Info Security


LORCA and Kx Partner to Boost Cyber-Scaleups with Advanced Analytics

Tue, 02/11/2020 - 11:02

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced a new partnership with Kx to enhance cyber-scaleups through access to advanced data processing capabilities.

LORCA is a government-backed program that supports the UK’s most innovative cyber-companies with the aim of growing the UK’s cybersecurity sector and making the internet a safer place.

Based in East London and run by Plexal, LORCA offers members a range of forums, programs and events aimed at helping them develop, convening academia, innovators, government, investors and industry into a cross-sector, non-competitive and collaborative ecosystem.

Through the partnership with Kx, which will be spearheaded by Kx Ventures – an arm of the Kx company – LORCA members will receive 12 months of dedicated support designed to help them scale, and will have access to the Kx platform, allowing them to improve their product research and development by processing and analyzing data more efficiently.

Saj Huq, program director, LORCA, said: “Every successful cyber-company starts with a validated, market-ready product. Working with Kx will provide a valuable opportunity for LORCA members to glean advanced, data-led insights and improve their market readiness, as well as access commercial expertise from Kx.”

Paul Hollway, head of Kx Ventures, added: “We have been impressed by the caliber of innovators LORCA has sourced from around the world and the cluster’s ability to drive such companies to success. We look forward to supporting them as a technology partner.”


Categories: Cyber Risk News

Danes Blame Bug for ID Leak Affecting 1.3 Million

Tue, 02/11/2020 - 10:32

The Danish government is under fire after an audit revealed that the personal identity numbers of over a fifth of the country’s population were leaked to US tech providers for five years.

The issue was discovered by the Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen) which maintains the country’s tax office IT systems.

It is linked to a software bug in the TastSelv Citizen portal used by taxpayers, which meant that ID (CPR) numbers appeared in the web address after a user updated their details.

This in turn meant that the numbers, as part of these URLs, were sent to analytics providers Google and Adobe. According to tech supplier DXC Technology, 1.26 million citizens were affected by this leak between 2015 and 2020, while a further 1,330 were caught up in a smaller incident from January 29 to February 1, 2020.

The government agency was quick to play down the seriousness of the incident, confirming that no other payroll, tax or personal data was included in the privacy snafu, and that the leaked CPR numbers were sent via an encrypted connection.
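The failure mode described above, an identifier landing in a URL that third-party analytics then receive, is one that can be caught on the way out and found after the fact in web logs. The following is an added example, not code from the Danish agency, DXC or the article: a small Python redactor for Danish CPR-shaped values (DDMMYY plus four digits, with or without the hyphen) that scrubs a URL before it is handed to an analytics beacon, plus a scan over constructed access-log lines to locate historical leaks. The function names, the placeholder text and the log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Danish CPR numbers are DDMMYY followed by a four-digit sequence, usually
# written with a hyphen (e.g. 010203-1234). Match both spellings, and refuse
# to match inside a longer digit run.
CPR_PATTERN = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{2})-?(\d{4})(?!\d)")
PLACEHOLDER = "REDACTED"  # constructed placeholder, kept URL-safe on purpose


def looks_like_cpr(token: str) -> bool:
    """True if token has CPR shape and a plausible day/month prefix."""
    m = CPR_PATTERN.fullmatch(token)
    if not m:
        return False
    day, month = int(m.group(1)), int(m.group(2))
    return 1 <= day <= 31 and 1 <= month <= 12


def redact_cpr(text: str) -> str:
    """Replace every CPR-shaped token in free text with the placeholder."""
    def _sub(m):
        return PLACEHOLDER if looks_like_cpr(m.group(0)) else m.group(0)
    return CPR_PATTERN.sub(_sub, text)


def redact_url(url: str) -> str:
    """Scrub CPR numbers from path, query values and fragment before the URL
    leaves the site, e.g. when building the page-view event for analytics."""
    parts = urlsplit(url)
    path = redact_cpr(parts.path)
    query = urlencode([(k, redact_cpr(v))
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    fragment = redact_cpr(parts.fragment)
    return urlunsplit((parts.scheme, parts.netloc, path, query, fragment))


def find_leaks(log_lines):
    """Return (line_number, redacted_line) for every access-log line whose
    request carried a CPR number, so the hit can be filed without re-leaking it."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if any(looks_like_cpr(m.group(0)) for m in CPR_PATTERN.finditer(line)):
            hits.append((n, redact_cpr(line)))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.1 - - [29/Jan/2020:10:15:01 +0100] "GET /update?cpr=010203-1234 HTTP/1.1" 200 512',
    '10.0.0.2 - - [29/Jan/2020:10:15:07 +0100] "GET /static/app.js HTTP/1.1" 200 9981',
    '10.0.0.3 - - [29/Jan/2020:10:16:30 +0100] "GET /profile/311299-4321/edit HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    print(redact_url("https://portal.example/update?cpr=010203-1234&ok=1"))
    for n, line in find_leaks(SAMPLE_LOG):
        print(n, line)
```

The day/month check cuts down on ten-digit false positives such as phone numbers, but a redactor like this belongs in addition to, not instead of, fixing the application so the identifier never reaches the URL in the first place.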

“This is an older software bug that has been fixed today. It is important to note that in both cases there is no risk that the information sent has been misused. In one case, the information has been deleted as an integral part of the recipient process, meaning it is neither logged in nor stored with Google,” said Andreas Berggreen, director of the Danish Development and Simplification Board.

“We take these kinds of cases very seriously, and of course we need to be able to make sure that our suppliers handle all data according to applicable law and within the framework agreed upon with them. We must note that this has not been the case here, and that is why we have asked the attorney general to assess what legal steps the case is giving to the supplier.”

The incident is nowhere near the scale of Scandinavian neighbor Sweden, which imperiled the top secret details of government officials after failing to mandate security clearance for outsourced transport agency staff in Serbia and the Czech Republic.


DevOps Alert: 12,000 Jenkins Servers Exposed to DoS Attacks

Tue, 02/11/2020 - 09:40

Security researchers are warning that 12,000 cloud automation servers around the world could be hijacked to launch denial of service (DoS) attacks.

Radware issued an emergency response team threat alert yesterday after discovering 12,802 Jenkins servers that are still vulnerable to a flaw patched at the end of January.

Discovered by Adam Thorn of the University of Cambridge, CVE-2020-2100 affects Jenkins 2.218 and earlier as well as LTS 2.204.1 and earlier.

“Jenkins’ vulnerability is caused by an auto-discovery protocol that is enabled by default and exposed in publicly facing servers,” explained Radware security evangelist, Pascal Geenens. “Disabling the discovery protocol is only a single edit in the configuration file of Jenkins and it got fixed in last week’s patch from a default enabled to disabled.”

The bug could enable attackers to compromise exposed servers to launch two different types of DoS: an amplification attack and an infinite loop attack.

The latter was described by Geenens as “particularly nasty,” because “with a single spoofed packet, a threat actor can make two servers go into an infinite loop of replies, and they cannot be stopped unless one of the servers is rebooted or has its Jenkins service restarted.

“The same exposed service can also be abused by malicious actors to perform DDoS amplification attacks against random victims on the internet – victims do not have to run or expose Jenkins for the amplification attack to impact them,” he continued.

“If your DevOps teams are using Jenkins servers in their cloud or on-prem environments, there is a simple solution: either disable auto-discovery protocol if you do not use it or add a firewall policy to block access to port udp/33848.”
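To turn the advice above into something an operations team can run across its fleet, here is an added example (not Radware's, Jenkins' or the article's own code) in Python. It classifies a Jenkins version as affected using only the ranges the article quotes (weekly 2.218 and earlier, LTS 2.204.1 and earlier, so 2.219 and 2.204.2 are the first fixed builds), and inspects a JVM options string for the two system properties that switch the discovery listeners off on unpatched builds. Those property names, `hudson.udp=-1` and `hudson.DNSMultiCast.disabled=true`, come from the Jenkins project's own documentation rather than from this article; the function names are constructed for the example.

```python
import shlex

# From the advisory quoted in the article: weekly 2.218 and earlier and
# LTS 2.204.1 and earlier are affected.
LAST_VULNERABLE_WEEKLY = (2, 218)
LAST_VULNERABLE_LTS = (2, 204, 1)

# System properties that turn the discovery listeners off on older builds
# (names from the Jenkins project's documentation, not from the article).
DISCOVERY_PROPS = {
    "hudson.udp": "-1",                       # UDP broadcast/multicast listener on udp/33848
    "hudson.DNSMultiCast.disabled": "true",   # DNS multicast advertisement
}


def parse_version(version: str) -> tuple:
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return parts


def is_vulnerable_version(version: str) -> bool:
    """LTS releases carry three components (2.204.1); weekly releases two (2.218)."""
    v = parse_version(version)
    if len(v) == 3:
        return v <= LAST_VULNERABLE_LTS
    return v <= LAST_VULNERABLE_WEEKLY


def discovery_disabled(java_opts: str) -> dict:
    """Parse a JAVA_OPTS-style string and report, per property, whether it is
    set to the value that disables discovery."""
    found = {}
    for tok in shlex.split(java_opts):
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            found[key] = value
    return {k: found.get(k) == v for k, v in DISCOVERY_PROPS.items()}


def assess(version: str, java_opts: str) -> str:
    """One-line verdict for a host, given its Jenkins version and JVM options."""
    if not is_vulnerable_version(version):
        return "patched: discovery is disabled by default in this release"
    flags = discovery_disabled(java_opts)
    if all(flags.values()):
        return "vulnerable release, but discovery is disabled via system properties"
    missing = ", ".join(f"-D{k}={DISCOVERY_PROPS[k]}" for k, ok in flags.items() if not ok)
    return f"EXPOSED: upgrade, or set {missing} and block udp/33848 at the firewall"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, JVM options).
    for host, ver, opts in [
        ("ci-1.example", "2.218", "-Xmx2g"),
        ("ci-2.example", "2.204.1", "-Dhudson.udp=-1 -Dhudson.DNSMultiCast.disabled=true"),
        ("ci-3.example", "2.204.2", ""),
    ]:
        print(host, "->", assess(ver, opts))
```

The firewall rule is still worth applying even on patched hosts: it protects against a later configuration change that re-enables the listener, and it costs nothing if the protocol is genuinely unused.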

Open source Jenkins servers are popular among DevOps teams, which use them to build, test and deploy apps running in the cloud in environments such as Amazon Web Services, OVH, Hetzner, Host Europe, DigitalOcean and Linode.


Chinese Military Personnel Charged with Equifax Hack

Mon, 02/10/2020 - 18:23

The US has indicted Chinese military personnel today on charges of hacking into Equifax's computer systems and stealing valuable trade secrets and the personal data of nearly 150 million Americans.

A federal grand jury in Atlanta, Georgia, returned the indictment last week against four members of the Chinese People's Liberation Army (PLA). Wu Zhiyong (吴志勇), Wang Qian (王乾), Xu Ke (许可), and Liu Lei (刘磊) are accused of conspiring to carry out a three-month-long data heist.

According to the nine-count indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal to gain unauthorized access to the credit reporting agency's computer system. 

Once inside, the quartet allegedly ran around 9,000 queries on Equifax's system from May to July 2017, obtaining names, dates of birth, and Social Security numbers for nearly half of America's citizens. 

To obfuscate their location, the defendants are claimed to have routed traffic through approximately 34 servers located in nearly 20 countries and used encrypted communication channels within Equifax’s network to blend in with normal network activity. 

The indictment further alleges that to cover their tracks, the defendants deleted compressed files and wiped log files on a daily basis throughout the prolonged cyber-attack. 

"Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us," said Attorney General William P. Barr.

"Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information."

The defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud. They are further charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud. 

The accused are all members of the PLA's 54th Research Institute, a component of the Chinese military. 

FBI Deputy Director David Bowdich said: "Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are, or what country’s uniform they wear."


Social Robot Teaches Kids Cyber-safety

Mon, 02/10/2020 - 17:20

A social robot named Zenbo has been using updated versions of classic fairy tales to teach fifth graders in Delaware how to be safe online.

Zenbo was activated at the University of Delaware's Newark campus during a special lesson laid on by university researchers for a group of students from The College School. 

The two-foot-tall interactive robot was programmed with a number of familiar children's stories, which had been subtly adapted to promote security in the digital age. For example, in Zenbo's version of Little Red Riding Hood, entry to grandma's house is password protected and Red is warned by her mother not to reveal the password to anyone.

When Red encounters a cyber-savvy Big Bad Wolf in the woods, the little girl must grapple with the dilemma of whether she should keep the password a secret or share the private information with a predatory stranger.

Students are asked by the robot what Red should do next. A class confronted with the problem by Zenbo last Tuesday was split down the middle, with half deeming it okay to trust the wolf with the password and the other half believing that to do so would be risky.

“These checkpoints reinforce positive behaviors and create teachable moments for when children make mistakes,” said Chrystalla Mouza, distinguished professor in teacher education in the University of Delaware’s College of Education and Human Development (CEHD). 

“It’s important that this training is provided in school because we cannot rely on it being provided elsewhere.” 

Zenbo's cybersecurity classroom career is a collaboration between Mouza; professor of computer and information sciences in the College of Engineering Chien-Chung Shen; and Tia Barnes, CEHD assistant professor of human development.

When working to establish an academic minor and a master's cybersecurity program at the university, Shen observed that children from kindergarten age up to 12th grade were being overlooked when it came to cyber-safety instruction. 

“We envision this social robot being one part of the teacher’s strategy and lesson plan, perhaps as a station that students visit or an activity that they complete during class to generate discussion,” said Mouza.

The project may be expanded in the future to include virtual reality (VR) that would enable children to become characters within the stories and learn through role play.


Facebook's Social Media Accounts Hacked

Mon, 02/10/2020 - 15:48

Hackers took over two social media accounts belonging to Facebook on Friday afternoon.

Saudi white hat hacking group OurMine compromised Facebook's official Twitter and Instagram accounts as part of a publicity stunt to advertise their own security services.

After gaining access to Facebook's socials, the hackers left a slightly misleading message that implied the Facebook website itself had been hacked, as opposed to the company's Twitter and Instagram accounts (or whichever third-party company was hired to manage them). However, since Instagram is owned by Facebook, the brag was perhaps partially justified.

The group said: "Hi, we are OurMine. Well, even Facebook is hackable but at least their security is better than Twitter."

OurMine went on to give out its website and email address along with an open invitation for Facebook to get in touch "to improve your accounts [sic] security." 

In case any onlookers were in doubt as to who had broken into Facebook's social media accounts, OurMine also posted a photo of their own logo on the company's Twitter and Instagram social feeds.

Twitter confirmed that Friday's hack occurred via a third party and that Facebook's account was locked once Twitter had been alerted to the issue.

A spokesperson for Twitter said: "As soon as we were made aware of the issue, we locked the compromised accounts and are working closely with our partners at Facebook to restore them."

The incident is the latest in a series of high-profile social media hacks perpetrated by OurMine. Just last month, the attention-seeking group hacked the Twitter accounts of America's National Football League (NFL) and 15 of its teams one week before the Super Bowl.

OurMine is thought to have gotten their mitts on the sports teams' credentials via third-party social media management platform Khoros. According to their website, Khoros has implemented a number of security measures "throughout the organization to provide full transparency and a peace of mind for Khoros customers that their personal data and information are in good hands."

Previous online publicity stunts pulled by OurMine include hacking into Twitter founder Jack Dorsey's Twitter account and compromising the Twitter account of Google's chief executive, Sundar Pichai. The group has also hacked the corporate Twitter accounts of ESPN and Netflix.


Emotet Spreads Via Newly Discovered Wi-Fi Module

Mon, 02/10/2020 - 12:00

Security researchers have detected a new version of infamous malware loader Emotet designed to spread to any nearby Wi-Fi networks protected only by weak passwords.

Worm.exe is the main executable used for this process, according to Binary Defense.

“Upon startup of Worm.exe, the first action it takes is to copy the service.exe string to a variable that will be used during file spreading. Next, it steps into the main loop and immediately begins profiling the wireless network using wlanAPI.dll calls in order to spread to any networks it can access,” the firm explained.

“The use of purely wlanAPI.dll calls for network profiling makes sense; it is one of the libraries used by native Wi-Fi to manage wireless network profiles and wireless network connections.”

The malware will try to brute force its way past the Wi-Fi password, if the network is protected, and then go searching for all non-hidden shares — either brute forcing the user accounts on those shares in turn or doing the same for the “administrator” account of the network resource.

Once individual user accounts are accessed, it drops the service.exe binary, which installs itself as a service named “Windows Defender System Service” to gain persistence.

Interestingly, the researchers noted that a worm.exe timestamp of 04/16/2018 indicates that the module may have been running unnoticed for two years. This may be because it is used infrequently by attackers, and also because it will not show up if researchers don’t have a Wi-Fi card in their sandbox environment, Binary Defense claimed.

The good news is that more secure network passwords would help to mitigate the threat.

“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” the vendor concluded.

“Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”
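The endpoint detection strategy Binary Defense describes, watching for newly installed services and for binaries running from temporary or user-profile folders, can be expressed as a small triage rule. The Python below is an added example, not the vendor's or the article's code. It parses constructed records modelled on the fields of the Windows System event that records a service installation (event ID 7045: service name, service file name, start type) and flags two things: a service image under a temp, AppData, Public or ProgramData path, and a service whose name borrows the Windows Defender brand while its binary lives outside the usual program directories. The record format, the sample lines and all function names are constructed for the example; a real deployment would read the events from the event log or a SIEM instead.

```python
import re

# Constructed sample records modelled on Windows System event 7045
# ("A service was installed in the system"); not real telemetry.
SAMPLE_EVENTS = [
    "7045|Service Name: Windows Defender System Service|Service File Name: C:\\Users\\alice\\AppData\\Local\\Temp\\service.exe|Service Start Type: auto start",
    "7045|Service Name: Mozilla Maintenance Service|Service File Name: \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe\"|Service Start Type: demand start",
    "7045|Service Name: WinDefend|Service File Name: \"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"|Service Start Type: auto start",
    "7045|Service Name: Updater|Service File Name: C:\\Windows\\Temp\\svc.exe|Service Start Type: auto start",
]

# Folders from which a legitimately installed service rarely runs.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Where vendor-installed binaries, including the real Windows Defender, normally live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")


def parse_event(line: str) -> dict:
    """Split one constructed 'id|Key: value|Key: value' record into a dict."""
    parts = line.split("|")
    fields = {"event_id": int(parts[0])}
    for part in parts[1:]:
        key, value = part.split(": ", 1)
        fields[key] = value
    return fields


def image_path(file_name: str) -> str:
    """Extract the executable path from a service file name that may be quoted
    and may carry arguments after the .exe."""
    m = re.match(r'"?([^"]*?\.exe)', file_name.strip(), re.IGNORECASE)
    return m.group(1) if m else file_name.strip()


def assess_service(event: dict) -> list:
    """Reasons this service-install event deserves a look (empty = nothing odd)."""
    reasons = []
    path = image_path(event.get("Service File Name", "")).lower()
    name = event.get("Service Name", "").lower()
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("binary runs from a temp or user-profile location")
    if "defender" in name and not path.startswith(TRUSTED_DIRS):
        reasons.append("name imitates Windows Defender but binary is outside trusted program directories")
    return reasons


def triage(lines) -> dict:
    """Map service name -> reasons, for every 7045 record worth investigating."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        if event["event_id"] != 7045:
            continue
        reasons = assess_service(event)
        if reasons:
            findings[event["Service Name"]] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{service}: {'; '.join(reasons)}")
```

Both rules are deliberately coarse: the point is to surface new services for a human to inspect, and in the sample only the two constructed lookalikes are raised while the genuine Mozilla and Defender services pass.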


Docker Registry Snafus Expose Firms to Cloud Compromise

Mon, 02/10/2020 - 10:55

Security experts are warning that widespread Docker registry misconfigurations could be exposing countless organizations to critical data theft and malicious attacks.

Palo Alto Networks’ Unit 42 research group focused on one of the most popular platforms around for managing containers. Docker registries are servers designed to store and organize the all-important images, which contain bundled application code, dependent libraries and operating system files.

As these registries therefore provide access to app source code and business-critical data, it’s vital that they are properly secured. However, Palo Alto Networks discovered misconfigurations in registries’ network access controls which left many exposed.

In total, the Unit 42 team found 941 Docker registries exposed to the internet and 117 registries accessible without authentication. There were 2956 repositories and 15,887 tags in these registries, meaning effectively that nearly 3000 applications and almost 16,000 unique versions of these were exposed.

Scores of registries allowed the “push” operation, meaning hackers could replace legitimate app images with those containing backdoors. Others allowed for deletion, meaning cyber-criminals could encrypt or delete and hold them for ransom, while more still allowed any user to pull and run the images.

“The remediation strategy for this particular misconfiguration is straightforward, such as adding a firewall rule to prevent the registry from being accessed from the internet and enforcing authentication header in all the API requests,” the firm concluded.

“However, with an ever-increasing number of applications and complexity of infrastructure, security becomes a daunting job. Automated tools are needed to scan for vulnerabilities and monitor malicious activities constantly. The earlier the issues can be identified, the less chance they will be exploited in the production.”
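The first of Unit 42's two remediations, requiring authentication on every registry API request, is also the easiest to verify: an unauthenticated request to the registry's `/v2/` endpoint should be refused with a 401 and an authentication challenge. The Python below is an added example (not Palo Alto Networks', Docker's or the article's code) of that check, run against an organisation's own registries. The HTTP layer is injected so the example can run offline against two constructed registries, one locked down and one open; `audit_registry`, `fake_transport` and `urllib_transport` are names made up for the example. When a registry answers anonymously, the audit only reads the catalog and tag lists so the owner can size the exposure; it never pushes or deletes anything.

```python
import json
from typing import Callable, Tuple

# A transport takes a URL and returns (status_code, headers, body_text).
Transport = Callable[[str], Tuple[int, dict, str]]


def audit_registry(base_url: str, get: Transport) -> dict:
    """Does /v2/ demand credentials? If not, how much is readable anonymously?"""
    base = base_url.rstrip("/")
    status, headers, _ = get(f"{base}/v2/")
    report = {"url": base, "reachable": status != 0, "requires_auth": status == 401,
              "repositories": [], "tags": 0}
    if status == 401:
        # Expected on a properly configured registry: a challenge tells clients how to log in.
        report["challenge"] = headers.get("WWW-Authenticate", "")
        return report
    if status != 200:
        return report
    # Anonymous access works; enumerate what is exposed (read-only) for the report.
    status, _, body = get(f"{base}/v2/_catalog")
    if status == 200:
        repos = json.loads(body).get("repositories", [])
        report["repositories"] = repos
        for repo in repos:
            st, _, tag_body = get(f"{base}/v2/{repo}/tags/list")
            if st == 200:
                report["tags"] += len(json.loads(tag_body).get("tags") or [])
    return report


def fake_transport(responses: dict) -> Transport:
    """Transport backed by a {url: (status, headers, body)} table (constructed stand-in for HTTP)."""
    return lambda url: responses.get(url, (404, {}, ""))


def urllib_transport(url: str) -> Tuple[int, dict, str]:
    """Standard-library transport for auditing a registry you operate."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""
    except urllib.error.URLError:
        return 0, {}, ""


# Two constructed registries: one that refuses anonymous access, one wide open.
LOCKED = fake_transport({
    "https://locked.example/v2/": (401, {"WWW-Authenticate": 'Basic realm="registry"'}, ""),
})
OPEN = fake_transport({
    "https://open.example/v2/": (200, {}, "{}"),
    "https://open.example/v2/_catalog": (200, {}, '{"repositories":["api","worker"]}'),
    "https://open.example/v2/api/tags/list": (200, {}, '{"name":"api","tags":["1.0","1.1","latest"]}'),
    "https://open.example/v2/worker/tags/list": (200, {}, '{"name":"worker","tags":["latest"]}'),
})

if __name__ == "__main__":
    print(audit_registry("https://locked.example", LOCKED))
    print(audit_registry("https://open.example", OPEN))
```

A registry that passes this check can still be over-permissive for authenticated users, so the audit complements, rather than replaces, the firewall rule and per-user push and delete permissions.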


National Portrait Gallery Faced Almost 350,000 Email Attacks in Q4 2019

Mon, 02/10/2020 - 10:22

The National Portrait Gallery was targeted by 347,602 emails containing spam, phishing and malware attacks in the final quarter of 2019, according to Freedom of Information Act data obtained by think tank Parliament Street.

The National Portrait Gallery is one of London’s most prestigious art galleries, welcoming between 1.1 and 2 million visitors every year, many of whom have private information such as payment details and email addresses stored on its servers. The research highlights the threats posed to the capital’s museums by malicious hackers who seek to steal membership data from popular tourist attractions.

Of the 347,602 blocked emails, 56% were identified as directory harvest attacks, whilst 61,710 emails were blocked as the sender belonged to a ‘threat intelligence blacklist.’ A further 85,793 emails were intercepted as they were believed, or confirmed, to have contained spam content and 418 emails were listed as being blocked for containing viruses.

Andy Heather, VP at Centrify, said: “These figures paint a worrying picture of the volume of malicious email attacks designed to trick unsuspecting staffers into handing over confidential data such as passwords and log-in credentials. The National Portrait Gallery is an incredibly popular destination for tourists, attracting millions of visitors and members every year, which unfortunately makes it a top target for hackers and cyber-criminals seeking to use legitimate, often stolen, credentials to gain access fear of detection.”

Addressing this threat means ensuring a zero trust approach to employee communication, Heather added, ensuring suspicious emails are spotted and full checks are made so that managers can be sure all staffers are who they say they are.


Likud Election App Exposes All Israel’s Voters

Mon, 02/10/2020 - 10:02

An election app used by Israel’s Likud party has leaked the personal information of all of the country’s voters, it has emerged.

Developed and managed by a company called Feed-b, the Elector app is used by prime minister Netanyahu’s party to contact voters with news and updates.

However, serious security and privacy concerns have swirled in Israeli media about the app, before researcher Ran Bar-Zick decided to take a look.

He found serious security deficiencies that exposed the full names, identity card numbers, addresses, phone numbers, gender and other personal details of every eligible voter in Israel.

According to Bar-Zick, all a visitor to the app’s home page would need to do is right click and choose “view source” to expose the underlying code, which reveals all admin usernames and passwords. Entering these would allow an attacker to log in as admin and download the entire voter registry.

The problem stemmed from an API endpoint which was left exposed without a password, and a lack of two-factor authentication throughout the site.

Feed-b claimed it was a “one-off incident that was immediately dealt with.” However, there are concerns that the app also breaches privacy laws because it allows users to also add information including phone numbers on friends and family members whom they believe may vote for Likud.

It’s unclear whether any cyber-criminals or nation state hackers managed to take advantage of the leaky app before the security issue was addressed. The personal details of Israeli lawmakers, military and other VIPs would be of significant interest to many Middle East rivals.

The irony is that Israel prides itself on the quality of its computer engineers. It has a thriving cybersecurity industry, with many companies spun out of former military projects.

Netanyahu himself has boasted in the past that the state’s cyber-spooks have managed to help allies foil numerous terror plots thanks to their signals expertise.


Crypto Exchange Loses "Almost All Funds" in Hack

Fri, 02/07/2020 - 15:50

Cyber-criminals have stolen "almost all funds" entrusted to crypto exchange platform Altsbit.

The Italian exchange announced it had become the target of a devastating hack yesterday on Twitter. According to their posts, criminals made off with 1,066 Komodo (KMD) tokens and 283,375 Verus (VRSC) "coins" with a combined value of $27,000.

Funds kept in cold storage—crypto coins whose private keys are stored on devices that exist in an offline environment—were not swiped in the cyber-heist.  

In a statement released on Twitter at 2:24 a.m. on February 6, Altsbit wrote: "Dear users, unfortunately we have to notify you with the fact that our exchange was hacked during the night and almost all funds from BTC, ETH, ARRR and VRSC were stolen. A small part of the funds are safe on cold wallets."

How the thieves were allegedly able to make off with the money has not yet been revealed. Altsbit said that an investigation into the hack has been launched in a bid to discover how it happened.

On Twitter, the company wrote: "We are now on analysis of the amount of loss and technical issues of the hack. We will come back soon with more details."

Altsbit, which described itself in its Twitter bio as "Your reliable cryptocurrency partner," has come under fire from social media users.

Tim Tayshum, who is on Twitter as @ezCoinAccess, wrote: "The only way they can keep the RE-LIABLE is to drop the "RE" and take responsibility for shit security protocols. How is it that 6yrs after Mt. Gox there are STILL exchanges who don't know that hot wallet is only for live-execution flow and cold storage is for the other 97.5%!"

Other users were skeptical that a hack had actually occurred. Twitter user @kundalini2020 called the alleged theft an "exit scam."

Another user, @Psyagnostic, replied to Altsbit's hack announcement post with: "Dear users, unfortunately we have to notify you that we have decided to steal all your money and blame it on a hack. Please deposit more funds ASAP so that we can continue operations and you can keep on enjoying trading at Your Reliable Cryptocurrency Partner™. Thanks!!"


Lawyers Could Net $30m in Yahoo Data Breach Settlement

Fri, 02/07/2020 - 14:55

Lawyers who secured a $117.5m deal to resolve litigation tied to multiple data breaches at Yahoo could get paid $30m for their efforts.

Class counsel who secured the breach settlement are currently waiting for US District Judge Lucy Koh to give her final stamp of approval and to award them the fees, according to new documents filed in California federal court.

The sizeable settlement, approved by a federal judge in California last summer, relates to a host of massive historic data breaches that occurred at Yahoo between 2012 and 2016. Data exposed included names, email addresses, telephone numbers, birth dates, passwords, security questions and answers, as well as potentially the contents of emails, calendars, and contacts.

The deal will allow only the 194 million Yahoo users in the US and Israel who were affected by the breaches to claim compensation. Globally, the breaches impacted some 3 billion Yahoo users.

Consumers or small businesses affected by the breach could potentially get up to $25,000 in reimbursement if they had out-of-pocket expenses tied to the breach, such as losses or fees incurred as a result of handling identity fraud or setting up credit monitoring.

Individuals who didn't suffer any direct harm from the breach will be given the option to claim for free credit monitoring. Users who demonstrate they have a minimum of 12 months of credit monitoring can claim a cash payout of up to $100. 

The amount of the cash payment that actually gets paid depends on how many people file for the benefit. If funds remain after all the claims are paid, then claimants could get up to $358.80 each. However, due to the 194 million potential claimants involved, the real payout could be as little as 60 cents per user. 

If even a third of the potential class members lodge a claim, then the payout will be $1.84 per person. 

Commenting on the settlement to CNBC, cybersecurity expert Joseph Steinberg predicted that the actual amount of compensation Yahoo users will receive is likely to be far lower.

"Everybody probably has free credit monitoring at this point," said Steinberg. "If you’re expecting to get $100, you’re probably going to be significantly disappointed."

Settlement class members have until July 20 to sign up for credit monitoring or alternative compensation.


Gorgon Group Grows More Sophisticated

Fri, 02/07/2020 - 14:16

New research has revealed that the threat group behind the cryptocurrency-stealing MasterMana botnet has grown increasingly sophisticated and is now trapping victims through spoofed login portals.

Gorgon Group has been observed targeting the European Union as well as Dubai's main electrical/water utility DEWA with fake login pages that are highly convincing.

The illicit activity was detected by researchers at cyber-intelligence firm Prevailion, who published a report yesterday on the growing threat posed by Gorgon Group. 

In another newly detected campaign, researchers observed Gorgon Group using a clever social engineering scheme targeting Spanish/Portuguese speakers with typo-squatted hotel websites and spoofed reservation confirmations.

Historically, the group has relied on cheap malware obtained via the dark web to orchestrate their dastardly scams, but researchers say that Gorgon Group is now developing and customizing these tools to become even more dangerous. 

"I am surprised at the level of sophistication that this group has shown over the past year," Prevailion's director of intelligence analysis, Danny Adamitis, told Infosecurity Magazine. "During this time, they have taken a number of steps in order to increase their operational security both against network and host-based detection. 

"One example is their use of the new 'office.dll' that would elevate the actor’s privilege level and then disable Windows Defender. Another example is the actor going back and modifying an old Pastebin post in order to make tracking their activity more difficult."

Along with the new "office.dll," Gorgon Group has rocked out a variant of the NJrat trojan and a new, trojanized PowerPoint file, as well as a downloader that references the lyrics of rapper Drake.

Adamitis, whose favorite Drake track is "God's Plan," said it was difficult to predict how the threat group would evolve.

He said: "Unfortunately we don't have enough data at this time to make any sound conclusions about their intent."

It is not currently known from where Gorgon Group operates, though Adamitis speculates that the group is operating out of Pakistan.  

Adamitis said: "We have observed some Gorgon Group activity occurring from Pakistani-based IP addresses; however, IP addresses can be spoofed. We do not have enough evidence at this time to make any definitive comments on attribution."


White Hats Shine a Light on Philips Hue Hack

Fri, 02/07/2020 - 11:45

Security researchers have discovered a new exploit which could allow hackers to compromise home and corporate IT networks via smart light bulbs.

The CVE-2020-6007 flaw exists in the Zigbee wireless protocol used to communicate with IoT devices. Check Point white hats found a way to exploit the bug in popular Philips Hue smart bulbs to take control of the bulbs’ control bridge and then attack the network.

However, to achieve the above, a hacker would first need to implant malicious firmware on the bulb itself. By doing so, they can tamper with the settings remotely to trick the user into thinking there is a fault.

As the bulb appears “unreachable” in the user’s control app, they will try to reset it, by deleting it from the app and then instructing the control bridge to re-discover it.

Once the user has added the compromised bulb back onto the network, it can use the Zigbee vulnerability to trigger a heap-based buffer overflow on the control bridge by inundating it with data.

“This data also enables the hacker to install malware on the bridge – which is in turn connected to the target business or home network,” Check Point explained. “The malware connects back to the hacker and using a known exploit (such as EternalBlue), they can infiltrate the target IP network from the bridge to spread ransomware or spyware.”

Check Point disclosed the research to Philips and Hue brand owner Signify in November 2019 and waited until now to publish so the manufacturer had time to release a firmware update, which it has.

However, as the main problem lies with the Zigbee protocol itself, there could be a range of other IoT devices vulnerable to exploitation in a similar way.

This isn’t the first time critical flaws have been found in the popular low-power comms protocol. Back in 2015, Black Hat researchers outlined a range of threats to the smart home through its insecure use of encryption keys.


UK Government Under Fire Over NSO Group Links

Fri, 02/07/2020 - 10:40

The British government is under fire after it emerged that controversial espionage software provider NSO Group has been invited to a secretive security trade fair next month.

According to the Guardian, the government will host the Israeli firm as an exhibitor at the closed-door Security and Policing Home Office event in early March.

The Farnborough-based event is marketed by the Home Office as “the official government global security event, offering a world-class opportunity to meet, network and discuss the latest advances in delivering national security and resilience with UK suppliers, colleagues and government officials.”

The NSO Group is currently being sued by WhatsApp in the US over allegations it helped to develop and deploy malware used to spy on over 1000 users of the messaging app.

Attacks using the firm’s Pegasus spyware have been detected targeting rights activists, journalists, political dissidents and others, and are thought to be carried out by repressive regimes to monitor those who oppose them.

However, NSO Group has always claimed it offers its tools for only legitimate law enforcement and intelligence purposes.

It was recently forced to deny involvement in the hacking of Amazon boss Jeff Bezos’s iPhone by Saudi Arabian crown prince, Mohammed bin Salman.

According to a report by UN special rapporteurs Agnes Callamard and David Kaye, Bezos received an MP4 file loaded with malware via WhatsApp which then proceeded to exfiltrate data on a massive scale.

“The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group's Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials,” the UN analysis claimed.

“This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.”

Facebook Encryption Plans Slammed by Children’s Charities

Fri, 02/07/2020 - 09:57

Facebook is coming under increasing pressure over its encryption plans after the NSPCC and 100 other organizations signed an open letter warning that more secure messaging could undermine child safety.

The social media giant is set to roll out end-to-end encryption for users of its Messenger and Instagram Direct services as part of efforts to improve user privacy and data protection.

However, encryption is often portrayed by governments and law enforcement as the villain, because it protects not only hundreds of millions of law-abiding users but also the small number who use it to hide criminal acts.

Child charities like the NSPCC agree, hence the open letter, which was also signed by Barnardo's, 5Rights, the International Centre For Missing and Exploited Children and Child USA. It argues that encryption provides a safe space for pedophiles to operate online.

“We urge you to recognize and accept that an increased risk of child abuse being facilitated on or by Facebook is not a reasonable trade-off to make,” the letter reportedly said.

“Children should not be put in harm's way either as a result of commercial decisions or design choices.”

The NSPCC claims that, according to FOI data obtained from UK police forces, Facebook, Instagram and WhatsApp were used in child abuse image and online child sexual offences on average 11 times per day over a 12-month period to March 2019.

Despite the pressure from the UK government and children’s charities, it’s unlikely that Facebook will change its plans, given its renewed commitment to data protection and user privacy.

Jake Moore, cybersecurity expert at ESET, agreed with the social network’s decision to press ahead.

“Encryption is the backbone of the internet; without it, you lose all security. If you create a backdoor to encryption, you undermine the encryption entirely,” he argued.

“I think Facebook are right to secure their applications, which in fact protects users. Taking away encryption allows cyber-criminals to view sensitive data, which creates more problems in the long run. You could also argue that if Facebook was to allow access to its messaging platforms, many users could simply move to other more privacy-focused applications.”

Porn Sites Suffer Highest Number of DDoS Attacks

Thu, 02/06/2020 - 15:49

A new study focused on distributed denial of service (DDoS) attacks has found that pornographic websites received by far the most attacks per site last year. 

To produce their "Global DDoS Threat Landscape" report, researchers at Imperva studied attack data gathered between May and December 2019. Their findings, published yesterday, reveal that websites in the adult entertainment industry received an average of 84.46 attacks per site.

Over the same period, the sites that received the second- and third-highest number of DDoS attacks were gaming and news industry websites, which received on average 13.33 and 10.16 attacks per site, respectively.

"Every adult site we tracked over the course of the year experienced an average 84 attacks which, between May and December, equates to 10.5 attacks per site each month," wrote researchers. 

Most of the DDoS attacks carried out over the observation period were aimed at the gaming and gambling industries. Gaming was the primary target, hit with 35.92%, while gambling accounted for 31.25%. A significant proportion of the total attacks—26.51%—was aimed at the computing and internet sector. 

The country that sustained the most DDoS attacks was found to be India. Hong Kong, which previously held the top spot, became instead the country in which most targets were attacked.

Despite observing the largest ever recorded DDoS attack in April, which reached 580 Mpps (million packets per second) at its peak, researchers found that the majority of attacks did not exceed 50 Mpps/Gbps (million packets or gigabits per second). Most network attacks were short too, with 51% lasting fewer than 15 minutes.

The duration of an attack provides telling information regarding the identity of the attackers. 

Researchers wrote: "Most of the attacks we recorded were relatively short, lasting less than an hour. Furthermore, within a one-hour distribution, the most common attacks were those that only lasted for 10 minutes or less.

"This, combined with our observation that most attacks were low in terms of both volume and rate, suggests that these short-term, weak attacks were most likely performed by DDoS-for-hire (or stresser) groups whose limited resources tend to be spread thin in order to service as many customers as possible."

Sentar Awarded $164m Cybersecurity Task Order by US Defense Health Agency

Thu, 02/06/2020 - 14:47

Women-owned small business (WOSB) Sentar Inc. has been awarded a potential $164m task order to provide cybersecurity support to the Defense Health Agency.

Sentar announced yesterday that it had won the task order from the Naval Information Warfare Center (NIWC) to provide the Defense Health Agency (DHA) with cybersecurity risk management operations support (RMOPS) services. 

Under the terms of the contract, Sentar will support the DHA in efforts to protect military information technology platforms from cyber-threats. The company will also assist the DHA to address various cybersecurity initiatives, processes, and compliance requirements.

The newly awarded task order is the largest of its kind to be received by Sentar. If fully executed, this contract will extend the company’s support to the DHA through the next four years. 

Work under this contract will be conducted at NIWC Atlantic in Charleston, South Carolina, as well as at DHA facilities in San Antonio, Texas, the National Capital Region (NCR), and at many other Military Health System (MHS) locations around the world.

“We are incredibly excited to assist NIWC and the DHA under this effort,” said April Nadeau, Sentar’s senior vice president of Navy, Marine Corps, and Health IT. 

“This achievement would not have been possible without the hard work of our team. It’s an exciting time to be at Sentar!”

Under the new task order, Sentar will provide assistance to NIWC Atlantic in cybersecurity execution efforts across the MHS. The company's efforts will impact military treatment facilities (MTFs), programs of record (PORs), and medical devices within locations both inside and outside the continental United States.

"Our enduring support to the DHA and its military services stands among our proudest engagements, both for the mission itself, and for those we get to work with and support in achieving its objectives," commented Sentar’s vice president for health information technology, Joseph Sabin.

"With this latest award, we look forward to maintaining these relationships in addressing the challenges and opportunities to come."

Sentar was founded in 1990 with a mission to provide advanced intelligence and cybersecurity services and products. The company has offices in Huntsville, Alabama; Charleston, South Carolina; Columbia, Maryland; and San Antonio, Texas.

Governments Are Soft Targets for Cyber-criminals

Thu, 02/06/2020 - 13:46

New research by AI-driven commercial insurance products provider Corvus has found that governments are more vulnerable to cyber-attacks than other organizations.

A report on the security of municipal governments and agencies identified three key factors that made governments particularly soft targets. Researchers found that governments had larger attack surfaces, lower usage rates of even the most basic email authentication schemes, and much higher rates of internal hosting than other organizations.

Government attack surfaces, consisting of open ports and applications, were found to be on average 33% larger than those of other organizations.

Researchers wrote: "Greater attack surface is harder to defend (due to sheer scale) and presents attackers with more opportunities for a range of different attack types."

When compared to other organizations, governments were found to be more likely to use enhanced email security software but not as likely to protect themselves with basic email authentication schemes. On average, 15% of governments went for enhanced while 74% stuck with basic, compared to 12% and 80% of other organizations, respectively. 

Researchers noted that protecting the security of email "is an important step in preventing phishing exploits (the origin of 91% of all cyberattacks), and the majority of organizations of all types do not take it."

Governments were found to be 350% more likely to host internally than other organizations, making them much more reliant on their in-house IT teams to keep security measures updated.

Staying on top of security is tough when your software is older than a US presidential candidate. Researchers found that 29% of governments are running older versions of software, which are more likely to harbor vulnerabilities.

"In general, we’d expect municipalities to have better security than average, given their size and scale," wrote researchers, "but with more attack surface for potential exploits on vulnerable ports, lower usage rates of even the most basic email authentication schemes to protect against phishing, much higher rates of internal hosting (meaning it’s up to the often under-staffed and under-funded IT departments to keep up with security trends), and old software versions in use, governments are a soft target."

Iranian Phishers Use Journalist’s Identity to Steal Info

Thu, 02/06/2020 - 12:00

Security researchers have discovered a new phishing campaign from Iranian state-linked hackers which uses the lure of an interview with a noted journalist to trick recipients into clicking.

The latest operation is the work of the Charming Kitten group, which was identified by London security vendor Certfa through the servers and settings it used in previous attacks, alongside other techniques.

It’s primarily designed to harvest email account info from journalists and political and human rights activists, as well as information about their contacts and networks.

The campaign is notable for spoofing the identity of a former Wall Street Journal writer, Farnaz Fassihi, to set up a non-existent interview with the recipient. However, the phishers made a glaring mistake: Fassihi is now at the New York Times, rendering the WSJ masthead on the email more than a little incongruous. The email also comes from a Gmail account.

The attackers use shortened links to legitimate sources in the footnotes of the email, enabling them to gain valuable basic information about the victim’s device, including IP address, type of operating system and browser.

“After communication and relative trust are established through the initial email, hackers send their victim an exclusive link as a file that contains the interview questions. According to our samples, Charming Kitten has been using a page that is hosted on Google Sites,” Certfa explained.

“This method is a relatively new tactic that has been widely used in phishing attacks by hackers in the past year in order to make the targets trust the destination domain. After clicking the download button on the Google Site page the target is sent to another fake page in two-step-checkup site domain where login credential details of his/her email such as the password and two-factor authentication (2FA) code are requested by phishing kits.”
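The lure pattern described above (a message claiming a newsroom identity while sent from a consumer webmail account, with shortened links in the footer) is the kind of thing a mail-triage rule can catch before a recipient replies. The following is an added example, not Certfa's or Infosecurity Magazine's code; the brand, webmail and shortener lists and the sample message are constructed for illustration.

```python
"""Added example: flag emails that claim a well-known newsroom identity
but are sent from a consumer webmail domain and/or carry shortened links.
All lists and the sample message below are constructed, not from Certfa."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed mapping of newsroom brands a lure might claim to the domain
# a genuine message from that newsroom would be expected to come from.
CLAIMED_BRANDS = {"wall street journal": "wsj.com", "new york times": "nytimes.com"}
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # constructed list
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}      # constructed list
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def triage(raw: str) -> dict:
    """Return the sender domain, a list of findings and a suspicious flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # Look for a claimed brand in the display name, subject and body.
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    claimed = [dom for brand, dom in CLAIMED_BRANDS.items() if brand in text]
    link_hosts = {h.lower() for h in URL_RE.findall(body)}

    findings = []
    if claimed and sender_domain in WEBMAIL_DOMAINS:
        findings.append(f"claims {claimed[0]} but sent from {sender_domain}")
    short = sorted(link_hosts & SHORTENERS)
    if short:
        findings.append("shortened links: " + ", ".join(short))
    return {"sender_domain": sender_domain, "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample modelled on the lure: newsroom branding, Gmail sender,
# a shortened link in the footer.
SAMPLE = """From: News Desk <newsdesk.interview@gmail.com>
Subject: Interview request - Wall Street Journal
Content-Type: text/plain

Hello, I am writing from the Wall Street Journal to request an interview.
Background reading: https://bit.ly/abc123
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```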

The researchers also uncovered a new piece of backdoor malware, pdfreader.exe, which changes Windows’ Firewall and Registry settings to run automatically, gather device information and run new malware remotely on the machine.
