Info Security


Apple Dropped iCloud Encryption Plans After FBI Complaint: Report

Wed, 01/22/2020 - 12:35

Apple dropped plans to offer end-to-end encrypted cloud back-ups to its global customer base after the FBI complained, a new report has claimed.

Citing six sources “familiar with the matter,” Reuters claimed that Apple changed its mind over the plans for iCloud two years ago after the Feds argued in private it would seriously hinder investigations.

The revelations put a new spin on the often combative relationship between the law enforcement agency and one of the world’s biggest tech companies.

The two famously clashed in 2016 when Apple refused to engineer backdoors in its products that would enable officers to unlock the phone of a gunman responsible for a mass shooting in San Bernardino.

Since then, FBI director Christopher Wray, attorney general William Barr and, most recently, Donald Trump have taken Apple and the wider tech community to task for failing to budge on end-to-end encryption.

Silicon Valley argues that it’s impossible to provide law enforcers with access to encrypted data in a way which wouldn’t undermine security for hundreds of millions of law-abiding customers around the world.

They are backed by world-leading encryption experts, while on the other side, lawmakers and enforcers have offered no solutions of their own to the problem.

Apple’s decision not to encrypt iCloud back-ups means it can provide officers with access to targets’ accounts. According to the report, full device backups and other iCloud content were handed over to the US authorities in 1568 cases in the first half of 2019, covering around 6000 accounts.

Apple is also said to have handed the Feds the iCloud backups of the Pensacola shooter, whose case sparked another round of calls for encryption backdoors from Trump and others.

It’s not 100% clear whether Apple dropped its encryption plan because of the FBI complaint, or whether more mundane usability issues were the cause. Android users are said to be able to back up to the cloud without Google being able to access their data.

Categories: Cyber Risk News

Microsoft Exposes 250 Million Call Center Records in Privacy Snafu

Wed, 01/22/2020 - 11:00

Microsoft briefly exposed call center data on almost 250 million customers via several unsecured cloud servers late last year, according to researchers.

Bob Diachenko spotted the major privacy snafu a day after databases across five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.

Each contained a seemingly identical trove of Microsoft Customer Service and Support (CSS) records spanning a 14-year period. The records included phone conversations between service agents and customers dating back to 2005, all password-free and completely unprotected, according to Comparitech.

Most personally identifiable information (PII) was redacted from the records, but “many” apparently contained customer email and IP addresses, support agent emails and internal notes and descriptions of CSS cases.

This presented not just a phishing risk but a valuable collection of data for tech support scammers who impersonate call center agents from Microsoft and other companies to install malware on victim machines and steal financial data.

“With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets,” explained Comparitech’s Paul Bischoff.

“If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.”

However, Microsoft was praised for acting swiftly to lock down the exposed servers.

After being informed by Diachenko on December 29, the firm had secured all data by December 31.

Microsoft is just the latest in a long line of companies that have exposed sensitive consumer data through cloud misconfigurations.

These include Choice Hotels, Honda North America, Adobe and Dow Jones.

Sometimes the leaks come from suspected cyber-criminals. Back in December, over one billion email and password combos were exposed via an unsecured Elasticsearch database, with many collected from a previous 2017 breach.

Categories: Cyber Risk News

Campaigners Threaten ICO with Legal Action for AdTech Failings

Wed, 01/22/2020 - 10:30

Campaigners are threatening to take the Information Commissioner’s Office (ICO) to court for failing to enforce data protection laws in tackling what they see as widespread illegality in the adtech industry.

The Open Rights Group (ORG) responded to an update from the ICO last Friday detailing what action has been taken since the latter’s June 2019 report raised serious concerns about real-time bidding (RTB).

RTB is the process where website publishers auction space on their pages to advertisers in near real-time. However, that process often involves the advertiser seeing detailed information about the individual web user they want to reach, including their browsing history and perceived interests.

The ICO duly raised multiple concerns in its report claiming: the methods of obtaining informed consent from data subjects are often insufficient; privacy notices lack clarity; and that the scale of data profiling and sharing is “disproportionate, intrusive and unfair.”

It also argued that the widespread use of contractual agreements to protect how bid request data is shared, secured and deleted is inappropriate given the scale of the supply chain and type of data shared.

However, in an update last week, the ICO seemed to hold back from enforcing GDPR and other relevant laws, choosing instead to focus on positive steps taken by Google and the Internet Advertising Bureau (IAB) to act on its concerns.

That’s not good enough for the ORG’s executive director, Jim Killock, who filed an initial complaint with the ICO regarding RTB practices 16 months ago.

"The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance,” he argued.

"Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.”

Killock and co-complainant Michael Veale, a lecturer in digital rights and regulation at UCL, are now considering whether to take legal action against the regulator for failing to act, or individual companies for breaking the law.

“When an industry is premised and profiting from clear and entrenched illegality that breach individuals' fundamental rights, engagement is not a suitable remedy,” argued Veale. “The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”

However, the ICO’s primary impulse has always been to educate rather than punish the industry, so it’s likely that harsher enforcement measures will eventually come for those in the adtech ecosystem that fail to change their ways.

“The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same,” argued ICO executive director for technology and innovation, Simon McDougall.

“I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilize its wider powers.”

Categories: Cyber Risk News

KnowBe4 Donates $250,000 to Stetson University College of Law

Wed, 01/22/2020 - 09:24

Security awareness training provider KnowBe4 has donated $250,000 to Stetson University College of Law, Florida’s first law school.

The donation includes:

  • Creation of the KnowBe4 Cybersecurity Law Scholarship Fund, which will provide $5000 merit-based scholarships for the next five years;
  • Creation of the KnowBe4 Cybersecurity Law Program Fund to support the establishment and growth of the cybersecurity law program at Stetson Law;
  • A subscription to KnowBe4’s diamond-level new-school security training platform to enhance security and data protection awareness among Stetson’s staff, faculty and students.

“We see this donation as a great opportunity to contribute to and build our community,” said Stu Sjouwerman, CEO of KnowBe4. “It’s also an opportunity to help fulfill the need to educate and train more cybersecurity talent. We’re excited to work with Stetson University College of Law to help develop an entire collegiate program that’s focused on cybersecurity in the Tampa Bay area.”

The agreement includes the creation of other initiatives, such as a weekend course on the topics of cybersecurity and data privacy for Stetson Law students, speaking events, student-led research, student organizations, internship opportunities for law students and providing general support for business law initiatives at Stetson Law with cyber-law course offerings and other resources related to cybersecurity law.

“We strive to be at the forefront of all that we do at Stetson Law – whether it is educating students in emerging areas of law or ensuring our faculty and staff are highly trained in new technology – so this collaboration with KnowBe4 is a fantastic opportunity to advance both our mission and theirs,” added Michèle Alexandre, dean of Stetson University College of Law.

Categories: Cyber Risk News

Surge in Ships Seeking Cybersecurity Classification

Tue, 01/21/2020 - 17:24

A leading offshore safety and verification body has reported a rapid rise in the number of ships seeking to gain a cybersecurity classification. 

Ship classification society Bureau Veritas Marine & Offshore (BV) says it has seen a surge in the number of ships applying for its "Cyber Managed" notation. The notation is based on BV's rule NR659 on cybersecurity for the classification of marine units, which was co-developed with marine security experts.

To be awarded a "Cyber Managed" class notation, ships must show that the design, construction, commissioning, and maintenance of their onboard computer-based systems are in line with existing cybersecurity best practices and standards, such as IMO MSC-FAL.1/Circ.3, NIST, and BIMCO.

A BV spokesperson said: "Cyber Managed works because it is based on a security risk assessment developed from an initial mapping of onboard systems that results in a practical set of requirements.

"The initial risk analysis and mapping exercise can be performed either during the newbuilding phase or at any time during the lifecycle of the vessel. As such, the notation is applicable to both new and existing ships."

As part of the risk assessment process, all the ship's onboard handbook and onshore security policies are reviewed by BV. Vessels are then surveyed to ensure that the documentation they supplied accurately reflects the condition of the hardware installed. 

The notation doesn't require new equipment to be fitted to the ship, but rather it works by mitigating risk through protecting remote access and network connections. This can often be achieved through software updates. 

According to BV, shipowners in Greece have been pioneers in applying the notation, which is now gaining traction across the entire maritime ecosystem with other shipowners, ship managers, charterers, insurers, and offshore operators. By the end of January 2020, BV predicts that more than 100 ships will be operating under the "Cyber Managed" notation.

"We see that shipowners are willing to invest in ensuring they are addressing cyber-risks, and their charterers are increasingly interested as well," said Paillette Palaiologou, vice president for the Hellenic Black Sea & Adriatic Zone, Bureau Veritas. 

"We are seeing interest from insurers as well—and that this notation can be expected to be a factor in the response of underwriters’ assessment of risk."

Categories: Cyber Risk News

US Cybersecurity Firm Founder Admits Funding DDoS Attacks

Tue, 01/21/2020 - 16:28

An American businessman who co-founded a cybersecurity company has admitted to hiring criminals to carry out cyber-attacks against others.

Tucker Preston, of Macon, Georgia, confessed to having paid threat actors to launch a series of distributed denial-of-service (DDoS) attacks between December 2015 and February 2016. 

DDoS attacks prevent a website from functioning by bombarding it with so much junk internet traffic that it can't handle visits from genuine users.

In a New Jersey court last week, 22-year-old Preston pleaded guilty to one count of damaging protected computers by transmission of a program, code, or command. Preston admitted to causing at least $5,000 of damage to the business he targeted. 

"In or around December 2015, Preston arranged for an entity that engages in DDoS attacks to initiate attacks against a company. The entity directed DDoS attacks against the victim company, causing damage and disrupting the victim’s business," wrote the Department of Justice in a statement released on January 16.

The count to which Preston pleaded guilty is punishable by a maximum penalty of 10 years in prison and a fine of up to $250,000 or twice the gross gain or loss from the offense.

US Attorney Craig Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Gregory W. Ehrie in Newark, New Jersey, with the investigation that led to Preston's guilty plea.

The identity of the company that Preston paid criminals to attack has not been revealed, but Carpenito has confirmed that the targeted business had servers in New Jersey. 

Preston co-founded the cloud-based internet security and performance company BackConnect Security LLC, which claims to be "the new industry standard in DDoS mitigation" and is currently online using an invalid certificate. 

Preston was featured in the 2016 KrebsOnSecurity story "DDoS Mitigation Firm Has History of Hijacks," which detailed how BackConnect Security LLC had developed the unusual habit of hijacking internet address space it didn't own in a bid to protect clients from DDoS attacks. 

Preston will reappear before the court on May 7 for sentencing.

Categories: Cyber Risk News

Scottish Police Deploy Tech That Extracts Data from Locked Smartphones

Tue, 01/21/2020 - 15:44

Police Scotland has announced plans to establish "cyber kiosks" that will allow officers to scan locked smart devices for evidence. 

The 41 new kiosks will be located in police stations across local policing divisions, where they will be operated by over 400 specially trained officers.

Each kiosk is essentially a desktop computer capable of performing data extraction, transfer, and analysis. The extraction devices are manufactured by Israeli company Cellebrite and are used around the world to retrieve data from cell phones, drones, and other types of digital technology.

Police Scotland said the Cellebrite devices will speed up their workflow and get smartphones that are found not to contain any information pertinent to an investigation back into their owners' hands more quickly. 

"The technology allows specially trained officers to triage mobile devices to determine if they contain information that may be of value to a police investigation or incident. This will allow lines of inquiry to be progressed at a much earlier stage and devices that are not relevant to an investigation to be returned quicker," said Police Scotland.

Scottish police purchased the Cellebrite devices two years ago; however, legal concerns over how the technology may impact the public's right to privacy have delayed their deployment. 

The Scottish Human Rights Commission and Privacy International have each said that the legal powers under which Police Scotland will operate the new technology are "not sufficiently clear, foreseeable or accessible."

Privacy International has expressed concerns over "the failure of Police Scotland to carry out impact assessments" in relation to the new technology.

Deputy Chief Constable Malcolm Graham has said that the technology will only be used by the police where there is a "legal basis and where it is necessary, justified and proportionate" to an incident or crime under investigation.

Graham said: "Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever.

"Current limitations however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them. By quickly identifying devices which do and do not contain evidence, we can minimize the intrusion on people’s lives and provide a better service to the public."

Categories: Cyber Risk News

Hong Kong Looks to GDPR as it Strengthens Privacy Laws

Tue, 01/21/2020 - 11:35

Hong Kong is set to follow the lead of European regulators in applying tougher penalties for data protection infractions, following a serious breach at airline Cathay Pacific in 2018.

Proposed amendments to the regional government’s Personal Data (Privacy) Ordinance, which cited the GDPR, would see fines levied as a percentage of global turnover, according to reports.

The privacy commissioner may even be given powers to levy fines immediately depending on the severity of an incident, without first needing to issue an enforcement notice.

The proposals would also mandate breach notifications to the commissioner within five days, a couple of days longer than GDPR rules but still an improvement on the current situation.

The breach of Hong Kong’s national carrier two years ago, which affected over nine million customers, shone a light on the inadequacies of the Special Administrative Region (SAR)’s existing data protection regime.

It took Cathay seven months to report the incident, although it was under no legal obligation to do so at all.

The privacy commissioner was powerless to levy fines: instead, the only option was an enforcement notice citing violation of privacy laws and ordering the firm to improve its cybersecurity posture. Failure to comply with the order leads to a fine of just HK$50,000 ($6433).

Rights groups have written to Hong Kong’s Legislative Council (LegCo), arguing that the proposals still don’t go far enough.

“The government’s current proposal is too narrow, and LegCo now has a critical opportunity to strengthen this outdated law and bring it closer to better models, such as Europe’s privacy laws,” said Sophie Richardson, China director at Human Rights Watch (HRW).

“Strong protections on how people’s personal data can be collected and used will help assuage fears that mass surveillance tactics used elsewhere could spread to Hong Kong.”

HRW also wants to see the definition of personal data under the ordinance broadened, and a distinction to be made between general personal data and sensitive data, with the latter subject to stricter conditions.

It also argued for stronger rights for data subjects over how their data is used: for example, mandating firms to obtain explicit consent before using personal data, and empowering individuals to have data erased if they choose.

Such elements are all key parts of the GDPR. Various parts of the EU regulation can also be found in the new California privacy law, CCPA.

Categories: Cyber Risk News

UK Gov Database Leak Exposes 28 Million Children

Tue, 01/21/2020 - 10:55

The UK government is facing urgent questions after it was revealed that betting companies were given access to a Department for Education (DfE) database containing personal information on 28 million children.

Known as the Learning Record Service, the database stores information on students in England, Wales and Northern Ireland who choose to take post-14 qualifications such as GCSEs.

However, according to a report in The Sunday Times, a data intelligence firm known as GB Group was able to sign an agreement with a third-party company to access the data. GB Group’s clients include gambling firms such as Betfair and 32Red, which apparently used the data for age and ID verification on their websites.

The third party, Trust Systems Software (Trustopia), denies providing database access to GB Group. Both GB Group and the DfE are investigating the reports, with the latter having reportedly disabled access to the data trove and informed the privacy watchdog, the ICO.

“This was completely unacceptable and we have immediately stopped the firm’s access and ended our agreement with them. We will be taking the strongest possible action,” a spokesperson told the paper.

The children’s commissioner for England, Anne Longfield, reportedly said she was “very shocked to learn that data has been handed over in this way.”

Although the information used by the betting firms appears to have been limited, given it covers a huge number of children, the incident could well lead to a significant GDPR investigation by the ICO.

“This is not just a security breach, but a breach of trust, where there is an expectation of fair, lawful and transparent uses of the data by everyone who has access to it — which in this case has not happened,” argued KnowBe4 security awareness advocate, Javvad Malik.

“In all of this, the responsibility sits squarely with the Department for Education, which has collected vast amounts of children's data for nearly a decade with apparently little oversight.”

Categories: Cyber Risk News

Zero-Day IE Bug is Being Exploited in the Wild

Tue, 01/21/2020 - 10:06

Both Microsoft and the US government are warning computer users of a critical remote code execution (RCE) vulnerability in Internet Explorer, which is currently being exploited in the wild.

The zero-day bug, CVE-2020-0674, exists in the way the scripting engine handles objects in memory in IE, according to a Microsoft advisory updated over the weekend.

Attackers could send phishing emails to victims, tricking them into visiting a specially crafted website designed to exploit the flaw through IE, Redmond claimed.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” it continued.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The vulnerability affects IE versions 9, 10 and 11 running on all Windows desktop and server versions, including the no-longer supported Windows 7 and Server 2008.

Despite admitting that the flaw is being exploited in “limited targeted attacks,” Microsoft has yet to release an emergency patch. Instead, it detailed a set of temporary mitigations which revolve around restricting access to the legacy JScript scripting engine library, JScript.dll, in which the vulnerable code resides.

Carl Wearn, head of e-crime at Mimecast, advised organizations to enforce the use of alternative browsers until the issue is fixed.

“In addition to the threat from this zero-day vulnerability, I would also be wary of using IE at present due to the current resurgence in the use of exploit kits specifically designed to exploit IE vulnerabilities,” he added.

“Ransomware threat actors in particular are currently utilizing exploit kits such as Fallout and Spelevo. While posing no threat to other browsers these exploit kits will likely compromise any Windows machine utilizing Internet Explorer if it visits a compromised website.”

IE versions still have a combined global market share of over 5%, according to the latest figures from December 2019.

Categories: Cyber Risk News

US Could Appoint a Cybersecurity Leader for Each State

Mon, 01/20/2020 - 17:50

The USA is considering legislation that would protect local governments by requiring the appointment of a cybersecurity leader for each state.

Backers of the Cybersecurity State Coordinator Act of 2020 say the proposed law will improve intelligence sharing between state and federal governments and speed up incident response times in the event of a cyber-attack.

Under the legislation, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency would be tasked with appointing an employee of the agency in each state to serve as cybersecurity state coordinator. 

Money to create these positions would come from the federal government, which would be required to ring-fence the necessary funding. 

The role of each state coordinator would be multifaceted, combining elements of training, advisory work, and program development.

Each leader would serve as a principal federal cybersecurity risk advisor, coordinating efforts to prepare for, respond to, and remediate cyber-attacks. Another core responsibility would be to raise awareness of the financial, technical, and operational resources available to nonfederal entities from the federal government.

Coordinators would be expected to support training, exercises, and planning for continuity of operations to expedite as swift a recovery as possible from cybersecurity incidents. Furthermore, they would be called on to assist nonfederal entities in developing and coordinating vulnerability disclosure programs consistent with federal and information security industry standards.

"State, local, Tribal, and territorial entities face a growing threat from advanced persistent threat actors, hostile nation states, criminal groups, and other malicious cyber actors," reads the bill. "There is an urgent need for greater engagement and expertise from the Federal Government to help these entities build their resilience and defenses."

The bill, which has attracted bi-partisan support, was introduced by Senators Maggie Hassan and Gary Peters and is co-sponsored by senators John Cornyn of Texas and Rob Portman of Ohio.

Portman said: "This bipartisan bill, which creates a cybersecurity state coordinator position, would help bolster state and local governments' cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs."

Categories: Cyber Risk News

Possessing Ransomware Could Become Illegal in Maryland

Mon, 01/20/2020 - 16:29

Lawmakers in the state of Maryland are considering making it a criminal offense to be in possession of ransomware. 

A bill was introduced on Tuesday, January 14, that seeks to penalize Marylanders who knowingly possess the malware and intend to use it to cause harm. The bill also grants victims of a ransomware attack the right to sue the hacker for damages in civil court. 

The state has already outlawed the use of malicious technology to extort money out of victims. Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee last week, would make it a misdemeanor to be in possession of ransomware with the intent to use it in a malicious manner.

Any person convicted of this misdemeanor could face 10 years in prison and/or a fine of up to $10,000. 

The proposed law would not apply to cybersecurity researchers who may be in possession of ransomware for innocent research purposes.

Senator Susan Lee, who is the lead sponsor of the bill, said that it "gives prosecutors tools to charge offenders.”

Assuming a remarkable level of naiveté on the part of cyber-criminals who use ransomware to extort vast sums of money from organizations and individuals, Lee said that it was "important to establish [the bill] so criminals know it’s a crime."

In January 2019, the Salisbury, Maryland, police department suffered a ransomware attack that prevented officers from accessing the department's computer network. Four months later, Baltimore, the state's largest urban conurbation, was hit by a ransomware attack that is estimated to have cost around $18m. 

Possessing ransomware is already a criminal offense in several US states, including Michigan and California. The fight against ransomware was led by Wyoming, which in 2014 became the first state to make it illegal to possess ransomware, spyware, adware, keyloggers, and several other types of malware.

There's no denying that ransomware is causing problems in the United States. In 2019 alone, this category of malware impacted at least 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts, with estimated costs of $7.5bn.

According to a ransomware report by cybersecurity firm Emsisoft, "the only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid."

Categories: Cyber Risk News

Mitsubishi Electric Discloses Information Leak

Mon, 01/20/2020 - 15:29

Japanese company Mitsubishi Electric has today disclosed an information leak that occurred over six months ago. 

The century-old electronics and electrical equipment manufacturing firm announced the breach by issuing a brief statement on its website.

An official internal investigation was launched after suspicious activity was observed taking place on June 28, 2019. The company said that upon noting the unusual behavior on the network, measures were immediately taken to restrict external access. 

According to press reports, hackers accessed servers and computers at Mitsubishi headquarters and other offices belonging to the company in a large-scale cyber-attack.

Mitsubishi said: "We have confirmed that our network may have been subject to unauthorized access by third parties and that personal information and corporate confidential information may have been leaked to the outside."

Mitsubishi announced the breach today after it was reported by two newspapers, the Asahi Shimbun and Nikkei. A theory put forward by both local papers is that the attack was initiated by a cyber-espionage group with links to the People's Republic of China. 

While Nikkei reported that hackers swiped 200 MB of information from Mitsubishi, the manufacturer claims that its investigation of the incident uncovered no evidence that any sensitive data connected to its business partners or government defense contracts had been stolen or misused. 

In a statement no doubt intended to reassure Mitsubishi's corporate partners, the company wrote: "As a result of an internal investigation, it has been confirmed that sensitive information on social infrastructure such as defense, electric power, and railways, highly confidential technical information, and important information concerning business partners has not been leaked."

When announcing the incident, Mitsubishi didn't explain why it had waited so long after discovering the breach to go public with the news. However, the inclusion of the comment "to date, no damage or impact related to this matter has been confirmed" could imply that the company chose to hold back information until it had a clear idea of what the effects of the breach might be.

Japan's chief cabinet secretary Yoshihide Suga said the government had been informed of the cybersecurity breach and that there was no leak of information related to defense equipment or to the electric power sector.

Categories: Cyber Risk News

€114m in Fines Imposed by Euro Authorities Under GDPR

Mon, 01/20/2020 - 13:01
€114m in Fines Imposed by Euro Authorities Under GDPR

Data protection regulators have imposed €114m ($126m/£97m) in monetary fines under the GDPR for a wide range of infringements, according to new findings from DLA Piper.

Whilst not all fines were related to data breach infringements, DLA Piper’s latest GDPR Data Breach Survey found that more than 160,000 data breach notifications have been reported across the 28 European Union Member States since the GDPR came into force on May 25, 2018.

In terms of the total value of fines issued by geographical region, France (€51m), Germany (€24.5m) and Austria (€18m) topped the rankings, whilst the Netherlands (40,647), Germany (37,636) and the UK (22,181) had the highest number of data breaches notified to regulators.

The highest GDPR fine to date was €50m, imposed by the French data protection regulator on Google, for alleged infringements of the transparency principle and lack of valid consent. Earlier this year, the UK ICO published intentions to fine British Airways £183.39m and Marriott £99m following two high profile data breaches, although neither fine has been finalized at the time of writing.

Ross McKean, a partner at DLA Piper specializing in cyber and data protection, said: “GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year’s report and regulators have been busy road-testing their new powers to sanction and fine organizations.

“The total amount of fines of €114m imposed to date is relatively low compared to the potential maximum fines that can be imposed under GDPR, indicating that we are still in the early days of enforcement. We expect to see momentum build with more multi-million Euro fines being imposed over the coming year as regulators ramp up their enforcement activity.”

Categories: Cyber Risk News

Travelex Begins Reboot as VPN Bug Persists

Mon, 01/20/2020 - 11:18
Travelex Begins Reboot as VPN Bug Persists

Under-fire foreign currency firm Travelex has claimed its first customer-facing services in the UK have gone live after a crippling ransomware attack in December, with experts suggesting an unpatched VPN bug may have been to blame.

The London-headquartered business has been slammed by customers after the suspected Sodinokibi (REvil) ransomware struck on December 31, forcing it to take systems offline as a precautionary measure.

Several complained that the foreign currency they ordered and paid for online is unavailable, leaving them out of pocket. The outage affected not just Travelex’s websites but its bricks-and-mortar outlets and services it provides to major UK high street banks such as Barclays and RBS.

However, the firm claimed in an update on Friday it has been working hard this month to restore online and customer-facing systems.

“On 17 January 2020, we confirmed that the first of our customer-facing systems in the UK were live and that the phased restoration of our systems globally was now firmly underway. We are prioritizing the UK as this is our single largest market,” it said.

Although unconfirmed, security experts believe that an unpatched critical vulnerability in Pulse Secure VPNs (CVE-2019-11510) may have allowed attackers to remotely execute malicious code on Travelex IT systems.

Troy Mursch of Bad Packets claimed to have reached out to the firm in September to flag the software flaw, which has a CVSS score of 10.0, but received no response.

On Friday, he said that there are still over 3000 vulnerable Pulse Secure VPN servers out there. That’s bad news because the bug is seeing “wide exploitation,” despite the fact that a patch has been available since April 2019, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

“A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server. The attacker may be able to gain access to all active users and their plain-text credentials,” CISA said of CVE-2019-11510.

“It may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.”

Although Travelex maintains that there is “no evidence that any data has left the organization,” the hackers behind the $6 million ransom demand have claimed they exfiltrated 5GB of sensitive customer data last year.

Categories: Cyber Risk News

London Councils Lose Nearly 1300 Devices Over Three Years

Mon, 01/20/2020 - 10:45
London Councils Lose Nearly 1300 Devices Over Three Years

The number of London councils reporting lost or stolen mobile computing devices has more than doubled over the past three financial years, according to new Freedom of Information (FOI) data.

Think tank Parliament Street compiled responses from 23 out of the 31 local borough councils that operate across the UK capital.

It found that a total of 1293 devices were lost or stolen over the three financial years from 2016, including laptops, mobile phones and tablets. The figure jumped from 304 in 2016-17 to 635 in 2018-19, a 109% increase.

Phones went missing most often, accounting for 951 lost or stolen devices over the period. The figure rose 122%, from 215 in 2016-17 to 478 in 2018-19.

Laptop losses also almost doubled over the period, from 64 to 124, while tablet losses increased slightly from 26 to 33.

Lambeth was most affected by missing devices, recording 281 losses, 84% of which were mobile phones. Next came Brent (170) and Richmond and Wandsworth (123). Richmond and Wandsworth, which reported together, saw a 666% increase in lost and stolen devices, while the figure stood at 74% in Brent.

Absolute Software EMEA VP, Andy Harcup, warned that the rise of flexible working combined with opportunistic thieves is increasing the risk of confidential public sector data going missing.

“If said device ends up in the wrong hands, these councils and the constituents they serve could be facing severe consequences, including a major data breach with citizen details finding their way onto the dark web,” he added.

“It's time for all organizations to wake up to the very real risks posed by stolen devices in terms of data security. Every single council should have robust end-point security measures in place to ensure that devices reported missing can be accessed, tracked, deleted and frozen appropriately.”

Categories: Cyber Risk News

Citrix Patches ADC Bug as Attacker Hoards Access

Mon, 01/20/2020 - 10:15
Citrix Patches ADC Bug as Attacker Hoards Access

Citrix has begun issuing patches for a serious vulnerability in its Application Delivery Controller (ADC) product which experts have warned is being exploited in the wild.

The tech giant revealed the CVE-2019-19781 bug in ADC and its Citrix Gateway back in December. If successfully exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.

Although the firm announced a series of mitigations to help protect customers as it readied a permanent fix, researchers claimed to have discovered tens of thousands of users that were still exposed, including high value targets across verticals including finance, government and healthcare.

Part of the problem appeared to be that not all of these mitigations worked as intended. The Dutch authorities urged businesses to disable Citrix systems altogether.

With proof-of-concept exploits appearing online in recent days and reports of active attacks, Citrix appeared to accelerate the process of readying patches.

Permanent fixes for ADC versions 11.1 and 12.0 are now ready, and Citrix has “moved forward” the availability dates for the remaining versions (12.1, 13 and 10.5) to January 24. Its Citrix SD-WAN WANOP product will also be patched on the same day.

The news comes as FireEye warned it had spotted “dozens of successful exploitation attempts” against ADC deployments that had not put in place temporary pre-patch mitigations.

One particular payload, which it named “NotRobin,” appears to be hoarding access to exposed Citrix systems.

“FireEye believes that the actor behind NotRobin has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” FireEye explained.

“NotRobin mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”

Categories: Cyber Risk News

Fidelis Cybersecurity Acquired by Skyview Capital

Fri, 01/17/2020 - 17:00
Fidelis Cybersecurity Acquired by Skyview Capital

An American company dedicated to thwarting cyber-attacks has been snapped up by a global private equity firm. 

Skyview Capital, LLC announced its acquisition of Fidelis Cybersecurity, Inc yesterday. Fidelis is located in the Maryland town of Bethesda, which a 2015 NerdWallet survey found to be the most educated place in America. 

Fidelis Cybersecurity is a leading provider of network traffic analysis and of digital forensics and incident response solutions that enable enterprises and government organizations to detect, hunt, and respond to advanced threats that evade traditional security solutions.

The company counts among its 250 employees some of the world's leading cybersecurity experts, including specialists from the US Department of Defense, the intelligence community, and industry.

Solutions developed by Fidelis are delivered as standalone network, endpoint, and deception products; an integrated platform; or as a constantly operational managed detection and response service that augments existing security operations, threat hunting, and incident response capabilities.

Fidelis was acquired from a consortium of investors in a stock transaction in a deal that serves to increase Skyview's existing software technology portfolio.

"With the ever-increasing complexity of digital environments and the pace of cyber threats across the world, we see an opportunity to build upon Fidelis' impressive technology and solidify its position within the IT security industry," said Alex Soltani, chairman and CEO of Skyview. 

"This transaction aligns well with our investment philosophy of targeting and investing in mission critical technology businesses across a wide spectrum of verticals, from telecommunications to cybersecurity."

The mission of Fidelis is not set to change as a result of the acquisition. 

Soltani said: "Skyview is committed to realizing the full value of Fidelis as a safeguard against cyber threats, and we are enthusiastic about identifying both organic and inorganic growth opportunities."

Nick Lantuh, president and chief executive officer of Fidelis Cybersecurity, sees the deal as a golden opportunity for growth. 

He said: "We are excited to partner with Skyview Capital and benefit from their ability to help us take the Fidelis platform, which provides unmatched visibility and empowers security teams to rapidly respond to threats, into other markets."

Categories: Cyber Risk News

NortonLifeLock Puts Silicon Valley Real Estate Up for Sale

Fri, 01/17/2020 - 16:15
NortonLifeLock Puts Silicon Valley Real Estate Up for Sale

NortonLifeLock, formerly known as Symantec, has put ten large commercial buildings in California’s Silicon Valley on the market. 

The cybersecurity company is seeking a buyer for the properties, which are all based in the Mountain View area, close to the Google Quad Campus. The ten buildings on the market are grouped into three separate campuses, not more than a few minutes' drive from one another. 

Commercial real estate firm Cushman & Wakefield has been hired to help shift the properties, which together total 707,000 square feet. 

According to The Orange County Register, the buildings are featured in a brochure being circulated on behalf of NortonLifeLock. 

"Never before offered to the marketplace, the offering represents a generational opportunity to acquire a portfolio of 10 buildings totaling 706,737 square feet in the heart of Silicon Valley," states the brochure. 

Mountain View was the site of Symantec’s headquarters for many years, but in November the company, under its new name NortonLifeLock, relocated its operational nerve center to Tempe, Arizona. 

One of the three campuses for sale, described in the brochure as the "headquarters campus," is located at 350 Ellis Street. On this site are five buildings offering a total 428,000 square feet of office space. 

The second campus, which is made up of research and office buildings totaling 128,000 square feet, is located at 455, 487, and 501 E. Middlefield Road. The final clutch of office and research buildings, which together offer 150,000 square feet of space, is at 515 and 545 N. Whisman Road.

In an effort to keep the ten properties together, NortonLifeLock is ideally seeking a single buyer for all three campuses.

The brochure states that "it is a strong preference of the seller for one buyer to acquire the entire portfolio," however, "individual offers on the various components may be considered."

NortonLifeLock's decision to put the properties on the market comes amid a concerted effort by the company to downsize. Over the course of 2019, the company announced it would be terminating 320 jobs in Mountain View and a further 82 in San Francisco.

Categories: Cyber Risk News

Teen Charged Over $50m SIM-Swapping Scam on Blockchain Experts

Fri, 01/17/2020 - 15:25
Teen Charged Over $50m SIM-Swapping Scam on Blockchain Experts

A teenager from Montreal is facing four criminal charges in connection with a $50m SIM-swapping scam that targeted two renowned Canadian Blockchain experts. 

Eighteen-year-old hacker Samy Bensaci is accused of being part of a crime ring that stole millions of dollars in crypto-currency by gaining unauthorized access to the cell phones of crypto-currency holders in America and Canada. 

Spokesperson for the Canadian police force, the Sûreté du Québec, Lieutenant Hugo Fournier, said the elaborate SIM-swapping cyber-fraud was responsible for the theft of "$50 million from our neighbors to the south and $300,000 in Canada."

Police say the crypto-currency thefts, which netted dozens of victims, were perpetrated by the gang in the spring of 2018. 

Among the alleged victims are renowned Toronto businessman, author, and head of the Blockchain Research Institute Don Tapscott and his son Alex, a globally recognized investor, advisor, and speaker on Blockchain technology and crypto-currencies. Together, father and son co-authored Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World.

Bensaci was arrested in Victoria, British Columbia, in November and charged with fraudulently obtaining computer service, committing fraud over $5,000, identity fraud, and illegally accessing computer data. In December, the teen was released on $200,000 bail and ordered to live with his parents in northeast Montreal until his next court hearing.

According to La Presse, neighbors described Bensaci as a discreet young man who spends a lot of time on his computer.

While staying at his parents' residence, Bensaci is prohibited from accessing "any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet," and banned from possessing or exchanging any form of crypto-currency. 

Many of the individuals allegedly targeted by the gang had attended the Consensus crypto-currency fair, held annually in New York.

"We suspect that hackers spot targets during such events," said American SIM-swapping victim Rob Ross. Ross, who was robbed of $1m in crypto-currency in two separate attacks by 21-year-old hacker Nicholas Truglia, now manages the website.

Ontario Provincial Police sent out an alert regarding the SIM-swap scam in November, along with a warning that fraudsters sometimes impersonate a target and falsely claim that their phone has been lost or stolen.

Categories: Cyber Risk News