Info Security


ECU Student Charged with Cyber-Stalking

Fri, 10/08/2021 - 19:37

A student at East Carolina University has been charged with cyber-stalking after allegedly posing as a member of a rival fraternity to upload a racist post to social media.

A police investigation was launched after an offensive message, purporting to be from the university's Theta Chi chapter, was uploaded anonymously to Yik Yak in August. 

The post read:  "Theta Chi rush party, PNMs (potential new members) and girls only. No blacks. Girls 5$ @door. Call or text."

The party invitation then listed the name and contact information of a genuine member of the Theta Chi fraternity. 

The rush event mentioned in the post never took place, and the members of Theta Chi fraternity have denied having anything to do with the Yik Yak post. 

Officers at the Greenville Police Department traced the Yik Yak invite to James Daniel Edwards IV, a black 19-year-old political science major at ECU.

Edwards was charged with cyber-stalking and turned himself in to the Pitt County Detention Center on October 1. 

The investigation by Greenville PD found no affiliation between Edwards and the Theta Chi fraternity. 

“It is the Greenville Police Department’s understanding he is a member of another ECU fraternity,” said police.

In an email to McClatchy News, Greenville PD spokesperson Kristen Hunter wrote: “The motive is still under investigation; however, the post was made during Rush Week, when fraternities try to recruit members, so we believe that was a factor.”

According to The Finger Lake Times, East Carolina University said that Edwards is a member of the Pi Lambda Phi fraternity. On Pi Lambda Phi’s website, Edwards is reportedly listed as vice president of recruitment for the fraternity.

Edwards told news source WITN that he couldn't comment on the incident until he had obtained a lawyer. 

In a statement, East Carolina University said: “We appreciate the efforts of the Greenville Police to identify the individual who made the post and to clear the name of the student and the Theta Chi fraternity listed in the original post. We will continue to work with our students and campus to build a welcoming and inclusive community for all.”

Categories: Cyber Risk News

Brewer’s Token Gaffe Causes Massive PII Breach

Fri, 10/08/2021 - 18:24

An authentication error left the personal data of hundreds of thousands of BrewDog customers and Equity for Punks shareholders exposed for a year and a half. 

The gaffe, involving an API bearer token, was discovered by researchers at security consulting and testing company Pen Test Partners.

"Every mobile app user was given the same hard-coded API Bearer Token, rendering request authorization useless," wrote the researchers in a blog post published today.

The mistake allowed any user to access the personally identifiable information (PII) belonging to any other user. Other information exposed in the incident included users' shareholding details and bar discount entitlements.

Researchers said that the details of over 200,000 shareholders "plus many more customers" were exposed "for over 18 months."

The token error left BrewDog vulnerable to theft, according to researchers, who noted that shareholders can claim a free beer in the three days before or after their birthday under the terms of the Equity for Punks scheme. 

"One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!" wrote the researchers.

Pen Test Partners has criticized BrewDog's handling of the cybersecurity issue, claiming that "disclosure was rather fraught."

"Instead of being ‘cool’ as we had hoped, given their reputation as being a bit counter-culture, BrewDog instead declined to inform their shareholders and asked not to be named," said Pen Test.

The security consulting company added: "It took four failed fixes to properly resolve the problem."

Michael Isbitski, technical evangelist at Salt Security, told Infosecurity Magazine: "BrewDog all but laid out customers’ private information on a silver platter for attackers.”

Isbitski said that instead of using the kind of dynamic, expiring authorization tokens typically seen within a proper OAuth2 implementation, the brewer used static authorization tokens, which were hard coded within the application source code. 

"Those static tokens granted access to BrewDog’s back-end APIs, which attackers could call directly to extract data," said Isbitski. 

"Additionally, BrewDog used account identifiers which could be easily predicted, making it a trivial task for an attacker to enumerate through user accounts and siphon PII."
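The two weaknesses Isbitski describes, a single static bearer token and predictable account identifiers, combine into a textbook insecure direct object reference (IDOR) enumeration. The Python below is an added illustration written for this page; it is not BrewDog's code or Pen Test Partners' proof of concept, and the customer records, the token value and the endpoint functions are all constructed for the example. It puts the vulnerable check beside a hardened one that issues a random, short-lived token bound to one subject and refuses to serve a record that subject does not own.

```python
import secrets
import time

# Constructed sample records keyed by sequential, predictable customer IDs (not real data).
CUSTOMERS = {
    1001: {"name": "Alice", "dob": "1990-05-01", "shares": 12},
    1002: {"name": "Bob", "dob": "1985-11-23", "shares": 3},
}

# --- Vulnerable pattern: one static token compiled into every copy of the app ---
HARDCODED_TOKEN = "app-shared-token-123"  # hypothetical value; identical for all users


def vulnerable_get_customer(auth_header, customer_id):
    """Checks only that *a* token was presented, never *whose* token it is."""
    if auth_header != f"Bearer {HARDCODED_TOKEN}":
        return 401, None
    rec = CUSTOMERS.get(customer_id)
    return (200, rec) if rec else (404, None)


# --- Hardened pattern: random, expiring, per-user tokens plus an ownership check ---
_SESSIONS = {}  # token -> (customer_id, expiry_epoch)


def issue_token(customer_id, ttl_seconds=900, now=None):
    """Mint a 256-bit random token bound to one customer, valid for ttl_seconds."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = (customer_id, now + ttl_seconds)
    return token


def hardened_get_customer(auth_header, customer_id, now=None):
    """Authenticate the token, reject it if expired, then authorize against the record owner."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, None
    presented = auth_header[len("Bearer "):]
    session = _SESSIONS.get(presented)
    if session is None:
        return 401, None
    subject, expiry = session
    if now >= expiry:
        _SESSIONS.pop(presented, None)  # expired tokens are discarded, not honoured
        return 401, None
    if subject != customer_id:
        return 403, None  # token is valid but does not own this record: IDOR blocked
    rec = CUSTOMERS.get(customer_id)
    return (200, rec) if rec else (404, None)


def enumerate_accounts(handler, auth_header, id_range):
    """Attacker's view: walk the predictable ID space and keep every record the API returns."""
    leaked = {}
    for cid in id_range:
        status, rec = handler(auth_header, cid)
        if status == 200:
            leaked[cid] = rec
    return leaked
```

Run `enumerate_accounts` against the vulnerable handler with the shared token and every record comes back; run it against the hardened handler and the caller only ever gets their own record, with everything else answered 403. The ownership check is the fix that matters: rotating to per-user tokens alone would still leak if the handler never compared the token's subject to the ID in the URL.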

Categories: Cyber Risk News

US Shutters Psychic Mass Mail Fraud

Fri, 10/08/2021 - 16:50

An international psychic mail fraud scheme that sold the promise of good fortune to tens of thousands of victims has been shut down by a United States court.

Earlier today, the US District Court for the Southern District of Florida entered a permanent injunction against three residents of France and two corporate defendants who had been carrying out the highly lucrative scheme.

According to a complaint, Robert Lhez, Mireille Dayer and Julie Poulleau, using Arcana Center, a company in Delaware, and a Swiss corporation named Partners VAD International Sàrl, mailed hundreds of thousands of solicitations to victims in the United States.

The mailouts were purportedly sent on behalf of companies or individuals offering psychic, clairvoyant, or astrological services. 

Individuals targeted by the scheme were told that they would come into some money soon if they paid an upfront fee. However, none of the victims who handed over their cash received any of the promised benefits.

"These solicitations were riddled with false and misleading statements that gave the false impression that in exchange for payment of a small fee, typically of $45 or $50, the individual recipient would come into good fortune resulting in an imminent financial windfall through the lottery, inheritance or other game of chance," said the Department of Justice Office of Public Affairs in a statement. 

Thousands of victims, most of whom were elderly or vulnerable, sent payments totaling millions of dollars to the defendants. From March 2017 to June 2018 alone, the defendants received more than $1.4m from more than 34,000 payments. 

According to Eric Shen, inspector in charge of the US Postal Inspection Service’s Criminal Investigations Group, the defendants "have been known to Postal Inspectors for years, constantly changing their fraudulent schemes in the attempt to stay one step ahead of the law.” 

Lhez, Dayer, Poulleau and the two companies are now barred from operating or otherwise engaging in a psychic mailing scheme and, more broadly, from engaging in any mass-mail or prize-promotion marketing in the United States.

Acting US Attorney Juan Antonio Gonzalez for the Southern District of Florida urged the public to question promotions that seem too good to be true and report suspected fraud to law enforcement.

Categories: Cyber Risk News

Microsoft: Russia Dominates State-Sponsored Attacks

Fri, 10/08/2021 - 09:10

Russia accounted for the majority of state-sponsored attacks over the past year, with the SolarWinds attackers dominating threat activity, according to Microsoft data.

The firm’s Digital Defense Report 2021 covers the period from July 2020 to June 2021 and details state and cybercrime activity.

Kremlin-backed raids accounted for 58% of all nation-state attacks during the period, with Nobelium (aka APT29, Cozy Bear) generating the vast majority (92%) of notifications Microsoft made to customers about attacks.

The threat group was responsible for the notorious and highly sophisticated SolarWinds campaign, which compromised at least nine US government departments.

Worryingly, Microsoft claimed that Russian state-backed attacks are increasingly successful: compromise rates jumped from 21% to 31% year on year.

They’re mainly focused on intelligence gathering from government agencies in the US, UK and Ukraine.

After Russia, the largest volume of attacks came from North Korea (23%), Iran (11%), and China (8%). It’s not always about cyber espionage: Iran has ramped up destructive attacks against Israel, while North Korea continues to generate funds by targeting cryptocurrency companies, according to Microsoft.

China appears more traditional in its intelligence-gathering activities. However, it has used a range of previously unidentified vulnerabilities to achieve these ends, particularly the Hafnium attacks on Exchange servers earlier this year.

Chinese threat groups also have a range of strategic goals but tend to focus on gleaning social, economic and political intelligence about strategic adversaries and neighboring countries.

Microsoft said it had notified customers 20,500 times about nation-state breach attempts over the past three years.

“To be clear, Microsoft does not observe every global cyber-attack. For example, we have limited visibility into attacks targeting on-premises systems that organizations manage themselves, like the Exchange Server attacks earlier this year, and attacks targeting customers of other technology providers,” it added.

“We believe sharing the data we do have on these threats is helpful to customers, policymakers and the broader security community, and we invite others to share what they’re seeing with their visibility.”

Categories: Cyber Risk News

NatWest Pleads Guilty in £400m Money Laundering Case

Fri, 10/08/2021 - 08:20

A leading UK high street bank has pleaded guilty to failing to stop a massive money-laundering operation carried out by a business customer.

Criminal charges were brought against NatWest by the regulator, the Financial Conduct Authority (FCA), under the UK’s Money Laundering Regulations 2007.

The lender, which is state-backed, entered a guilty plea at Westminster Magistrates' Court in the first case of its kind. The case covers the period between November 2012 and June 2016, during which the bank was accused of failing to monitor deposits amounting to hundreds of millions of pounds.

According to the BBC, the customer in question, Bradford-based jeweller Fowler Oldfield, was predicted to have a turnover of around £15m when NatWest onboarded it. However, it subsequently deposited £365m over the period, £264m of which was in cash, even though it was agreed the bank would not handle cash deposits.

NatWest is now likely to face a hefty fine.

John Dobson, CEO of regtech firm SmartSearch, said he hoped the case would be a wake-up call for the industry and predicted a fine above £400m.

“Change is long overdue. Despite tools being readily available to prevent this illegal activity, currently 99% of ill-gotten gains are successfully laundered by criminals, and regulated businesses need to do much more to prevent this,” he added.

“If the moral obligation to stop terrorists, drug smugglers and sex traffickers legitimizing their money isn’t enough motivation, through this case the FCA has shown it is willing to severely punish those who don’t take their responsibilities seriously.”

The scale of global money laundering is famously hard to estimate, but the UN believes it could be between 2% and 5% of global GDP annually, which today amounts to as much as $4tn or more.

However, global fines for anti-money laundering (AML) and data privacy compliance breaches fell by nearly 50% year-on-year in the first half of 2021.

Categories: Cyber Risk News

UK Firms Hit by One Attack Every 47 Seconds Over Summer

Fri, 10/08/2021 - 07:57

Cyber-attacks targeting UK firms are back on the increase, reaching a rate of one every 47 seconds over the summer, according to new data from Beaming.

The business ISP had noted a 9% year-on-year drop in the second quarter, but that now appears to have been a temporary blip: attacks between July and September were up 4% on the same period last year.

The firm said this amounts to an average of 168,975 attacks per company in the third quarter, or 1,837 per day.

IoT applications and systems attracted the most compromise attempts, amounting to 162 per day, while attempts to breach web applications increased by 21% to reach 48 per day on average.

Beaming has been recording attack traffic patterns since 2016, and Q2’s decline was the first since 2018. However, that now seems to have been merely a slight interruption of the general upward trend in attacks.

Beaming managing director, Sonia Blizzard, urged companies to remain vigilant as they transition to new hybrid working practices.

“More people are accessing company data and IT systems via personal devices and unmanaged domestic internet connections, and more data is flowing beyond traditional business boundaries that could be protected with a simple firewall,” she explained.

“There is plenty that specialist ISPs like Beaming can do to reduce the risk, but businesses need to get serious about cybersecurity too and build resilience through a combination of training, technology and documented policies.”

Her company identified over 260,000 unique IP addresses used to launch attacks on UK firms during the period, tracking a plurality of them (41,175) to China, 22,894 to the US and 16,020 to Brazil. However, that’s no indication that attacks were actually controlled from these countries, merely that compromised PCs from these locations were used.

In a study over the summer, more than half (54%) of senior executives admitted they’re struggling to adapt security policies to keep up with changes to working practices and the threat landscape.

Categories: Cyber Risk News

Smishing on the Rise

Thu, 10/07/2021 - 18:49

A new financial crime report by risk management tool developer Feedzai has found an increase in phishing scams perpetrated via text message, a practice known as smishing.

The report analyzed over 1.5 billion global transactions completed in the second quarter of 2021 to paint a picture of the state of financial crime, consumer spending habits, and the top fraud trends.

Purchase scams, where consumers pay for products or services that never arrive, topped the list of fraud scams, followed by scams involving social engineering, impersonation, and account takeover (ATO). 

Smishing, where scammers send text messages to trick consumers into clicking on dangerous links and sharing personal information, made it onto Feedzai's top five list for the very first time as the fifth most common fraud scam.

Analysis of the data also revealed a continuous move to cashless transactions, with a 146% increase in peer-to-peer (P2P) payments and a 44% decrease in cash transactions. Online transactions grew by 109% to nearly double the number of in-person or card-present transactions. 

Financial criminals have exploited the shift, with the result being that the number of online card fraud attempts increased by 23% between April and July 2021.  

“Cashless payments were already on the rise, but the pandemic accelerated all forms of digital transactions when lockdowns hit,” said Jaime Ferreira, senior director of global data science at Feedzai. 

“Millions more people experienced just how convenient digital payments and banking are when they couldn’t go to a bank branch or a restaurant or grocery store."

Ferreira warned that the convenience of cashless transactions comes with a cost. 

"Cashless transactions are not the future anymore, they are today," he said. "Financial institutions and retailers need to address the financial risk and higher complexity attacks that arise with the digital evolution.”

Researchers analyzed the rate of fraud geographically in the United States to reveal the cities with the highest increase in fraud over the past year. Las Vegas, Nevada, which has seen a fraud increase of 411%, topped the list, with New York (up 396%) and Charleston, South Carolina (up 251%) in second and third place, respectively. 

Categories: Cyber Risk News

Patching Too Tortuous for IT Pros

Thu, 10/07/2021 - 17:43

Patching vulnerabilities is too labor-intensive and convoluted a process for most IT security professionals, according to new research by Ivanti.

The Utah-based software company surveyed over 500 enterprise IT and security professionals across North America, Europe, the Middle East, and Africa about their patch management challenges. 

Nearly three-quarters of respondents (71%) found patching to be "overly complex, cumbersome, and time consuming," with more than half (54%) saying that remote work has increased the intricacy and scale of patch management.

Despite the Equifax breach and WannaCry ransomware both involving the exploitation of unpatched vulnerabilities, 62% of IT pros said that other tasks often take priority over patching. 

Patching was reported to have an impact upon productivity, with more than half (60%) of respondents saying that the process disrupts the workflow of users. 

Some 61% of IT and security professionals said that line-of-business owners ask them, at least once a quarter, to skip or delay patching in order to avoid system downtime. 

“These results come at a time when IT and security teams are dealing with the challenges of the Everywhere Workplace, in which workforces are more distributed than ever before, and ransomware attacks are intensifying and impacting economies and governments," said Srinivas Mukkamala, senior vice president of security products at Ivanti. 

"Most organizations do not have the bandwidth or resources to map active threats, such as those tied to ransomware, with the vulnerabilities they exploit." 

The research comes as Untangle's fourth annual SMB IT Security Report, based on a global survey of 740 small-to-medium businesses conducted in August, found that 80% of SMBs feel more secure now than they did last year.

Most companies surveyed (71%) named finding and fixing vulnerabilities as their most important security priority. More than half (64%) said breaches were their top security concern. 

To protect their business, most companies surveyed (73%) employ firewalls and more than half (62%) use antivirus/anti-malware protection.

“With a changing workplace landscape, and a continued rise in cyberattacks, SMBs have shifted their mindset from ‘it can’t happen to me’ to taking security threats seriously,” said Untangle CEO Scott Devens.

Categories: Cyber Risk News

#DTX2021: A Beginner's Guide to Chaos

Thu, 10/07/2021 - 16:30

What is chaos engineering, and how do you get started? What are the different types of tests, and how does it compare to other options? These were the questions that Holly Grace Williams, founder of Akimbo Core, set out to tackle during a technical session at the Digital Transformation EXPO Europe 2021.

The 'A Chaos Podcast Presents: A Beginner's Guide to Chaos' session began by highlighting Facebook's recent global outage, which lasted almost six hours. "Facebook runs 'storm' drills to ready itself to cope with outages," Williams affirmed, and this is a form of chaos engineering. 

"But what is chaos engineering?" Williams questioned. Simply, chaos engineering is the concept that "we experiment on production systems in order to build confidence in how those systems will perform under duress." 

Yet there are a lot of "incorrect" ideas circulating about what chaos engineering is and the experiments it involves. "Chaos engineers are not breaking things in production to prove production systems can handle it," she emphasized. For Williams, chaos engineers are not bringing the chaos; "the chaos is the production system." 

Examples of chaos engineering include "taking something down" — what happens when you cause a failure on some part of a system? Others include "slowing something down" — what happens if a certain system element performs slowly? 

A central benefit of chaos engineering, according to Williams, is that organizations can use it to identify weaknesses before an attacker does, or before they cause a system failure. In addition, the changes made as a result of chaos engineering tests bolster confidence in an organization's systems. With the rise in cyber threats, businesses must ensure both their physical resilience and the resilience of their IT systems, stressed Williams. 

Chaos engineering is significant in complex computing environments since these systems can break when unexpected situations occur. 

Williams mentioned that business people are not always open to the idea of "experimenting on production," a crucial part of chaos engineering. Yet, there is "vast potential" for organizations if they leverage chaos engineering. 

Shifting the focus to practical steps organizations can take to implement forms of chaos engineering, the first is to "start small." Additionally, "start in test, start on a schedule," she said. Organizations should also "build up to production."

Despite the benefits that chaos engineering introduces, there are challenges. Williams told the audience to beware of the blast radius and cascading failures. Additionally, organizations that want to experiment less frequently "are more likely to slip back into bad practices."
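As an added example, not taken from Williams's talk or from Akimbo Core, the Python below sketches the shape of a chaos experiment that follows the advice above: a steady-state hypothesis checked before and after the fault, the two fault types she names ("take something down" and "slow something down"), an agreed blast radius the experiment refuses to exceed, and a rollback that always runs. The service, its replicas, the latency figures and the success threshold are all constructed for the illustration.

```python
import random

# Constructed toy system: a pool of replicas behind a load balancer (not a real service).
class Replica:
    def __init__(self, name):
        self.name = name
        self.up = True
        self.extra_latency = 0.0

    def handle(self):
        if not self.up:
            raise ConnectionError(self.name)
        return 0.010 + self.extra_latency  # simulated response time in seconds


class Service:
    def __init__(self, replicas):
        self.replicas = replicas

    def request(self, timeout=0.050):
        # The balancer retries on connection errors but has no latency budget:
        # a down replica is skipped, a slow one is simply waited on.
        for r in random.sample(self.replicas, len(self.replicas)):
            try:
                latency = r.handle()
            except ConnectionError:
                continue
            return latency <= timeout
        return False


def steady_state(service, n=200, min_success=0.99):
    """Steady-state hypothesis: at least 99% of requests succeed within the timeout."""
    ok = sum(service.request() for _ in range(n))
    return ok / n >= min_success


# The two experiment types from the talk. Each returns a callable that undoes the fault.
def take_down(replica):
    replica.up = False
    return lambda: setattr(replica, "up", True)


def slow_down(replica, seconds=0.1):
    replica.extra_latency = seconds
    return lambda: setattr(replica, "extra_latency", 0.0)


def run_experiment(service, fault, targets, max_blast_radius):
    """Check the hypothesis, inject within the blast radius, measure, always roll back."""
    if len(targets) > max_blast_radius:
        raise ValueError("experiment exceeds the agreed blast radius")
    if not steady_state(service):
        return "aborted: steady state not met before injection"
    rollbacks = [fault(t) for t in targets]
    try:
        survived = steady_state(service)
    finally:
        for undo in rollbacks:  # rollback runs even if measurement raises
            undo()
    assert steady_state(service), "rollback did not restore steady state"
    return "passed" if survived else "failed"
```

Run against the toy service, taking one replica down passes (the balancer skips it), while slowing one replica fails, because the balancer handles crashes but never times out a slow backend. That is exactly the kind of latent weakness a "slow something down" experiment surfaces and a plain outage test would miss. The blast-radius cap and the unconditional rollback are what make it safe to move the same experiment from test towards production on a schedule.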

Wrapping up the session, an audience member asked what role AI and automation can play in chaos engineering. Williams pointed to the role AI can play in helping track the experiments organizations are performing. "Humans aren't good at randomness," she stressed. "Machine learning can help chaos engineers track and operate in different ways." Crucially, ML can also help analyze a system to find problems in it.

Categories: Cyber Risk News

US Creates National Cryptocurrency Enforcement Team

Thu, 10/07/2021 - 16:25

The United States Department of Justice (DOJ) has formed a new task force to oversee complex investigations and prosecutions of criminal misuses of crypto-currency.

The creation of a National Cryptocurrency Enforcement Team (NCET) was announced yesterday by Deputy Attorney General Lisa Monaco.

"Today we are launching the National Cryptocurrency Enforcement Team to draw on the Department’s cyber and money laundering expertise to strengthen our capacity to dismantle the financial entities that enable criminal actors to flourish – and quite frankly to profit – from abusing crypto-currency platforms,” said Monaco in a statement dated October 6. 

She added that the DOJ was "poised to root out abuse on these platforms and ensure user confidence in these systems.”

The DOJ's Office of Public Affairs said that the team's focus would be on criminal acts committed by virtual currency exchanges, money laundering infrastructure actors, and mixing and tumbling services. 

Working under the supervision of Assistant Attorney General Kenneth Polite Jr., NCET will also assist in tracing and recovering assets lost to fraud and extortion, including crypto-currency payments to ransomware gangs.

NCET will also train and advise federal prosecutors and law enforcement agencies in developing investigative and prosecutorial strategies and provide guidance on matters including search and seizure warrants, restraining orders, criminal and civil forfeiture allegations, and indictment.

“The Criminal Division is already an established leader in investigating and prosecuting the criminal misuse of crypto-currency,” said Polite. 

“The creation of this team will build on this leadership by combining and coordinating expertise across the Division in this continuously evolving field to investigate and prosecute the fraudulent misuse, illegal laundering, and other criminal activities involving crypto-currencies.”

Team members will be drawn from the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), the Computer Crime and Intellectual Property Section (CCIPS), and detailees to the Criminal Division from US Attorneys’ Offices across the country.

The search is now on for "an individual with experience with complex criminal investigations and prosecutions, as well as the technology underpinning crypto-currencies and the blockchain," to fill the role of NCET team leader, who will report to the assistant attorney general in the Criminal Division.

Categories: Cyber Risk News

#DTX2021: AI Ethics in Practice: How to Turn AI Principles Into Practical Governance and Compliance?

Thu, 10/07/2021 - 15:25

Where are we with human interaction with AI, and what impact does this currently have in terms of ethics? These were the focal topics of a panel discussion at the Digital Transformation EXPO Europe 2021.

Moderating the 'AI Ethics in Practice: How to Turn AI Principles Into Practical Governance and Compliance?' panel was Sherin Mathew, CEO and founder of Innovation Exchange, who opened the panel by discussing AI through the lens of regulation, particularly how AI regulation can become governmental policy. 

Tim Clement-Jones, co-chair of the All Party Parliamentary Group on Artificial Intelligence, emphasized that accepting the need to put AI regulation into policy is "one of the most important points to this question." "We are at a crossroads," he said. With the EU and the US already making inroads, the UK must ensure that it doesn't fall behind. The EU approach "appears to be the best model," he claimed. 

Minesh Tanna, global AI lead at law firm Simmons & Simmons and chair of the Society for Computers and Law (SCL) AI Group, concurred with Clement-Jones, praising the EU draft AI regulation as "very good since it is detailed." Ensuring that any policy is detailed will avoid significant "pitfalls." 

Another central theme of the panel concerned what steps organizations can follow to ensure that they are regulation-ready. Sara El-Hanfy, innovation lead, machine learning and data at Innovate UK, brought attention to investing in workforce skills. "Employees must have lifelong learning around AI" she claimed. Simon Greenman, partner and member of the World Economic Forum's Global AI Council, told the audience that organizations must figure out what AI they are using. Almost all attempts to regulate AI miss the critical question regarding what the AI being used is. "Figure out what AI you are using," he stressed. 

The panel discussion quickly evolved into a debate about the benefits of regulating AI. Greenman argued that the competitive advantages of AI regulation would be "immense," a view shared by Tanna, who remarked that contractual assurances are now more commonplace. In addition, ethical business practice as a paradigm was raised, with more customers shifting to ethical consumerism. This point was highlighted by El-Hanfy, who described AI regulation as an "immediate ethical opportunity." 

The final question of the session concerned best practices for businesses to get regulation-ready. Most of the panelists were in agreement with Greenman, who delineated six practices that included: 

  1. Get board-level leaders involved in the conversation 
  2. Ensure effective teamwork 
  3. Emphasize leadership visibility 
  4. Don't forget about controls 
  5. Use explainable language
  6. Be sure to have an AI "kill switch"

Wrapping up the session, Clement-Jones highlighted digital literacy. One of the most significant pitfalls in achieving AI regulation, he said, is getting those on the board level to have a better digital understanding. "Time and time again, I see this problem," he rued. "This is no good unless those sitting on a board are AI literate. AI regulation is not an issue for the future; it is an issue for the present." 

Categories: Cyber Risk News

#DTX2021: Adapt to Succeed During Times of Great Disruption, Says Astronaut Adam Steltzner

Thu, 10/07/2021 - 11:50

Astronaut Adam Steltzner, NASA JPL, outlined six principles that organizations of all sectors need to embrace in order to navigate significant changes to their environment. His insights can be seen as especially relevant to cybersecurity teams that continue to deal with the digital shift and growing threat landscape during COVID-19.

Speaking during the keynote session on day two of the Digital Transformation EXPO 2021 (DTX) at ExCeL London, Steltzner explained the enormous challenges he and his team at NASA had to overcome to land the Perseverance rover on the surface of Mars in February this year. The mission is part of an ongoing journey of discovery about the red planet, principally answering the question of whether life has ever existed, or currently exists, there.

NASA also successfully flew the Ingenuity helicopter above the surface of Mars during the mission, despite fears that flight would be impossible on a planet whose atmosphere is less than 1% as dense as Earth's.

None of this could be adequately tested on Earth, because atmospheric conditions here are so far removed from those on Mars. The key to the mission's success was therefore a willingness to adapt plans, and the "grit" to persevere in all conditions, according to Steltzner. He said that Ingenuity almost didn't make it to the surface of Mars: the initial plan to fold it in two and tuck it between a pair of wheels had to be changed "late in the development" to ensure it could land safely.

Steltzner then set out lessons he learned from his experience working with Perseverance and Ingenuity, and argued these principles can be applied across all industries.

  • 1. Humans are able to adjust to tremendous disruptions: He noted that while humans generally dislike disruptions to their ecosystem, they nevertheless are “capable of change.” However, adapting to new landscapes requires significant perseverance and “grit to adjust to the disappointments.” For example, the COVID-19 pandemic forced people throughout the globe to change their plans and miss out on great experiences. The lesson here is that “every tomorrow is not the universe we expect,” and “if we allow ourselves to embrace the truth of where we are, we will be in a much better place to be successful in the actual universe we live in.”

Thankfully, humans are very good at adapting. For example, Steltzner noted that during the pandemic, he “learned to operate spacecraft from my house,” whereas previously he’d be in a control room with 60 colleagues.

  • 2. Being successful during disruption requires ingenuity: Steltzner pointed out that in the US, whole sectors of the economy boomed in the pandemic “because people saw the world as it really was and looked for opportunity in that world.” He added: “That’s what it takes to be successful in a pandemic, and what it takes to be successful any time in the future.” In regard to the late changes made to Ingenuity, this was a recognition “of what was working and what wasn’t.” Steltzner said: “That happens all the time in industry and technology – we have to assess what are the new opportunities for us and what can we leverage to be more successful.”
  • 3. Sort fact from opinion: Steltzner made the point that in periods of great disruption, “it’s challenging to know what you actually know.” Therefore, it is vital to distinguish facts from opinion. To do so, leaders need to understand the perspectives of the different teams within their organization. “It’s my job to look across their siloed perspectives and find a tempered, balanced perspective with which to lead the team.”
  • 4. Humans succeed as teams: “As individuals we might have a great idea, to succeed we have to come together in groups we call teams,” outlined Steltzner. He said the strength of a particular product is always a result of the strength of the teamwork that went into creating it. “You want everybody on your team contributing the most of themselves that they possibly can,” he added, stating it is the responsibility of leaders to establish an environment in which everyone enjoys themselves — “a supercharged, collaborative, lovefest!” as he put it.
  • 5. Talk less, listen more: Steltzner said this principle is particularly vital in the current world, which is more virtual and distant. “To really get the most from my team, I need to make the space in the room for their contributions to come out,” he said, adding that he realized he needed to “talk less” to ensure this was the case.
  • 6. Be curious: Steltzner pointed out that everyone enters the world as a baby, essentially “unprogrammed,” and it’s that child-like curiosity that enables us to learn how to navigate the environment we reside in. However, as humans get older, “we start expecting that tomorrow is going to be the tomorrow we thought it would be, and we stop looking to see the tomorrow as it really is.” This mindset leads to lost opportunities, according to Steltzner, and it is therefore important that “we keep our minds curious like a child’s, as we will be more agile and more innovative.”

Steltzner concluded by stating: “If we take that [curiosity] and combine it with a culture of a team and weather the hardships that we might face in the future, there’s almost nothing a team of individuals can’t do.”

Categories: Cyber Risk News

#DTX2021: Houston, We Have a Breach: Cyber Preparedness Advice From Lisa Forte

Thu, 10/07/2021 - 11:00

At DTX at ExCeL London on October 6, 2021, Red Goat Cyber Security founder Lisa Forte delivered a session on cyber breach preparedness, using examples from mountaineering and caving to show how to prepare for a breach.

Themes of preparedness, communication and coordination ran through Forte’s talk, titled “Houston, we have a breach!”

“Human beings are terrible decision makers under pressure. Cognitive processes are surpassed and we [fail to] work off facts.

“Why do humans fail under pressure? That falls into two categories — panic and choking.” The former, Forte explained, is a reversion to instinct. “When you panic, you think too little about things and experience a perceptual narrowing.”

In the latter category — choking — the opposite is true. “You overthink a situation and paralyse yourself with decision-making. You think too much, see too many options, and lose instinctual response.”

This is why it is essential that organizations practice breach preparedness, advised Forte. “You don’t want to realise that people on your crisis management team are incapable in the middle of a crisis,” said Forte, “that would be terrible.”

Forte advocated a six-step plan to ensure cyber breach preparedness:

  1. Plan — “do your research”
  2. Invest wisely — “consider what equipment you need”
  3. Train and rehearse — “Plans need to make sense and be tested for execution”
  4. Playbooks — “you need playbooks for the things you anticipate could happen to your company”
  5. Redundancy
  6. Debriefs — “The crucial last step is to debrief every relevant incident, even if it happens to a competitor rather than to you. Debrief the problems, the response, the criticism, and learn from it.”

“You can’t firefight whilst also looking at the bigger picture,” Forte explained. “You can’t make everything secure, safe and bullet-proof, but you can plan for every eventuality so you don’t have to make it up on the spot.”

Categories: Cyber Risk News

Police Crack Multimillion-Dollar Real Estate Fraud Gang

Thu, 10/07/2021 - 09:50

European police claim to have dismantled an international organized crime group (OCG) that made millions from real estate fraud.

Law enforcers in the Hungarian capital of Budapest, supported by Europol, began operations against the gang back in 2017. However, it was during 10 so-called “action days” between September 2020 and September 2021 that the OCG was taken down.

Its leader was apparently found hiding in the Dominican Republic using fake documents, and was extradited to Hungary last week.

Overall, 130 suspects were identified and 116 searches conducted. The group is estimated to have caused losses of around €3.5m ($4m) for over 470 victims.

The fraud gang worked by posting fake ads for properties up for sale or rent, tricking victims into sending deposit money and rent. The OCG also remotely hacked some victims’ PCs, stole financial details and carried out transactions without their knowledge, Europol claimed.

In some cases, COVID-19 was used as an excuse to install remote access software on these machines, it said.

Money mules were recruited in Hungary to open bank accounts, receive and transfer funds and carry out cryptocurrency transactions to help with money laundering — with the illegal proceeds sent to the Dominican Republic.

According to a new Serious and Organized Crime Threat Assessment report from Europol, the drive to digital is creating new opportunities for OCGs and lone cyber-criminals alike.

“The move toward cashless economies creates powerful incentives for payment fraudsters … The steady increase in the number of users and connections creates new vulnerabilities and opens more potential victims to cyber-attacks,” it explained.

“Cybercrime is attractive to criminals due to the potential profits, limited risk of detection and prosecution, which if successful often only results in low sentences.”

Real estate and rental fraud reported to the FBI last year cost victims an estimated $213m off the back of around 13,600 cases. As such it represented one of the top 10 earners for cyber-criminals.

Categories: Cyber Risk News

Data Breach Volumes for 2021 Already Exceed 2020 Total

Thu, 10/07/2021 - 09:15

The number of data breaches publicly reported so far this year has already exceeded the total for 2020, putting 2021 on track for a record year, according to the Identity Theft Resource Center (ITRC).

The non-profit’s figures for Q3 breach volumes came in at 446 incidents. Although this is lower than the 491 breaches reported in the second quarter, the total for the year-to-date is now 1,291, versus 1,108 for the whole of 2020.

The all-time high of 1,529 breaches was set in 2017, but with phishing and ransomware leading the way in driving volumes up this year, it’s predicted that 2021 could exceed that figure.

Eva Velasquez, president and CEO of the ITRC, said 2021 is just 238 breaches away from tying the all-time record for a single year.

“It’s also interesting to note that the 1,111 data breaches from cyber-attacks so far this year exceeds the total number of data compromises from all causes in 2020,” she added.

“Everyone needs to continue to practice good cyber-hygiene to protect themselves and their loved ones as these crimes continue to increase.”

The ITRC’s figures comprise not only traditional breaches where malicious third parties steal data from organizations, but also cases of cloud misconfigurations that lead to data leaking into the public domain.

Cases of the former in the year-to-date rose 27% versus the whole of 2020.

Cloud leaks often affect large numbers of users, even if the data does not ultimately end up in the wrong hands. To that end, the number of data compromise victims in Q3 (160 million) is higher than Q1 and Q2 2021 combined (121 million). However, that figure is mainly due to unsecured cloud databases, ITRC said.

Interestingly, there have been no reported breaches this year associated with payment skimming campaigns, often dubbed "Magecart."

Categories: Cyber Risk News

Infosec Experts: Twitch Breach “As Bad as it Gets”

Thu, 10/07/2021 - 08:45

Gaming and content streaming giant Twitch has confirmed a breach has taken place at the firm, after reports claimed a hacktivist leaked its entire source code, creator info and internal data.

A brief statement from the Amazon-owned firm, posted yesterday afternoon, said: “Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available. Thank you for bearing with us.”

That came after Video Games Chronicle first reported that an anonymous 4chan user had posted a 125GB torrent link to the site containing the data dump. Sources told the site the data could have been taken as recently as Monday.

Leaked data reportedly includes all of the firm’s source code; mobile, desktop and console clients; proprietary SDKs and internal AWS services; and “every other property” it owns, including IGDB, CurseForge and an unreleased Steam competitor, dubbed “Vapor.”

Also leaked were red teaming tools used by the firm’s SecOps function and, perhaps most embarrassing, sensitive information on how much it paid its most popular streamers back in 2019 — which reached millions of dollars for some.

It appears the hacker may have been acting in retaliation for what many users saw as Twitch’s inadequate response to the problem of hate raids on the site over the summer. Here, bots were used by trolls to flood the chat section of certain streamers, mainly from minority or marginalized communities, with hateful messages.

In fact, in the original post, the anonymous hacktivist described Twitch as a “disgusting toxic cesspool” and said they were releasing source code from nearly 6,000 internal Git repositories “to foster more disruption and competition in the online video streaming space.”

"Jeff Bezos paid $970m for this, we're giving it away FOR FREE. #DoBetterTwitch," they added, using the hashtag popular with hate raid protesters.

Cybersecurity experts were quick to ask questions of the internal security posture at one of the world’s biggest gaming platforms.

“This will send a shudder down any hardened infosec professional. This is as bad as it could possibly be,” argued ThreatModeler CEO, Archie Agarwal.

“The first question on everyone’s mind has to be: how on earth did someone exfiltrate 125GB of the most sensitive data imaginable without tripping a single alarm? There’s going to be some very hard questions asked internally.”

He added that user information will probably have been swept up in the breach, so account credentials will need to be reset.

“This incident serves as a reminder that while ransomware attacks are taking up the majority of headlines recently, breaches that result in stolen proprietary data are still a real and persistent threat,” argued Darren McCutchen, principal threat researcher at NetWitness.

“It’s important that enterprises have the ability to detect threats immediately and react quickly to keep threat actors from gaining access to critical systems and then moving laterally to steal seemingly unrelated data and information.”

Most worrying for Twitch is the fact that the initial leak was labelled “part one,” indicating there’s more to come.
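The question the experts quoted above keep returning to is why a 125GB outbound transfer did not trip an alarm. The following is an added example, not Twitch's code or telemetry: it runs a simple egress-volume detector over a few constructed flow records (hostnames, destinations and byte counts are all made up), baselining each host's hourly outbound bytes with a median/MAD robust z-score so that a single exfiltration burst stands out against that host's own history. The hour-long bucket, the five-bucket minimum history and the threshold of 6 are assumed tuning parameters.

```python
"""Egress-volume anomaly detection over constructed flow records.

Added example, not Twitch's code: flags a host whose outbound byte count in a
time bucket far exceeds its own historical baseline, which is the alarm the
experts quoted above say should have fired on a multi-gigabyte exfiltration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flow records (not real telemetry): timestamp, source host,
# destination, bytes sent. Layout loosely follows a NetFlow / VPC flow-log export.
# build-01 normally sends ~50 MB/hour, then pushes 125 GB in a single hour.
SAMPLE_FLOWS = """\
2021-10-04T01:00:00Z build-01 203.0.113.10 52428800
2021-10-04T02:00:00Z build-01 203.0.113.10 61865984
2021-10-04T03:00:00Z build-01 203.0.113.10 48234496
2021-10-04T04:00:00Z build-01 203.0.113.10 55574528
2021-10-04T05:00:00Z build-01 203.0.113.10 50331648
2021-10-04T06:00:00Z build-01 203.0.113.10 53477376
2021-10-04T07:00:00Z build-01 198.51.100.7 125000000000
2021-10-04T01:00:00Z web-03 203.0.113.20 104857600
2021-10-04T02:00:00Z web-03 203.0.113.20 115343360
2021-10-04T03:00:00Z web-03 203.0.113.20 99614720
2021-10-04T04:00:00Z web-03 203.0.113.20 110100480
2021-10-04T05:00:00Z web-03 203.0.113.20 102760448
2021-10-04T06:00:00Z web-03 203.0.113.20 108003328
2021-10-04T07:00:00Z web-03 203.0.113.20 106954752
"""

MIN_HISTORY = 5            # assumed: buckets needed before a host's baseline is trusted
ROBUST_Z_THRESHOLD = 6.0   # assumed: modified z-score above which a bucket is flagged


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, host, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst, int(nbytes)))
    return flows


def bucket_egress(flows):
    """Sum outbound bytes per (host, hour) regardless of destination."""
    totals = defaultdict(int)
    for ts, host, _dst, nbytes in flows:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        totals[(host, hour)] += nbytes
    return totals


def robust_zscore(value, history):
    """Modified z-score of `value` against `history` using median and MAD.

    Unlike mean/stddev, one earlier spike cannot inflate the baseline and
    hide a later one. A flat history gives MAD = 0, so the scale is floored
    at 5% of the median (and at 1 byte) to avoid dividing by zero.
    """
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(mad, 0.05 * med, 1.0)
    return 0.6745 * (value - med) / scale


def detect_egress_anomalies(flows, min_history=MIN_HISTORY, threshold=ROBUST_Z_THRESHOLD):
    """Walk each host's hourly totals in time order and flag buckets that
    exceed that host's own prior history by more than `threshold`."""
    per_host = defaultdict(dict)
    for (host, hour), total in bucket_egress(flows).items():
        per_host[host][hour] = total

    alerts = []
    for host, buckets in sorted(per_host.items()):
        history = []
        for hour in sorted(buckets):
            total = buckets[hour]
            if len(history) >= min_history:
                z = robust_zscore(total, history)
                if z > threshold:
                    alerts.append({
                        "host": host,
                        "bucket": hour.isoformat(),
                        "bytes": total,
                        "baseline_bytes": int(median(history)),
                        "robust_z": round(z, 1),
                    })
            history.append(total)
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

In practice the baseline would be learned from days of history rather than five hours, and a per-destination view (new external destination plus volume spike) gives a sharper signal than volume alone, but the point stands: a host moving more than two thousand times its usual hourly egress is detectable with a few lines of arithmetic if anyone is watching the flow logs.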

Categories: Cyber Risk News

America Urged to Prepare for Shift to Post-Quantum Cryptography

Wed, 10/06/2021 - 20:53

The Department of Homeland Security (DHS) has teamed up with the Department of Commerce’s National Institute of Standards and Technology (NIST) to release a roadmap on the best way for organizations to navigate the transition to post-quantum cryptography.

The guide provides relevant stakeholders with achievable steps they can take to reduce the risks related to the advancement of quantum computing technology.

"While quantum computing promises unprecedented speed and power in computing, it also poses new risks. As this technology advances over the next decade, it is expected to break some encryption methods that are widely used to protect customer data, complete business transactions, and secure communications," said a DHS spokesperson.

"DHS’s new guidance will help organizations prepare for the transition to post-quantum cryptography by identifying, prioritizing, and protecting potentially vulnerable data, algorithms, protocols, and systems."

Under the new roadmap, organizations are encouraged to follow a seven-step plan that will enable them to hit the ground running when NIST completes its ongoing process to create a new post-quantum cryptography standard. 

Actions that organizations "should consider" include taking stock of their current cryptographic systems and the data being protected, and prioritizing systems for transition.

"Organizations should inventory the most sensitive and critical datasets that must be secured for an extended amount of time," reads the guidance. 

"This information will inform future analysis by identifying what data may be at risk now and decrypted once a cryptographically relevant quantum computer is available."

Once the prioritization has been completed, organizations should develop a plan for systems transitions under the guidance of their cybersecurity officials. 
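The inventory-then-prioritize steps described above translate directly into a small tool. The following is an added example, not code from DHS or NIST: it parses a constructed cryptographic inventory (the systems and retention years are made up), classifies each entry by whether its algorithm falls to Shor's algorithm or is merely weakened by Grover's, and ranks confidentiality systems whose data must stay secret beyond an assumed quantum-computer horizon as the most urgent, because ciphertext captured today can be decrypted later, exactly the risk the guidance quotes. The horizon year and migration time are illustrative parameters, not predictions.

```python
"""Cryptographic inventory and transition prioritization.

Added example, not DHS/NIST code: implements the roadmap's "inventory, then
prioritize" steps over a constructed inventory. The algorithm classes are
standard; ASSUMED_CRQC_YEAR and MIGRATION_YEARS are assumptions for illustration.
"""
from dataclasses import dataclass

# Public-key schemes whose security rests on factoring or discrete logarithms,
# which Shor's algorithm breaks on a cryptographically relevant quantum computer (CRQC).
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# Symmetric ciphers and hashes lose roughly half their security bits to Grover's
# algorithm, so 128-bit parameters are weakened while 256-bit ones remain adequate.
GROVER_WEAKENED = {"AES", "CHACHA20", "SHA256", "SHA384", "SHA512", "SHA3-256"}

ASSUMED_CRQC_YEAR = 2035   # assumption: planning horizon for a CRQC, not a prediction
MIGRATION_YEARS = 3        # assumption: time to re-key and re-protocol a system
CURRENT_YEAR = 2021

# Constructed inventory, not a real organization's:
# system, purpose, algorithm, key bits, year the protected data must stay confidential until
SAMPLE_INVENTORY = """\
# system, purpose, algorithm, key_bits, sensitive_until
vpn-gateway, confidentiality, ECDH, 256, 2022
hr-records-archive, confidentiality, RSA, 2048, 2050
code-signing, authentication, ECDSA, 256, 2025
backup-encryption, confidentiality, AES, 128, 2040
tls-web-frontend, confidentiality, X25519, 256, 2022
log-integrity, authentication, SHA256, 256, 2030
"""


@dataclass
class Asset:
    system: str
    purpose: str          # "confidentiality" or "authentication"
    algorithm: str
    key_bits: int
    sensitive_until: int  # year until which the protected data must remain secret


def parse_inventory(text):
    """Parse the comma-separated inventory, skipping blanks and '#' comments."""
    assets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        system, purpose, alg, bits, until = [f.strip() for f in line.split(",")]
        assets.append(Asset(system, purpose, alg.upper(), int(bits), int(until)))
    return assets


def classify(asset):
    """Return 'quantum-vulnerable', 'reduced-margin', 'adequate' or 'unknown'."""
    if asset.algorithm in SHOR_VULNERABLE:
        return "quantum-vulnerable"
    if asset.algorithm in GROVER_WEAKENED:
        return "adequate" if asset.key_bits >= 256 else "reduced-margin"
    return "unknown"


def prioritize(assets, crqc_year=ASSUMED_CRQC_YEAR, migration_years=MIGRATION_YEARS,
               now=CURRENT_YEAR):
    """Rank assets for transition.

    Tier 1: Shor-vulnerable confidentiality where data stays sensitive past the
            CRQC horizon. Ciphertext recorded today is readable later, so the
            exposure exists now and migration should start immediately.
    Tier 2: other Shor-vulnerable uses (short-lived secrets, signatures) and
            unrecognised algorithms; must be done before the horizon, so the
            deadline is horizon minus migration time.
    Tier 3: Grover-weakened symmetric parameters; enlarge keys in normal lifecycle.
    Tier 4: adequate as-is.
    """
    ranked = []
    for a in assets:
        cls = classify(a)
        if cls == "quantum-vulnerable" and a.purpose == "confidentiality" \
                and a.sensitive_until > crqc_year:
            tier, deadline = 1, now
        elif cls in ("quantum-vulnerable", "unknown"):
            tier, deadline = 2, crqc_year - migration_years
        elif cls == "reduced-margin":
            tier, deadline = 3, crqc_year
        else:
            tier, deadline = 4, None
        ranked.append({"system": a.system, "class": cls, "tier": tier,
                       "migrate_by": deadline})
    return sorted(ranked, key=lambda r: (r["tier"], r["system"]))


if __name__ == "__main__":
    for row in prioritize(parse_inventory(SAMPLE_INVENTORY)):
        print(row)
```

The useful output is not the table itself but the argument it encodes: an archive encrypted today under RSA-2048 that must stay confidential until 2050 is already at risk from an adversary recording traffic now, whereas a code-signing key only becomes a problem on the day a CRQC exists, so the two deserve different deadlines even though both use a vulnerable algorithm.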

The roadmap's release follows US Secretary of Homeland Security Alejandro Mayorkas' identification of the move to post-quantum encryption as a priority.

Speaking on March 31, 2021, Mayorkas said: “The transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption. While the former is already ongoing, planning for the latter remains in its infancy."

He added: "We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future.”

Categories: Cyber Risk News

Texan Imprisoned Over COVID-19 Hoax

Wed, 10/06/2021 - 18:58

A man from Texas has been sentenced to 15 months in federal prison after lying on social media.  

San Antonio resident Christopher Charles Perez, also known as Christopher Robbins, posted two messages on Facebook in April 2020 in which he falsely claimed to have hired a person infected with COVID-19 to lick items on display at grocery stores.

Perez, who is aged 40, said in the messages that goods for sale in several shops in the San Antonio area had been licked. 

The US Attorney's Office for the Western District of Texas said Perez posted the "threatening" messages "to scare people away from visiting the stores."

On April 5, 2020, a screenshot of the first message posted by Perez was sent to the Southwest Texas Fusion Center (SWTFC) via an online tip. SWTFC then contacted the FBI office in San Antonio, which investigated the matter and found the threats made by Perez to be false.   

"Perez did not pay someone to intentionally spread coronavirus at grocery stores, according to investigators and Perez’s own admissions," said the US Attorney's Office in a statement published October 4.

Following the FBI investigation into his social media posts, Perez was charged with two counts of 18 U.S.C. § 1038, which criminalizes false information and hoaxes related to biological weapons. 

A federal jury found him guilty of the charges, and on Monday Perez was handed a custodial sentence and ordered to pay a $1,000 fine. 

“Those who would threaten to use COVID-19 as a weapon against others will be held accountable for their actions, even if the threat was a hoax,” said FBI San Antonio Division Special Agent in Charge Christopher Combs. “Perez’s actions were knowingly designed to spread fear and panic, and today’s sentencing illustrates the seriousness of this crime."

US Attorney Ashley Hoff said that "trying to scare people with the threat of spreading dangerous diseases is no joking matter.”

She added: “This office takes seriously threats to harm the community and will prosecute them to the full extent of the law.”

Categories: Cyber Risk News

Publishers Tackle Doctoring of Research Images

Wed, 10/06/2021 - 17:48

A working group appointed by the International Association of Scientific, Technical and Medical Publishers (STM) has published a new set of guidelines to tackle the issue of doctored images in scientific research papers. 

The recommendations of the Standards and Technology Committee (STEC) include a three-tier classification system that editors can use to flag suspicious content, and detailed step-by-step instructions on how to deal with manipulated images.

STM said the guidelines provide "a structured approach that supports editors and others applying image integrity screening as part of pre-publication quality control checks or post-publication investigation of image and data integrity issues at scholarly journals, books, preprint servers, or data repositories."

Images that fall under tier one of the classification system include pictures that have been "beautified" or altered in a way that does not change the conclusion of the research. Images that have been significantly manipulated in a way that clashes with accepted scholarly practice and change the scientific conclusions for key data are designated tier two. 

Tier three, reserved for the most serious aberrations, includes “severe image manipulation, with unequivocal evidence of obfuscation or fabrication and an intent to mislead,” such as the selective cropping or reporting of images so that they fail to represent the original data. 

Editors who suspect an image has been doctored are advised to ask authors for their source data and an explanation. If an editor receives no response to a query over a tier three offense and later sees the suspicious images published in another journal, the guidance says the editor should notify that journal of their suspicions. 

"With these recommendations, the STM Working Group aims to contribute a consistent, structured and efficient framework for handling image integrity issues both within and between journals and publishers," said STM. 

Elisabeth Bik, a research-integrity consultant based in California, said that the new recommendations "will not prevent science misconduct, but they provide stronger scrutiny both at the submission stage, as well as after publication."

STEC's recommendations are open for comments until October 31, 2021. Final recommendations will be presented at the STM Innovations Seminar on December 7, 2021.

Categories: Cyber Risk News