Info Security

Subscribe to Info Security  feed
Updated: 2 hours 46 min ago

Online Thieves Steal $320m from Crypto Firm Wormhole

Thu, 02/03/2022 - 09:06
Online Thieves Steal $320m from Crypto Firm Wormhole

Yet another cryptocurrency firm is offering a multimillion-dollar ‘bug bounty’ reward to those who hacked it after suffering a cyber-heist worth an estimated $322m.

Wormhole operates what’s known as a cross-blockchain bridge, enabling holders of certain cryptocurrencies to transfer tokens, data and other assets between siloed blockchains. It offers this service to bridge Ethereum, Solana, BSC, Polygon, Avalanche, Oasis and Terra.

In a brief statement late yesterday, the firm tweeted that its network was down while it investigated a potential exploit.

Then came the news that users were dreading: Wormhole confirmed that attackers stole 120,000 Ethereum tokens worth over $320m.

However, the firm claimed that it would be adding more Ethereum to its platform “over the next hours” to ensure any assets it owns are backed 1:1. The fear is that without this backing, various Solana users and platforms would be helpless.

A security researcher going by the handle “samczsun” on Twitter has a detailed write-up of the attack here, having reverse-engineered the exploit. The hacker exploited a vulnerability on the Wormhole platform, enabling them to pocket new wrapped Ethereum (wETH) without needing to deposit any in return.

WETH is a version of Ethereum designed to be exchanged with other Ethereum-based tokens and has the same value as ETH.

Just like Qubit Finance a few days ago, Wormhole has reached out to its attacker, offering a massive $10m reward for finding the bug.

“We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a white hat agreement, and present you a bug bounty of $10m for exploit details, and returning the wETH you’ve minted,” it said in a message on the Ethereum blockchain.

The audacious cyber-heist makes this easily the biggest theft of cryptocurrency so far this year and the largest such incident targeting cross-blockchain bridges.

In its most recent update, Wormhole claimed the vulnerability had now been patched, and it was working on getting the network back up and running.

Categories: Cyber Risk News

Orange County Launches Cybercrime Initiative

Wed, 02/02/2022 - 18:30
Orange County Launches Cybercrime Initiative

Authorities in California’s Orange County have launched a new initiative to help the public identify and report cyber-threats.

SafeOC is a localized version of the national ‘If You See Something, Say Something’ anti-terrorism public awareness campaign that emphasizes the importance of reporting suspicious items and behaviors to law enforcement.

A website and a social media account have been created to support the campaign. The website provides examples of suspicious cyber-activity and online threats, including configuration changes to files, sharing of account access and changes in user permissions.

Through the website, users can report suspicious activity directly to the Orange County Intelligence Assessment Center (OCIAC)

“Cyber is by far the up-and-coming crime and risk domestically,” said Orange County sheriff Don Barnes. 

He added: “Crimes happening online are much more prevalent than they were just a decade ago and criminals are finding new ways to create new victims and ways to victimize people.” 

Cyber-investigator with the OCIAC, Lance Larson, said solving cybercrime cases is challenging as bad actors often operate from overseas, and encryption makes it difficult to “follow the money.” He added that early detection was crucial in the fight against cybercrime.

“It gives us that ability to go on and be able to start the disruption process of stopping the cyber-attack, potentially being able to freeze money as it’s moving through the financial system potentially trying to go overseas,” said Larson.

The SafeOC website also provides information about the dangers children face when gaming online such as cyber-bullying, malware, spying and data loss. Advice offered to parents includes ensuring webcams and microphones are defaulted to the ‘off’ setting and ensuring children don’t create usernames that reveal any personal information.

The site also warns parents about hidden fees in freemium games that provide some content for free but charge users to access the game’s full features and functions. 

“In 2018, these ‘free’ games generated $61bn in revenue,” states the site before warning users never to share their payment card details with a freemium game and to regularly check their credit card bills for unapproved purchases.

Categories: Cyber Risk News

Fake Influencer Flags Hacking Tactics

Wed, 02/02/2022 - 18:00
Fake Influencer Flags Hacking Tactics

A Swiss secure storage company has launched a creative cybersecurity awareness campaign to show how hackers gather personal data from social media.

The campaign by pCloud uses a fake influencer account on Instagram (@thealiceadams) to highlight how users unintentionally give away pieces of sensitive data through their bios and the content they post. 

“Through what we share online, the pictures we post and the locations we tag, hackers and criminals can guess your password in seconds, putting your identity and your bank accounts at risk of being stolen,” said a pCloud spokesperson.

In one post from the mock account, the influencer reveals her date of birth by sharing an image of birthday balloons that spell out her age. Other seemingly harmless posts give away information commonly used in passwords and security questions, including her pet’s name, where she went to school and her favorite movie.

Additional posts emphasize the importance of checking photographs for sensitive data before sharing them. Captured in an image of the influencer at her desk is a post-it note upon which a password has been written. Another shot of the influencer dining at a restaurant features her credit card, revealing her bank details. 

“You may be posting a picture of your birthday balloons, a heartwarming picture of your newborn baby or snapping that ‘picture perfect’ bar you spent the weekend at. But those seemingly harmless posts could actually be giving away security information that gives hackers access to all your accounts,” said pCloud.

Research performed by pCloud found that the most common themes for passwords that hackers are aware of include the last name followed by a number, date of birth, child or grandchild’s name and date of birth, pet name, place of birth and current place of residence. 

Other popular password choices are Qwerty (the first letters on a keyboard), favorite films, foods and nicknames. 

The company advised users to leave personal information out of their passwords and make their passwords long and nonsensical, making them more challenging for hackers to guess. It also recommended using different passwords for different accounts so that cracking one password won’t enable a hacker to access all accounts

Categories: Cyber Risk News

Online Ad Association Fined for Privacy Violation

Wed, 02/02/2022 - 17:30
Online Ad Association Fined for Privacy Violation

An association for online advertising companies has been fined hundreds of thousands of dollars for developing an ad-targeting tool that violated European Union data laws. 

The Belgian Data Protection Authority (BE DPA) said it was necessary to impose “harsh sanctions” on IAB Europe because the association’s Transparency and Consent Framework (TCF) “could, for a large group of citizens, lead to a loss of control over their personal data.”

The TCF tool allows online publishers and websites to obtain users’ consent to process their personal data for targeted advertising. It was designed to facilitate real-time bidding (RTB) – a means by which advertising inventory is bought and sold on a per-impression basis via instantaneous programmatic auction. 

In a statement released October 2020, IAB Europe said that the TCF is a voluntary standard whose purpose is to assist companies in the digital advertising ecosystem to comply with EU data protection law.

“It contains a minimal set of best practices seeking to ensure that when personal data is processed, users are provided with adequate transparency and choice,” said IAB Europe. 

“Its policies do not assist or seek to assist the processing of special categories of data. It does not intend to replace legal obligations nor enable practices prohibited under the law.”

The Belgian data watchdog imposed a fine of €250k ($282,690) on IAB Europe and ordered the advertising association to implement a “series of remedies” to ensure that it complied with the EU’s General Data Protection Regulation (GDPR).

“Contrary to IAB Europe’s claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique transparency and consent (TC) string, which is linked to an identifiable user,” stated the BE DPA.

IAB Europe has been given six months to bring the framework into compliance with European law. 

David Stevens, a chairperson of the BE DPA, said: “Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online.”

Categories: Cyber Risk News

#Enigma2022: Pandemic Misinformation Reveals Challenges for Online Health Information

Wed, 02/02/2022 - 13:30
#Enigma2022: Pandemic Misinformation Reveals Challenges for Online Health Information

The fact that misinformation is rampant online is not a new phenomenon. Perhaps less understood is the intersection between how often an individual sees a piece of misinformation and how likely they are to believe it.

In a session at the Enigma 2022 conference on February 1, Patrick Gage Kelley, trust and safety researcher at Google, outlined the results of a two-year study conducted by Google about online misinformation. The study was conducted throughout 2020 and 2021 and involved a series of regular surveys that included feedback from over 50,000 people from 16 countries worldwide.

Kelley explained that the researchers had two basic lines of questioning. The first focused on exposure. The researchers asked about a certain statement of information and whether the survey participant heard the information once, many times or not at all. The second line of questioning focussed on beliefs. Respondents could tell the researchers if they strongly believe a specific statement, if they kind of believe it or if they strongly don’t believe it.

Pandemic Conspiracy Misinformation and Beliefs

The Google-led research asked about a series of pandemic-specific conspiracies and found a shocking level of awareness and belief in them.

“We asked people if Bill Gates, George Soros or some other powerful person is behind COVID-19, and 16% globally had that belief,” Kelley said. “We asked people if injecting cleaning products or UV light into people is an effective treatment for COVID-19 – that had an 11% belief.”

Kelley noted that the research wasn’t conducted as just a single point-in-time study but conducted with researchers doing the survey and asking similar questions every few months.

“One of the effects that we find over and over again is that although the narratives move quickly, once these fringe beliefs take hold, they’re difficult to change,” he said.

The researchers also tested views about multiple conspiracies related to the COVID-19 vaccinations, including the falsehood that the COVID-19 vaccine has microchips and is used to track those who get vaccinated secretly. In 2020, 11% of global respondents believed that falsehood to be true, dropping to 10% in 2021.

Reasons for Optimism

While there is much to worry about in terms of online misinformation, there is also some cause for optimism, according to Kelley.

Kelley said that overall, there was a higher level of belief in several positive public health statements that the researchers tested than in the more clear-cut misinformation statements tested.

One such statement was that wearing a face-covering in public is an effective way for slowing the spread of COVID-19. 73% of people globally believed that statement in 2020. Another tested statement was that social distancing, by staying at least six feet from people not in your household, effectively slows the spread of COVID-19, which was believed by 70% of respondents globally. In 2021 however, the results dropped by 5% for face masks and 7% for social distancing.

“While this keeps both above the 60% belief range, it shows how much effort is required to maintain these extremely high levels of belief,” Kelley said. “We take this to show how important continued unified proactive health messaging is.”

Kelley concluded his presentation by noting that Google overall continues to see substantial populations in every country believing in various misinformation and low-quality information statements after widespread exposure to that information.

“People are going to believe a wide range of things and what we need to make sure is that we continue to get access to good information,” Kelley said. “There’s going to be misinformation, and one of the things we can do is measure and understand that so that we can best respond.”

Categories: Cyber Risk News

Third of Employees Admit to Exfiltrating Data When Leaving Their Job

Wed, 02/02/2022 - 12:30
Third of Employees Admit to Exfiltrating Data When Leaving Their Job

Nearly one-third (29%) of employees admitted taking data with them when they leave their job, according to new research from Tessian.

The findings follow the ‘great resignation’ of 2021, when workers quit their jobs in huge waves following the COVID-19 pandemic. Unsurprisingly, close to three-quarters (71%) of IT leaders believe this trend has increased security risks in their organizations.

In addition, nearly half (45%) of IT leaders said they had seen incidents of data exfiltration increase in the past year due to staff taking data with them when they left.

The survey of 2000 UK workers also looked at employees' motives for taking such information. The most common reason was that the data would help them in their new job (58%). This was followed by the belief that the information belonged to them because they worked on the document (53%) and to share it with their new employer (44%).

The employees most likely to take data with them when leaving their job worked in marketing (63%), HR (37%) and IT (37%).

The research also found that 55% of workers are considering leaving their jobs in 2022, while two in five (39%) are currently working their notice or actively looking for a new job in the next six months, meaning organizations remain at high risk of data exfiltration.

Josh Yavor, chief information security officer at Tessian, commented: “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave.

“The great resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is a key step before investing in preventative controls.”

study last year found that over three-quarters (78%) of insider data breaches involved unintentional data exposure or loss rather than any malice.

Categories: Cyber Risk News

CVSS 9.9-Rated Samba Bug Requires Immediate Patching

Wed, 02/02/2022 - 10:10
CVSS 9.9-Rated Samba Bug Requires Immediate Patching

A critical vulnerability in a popular open-source networking protocol could allow attackers to execute code with root privileges unless patched, experts have warned.

Samba is a popular free implementation of the SMB protocol, allowing Linux, Windows and Mac users to share files across a network.

However, a newly discovered critical vulnerability (CVE-2021-44142) in the software has been given a CVSS score of 9.9, making it one of the most dangerous bugs discovered in recent years. Log4Shell was given only a slightly higher score of 10.0.

“All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit,” Samba explained.

“The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”

Patches have been released, and Samba updates 4.13.17, 4.14.12 and 4.15.5 have been issued to fix the problem, with administrators being urged to upgrade to these releases or apply the patch as soon as possible. The vulnerability has not yet been exploited in the wild at the time of writing, but this is likely to change.

An additional workaround is possible if sysadmins remove the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba configuration smb.conf.

The new vulnerability comes at a busy time for administrators, many of whom spent time over the holidays hunting for instances of vulnerable Log4j hidden in Java dependencies across their organization.

Last year was another record-setter in terms of the number of CVEs published to the National Vulnerability Database (NVD), the fifth year in a row this has happened.

Categories: Cyber Risk News

90% of Security Leaders Warn of Skills Shortage

Wed, 02/02/2022 - 09:30
90% of Security Leaders Warn of Skills Shortage

Most IT security decision-makers are struggling to recruit workers to address a shortage of skilled professionals, despite business backing to do so, according to new research.

Global cybersecurity recruitment firm Stott and May teamed up with venture investor Forgepoint Capital to compile the Cyber Security in Focus study. It features responses from cybersecurity directors, security operations directors and VPs of product security in EMEA and North America.

Some 87% of respondents admitted they are suffering skills shortages, with over a third (35%) claiming positions were left unfilled after a 12-week period.

As a result, in-house skills (43%) were cited as the most significant barrier to strategy execution, above budget (35%), technology (13%) and board-level buy-in (9%).

The challenges around hiring have also led to a surge in salaries: 54% of hiring managers believe that these have increased more than 11% year on year in the sector.

The study also highlighted something of a contradiction. Security is gaining board-level buy-in. Some 80% of security leaders said their business perceives the function as a “strategic priority,” up from 54% last year. In addition, 100% agree that the business feels the function plays a role in improving the overall value proposition to customers.

However, over half (51%) of respondents argued that cybersecurity investment is still not keeping pace with digital transformation.

As investments in digital increase, sourcing the right engineering-centric CISOs will be the key to success, according to Forgepoint Capital managing director William Lin.

“A lot of digital transformation is inherently going to be driven by engineering, and finding a CISO that can empower developers with knowledge, tooling and experience will enable outcomes to be achieved faster and more securely,” he argued.

Heather Paunet, SVP at Untangle, argued that closing the cyber skills gap will require the industry to promote itself to would-be recruits better.

“There also needs to be organizational change that recognizes the severity and devastation cyber-attacks can cause and makes cybersecurity a priority. Companies need to ensure this investment isn’t just in technology, but also in their current workforce with continual training, advancement opportunities and recognition,” she added.

“In addition, IT education programs need to do the profession justice and emphasize the different roles and careers available in cybersecurity.”

According to the latest ISC2 survey, global skills shortages fell for the second consecutive year in 2021 to 2.7 million, including a shortfall of 377,000 in the US and 33,000 in the UK.

Categories: Cyber Risk News

Scottish Agency Still Recovering from 2020 Ransomware Attack

Wed, 02/02/2022 - 09:04
Scottish Agency Still Recovering from 2020 Ransomware Attack

A ransomware attack on a Scottish regulator in 2020 continues to significantly impact operations, with the true cost of the incident still unknown, an audit has found.

The double extortion attack hit the Scottish Environment Protection Agency (SEPA) on Christmas Eve 2020, forcing IT services offline.

According to a new report from Audit Scotland, the initial attack vector appears to have been a phishing email, although it’s still not 100% clear.

Despite following best practice backup guidelines, with one copy stored offline, the “sophisticated nature of the attack” meant online copies were quickly targeted, and there was no way of accessing historical records quickly, the spending watchdog claimed.

As a result, the “majority” of SEPA’s data was encrypted, stolen or lost.

Despite claiming the agency had a “high” level of cyber-maturity, independent reviews since the attack have also made 44 recommendations for enhancing the agency’s cyber-readiness and resilience.

According to Audit Scotland, it will be particularly alarming to Scottish taxpayers that more than a year on from the attack, the agency is still reinstating some of its systems.

The auditor took the rare step of issuing a “disclaimer of opinion” on SEPA’s annual accounts for 2020/21, claiming it couldn’t access enough evidence to substantiate £42m of income from contracts.

The agency still doesn’t know the total financial impact of the cyber-attack, although it has already been forced to write off over £2m in bad debts because of records lost to the incident.

“Based on management forecasts during the year, the Scottish Government gave SEPA authority to overspend by £2.5m to cover the impact of Covid19 and the cyber-attack if required,” the report claimed.

“SEPA recognizes that the cyber-attack has increased the medium to longer-term financial pressures on the organization. Its financial strategy 2020-24 had already identified potential variability in future income and expenditure streams of up to £17.9m as a worst-case scenario.”

Categories: Cyber Risk News

Cyber-Attack on Oil Firms

Tue, 02/01/2022 - 17:30
Cyber-Attack on Oil Firms

A cyber-attack has disrupted operations at two oil storage and logistics firms in Germany.

Oiltanking GmbH Group and Mabanaft Group said on Tuesday that they had launched an investigation into a cyber-incident on Saturday. 

IT systems at both companies were affected, though the full extent of the attack is still being determined. In a statement to the Associated Press, the companies said they had hired external computer forensic specialists to discover the “full scope” of the incident.

No information has been shared yet by either company regarding the nature of the attack or its perpetrators. The companies said work is being undertaken to enable them “to restore operations to normal in all our terminals as soon as possible.”

Oiltanking GmbH Group is still operating storage tank terminals for oil, gas and chemicals in all global markets. However, the attack has forced separate entity Oiltanking Deutschland GmbH, part of Mabanaft, into “operating with limited capacity” its terminals in Germany.

The statement said that Mabanaft’s German arm had “declared force majeure for the majority of its inland supply activities in Germany.”

Speaking at a conference on Tuesday, the head of Germany’s IT security agency, Arne Schoenbohm, said that while the incident was severe, it was “not grave.” 

Schoenbohm said that 1.7% of the country’s total gas stations had been impacted by the incident, making it impossible for prices to be changed or for customers to pay for gas using a credit card. Cash payments were being accepted at some of the 233 affected facilities, most of which are in northern Germany. 

German news agency dpa reported that industry officials had said that the cyber-attack on the two companies did not pose a threat to the country’s overall fuel supplies. 

“The timing of this coincidentally aligns with Russia having threatened to shut off its pipelines into Europe as the crisis in Ukraine continues to be tense for all involved,” observed Lookout’s senior manager of security solutions, Hank Schless. 

He added: “This is the perfect example of using a high-pressure situation to create opportunity for malicious cyber-activity, which attackers do as often as they can.”

Categories: Cyber Risk News

California Passes FLASH Act

Tue, 02/01/2022 - 17:15
California Passes FLASH Act

The California State Senate has passed legislation to ban the transmission of unsolicited sexually explicit images and videos without the recipient’s consent – a practice called ‘cyber flashing.’

Senate Bill 53, also known as the FLASH (Forbid Lewd Activity and Sexual Harassment) Act, was passed on Monday with bipartisan support.

Introduced in February 2020 by senators Connie Leyva and Lena Gonzalez, the legislation would establish legal protections for users of technology who receive explicit sexual consent, which they have not requested.

SB 53 would give victims of cyber flashing a private right of action against any person who knows or reasonably should know that a lewd image they sent was unsolicited. The bill would entitle the plaintiff to recover economic and non-economic damages or statutory damages between $1500 and $30,000, as well as punitive damages, reasonable attorney’s fees and costs and other available relief, including injunctive relief.

“I appreciate the Senate’s support of SB 53 as we are now one step closer to finally holding perpetrators of cyber flashing accountable for their abusive behavior and actions,” Senator Leyva said. 

“This form of technology-based sexual harassment is far more pervasive than many Californians realize, so it is important that we empower survivors that receive these unwanted images or videos.”

According to the Pew Research Center, 53% of young American women and 37% of young American men have been sent unsolicited explicit material while online. Most women who received uncalled for X-rated content reported being sent this material through social media platforms, including Snapchat, Instagram, LinkedIn, Twitter and Facebook. 

Cyber flashing also occurs via dating platforms, text messages, email and through the ‘AirDropping’ of content in public spaces.

The FLASH Act has the support of the dating app Bumble, whose CEO Whitney Wolfe Herd sees a need for stronger laws to protect internet users.

“An overwhelming majority of our time is spent online and there are simply not enough laws and deterrents in place to protect us, and women and children in particular,” said Wolfe Herd.

“It falls upon us in the technology and social media space to work hand in hand with local government and legislators to isolate the problems and develop solutions just like the FLASH Act being introduced by Senator Leyva.”

Categories: Cyber Risk News

Social Security Numbers Most Targeted Sensitive Data

Tue, 02/01/2022 - 17:00
Social Security Numbers Most Targeted Sensitive Data

Social Security Numbers (SSN) are the type of sensitive data most commonly targeted in data breaches in the United States, according to new research published today by Spirion.

Analysis conducted against the Identity Theft Resource Center (ITRC) database of publicly reported data breaches in the United States revealed that 65% of all sensitive data incidents in 2021 involved SSN.

The finding was included in the data protection and privacy company’s Definitive Guide to Sensitive Data Breaches: America’s Top Leaks, Attacks and Insider Hacks. Spirion’s guide is based on the analysis of more than 1,500 data breaches involving sensitive data in the United States last year.

A total of 1,862 data compromises were reported by US organizations last year, representing a 68% increase over 2020 and making 2021 steal 2017’s title of the most prolific year on record for data breaches. ITRC data showed that 83% of the year’s incidents impacted more than 150 million individuals by exposing 889 million sensitive data records.

Personal Health Information (PHI) was the second most targeted form of sensitive data and was the focus of 41% of data incidents. The third most predated forms of sensitive data were bank account information and driver’s licenses, which were each involved in 23% of incidents.

The majority of individuals affected by sensitive data breaches in 2021 (84%) were victims of incidents in the professional and business services, telecommunications and healthcare industries. The 157 reported data breaches in the professional and business services sector impacted 52 million individuals (or 35% of total individuals). Just eight incidents in the telecommunications industry impacted 47.8 million individuals (or 32% of total individuals).

Trends identified in the guide included the emergence of supply chain and third-party attacks as a leading contributor to sensitive data compromises. 

“A total of 93 third-party attacks impacted 559 organizations, exposing more than 1.1 billion data records,” said a Spirion spokesperson. 

“Of these incidents, 83% contained sensitive data, revealing PII [personally identifiable information] for 7.2 million people.”

Another trend was experiencing multiple data breaches in one year – a fate suffered by more than two dozen US organizations in 2021. 

Categories: Cyber Risk News

British Council Students' Data Exposed in Major Breach

Tue, 02/01/2022 - 14:11
British Council Students' Data Exposed in Major Breach

Hundreds of thousands of British Council students had their personal and login details exposed in a worrying data breach, according to an investigation by Clario researchers.

The team discovered an open Microsoft Azure blob repository indexed by a public search engine that held 144K+ of xmal, json and xls/xlsx files, with no authentication in place. These contained sensitive information about hundreds of thousands of students that had enrolled on British Council courses across the world. This included students’ full names, email addresses, student IDs, notes, student status, enrollment dates and study duration. It is not known how long this information was available online in public.

The breach was discovered on December 5 2021, and Clario informed the British Council as soon as they had confirmed their findings. However, they received no response. After 48 hours, contact was made via Twitter, and Clario engaged in regular communication with the organization via direct messages on the platform.

Two weeks later, on December 21, the British Council issued the following statement: “The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.

“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.

“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”

Clario stated: “Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties.”

British Council students have been warned that the breach may put them at risk of various scams, such as phishing and identity theft.

The British Council is a non-departmental public organization that aims to connect people in the UK and other countries through culture, education and the English language. In 2019-20, it connected with 80 million people directly and 791 million overall, including online and through broadcasts and publications.

At the end of last year, official data obtained from a Freedom of Information request revealed that the council had fallen victim to two successful ransomware attacks over the past five years, suffering a total of 12 days of downtime as a result.

Categories: Cyber Risk News

Data Leak Exposes IDs of Airport Security Workers

Tue, 02/01/2022 - 10:30
Data Leak Exposes IDs of Airport Security Workers

A cloud misconfiguration at a leading security services multinational has exposed the details of countless airport staff across South America, according to a new report.

A team at AV comparison site Safety Detectives found an Amazon Web Services S3 bucket wide open without any authentication required to view the contents. After notifying the owner, Swedish security giant Securitas, on October 28 2021, the firm secured the database a few days later on November 2.

Inside the 3TB trove, the researchers found personally identifiable information (PII) on Securitas and airport employees dating back to November 2018.

At least four airports across Peru (Aeropuerto Internacional Jorge Chávez) and Colombia (El Dorado International Airport, Alfonso Bonilla Aragón International Airport, and José María Córdova International Airport) are impacted.

Safety Detectives is not sure exactly how many workers are affected, but claimed the S3 bucket contained around 1.5 million files.

These include photos of ID cards featuring full names, occupations and national ID numbers, as well as other miscellaneous photos of employees, planes, luggage and more. The bucket was apparently live and being updated at the time of its discovery.

If found by threat actors, the database could have enabled not only follow-on identity fraud and scams, but far more serious criminal acts, Safety Detectives warned.

“Photos of IDs and employees could allow criminals to impersonate various members of staff – employees that can gain access to restricted areas of the airport, such as luggage-loading areas and even planes,” it said.

“Criminals could even use leaked data to create counterfeit ID cards and badges. A criminal could further strengthen their appearance as a legitimate employee by downloading leaked mobile apps.”

Colombia in particular has a history not only of serious organized crime but also guerrilla warfare groups plotting to destabilize the country.

Categories: Cyber Risk News

FBI: Olympic Athletes Should Leave Devices at Home

Tue, 02/01/2022 - 09:30
FBI: Olympic Athletes Should Leave Devices at Home

US law enforcers are urging participants at the Beijing Winter Olympics to leave their devices at home after warning of potential state-backed and cybercrime activity at the event.

An FBI alert issued yesterday claimed it was aware of no specific threat to the games but urged “partners” to remain vigilant.

While strict Communist Party COVID restrictions mean no foreign spectators will be allowed to attend the Olympics or Paralympics, athletes could be targeted, the Feds warned.

“The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the games,” the notice read.

“The use of new digital infrastructure and mobile applications, such as digital wallets or applications that track COVID testing or vaccination status, could also increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware. Athletes will be required to use the smartphone app, MY2022, which will be used to track the athletes’ health and travel data.”

Alongside the potential for Chinese agents to spy on participants and other attendees, the FBI warned of the risk of disruption by third parties, who could target broadcasters, hotel networks, transport providers, ticketing services, event security and other Olympic support functions.

It cited the last event in Pyeongchang, South Korea, four years ago where Russian state actors managed to cause significant disruption to the official website and media center.

However, the reality is that few hostile nations will want to spoil China’s party, given the potential geopolitical repercussions, and Beijing will be marshaling all of its resources to keep cybercrime actors at bay.

That said, the FBI has released a set of recommended best practices for organizations and individuals with a presence at the event to mitigate network, remote working, ransomware and social engineering threats.

Categories: Cyber Risk News

CISA Tells Organizations to Patch CVEs Dating Back to 2014

Tue, 02/01/2022 - 09:05
CISA Tells Organizations to Patch CVEs Dating Back to 2014

The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago.

The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.

The Binding Operational Directive (BOD) 22-01 that enabled it applies only to civilian federal agencies, but all organizations are encouraged to monitor the list on an ongoing basis as part of best practice security efforts.

The latest eight additions to the catalog include two that must be patched by February 11: a memory corruption vulnerability in Apple’s IOMobileFrameBuffer (CVE-2022-22587) and a stack-based buffer overflow bug SonicWall SMA 100 appliances (CVE-2021-20038).

Interestingly, while two of the remaining six CVEs were first discovered and published to the National Vulnerability Database (NVD) in 2020, four come from several years earlier.

These include two arbitrary code execution vulnerabilities in the GNU’s Bourne Again Shell (Bash) Unix shell and command language, from 2014 (CVE-2014-7169 and CVE-2014-6271).

Also, from 2014 is an Internet Explorer use-after-free bug (CVE-2014-1776).

The final CVE on the new list is a privilege escalation vulnerability in Intel’s Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability offerings. It was first published back in 2017.

Aside from the Apple and SonicWall flaws, all those on the list must be patched by July 28 2022.

Their inclusion in the catalog is proof again that threat actors often favor older CVEs that have been forgotten about rather than spending the time and resource researching zero-days.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, argued that IT teams find it increasingly difficult to stay on top of a mounting patch-load, never mind fixing bugs from several years ago.

“We have a couple of options. Either we hire more people to remediate vulnerabilities and mitigate risk. Or we can be more efficient with the people, resources and tools we already have,” he added.

“The only way the cybersecurity industry will be able to reduce an increasingly concerning accumulation of risk and associated cyber-debt will be through a risk-based approach to vulnerability prioritization and a well-orchestrated approach to risk mitigation. It isn’t easy, but it is possible if leaders make cyber-hygiene and risk management a priority.”

CISA now has over 350 vulnerabilities in its “must-patch” catalog.

Categories: Cyber Risk News

Cengage to Buy Cybersecurity Training platform, Infosec

Mon, 01/31/2022 - 19:16
Cengage to Buy Cybersecurity Training platform, Infosec

A global education technology company based in Boston has signed a $191M deal to buy the cybersecurity training platform, Infosec.

Cengage Group announced the planned addition to its ed2Go business on Monday. The deal is expected to close in the first quarter of 2022. 

“The online, employer-paid cybersecurity training segment is currently a $1bn market, with expectations that it will grow to $10bn annually by 2027,” said Cengage CEO Michael Hansen. 

He added: “Combining Infosec with our already-successful Workforce Skills business will provide top-line growth, expand our base of recurring revenue and accelerate our opportunity within the space.”

Infosec was founded in 2004 by its current chief executive Jack Koziol who will remain at the helm to manage the transition. The company is based in Wisconsin and provides skills development and certification programs for the cybersecurity industry. 

“Cengage Group has the same level of passion for making learning accessible, affordable and applicable to today’s cybersecurity professionals,” said Jack Koziol, CEO and Founder of Infosec. 

He added: “Building on ed2go’s history in online training, Infosec will benefit from Cengage Group’s scale and expertise, which means we can reach more cybersecurity professionals and employers that are looking to not only grow their careers but to keep businesses, governments and people safe from cyber threats.”

Infosec employs around 100 people and offers more than 1,400 online cybersecurity courses. Nearly all Infosec’s current employees will reportedly be joining Cengage’s workforce of 4,500 people. 

According to Cyber Seek, there are just under 600,000 vacant cybersecurity roles in the United States. Research by Burning Glass Technologies suggests that around half of these positions require at least one certification. 

“We can’t hire people fast enough,” Hansen told The Boston Globe. “Right now, the demand for workforce skills courses is just exploding, and it’s exploding in very specific job categories,” he said. 

Hansen continued: “There is such a labor shortage. Every CEO tells me that...the labor shortage is really a skills shortage.”

News of Cengage’s planned purchase comes as rival British publishing house Pearson announced its acquisition of Credly, a digital workforce credentialing service provider, for around $200m.

Categories: Cyber Risk News

Aussie Tech Entrepreneur Extradited Over SMS Fraud

Mon, 01/31/2022 - 18:30
Aussie Tech Entrepreneur Extradited Over SMS Fraud

A Russian-born tech entrepreneur has been extradited to the United States from Australia to face charges relating to a multi-million-dollar text messaging consumer fraud scheme.

The arrival in America of 41-year-old dual Russian and Australian citizen Eugeni Tsvetnenko was announced by the Federal Bureau of Investigation (FBI) on Friday. Tsvetnenko – also known as “Zhenya” – was extradited on charges of conspiracy to commit wire fraud, wire fraud, aggravated identity theft and conspiracy to commit money laundering.

Prosecutors allege that former Perth resident Tsvetnenko conspired with others to operate an auto-subscribing scheme that signed cell phone users to receive premium paid for content via text message without their knowledge or consent. 

“Eugeni Tsvetnenko is alleged to have surreptitiously subscribed hundreds of thousands of cell phone users to a $9.99 per-month charge for recurring text messages they did not approve or want,” said US attorney Damian Williams.  

Victims of the scheme received text messages on horoscopes, celebrity gossip and trivia facts. The scheme’s operators defrauded victims of approximately $41,389,725 and made around $20m in profits. 

Tsvetnenko’s alleged co-conspirators include Darcy Wedd, the operator of telecommunications company Mobile Messenger, and Fraser Thompson, Mobile Messenger’s senior vice president of strategic operations. 

“Tsvetnenko and his co-conspirators concocted a scheme that turned thousands of mobile phone customers into unwitting subscription service participants, as alleged,’ said FBI assistant director-in-charge Michael J. Driscoll said.

He added: “These customers incurred monthly charges for services they never subscribed to and, in many cases, disregarded as spam until the charges turned up on their monthly statements.”

Prosecutors allege that at the start of 2012, Wedd, Thompson and two other Mobile Messenger senior executives recruited Tsvetnenko to their auto-subscribing scheme to boost their company’s revenue. Tsvetnenko allegedly agreed and established two new content providers based in Australia, CF Enterprises and DigiMobi, to auto-subscribe on Mobile.

CC-3 allegedly provided Tsvetnenko with lists of phone numbers to target, along with instructions on how to auto-subscribe without being caught by making it appear as if the customers had genuinely chosen to buy the text-messaging services.

Tsvetnenko is further accused of working with co-conspirators to launder the proceeds of the auto-subscribing scheme.

Categories: Cyber Risk News

Prison for Dark Overlord Collaborator

Mon, 01/31/2022 - 18:00
Prison for Dark Overlord Collaborator

A Canadian man has been sentenced to prison in the United States for trading in stolen identities and collaborating with the Dark Overlord cyber extortionist group.

Using the screen name GoldenAce, Slava Dmitriev bought and sold hundreds of illegally obtained IDs on the dark web. The 29-year-old resident of Vaughn, Ontario, traded in Social Security numbers and other personally identifiable information, including names and dates of birth belonging to American citizens. 

Between May 2016 and July 2017, Dmitriev made approximately $100K by selling 1,764 items (mostly stolen identities) via the darknet marketplace AlphaBay.

An investigation into Dmitriev’s cyber-criminal activities revealed that he aided the Dark Overlord with their illegal activities on multiple occasions. On June 16 2016, Dmitriev sent access credentials to the group for a New York-based dentist he had purchased on a criminal marketplace. The dentist subsequently became the victim of a cyber extortion attack perpetrated by the group. 

A month later, Dmitriev received a spreadsheet from the Dark Overlord containing approximately 200,000 stolen identities. Investigators also determined that in May 2017, Dmitriev sold data stolen by the group containing the identity of a victim residing in La Quinta, California.

Dmitriev was arrested in Greece in September 2020 through the coordinated efforts of the Federal Bureau of Investigation (FBI) and the Hellenic Police. When Greek police searched the residence where Dmitriev was staying, they located a computer containing emails discussing the buying and selling of identities and Social Security numbers, as well as a video about how to commit identity theft.

Dmitriev was extradited to the United States in January 2021 to face a charge of fraud and related activity in connection with access devices. On Wednesday, he was sentenced to three years in federal prison, followed by three years of supervised release.

“Dmitriev stole the identities of hard-working citizens of the United States and thought he was safe from prosecution while overseas,” said Phil Wislar, acting special agent in Charge of FBI Atlanta.  

He added: “This sentence will serve as a reminder that the FBI will always work diligently with International Law Enforcement partners to bring justice to citizens who have been victimized.”

Categories: Cyber Risk News

US Revokes China Unicom's License

Mon, 01/31/2022 - 11:00
US Revokes China Unicom's License

The US government has effectively stripped another Chinese telecoms player of its license to operate in the country on national security grounds.

The new Federal Communications Commission (FCC) order ends the ability of China Unicom Americas to provide telecoms services within the US.

It follows a March 2021 finding by the FCC in which it said the Chinese vendor had “failed to dispel serious concerns” about its continued operations.

In its ruling late last week, the FCC claimed that, as a state-owned enterprise, China Unicom “is subject to exploitation, influence and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight.”

It said this is more likely today than two decades ago when the firm’s license was first approved. The FCC is particularly concerned about Beijing’s ability to “access, store, disrupt and/or misroute US communications” and therefore conduct state-backed cyber-espionage via China Unicom.

“China Unicom Americas’ conduct and representations to the commission and Congress demonstrate a lack of candor, trustworthiness, and reliability that erodes the baseline level of trust that the Commission and other US government agencies require of telecommunications carriers given the critical nature of the provision of telecommunications service in the United States,” the FCC added.

According to the FCC order, “mitigation” would not address these national security concerns.

The firm now has 60 days to stop providing its services within the US.

China Unicom Americas is the latest of several Chinese state-owned telecoms firms caught in the middle of escalating hostility between Beijing and Washington.

Last year, China Telecom Americas also had its license revoked. In contrast, several years before that, the Trump administration blocked China Mobile USA’s application to enter the US market.

China Telecom is currently appealing the revocation of its license.

Categories: Cyber Risk News