Alto, and Carbon Black.

Categories: Cyber Risk News

Cost of Insider Threats Rises 31%

Thu, 01/30/2020 - 14:49

New research released yesterday by the Ponemon Institute reveals a dramatic increase in both the frequency of insider threats and their financial cost to businesses since 2018.  

The report, "2020 Cost of Insider Threats: Global," shows that the average global cost of insider threats rose by 31% in two years to $11.45m, and the frequency of incidents spiked by 47% in the same time period.

To gather data for the study, researchers talked to 964 IT and security practitioners at 204 organizations in North America, Europe, the Middle East, Africa, and Asia-Pacific. All the individuals who contributed worked at a company with a global headcount of 1,000 or more. 

Researchers learned that across all organizations in the past 12 months a total of 4,716 incidents had occurred that had been caused by an insider threat. 

For a more detailed analysis, researchers split the incidents into three different categories of threat: those caused unintentionally by negligent employees or contractors, those perpetrated by credential thieves bent on using insiders' login information to gain unauthorized access to applications and systems, and those instigated by criminal and malicious insiders out to damage an organization from within. 

Of the three profiles, credential thieves caused the most damage per incident, costing organizations an average of $871,000 per incident, three times more per incident than a negligent insider. However, credential theft accounted for only 25% of all incidents, which limited its average annual cost to $2.79m.

Negligent employees or contractors, who were found to have caused 62% of insider threats, created the highest financial burden of the profiles, costing an average of $4.58m per year. 

Malicious criminal insider threats were found to have occurred with the least frequency, making up just 14% of incidents. The financial ramifications of this rarer threat type were still significant, with researchers recording a per-incident cost of $756,000 and annual losses of $4.08m.

Proving the old adage "a stitch in time saves nine," researchers found that the longer an insider threat lingers the costlier it is to rectify. Incidents that took more than 90 days to contain cost organizations $13.71m on an annualized basis, while incidents that lasted less than 30 days cost roughly half, at $7.12m.

The study was sponsored by ObserveIT, a Proofpoint company, and IBM.

Categories: Cyber Risk News