Info Security


October is Cybersecurity Awareness Month

Fri, 10/01/2021 - 14:59

Today marks the start of the 18th Annual Cybersecurity Awareness Month in America, and this year's theme is “Do Your Part. #BeCyberSmart.”

The digital safety initiative was launched back in October 2004 by the National Cyber Security Alliance and the United States Department of Homeland Security to help the public stay safe and secure while online. 

"When Cybersecurity Awareness Month first began, the awareness efforts centered around advice like updating your antivirus software twice a year to mirror similar efforts around changing batteries in smoke alarms during daylight saving time," said the National Cyber Security Alliance. 

More recently, the annual event has become a major operation, bringing its message to consumers, small and medium-sized businesses, corporations, educational institutions, and young people all over the country.

"Since the combined efforts of the National Cyber Security Alliance and DHS have been taking place, the month has grown in reach and participation," said the Alliance.

"Operated in many respects as a grassroots campaign, the month’s effort has grown to include the participation of a multitude of industry participants that engage their customers, employees, and the general public in awareness, as well as college campuses, nonprofits, and other groups."

Like the previous long-running theme of the annual event, “Our Shared Responsibility,” this year's “Do Your Part. #BeCyberSmart” motif emphasizes the need for individuals to actively bolster their own cybersecurity.

“This evergreen theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity,” said the Cybersecurity and Infrastructure Security Agency (CISA). 

A sub-theme has been attached to each week in October by the event's organizers, starting with best security practices and general cyber hygiene. In the second week, the emphasis will be on phishing attacks, which, according to a 2019 data breach report by Verizon, account for more than 80% of reported security incidents.

Week three will highlight the Cybersecurity Career Awareness Week led by the National Initiative for Cybersecurity Education (NICE). As a finale, the event will focus on making security a priority for both businesses and individuals.

Categories: Cyber Risk News

Business Leaders Admit Willingness to Pay Five-Figure Ransoms

Fri, 10/01/2021 - 10:34

Two-fifths (40%) of business executives would be willing to pay at least a five-figure ransom to restore operations following an attack, going against the advice of governments and law enforcement, according to a new report.

Arctic Wolf polled 500 decision-makers from UK firms with over 1000 employees to better understand their security challenges in the new hybrid workplace.

Respondents' readiness to pay may be informed by the fact that most (61%) have comprehensive cyber-insurance policies in place. However, such policies often fund pay-outs to digital extorters, a practice that is becoming increasingly controversial and that AXA has stopped underwriting in France.

However, their attitudes will be music to the ears of the many affiliate groups targeting countless organizations worldwide with ransomware.

As long as victims continue to pay, threat actors will continue to operate undeterred, which is why institutions like the National Cyber Security Centre (NCSC), the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) strongly advise organizations not to.

It’s also far from guaranteed that victim organizations will regain access to all of their data and systems following payment. There’s an added risk in that today’s threat actors are increasingly likely to have stolen corporate data, which they may monetize at a later date, even after payment.

Arctic Wolf also found that a fifth (20%) of UK execs have previously concealed a cyber-attack to preserve their reputation. Doing so not only impacts intelligence sharing and industry-wide threat prevention but could also land the organization in trouble with regulators.

A majority (67%) of respondents believe their company is more vulnerable to attacks when staff work remotely or in a hybrid environment, and a similar number (62%) are unsure whether their IT teams can accurately identify and detect threats.

With a third (31%) having paid out between £36,000 and £216,000 to address security breaches in the past year, more investment in detection and response may be needed.

“The constant reports of successful ransomware attacks and growing cyber-threats from foreign adversaries over the past year have left executives feeling ill-prepared to protect their businesses against sophisticated attacks, and that belief has only been compounded by the operational challenges of running a business in a hybrid work environment,” argued Ian McShane, field CTO at Arctic Wolf.

“The best way for organizations to break out of this cycle of fear and uncertainty is to recognize that they don’t have a tools problem, but an operational one, and that embracing security operations will allow them to address the rapidly evolving threat landscape with ease and simplicity.”

Categories: Cyber Risk News

UK Cyber Security Council Appoints Four New Trustees

Fri, 10/01/2021 - 10:29

The UK Cyber Security Council has announced the appointment of four new trustees, taking its total number to eight.

The new trustees bring a range of backgrounds intended to add legal, governance and education expertise to the Council's Board of Trustees. They were appointed following a recruitment and selection process overseen by the four existing trustees:

  • Chitra Balakrishna: Currently a senior lecturer in cyber security at the Open University, she has over 19 years of experience across academia and industry, with particular expertise in IoT and healthcare, smart cities and cybersecurity education
  • Edward Goodchild: Goodchild holds a number of positions in fields such as finance, law and business. He has extensive knowledge of professional registration, standards and ethics
  • Frances Le Grys: Le Grys has enjoyed a long career in the legal profession, including eight years as partner & general counsel
  • Nathan Nagaiah: An educational expert, Nagaiah has significant experience administering nationally recognized qualifications and advising on diversity

The four new trustees will join the inaugural leadership team of Dr Claudia Natanson (chair), Jessica Figueras (vice-chair), Mike Watson (treasurer) and Carla Baker (trustee), who were unveiled shortly before the Council officially launched as an independent body. They will help guide the activities of the Council in its remit to boost professional standards and career prospects for those working in cybersecurity. This includes working closely with the National Cyber Security Centre (NCSC) to define and develop the professional skills required by the UK.

Commenting on the appointments, Dr Claudia Natanson said: “The appointment of additional trustees strengthens the Council considerably, bringing a wealth of new perspectives and experience to the table. I’m delighted to welcome them all.”

Simon Hepburn, who was recently appointed chief executive of the Council, added: "The Council has a wide mandate, so a Board of Trustees with relevant backgrounds and diverse knowledge will help us both to prioritize and to be effective more quickly. They constitute an instant sounding board, with a vested interest in the success of the Council and I look forward to working with them.”

The Council plans to appoint four further trustees, who will be representatives of the organization’s membership.

Categories: Cyber Risk News

NCA and Europol Formalize Cooperation on Cybercrime

Fri, 10/01/2021 - 10:18

Crime-fighters in Europe and the UK have signed a new agreement to boost cooperation on cybercrime and other investigations.

The working agreement between the UK’s National Crime Agency (NCA), which investigates serious and organized crimes, and Europol will sit under the UK-EU trade and cooperation agreement (TCA). That’s the limited post-Brexit free trade agreement between the two parties signed at the end of 2020.

Although the NCA claimed that “operational cooperation” between the two had continued “effectively and without interruption” since the start of this year, the new working and administrative arrangement will herald a more formal working relationship.

“Shared capabilities protected under the TCA, and now also the new arrangement, include the presence of UK/NCA liaison officers based in Europol headquarters, access to Europol’s secure messaging system, the ability to attend and organize operational and other meetings at Europol, the ability to contribute to Europol analysis projects in order to benefit from the agency’s coordination and analytical functions, and the fast and effective exchange of data,” it explained.

The NCA pointed to its role in helping to take down the Emotet botnet and the DoubleVPN cybercrime service this year as proof of its enduring close relationship with law enforcement agencies in EU member states.

Cooperation on such matters was a key concern of security experts following the Brexit vote in 2016.

Given cybercrime’s borderless, transnational nature, police across jurisdictions recognize the need to share intelligence to promptly track and disrupt organized gangs.

“This arrangement with Europol supports our continued work to tackle the full range of crime threats facing the UK and our European neighbors,” said the NCA’s outgoing director-general, Lynne Owens.

“We are relentlessly focused on tackling serious and organized criminals, including those who abuse children, who fuel violence through trafficking drugs and firearms, who steal money and information through fraud and cybercrime, and those behind the people smuggling which risks the lives of migrants for profit.”

Categories: Cyber Risk News

Infant Fatality Could Be First Recorded Ransomware Death

Fri, 10/01/2021 - 09:54

A tragic case making its way through the courts in the US could prove to be the first recorded death due to ransomware.

According to papers filed in June 2020 (via NBC), Teiranni Kidd of Mobile, Alabama, is accusing Springhill Memorial Hospital and its owners of failing to mitigate a crippling cyber-attack and then conspiring to hide its impact on patient care.

Kidd's daughter Nicko was born with her umbilical cord wrapped around her neck, a complication that allegedly caused brain damage and led to the infant's death several months later.

Fetal heart rate monitors would have usually picked up the issue. Yet, according to the Wall Street Journal, medical staff could not access these from the usual location as a display had been locked by threat actors seeking a ransom payment.

Computing systems were disabled for a total of eight days, including wireless tracking of medical staff and digital patient records, the report claimed.

“Nurses and other healthcare personnel were forced to use outdated paper charting methods and paper documentation to record and document Teiranni’s labor and Nicko’s delivery. Some of the paper forms used outdated terminology and had not been used in years,” the court documents allege.

“As a result, the number of healthcare providers who would normally monitor her labour and delivery was substantially reduced, and important safety-critical layers of redundancy were eliminated.”

If Kidd had known the extent of the technology outage at the hospital, she would have chosen to have her baby elsewhere, the suit contends.

The hospital denies any wrongdoing.

The case highlights the potentially tragic real-world consequences of mounting cyber-attacks. Hospitals came under particular strain during the pandemic as many ransomware groups spotted an opportunity to monetize their attacks.

One study in August claimed that half of US hospitals had been forced to shut down their networks during the previous six months due to ransomware.

In September 2020, it emerged that a woman died after being diverted from a German hospital compromised by ransomware. However, it was later reported that her injuries were so severe that she would likely have died even if the hospital had been able to admit her.

Categories: Cyber Risk News

Scammers Capitalize on Release of New Bond Movie

Thu, 09/30/2021 - 19:21

The long-awaited release of the new James Bond movie is being exploited by cyber-criminals, according to cybersecurity company Kaspersky.

No Time to Die is actor Daniel Craig's fifth and final fling with the internationally renowned 007 spy character created by author Ian Fleming. Bond first entered the public consciousness in 1952 with the publication of Fleming's novel Casino Royale.

The big-screen adaptation of Casino Royale, which came out in 2006, was the first James Bond film to star Craig in the title role. After a delay of nearly 18 months due to the COVID-19 pandemic, Craig's last turn as the over-sexed Martini-drinking maverick MI6 spy is set to premiere today.

Cyber-criminals are taking advantage of the bigger than usual buzz around this particular Bond title by operating malicious pop-ups, digital adverts, and phishing websites dedicated to the new release.

To lure victims, scammers and criminals have been dressing up malicious movie files so that they appear to be a leaked copy of No Time to Die. In reality, the files contain unwanted software or malware. 

“With the premieres of new films and TV series moving online, this has fueled interest not only for cinephiles but also among scammers and fraudsters. Inevitably, such a long-awaited premiere as No Time to Die causes a stir,” said Kaspersky security expert Tatyana Shcherbakova.

“Users should be alert to the pages they visit, not download files from unverified sites, and be careful with whom they share personal information."

In the lead-up to the film's premiere, Kaspersky researchers found and analyzed malicious files disguised as the new movie, as well as movie-related phishing websites. They found Trojans, malicious programs that can give cyber-criminals backdoor access to a victim's sensitive data.

Researchers also encountered adware, ransomware, and Trojan-PSW – stealers capable of gathering login credentials. 

Also doing the rounds were phishing websites set up to steal victims' bank details. The sites play only part of the movie before asking the viewer to register and enter their credit card information.

"However, after registration is complete, the user can’t continue watching. Money is debited from their card and the payment data ends up in the fraudster’s hands," warned researchers.

Categories: Cyber Risk News

Coast Guard is Commissioning Cyber Talent

Thu, 09/30/2021 - 18:38

The United States Coast Guard has launched a new program that gives cyber professionals the chance to become Coast Guard Cyber Officers. 

With the launch of the Direct Commission Cyber Officer (DCCO) program, the maritime security branch of the United States military is hoping to attract top cyber talent to work in cyberspace operations, information assurance, cyber threat intelligence, and cybersecurity.

The program is open to "high-performing cyber professionals" with "robust work experience" and "military members with cyber experience" who are aged between 21 and 40.

"We're bringing them in under our direct commission engineer program, our IT paths and even into FY '22, we're creating direct commission for cyber opportunities," said Rear Admiral Michael Ryan, commander of Coast Guard Cyber Command.

Speaking at a briefing that took place after the Joint Service Academy Cybersecurity Summit on September 23, Ryan said: "We're grabbing our best and brightest and enlisted members and giving them the opportunity to join the officer ranks." 

Applicants must be citizens of the United States and hold a valid security clearance. Candidates must be in good shape physically and mentally with a 2.5 GPA on a 4.0 scale and the ability to complete "a structured physical fitness program."

The Coast Guard said: "New Coast Guard Cyber Officers will immediately put their skills to use in vital operational cyber missions providing a secure and functional network upon which all other Coast Guard missions rely, and ensure the protection of the Marine Transportation System from malicious Cyber Actors.

"Selectees will have a chance to become key resources in what has become the Coast Guard's top emerging field, and will receive an initial assignment within the Coast Guard's Operational Cyberspace Workforce."

The DCCOs will complete a Direct Commission Officer (DCO) course in New London, Connecticut, that will last four to five weeks. There, they will receive "initial indoctrination to the traditions and programs of the service" and training on service-specific administration essentials.

"Following their initial assignment, DCCOs can anticipate broadening their experience within the cyber community, with increasing levels of leadership and management exposure with progression in rank," said the Coast Guard.

Categories: Cyber Risk News

Cyber-bullied Footballer Donates Compensation to Charity

Thu, 09/30/2021 - 17:19

A Kittitian soccer player has made a charitable donation of the compensation he received after being racially abused on social media. 

Midfielder Romaine Sawyers, who is currently on loan at Stoke City Football Club from his parent club, West Bromwich Albion, was victimized by 50-year-old cyber-bully Simon Silwood of Kingswinford, West Midlands.

Silwood was arrested after posting a comment on a Facebook group in January 2021 that said that Sawyers should be awarded the "Baboon D'Or." 

The comment was a racist pun on the Ballon d'Or, an annual award given to the world's best footballer.

Sawyers told Walsall Magistrates' Court that reading Silwood's comment had caused him to feel "harassed, alarmed and distressed."

In a statement released earlier today, Sawyers said: “This is an incident that has affected me deeply, but I would like to encourage fellow players to report all racial abuse to the police." 

Silwood claimed that he had written the word “buffoon” and autocorrect had changed it to “baboon,” but he was convicted of sending an offensive message under the Communications Act in a trial that ended on September 9.

Earlier today, a judge at Birmingham Magistrates' Court sentenced Silwood to eight weeks in prison and ordered him to pay a £128 victim surcharge and a total of £1,000 in costs and compensation.

The judge told the court: "There is no place for racial abuse."

Sawyers stated today that he has donated the compensation to a local West Midlands charity. He explained: "It is important to me to turn this negative experience into something positive."

The 29-year-old footballer thanked the fan who came forward and reported the abuse and expressed his gratitude to the police who investigated the matter. 

Sawyers then called on social media companies to make a greater effort to keep racist abuse off their platforms. 

“It is widely accepted that social media companies must do more to stop the publication of racism on their platforms," said Sawyers. "I again urge them to take the necessary action required to prevent anyone from receiving the abuse I experienced."

West Bromwich Albion – the team supported by Silwood – have banned the convicted criminal from attending matches for the rest of his life.

Categories: Cyber Risk News

Vulnerability Exposes iPhone Users to Payment Fraud

Thu, 09/30/2021 - 10:36

Many iPhone users are vulnerable to payment fraud due to vulnerabilities in Apple Pay and Visa, according to new research from the University of Birmingham and the University of Surrey.

The experts revealed they could bypass an iPhone’s Apple Pay lock screen to perform contactless payments when the Visa card is set up in ‘Express Transit mode’ in an iPhone’s wallet. Transit mode allows users to make a quick contactless mobile payment without fingerprint or facial recognition authentication, for example, at an underground station turnstile.

The team used simple radio equipment to uncover a unique code broadcast by the transit gates, or turnstiles, which unlocks Apple Pay. This code, dubbed ‘magic bytes,’ was used to interfere with the signals going between the iPhone and a shop card reader. The researchers could then trick the iPhone into believing it was interacting with a transit gate rather than a shop card reader by broadcasting the magic bytes and changing other fields in the protocol.

Therefore, this weakness could potentially be exploited by hackers to make transactions from an iPhone inside someone’s bag without their knowledge.

The technique also let the researchers bypass the contactless limit, so any amount could be taken without the iPhone user's knowledge, because the shop reader believed the iPhone had successfully completed its user authorization.

The researchers emphasized that the vulnerability only applies to Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones.

Dr Andreea Radu, lecturer at the School of Computer Science, University of Birmingham, commented: “Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users.

“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”

Co-author Dr Tom Chothia, also from the School of Computer Science at the University of Birmingham, added: “iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it. There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.”

Responding to the findings, Brian Higgins, security specialist at Comparitech said Apple Pay and Visa users should consider switching service providers. "This kind of exploit is reminiscent of war-driving near-field-communication antenna data from contactless payment cards when they first became popular. Back then, it was almost impossible to attribute the raw data to an individual cardholder, so nobody was all that bothered.

“Now it’s possible to extract payments immediately with the right kind of equipment it’s rather unfortunate that neither Apple nor Visa are particularly bothered by the threat to their paying customers and, as is so often the case, it is left to the individual consumer to protect themselves. The research identifies plenty of service providers who have redundancies already built in to prevent this crime. The best advice would be to switch to one of those as soon as you can."

Categories: Cyber Risk News

Cyber Second Only to Climate Change as Biggest Global Risk

Thu, 09/30/2021 - 09:56

Cybersecurity has been ranked as the second biggest global risk in a major new survey of 23,000 experts and members of the public.

The AXA Future Risks Report was produced in partnership with the Ipsos research institute and the geopolitical analysis consultancy Eurasia Group. Its findings were compiled from interviews with over 3,400 experts in underwriting and risk management, plus a survey of 19,000 members of the public.

Cyber came second only to climate change on the global stage but was rated a number one risk in the Americas and second in Asia, Africa and Europe.

The percentage of experts ranking it among their top five risks increased significantly from 51% last year to 61% in 2021, with only a quarter (26%) believing that governments are prepared for cybersecurity risks — a figure unchanged since 2019.

When asked why they elevated the risk level for cyber, experts pointed to the “shutdown of essential services and critical infrastructure” (47%) and “cyber extortion and ransomware” (21%) as key factors.

Interestingly, the report found that public awareness of these threats is less acute and more focused on identity theft and privacy issues.

AXA predicted the number of “significant cyber incidents” in 2021 would hit an all-time high of 144, versus just 26 a decade ago and only one back in 2003. However, it was unclear what qualified as “significant.”

The report argued that the surge in serious events has increased the urgency to “clarify the roles of the state and insurers in helping to secure vital economic functions.” It added that greater public-private cooperation was needed to improve protections for essential public services.

The prospect of established global rules to govern cyberspace is as distant as ever, AXA claimed.

“Ideally, a mix of punitive actions and diplomacy would establish norms for governments to keep cyber-espionage within limits, and not tolerate ransomware gangs operating from their territory,” it argued.

“Espionage will likely continue, since states have strong incentives to try to gain surreptitious access to their adversaries’ networks and a growing market in hacking-for-hire services is bringing advanced hacking tools into the reach of more state actors.”

The report concluded that insurers, governments and multinational organizations must in future work together more closely to define what constitutes a cyber-related act of war, because it is becoming increasingly difficult to differentiate between and categorize incidents.

Insurers traditionally don’t cover acts of war, which has led to expensive lawsuits in the past over these definitions.

In a World Economic Forum (WEF) report, cyber-attacks fell from second to fourth between 2019 and 2020 in terms of top global business risks. However, they were ranked first in North America and the UK and second in Europe.

Categories: Cyber Risk News

API Flaw Exposes Elastic Stack Users to Data Theft and DoS

Thu, 09/30/2021 - 08:59

Security researchers have disclosed a serious and wide-ranging API vulnerability stemming from the incorrect implementation of Elastic Stack, which could create serious business risk for customers.

Elastic Stack is a popular collection of open source search, analytics and data aggregation products, including Elasticsearch.

Salt Security claimed that nearly every Elastic Stack customer is affected by the vulnerability, which relates to design and implementation flaws in how the stack is deployed rather than a bug in Elastic Stack code itself.

Its Salt Labs team first identified the issue in a large online B2C platform providing API-based mobile applications and SaaS offerings to millions of global users.

“The APIs contained a design flaw, and Elastic Stack was configured with implicit trust of front-end services by back-end services. As a result, we were able to query for unauthorized customer and system data,” Salt Labs said in a blog post.

“We were further able to demonstrate additional flaws that took advantage of this Elastic Stack design weakness to create a cascade of API threats, many of which correspond indirectly to items described in the OWASP API Security Top 10.”

These include excessive data exposure, security misconfiguration, exposure to injection attacks due to lack of input filtering, and lack of resources and rate limits.

Salt Labs said the data it could access from the B2C firm via exploitation of the flaw included customer account numbers and GDPR-regulated information.

The injection attacks made possible by the vulnerability could enable threat actors to launch DoS attacks, as well as data theft, it claimed.
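The three classes of flaw named above (implicit trust of the front end, unfiltered input reaching the search layer, and missing size limits) show up concretely in how an API back end builds the query body it sends to Elasticsearch. The following is an added illustration written for this page, not Salt Labs' proof of concept or any code from the affected platform; the field names, limits and tenant value are assumptions, and nothing is sent to a cluster.

```python
"""Added example (not Salt Labs' or Elastic's code): two ways an API back end can
turn front-end search input into an Elasticsearch query body. The vulnerable
builder splices the raw string into a query_string query, so Lucene syntax is
interpreted; it lets any field be searched, returns whole documents and passes
the requested page size straight through. The hardened builder allowlists
fields, uses the input as a literal term value, projects only public fields
and caps the page size. Bodies are built as dicts only; nothing is sent to a
cluster. Field names and limits are constructed for the example."""
import json

SEARCHABLE_FIELDS = {"display_name", "city"}              # what the front end may filter on
PUBLIC_FIELDS = ["display_name", "city", "member_since"]  # what may be returned
MAX_PAGE_SIZE = 50                                        # cap on hits per request
MAX_TEXT_LEN = 256                                        # cap on search-term length


class QueryRejected(ValueError):
    """Raised when front-end input fails validation."""


def build_query_vulnerable(field: str, user_text: str, size: int) -> dict:
    """Implicit trust of the front end: the field name, the text and the size
    are used as received. The text lands inside a query_string query, where
    operators such as OR, wildcards and field:value pairs are parsed."""
    return {
        "size": size,
        "query": {"query_string": {"query": f"{field}:{user_text}"}},
    }


def build_query_hardened(field: str, user_text: str, size: int) -> dict:
    """Validate, then build a filter that treats the text as one literal value."""
    if field not in SEARCHABLE_FIELDS:
        raise QueryRejected(f"field not searchable: {field!r}")
    if not isinstance(size, int) or size < 1:
        raise QueryRejected("size must be a positive integer")
    if not user_text or len(user_text) > MAX_TEXT_LEN:
        raise QueryRejected("search text empty or too long")
    return {
        "size": min(size, MAX_PAGE_SIZE),
        "_source": PUBLIC_FIELDS,  # excessive-data-exposure control
        "query": {
            "bool": {
                "filter": [
                    # term queries do not parse operators; the value is matched
                    # verbatim. Assumes the default dynamic mapping, which gives
                    # text fields a .keyword subfield.
                    {"term": {f"{field}.keyword": {"value": user_text}}},
                    # Tenant scoping is set by the back end from the caller's
                    # session, never taken from the request (constructed value).
                    {"term": {"tenant_id": "tenant-from-session"}},
                ]
            }
        },
    }


def query_string_text(body: dict) -> str:
    """Return the raw Lucene query text a body would hand to the parser, or ''
    if the body contains no query_string clause."""
    return body.get("query", {}).get("query_string", {}).get("query", "")


def has_injected_operators(body: dict) -> bool:
    """Heuristic: does the body expose user input to Lucene operator parsing?"""
    text = query_string_text(body)
    return any(tok in text for tok in (" OR ", " AND ", "*", "_exists_:"))


if __name__ == "__main__":
    # Constructed hostile input: widens the query to every document that has an
    # account_number field, and asks for 10,000 full documents back.
    hostile = "x OR account_number:*"
    print(json.dumps(build_query_vulnerable("display_name", hostile, 10_000), indent=2))
    print(json.dumps(build_query_hardened("display_name", hostile, 10_000), indent=2))
```

Run stand-alone, the script prints both bodies for the same hostile input: the vulnerable one hands Elasticsearch a query_string of `display_name:x OR account_number:*` with `size: 10000`, which is the data-exposure and resource-exhaustion pattern the article describes; the hardened one matches the whole string as a literal value, returns only the public fields and never exceeds 50 hits, and a request against a non-allowlisted field such as `account_number` is rejected before any query is built.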

“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO of Salt Security.

“The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.”

According to recent research from the company, global API attacks have soared by 348% in the past six months.

Categories: Cyber Risk News

Cybersecurity CEO Arrested in Russia on Treason Charges

Thu, 09/30/2021 - 08:42

Group-IB boss faces 20-year jail term if found guilty

Ilya Sachkov, the outspoken CEO of Russian cybersecurity firm Group-IB, has been arrested on state treason charges.

Moscow’s Lefortovo court ordered the 35-year-old, who is said to spend most of his time at the company’s headquarters in Singapore, to be held in custody for two months.

During this time, the firm’s leadership will pass to co-founder Dmitry Volkov, according to a brief statement from Group-IB.

The security firm claimed operations would continue as usual while its lawyers digest the court’s statement.

“Group-IB’s team is confident in the innocence of the company’s CEO and his business integrity,” it said. “Group-IB’s communications team refrains from commenting on the charges brought and the circumstances of the criminal case due to the ongoing procedural activities.”

Yesterday, the firm also revealed that police had searched its Moscow office on Tuesday.

“Law enforcement officers left Group-IB’s office at night the same day. Group-IB’s communications team also said that the reason for the search was not yet clear, but noted that all the company’s offices around the world continued providing support to customers and partners as usual,” it explained.

Reports suggest Sachkov, whom President Putin has previously honored for his cybersecurity work, was arrested on suspicion of conspiring with foreign intelligence services. Such charges are said to carry a sentence of up to 20 years behind bars.

However, the real reason is unclear. The prominent Russian businessman joins a long list of journalists, military personnel, government officials, scientists and others accused of treason in recent years.

He has been blunt in the past about Russia’s harboring of cyber-criminals within its borders — an issue taken up with enthusiasm by the Biden administration.

Categories: Cyber Risk News

Canadian Vaccine Passport App Exposes Data

Wed, 09/29/2021 - 18:34

Canadian vaccine passport app PORTpass may have exposed personal information belonging to hundreds of thousands of users. 

According to a report by CBC News, the app's operators left data, including names, identification documents, and email addresses, on an unsecured website. The personal information was allegedly stored in plain text and could be accessed by the public. 

Following a tipoff received on Monday, the news source investigated the security of the PORTpass website. CBC News said it was able to verify that users' information was exposed: "Email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver's licenses and passports can easily be viewed by reviewing dozens of users' profiles."

In an article published September 28, the news source wrote: "CBC is not sharing how to access those profiles, in order to protect users' personal information."

CBC added: "The information was not encrypted and could be viewed in plain text."

The team behind the app is based in Calgary and led by Chief Executive Officer Zakir Hussein. In response to concerns over the app's security, Hussein reportedly denied that PORTpass was experiencing any verification or security issues.

However, the app's website has been taken offline, and visitors to the site are currently met with the message, "We are updating. Stay tuned."

PORTpass is described on Google Play as "a secure and contactless way for a member of the public to gain access to a building, site, or ticketed event using their secure MapleCode."

Hussein reportedly said the app has more than 650,000 registered users across Canada. 

Trevor Morgan, product manager with data security experts comforte AG, commented: "Unless the app vendor goes to great lengths to apply data-centric security such as format-preserving encryption or tokenization to protect sensitive data by obfuscating sensitive data elements, situations like this one will happen again and again, and people will hesitate to adopt such tools. 

"Any time an organization collects and processes peoples’ health information, it has the ultimate responsibility to protect that data and ensure it is never presented in readable format to unauthorized users." 

Categories: Cyber Risk News

US Mulls Cyber-attack Reporting Mandate

Wed, 09/29/2021 - 17:27

Legislation requiring critical infrastructure companies to report cyber-attacks to the federal government has been introduced in the United States Senate.

Leaders of the Senate Homeland Security and Governmental Affairs Committee put forward the new cyber-incident reporting bill yesterday. If enacted, critical infrastructure owners and operators would have to report cyber-attacks to the government within 72 hours. 

The proposed bill echoes the defense authorization bill passed by the House of Representatives that requires critical infrastructure owners and operators to report significant cybersecurity incidents within a 72-hour time frame.

Included in the new legislation is a proposal to create a Cyber-Incident Review Office within the Cybersecurity and Infrastructure Security Agency (CISA). The role of the office would be to receive, aggregate, and analyze reported incidents.

The new bill would also make it mandatory for organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to inform CISA of any ransomware payments they make. Organizations infected with ransomware would be required by law to consider recovery tactics other than paying their attackers. 

CISA would be empowered under the new legislation to subpoena entities that flout the incident-reporting and ransomware-payment requirements. Potential penalties for those that do not comply include referral to the Department of Justice and being banned from federal contracting. 

Under the legislation, participants from federal agencies would create a Joint Ransomware Task Force "to coordinate an ongoing, nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation."

Homeland Security and Governmental Affairs chairman Gary Peters, who introduced the bill, said it could help to limit the impact of cyber-assaults.

“When entities, such as critical infrastructure owners and operators, fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Peters in a statement.

Earlier this month, Peters said that the Federal Information Security Modernization Act – which was last updated over six years ago – did not go far enough to protect federal networks. He then called for cyber-attack reports to be shared by the federal government in a timely manner.

Categories: Cyber Risk News

YouTube Pledges to Block all Anti-Vaccine Content

Wed, 09/29/2021 - 17:20

YouTube has announced it will block all anti-vaccine content on its platform, expanding beyond COVID-19.

The video-sharing site outlined its updated medical misinformation policy in a blog post published earlier today. This includes content that alleges approved vaccines cause chronic health effects, such as autism, cancer or infertility, that they do not reduce transmission or contraction of disease or that substances in vaccines can track those who receive them.

These rules will apply both to routine immunizations for conditions like measles or hepatitis B and to general statements about vaccines.

YouTube explained it had “learned important lessons about how to design and enforce nuanced medical misinformation policies at scale” while tackling misinformation about the COVID-19 pandemic in conjunction with health authorities. In this process, it “looked to balance our commitment to an open platform with the need to remove egregious harmful content” and revealed it had removed more than 130,000 videos for violating its COVID-19 vaccine policies since last year.

The social media company added: “We’ve steadily seen false claims about the coronavirus vaccines spill over into misinformation about vaccines in general, and we're now at a point where it's more important than ever to expand the work we started with COVID-19 to other vaccines.”  

However, it said there are “important exceptions” to these new guidelines due to “the importance of public discussion and debate to the scientific process.” As such, the site will continue to allow content around vaccine policies, new vaccine trials and historical vaccine successes and failures. Additionally, personal testimonials relating to vaccines are permitted as long as the channel “doesn’t show a pattern of promoting vaccine hesitancy.”

YouTube stated: “Today’s policy update is an important step to address vaccine and health misinformation on our platform, and we’ll continue to invest across the board in the policies and products that bring high-quality information to our viewers and the entire YouTube community.”

The announcement follows the decision by YouTube on Tuesday to remove Russian state-backed broadcaster RT’s German-language channels from its site for violating its COVID-19 misinformation policy.

Many in the cybersecurity industry argue that disinformation is a cybersecurity issue. Otavio Freire, CTO at Safeguard Cyber, argued last year: “Disinformation is a cybersecurity issue. It has already been used as a means for brand value destruction to create divisiveness and conflict within a company's employees, used as a social engineering lure, and as a form of ransomware, where if you want the disinformation to stop, you need to pay."

These actions come amid growing criticism of social media firms like YouTube, Facebook and Twitter for failing to stem the flood of vaccine misinformation on their sites this year. 

Categories: Cyber Risk News

Mental Healthcare Providers Report Data Breaches

Wed, 09/29/2021 - 16:20

Data breaches at two American mental healthcare providers may have exposed thousands of individuals’ personal health information (PHI). 

Horizon House, Inc., which is in Philadelphia, Pennsylvania, warned that 27,823 people might have been impacted by a cyber-attack that took place in the late winter.

The mental health and residential treatment services provider detected suspicious activity on its IT network on March 5. An investigation revealed that the healthcare provider’s IT system had been infected with ransomware. 

In a security notice, Horizon House said: “Horizon House systems were accessible by an unknown actor between March 2, 2021, and March 5, 2021, and certain data was exfiltrated from the Horizon House systems.”

A review of the files compromised in the incident determined that the unknown cyber-attacker gained access to data including names, addresses, Social Security numbers, driver’s license numbers, state identification card numbers, dates of birth, financial account information, medical claim information, medical record numbers, patient account numbers, medical diagnoses, medical treatment information, and health insurance information.

Horizon House has notified all the individuals affected by the security breach and advised them to be on the lookout for fraudulent activity. 

Meanwhile, the Samaritan Center of Puget Sound issued a data breach warning after a computer, server and other electronic equipment were stolen from its locked offices in Seattle, Washington.

Although the stolen computer and server were password-protected, the Center raised concerns that a brute-force attack could render them accessible. 

Data stored on the stolen server included the names, appointment dates, diagnoses, copies of charting content, addresses, phone numbers, copies of deposited checks, training videos, insurance information, Social Security numbers, and copies of billing statements of clients who accessed services before July 19.

The Center, which provides spiritually integrated counseling and mental health support, reported the July 19 theft to the HHS’ Office for Civil Rights as a data breach impacting 20,866 individuals. 

“The Ravenna facility has been the subject of a number of attacks and break-ins during the last year,” wrote the Center’s clinical director, Matthew Percy.

He added that physical and electronic security were both being tightened.

Categories: Cyber Risk News

More Than Two-Thirds of Organizations Are Targets of at Least One Ransomware Attack

Wed, 09/29/2021 - 13:00

Most organizations are more concerned about ransomware than about other cyber-threats. This is a key finding from the 2021 Global State of Ransomware Report by cybersecurity company Fortinet.

Unveiled today, the survey also reveals that while the majority of organizations surveyed indicated they are well prepared for a ransomware attack, including employee cyber training, risk assessment plans and cybersecurity insurance, there was a clear gap in what many respondents viewed as essential technology solutions. 

Looking at the technologies viewed as essential, organizations were most concerned about remote workers and devices, with Secure Web Gateway, VPN and Network Access Control among the top choices. While ZTNA is an emerging technology, it should be considered a replacement for traditional VPN technology. Most concerning, however, was the low importance given to segmentation (31%), a critical control that prevents intruders from moving laterally across the network to reach critical data and IP. Likewise, UEBA and sandboxing play a crucial role in identifying intrusions and new malware strains, yet both ranked lower on the list. Another surprise was secure email gateway at 33%, given that phishing was reported as a common entry method for attackers.

Organizations More Concerned about Losing Data

The top concern of organizations regarding a ransomware attack was the risk of losing data, with the loss of productivity and the interruption of operations following closely behind. In addition, 84% of organizations reported having an incident response plan, and cybersecurity insurance was a part of 57% of those plans. Regarding paying the ransom if attacked, the procedure for 49% was to pay the ransom outright, and for another 25%, it depends on how expensive the ransom is. Of the one-quarter who paid the ransom, most, but not all, got their data back.

Ransomware Concerns Consistent Globally

While the findings of the survey were largely consistent among respondents globally, there were a few regional differences. For example, respondents in EMEA and LATAM were more concerned about ransomware attacks and more likely to be victims than their peers in North America and APJ (79% and 78% respectively, compared to 59% in North America and 58% in APJ). In addition, phishing lures were the primary attack vector in North America, while in APJ and LATAM, remote desktop protocol exploits and open, vulnerable ports were the primary attack vectors.

The Need for Integration and Intelligence

Almost all respondents view actionable threat intelligence with integrated security solutions or a platform as critical to preventing ransomware attacks and see value in AI-driven behavioral detection capabilities.

While almost all of those surveyed felt they are moderately prepared and plan to invest in employee cyber awareness training, the survey showed that organizations need to recognize the value of investing in technologies. 

Commenting on the news, John Maddison, EVP of products and CMO at Fortinet, said: “According to a recent FortiGuard Labs Global Threat Landscape report, ransomware grew 1070% year-over-year. Unsurprisingly, organizations cited the evolving threat landscape as one of the top challenges in preventing ransomware attacks.

"As evidenced by our ransomware survey, there is a huge opportunity for the adoption of technology solutions like segmentation, SD-WAN, ZTNA, as well as EDR, to help protect against the methods of access most commonly reported by respondents," he added. 

"The high amount of attacks demonstrates the urgency for organizations to ensure their security addresses the latest ransomware attack techniques across networks, endpoints, and clouds. The good news is that organizations are recognizing the value of a platform approach to ransomware defense.”

Categories: Cyber Risk News

ICO Reveals 60% Rise in Nuisance Contact Reports

Wed, 09/29/2021 - 11:00

The UK’s Information Commissioner’s Office (ICO) recorded a 60% rise in reports of nuisance calls, texts and emails in the first six months of 2021 compared to 2020, according to official figures analyzed by litigation firm Griffin Law.

In the first half of 2021, the ICO received an average of 13,925 reports of nuisance calls, texts and emails per month; this compared to just 8680 per month throughout the whole of 2020. The disparity was even greater when comparing the total number of reports in the first half of 2020 with 2021 (38,269 vs. 83,558, an increase of 116%).

The majority of nuisance contact reports in 2021 related to telecoms services, such as broadband, TV or phone, averaging just over 2000 per month. This was followed by communication relating to banking (1059 per month) and accident claims (620 per month).

In contrast, the most frequent type of nuisance contact in 2020 was accident claims, with an average of 1946 reports per month. Interestingly, calls, texts and emails relating to telecoms services averaged just 1182 reports per month during 2020, while for banking it was 534 per month.

The month with the highest number of nuisance contact reports was March 2021, at 17,728. This compared to just 6484 reports in March 2020.

Griffin Law also noted that the most active month for nuisance calls in 2020 — October, at 13,131 — still falls below five of the first six months of 2021.

Security experts believe these figures are linked to the surge in social engineering scams and cyber-attacks since the start of the COVID-19 pandemic. Ed Blake, area vice president EMEA for Absolute Software, explained: “‘Nuisance’ contact has become synonymous with malicious cyber-attack attempts, which usually start with a phishing, spam or malware email or text, sent to a recipient under the guise of a legitimate service or brand name.

“This is not to say that all reports of nuisance contact have malicious undertones, but it is certainly something that end-users and business decision-makers must be aware of, particularly as the remote working climate has increased the cyber threat facing businesses.”

In June, the ICO fined a home improvement company £130,000 for inundating consumers with nearly a million nuisance calls.

Categories: Cyber Risk News

CISA and NSA Deliver New Security Guidance for VPNs

Wed, 09/29/2021 - 10:36

The US authorities have released new guidance for organizations on hardening their VPNs against compromise by reducing the attack surface.

The Cybersecurity Information Sheet comes from the NSA and Cybersecurity and Infrastructure Security Agency (CISA).

It warned that multiple nation-state actors had exploited known vulnerabilities in VPN products over the past year to steal credentials, execute arbitrary code remotely on devices, weaken and hijack encrypted communications, and read sensitive data.

“These effects usually lead to further malicious access through the VPN, resulting in large-scale compromise of the corporate network or identity infrastructure and sometimes of separate services as well,” the agencies claimed.

Their advice is to select standards-based (IKE/IPsec) VPNs from reputable vendors with a proven track record of fixing vulnerabilities quickly, and to mandate the use of strong authentication credentials.

Once the device has been selected, organizations can proactively harden the equipment by requiring “only strong, approved cryptographic protocols, algorithms, and authentication credentials.”

The VPN attack surface can be further reduced by patching promptly, restricting external access by port and protocol, and running only the strictly necessary features, the notice continued.

Finally, organizations were urged to protect and monitor access to and from their VPNs with intrusion prevention (IPS), web application firewalls (WAFs), network segmentation, and remote and local logging for continuous monitoring.
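As an added illustration of the hardening points above (this is example code, not anything from the CISA/NSA sheet), the Python below audits a set of IKE/IPsec proposals and the gateway's externally exposed services against an allowlist. The allowlist values, the `Proposal` fields and the sample proposals and listeners are constructed assumptions standing in for an organization's own approved-crypto policy; substitute your policy and the settings exported from your device.

```python
"""Audit IKE/IPsec VPN proposals and external exposure against a hardening policy.

Added example: the allowlists are assumptions that stand in for an organization's
approved-crypto policy; they are not copied from the CISA/NSA sheet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Example policy (assumption): AES (AEAD or CBC), SHA-2 integrity, DH groups of
# at least 2048 bits or ECP groups, IKEv2 only.
APPROVED_ENCRYPTION = {"aes-256-gcm", "aes-128-gcm", "aes-256-cbc"}
APPROVED_INTEGRITY = {"sha256", "sha384", "sha512"}
APPROVED_DH_GROUPS = {14, 15, 16, 19, 20, 21}
APPROVED_IKE_VERSIONS = {2}

# Services an IKE/IPsec gateway needs on its external interface: IKE (UDP/500),
# IKE NAT traversal (UDP/4500) and ESP (IP protocol 50, which has no port).
ALLOWED_EXTERNAL = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass
class Proposal:
    name: str
    ike_version: int
    encryption: str
    integrity: str      # "none" is acceptable only with an AEAD cipher
    dh_group: int
    pfs: bool = True


def audit_proposal(p: Proposal) -> List[str]:
    """Return the policy violations found in one proposal (empty list = compliant)."""
    findings: List[str] = []
    cipher = p.encryption.lower()
    integrity = p.integrity.lower()
    aead = cipher.endswith("-gcm")

    if p.ike_version not in APPROVED_IKE_VERSIONS:
        findings.append(f"IKEv{p.ike_version} in use; require IKEv2")
    if cipher not in APPROVED_ENCRYPTION:
        findings.append(f"unapproved cipher '{p.encryption}'")
    # An AEAD cipher carries its own integrity protection, so 'none' is fine there;
    # any other cipher needs an approved hash.
    if not (aead and integrity == "none") and integrity not in APPROVED_INTEGRITY:
        findings.append(f"unapproved integrity algorithm '{p.integrity}'")
    if p.dh_group not in APPROVED_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} not approved")
    if not p.pfs:
        findings.append("perfect forward secrecy disabled")
    return findings


def audit_proposals(proposals: List[Proposal]) -> Dict[str, List[str]]:
    """Map each proposal name to its list of findings."""
    return {p.name: audit_proposal(p) for p in proposals}


def audit_exposure(listeners: List[Tuple[str, Optional[int]]]) -> List[Tuple[str, Optional[int]]]:
    """Return externally reachable services that a hardened IPsec gateway should not expose."""
    return [svc for svc in listeners if svc not in ALLOWED_EXTERNAL]


# Constructed sample data for the example.
SAMPLE_PROPOSALS = [
    Proposal("legacy-ikev1", 1, "3des", "md5", 2),
    Proposal("site-to-site", 2, "aes-256-gcm", "none", 20),
    Proposal("remote-access", 2, "aes-256-cbc", "sha1", 14, pfs=False),
]
# (protocol, port) pairs listening on the outside interface; None = no port (ESP).
SAMPLE_LISTENERS = [("udp", 500), ("udp", 4500), ("esp", None), ("tcp", 443), ("tcp", 22)]

if __name__ == "__main__":
    for name, issues in audit_proposals(SAMPLE_PROPOSALS).items():
        print(name, "OK" if not issues else "; ".join(issues))
    for proto, port in audit_exposure(SAMPLE_LISTENERS):
        print(f"unexpected external listener: {proto}/{port}")
```

On the sample data the legacy IKEv1 proposal fails on every check, the AEAD site-to-site proposal passes, and the remote-access proposal is flagged for SHA-1 and disabled PFS; the exposure check reports the HTTPS and SSH listeners, which on a hardened gateway would be reachable only from a management network rather than the outside interface.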

The warnings come after a pandemic in which VPNs used by home workers were heavily targeted by both state-backed and financially motivated cyber-criminals.

In October 2020, researchers warned that various groups were using the Zerologon vulnerability with VPN bugs to compromise victim networks.

In August last year, a major British high street retailer was called out for using VPN servers with unpatched critical vulnerabilities, which put it at risk of ransomware and other threats.

Categories: Cyber Risk News

Most Third-Party Cloud Containers Have Vulnerabilities

Wed, 09/29/2021 - 10:02

The vast majority of third-party code used in cloud infrastructure contains vulnerabilities and misconfigurations, which could leave organizations exposed to attack, according to Palo Alto Networks.

The security vendor’s Unit 42 Cloud Threat Report 2H 2021 used data from various public sources to better understand the threat from cloud software supply chains.

It revealed that 63% of third-party code templates used to build cloud infrastructure contain insecure configurations, while 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities.

Unvetted third-party code can introduce vulnerabilities and malware inserted on purpose by threat actors. A Sonatype study from earlier this month revealed a 650% spike in upstream supply chain attacks of this nature.

To highlight the challenge, Unit 42 analyzed public Terraform modules and found over 2500 were misconfigured in areas such as encryption, logging, networking, backup and recovery, and identity and access management.
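As an added example (not Unit 42's own tooling), the following Python runs the kind of checks the report describes over a constructed Terraform configuration written in Terraform's JSON syntax (`.tf.json`): it flags S3 buckets with no server-side encryption configuration or access logging, and security-group ingress rules open to the whole internet. The resource and attribute names follow the AWS provider's v4-style split bucket resources (an assumption to verify against your provider version), and the sample configuration is constructed for the example.

```python
"""Flag common misconfigurations in a Terraform configuration (JSON syntax).

Added example, not Unit 42's tooling. Resource/attribute names follow the
AWS provider's v4-style split resources (assumption); the input is a constructed
.tf.json document.
"""
import json
import re
from typing import Any, Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (resource address, problem)

# Matches Terraform JSON-syntax references such as "${aws_s3_bucket.reports.id}".
BUCKET_REF = re.compile(r"^\$\{aws_s3_bucket\.([^.]+)\.(id|bucket)\}$")


def _resources(cfg: Dict[str, Any], rtype: str) -> Dict[str, Dict[str, Any]]:
    return cfg.get("resource", {}).get(rtype, {})


def _buckets_referenced(cfg: Dict[str, Any], rtype: str) -> Set[str]:
    """Names of aws_s3_bucket resources that a companion resource type points at."""
    names: Set[str] = set()
    for body in _resources(cfg, rtype).values():
        m = BUCKET_REF.match(str(body.get("bucket", "")))
        if m:
            names.add(m.group(1))
    return names


def check_buckets(cfg: Dict[str, Any]) -> List[Finding]:
    """Each bucket needs an encryption configuration and an access-logging resource."""
    encrypted = _buckets_referenced(cfg, "aws_s3_bucket_server_side_encryption_configuration")
    logged = _buckets_referenced(cfg, "aws_s3_bucket_logging")
    findings: List[Finding] = []
    for name in _resources(cfg, "aws_s3_bucket"):
        addr = f"aws_s3_bucket.{name}"
        if name not in encrypted:
            findings.append((addr, "no server-side encryption configuration"))
        if name not in logged:
            findings.append((addr, "no access logging"))
    return findings


def check_security_groups(cfg: Dict[str, Any]) -> List[Finding]:
    """Flag ingress rules that admit the whole internet (IPv4 or IPv6)."""
    findings: List[Finding] = []
    for name, body in _resources(cfg, "aws_security_group").items():
        for rule in body.get("ingress", []):
            world = ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                     or "::/0" in rule.get("ipv6_cidr_blocks", []))
            if world:
                findings.append((f"aws_security_group.{name}",
                                 f"ingress {rule['protocol']}/{rule['from_port']}-{rule['to_port']} "
                                 "open to the world"))
    return findings


def audit(tf_json: str) -> List[Finding]:
    """Parse a .tf.json document and return all findings."""
    cfg = json.loads(tf_json)
    return check_buckets(cfg) + check_security_groups(cfg)


# Constructed sample: 'reports' is encrypted and logged, 'logs' has neither,
# and the admin security group exposes SSH to the world.
SAMPLE_TF_JSON = """
{
  "resource": {
    "aws_s3_bucket": {
      "reports": {"bucket": "example-reports"},
      "logs": {"bucket": "example-logs"}
    },
    "aws_s3_bucket_server_side_encryption_configuration": {
      "reports": {
        "bucket": "${aws_s3_bucket.reports.id}",
        "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]
      }
    },
    "aws_s3_bucket_logging": {
      "reports": {
        "bucket": "${aws_s3_bucket.reports.id}",
        "target_bucket": "${aws_s3_bucket.logs.id}",
        "target_prefix": "s3/"
      }
    },
    "aws_security_group": {
      "admin": {
        "name": "admin",
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    }
  }
}
"""

if __name__ == "__main__":
    for address, problem in audit(SAMPLE_TF_JSON):
        print(f"{address}: {problem}")
```

Against the sample it reports the unencrypted, unlogged `logs` bucket and the world-open SSH rule. A production checker would run over `terraform show -json` plan output or an HCL parser rather than hand-written `.tf.json`, and would encode policy exceptions explicitly (for instance, a log-target bucket is commonly exempt from logging to itself) so that guardrails stay enforceable rather than being quietly ignored.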

“Teams continue to neglect DevOps security, due in part to lack of attention to supply chain threats. Cloud-native applications have a long chain of dependencies, and those dependencies have dependencies of their own,” the vendor explained.

“DevOps and security teams need to gain visibility into the bill of materials in every cloud workload in order to evaluate risk at every stage of the dependency chain and establish guardrails.”

Alongside its analysis of public data sources, Unit 42 was recently commissioned by a SaaS customer of Palo Alto Networks to run a red team exercise on its environment. It revealed critical flaws in its software development processes, which exposed the firm to attacks similar to those on SolarWinds and Kaseya.

“The customer whose development environment was tested in the red team exercise has what most would consider a mature cloud security posture,” the vendor claimed. “However, their development environment contained several critical misconfigurations and vulnerabilities, enabling the Unit 42 team to take over the customer’s cloud infrastructure in a matter of days.”

Categories: Cyber Risk News