A federal judge has dismissed a lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach.
The potential class-action suit was filed in June last year over a data-sharing partnership between Google and the University of Chicago Medicine.
In 2017, Google received the anonymized data of University of Chicago Medicine patients for research purposes. The data was sent by University of Chicago Medicine under an initiative to improve predictive analysis of hospitalizations and subsequently raise the level of patient care.
Under the partnership, the tech giant used machine learning techniques to analyze the patient data in the hope of detecting when a patient’s health is deteriorating. The idea was to find out if and how a timely intervention might prevent the need for hospitalization.
Data sent by the University of Chicago Medicine to Google belonged to hundreds of thousands of people who were patients of the healthcare provider between 2009 and 2016. Although de-identified, the data contained time stamps of dates of service and notes made by physicians.
Edelson PC filed the lawsuit on behalf of lead plaintiff Matt Dinerstein, a patient of UC Medical Center who stayed at the hospital twice in 2015.
The suit alleged that Dinerstein’s confidential protected health information had been shared with Google without first being appropriately de-identified. The suit claimed that the alleged data breach had come to light after the publication of a 2018 research study that confirmed notes and time stamps had not been removed from the data before it was sent to Google.
In the suit, Dinerstein sought a royalty for the use of his protected health information by Google. The plaintiff claimed his medical records were of value to himself and had been stolen.
Federal judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division dismissed the suit on September 4. Pallmeyer ruled that royalties are only appropriate when a property right has been interfered with, and Dinerstein had failed to establish that he had property rights to his own personal health information.
The Bank of England is to make securing cashless payment technology and preventing cybercrime a top priority.
The decision by the 326-year-old institution to focus on cybersecurity and digital payments was revealed yesterday by an external member of the Bank of England's financial policy committee. The committee was created in 2010 with the remit of monitoring the economy of the United Kingdom.
According to Law360.com, committee member Elisabeth Stheeman said that the impact of the COVID-19 pandemic on the financial system was key in driving the decision to focus on cyber-issues. According to Stheeman, what had been a gentle stroll toward digital dominance in everyday payments had increased to a leggy gallop.
"The reality is that online fraud and cyber-hacking of digital accounts have outstripped traditional theft of banknotes and gold," Stheeman said. "Payments have undergone rapid innovation in recent years, and the COVID-19 shock has accelerated these trends."
Stheeman said the committee believes these two areas will be critical in creating the kind of operational resilience that will enable the system to contain and withstand future unforeseen financial crises.
To achieve such resilience, Stheeman said the committee will call for more frequent stress-testing to gauge how well banks can recover from cyber-attacks. The committee also plans to create new standards for how quickly and effectively financial institutions should be expected to contain cyber-attacks.
Stheeman anticipates that the responsibility for ensuring the security of digital payments will lie with technology companies in the future, rather than with banks.
Cyber-criminals have sought to exploit the changes wrought by the global health pandemic, creating scams promising cures or vaccinations and targeting the newly opened-up attack surface created by the increase in remote working.
Across the pond, Americans have lost more than $77 million in fraud related to COVID-19 since the outbreak began, according to the US Federal Trade Commission. John Breyault, vice president of public policy, telecommunications, and fraud at the National Consumers League, thinks the real figure is much higher.
“I think the FTC’s numbers are almost certainly just the tip of the iceberg when it comes to fraud losses,” Breyault said. “We know fraud is historically an under-reported crime.”
Malicious actors have substantially evolved fake alert scams in recent years, in particular by increasingly targeting mobile users, according to a new report by Sophos.
The investigation, authored by Sean Gallagher, senior threat researcher at Sophos, found that “a vast majority” of the fake alerts in malvertising networks targeted mobile users. This is partly because mobile has become a greater source of internet traffic, but these devices also offer easier modes of attack compared to desktop. For instance, iOS Safari’s accessibility function allows pop-up ads to make phone calls to lure victims to a dodgy app on the corresponding app store without scammers needing to cold call or voice-phish victims.
Gallagher added that most of the iOS fake alerts discovered were linked to App Store listings for a group of apps that claimed to be virtual private networking and site blocker tools. These apps all included in-app purchases, requiring payments to be made following a trial period.
The study also observed that desktop tech support scam operations have evolved over the past decade, primarily shifting from call center cold calls to more automated targeting techniques. These include pull-based attacks built on Google search ads and search engine optimization, vishing campaigns prompting the target to call back, and email or text phishing campaigns that lure targets to a fraudulent website.
In addition, it was highlighted how malicious alerts masquerading as pop-up/pop-under ads are being routed through legitimate advertising networks such as PopCash.net and PopAds.net. They are therefore able to slip through, as blocking them would substantially disrupt these advertising networks’ business models.
“At least on the desktop, there are multiple ways to prevent having an encounter with a fake alert site to begin with,” commented Gallagher. “The problem on the mobile side, however, remains largely a user education issue. While Apple and Google have made it more difficult for scammers to leverage browser features to attack users’ privacy and install unwanted applications without intervention, pop-up defenses remain weak and app store abuses remain an issue. As protections increase on desktops against malvertising, more scammers will focus on the weaknesses of mobile devices.”
Businesses fear suffering a data breach and expect it to be caused by an insider or internal error.
A survey of 500 IT professionals by Exonar found that 94% of respondents have experienced a data breach, and 79% were worried their organization could be next.
In an email to Infosecurity, Niamh Muldoon, senior director of trust and security at OneLogin, said the fear associated with breaches stems from the security culture within the organization, along with the security reporting structure.
“Having security teams in close dialogue with executive leadership, supporting the leadership to make informed risk-based decisions and driving the business strategy, including the technologies used, reduces this fear significantly,” she said.
“Secondly, not understanding information security, its components and principles drives fear and anxiety of the unknown, so having security education training, and developing awareness and consciousness of threats, will enable and empower the entire organization to act with a ‘security first’ mindset.
“Finally, recognizing the importance of access control to protect systems and data is a foundational level control that organizations can apply to reduce the risk of a data breach. Hand in hand with this is partnering with trusted identity and access control platform providers who can provide enterprises with that security expertise and industry leadership.”
In terms of what is causing the breaches, 40% of respondents to the Exonar survey said accidental employee incidents were to blame, compared to 21% who said it is external attackers. Asked if this is a case of businesses not having a handle on what leaves their organizations (either intentionally or accidentally), Sammy Migues, principal scientist at Synopsys, said insiders already have access and can leave with data invisibly, which might turn up somewhere embarrassing later.
Migues added: “Insiders make bad decisions to temporarily put data in the cloud without knowing how to secure it. Insiders are pretty sure it is okay to just tell a few people about that new thing that no one should know about. Insiders know exactly how to hurt the organization if they want to. Between accidents and malicious intent, insiders are a major concern.”
Muldoon said: “Firstly, always remember your employees are your biggest information asset. Security is the biggest enabler supporting business moves forward, especially during times of uncertainty, and fostering and growing good working relationships with your organization’s security team will help to bring diversity and inclusion to business strategy and decisions, while creating and maintaining highly-performing teams.
“Secondly, as the saying goes, you are only as strong as your weakest link, so working with an organization to ensure access to systems and data is provisioned only on a need-to-know basis will go a long way. This is where working with a trusted identity and access control partner really benefits an organization as a single access view of access for internally housed systems and/or cloud-based systems.”
BlackBerry has announced the launch of dedicated EU data centers to comply with new and existing GDPR regulations.
Located in the Netherlands and France, the new data centers will add to BlackBerry’s existing infrastructure in the UK and will help the company to provide dedicated EU instances of its critical event management platform AtHoc.
Under a new EU regulation, all member states must establish a critical event public warning system to protect citizens by 2022. BlackBerry explained that, with its new EU-dedicated data centers, organizations will be able to safely and securely communicate with their workforce and other organizations through any device in the event of a natural disaster, terrorist attack or other major contingencies.
“Empowering our customers with the most secure communication platform for increasing resiliency and communicating swiftly is critical in a crisis,” said Adam Enterkin, senior vice-president EMEA at BlackBerry. “It is also vital that we are able to adhere to new and existing EU data residency requirements per the GDPR. With BlackBerry AtHoc’s new EU-based data centers we are able to scale our infrastructure to better support our customers’ needs over a secure and reliable network.”
Security researchers have discovered six critical vulnerabilities in third-party code which could expose countless operational technology (OT) environments to remote code execution attacks.
A team at Claroty found the bugs in Wibu-Systems’ CodeMeter software license management offering, widely used by many leading vendors of industrial control system (ICS) products.
ICS-CERT has given them a collective CVSS score of 10.0, representing the highest level of criticality.
“Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” the US Cybersecurity and Infrastructure Security Agency (CISA) noted.
Attackers could phish their targets, socially engineering them into visiting a malicious site under their control to inject a malicious license onto the victim machine. Or they could exploit one of the bugs to create and inject forged licenses onto a machine running CodeMeter, Claroty said.
The firm claimed the worst of the bugs allow attackers to compromise the CodeMeter communication protocol and internal API, allowing them to send commands to any machine running the code.
This could enable complete remote takeover, allowing attackers to install ransomware or other exploits and/or crash programmable logic controllers (PLCs) because of the malicious license.
Mitigating the threat is made more difficult by virtue of the fact that many OT managers may not know a vulnerable version of CodeMeter is running. Claroty recommended scanning for the product, blocking TCP port 22350 and contacting ICS vendors to check if they can manually upgrade the third-party component of CodeMeter.
A report from Claroty last month claimed that over 70% of ICS vulnerabilities disclosed in the first half of the year can be remotely exploited.
Security researchers are warning users of popular content management system (CMS) platforms that they could be exposed to a range of cyber-threats, after uncovering 89 zero-day vulnerabilities.
A team at Comparitech decided to investigate a recent surge in web defacement attacks which appears to have bucked the long-term trend of a decline in such activity.
Monthly attacks soared from around 300,000 in July 2019 to nearly 700,000 in May 2020. Comparitech privacy advocate Paul Bischoff claimed the rise may be due to hackers staving off boredom while in lockdown.
As part of its investigation, the team uncovered 89 zero-day vulnerabilities in platforms such as WordPress, Joomla, Drupal and Opencart — and their plugins.
It claimed that as many as 100,000 websites are currently running plugins vulnerable to exploitation of these bugs, and that the vast majority of these were on WordPress (78,430) and Joomla (16,360).
“Researchers analyzed the source code of five popular mass-hacking bots, each of which can take advantage of 40 to 80 exploits,” Bischoff continued. “Arbitrary file upload vulnerabilities are the most common, which allow attackers to upload shell scripts onto web servers. Those shell scripts can then be used to remotely execute code and deface the site.”
However, web defacement represents a relatively minor impact compared to the potential damage such attacks could cause.
“Many of the exploits could also be used to distribute malware, set up phishing pages, redirect users to other malicious pages, install card skimming malware, add the server to a botnet, install a cryptominer, encrypt site data with ransomware or launch a number of other attacks on the site and its visitors,” Bischoff warned.
Comparitech also found that a relatively small number of the exploits it analyzed appear in vulnerability databases: just 124 out of a total of 280. This makes it less likely that security teams and vendors will have documented and built-in protections against them.
Scanning for specific plugins, databases and other elements known to be vulnerable is relatively straightforward via specially crafted searches known as “dorks,” explained Bischoff. Alternatively, IP scanning bots or IoT search engines like Shodan.io, Censys and BinaryEdge can be used. Off-the-shelf hacking tools have also lowered the barrier to entry significantly over recent years, he concluded.
Microsoft has fixed 129 CVEs this Patch Tuesday, the seventh month in a row that the number has exceeded 100.
The September line-up for system administrators included 23 critical vulnerabilities, mostly affecting Windows OS and browsers, although none have been exploited or publicly disclosed.
SharePoint also accounts for seven of the critical bugs fixed this month, all of which could lead to remote code execution (RCE).
“Five of these vulnerabilities (CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, CVE-2020-1576) involve uploading a malicious application package, and one (CVE-2020-1460) involves user-created content,” explained Qualys senior director of product management, Jimmy Graham.
“The remaining vulnerability (CVE-2020-1595) is a deserialization vulnerability in SharePoint APIs. Because of this, it is highly recommended to prioritize these patches across all SharePoint deployments.”
Another flaw highlighted by experts as a priority is an RCE bug in Exchange 2016 and 2019 with a CVSS score of 9.1 (CVE-2020-16875).
“The vulnerability is a memory corruption vulnerability, which means all an attacker has to do is send a specially crafted email to exploit it,” said Allan Liska, senior security architect at Recorded Future.
“Both cyber-criminal and nation state threat actors are looking to exploit Microsoft Exchange because so many large enterprises rely on it. For example, CVE-2020-0688 was disclosed in February of this year and by early March exploits were being discussed on underground forums, and vulnerable systems were being scanned and exploited.”
Another, CVE-2020-0922, is an RCE bug in Microsoft COM for Windows, which affects Windows 7-10 and Windows Server 2008-2019.
“If this vulnerability is eventually weaponized, it would be in line with recent trends of attackers using so-called fileless malware in their attacks by sending phishing emails with malicious scripts as attachments.”
Google also released a security update yesterday fixing five security vulnerabilities in Chrome rated “high,” its second highest severity rating.
Unscrupulous criminals are impersonating employees of the United States Department of Justice to scam elderly victims of crime.
The DOJ issued a fraud alert on Friday in which it strongly encouraged the public to remain vigilant and urged them not to provide personal information over the phone to anyone claiming to be from the department.
An alert was issued after the Office of Justice Programs’ Office for Victims of Crime (OVC) received multiple reports that individuals claiming to represent the Department of Justice are calling members of the public as part of an imposter scam.
A DOJ spokesperson said: "Reports to the National Elder Fraud Hotline indicate these scammers falsely represent themselves as Department of Justice investigators or employees and attempt to obtain personal information from the call recipient, or they leave a voicemail with a return phone number."
The return phone number directs users to a recorded menu that has been set up to match the genuine recorded menu for the department’s main phone number.
Eventually, the user reaches a fake operator who connects them to someone claiming to be an investigator. That charlatan investigator then attempts to con the user into sharing their personal information.
The National Elder Fraud Hotline is open seven days a week for people to report fraud against American seniors aged 60 or older.
“Phone scams are an ugly and pervasive act of victimization. The scams being reported to our National Elder Fraud Hotline are especially heinous because they show the perpetrators are preying upon one of the most vulnerable segments of our society—the elderly,” said OVC director Jessica Hart.
“As if this were not despicable enough, the scammers do so posing as employees of the Justice Department, usurping public trust in the agency that serves as a bastion of fairness and lawfulness while these scams exploit the elderly for financial gain."
Hart added that the first step to identifying the criminals behind such scams is to report their crimes to the relevant authorities.
Americans who receive one of these calls are urged to report it to the Federal Trade Commission.
The first day back to school was postponed for students in the Connecticut capital after a cyber-attack knocked critical systems offline.
Hartford Public Schools students were due to resume classes on Tuesday morning. Instead, lessons were put on hold while officials tried to deal with a ransomware attack that struck the city on Thursday, causing a systems outage over Labor Day Weekend.
Hartford mayor Luke Bronin described the incident as the most extensive and significant cyber-attack on the city in the last five years. According to the mayor, the attack would have been worse had the city not invested in a cybersecurity system a year ago.
City officials said an unauthorized attacker first gained access to the city's systems on Thursday but didn't launch an attack until Saturday. The IT team worked through the weekend, going server to server to restore systems.
Bronin said the Hartford Public Schools system has about 300 servers, more than 200 of which were impacted by the cyber-attack.
Student information systems were restored at around midnight on Monday, said Hartford Public Schools superintendent Dr. Leslie Torres-Rodriguez.
She said: “It houses all of our student addresses, our grades, our attendance. It’s all housed there. It’s all been fully restored."
Torres-Rodriguez added that the ransomware did not have any impact on the student learning platforms.
The system that routes school buses has not yet been fully restored following the attack. Other Hartford city systems impacted by the cyber-incident include public safety systems.
The city's police department said that response times were not impacted by the incident, but that the ransomware attack had caused inconvenient scheduling issues.
City officials told NBC Connecticut that they don't believe any private information or sensitive financial information was exfiltrated by the attacker.
In its latest "State of Email Security Report," Mimecast examined the effects of ransomware and email attacks on the education sector. The company found that 32% of workers in the public sector said that ransomware had impacted their operations in the last 12 months.
On average, those struck by ransomware suffered two to three days of downtime as a result of the attack, with 9% experiencing downtime of a week or more.
Acronis will deliver technical and commercial support to the racing series, which was created by performance electric flying car manufacturer Alauda.
The partnership will be reflected in the placement of Acronis branding in a prominent position on Airspeeder’s MK4 racing craft.
Plans are under way for the first Airspeeder Grand Prix to be held in 2021, in which electric racing multi-copters will fly at speeds of up to 130km/h.
Light Detection and Ranging (LiDAR) and Machine Vision technology will be used to create a virtual force-field around each racing craft. Acronis will provide cyber-protection solutions to ensure the technology can deliver close but safe racing between the crafts.
Part of this technology will be delivered by Teknov8, a global provider of cybersecurity solutions that will support Acronis’ partnership with Airspeeder as an Official #CyberFit Delivery Partner.
"Backing from Acronis, a business with an extraordinary culture of technological success in Formula One and Formula E, represents significant affirmation of our vision to accelerate the next great mobility revolution through sporting competition,” said Matt Pearson, founder of Alauda and Airspeeder.
Under the new partnership, Airspeeder’s team and pilots will benefit from real-time data, including analysis of battery and key systems performance. From this information, engineers will be able to define strategy as they race to find a competitive advantage in a sport where every team starts with the same technical platform.
“Acronis’ place at the leading edge of innovation in data management perfectly aligns with Alauda and Airspeeder’s vision to accelerate a mobility revolution through close sporting competition," said Jan-Jaap Jager, the board advisor and senior vice president at Acronis.
"Our proven, integrated approach to providing easy, efficient, reliable and secure cyber protection for all data, applications and systems will help Airspeeder to enhance their performance on the air track and in the back office. We look forward to delivering on the promise of a true next generation technical and sporting proposition.”
Threat actors have heavily focused on issues related to the pandemic to launch attacks such as phishing, ransomware and malware, and to exploit the increased reliance on home networks and IoT devices during the lockdown period, the study found.
Bitdefender also revealed it had received a five-fold increase in the number of coronavirus-themed reports in the first two weeks of March alone, while an average of 60% of all received emails were fraudulent in April and June. Overall, an average of four out of 10 COVID-themed emails were tagged as spam throughout the first half of 2020. These frequently impersonated government, health and financial institutions to spread misinformation, fake cures and offers for protective equipment.
As the shift to home working took place due to COVID-19 lockdown restrictions, cyber-criminals adapted their strategy to target this phenomenon. This included the discovery of a new DNS hijacking attack targeting a popular brand of home routers that redirected victims to malware-serving websites promising applications that offer new and up-to-date information about the outbreak.
In addition, malware developers also quickly sought to target applications commonly used by remote employees, such as the Zoom video conferencing platform.
Suspicious incident reports related to IoT devices went up by 46% in the six months from January to June, which is linked to people staying indoors much more during the lockdown period. Over half (55.73%) of IoT network threats involved port-scanning attacks.
Ransomware was another particularly popular mode of attack in this period, with a seven-fold year-on-year increase in reports.
Speaking to Infosecurity, Liviu Arsene, global cybersecurity researcher at Bitdefender, explained that he expects cyber-criminals to continue leveraging the COVID-19 pandemic to launch attacks throughout the rest of 2020. “If during the first half of 2020 cyber-criminals have been exploiting the pandemic with messages promising miracle cures and medical devices or equipment meant to protect users from infection, during the second half we’ll likely see attackers exploiting the economic and social aftermath of the pandemic,” he said.
“Spam or fraudulent messages will likely exploit the way both private and public companies have changed their interaction with users. For example, messages claiming to be from financial institutions asking customers to update their personal and financial data or promising financial relief, because they can no longer do it in person in light of COVID-19 restrictions.”
Small- to medium-sized businesses (SMBs) are proactively putting tools in place to combat attacks whilst working with limited security budgets and constrained resources.
According to research of 500 SMBs by Untangle, 38% have allocated under $1000 to their security budget, but this is an increase of 29% compared to 2019 and 27% compared to 2018. Heather Paunet, senior vice-president of product management at Untangle, told Infosecurity that its research found “74% of respondents from the survey confirmed that network security is a top business priority.”
She said 45% of respondents also confirmed news about large scale data breaches and companies dealing with these have shifted their network security roadmap. “This shows that SMBs are prioritizing some form of cybersecurity, but within their limited budgets,” she added. “This can be focusing on a firewall solution one year, and then endpoint security options in another.”
In terms of technology, 82% of SMBs rank firewalls as the most important feature when considering which IT security solutions to purchase, whilst 71% have their firewall on site rather than in the cloud.
Paunet said: “Many firewalls can be deployed easily for novice or intermediate network administrators. Many times, next-generation firewalls can be deployed with some standard presets, and as IT teams and administrators become more familiar with the technology and the needs of their company, they can adjust settings, block lists, filters and access parameters.”
In terms of budget allocation, 32% of respondents identify budget as their greatest barrier, followed by employees who do not follow IT security guidelines (24%) and limited time to research and understand emerging threats (13%). Paunet said with fewer employees overall, the number of incidents can decrease. “For example, with only a handful of employees, email filtering or web filtering overall can be more effective, and training five employees on a consistent basis to notice suspicious activity or emails can help create a better employee-driven defense against cyber-attack,” she explained.
“IT teams do need to be aware that just because their company may be small, they can still be targeted by phishing scams or malicious links.”
Furthermore, 78% of SMB employees are temporarily working remotely with 56% suggesting some positions will be permanently remote moving forward.
“As the abnormal becomes our new normal, SMBs need to approach remote work by using a combination of cloud-based applications and on-premises solutions to keep employees and systems safe, and ensure business continuity,” said Scott Devens, CEO at Untangle.
“SMBs should be looking for technologies that incorporate multi-layered network security tools and a hybrid network infrastructure, such as SD-WAN, to avoid large-scale network vulnerabilities, regardless of budget and resource size.”
New research from Kaspersky has discovered that of the 32% of Brits provided with a corporate desktop computer, only 77% have adequate anti-virus or cybersecurity software installed, leaving 23% of company desktops significantly insecure and exposed to cyber-threats.
This is also the case for company smartphones, 23% of which are unprotected, according to the security giant.
Kaspersky did point out that corporate laptops are slightly more likely to be protected than desktops and smartphones, although it stated that one in five laptops still lack adequate security software.
Kaspersky commissioned Arlington Research to interview 2000 UK consumers aged 18+ in June 2020.
The figures gathered are particularly concerning given the current remote working trend brought about by the COVID-19 pandemic, which has seen 48% of the UK’s 32.9 million workers work remotely, away from their normal workplace, this year.
With regards to personal devices being used for corporate means – something that has become more common since COVID-19 lockdowns and remote working strategies were introduced – Kaspersky’s findings make for even more troubling reading.
For example, more than half of those surveyed by Kaspersky stated that they use personal smartphones to check work email, while 36% rely on their personal laptop or desktop for work. However, personal devices are even less likely to be protected by adequate security software than employer-supplied equipment, Kaspersky found.
“When company devices are used outside the workplace, they are at greater risk of cyber-threats,” said David Emm, principal security researcher at Kaspersky. “Therefore, it’s troubling to discover that nearly a quarter of corporate computers and smartphones lack anti-virus software, leaving them potentially vulnerable to attack.
“It’s important that all businesses pre-install staff computers and devices with security software to ensure they are protected at all times. Employers must also make sure staff know how to install or check the status of anti-virus software while working on personal, or company devices from home, to secure corporate information and networks.”
More British security conferences have recently been canceled.
Organizers of both 44CON, which was due to take place this week, and BSides London, which was due to take place October 23 and 24, have announced in recent weeks that their 2020 events will not take place.
In a statement released today, BSides London said it is “with a heavy heart that we, as event directors, have taken the decision to CANCEL this year’s event” based on the available data and its own risk evaluation. These factors included the likelihood of maintaining social distancing in networking areas, taking temperatures upon entry, the number of people actually able to attend and the possibility of a next wave of COVID-19.
“We want to thank all of you for being patient in these times and supporting the team,” the organizers added.
Also, the organizers of 44CON said there will not be a physical 44CON event this year, or until a COVID-19 vaccine is available and being used, as government rules “mean we can’t hold the physical event in September.”
In the meantime, 44CON announced the first in a series of free-form war gaming exercises.
A host of British cybersecurity conferences have been pulled this year, including the majority of the UK BSides events which were due to take place after lockdown began, and Infosecurity Europe, which announced its physical event was to be replaced with a series of virtual events taking place throughout the year.
Nearly all cybersecurity companies have exposed sensitive data including PII and passwords online, according to a new study from ImmuniWeb.
The security vendor selected 398 of the world’s top security vendors and then scoured surface, dark and deep web sites including hacking forums and marketplaces, WhatsApp groups, public code repositories, social networks and paste websites.
It claimed to have discovered verified sensitive data over 631,000 times, with 17% of these “incidents” estimated to have critical risk. This means they included logins with plaintext passwords, or data leaks such as PII and financial records that are recent and/or unique.
In total, the research revealed PII and corporate data accounted for half (50%) of all incidents, with credentials taking 30% and backups and dumps 15%.
Also concerning is the fact that 29% of the discovered passwords were “weak” — i.e. they featured fewer than eight characters, with no uppercase, no numbers and no special characters. In 41% of companies studied, employees were found to have reused passwords on different breached systems, further exposing their organization to breach risks.
The report also revealed that over 5100 stolen credentials came from breaches of adult content sites, meaning employees had registered on such sites with their work emails.
In total, 97% of cybersecurity firms studied in the report were found to have sensitive data exposed online, although some date back as far as 2012, and the majority of incidents were classed as low (25%) or medium (49%) risk.
Low risk refers to “mentions of an organization, its IT assets or employees in data leaks, samples or dumps without accompanying sensitive or confidential information,” while medium risk could include encrypted passwords or leaks of “moderately” sensitive data such as source code or internal docs.
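The weak-password rule and the critical/medium/low risk tiers quoted from the ImmuniWeb report above are concrete enough to turn into a triage routine for a defender's own dark-web monitoring feed. The following is an added example, not code from ImmuniWeb or the report: it classifies constructed leak records by the report's tiers, counts passwords that meet the report's definition of "weak", and flags the password-reuse indicator (the same plaintext password for the same account in two or more different breached sources). The record layout, the 12-month meaning of "recent", the treatment of old, non-unique PII leaks as medium, and every sample value are assumptions made for this example.

```python
"""Exposure triage over leaked-credential records (added example).

Implements the weak-password rule and the critical/medium/low tiers as the
ImmuniWeb report describes them; record format and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample records; every email, source, password and date is made up.
# "data" lists what kind of information the record exposed.
SAMPLE_RECORDS = [
    {"email": "alice@corp.example", "source": "forum-dump-A", "password": "abcdefg",
     "password_form": "plaintext", "data": ["credential"], "date": date(2020, 7, 12), "unique": False},
    {"email": "alice@corp.example", "source": "shop-breach-B", "password": "abcdefg",
     "password_form": "plaintext", "data": ["credential", "pii"], "date": date(2019, 3, 3), "unique": False},
    {"email": "frank@corp.example", "source": "adult-site-G", "password": "Summer2019!",
     "password_form": "plaintext", "data": ["credential"], "date": date(2020, 2, 2), "unique": False},
    {"email": "bob@corp.example", "source": "paste-C", "password": "5f4dcc3b5aa765d61d8327deb882cf99",
     "password_form": "hashed", "data": ["credential"], "date": date(2018, 1, 20), "unique": False},
    {"email": "carol@corp.example", "source": "repo-D", "password": None,
     "password_form": None, "data": ["source_code"], "date": date(2020, 8, 1), "unique": False},
    {"email": "dave@corp.example", "source": "marketing-list-E", "password": None,
     "password_form": None, "data": ["mention"], "date": date(2012, 5, 5), "unique": False},
    {"email": "erin@corp.example", "source": "old-dump-F", "password": None,
     "password_form": None, "data": ["pii", "financial"], "date": date(2013, 9, 9), "unique": False},
]

RECENT_WINDOW = timedelta(days=365)  # assumption: "recent" means within the last 12 months
SENSITIVE = {"pii", "financial"}               # critical when recent and/or unique
MODERATE = {"source_code", "internal_docs"}    # "moderately sensitive" data, medium tier


def is_weak(password):
    """Weak exactly as the report defines it: fewer than eight characters AND
    no uppercase letter AND no digit AND no special character."""
    return (len(password) < 8
            and not any(c.isupper() for c in password)
            and not any(c.isdigit() for c in password)
            and not any(not c.isalnum() for c in password))


def classify_risk(record, today):
    """Map one record to the report's critical / medium / low tiers."""
    recent = today - record["date"] <= RECENT_WINDOW
    sensitive = SENSITIVE & set(record["data"])
    if record["password_form"] == "plaintext":        # login with plaintext password
        return "critical"
    if sensitive and (recent or record["unique"]):     # recent and/or unique PII or financial data
        return "critical"
    if record["password_form"] == "hashed":            # encrypted/hashed password
        return "medium"
    if MODERATE & set(record["data"]):                 # source code, internal docs
        return "medium"
    if sensitive:                                      # assumption: stale, non-unique PII is medium
        return "medium"
    return "low"                                       # bare mention, nothing sensitive attached


def find_reuse(records):
    """Accounts whose same plaintext password shows up in two or more different
    breached sources: the report's password-reuse indicator."""
    seen = defaultdict(set)  # (email, password) -> set of sources
    for r in records:
        if r["password_form"] == "plaintext":
            seen[(r["email"], r["password"])].add(r["source"])
    return sorted(email for (email, _), sources in seen.items() if len(sources) >= 2)


def triage(records, today=date(2020, 9, 10)):
    """Summarise a feed the way the report's headline numbers are built."""
    risk = Counter(classify_risk(r, today) for r in records)
    plaintext = [r["password"] for r in records if r["password_form"] == "plaintext"]
    return {
        "by_risk": dict(risk),
        "plaintext_total": len(plaintext),
        "weak_plaintext": sum(1 for p in plaintext if is_weak(p)),
        "reused_by": find_reuse(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

One caveat worth noticing when reading the 29% figure: because the report's definition is a conjunction, a six-character password that contains a single digit does not count as "weak" under it, so the rule undercounts passwords most practitioners would reject. The reuse check only compares plaintext values; hashed passwords from different dumps are not comparable unless they share a salt and algorithm.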
ImmuniWeb CEO Ilia Kolochenko warned that third parties like security vendors are an increasingly popular target for attackers.
“In 2020, one need not spend on costly zero-days but rather find several unprotected third parties with privileged access to the ‘Crown Jewels’ and swiftly crack the weakest link,” he added.
The world’s largest webmaster forum has been found wanting in terms of its cybersecurity posture after researchers discovered an unprotected database leaking data on nearly 900,000 users.
Digital Point provides a platform for members to chat and buy and sell websites, domains and digital services.
Back in July, researchers at WebsitePlanet teamed up with Jeremiah Fowler to discover an Elasticsearch database belonging to Digital Point that was left online without password protection, exposing nearly 63 million records.
These included emails, names, internal user ID numbers, internal records and user posts related to 863,412 users of the site.
Fowler warned that an attacker without administrative credentials could have edited, downloaded or even deleted this data.
The latter threat is particularly real given the recent spate of “Meow” bot attacks on exposed databases. An attacker could also look to steal the data before deleting it and holding it to ransom.
Another particular threat from exposure of this kind of data is domain hijacking, Fowler warned.
“Having the contact information, email and other details could allow a cyber-criminal to use acquired personal information about the actual domain owner to impersonate them,” he explained.
“Domain hijacking is exactly what it sounds like and criminals could try to change the registration information and ownership details. This type of theft would allow the domain hijacker to gain full control of the website name and can use the domain for their own purposes or try to sell it to a third party.”
Fowler described the dataset as a “treasure chest of information” for would-be domain hijackers.
“Many of the email accounts were admin@ or similar. Having a domain stolen can destroy a business or an organization and there is no guarantee that you will get it returned,” he continued.
“Anyone who has ever lost a domain name will tell you that dealing with lawyers, court costs and losing the trust of your clients would be devastating.”
A leading UK university has warned staff and students that it will take weeks to recover from a recent ransomware incident, with a well-known threat group already posting stolen documents.
Newcastle University in the north-east of England is part of the elite Russell Group. It claimed to have been attacked on August 30 2020 with most university systems unavailable or restricted indefinitely.
“The nature of the problem means this is an on-going situation which we anticipate will take a number of weeks to address,” it said in an update on Monday. “We hope to have a better estimate at the end of this week.”
Still available to staff and students during this time are Office 365 including email, Office applications and Teams, Zoom, SAP core services and the Canvas virtual learning environment.
However, the university IT team (NUIT) also warned on Friday that services which are operating may need to be taken down without notice, that “colleagues may lose access to their IT accounts without notice and they may not be re-enabled quickly,” and that PCs, servers and other assets may need to be removed for investigation.
The attack happened at around the same time as Newcastle’s other higher education institution, Northumbria University, also suffered a ransomware outage.
They appear to have been timed to cause maximum damage as the universities prepare for the start of the new academic year — one in which online services will play a key part as remote students log in to attend classes and receive assignments.
The bad news for Newcastle University is that the notorious DoppelPaymer group has begun posting documents it claims to have stolen from its servers to its dedicated “Doppel Leaks” site.
According to Group-IB, DoppelPaymer ranks alongside Ryuk and REvil as one of the “greediest ransomware families with highest pay-off.”
Ransomware could pose a significant threat to the US election infrastructure, as aging software and potentially vulnerable voting machines could be targeted by criminal elements or by foreign-based cyber-attacks.
According to NTT Ltd.’s global threat report for September, ransomware could be deployed and lie in wait to be activated on election day, or once voting machines are activated, and could pose a significant threat to voting processes and procedures, potentially bringing voting operations to a halt.
“Election threats from ransomware, or from other types of cyber-attacks, do not come solely from foreign governments,” the report said. “Cyber-attacks against the US election infrastructure can be launched by any criminal threat actor seeking financial gain.”
NTT claimed the US elections in November will involve “a high stakes endeavor” in terms of ensuring and maintaining security, and threats to the US voting processes could involve: foreign interference, disinformation campaigns, potential changes in the US Postal Service operating procedures, ransomware attacks, aging technology (including hardware and end-of-life software), voter roll purges, voter apathy – and particularly for this year – the fear of COVID-19 contagion at voting precincts.
“A cyber or physical attack on the election infrastructure, whether election systems or processes are interconnected or not, could potentially lead to overall election system dysfunction, errors in vote count, delays in voting results and erroneous election reporting,” the report said.
NTT claimed the most important elements of security are those which attackers will most likely target first, and the first line of defense against cyber-intrusion, and other threats, “must be a secure and resilient US election infrastructure.” NTT determined the threats to be in three areas:
Threats to pre-election activities: Attacks on voter registration information could involve tampering with or deleting voter registration details so that the potential voter is unregistered and thus unable to vote. Also, malware planted on a voter registration system could compromise the integrity of that data. Finally, voters’ data could be mined for personal identifying information and held for ransom, or it could be sold for criminal profit on the dark web.
Threats to election day activities: Voting on a Direct Record Electronic (DRE) voting machine could be susceptible to physical damage by a cyber-attack, while election results submitted electronically, or via email on election night, face cyber-threats, and an attacker could plant malware on the optical scan machine at any point from warehouse, to delivery, to set up at polling locations.
Threats to post-election activities: NTT admitted these are reduced, as the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published the Cyber Incident Detection and Notification Planning Guide for Election Security among materials to help state and local election officials strengthen their election security.
NTT’s analysts recommend following the latest cybersecurity practices and maintaining good cyber-hygiene as a first line of defense against cyber-intrusions, as well as having proper patching and update processes, and proper custodianship of hardware and security awareness.
In an email to Infosecurity, Jake Moore, cybersecurity specialist at ESET, said he believed threat actors are clearly ready to attack what promises to be the hottest election yet, and there will no doubt be greater kudos to gain than ever, as the world watches on.
“Ransomware is a significant threat to all organizations at the best of times, but the spotlight of the election will add a huge amount of interest from criminal gangs from all over the globe,” he said.
“Ransomware is a genuine threat, but arguably no more likely than a DDoS or data breach. Threat actors of all types will be doing what they do best: looking for weaknesses and vulnerabilities to exploit in the hopes of a huge financial gain.”
He concurred with NTT Ltd’s advice on maintaining good cyber-hygiene – such as timely patches and updates – as well as offering the best, most up-to-date awareness advice to all staff, to help protect against the inevitable barrage of attacks.
The number of whistleblower reports made to the Information Commissioner’s Office (ICO) about potential data breaches and the misuse of customer information by organizations has risen by 34% in the last year.
That’s according to RPC, a London-headquartered professional services firm offering legal and consultancy advice to a range of sectors. Of the record-high 427 whistleblower reports made in the last year, RPC stated that further action was taken with 68, including 23 being taken into consideration for investigations.
According to RPC, greater awareness of online fraud and other forms of data theft has caused more people to report businesses for not taking proper precautions with the data they hold.
Richard Breavington, partner at RPC, explained: “Whistleblowing is now a major risk for businesses that fail to deal with a data breach properly, or who have failed to take reasonable steps to protect the data they hold on their customers.
“This makes it more important than ever for businesses who do fall victim to a data breach to respond quickly and to inform the ICO of the data breach if necessary, within the right deadline and ensure customers are informed when they are exposed to a major risk.”
Breavington added that whilst the ICO has indicated that it is exercising some forbearance during coronavirus with regards to investigations and potential disciplinary action relating to data misuse, organizations should not misinterpret that as a “free pass” to neglect sound data security management.
“With millions of employees continuing to work from home, businesses need to have clear practices in place. For example, recommending multi-factor authentication if employees are using their own devices for work and advising employees to update software regularly so it’s at a lower risk of being hacked into.”