Info Security

Oracle Issues Record CPU with 334 Patches

Fri, 01/17/2020 - 12:35

Oracle has hit an all-time record for the number of security fixes issued in a critical patch update (CPU), providing sysadmins with over 330 fixes in its first quarterly release of the decade.

The enterprise software giant issued 334 patches in total across more than 90 products this week. As such, January 2020 easily beats the previous largest CPU, consisting of 308 fixes in July 2017.

Oracle strongly urged firms to apply the patches as soon as possible, claiming that attacks have had success in compromising customers that failed to update their systems promptly. However, there are short-term alternatives.

“Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack,” it explained.

“Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

Among the products affected by this quarter’s CPU are popular platforms including:

  • Oracle Database Server (12 new patches, three remotely exploitable)
  • Oracle Communications Applications (25 patches, 23 remotely exploitable)
  • Oracle E-Business Suite (23 patches, 21 remotely exploitable)
  • Oracle Enterprise Manager (50 patches, 10 remotely exploitable)
  • Fusion Middleware (38 patches, 30 remotely exploitable)
  • Java SE (12 patches)
  • JD Edwards (9 patches)
  • MySQL (19 patches, 6 remotely exploitable)
  • Siebel CRM (5 patches)
  • Oracle Virtualization (22 patches, 3 remotely exploitable)
  • PeopleSoft (15 patches, 12 remotely exploitable)

It’s a busy time of the year for IT administrators. Earlier this week, Microsoft released fixes for scores of vulnerabilities in the last regular Patch Tuesday for Windows 7 and Server 2008.

These included a serious bug disclosed by the NSA which could allow attackers to circumvent existing security by ‘signing’ malware with a legitimate-looking certificate.

Categories: Cyber Risk News

Equifax Breach Settlement Could Cost Firm Billions

Fri, 01/17/2020 - 10:40

Equifax could end up paying as much as $9.5bn following a data breach settlement branded one of the largest in history by its presiding judge.

The credit reporting giant suffered a major cyber-attack in 2017 after hackers exploited an unpatched Apache Struts vulnerability, compromising highly sensitive personal and financial information on around 148 million customers.

Over two-fifths (44%) of the population of the US are thought to have been affected.

This week, a court in Georgia finally approved a settlement in the long-running class action case that followed the breach, which will require Equifax to pay $380.5m, plus potentially an extra $125m, to satisfy claims of out-of-pocket losses.

However, that’s just a small part of the overall financial impact of the ruling.

The firm has agreed to spend at least $1bn on improving its cybersecurity posture over the coming five years. It will also need to fund several years of credit monitoring from Experian and its own services for class members. That could amount to an extra $2bn if all 140 million+ customers sign up.

That’s not to mention the $6bn in credit monitoring services already being claimed by several million class members, their $77.5m in attorney fees and further amounts in litigation expenses that Equifax will need to pay.

The total could creep up towards $10bn — a cautionary tale for organizations tempted to focus on business growth at the expense of cybersecurity and risk mitigation.

“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” wrote district judge Thomas Thrash.

“The minimum cost to Equifax of the settlement is $1.38bn and could be more, depending on the cost of complying with the injunctive relief, the number and amount of valid claims filed for out-of-pocket losses and the number of class members who sign up for credit monitoring.”

Data Breach Site WeLeakInfo Suspended as Feds Swoop

Fri, 01/17/2020 - 09:56

The FBI has joined forces with the UK’s National Crime Agency (NCA) and other law enforcers to suspend a popular website which sells access to stolen data.

The WeLeakInfo[.]com domain was seized by the Feds after the District Court for the District of Columbia issued a warrant, although its administrators are still at large.

Although the site claimed to be focused on helping breached internet users discover if their personal data had been compromised, by selling access to billions of records it also provided a useful resource for cyber-criminals looking to launch credential stuffing, phishing and other attacks.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts,” a statement from the Department of Justice explained.

“The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).”

The way it operated stood in contrast to legitimate breach notification site HaveIBeenPwned, which only lets users know if their accounts have been compromised, rather than providing access to troves of breached data.

Jake Moore, cybersecurity specialist at ESET, argued that hackers can do a great deal of damage even just with limited sets of breached emails and names.

“The big risk comes from brute force attacks, where criminals use common password combinations against emails to try and break into personal accounts,” he added.

“An incredibly large amount of people still use predictable or simple passwords. Many people's passwords are also readily available on the dark web, so it quickly and simply becomes an exercise in joining the dots for the cyber-criminals.”

The FBI is seeking any information on the owners and operators of WeLeakInfo.

Emotet Locked onto US Military and Government

Thu, 01/16/2020 - 17:25

New research into the latest victims of Emotet has found increased instances of the malware affecting the United States of America's government and military.

The pernicious malware, which is spread via email, has been infecting organizations all over the world since 2014. By shining a spotlight on Emotet's recent activities, researchers at Cisco Talos discovered that the US government is among the latest victims to be compromised. 

Researchers made the discovery by closely examining the patterns of outbound email associated with the malware. 

A Talos spokesperson said: "If a person has substantial email ties to a particular organization, when they become infected with Emotet the effects would manifest in the form of increased outbound Emotet email directed at that organization. 

"One of the most vivid illustrations of this effect can be seen in Emotet's relationship to the .mil (U.S. military) and .gov (U.S./state government) top-level domains (TLDs). 

"When Emotet emerged from its summer vacation back in mid-September 2019, relatively few outbound emails were seen directed at the .mil and .gov TLDs. But sometime in the past few months, Emotet was able to successfully compromise one or more persons working for or with the U.S. government."

The malware's successful compromise of at least one US government employee led to what researchers described as a "rapid increase" in the number of infectious Emotet messages directed at the .mil and .gov TLDs in December 2019.

Following a brief spot of respite over the winter holidays, Emotet is once again causing trouble. Cisco Talos said that the upward trend in the quantity of messages directed at .mil and .gov had "continued into January 2020."

Emotet works by stealing a victim's email, then impersonating the victim and sending copies of itself in reply. The malicious emails are delivered through a network of stolen SMTP accounts.

Recipients, conned into thinking that they are receiving a message from a friend or professional colleague, open the email and are then infected.

The simplicity of Emotet's attack strategy belies its effectiveness. "This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times," said researchers. 

LORCA Announces Fourth and Largest Cohort of Cybersecurity Innovators

Thu, 01/16/2020 - 17:01

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the 20 scale-ups selected to join its fourth cohort of cyber-innovators.

The latest group is LORCA’s largest and most international yet – including companies from the UK, Israel, Spain, Switzerland, Denmark, Singapore and the US – using technologies such as automation and quantum to protect UK industry against the latest threats.

LORCA is hosted and delivered by Plexal at Here East in London’s Queen Elizabeth Olympic Park. The year-long project will support the 20 new companies to scale, secure investment, access new markets and participate in overseas trade missions, with the ultimate aim of growing the British cybersecurity industry.

The scaleups will also receive technical and commercial support from the program’s delivery partner Deloitte and engineering expertise from the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

LORCA launched in June 2018 with backing from the Department for Digital, Culture, Media & Sport and has enrolled 55 companies into its program.

The latest cohort includes scaleups with a range of cutting-edge solutions, invited to apply based on three innovation themes identified by industry leaders from various sectors:

  • Connected Economy
  • Connected Everything
  • Connected Everyone

Saj Huq, program director, LORCA, said: “LORCA exists to bring cutting-edge technology to market and to enable the most promising cyber-innovators to become globally competitive businesses. The international reach and the variety of solutions within our incoming fourth cohort is an exciting demonstration of both the strength and attractiveness of the UK market, as well as an illustration of the increasingly prominent role that LORCA plays as a convener and collaborator within the global innovation ecosystem.”

The 20 companies enrolling in the latest cohort are:

  1. Acreto
  2. Anzen Technologies Systems
  3. Avnos
  4. Contingent
  5. Continuum Security
  6. Darkbeam
  7. Heimdal Security
  8. Keyless
  9. Kinnami
  10. L7 Defence
  11. Orpheus
  12. Osirium
  13. Risk Ledger
  14. ShieldIOT
  15. SureCert
  16. ThreatAware
  17. ThunderCipher (Licel)
  18. Variti
  19. VIVIDA
  20. Westgate Cyber Security

Bill for New Orleans Cyber-Attack $7m and Rising

Thu, 01/16/2020 - 16:02

The December cyber-attack on the southern city of New Orleans has caused over $7m of damage.

New Orleans mayor Latoya Cantrell said yesterday that the already alarmingly high figure continues to grow as the city recovers from the incident. 

A cyber-insurance policy taken out by New Orleans prior to the attack has allowed the Big Easy to recover $3m, but the popular vacation city will still be left cruelly out of pocket as a result of the incident. According to Cantrell, the cost is just something that the city will "have to eat."

"This is something that we have to deal with as a city and it is an expense that we also have to eat as a city. It speaks to the priority of infrastructure that has always been a priority of mine and it also speaks to the real push for maintenance of infrastructure. This will be ongoing," Cantrell told Fox8.

The $7m figure does not include the cost of paying a ransom to the attack's perpetrators, who, despite using ransomware to cripple the city's computer networks, never issued a ransom demand. 

In a stoic display of optimism, Cantrell told Fox8 that the ravages wrought by the attack, although bad, could have been far worse. 

She said: "The early detection and the intrusion helped us one. IT halted our networks, shut them down completely, which prevented this cyber-attack from being catastrophic."

Recovery from the attack is still a long way off, according to the city’s chief administrative officer, Gilbert Montano, as New Orleans is currently wading through a significant backlog of work that resulted from the forced reversion to manual governance.

"Now, we’re in the stabilization period. We are trying to rebuild what we had to turn off essentially and that is a long, laborious, time-sensitive process and that’s where I am telling staff and employees we’re looking maybe at a six to eight month window before actual normalcy starts to integrate all of our systems," said Montano.

Expenses that are included in the $7m figure are the cost of purchasing 3,400 new computers and improving the city's IT infrastructure in an effort to prevent future cyber-catastrophes.

ISA Global Cybersecurity Alliance Triples Membership

Thu, 01/16/2020 - 15:00

A worldwide cybersecurity alliance established last year by the International Society of Automation (ISA) has tripled its membership in just six months. 

The ISA Global Cybersecurity Alliance (ISAGCA) drew its first breath in July 2019. The organization was set up with the intention to provide an open, collaborative forum to advance cybersecurity awareness, readiness, and knowledge sharing. 

Founded with six initial members, ISAGCA announced on Tuesday that its ranks have since swelled to include an additional 23 companies and organizations. 

As of the end of 2019, the original vanguard of Schneider Electric, Rockwell Automation, Honeywell, Johnson Controls, Claroty, and Nozomi Networks had been strengthened by the addition of aeSolutions, Bayshore Networks, Beijing Winicssec Technologies Co. Ltd., Digital Immunity, Dragos, exida, ISA Security Compliance Institute, ISA99 Committee, Idaho National Laboratory, LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity), Mission Secure, Inc., Mocana Corporation, Munio Security, PAS Global, Radiflow, Senhasegura (supporting member), Tenable, TiSafe, Tripwire, WisePlant, Wallix Group, and Xage Security.

The new adherents to the cause have all joined as founding members. Alliance membership is open to all end users, asset owners, government agencies, and other cybersecurity-focused organizations. 

"The cyber threat to critical infrastructure has never been greater," said Eddie Habibi, founder and CEO of newly welcomed ISAGCA member PAS Global.

ISA executive director Mary Ramsey said: "When we pair ISA's standards expertise with the real-world experience of companies like PAS, we can make major strides in advancing cybersecurity.

"Our founding members are united in their belief that security is a journey, not a destination, and they are committed to developing the resources that asset owners need to make progress." 

New alliance member Tripwire was sensible of the organization’s potential to influence cybersecurity around the globe. 

A Tripwire spokesman said: "In becoming a founding member of ISA Global Cybersecurity Alliance, Tripwire will participate in creating initiatives to increase industry awareness, creating education and certification programs, and advocating for sensible cybersecurity approaches with regulatory bodies and world governments."

ISAGCA is organized into four general focus areas: Awareness & Outreach, Compliance & Prevention, Education & Training, and Advocacy & Adoption. Each area has an attached working group, actively working on projects that include creating an easy-to-follow, condensed guide to implementing the ISA/IEC 62443 series of standards and setting up a database of speakers with expertise and experience in automation cybersecurity who are willing to present at industry events.

Business Disruption Attacks Most Prevalent in Last 12 Months

Thu, 01/16/2020 - 13:25

Business disruption was the main objective of attackers in the last year, with ransomware, DDoS and malware commonly used.

According to the CrowdStrike Services Cyber Front Lines Report, which offers observations from its incident response and proactive services, over a third (36%) of incidents involved ransomware, destructive malware or denial-of-service attacks. CrowdStrike categorized these three as focused on “business disruption,” and while an adversary’s main goal in a ransomware attack is financial gain, the impact of disruption to a business can often outweigh the loss incurred by paying the ransom.

Data theft was also observed in 25% of the investigated incidents, including the theft of intellectual property, personally identifiable information and personal health information. IP theft has been linked to numerous nation-state adversaries that specialize in targeted intrusion attacks, while PII and PHI data theft can enable both espionage and criminally motivated operations.

“Typically, this type of data may be used by a cyber-espionage actor to build a dossier on a high-profile target, or a cyber-criminal may sell or ransom the information,” the report said.

To get on to a network, the most popular vector was spear-phishing, accounting for 35% of investigated cases, compared to 16% using web attacks and another 16% using compromised credentials.

Jack Mannino, CEO at nVisium, told Infosecurity that in many cases, we’re struggling with many of the same issues from a decade ago, while we’re seeing an increase in attacks against cloud infrastructure and systems.

“While many organizations have been in the cloud for a while, countless teams are still undertaking transformation and are attempting to replicate security controls that they have developed internally within a new architecture,” he said.

The report also found that organizations that meet CrowdStrike’s 1-10-60 benchmark — detect an incident in one minute, investigate it in 10 minutes and remediate within an hour — improve their chances of stopping cyber-adversaries. However, another recent survey found that the vast majority of organizations struggle to meet the 1-10-60 standard, even though most of them see adherence to the rule as a “game changer” in ensuring protection. “Adhering to the rule is a challenging benchmark that requires speed and experience,” the report said.

Shawn Henry, chief security officer and president of CrowdStrike Services, said: “The report offers observations into why ransomware and business disruption dominated headlines in 2019 and gives valuable insight into why issues with adversarial dwell time remain a problem for businesses around the world. Strong cybersecurity posture ultimately lies within technology that ensures early detection, swift response and fast mitigation to keep adversaries off networks for good.”

Rui Lopes, engineering and technical support manager at Panda Security, said that the use of cyberspace to carry out all kinds of malicious activities is not going anywhere in 2020, “and while cybersecurity players work to mitigate attacks, organizations struggle on their end with a gap in security experts which may not be covered even if they have a budget for it.”

China Promises Action on Tech Transfers and IP Protection

Thu, 01/16/2020 - 12:00

Phase One of the US-China trade deal has finally been signed, with promises from Beijing that it will improve protection of IP and trade secrets and end forced tech transfers, although security experts will be skeptical.

The majority of the headlines focused on the scrapping of some mooted tariffs on goods from China including mobile phones and computers, as well as promises to increase imports of US goods by $200bn.

However, in the document itself, major sections are devoted to several areas of concern for many US businesses over the past decade or more.

These include the forced transfer of IP to a local Chinese partner that many foreign businesses have been required to follow in order to gain access to the country’s vast market. In the new document, both parties recognize that such transfers should only happen on “voluntary, market-based terms.”

“Neither Party shall require or pressure persons of the other Party to transfer technology to its persons in relation to acquisitions, joint ventures, or other investment transactions,” it continued.

The new deal also contains significant new promises by China to improve protection of intellectual property, trade secrets and confidential business information and combat counterfeiting and piracy online.

“China recognizes the importance of establishing and implementing a comprehensive legal system of intellectual property protection and enforcement as it transforms from a major intellectual property consumer to a major intellectual property producer,” it said.

Specifically, China has agreed to impose “heavier punishment” including jail time and monetary fines to deter IP theft.

However, it remains to be seen whether any of the promises made by Beijing are adhered to.

Both the US and UK famously signed an agreement with China in 2015 promising it would cease all economic espionage activity. Experts revealed that activity began to ramp up again from the Chinese side soon after.

China is also increasing its collection of sensitive corporate data from all firms operating within its borders, under a new corporate social credit system, which recently raised alarm bells at the EU Chamber of Commerce in China.

This could effectively achieve the same end for the Chinese government as forced tech transfers, it warned.

“The system of regulatory ratings necessitates the collection of massive amounts of company data, mostly through mandatory data transfers to government authorities, creating an increasingly complete disclosure of a company’s profile,” the report claimed. “Large data transfers are likely to include some sensitive data points, such as technological details and personnel information.”

Researchers have also recently revealed how Chinese state hacking groups are increasingly using local companies as a front for their espionage activities.

Trump Takes on Apple Over FBI's Backdoor Request

Thu, 01/16/2020 - 11:00

Donald Trump has hit out at Apple after it refused to unlock the iPhone of a suspected terrorist shooter who killed three sailors last month, setting the firm on another collision course with the authorities over its stance on user privacy.

In a developing story reminiscent of the San Bernardino shootings four years ago, Apple declined to help the FBI unlock the smartphone of a 21-year-old Royal Saudi Air Force lieutenant who went on a killing spree at Pensacola Air Force base.

Although it claimed to have given the FBI “all of the data in our possession” when approached by agents a month ago, Apple maintained that bypassing the killer’s passcodes would create a dangerous precedent.

“We have always maintained there is no such thing as a backdoor just for the good guys. Backdoors can also be exploited by those who threaten our national security and the data security of our customers,” it said in a statement.

“Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly encryption is vital to protecting our country and our users' data.”

However, that wasn’t good enough for attorney general William Barr, who has previously slammed tech companies for their stance on encryption, and Trump, who took to Twitter to share his ire with the world.

“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW!” he wrote.

The world’s leading encryption experts agree with Apple and other tech firms that creating backdoors for law enforcers would ultimately undermine security for hundreds of millions of legitimate business and personal users.

In 2018 they penned an open letter to FBI director, Christopher Wray, asking him to explain the technical basis for the Feds’ repeated claims that encryption backdoors can be engineered without impacting user security.

That request remains unanswered.

WEF Fears Cyber-Threats and Digital Fragmentation

Thu, 01/16/2020 - 10:14

Digital fragmentation and cyber-threats are among the top 10 biggest risks facing global businesses over the coming decade, according to the latest World Economic Forum (WEF) report.

The annual Global Risks Report is compiled from interviews with business leaders, academics and others from around the world.

This year there was a heavy focus on environmental concerns, but cyber-related risks also featured strongly, as they have done for years.

In total, 76% of respondents claimed that cyber-attacks disrupting operations and infrastructure would increase in 2020, while a similar number (75%) said the same about online data and financial theft.

Cyber-attacks were also placed in the top 10 risks table in terms of likelihood and impact over the coming decade, while data theft/fraud made it into just the former category.

Information infrastructure breakdown also made it into the top 10 most impactful risks for the coming decade, reflecting respondents’ concerns around the increasingly fragmented online world brought about by geopolitical rivalries and competing standards.

The WEF report pointed to fourth industrial revolution (4IR) technologies as bringing tremendous gains to society and the global economy, but also unintended cyber-risk, as the attack surface grows exponentially.

Quantum computing, 5G, cloud computing, AI and IoT were all highlighted as areas of concern, as was the lack of an effective and unified global cyber-governance framework.

Fragmentation of the digital world threatens to stifle the development of 4IR technologies and will add extra cost for businesses, it warned.

“Businesses are facing the challenge of implementing existing cybersecurity and 4IR standards (where they exist), while ensuring compliance with fragmented regulations on accountability, transparency, bias and privacy for developing — or simply applying — 4IR technologies,” the report continued.

“Because government and corporate leaders equally share the responsibility for promoting global cybersecurity and digital trust, cooperation between the public and private sectors is more vital than ever in areas such as information-sharing, collaboration with law enforcement agencies, and skill and capacity development.”

Renaud Deraison, CTO at Tenable, said the report’s findings made sense.

“As the world seeks continued growth and competitiveness in the global economy, we’re seeing many new projects take off, including building modern factories that are highly automated. This innovation can’t happen without a good grasp of the security and integrity of the digital components those factories rely on,” he argued.

“It’s not just about stopping bad actors from damaging these mission-critical services, as experienced in cities across the world, it's also about preventing them from getting a foothold in our environments to cause harm, be it physical, data theft or financial gain.”

Dagenham Duo Jailed for Hacking Bank Accounts

Wed, 01/15/2020 - 16:53

Two Dagenham residents have been put behind bars after compromising more than 700 bank accounts and cell phone accounts to commit fraud in a six-year crime spree.

Nigerian-born Oluwaseun Ajayi, aged 39, and 49-year-old Inga Irbe hacked into bank accounts then applied for loans, credit cards, and additional bank accounts in the names of their victims. 

An investigation by the Metropolitan Police’s Central Specialist Crime—Cyber Crime Unit revealed that the duo also committed multiple incidences of phone upgrade fraud by gaining unauthorized access to strangers' cell phone accounts and ordering £12,000 worth of new devices. 

Police searches of the address shared by Irbe and Ajayi resulted in the seizure of numerous items, including multiple cell phones, SIM Cards, iPads, and a laptop. Correspondence and bank cards in other people’s names were also confiscated, along with £1,200 cash in £50 notes.

The pair, who both reside at Orchard Road, Dagenham, and who may be romantically involved, were found guilty of two counts of conspiracy to defraud and two counts of conspiracy to commit fraud by false representation between February 1, 2012, and May 14, 2018. Ajayi was further found guilty of failing to comply with a Section 49 RIPA notice to disclose his phone's PIN number to police.

The guilty verdicts were reached by a jury at Croydon Crown Court on November 27. In the same court, on Friday, January 10, Ajayi was sentenced to five years and six months in prison, while Irbe was handed a community order of 12 months and ordered to complete 170 hours of unpaid work.

Detective Inspector Gary Myers said: "Ajayi and Irbe committed these offences in a manner that showed a lot of pre-planning and deception.

"However, they were not able to deceive officers, who carried out a thorough investigation which has brought these two criminals to justice.

"While cybercrime can often be complex and investigations take months, Met officers will not relent in pursuing those that hide behind their keyboards to steal other people's money and make their lives a misery."

Hidden Hotel Room Cameras Spark Investigation

Wed, 01/15/2020 - 15:49

An investigation has been launched by the Wisconsin Department of Justice and local police after hidden cameras were found in a downtown Minneapolis, Minnesota, hotel room.

The creepy discovery was made by a group of high school students who were staying at the Hyatt Regency Minneapolis hotel on 7th Street while on an overnight field trip with their school's business club. The trip took place over the first weekend of December last year. 

Police confirmed that students found multiple cameras in the room but have not disclosed exactly how many devices were involved in the incident. 

After East High School DECA students informed the school of the discovery, the Madison school district placed an unidentified staff member who had accompanied the students on the field trip on an administrative leave as a precautionary measure. 

DECA is an international organization that aims to educate youngsters about jobs in marketing, finance, and hospitality. The organization runs events and competitions to encourage student interest in the business world. 

Agents from the Wisconsin Department of Justice (DoJ) and Minneapolis police are investigating the incident, along with previous trips run by East DECA. 

In an email sent to students' parents on December 16, interim principal of East High School Brendan Kearney wrote: "We are sorry to have to contact you in this way and can only imagine what you must be feeling. 

"We want you to know that East and (the Madison school district) will do whatever we can to protect and support both our current and former students."

Included in Kearney's missive was a message from DoJ agent Jesse Crowe, which confirmed that the agency’s Division of Criminal Investigation was leading an investigation into any events that occurred prior to the business club's December trip, including anything that occurred outside the state.

According to CBSN Minnesota, a search warrant was served on a home in Cottage Grove, Wisconsin, on December 12 in connection with the incident, but no arrests were made. Police later asked a judge to seal the contents of the warrant.

Former DECA trip participants have been provided with an email address to which they were invited to submit any relevant information regarding former events and excursions. 

The Madison school district intends to carry out its own investigation into the incident after the investigation by law enforcement concludes.

Categories: Cyber Risk News

UK Announces AI Warship Contracts

Wed, 01/15/2020 - 14:57
UK Announces AI Warship Contracts

Britain's Ministry of Defense today announced contracts to create "revolutionary" warships that use artificial intelligence (AI) to make quicker decisions.

The Defense and Security Accelerator (DASA), part of the Ministry of Defense (MoD), said that an initial funding wave of £4m had been allocated to the project.

"The funding aims to revolutionize the way warships make decisions and process thousands of strands of intelligence and data by using Artificial Intelligence," said DASA.

The contracts are part of DASA’s Intelligent Ship—The Next Generation competition, which seeks to uncover inventive approaches for Human–AI and AI–AI teaming across a variety of defense platforms, such as warships, aircraft, and land vehicles. 

The competition was set up to source technology-based solutions that will prove effective in 2040 and beyond, with the potential to completely change the way warships are built and how they operate. 

DASA, on behalf of the Defense Science and Technology Laboratory (Dstl), is looking at how future defense platforms can be designed and optimized to exploit current and future advances in automation, autonomy, machine learning, and artificial intelligence. 

Nine projects will share an initial £1m to develop technology and innovative solutions capable of overcoming the increasing information overload faced by Royal Navy crews. 

"Crews are already facing information overload with thousands of sources of data, intelligence, and information. By harnessing automation, autonomy, machine learning and artificial intelligence with the real-life skill and experience of our men and women, we can revolutionize the way future fleets are put together and operate to keep the UK safe," said Julia Tagg, technical lead from Dstl.

Despite being titled Intelligent Ship, a warship is just the prototype demonstrator for this competition. Effective technological solutions born from the project could be rolled out to the British Army and also the Royal Air Force.

"The astonishing pace at which global threats are evolving requires new approaches and fresh-thinking to the way we develop our ideas and technology. The funding will research pioneering projects into how A.I and automation can support our armed forces in their essential day-to-day work," said Defense Minister James Heappey.

Categories: Cyber Risk News

UK Consultancies Leak Data on Thousands of Workers

Wed, 01/15/2020 - 12:00
UK Consultancies Leak Data on Thousands of Workers

Thousands of UK business professionals have had their personal details exposed online via a leaky Amazon Web Services bucket, after researchers discovered files belonging to multiple consulting firms.

The misconfigured S3 bucket is thought to have been left publicly readable, with no authentication required, by a London-based company known as CHS Consulting, according to vpnMentor.

However, as the firm has no website the researchers have been unable to confirm ownership of the bucket, which was labelled “CHS.”

What they do know is that it contained files from the HR departments of multiple UK consulting firms including Eximius Consultants, Dynamic Partners and IQ Consulting. Most of the data is from 2014-15 although records go back to 2011.

It included passport scans, tax documents, criminal record information and background checks, HMRC-related paperwork, emails and private messages as well as a range of PII including names, email and home addresses, dates of birth and phone numbers.
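In S3 terms, "publicly viewable with no authentication" means one of two things: a bucket ACL grant to the global AllUsers (or AuthenticatedUsers) group, or a bucket policy Allow statement with a wildcard principal, and either can be neutralized by the bucket's or account's Public Access Block settings. The following is an added example, not vpnMentor's tooling or anything from the page, that evaluates those three inputs offline. The ACL, policy and Public Access Block dictionaries are constructed samples in the shape boto3 returns from get_bucket_acl, get_bucket_policy (after json.loads of its Policy string) and get_public_access_block; the bucket name hr-files is a placeholder.

```python
import json
from typing import Any, List, Optional, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone on the internet", AUTH_USERS: "any AWS account"}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_exposure(acl: dict, policy: Optional[dict], pab: Optional[dict]) -> List[Tuple[str, bool]]:
    """Return (finding, effective) pairs describing how the bucket is reachable
    without the owner's credentials.

    acl    -- get_bucket_acl() response
    policy -- parsed bucket policy document, or None when the bucket has none
    pab    -- PublicAccessBlockConfiguration, or None when unset
    effective=False means Public Access Block suppresses the grant, or a Condition
    narrows it and a human should read the Condition before calling it safe.
    """
    pab = pab or {}
    findings: List[Tuple[str, bool]] = []
    # 1. ACL grants to the global groups; IgnorePublicAcls makes them inert.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            who = PUBLIC_GROUPS[grantee["URI"]]
            suppressed = bool(pab.get("IgnorePublicAcls"))
            findings.append((f"ACL grants {grant.get('Permission')} to {who}", not suppressed))
    # 2. Allow statements with a wildcard principal; RestrictPublicBuckets limits
    #    them to the owning account and AWS service principals.
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        effective = not pab.get("RestrictPublicBuckets") and "Condition" not in stmt
        note = " (conditional)" if "Condition" in stmt else ""
        findings.append((f"policy allows {actions} to principal *{note}", effective))
    return findings


def is_public(acl: dict, policy: Optional[dict], pab: Optional[dict]) -> bool:
    """True when at least one unconditional, unsuppressed public grant exists."""
    return any(effective for _, effective in public_exposure(acl, policy, pab))


# Constructed samples resembling the API responses (not the real "CHS" bucket's settings).
WIDE_OPEN_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
OWNER_ONLY_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [WIDE_OPEN_ACL["Grants"][0]]}
PUBLIC_READ_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hr-files/*"}]}""")
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    cases = {"ACL open, no PAB": (WIDE_OPEN_ACL, None, None),
             "policy open, no PAB": (OWNER_ONLY_ACL, PUBLIC_READ_POLICY, None),
             "both open, PAB on": (WIDE_OPEN_ACL, PUBLIC_READ_POLICY, BLOCK_ALL)}
    for label, args in cases.items():
        print(label, "->", "PUBLIC" if is_public(*args) else "not public", public_exposure(*args))
```

To run it against live buckets, feed it `s3.get_bucket_acl(Bucket=b)`, `json.loads(s3.get_bucket_policy(Bucket=b)["Policy"])` (a NoSuchBucketPolicy error means pass None) and `s3.get_public_access_block(Bucket=b)["PublicAccessBlockConfiguration"]` (NoSuchPublicAccessBlockConfiguration means None), and also fetch the account-level block through the s3control client, since it overrides the bucket-level one.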

“Had criminal hackers discovered this database, it would have been a goldmine for illicit activities and fraud, with potentially devastating results for those exposed,” argued vpnMentor.

“If you’re a UK-based consultant or consulting firm and are concerned about this breach, contact the CERT-UK to understand what steps are being taken to keep your data safe and ensure it has not been leaked.”

The researchers contacted CERT-UK on December 10, a day after discovering the leak, and followed up with AWS a week later. The cloud giant took action a day later, on December 19, to secure the bucket.

This is just the latest of several incidents in which large cloud databases containing highly sensitive personal information have been discovered by the research team.

Other companies found wanting include LightInTheBox, Yves Rocher and Autoclerk. In one incident, the names, phone numbers and financial information of approximately 20 million Ecuadoreans, virtually the entire population, were exposed online.

Categories: Cyber Risk News

Mobile Apps Sharing Personal Data Illegally, Consumer Group Claims

Wed, 01/15/2020 - 11:15
Mobile Apps Sharing Personal Data Illegally, Consumer Group Claims

Several mobile apps, including Grindr, OKCupid and Tinder, have been found sending personal information to advertising technology companies in possible violation of European data privacy law, an investigation by a Norwegian consumer group has found.

In its Out of Control report, the Norwegian Consumer Council, a government-funded non-profit group, said it had commissioned security company Mnemonic to study 10 Android apps. The analysis found “serious privacy infringements” in how online ad companies track and profile smartphone users, with the apps sending user data to at least 135 different third-party services involved in advertising or behavioral profiling.

“As it stands, the situation is completely out of control, harming consumers, societies, and businesses,” the report said. Most of the adtech companies that Mnemonic observed receiving personal data have a “questionable legal basis” for harvesting and using consumer data, the report continued.

“If these companies do not have a legally valid basis for processing personal data, the backbone of much of the adtech system may be systemically in breach of the GDPR.”

The Norwegian Consumer Council therefore urged data protection authorities to enforce the GDPR, and for advertisers and publishers to look toward alternative digital advertising methods that respect fundamental rights.

“The digital marketing and adtech industry has to make comprehensive changes in order to comply with European regulation, and to ensure that they respect consumers’ fundamental rights and freedoms.”

Jake Moore, cybersecurity specialist at ESET, said: “When you join a high profile site such as Grindr, you expect to have your data protected and dealt with sensitively. Sadly, data on people is a lucrative currency, and so it can be tempting to share when given the opportunity. I always recommend that people limit the amount of personal data shared on these sites due to the possibility that the data could be targeted with a cyber-attack.”

James McQuiggan, security awareness advocate at KnowBe4, added that it is difficult in today’s society with social media apps for people to actually read the privacy or end user agreements and to understand what is happening with their name, address, pictures, contacts and GPS location once the data is entered into or collected by an app.

“On a lot of social media apps that are not charging users for their service, the users are undoubtedly the product,” he said. “Their information is collected and sold off to third party organizations for revenue for the social media app. Only in recent years are governments finally taking actions such as the GDPR in the UK and recently, the California Consumer Protection Act (CCPA).”

Categories: Cyber Risk News

Russian Phishers Hit Firm at Center of Trump Impeachment

Wed, 01/15/2020 - 10:40
Russian Phishers Hit Firm at Center of Trump Impeachment

An infamous Kremlin-backed hacking group has launched a coordinated phishing campaign aimed at Ukrainian firm Burisma Holdings, in what looks like an attempt to find internal information which could benefit Donald Trump.

Security vendor Area 1 claimed the attacks were carried out by the GRU-linked Fancy Bear (APT28) group responsible for stealing and releasing emails from the Democratic National Committee (DNC) which many believe gave Trump an advantage ahead of the 2016 Presidential election.

It’s no coincidence that the son of current Democratic Presidential hopeful Joe Biden sat on the board of Burisma Holdings. It was Trump’s decision to improperly pressure the Ukrainian President to investigate dealings at the firm that led to his impeachment by the House on charges of abuse of power and obstruction of Congress.

“Our report is not noteworthy because we identify the GRU launching a phishing campaign, nor is the targeting of a Ukrainian company particularly novel. It is significant because Burisma Holdings is publicly entangled in US foreign and domestic politics,” noted the report.

“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyber-attacks undertaken during the 2016 US elections.”

Specifically, the group used lookalike domains hosting a copy of the legitimate Burisma Holdings webmail login portal in order to harvest employee credentials. With those credentials they could read sensitive corporate email and use the compromised accounts to launch further attacks.

To increase the chances of success, the attackers focused on subsidiaries of the company such as KUB-Gas and CUB Energy, and published SPF and DKIM records for the lookalike domains so that their messages would pass sender authentication checks, Area 1 said. Those checks only confirm that a message comes from the domain it names; they say nothing about whether that domain is the real one.

The attacks are thought to have been successful in tricking some Burisma employees to part with their logins.
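Because SPF and DKIM authenticate the sending domain rather than judge it, a "pass" on a lookalike domain is exactly what the attacker wants; the check that catches the campaign described above is on the domain name itself. The example below is added here and is not Area 1's or Burisma's code. The protected domains (example.com and example-energy.com, standing in for a company and a subsidiary), the lookalike senders and the header lines are constructed, and the registrable-domain step uses a two-label simplification where a real filter would consult the Public Suffix List.

```python
import re
import unicodedata
from typing import Iterable, Optional

# Constructed stand-ins for the company and subsidiary domains to protect.
PROTECTED = ["example.com", "example-energy.com"]

# Single-character swaps seen in lookalike registrations: digits and Cyrillic homoglyphs.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x"})
MULTI = [("rn", "m"), ("vv", "w")]  # letter pairs that render like one letter


def normalize(domain: str) -> str:
    """Lowercase, drop a trailing dot, decode punycode (xn--) labels, apply NFKC."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid punycode: keep as is
        pass
    return unicodedata.normalize("NFKC", domain)


def fold(domain: str) -> str:
    """normalize() plus homoglyph folding, so 'examp1e' and 'exarnple' become 'example'."""
    folded = normalize(domain).translate(CONFUSABLES)
    for seq, rep in MULTI:
        folded = folded.replace(seq, rep)
    return folded


def registrable(domain: str) -> str:
    """Last two labels. Assumption: production code uses the Public Suffix List
    so that names such as example.co.uk are split correctly."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected: Iterable[str] = PROTECTED) -> Optional[str]:
    """Return the protected domain that `domain` imitates, or None when it is
    one of the protected domains (or a subdomain of one) or simply unrelated."""
    protected = list(protected)
    reg_exact = registrable(normalize(domain))
    if any(reg_exact == registrable(normalize(p)) for p in protected):
        return None  # genuinely ours: exact match before any folding
    folded = fold(domain)
    cand_name = registrable(folded).split(".")[0]
    for p in protected:
        name = registrable(fold(p)).split(".")[0]
        if cand_name == name:  # homoglyph swap or a different TLD (example.co)
            return p
        if levenshtein(cand_name, name) <= max(1, len(name) // 5):
            return p  # roughly one typo per five characters
        if re.search(rf"(^|[-.]){re.escape(name)}([-.]|$)", folded):
            return p  # our name used as a token: example-mail.com, example.attacker.net
    return None


def assess_message(from_header: str, auth_results: str,
                   protected: Iterable[str] = PROTECTED) -> dict:
    """SPF/DKIM 'pass' in Authentication-Results proves only that the message
    came from the domain it names; flag it when that domain imitates one of ours."""
    protected = list(protected)
    from_dom = from_header.rsplit("@", 1)[-1].strip(" >")
    match = re.search(r"header\.d=([^\s;]+)", auth_results)
    dkim_dom = match.group(1) if match else None
    verdict = {
        "from_domain": from_dom,
        "spf_pass": "spf=pass" in auth_results,
        "dkim_pass": "dkim=pass" in auth_results,
        "dkim_domain": dkim_dom,
        "imitates": lookalike_of(from_dom, protected)
                    or (lookalike_of(dkim_dom, protected) if dkim_dom else None),
    }
    verdict["suspicious"] = verdict["imitates"] is not None
    return verdict


if __name__ == "__main__":
    # Constructed headers: the lookalike sender passes SPF and DKIM because the
    # attacker published those records for the domain they control.
    hdr_from = "IT Support <it@examp1e.com>"
    hdr_auth = "mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com"
    print(assess_message(hdr_from, hdr_auth))
```

The design point is the order of checks: the exact registrable-domain comparison runs before any folding, so a genuine subdomain is never flagged, while the folded comparison catches digit and Cyrillic substitutions that a plain string match would miss.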

Rosa Smothers, senior VP of cyber operations at KnowBe4, explained that phishing is the “go-to methodology” for Russian intelligence services seeking to infiltrate target networks.

“Like any fairly sophisticated and organised hacking campaign, they also ran multiple domains that were just similar enough to legitimate Burisma domains that they went unnoticed by users,” she added.

“At the end of the day, the story here is one of ongoing and escalating social engineering efforts by the Russians against their targets of interest — which is why we should expect and plan for such activities during our upcoming election cycle."

Categories: Cyber Risk News

Microsoft Patches Serious Crypto Flaw Found by NSA

Wed, 01/15/2020 - 09:40
Microsoft Patches Serious Crypto Flaw Found by NSA

Microsoft has kicked off the new decade with fixes for 49 vulnerabilities, including one discovered by the NSA that could allow attackers to spoof digital certificates and bypass security controls.

This month’s Patch Tuesday centered on CVE-2020-0601, a flaw security experts praised the NSA for disclosing to Microsoft rather than keeping for its own offensive use.

Affecting Windows 10 and Windows Server 2016 and 2019, the bug lies in the way the CryptoAPI library (crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source,” warned Microsoft. “The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

A successful attacker could also present spoofed TLS certificates to conduct man-in-the-middle attacks and decrypt confidential traffic, or run malware even in environments that rely on application whitelisting.
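The page does not spell out the mechanism. As described in the NSA advisory and the public analyses that followed, CryptoAPI matched a presented certificate to a cached trusted root by its ECC public key while accepting attacker-supplied explicit curve parameters, including a different generator point. That is fatal because any point Q on the curve can be written as d' times a generator of the attacker's choosing: pick d', set G' = d'^-1 · Q, and d' is now a valid private key for Q under those parameters. The following is an added illustration in pure Python, not Microsoft's code and not a working exploit against Windows; it uses textbook, non-constant-time P-256 arithmetic and reduces a "certificate" to a public key, a generator and an ECDSA signature over a constructed file hash, then places the key-only match beside the fixed check that also requires the parameters to match.

```python
import hashlib
import secrets

# NIST P-256: y^2 = x^3 + A*x + B over F_P, base point G of prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity


def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0


def add(p1, p2):
    """Affine point addition (textbook, not constant-time: demonstration only)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc


def ecdsa_sign(d, gen, z):
    """ECDSA over whichever generator `gen` the parameters name."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = mul(k, gen)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def ecdsa_verify(q, gen, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = add(mul(z * w % N, gen), mul(r * w % N, q))
    return x is not INF and x[0] % N == r


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def spoof_root(trusted_pub):
    """Pick any d' and set G' = d'^-1 * Q so that d' * G' == Q: a 'root' whose
    public key equals the trusted root's, under attacker-chosen parameters."""
    d_prime = secrets.randbelow(N - 1) + 1
    g_prime = mul(pow(d_prime, -1, N), trusted_pub)
    return d_prime, {"pub": trusted_pub, "gen": g_prime}


def validate_vulnerable(root, leaf, trusted):
    """Matches the presented root to the trust store by public key only, then
    verifies the leaf with the parameters carried in the presented root."""
    if any(t["pub"] == root["pub"] for t in trusted):
        return ecdsa_verify(root["pub"], root["gen"], leaf["hash"], leaf["sig"])
    return False


def validate_fixed(root, leaf, trusted):
    """Requires the curve parameters to match the trust-store entry as well,
    and verifies with the trusted entry's own generator, never the presented one."""
    for t in trusted:
        if t["pub"] == root["pub"] and t["gen"] == root["gen"]:
            return ecdsa_verify(t["pub"], t["gen"], leaf["hash"], leaf["sig"])
    return False


def run_demo():
    d_root = secrets.randbelow(N - 1) + 1
    trusted = [{"pub": mul(d_root, G), "gen": G}]   # the real CA on standard P-256
    z = digest(b"malicious.exe")                     # constructed file contents
    d_prime, fake_root = spoof_root(trusted[0]["pub"])
    forged = {"hash": z, "sig": ecdsa_sign(d_prime, fake_root["gen"], z)}
    genuine = {"hash": z, "sig": ecdsa_sign(d_root, G, z)}
    return {
        "forged_accepted_by_vulnerable": validate_vulnerable(fake_root, forged, trusted),
        "forged_accepted_by_fixed": validate_fixed(fake_root, forged, trusted),
        "genuine_accepted_by_fixed": validate_fixed(trusted[0], genuine, trusted),
    }


if __name__ == "__main__":
    print(run_demo())
```

The fixed validator shows the general rule: trust decisions must bind the whole public-key object, parameters included, and the verifier must take those parameters from its own trust store rather than from the object it is trying to verify.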

“Every Windows device relies on trust established by TLS and code signing certificates, which act as machine identities. If you break these identities, you won’t be able to tell the difference between malware and Microsoft software,” argued Kevin Bocek, VP of security strategy and threat intelligence at Venafi.

Todd Schell, senior product manager at Ivanti, urged admins to prioritize fixing the problem.

“The vulnerability is only rated as important, but there have been many examples of CVEs that were only rated as important being exploited in the wild,” he said. “Due to the nature of this vulnerability we would urge companies to treat this as a top priority this month and remediate quickly.”

A second flaw in Windows’ cryptographic services is rated with a lower CVSS score, but should also be prioritized, Schell claimed.

CVE-2020-0620 could allow attackers to overwrite or modify a protected file and elevate their privileges accordingly, although exploiting it first requires the ability to execute code on the targeted system.

“Gaining execute rights on a system is a pretty low bar for most threat actors. Again, our guidance is to treat this as a priority 1 and address it in a timely manner,” said Schell.

This is the last Patch Tuesday that will include fixes for Windows 7 and Server 2008 systems, unless organizations have paid for extended support. If they have not, they will need to upgrade, or invest in virtual patching capabilities to mitigate the increased risk of attack.

“This will increase the risk assumed by those organizations that continue to run Windows 7 or 2008 and we expect attackers will begin actively looking for those operating systems as a ‘soft spot’ for a compromise,” warned Trustwave threat intelligence manager, Karl Sigler.

Categories: Cyber Risk News

App Leaks Thousands of Baby Photos and Videos Online

Tue, 01/14/2020 - 17:06
App Leaks Thousands of Baby Photos and Videos Online

An app designed to record and share milestones in a child's development has leaked thousands of images and videos of babies online.

Bithouse Inc., the developer of the Peekaboo Moments app, failed to secure a 100 GB Elasticsearch database containing more than 70 million log files dating from March 2019. As a result, information including email addresses, geographic location data, detailed device data, and links to photos and videos has been exposed.

The breach was discovered by Dan Ehrlich, who operates Texas-based computer security consulting firm Twelve Security.

Ehrlich estimates that at least 800,000 email addresses are in the exposed data, which is stored on servers hosted by Singapore-based Alibaba Cloud.

"I've never seen a server so blatantly open," Ehrlich told Information Security Media Group. "Everything about the server, the company's website and the iOS/Android app was both bizarrely done and grossly insecure."

Peekaboo Moments, which appears to be run by a company based in China, allows parents to record their baby's birth date and track the infant's length and weight. Now parents will be able to use it to record an unexpected milestone—their baby's first ever data breach.

The free app claims to take the security of users' data seriously and to offer users a "secured space" in which to record their child's precious moments. The company makes money by offering additional storage, with subscription plans starting at $8.99 per quarter.

On its Google Play app profile page, it states: "Data privacy and security come as our priority. Every Baby’s photos, audios & videos or diaries will be stored in secured space. Only families & friends can have access to baby’s moments at your control."

It is unclear how long the Elasticsearch server had been unsecured or who may have accessed its contents. 
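An Elasticsearch node ends up as "blatantly open" as the one described above when it is bound to a routable address with security left at its pre-8.0 default of off: every index is then readable and writable by anyone who can reach port 9200. The example below is added here, not Twelve Security's or Bithouse's code, and lints the handful of elasticsearch.yml keys that decide that. The weak and hardened configurations are constructed, and the parser assumes a flat key: value file and Elasticsearch 7.x defaults.

```python
from typing import List, Tuple

LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}

# Constructed elasticsearch.yml fragments (7.x-era defaults assumed), not Bithouse's config.
WEAK_CONFIG = """
cluster.name: app-logs
network.host: 0.0.0.0          # bind every interface so the app servers can reach it
http.port: 9200
# xpack.security.enabled left unset: false on 7.x, so the REST API has no auth
"""

HARDENED_CONFIG = """
cluster.name: app-logs
network.host: 10.0.1.5          # private interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_settings(text: str) -> dict:
    """Minimal parser for flat 'key: value' lines and '[a, b]' lists.
    Assumption: real files may nest keys or quote values; use a YAML parser then."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            settings[key] = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key] = value.strip("'\"")
    return settings


def _flag(settings: dict, key: str) -> bool:
    return str(settings.get(key, "false")).lower() == "true"


def exposure(settings: dict) -> List[Tuple[str, bool]]:
    """(finding, dangerous) pairs. http.host overrides network.host for the REST port;
    _site_ and _global_ are Elasticsearch placeholders for routable interfaces."""
    hosts = settings.get("http.host", settings.get("network.host", "_local_"))
    routable = [h for h in (hosts if isinstance(hosts, list) else [hosts]) if h not in LOOPBACK]
    if not routable:
        return []  # loopback only: unreachable from the network whatever else is set
    findings = [(f"REST API bound to routable address(es): {', '.join(routable)}", False)]
    if not _flag(settings, "xpack.security.enabled"):
        findings.append(("xpack.security.enabled is not true: anonymous read/write to every index", True))
    elif not _flag(settings, "xpack.security.http.ssl.enabled"):
        findings.append(("authentication on but HTTP TLS off: credentials sent in the clear", True))
    return findings


def is_unauthenticated(settings: dict) -> bool:
    """True when the node answers on a routable address without any authentication."""
    return any("security.enabled" in text for text, dangerous in exposure(settings) if dangerous)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        parsed = parse_settings(cfg)
        state = "OPEN" if is_unauthenticated(parsed) else "needs credentials"
        print(name, "->", state, exposure(parsed))
```

Binding to a private address is the first fix, not the whole fix: a node that must be reachable by application servers still needs security enabled and TLS on the HTTP port, which is why the hardened sample sets all three.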

Information Security Media Group said that repeated efforts to contact Peekaboo Moments CEO Jason Liu—based in San Francisco, according to his LinkedIn profile—have drawn a blank. 

Attempts to contact the company and other Peekaboo employees have also proved unsuccessful.

According to Google Play, the Peekaboo Moments app has been downloaded 1 million times since launching in 2012.

Categories: Cyber Risk News

Play Store Still Peppered with Fleeceware Apps

Tue, 01/14/2020 - 15:56
Play Store Still Peppered with Fleeceware Apps

Four months after fleeceware's initial exposure, Android users who purchase "subscriptions" to apps from the Google Play Store are still at risk of being ripped off.

Fleeceware hit the news in September 2019, when researchers at SophosLabs showed how some app publishers were using a sneaky business model to drastically overcharge Android users for basic services. 

On the Google Play Store, researchers found multiple instances of app publishers operating a system where users could be charged excessive amounts of money for apps if they didn’t cancel a “subscription” before the short free trial window closed.

New research published today by SophosLabs reveals that fleeceware has not been shorn from the store. 

"While the company did take down all the apps we had previously reported to them, fleeceware remains a big problem on Google Play," wrote researchers.

"Since our September post, we’ve seen many more Fleeceware apps appear on the official Android app store."

New fleeceware flagged by SophosLabs includes entertainment or utility apps, fortune-telling apps, instant messengers, video editors, and beauty apps. 

Some apps, offering basic services such as a reverse-image search, which Google does for free, charge over $200 for an annual subscription. 

Researchers said that fewer than 25 such apps account for nearly 600 million installations in total, and that some individual apps on the store appear to have been installed on more than 100 million devices.

One popular keyboard app investigated by researchers allegedly transmits the full text of whatever its users type back to China. 

Clues to the fleeceware apps' financial chicanery can be found in customers' reviews.

"User reviews reveal serious complaints about overcharging, and that many of these apps are substandard, and don’t work as expected," wrote researchers. 

Some users claim to have been charged an annual subscription fee despite cancelling before the deadline given in the app's instructions. 

Researchers also noted apps offering weekly and monthly payment options, which make the price look more modest than the annual total. 

"In one case, we found an app displaying subscription fees of €8.99 per week, or €23.99 per month, which works out annually to €467.48 (if you pay the weekly amount for 52 weeks) or €287.88 (if you pay the monthly amount for 12 months)," wrote researchers. 

Categories: Cyber Risk News