Info Security


#teissLondon2020: Be Aware of Malicious and Non-Malicious Insider Behavior

Thu, 02/13/2020 - 13:30

Speaking at the TEISS conference in London, ClubCISO chair Dr Jessica Barker said that both non-malicious and malicious insiders can be detected by common behaviors.

Displaying ClubCISO’s research from 2019, which showed that non-malicious insiders accounted for 42% of incidents in the last 12 months, and malicious insiders accounted for 18%, Barker said that this is the biggest threat after a malicious external attacker (46%) where they can often “take advantage of a non-malicious insider.”

Barker explained that people often don’t expect to be affected by insiders, but those responsible are frequently long-serving employees who appear loyal yet hold grudges or feel overlooked for promotions and pay rises. “They don’t feel what they are doing is criminal, but they justify their activity in righting a wrong.”

Also, someone may feel like they can get away with actions such as leaking data or stealing information for a period of time, “but it takes a level of arrogance to steal and not be identified.”

For the non-malicious insider, Barker said that this is a result of people not understanding the complexities of cybersecurity, and press about cybersecurity can make it feel like the responsibility is out of their control.

“Using fear to trick behavior is not that easy, as if it was we wouldn’t have smokers or drink drivers,” she said.

Barker recommended communicating with staff who may be non-malicious insiders, as they could “have usable skills and knowledge to engage in behaviors.

“We can have all the awareness we want, but it needs to be usable,” Barker said, saying that you cannot just tell people that they need a better password, you need to tell them what they should do, and give them the tools to do it. “You cannot force people to change, you have to work to their knowledge” she said, adding that people commonly want to do the right thing at work but security controls usually get in the way of priorities.

She concluded by saying it is not about creating a separate security culture, but about understanding it is a culture, as “culture underpins what is normal in an organization, and what is acceptable.”

Categories: Cyber Risk News

Ukrainian Blackout Malware at Large on Dark Web

Thu, 02/13/2020 - 11:25

Sophisticated backdoor malware techniques used by state-backed attackers to cripple Ukrainian power stations in 2015 are now being deployed more widely by the black hat community, Venafi has warned.

The malware in question targets SSH keys, which are designed to secure remote commands to and communications between machines. As such, they are central to securing cloud workloads, VPN connections, connected IoT devices and more.

Compromise of a single SSH key could give attackers undetected root access to mission critical systems to spread malware or sabotage processes, the security vendor warned.

Venafi is now seeing malware add attackers’ SSH public keys to the list of authorized keys on victim machines, so that the machine trusts the attacker’s key. Other techniques include brute-forcing weak SSH authentication to gain access and move laterally across networks.

These techniques have been observed in use over the past year by crimeware botnet TrickBot, cryptomining campaign CryptoSink, Linux Worm and Skidmap, said Venafi. That’s a far cry from the relatively rare sight of a backdoored SSH server being used by the BlackEnergy gang in December 2015. That attack caused mass power outages in parts of Ukraine.

“SSH keys can be potent weapons in the wrong hands. But until recently, only the most sophisticated, well-financed hacking groups had this kind of capability. Now, we’re seeing a ‘trickle-down’ effect, where SSH capabilities are becoming commoditized,” warned Yana Blachman, threat intelligence specialist at Venafi.

“What makes this commoditization so worrying is that if an attacker is able to backdoor a potentially interesting target, they may monetize this access and sell it through dedicated channels to more sophisticated and sponsored attackers, such as nation state threats for the purpose of cyber-espionage or cyber-warfare.”

This has happened before, when the TrickBot gang were found to have been selling a “bot-as-a-service” to North Korean hackers, she claimed.

To combat such threats, organizations need clear visibility of, and protection for, all authorized SSH keys in the enterprise, so that legitimate keys cannot be hijacked and attempts by attackers to insert their own malicious SSH machine identities into systems are blocked.
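As an added example (it is not code from the article or from Venafi), the following Python script performs the kind of authorized-key visibility check the article recommends: it parses an authorized_keys file, including entries that carry leading options, computes each key’s OpenSSH-style SHA256 fingerprint (the format `ssh-keygen -lf` prints), and reports any key whose fingerprint is not in an approved inventory. The key-type list, the two sample keys, the approved inventory and the sample file are all constructed for the example.

```python
"""
Audit the contents of an SSH authorized_keys file against an inventory of
approved key fingerprints, flagging any key the organization did not issue.
Illustrative example; the sample keys below are constructed, not real.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# Key types OpenSSH accepts in authorized_keys (the common ones).
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


@dataclass
class AuthorizedKey:
    line_no: int
    key_type: str
    blob: bytes        # decoded wire-format public key
    options: str       # leading options such as command="..." or from="..."
    comment: str


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _blob_type(blob: bytes):
    """Return the key-type string stored as the first length-prefixed field of a blob."""
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        return None
    return blob[4:4 + n].decode("ascii", errors="replace")


def parse_authorized_keys(text: str):
    """Parse authorized_keys text. Returns (keys, malformed_line_numbers).

    Options may precede the key and may contain quoted strings with spaces, so a
    key is located by finding a '<type> <base64>' token pair whose decoded blob
    names that same type, rather than by assuming a fixed column layout.
    """
    keys, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i in range(len(tokens) - 1):
            if tokens[i] not in KEY_TYPES:
                continue
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:      # binascii.Error is a ValueError subclass
                continue
            if _blob_type(blob) != tokens[i]:
                continue
            keys.append(AuthorizedKey(line_no, tokens[i], blob,
                                      " ".join(tokens[:i]), " ".join(tokens[i + 2:])))
            break
        else:
            malformed.append(line_no)
    return keys, malformed


def audit(text: str, approved_fingerprints):
    """Return the keys in `text` whose fingerprint is not in the approved inventory."""
    keys, _ = parse_authorized_keys(text)
    return [k for k in keys if fingerprint(k.blob) not in approved_fingerprints]


# --- constructed sample data (not real keys) --------------------------------
def _ed25519_blob(public_bytes: bytes) -> bytes:
    """Build an ssh-ed25519 wire-format blob: string(type) || string(32-byte key)."""
    t = b"ssh-ed25519"
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(public_bytes)) + public_bytes


APPROVED_BLOB = _ed25519_blob(bytes(range(32)))   # the key the org issued (constructed)
ROGUE_BLOB = _ed25519_blob(b"\x42" * 32)          # a key nobody issued (constructed)
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_BLOB)}

SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys, not taken from a real host\n"
    f"ssh-ed25519 {base64.b64encode(APPROVED_BLOB).decode()} deploy@build01\n"
    'command="/usr/bin/rsync --server" no-pty,no-port-forwarding '
    f"ssh-ed25519 {base64.b64encode(ROGUE_BLOB).decode()} backup\n"
    "this is not a key line\n"
)

if __name__ == "__main__":
    for k in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {k.line_no}: unapproved {k.key_type} key {fingerprint(k.blob)} "
              f"comment={k.comment!r} options={k.options!r}")
```

Run against each account’s authorized_keys file (and any other locations named by `AuthorizedKeysFile` in sshd_config), with the approved set taken from the key inventory. A finding is a key the inventory never issued, which is exactly the inserted machine identity the article warns about; malformed lines are worth a look too, since a parser that silently skipped them would miss tampering.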


Categories: Cyber Risk News

#teissLondon2020: Blanket Approaches to Security Awareness Efforts Often Fail

Thu, 02/13/2020 - 10:44

Employee awareness needs to be holistic, and not use a blanket approach.

Speaking on a panel at the TEISS conference in London exploring tailoring security awareness programs to overcome colleagues' inbuilt biases, business strategist Dr Dave Chatterjee said that benchmarks can be used to tell you whether your awareness efforts are actually addressing your goals. “At a deeper level, it can convince you to be more careful on phishing and to be motivated and driven to be secure,” he added.

Dr Jessica Barker, chair of ClubCISO, said she had found “phishing awareness and detection to be very good and strong” but the issues of emailing personally identifiable information and storage of data were not addressed, and often these issues need to be covered and benchmarks can help you know in six to 12 months if you have targeted these areas.

Also speaking on the panel was Marilise de Villiers, founder and CEO of MDVB Consulting, who said that awareness solutions need to be designed to allow you to measure awareness, and let “you know what you want to know” as well as “what will trip us up later down the road.”

The panellists were all agreed that a check box methodology is not enough, and Chatterjee said that you “need to put enough thought into what you’re measuring.”

Panel moderator Jeremy Swinfen Green, head of consulting at TEISS, asked what some of the problems around awareness campaigns can be. “A fear of speaking up” was cited by de Villiers, while Barker said that a fear of speaking up “engenders a culture of fear.” Chatterjee added that companies often try to create a workplace of happy employees, but that is often “easier said than done.

“Companies have to survive and treat their employees well,” he said, while de Villiers argued that awareness campaigns need to be done on a “case-by-case basis.”

Categories: Cyber Risk News

Ransomware Costs May Have Hit $170bn in 2019

Thu, 02/13/2020 - 10:02

There were nearly half a million ransomware infections reported globally last year, costing organizations at least $6.3bn in ransom demands alone, according to estimates from Emsisoft.

The security vendor analyzed submissions to the ID Ransomware identification service during 2019 and found a total of 452,121 records.

However, around half of these related to a type of ransomware called STOP, which mainly targets home users, so its financial calculations are based on closer to 226,000 victims.

What’s more, the firm estimated that only around 25% of organizations affected by ransomware use the ID Ransomware service, so it provided both a minimum cost based on 50% of submissions and a larger figure based on four times that number.

With the average ransom demand around $84,000 and roughly a third of firms paying up, Emsisoft estimated minimum global costs at $6.3bn and a higher figure at $25bn.

Working out downtime costs was harder, the firm admitted.  

“Gartner previously put the average at more than $5600 per minute – so we have used the extremely conservative figure of $10,000 per day,” it explained. “This figure has no basis in reality and we have included it simply to illustrate the enormity of the costs. The actual costs are almost certainly much higher.”

When combined with ransom payments, downtime of 16 days would mean that globally, firms spent at least $42.4bn on ransomware last year. The higher figure, taking into account those that didn’t report incidents to ID Ransomware, is estimated at a staggering $170bn.

That’s in stark contrast to the FBI report released this week, which claimed that losses reached just $9m last year. However, the caveats are that just 2047 cases were reported to the Feds in 2019, and the FBI admitted that its calculations did not include “lost business, time, wages, files, or equipment, or any third party remediation services acquired by a victim.”

Emsisoft claimed that an accurate estimation of the scale of financial damage caused by ransomware was not the point of the exercise.

“The intention of this report is not to accurately estimate the costs, which is impossible due to a dearth of data, but rather to shine a light on the massive economic impact of these incidents in the hope that doing so will help governments and law enforcement agencies formulate a proportionate response to the ransomware crisis,” it concluded.

Categories: Cyber Risk News

Estée Lauder Database Exposes 440 Million Records

Thu, 02/13/2020 - 09:32

Estée Lauder is the latest big-name brand to suffer an embarrassing data leak after a researcher discovered 440 million records including plain text emails exposed via an online database.

Security Discovery’s Jeremiah Fowler made the discovery on January 30, claiming the non-password protected database exposed a total of 440,336,852 records.

It’s unclear how many user emails were exposed, but the cosmetics giant claimed in an emailed statement that they were “non-consumer” and instead came from an internal “education platform.” Fowler confirmed that many of the emails he saw in plain text belonged to the @estee.com domain.

There was no sign of payment data or sensitive employee information in the database either. However, although the direct risk to customers and staff appears to have been negligible from this data leak, Fowler warned that other information contained in the database may have been of interest to attackers.

“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system. Data management, application services, messaging, authentication, and API management are all commonly handled by middleware,” he explained.

“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.”

Although it took Fowler multiple attempts to pass on details of his discovery to the right team, Estée Lauder has been praised as acting “fast and professionally” to block public access to the database on the day of the discovery.

Categories: Cyber Risk News

US Bank Slammed for "Vague and Deceptive" Breach Disclosure

Wed, 02/12/2020 - 17:31

American bank Fifth Third has come under fire for sending customers a cryptic breach disclosure letter judged to be "vague and deceptive" by a consumer group.  

Fifth Third wrote to customers after discovering that at least two of its employees had stolen customer information and provided it to a third party. Data exposed included names, Social Security numbers, addresses, phone numbers, dates of birth, mothers' maiden names, driver's license information, and account numbers.

The thefts began in the summer of 2018, and those responsible have since been terminated by the company. Although it hasn't been confirmed that the employees who pulled this inside job later sold the stolen data on the dark web, it's only logical to conclude that they stood to profit in some way from their high-risk actions. 

The bank, which is headquartered in Cincinnati, Ohio, at Fifth Third Center, has not specified how many customers were impacted by the incident or how many former employees were fired for passing out customers' personal data.  

In a written statement, Fifth Third said: "We have notified the limited number of customers who may be impacted. We will provide identity theft monitoring to them at no cost."

The head of the Consumer Federation of America slammed Fifth Third's enigmatic letter to customers disclosing the data breach.

Jack Gillis, executive director of the Washington, DC–based non-profit consumer advocate, said: "Fifth Third is only telling half the story—it's vague and deceptive to customers because it’s not just their Fifth Third accounts that will be impacted." 

A breach notification letter sent to select consumers which reassured them that the bank had "not detected any fraudulent activity on your accounts" was criticized by Gillis as misleading. He pointed out that whoever had access to the stolen data could misuse it in ways that wouldn't be detected by the bank.

The illicitly obtained personal data, which Gillis said could now be on sale on the dark web, could be purchased by criminals and used to set up credit accounts with banks other than Fifth Third. Such accounts could be used to run up fraudulent charges that wouldn't be detected until they came on the radar of credit reporting agencies.  

Categories: Cyber Risk News

Great Britain at Odds over Police Use of Facial Recognition Technology

Wed, 02/12/2020 - 16:20

Great Britain's three nations are not in agreement over the use of facial recognition technology by police forces.

The technology, which can be legally used by police in Wales, was officially introduced by England's Metropolitan Police Service in East London yesterday, amid a peaceful protest by Big Brother Watch.

Use of the technology by English police forces has not been debated in parliament or approved by elected officials. 

By contrast, Police Scotland announced yesterday that its plans to roll out facial recognition technology by 2026 have been put on hold pending a wider debate about the implications of its use. 

Their decision comes in the wake of a report published on Tuesday, February 11, by a Scottish government committee, which concluded that facial recognition technology is "currently not fit for use" by Police Scotland.

The Justice Sub-Committee on Policing informed Police Scotland that the force must demonstrate the legal basis for using the technology and its compliance with human rights and data protection legislation before they can start using it.

In a report that was part of the committee’s inquiry into the advancement of the technology, the committee wrote: "The use of live facial recognition technology would be a radical departure from Police Scotland’s fundamental principle of policing by consent."

The committee warned that the facial recognition technology was "known to discriminate against females and those from black, Asian and ethnic minority communities."

Committee convener John Finnie said: "It is clear that this technology is in no fit state to be rolled out or indeed to assist the police with their work.

"Current live facial recognition technology throws up far too many ‘false positives’ and contains inherent biases that are known to be discriminatory."

Police Scotland Assistant Chief Constable Duncan Sloan said it would now conduct a public consultation on the live software and keep a "watching brief on the trialling of the technology in England and Wales."

In September 2019, Cardiff's high court ruled that police use of automatic facial recognition technology to search for people in crowds is lawful. The technology is currently being used by South Wales police.

Categories: Cyber Risk News

#teissLondon2020: Supply Chain Challenge Can Be Contained

Wed, 02/12/2020 - 16:20

Speaking on a panel at the TEISS conference in London on the theme of threats in the supply chain, chair Raef Meeuwisse asked where the supply chain sits in a company’s overall risk.

Mike Seeney, head of supply chain information risk at Pinsent Masons, said that it is typically very high, as it is common that you will be breached via social engineering or the supply chain. “In the last few years we have had advances in technology, and the best way is through people or the supply chain,” he said. “This is a dedicated function and you need to have recognition of that.”

Quentyn Taylor, director of information security at Canon EMEA, said that this is now part of infosecurity risk, and while the infosec team should own the risk, they may not rate it too highly. “We trust third parties as we buy from them, but we should consider the third parties of the third parties,” Taylor said.

Holly Grace Williams, technical director at Secarma, said that the conversation should be on where you draw the line, and who takes ownership of the risk, while Naina Bhattacharya, director of cybersecurity for EMEIA at EY, said that, 10 years ago, this sort of risk was being taken seriously by payment card companies as they saw fraud, but the introduction of consumer products and compliance frameworks has changed attitudes.

Asked by Meeuwisse about how far contracts can protect you, Taylor said that “virtually not at all” as contracts “can be a useful way to start a fire” as ultimately the company who offers a contract has not got your back.

In order to better protect yourself, Bhattacharya said that you should have a foundation in place, and she acknowledged that this “can be a big step forward” but a way for you to take care of risk.

Focusing briefly on the theme of Huawei, Meeuwisse said that there is guidance offered from government, but acknowledged that global standards are needed.

Concluding, Bhattacharya said that supply chain has “been a problem for a while and will continue to be one” while Williams recommended reviewing what level of access you’re sharing, and Taylor suggested picking “a simple model and be prepared to change” to follow a way of working.

Categories: Cyber Risk News

#teissLondon2020: Tech is Not Neutral and Needs Ethical Frameworks

Wed, 02/12/2020 - 16:00

At The European Information Security Summit in London, Dr Stephanie Hare, author of the forthcoming book Technology Ethics, reflected on the need for ethical frameworks in technology.

Technology ethics engages with a problem that no one has solved to anyone’s satisfaction, Dr Hare said. That problem is how we create and use technologies so that they deliver maximum benefit and minimum harm.

Technology is not neutral, she added, and technology ethics surrounds all of us, so “there is no such thing as being ‘neutral’ on technology ethics.

“Every time you want to introduce something, the positive effects may have negative effects elsewhere – so how do you balance that out and think it through ahead of time?”

An ethical lens is therefore vital in the production and application of technology, and whilst Dr Hare admitted that technical ethics is not the answer to all problems, it is a tool that can help create better technologies, involves everyone and aligns technology/people with key values.

“I’m an optimist,” Dr Hare concluded. “I think we can do better and there are a lot of good opportunities for technology to be a better source for society. Right now, we have to move beyond a ‘Hippocratic Oath’ for tech. This group [security professionals] in particular has so much to contribute to the next generation of computer engineers and scientists, to people looking to make a buck in tech, and to law makers who, with the best will in the world, don’t have time to develop expertise [in tech ethics] and so need a roadmap.”

Categories: Cyber Risk News

Canadian Cabinet Ministers Get Hacking Hotline

Wed, 02/12/2020 - 15:18

An around-the-clock phone line to report suspected cyber-attacks has been created for federal cabinet ministers in Canada.

Newly released documents show that officials at the Canadian Centre for Cyber Security (CCS) set up the 24/7 telephone service last year to help ministers respond swiftly to possible security breaches and hacking incidents. 

The cyber-reporting hotline is operated by the CCS, a division of the Communications Security Establishment (CSE), which is the Government of Canada's national cryptologic agency.

According to a confidential memo circulated to ministers, the hotline was set up to act as a "front-line response to address compromise and limit damage." Ministers are advised to call it if they suspect that their ministerial, parliamentary, or personal email has been compromised or if their social media accounts are hacked. 

A copy of the memo was obtained by The Canadian Press via the Access to Information Act. However, due to the sensitivity of the topic, only parts of the circular were revealed to the media. 

The memo was part of a larger briefing package regarding ministerial security that was put together in August 2019. It was prepared by Prime Minister Justin Trudeau's then national security and intelligence advisor Greta Bossenmaier for Privy Council clerk Ian Shugart. 

The CSE said the phone service was set up in advance of the October federal election and "is still operational today." 

Shugart was advised in August that all cabinet members had registered for the hotline service, following online security guidance given to them at a CSE briefing in March.

The CSE would not reveal how many incidents had been reported by ministers since the hotline was made operational. 

"Due to operational security reasons, we are unable to provide a specific breakdown of the incidents reported through the hotline, but we can confirm that the service was used effectively by ministers, as well as political parties throughout the 2019 general election," the CSE said.

"As per Cyber Centre standard policy, we do not comment on specific meetings with individual political parties, candidates and their staff, nor do we comment on any specific incident."

Categories: Cyber Risk News

#teissLondon2020: ICO Outlines Expectations for 2020 and Beyond

Wed, 02/12/2020 - 14:30

Speaking at The European Information Security Summit in London, Stephen Eckersley, director of investigations at the Information Commissioner’s Office, outlined the privacy watchdog’s expectations for 2020 and beyond with particular focus on regulations and data protection.

“We are still coming to terms with our new [regulatory] powers,” Eckersley said, “and we are still learning how to apply them – there are a lot of them.”

The ICO expects to face increased expectations from the public, industry, other regulators, law enforcement agencies and governments with regards to being an effective and relevant regulator, he added.

The ICO is the lead supervisory authority on a number of current GDPR-related investigations, Eckersley explained, and will soon be submitting those cases to various EU counterparts, whilst the ICO will also be involved in post-Brexit negotiations relating to data protection.

“That will include the arrangements under cooperation and coordination – it’s too early to say what those arrangements are going to look like – however, from our perspective, securing arrangements that are very similar to the current ones under GDPR would be advantageous for the UK.”

In terms of the volume of data breach reports, the ICO does not expect to see a significant rise over this year and next year, Eckersley said, but the issue of privacy rights surrounding emerging technology will prove a significant challenge.

Lastly, the main challenge for the ICO will be “helping UK citizens stay safe, because personal data, as a commodity, is increasing in value. Organized crime groups are moving into cybercrime, as are state actors, because they recognize that personal data is of value and they can hold organizations to ransom.”

Categories: Cyber Risk News

#teissLondon2020: Security Requires Sound Storytelling, Says Thom Langford

Wed, 02/12/2020 - 13:20

At The European Information Security Summit in London, Thom Langford, founder of TL(2) Security, said that effective storytelling is important to security professionals if they want to evoke reactions, behaviors and actions from others.

“Stories are important to us as security professionals, because, to be blunt, we’re normally really bad at putting across information to people who are not security professionals.”

If we focused more on telling stories, Langford added, we would actually generate an experience.

“When people experience things, they create a visceral response in their bodies and they start to remember things.”

Langford cited an equation that security professionals can adopt to better translate important security topics. The equation is: value (the knowledge you have and wish to impart) plus story (the best way of imparting the value) equals experience (the memorable thing that allows people to absorb the information you are sharing).

“Storytelling is as old as time,” Langford concluded, “and it doesn’t matter if it’s a short story or a longer story, what’s important is that people learn, understand and then are able to impart knowledge onto others.”

Categories: Cyber Risk News

#teissLondon2020: NCSC Shares Six Tips for Secure Password Management

Wed, 02/12/2020 - 12:56

Speaking at The European Information Security Summit in London, Helen L, technical director for sociotechnical security at the National Cyber Security Centre, discussed strategies for effective password management within the enterprise.

Helen L challenged common, traditional password management strategies, saying that “what looks good in theory and on paper, may not work in the real world.”

If a person who typically has around 50 different passwords across their work and home life conscientiously followed standard security advice, they would be expected to remember the equivalent of the order of nine shuffled decks of cards, she said.  

“I don’t think the average person using passwords would be able to do that,” she added, and traditional password security policies often lead to people using workarounds (such as reusing passwords, writing passwords down, sharing passwords, etc) that result in weaker security than they had to begin with.

Therefore, different approaches to password management are needed, Helen L said, highlighting six pieces of advice that the NCSC is promoting.

Tip one: Reduce your organization’s reliance on passwords

  • Passwords have been the default authentication method for too long and often used when another method is more suitable

Tip two: Implement technical solutions

  • Your system’s security should always rely on effective technical defenses rather than user behavior and so solutions should be used to remove the burden from users

Tip three: Protect all passwords

  • While all passwords should be protected, the accounts they protect are not all the same, so time and effort should be spent on accounts that contain extra privileged information

Tip four: Help users cope with password overload

  • Many of the issues around passwords are a consequence of burdens placed on users

Tip five: Help users generate better passwords

  • Too much emphasis has been placed on password generation as a defense mechanism, so provide users with support in password creation

Tip six: Key messages for training

  • Repeating the usual messages over and over again is not effective – instead, focus on the areas where users’ decisions have the most impact and make training useful and relevant

To conclude, Helen L said: “When you’re thinking about security in your organization, try to think of it from the perspective of the user.”

Categories: Cyber Risk News

FBI: BEC Losses Soared to $1.8 Billion in 2019

Wed, 02/12/2020 - 11:03

Losses from business email compromise (BEC) attacks soared by hundreds of millions of dollars over the past year, to once again account for half of all cybercrime losses reported to the FBI.

BEC scammers made nearly $1.8 billion in 2019, over half the $3.5 billion total, according to the FBI’s 2019 Internet Crime Report. That’s up from around $1.3bn and a total of $2.7bn in 2018.

A recent evolution in BEC tactics has seen scammers impersonate regular employees rather than C-level execs.

“In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period,” the report explained. “The new direct deposit information generally routes to a pre-paid card account.”

The second biggest earning category of cyber-threat was romance scams, which netted over $475 million, followed by “spoofing” at $300m.

Ransomware was way down in the bottom half of the table with $9m in losses, up significantly from $3.6m in 2018. However, the usual caveats apply that this calculation doesn’t include “lost business, time, wages, files, or equipment, or any third party remediation services acquired by a victim.”

The FBI also admitted that many victims do not report ransomware losses to the Bureau.

When measured according to numbers of reported victims rather than financial losses, phishing (114,702) came top, followed by non-payment/non-delivery (61,832), and extortion (43,101).

BEC was down in fifth place (23,775) with ransomware even further behind with just 2047 reported cases in 2019 — highlighting the scale of under-reporting.

The FBI also singled out tech support fraud as a growing problem, with some recent complaints involving criminals posing as customer support for well-known travel companies, banks and even virtual currency exchanges.

“In 2019, the IC3 received 13,633 complaints related to tech support fraud from victims in 48 countries,” the report said. “The losses amounted to over $54 million, which represents a 40% increase in losses from 2018. The majority of victims reported to be over 60 years of age.”

Total reported cybercrime losses have tripled over the past five years, from just $1.1bn in 2015, amounting cumulatively to $10.2bn for the period.

Categories: Cyber Risk News

Microsoft Fixes 99 Problems This Patch Tuesday

Wed, 02/12/2020 - 10:36
Microsoft Fixes 99 Problems This Patch Tuesday

Microsoft has fixed almost a century of CVEs this month, although experts suggest the workload shouldn’t be too hard on admins.

The 99 vulnerabilities fixed this month feature 12 critical CVEs, including one zero-day, and another four that have been publicly disclosed and so will also need to be prioritized.

The zero-day being exploited in the wild is CVE-2020-0674, a remote code execution flaw in the way the scripting engine handles objects in memory in Internet Explorer. By hosting a specially crafted website designed to exploit the bug, a hacker could gain the same rights as the current user.

Other noteworthy critical bugs include CVE-2020-0729, a remote code execution vulnerability in the way Windows processes LNK (shortcut) files.

“Microsoft considers exploitation of the vulnerability unlikely, however, a similar vulnerability discovered last year, CVE-2019-1280, was being actively exploited by the Astaroth trojan as recently as September,” explained Recorded Future senior solutions architect, Allan Liska.

He also highlighted CVE-2020-0662, an RCE vulnerability that could allow any user with a domain account to execute arbitrary code on a victim’s machine at elevated privileges, using a specially crafted packet.

It affects the now-unsupported Windows 7 and Server 2008, as well as later versions.

Todd Schell, senior product manager at Ivanti, argued that despite the sizeable patch load, updating operating systems or browsers “can take the teeth out of the majority of risks this month.”

“The really good news in all of this is 99 CVEs really doesn’t mean a whole lot of extra work for admins this month,” he added.

“The normal updates still apply. OS, browsers, and Office will resolve most of your vulnerabilities from the Microsoft side. SQL and Exchange admins do get a bit of extra work this month as both of those products are included in the updates released.”

Meanwhile, Adobe resolved 17 CVEs for Adobe Reader and Acrobat (APSB20-05), including 12 critical ones, and one critical CVE for Flash Player (APSB20-06). 

Categories: Cyber Risk News

Crypto AG Unmasked: CIA Spied on Governments For Decades

Wed, 02/12/2020 - 09:49
Crypto AG Unmasked: CIA Spied on Governments For Decades

A Swiss company thought to have sold among the most secure encryption products in the world was actually owned by US and German intelligence, allowing the CIA and BND to spy on allies and enemies around the world, it has emerged.

A new report from The Washington Post and Germany’s ZDF claims that Crypto AG, founded during the Second World War, struck a deal with the CIA in the 50s and then passed fully into the hands of US and German intelligence two decades later, before being wound up in 2018.

Internal reports about the operation, codenamed “Thesaurus” and then renamed “Rubicon” in the 80s, reportedly claim it was “the intelligence coup of the century.”

“Foreign governments were paying good money to the US and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries,” the article claimed.

This “five or six” figure would seem to suggest that countries belonging to the Five Eyes intelligence sharing partnership also benefited. In fact, it is claimed that the UK was handed vital intelligence intercepted from the Argentinian military during the Falklands war.

The US was also able to monitor Iranian communications during the 1979 hostage siege and Libyan officials celebrating after terrorists bombed a Berlin nightclub in 1986.

Then-President Ronald Reagan raised suspicions about Crypto AG after citing some of these Libyan communications publicly, but the rumors were never confirmed.

It is claimed the Americans did not ask for backdoors to be inserted into the Crypto AG products; instead they ensured the encryption itself was weak enough to crack fairly easily. When countries suspected something might be up, the US and Germany sent representatives such as the respected academic Kjell-Ove Widman to reassure governments that the products were the most secure in the world.

The revelations may raise new fears about the security or otherwise of platforms like Tor, which arose from a US Defense Department project, and of the potential for China to interfere with Huawei-built equipment.

Categories: Cyber Risk News

Aflac to Open Global Cybersecurity Center in Belfast

Tue, 02/11/2020 - 18:01
Aflac to Open Global Cybersecurity Center in Belfast

A subsidiary of American insurance giant Aflac is to open a global IT and cybersecurity center in the Northern Irish capital city of Belfast. 

Aflac Northern Ireland signed a 10-year lease with Belfast Harbor on 11,000 sq ft of office space within the ongoing multi-million-dollar waterfront development City Quays. With the opening of the new center on regenerated dockland, Aflac Northern Ireland will create 130 jobs by 2023.

City Quays is currently being constructed on a 20-acre stretch of ex-shipping land in Belfast City Centre. Upon completion, the development will boast office spaces, leisure facilities, a four-star AC Hotel by Marriott Belfast, retail spaces, and multi-story parking. 

Aflac Northern Ireland is a subsidiary of Georgia-headquartered Aflac Incorporated, which provides supplemental health insurance to customers in the US and Japan. The company, which is ranked at 143 on the Fortune 500 list, announced plans to invest in Northern Ireland in October 2019.

Joe O’Neill, CEO of Belfast Harbor, welcomed Aflac's decision to site the new center at City Quays, which has already secured leading global law firm Baker McKenzie and the broadcasting organization ITV as tenants.

Baker McKenzie was the first tenant to move into the office space within City Quays in June 2015. In 2018, the company leased an additional floor of space to accommodate its growing business.

O'Neill said: "There are currently over 5,500 workers based in City Quays and Clarendon Dock, and our ambition is that City Quays on completion will accommodate 13,000 people living and working on Belfast’s waterfront."

Keith Farley, managing director and vice president of Aflac Northern Ireland, said: "City Quays offers an ideal location for technology innovation with its modern facilities and amenities."

Aflac's news comes just two weeks after Microsoft announced plans to establish a new cybersecurity center in Belfast. The IT giant's proposed facility is expected to create 85 new jobs.

Economy Minister Diane Dodds described Microsoft's decision to site the center in Belfast as "exciting and welcome news."

Dodds said: "Not only is it a direct result of the skills and talent available here, but it is also an indicator of the strength and vibrancy of the local IT sector, particularly in the field of cyber security."

Categories: Cyber Risk News

White House Asks Congress for Largest IT Budget in History

Tue, 02/11/2020 - 16:52
White House Asks Congress for Largest IT Budget in History

President Donald Trump's fiscal 2021 budget includes the largest ever information technology funding request in United States history. 

The White House is asking Congress to approve IT funding of $92.1 billion, up from the $91.9 billion sought in 2020 and the $88.7 billion requested in 2019. By contrast, the amount of cash the president is seeking to spend on cybersecurity in 2021 dropped from the $18.79 billion he asked for in 2020 to $18.18 billion. 

According to the budget, funds secured for IT "will be used to deliver critical citizen services, keep sensitive data and systems secure, and to further the vision of modern Government."

Modernization is a key focus of the budget, with the administration revealing plans to replace highly customized, internally developed, and often single task–oriented systems that are costly to maintain and secure with "commercial off the shelf technologies that largely enable more efficient use of Federal technical resources."

The budget states: "The Administration continues to pursue its IT Modernization CAP Goal, with its three-pronged approach focusing on enhancing Federal IT and digital services, reducing cybersecurity risks to the Federal mission, and building a modern IT and cybersecurity workforce."

Federal chief information officer Suzette Kent said on Monday the IT budget was about "not only improving service, but saving money as well." 

Kent said: "You see investments in shared services continue that helps us save money across agencies on the modernization side. We will continue the savings as we consolidate data centers."

Another key policy identified in the budget is advancing automation, artificial intelligence (AI), and robotic process automation (RPA).

The budget states: "To maintain America’s AI advantage, federal agencies are to focus on two distinct areas. The first area of focus is internal—Federal use of AI to better achieve agency missions and serve citizens.

"The second focus area is external—including provision of data and related resources to support the private sector and academia in their efforts to harness AI. In both of these areas, the administration’s policies and strategies aim to accelerate AI innovation to increase our prosperity, enhance our national/economic security, and improve our quality of life."

Categories: Cyber Risk News

China Denies Involvement in Equifax Hack

Tue, 02/11/2020 - 15:17
China Denies Involvement in Equifax Hack

The People's Republic of China (PRC) has denied any involvement in the Equifax hack that saw the personal data of nearly half of America's population exposed. 

Yesterday the United States' Department of Justice issued a nine-count indictment against four Chinese military personnel in connection with the cyber-attack, which took place from May to July 2017.

The US alleges that Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可), and Liu Lei (刘磊), who are all members of the Chinese People's Liberation Army (PLA), conspired to access Equifax's computer systems. The defendants are accused of stealing trade secrets and the personal data of 145 million American citizens from the credit reporting agency. 

In a statement issued today from Beijing, PRC foreign ministry spokesperson Geng Shuang strongly denied that the Chinese military or government were responsible for this or any other cyber-attack. 

During a briefing, which was held over social media app WeChat to minimize the risks associated with the current outbreak of coronavirus in the PRC, Geng wrote: "We firmly oppose and combat cyberattacks of any kind. China is a staunch defender of cybersecurity."

Geng further denied that the theft of data from Equifax had been a state-sponsored initiative conducted with the backing of the PRC.

"The Chinese government, military and relevant personnel never engage in cyber-theft of trade secrets," wrote Geng.

According to Geng, the same cannot be said of the United States, which he accused of carrying out cyber-espionage activities on a grand scale.

In the international diplomacy equivalent of the time-honored playground retort, "whoever smelt it, dealt it," Geng portrayed America rather than China as the cyber-aggressor.

Geng wrote: "It has long been an open secret that relevant departments in the US, in violation of international law and basic norms governing international relations, have been engaging in large-scale, organized and indiscriminate cyber stealing, spying and surveillance activities on foreign governments, enterprises and individuals."

Geng went on to cite the cases of WikiLeaks and whistleblower Edward Snowden as examples of the "hypocrisy and double standards" being exercised by America when it came to cybersecurity.

He added: "According to plenty of information that has been made public, US agencies have been engaging in cyber intrusion, surveillance and monitoring activities on foreign governments, institutions, enterprises, universities and individuals, including on its allies."

Categories: Cyber Risk News

Year of the Catfish: 27% of Dating Site Users Scammed

Tue, 02/11/2020 - 12:00
Year of the Catfish: 27% of Dating Site Users Scammed

The UK banking industry is warning consumers not to fall victim to romance fraud, after revealing that over a quarter (27%) of dating website users have been scammed by fake personas over the past year.

Known as "catfishing," these scams usually involve a fraudster posing as someone they're not in order to gain the trust of those looking for love on a dating site.

Once they’ve ingratiated themselves, they typically will try to trick the victim into wiring them funds to deal with an ‘emergency,’ or even to become unwitting money mules.

Over a fifth (21%) of dating website users told UK Finance they have either been asked for money or have given money to someone that they met online. The average amount was £321, although in total £7.9m was lost to romance scams in the first half of 2019, an increase of 50% on the previous year.

The banking lobby group warned that over half (55%) of dating site users are inviting trouble by claiming to trust the people they meet online before they’ve seen them in person.

Men (33%) were more likely to say they had been catfished than women (20%), and also more likely to be asked for money than women (26% versus 15%).

Katy Worobec, managing director of economic crime at UK Finance, urged netizens to be cautious ahead of Valentine’s Day on Friday.

“Romance scams are both emotionally and financially damaging for victims,” she added.

“Although banks are always looking out for suspicious activity, customers must be on their guard and protect themselves too. Always be wary of requests for money from someone you’ve never met in person. If you think you’ve been the victim of a romance scam, contact your bank immediately.”

The research comes a week after the FBI released a similar warning to lonely hearts. According to the Bureau’s Internet Crime Complaint Center (IC3), 18,000 victims reported losses of over $362m in 2018.


Categories: Cyber Risk News
