Info Security


Mozilla Urges Facebook and Google to Pause Political Ads

Tue, 11/05/2019 - 10:20

The Mozilla Foundation and a group of rights groups and non-profits have penned an open letter to Facebook and Google urging them to halt political advertising until after the upcoming UK General Election.

The letter argued that there won’t be time in the current parliament for the urgent legislation on political ads that the UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have called for.

“This legislative blackspot is particularly concerning in light of Facebook’s recent policies to allow politicians to openly publish disinformation through ads. Equally concerning is the lack of transparency as to what data is being used to target ads, and how such ads are being targeted,” the letter continued.

“We are aware that these policies are subject to debate both inside and outside the company. While that debate continues, people in the UK are left in uncertainty about whether they can trust what they see on the platform.”

The letter’s authors pointed to precedent in this space, with Google blocking political ads two weeks before polling in the Irish referendum and during the entirety of the recent Israeli and Canadian election periods.

“Again, this call is not about a permanent ban on political and issue-based ads; indeed, political ads are not inherently problematic. But the online advertising model, which depends on vast collection of data and opaque ad targeting systems is not fit for purpose and thus fundamentally undermines trust in political advertising,” it concluded.

“It is a request to take temporary measures to ensure that your platforms are not complicit in exploiting electoral laws MPs themselves have described as ‘unfit for purpose’.”

Mark Zuckerberg has come in for heavy criticism of late for effectively defending the right of politicians to lie in their ads, saying: “I don't think most people want to live in a world where you can only post things that tech companies judge to be 100% true.”

Facebook rejected a request from Presidential hopeful Joe Biden to remove a Trump campaign ad containing misinformation about the former Veep.

Last month, Twitter stepped up the pressure on Facebook by announcing a ban on political advertising on its platform. However, experts argued that Twitter doesn’t host many political ads anyway, and the move would do nothing to stem the flow of misinformation ahead of elections coming from bot accounts.

Categories: Cyber Risk News

Attack on Indian Ed Tech Firm Exposes 687K Users

Tue, 11/05/2019 - 09:50

An Indian ed tech provider suffered a serious data breach months ago impacting hundreds of thousands of customers, but is only now informing them of the incident.

Vedantu offers a real-time online learning environment for teachers and students from its headquarters in Bengaluru.

However, it was hit by an attack back in July that exposed the personal data of 687,000 users, according to breach notification site HaveIBeenPwned.

“The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored as bcrypt hashes,” the note explained. “When contacted about the incident, Vedantu advised that they were aware of the breach and were in the process of informing their customers.”

Reports suggest that the culprit may have been an exposed MongoDB instance, although this has yet to be confirmed.

Although the passwords appear to have been stored as bcrypt hashes rather than in plaintext, there’s plenty of other personal information in the breach that could give the hackers an opportunity to craft convincing follow-on phishing attacks and identity theft attempts.

Ray Walsh, digital privacy advocate at ProPrivacy, said it’s a concern the breach wasn’t discovered earlier by Vedantu.

“What’s more, because phone numbers were stolen along with names and addresses, it is possible that users could have fallen victim to phone scams designed to steal their money — or perhaps even a SIM swap attack that could have resulted in the dual-factor authentication for their online accounts, or perhaps even their internet banking, being compromised,” he added.

“Any user who believes they have been affected by this data breach is advised to keep a close eye on any emails, messages, or phone calls they receive that could be using data stolen from Vedantu to coerce them into parting with further data or clicking on malicious links.”

Categories: Cyber Risk News

Pentagon Publishes Guide to Ethical Wartime Use of AI

Mon, 11/04/2019 - 18:07

A Pentagon advisory board has published a set of guidelines on the ethical use of artificial intelligence (AI) during warfare. 

In "AI Principles: Recommendations on the Ethical Use of Artificial Intelligence by the Department of Defense," the Defense Innovation Board (DIB) shied away from actionable proposals in favor of high-level ethical goals. 

In its recommendations, the board wrote that the Department of Defense's AI systems should be responsible, equitable, traceable, reliable, and governable.  

Since AI systems are tools with no legal or moral agency, the board wrote that human beings must remain responsible for their development, deployment, use, and outcomes.

As far as being equitable, the board wrote that the Department of Defense (DoD) "should take deliberate steps to avoid unintended bias in the development and deployment of combat or non-combat AI systems that would inadvertently cause harm to persons."

To ensure AI-enabled systems are traceable, the board recommended the use of transparent and auditable methodologies, data sources, and design procedure and documentation.

The board recommended that the DoD's AI should be as reliable as possible, and because reliability can never be guaranteed, that it should always be governable. That way, systems "that demonstrate unintended escalatory or other behavior" can be switched off. 

The board called for ethics to be an integral part of the development process for all new AI technology, rather than an afterthought. 

"Ethics cannot be 'bolted on' after a widget is built or considered only once a deployed process unfolds, and policy cannot wait for scientists and engineers to figure out particular technology problems. Rather, there must be an integrated, iterative development of technology with ethics, law and policy considerations happening alongside technological development," wrote the board.

Although the public sector, including the European Commission, the United Kingdom House of Lords, and ministries or groups from the governments of Germany, France, Australia, Canada, Singapore, and Dubai have all formulated AI ethics or governance documents, the US is unique in offering AI guidelines specific to the military. 

"What is noteworthy when canvassing the plethora of available AI Ethics Principles documents is that there is no other military in the world that has offered its approach to ethical design, development, and deployment of AI systems. In this respect, DoD is leading in this space, showing its commitments to ethics and law," wrote the board.

Since DIB's recommendations are not legally binding, it is now up to the Pentagon to decide if the board's guidelines should be followed.

Categories: Cyber Risk News

Midwest to Get First Cyber Battalion

Mon, 11/04/2019 - 16:59

America's Midwest is to get its first National Guard cyber battalion.

The 127th Cyber Battalion will comprise 100 soldiers, who will be based in Indiana. Before taking up their new command, the soldiers will head to the Muscatatuck Urban Training Center in Jennings County, where they will receive state-of-the-art training in cybersecurity and cyber-warfare.

Located 75 miles southeast of Indianapolis, the center features live environments for cyber- and electronic warfare testing and training. The soldiers will be challenged to neutralize attacks in realistic simulations of incidents that have occurred in the past and attacks that could be launched in the future.

Additional training will be provided to the soldiers by Ivy Tech Community College Cyber Academy at Muscatatuck.

"With our National Guard's current cyber resources and Indiana's top-notch academic institutions, our state is a natural fit for one of the country's first cyber battalions," Indiana governor Eric Holcomb said in a statement. 

"Warfare is becoming increasingly digital, and it's an honor for Indiana to be home to those who protect our country from computer-generated threats."

Indiana beat nineteen other states and territories to become the battalion's new home. Officials chose the Hoosier State for its existing cyber capabilities, partnerships with industry and academia, and its proven ability to recruit and retain soldiers.

The 127th Cyber Battalion is the Army National Guard's fifth cyber battalion. Two battalions are already up and running in Virginia, and South Carolina and Massachusetts each have one. 

Indiana's new battalion is expected to attain its full operational capability by 2022. The 127th will serve under the Army National Guard's 91st Cyber Brigade, which was established in 2016 in Virginia.

Most of Indiana's new battalion of cyber-soldiers will serve part-time on top of pursuing civilian careers. Once qualified, they will offer cybersecurity expertise to companies, providing training readiness oversight to conduct cyberspace operations, network vulnerability assessments, security cooperation partnerships, and FEMA support along with cyberspace support of federal requirements.

“The Army National Guard’s role in national cybersecurity provides a larger blanket of protection against our adversaries,” said Lt. Gen. Daniel R. Hokanson of the Army National Guard.

Categories: Cyber Risk News

Android Dropper App Infects 45K Devices

Mon, 11/04/2019 - 16:08

A malicious Android app that displays advertisements and facilitates the download of additional malicious apps has infected over 45,000 devices in six months. 

Researchers at Symantec observed a surge in detections of the Xhelper app, which has mainly been targeting users in the US, India, and Russia. 

This annoying app, which bombards infected devices with pop-up advertisements, is tricky to find because it has been designed to not appear on the system's launcher.

In addition to playing an irritating game of hide and seek, Xhelper has proved to be more tenacious than a 5-year-old in a candy store by repeatedly reinstalling itself on devices from which it's been removed and even on devices that have been restored to their factory settings.

Researchers wrote: "We have seen many users posting about Xhelper on online forums, complaining about random pop-up advertisements and how the malware keeps showing up even after they have manually uninstalled it."

With no app icon visible on the launcher, Xhelper can’t be launched manually. Instead, the malicious app gets its green light from external events, leaping into action when a compromised device is rebooted, an app is added to or removed from the device, or the device is connected to or disconnected from a power supply.

The launched malware has cunningly been designed to register itself on the device as a foreground service, lowering its risk of being quashed when the device's memory is low. 

"For persistence, the malware restarts its service if it is stopped; a common tactic used by mobile malware," wrote researchers.

Once Xhelper has settled into the device's lounge and popped its feet up on the coffee table, it begins decrypting to memory the malicious payload embedded in its package. The payload then connects to the threat actor's command and control (C&C) server and waits for commands.

"Upon successful connection to the C&C server, additional payloads such as droppers, clickers, and rootkits, may be downloaded to the compromised device. We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device," wrote researchers. 

Symantec first spotted Xhelper back in March 2019 when it was visiting advertisement pages for monetization purposes. Since then, the malicious app's code has become more sophisticated, and researchers "strongly believe that the malware’s source code is still a work in progress."
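The traits the article describes (no launcher icon, start-up on reboot, package-change and power events, a foreground service) can be checked statically in a decoded AndroidManifest.xml. The triage heuristic below is an added example, not Symantec's tooling or code from the original report; the package names and manifests are constructed samples, and the scoring rule (hidden launcher plus event-triggered receivers) is an assumption chosen to match the behaviour the article describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # namespaced android:name attribute key

# The external events the article says Xhelper uses as its start triggers.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
LAUNCHER = "android.intent.category.LAUNCHER"
FG_PERM = "android.permission.FOREGROUND_SERVICE"

# android:name values of <action>/<category> elements in a component's intent filters
def _filter_names(component, tag):
    return {e.get(NAME) for f in component.findall("intent-filter") for e in f.findall(tag)}

def analyze_manifest(xml_text):
    """Triage one decoded AndroidManifest.xml; 'suspicious' needs BOTH a hidden
    launcher and event-driven start, with FOREGROUND_SERVICE as a supporting signal."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    activities = app.findall("activity") if app is not None else []
    receivers = app.findall("receiver") if app is not None else []
    has_launcher = any(LAUNCHER in _filter_names(a, "category") for a in activities)
    triggers = set()
    for r in receivers:
        triggers |= _filter_names(r, "action") & TRIGGER_ACTIONS
    perms = {p.get(NAME) for p in root.findall("uses-permission")}
    reasons = []
    if not has_launcher:
        reasons.append("no launcher activity: app is invisible in the app drawer")
    if triggers:
        reasons.append("starts on system events: " + ", ".join(sorted(triggers)))
    if FG_PERM in perms:
        reasons.append("requests FOREGROUND_SERVICE (harder to kill under memory pressure)")
    return {"package": root.get("package"),
            "suspicious": not has_launcher and bool(triggers),
            "reasons": reasons}

# Constructed sample manifests (not real Xhelper artifacts): one Xhelper-like
# dropper profile and one ordinary app that legitimately listens for boot.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.constructed.helper">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".Trigger"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    </intent-filter></receiver>
  </application></manifest>""" % ANDROID_NS

BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.constructed.alarm">
  <application>
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application></manifest>""" % ANDROID_NS
```

Run `analyze_manifest()` over manifests decoded from a suspect APK; the benign sample shows why a boot receiver alone is not flagged, since only the combination with a hidden launcher matches the profile.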

Categories: Cyber Risk News

Proofpoint to Boost DLP Suite with ObserveIT Acquisition

Mon, 11/04/2019 - 13:34

Proofpoint has entered into a definitive agreement to acquire ObserveIT for $225m.

Extending its data loss prevention (DLP) capabilities with the acquisition of the insider threat management provider, Proofpoint said that the combination of ObserveIT’s lightweight endpoint agent technology and data risk analytics with Proofpoint’s information classification, threat detection and intelligence, will offer “unprecedented insights into user activity with their sensitive data.” The transaction is expected to close in the fourth quarter of 2019.

ObserveIT’s insider threat management solution enables security teams to detect, investigate, and prevent potential insider threat incidents by delivering real-time alerts and actionable insights into user activity in one solution. Set to be integrated with Proofpoint’s information protection suite, it will deliver real-time detection of anomalous interactions across people, data, devices, and applications, allowing security teams to understand and respond to data being mishandled, whether on a corporate device, in a cloud app like Office 365, or via email.

“Today’s ObserveIT acquisition underscores Proofpoint’s commitment to providing organizations with people-centric cybersecurity and compliance solutions that protect what matters: their people and the data they have access to, in a post-perimeter, cloud-first world,” said Gary Steele, chairman of the board and chief executive officer of Proofpoint.

“Defending data requires the ability to detect risky insider threat behavior and risky user activity, and swiftly mitigate risk across cloud apps, email, and endpoints. We are the only security company that provides organizations with deep visibility into their most attacked people—and with ObserveIT, we will bring to market the first truly innovative enterprise DLP offering in years. We are thrilled to welcome ObserveIT’s employees and customers to Proofpoint.”

Mike McKee, CEO of ObserveIT, said that Proofpoint’s leadership in people-centric cybersecurity, broader intelligence and R&D resources “are significant market differentiators and directly complement our ability to quickly detect insider threats and prevent critical information loss.”

McKee added: “We are very excited to join the Proofpoint team and provide customers with even more powerful solutions to mitigate insider threats, decrease incident investigation time, and make sure users don’t intentionally or accidentally send valuable, confidential information externally.”

Categories: Cyber Risk News

US: Licenses to Sell to Huawei Coming Soon

Mon, 11/04/2019 - 11:30

The US government will soon partially relax its block on Huawei by allowing domestic tech firms to sell it components, according to the Commerce Department.

Although Donald Trump in June signaled a softening of Washington’s hardline approach to the Chinese giant, when he said he’d allow some US firms to start supplying the company again, the all-important licenses have still not appeared.

Commerce secretary Wilbur Ross said on Sunday that these “will be forthcoming very shortly,” according to Bloomberg.

This will help US firms which have seen rival companies in Asia pick up lucrative contracts to sell Huawei various components, after Trump approved a decision to put the Shenzhen firm and 70 affiliates on an “entity list.”

It’s telling that the Commerce Department has already received 260 requests from US firms for licenses to circumvent Huawei’s blacklisting.

“That’s a lot of applications. It’s frankly more than we would’ve thought,” Ross reportedly said. “Remember too with entity lists there’s a presumption of denial. So the safe thing for these companies would be to assume denial, even though we will obviously approve quite a few of them.”

Huawei has subsequently been joined on the entity list by over 20 other Chinese firms, including AMD joint venture partner Tianjin Haiguang Advanced Technology Investment Company, surveillance tech giants Hikvision and Dahua Technology, and supercomputer builders Sugon and the Wuxi Jiangnan Institute of Computing Technology.

US firms are also fearful of a reprisal from China, which could put them on a tit-for-tat blacklist, making it difficult to sell their wares in the giant eastern market.

For its part, Huawei has been bullish about its growth prospects, despite the intense pressure from Washington, which has also barred it from competing in the US telecoms market.

It denies all claims of being a US national security risk and still hopes to be the world’s leading smartphone maker by volume by 2020.

Categories: Cyber Risk News

Nikkei Hit in $29m BEC Scam

Mon, 11/04/2019 - 10:15

Media giant Nikkei has become the latest firm to suffer a humiliating Business Email Compromise (BEC), after it admitted losing $29m to scammers following human error.

The Tokyo-headquartered firm, which owns the Financial Times, revealed in a brief statement that an employee of its US subsidiary made the crucial mistake.

“In late September 2019, an employee of Nikkei America, Inc. … transferred approximately $29m Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei,” it noted. 

“Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the US and Hong Kong. Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations.”

Nikkei follows a long line of big-name organizations which have been caught out over recent months and years.

Most notably, tech giants Facebook and Google were both tricked into making huge money transfers, of $99m and $23m respectively — although those attacks appear to have been more sophisticated than the one affecting Nikkei.

BEC scammers are also looking to take a leaf out of the ransomware playbook by targeting US municipalities.

The City of Ocala in Florida is said to have lost $742,000 after an official was tricked by a spear-phishing email. The message was sent by an attacker posing as an employee of a building firm the authority is currently using to construct an airport terminal.

When the real construction company complained that an invoice had not been paid, the alarm was raised, according to local reports.

BEC cost global organizations $1.3bn last year, almost half of total losses reported to the FBI.

Categories: Cyber Risk News

Global Registrar Suffers Major Breach

Mon, 11/04/2019 - 09:40

A global internet registrar with millions of customers has admitted suffering a data breach in August which exposed user account information.

The US-based firm and its subsidiaries, including Network Solutions, discovered on October 16 that they had been hit by an attack in late August.

“Our investigation indicates that account information for current and former customers may have been accessed,” the firm said in a statement.

“This information includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder. We encrypt credit card numbers and no credit card data was compromised as a result of this incident.”

The firm said it brought an independent cybersecurity firm on board “immediately” after discovering the unauthorized access, in order to determine the scope of the incident and what data was affected.

“We are notifying affected customers through email and via our website, and as an additional precaution are requiring all users to reset their account passwords,” it added.

Although credit card numbers are encrypted in line with PCI DSS standards, the firm urged customers to keep an eye on card activity.

However, the other stolen information could put customers at risk of follow-on phishing and identity fraud attempts.

Network Solutions is the fifth largest registrar in the world, with almost seven million accounts to its name, although it’s unclear how many were affected by this incident.

Matthew Ulery, chief product officer at SecureAuth, argued that the attack highlights the need for more streamlined, intelligent authentication security to protect employee accounts.

“Attackers are simply walking through the front door of enterprises, gaining unauthorized access and looting PII, further exacerbating the identity security crisis. This attack is a major wake up call for organizations to improve their identity security approach,” he added.

Categories: Cyber Risk News