Cyber-criminals behind the Maze ransomware attacks have claimed several more scalps over the past few days, including five law firms and a French industrial giant, all of which are thought to have had sensitive internal data stolen.
Brett Callow, a threat analyst with security vendor Emsisoft, alerted Infosecurity to the developments over the weekend. The Maze group has a dedicated website where it first names victim organizations and then releases stolen data if they refuse to pay the ransom.
“This makes sense. The more data they publish and the more sensitive that data is, the less incentive an organization has to pay to prevent the remaining data being published,” said Callow.
“It's the equivalent of a kidnapper sending a pinky finger. If the organization still doesn’t pay, the remaining data is published, sometimes on a staggered basis.”
That’s potentially bad news for the latest firms to fall victim to Maze ransomware. At present, only two of the law firms have had sensitive customer data published but, ominously for the other victims, the group promises that the “proofs” are coming soon.
The French firm struck by Maze, Bouygues Construction, published a brief statement on Friday admitting a “ransomware-type virus” had been detected on its network the day before.
However, there’s no word from the firm so far on whether key data has also been lifted, as alleged by the Maze hackers.
“As a precautionary measure, information systems have been shut down to prevent any propagation,” the statement read.
“Our teams are currently fully focused on returning to normal as quickly as possible, with the support of experts. Installations are progressively being put back into service after being tested. Operational activity on our construction sites has not been disrupted to date.”
It’s not unusual for the group to charge its victims twice: $1m for the decryption key and a further $1m for ‘deletion’ of the stolen data. There’s the added jeopardy that, if they’re not paid, stolen data will be leaked onto Russian hacker forums, as has happened in the past.
UK law enforcers have tightened the net around the hackers that stole €13m ($14.4m) from one of Malta’s biggest banks, with the arrest of four men last week.
Malware planted on the Bank of Valletta’s servers back in February 2019 enabled hackers to transfer the money to accounts in the UK, US, Hong Kong and Czech Republic. The lender was forced to shut down all its operations after spotting the illegal activity and attempting to prevent the fund transfers.
However, £800,000 ($1m) was funnelled to an account in Belfast, with payments totalling £340,000 ($446,000) then disappearing from the account before it could be blocked.
According to the UK’s National Crime Agency (NCA), some of the money was spent at luxury stores including Harrods and Selfridges, to buy Rolex watches, and to purchase a Jaguar and an Audi A5.
Following the trail of money, NCA officers arrested three men on Friday on suspicion of money laundering, fraud and theft. These included a 33-year-old detained at Heathrow Airport as he returned to the UK from China, and two men aged 23 and 24 who handed themselves in at a police station in Belfast.
These were preceded by the arrest of another Belfast man, aged 39, a day earlier, on suspicion of the same crimes, and the apprehension of two men aged 22 and 17 in London on January 22 after raids on properties in West Hampstead and Ladbroke Grove.
The arrests represent the latest stage in a 12-month investigation by the NCA and Malta Police Force Economic Crime Unit.
“The focus of our investigation is those suspected of having helped launder the proceeds of this cyber-attack, a large amount of which were funnelled through a bank account here in Belfast,” said NCA Belfast branch commander David Cunningham.
“It demonstrates how this type of criminality is often international in nature, and how tackling it is a priority for the National Crime Agency and partners, both within the UK and around the world.”
A notorious Russian threat group famed for its devastating ransomware attacks has funded a hacking competition being run on a dark web forum.
Sodinokibi—the creators of the REvil ransomware—stumped up $15,000 in prize money for the illegal hacking contest, which requires competitors to write original articles containing proof-of-concept videos or original code.
Articles can be submitted on five different topics, including APT attacks, developing exploits for searching for 0day and 1day vulnerabilities, and how to hack other people's crypto algorithms.
Along with the prize money, Sodinokibi offered the competition's overall winner an opportunity to "work with" the threat actors under "mutually beneficial conditions."
The competition was announced via the XSS forum, which counts several Sodinokibi representatives among its members.
News of the competition and its nefarious sponsors was published today in a report by researchers at Digital Shadows. While black hat hacking competitions on dark web forums like Exploit and XSS are nothing new, the researchers noted a significant increase in the number of high-stakes prizes on offer recently.
“Since its relaunch as XSS [in 2018], the former Damagelabs has organized three article competitions, all with four- or five-figure prize funds,” the researchers noted.
By contrast, a 2010 competition that challenged participants to design a graphic that best represented the Russian-language segment of the internet (the "Runet") had as its prize a single iPad.
Digital Shadows’ research indicates that groups like Sodinokibi have taken an interest in these competitions to foster technical skills among forum members, increase awareness of the availability of ransomware on the forum in a savvy sales move, and gain valuable intelligence for future malware development.
For the forums, such high-prize competitions are a way to grow or sustain their membership.
Researchers wrote: "Cybercriminal forums need to attract and retain members in order to survive and being able to present a site as a valuable repository of articles discussing pertinent cybercriminal issues is a real draw."
Currently, the prize money up for grabs in legal white hat competitions outstrips what can be won on the dark web, but based on Digital Shadows' research, that situation could one day change.
A county in the Pacific Northwestern state of Oregon is yet to fully recover from a ransomware attack that happened over a week ago.
Cyber-criminals hit Tillamook County in a targeted attack last Wednesday, January 22. As a result, all internal computer systems under the county government, which 250 county employees rely on, went down.
The Tillamook County website, which hosts numerous departments, was also taken out in the incident. Other network connections were disabled to contain the spread of the malware.
The Emergency Communications District’s dispatch and 911 services were not affected; however, the County Sheriff's Office has experienced some issues with its phone system and email.
County Commissioner Mary Faith Bell said that the attack was initially thought to be a storage system technical issue. It was later identified as a ransomware attack despite no initial ransom demands being made by the attackers.
The day after the incident occurred, county officials contracted a forensic computer firm, Arete Incident Response, to investigate the attack.
Though the potential cost of the ransom is yet to be revealed, the actions of the county earlier this week hint that the attackers may have finally issued a demand.
On Monday, January 27, Tillamook County commissioners voted unanimously to negotiate with the cyber-attackers for an encryption key in a bid to regain control of the government's computer systems.
Addressing the board, Information Technology Director Damian Laviolette said: "At this time, we are looking to Arete to potentially begin the process of negotiation for an encryption key for the remainder of the systems we have been unable to protect or retain the integrity of."
Bell acknowledged that paying a ransom could not guarantee the security or safe return of the data. She said: “I think the lesson is to back up absolutely everything because I think this kind of thing will become more common. There are places in the world where people are just doing this for a living.”
To keep functioning, the county has had to revert to non-digital workarounds.
“A lot of the things like the library, we are checking books out by paper the old-fashioned way,” said Tillamook County Emergency Manager Gordon McCraw.
County phone lines were restored earlier in the week; however, no timeline has been given for when Tillamook's computers will be back up and running.
A data breach at Indian airline SpiceJet has exposed the personal information of over a million passengers.
Access to the airline's computer system was gained last month by a security researcher, who went on to report the breach to TechCrunch.
Using a brute-force attack, the researcher busted into an unencrypted database backup file containing the private information of more than 1.2 million passengers who flew with SpiceJet last month. According to the ethical hacker, the password protecting the data was easily guessable.
Data exposed in the breach included passengers' names, phone numbers, email addresses, and dates of birth. Among the passengers whose data was exposed were several state officials.
According to the researcher, the database file was easily accessible for anyone who knew where to look, leaving the budget airline vulnerable to cyber-attackers.
After successfully gaining unauthorized access to SpiceJet's passenger data, the researcher contacted the airline to warn them that a breach had occurred. The researcher said that their efforts to reach out to the airline elicited no meaningful response from SpiceJet.
The researcher went on to notify India's computer emergency response team (CERT-In) of the breach. The government-run agency confirmed that the breach had occurred and went on to issue an alert to SpiceJet.
While SpiceJet has now taken steps to secure the exposed database, the airline has declined to confirm CERT-In's findings.
A spokesperson for the airline said in a statement: “At SpiceJet, safety and security of our fliers’ data is sacrosanct. Our systems are fully capable and always up to date to secure the fliers’ data which is a continuous process. We undertake every possible measure to safeguard and protect this data and ensure that the privacy is maintained at the highest and safest level.”
SpiceJet is one of the country's largest privately-owned airlines, commanding an approximate 13% market share in India. The airline, which is headquartered in Gurgaon, flies over a million passengers a month and puts more than 600 planes in the air every day.
The security researcher who detected the security lapse has chosen to remain anonymous.
The British Council, which promotes wider knowledge of the UK and the English language in over 100 countries worldwide, was hit by over 10 million malicious email attacks in 2019, according to official figures.
The data was obtained by Nimbus Hosting under the Freedom of Information Act and showed that the British Council blocked a total of 10,336,631 emails last year. Of those, 190,155 emails were intercepted or blocked because of suspected malware such as worms, Trojan horses and ransomware.
Furthermore, the organization also blocked 14,317 suspected phishing emails, whilst a further 10,132,159 emails were intercepted and logged as spam, many of which would have had the potential to contain viruses.
Tim Dunton, MD, Nimbus Hosting, said: “These figures are another reminder that cyber-criminals will continually bombard organizations with scam emails, hoping to trick employees into handing over private data, to breach the organization’s security systems or steal personal information. All it takes is for one hoax email to fall through an email system’s imperfect filtration system before an organization must face the consequences of a severe breach of customer information.”
Moving forward, he added, it’s vital that all organizations like the British Council have the necessary anti-virus systems in place, as well as robust security procedures to keep hackers at bay.
A US government technology contractor has become the latest major target taken down by a ransomware attack.
Electronic Warfare Associates (EWA) counts the Department of Defense, Department of Justice and Department of Homeland Security among its clients. It describes itself as a veteran-owned business with a track record dating back over four decades.
The firm currently claims to be working on cutting-edge projects in areas such as blockchain, anti-drone capabilities, location tracking and quantum technology. However, its own tech credentials appear to have taken a knock with this latest ransomware attack.
At the time of writing, its websites for subsidiaries EWA Government Systems and electronic deadbolt producer Simplicikey are down, but there’s no word on how widespread the attack was and how it has impacted the organization.
Its government customers will want to know if the ransomware hackers have also stolen sensitive corporate information, as is increasingly the case in such attacks.
Late last year new malware with data theft capabilities dubbed “Ryuk Stealer” was discovered. Keywords found in the code including “military,” “engineering,” “defense,” “government” and “restricted” raised suspicions that the authors may be gearing up to target the stealer at organizations like EWA and its clients.
Alexander García-Tobar, CEO and co-founder of Valimail, claimed that a phishing email was the likely attack vector.
“Phishing is implicated in more than 90% of all cyber-attacks, and it is the preferred vector used by the Ryuk ransomware that hit EWA servers,” he added. “Therefore, it’s likely that email played a role in delivering this attack. Additionally, impersonation-based techniques are leveraged in the majority of phishing attempts, so as to convince the target the fraudulent message is from a trusted source.”
Ransomware attacks targeting municipalities caused a trail of chaos across the US last year, but this is the first major raid against a federal government contractor.
A Colorado man who worked as a moderator on the infamous AlphaBay marketplace is facing two decades behind bars after pleading guilty to racketeering charges this week.
Bryan Connor Herrell, 25, worked on the now-shuttered dark web site settling disputes between buyers and sellers of illicit goods, according to a Department of Justice (DoJ) notice.
Known by the online pseudonyms “Penissmith” and “Botah,” he’s said to have settled over 20,000 such disputes on the site whilst also monitoring transactions for signs of fraud.
It appears Herrell’s identity may have become known to police after FBI, DEA and Royal Thai Police officers raided the home of AlphaBay founder Alexandre Cazes in 2017. At the time they seized an open laptop which contained “the passwords/passkeys for the AlphaBay website, the AlphaBay servers, and other online identities associated with AlphaBay.”
While Cazes subsequently died in prison, of suspected suicide, investigations into his former colleagues continue.
AlphaBay is thought to have been the world’s largest dark web marketplace of its kind when it stepped up to fill the gap left by Silk Road.
However, it suffered the same fate as its predecessor after police managed to infiltrate and shut it down. Announced alongside the takedown of Hansa in July 2017, the site is said to have reached over 200,000 users and 40,000 vendors.
According to Europol, the site hosted over 250,000 listings for illegal drugs and over 100,000 for stolen and fake ID documents, malware, hacking tools, counterfeit goods and more.
The policing organization estimated that at least $1bn flowed through the marketplace since it was launched in 2014.
Herrell was paid in Bitcoin for his efforts, and likely received a handsome remuneration. However, after he pleaded guilty to conspiring to engage in a “racketeer-influenced corrupt organization,” he faces a maximum of 20 years in prison.
New figures cited by the UK government claim the country’s cybersecurity sector has achieved double-digit growth over the past two years, but Brexit threatens to undo much of the good work by making cross-border recruitment and sales harder.
Based on research from Queen’s University Belfast, the sector is now worth £8.3bn, with revenues from UK firms having increased 46% from 2017-19. The number of cybersecurity firms located in the UK also grew significantly over the period, by 44% from 846 in 2017 to over 1200 at year-end 2019.
In addition, investment into the industry was a record £348m last year, and topped £1.1bn over the past four years, the paper claimed.
The university argued that government-backed initiatives like HutZero, Cyber101 and the London Office for Rapid Cyber Security Investment (LORCA) have played a key role in helping start-ups and SMEs develop new products and services.
Andy Harcup, VP EMEA at Absolute Software, welcomed the news, arguing that it’s a reflection of the growing market demand for products designed to mitigate cyber-risk.
“However, whilst it’s great to see that cybersecurity has grown in priority on the corporate agenda as companies are spending more than ever on security, it must be mentioned that the threat landscape is developing even faster,” he added.
“Therefore, we must witness continued dedicated commitment from all organizations to tackle this problem head on. This involves the use or introduction of security tools that not only mitigate risk, but help the organization to respond, recover and actually fix the things that are breaking.”
The news comes as the UK officially leaves the European Union at midnight tonight. Experts and IT security professionals have warned that Brexit could have a “chilling” effect on the country’s nascent cybersecurity industry, by making cross-border intelligence sharing harder, and impacting jobs.
The world is already experiencing a cybersecurity skills shortage in excess of four million positions, with shortfalls in Europe having soared by over 100% from 2018-19.
It is predicted that Brexit will discourage many skilled job-seekers from coming to the UK, while the pipeline from UK universities remains weak.
Over 90% of UK IT professionals told RedSeal last year they believe Brexit will make chronic industry skills shortages even worse.
There are also question marks over UK sales to the continent. Boris Johnson’s government has refused to consider remaining in the single market, meaning likely trade restrictions that will hinder firms’ growth prospects.
The number of deployed Extended Validation (EV) SSL certificates has increased, with new measures by browsers to promote “secure” websites.
Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that EV certificates are still important, but acknowledged that there is a need for more education around them.
One idea he discussed was to create a whitelist of sources that use an EV certificate, and allow all certificate authorities (CAs) to access the whitelist to improve validation. Another was to establish a minimum amount of time it could take to allow an EV certificate to be issued, but Coclin acknowledged that this was not popular as it may affect new companies who want an EV cert for their domain.
Another idea was to add “validated trademarks” into the certificate as they are recognizable and distinguishable, “and if we put these into the certificates, people would have an extra way of validating that the certificate is authentic.” These will have been validated by the CA, using a standard set of validations and rules.
The last option is to add a requirement that the CA checks the record to see what sort of certificate should be issued for a domain. “If you say you don’t want an EV certificate to be issued for a domain, and someone in a different location tries to issue a certificate, the CA could look at the record and see that they cannot issue one for that domain.”
Looking at the number of TLS certificates issued, Coclin said that around 78 million trusted web certificates are on websites globally, an increase of almost two million since last month, and DigiCert has issued 13 million since the beginning of the year.
For the individual certificate types, Coclin said DigiCert had issued 27.4% of the domain validation (DV) certificates (the most was by Let's Encrypt with 49.7%), while DigiCert had issued 59.7% of the EV certificates and 96% of the organization validation (OV) certificates.
Pointing out that the number of TLS certificates had increased in recent years, Coclin said that this was about the move by browsers to highlight those websites not using HTTPS. “No website wants their domain to be seen as not secure, so certificates have increased,” he said.
The next step will be a red line through the address bar to show that a site is not secure; after that there will be an intermediate page saying that the page is not secure with a question of “do you really want to go to it?” The step after that will be the same intermediate page saying “the following web page is not secure.”
He added: “Now who wants a website that you cannot get to? That should take us to 100% encryption on the web.”
Looking forward, Coclin predicted that the number of TLS certificates will increase, as well as Verified Mark Certificates in email as DMARC is further deployed. “EV is not going away, it has moved, but I think it is going to change again – maybe for the better or worse – but there are discussions going on and improvements being made, and we’ll see where that goes,” he concluded.
“We used to tell people ‘look for the lock’ but you cannot just do that anymore, as hackers know that is what we were told as they are getting free EV certificates and putting them on their sites and getting verified for 24-48 hours.”
Speaking at the DigiCert Security Summit in San Diego, DigiCert senior director of business development, Dean Coclin, said that “identity data is created on us all of the time,” but asked how protected it is.
He said that as we browse we create more and more data every day, and this data is about us and we should be sure it is “kept secure and in the right format.” Now with more devices available, cloud computing and IoT, we have ended up with the situation where we have big data, but not the “big data biology” on how it should be managed.
He said: “It is my data, not your data, and what is generated should be known by me and not some other company.” Citing the introduction of the GDPR in Europe in 2018 and the California Consumer Privacy Act (CCPA) this month in the USA, Coclin also referred to other legislation that had not passed, including the New York Privacy Act, which he said was “stronger than CCPA and gave private right of action.” However, he added that this failed in a legislative session, and he suspected that other proposed privacy laws would not pass in the current political climate.
Focusing on anonymity on the web, he said that there is a push to be more anonymous on the web, and particularly in the case of electronic voting “as you don’t want people to know who you voted for.”
Elsewhere, he said it was the same with email and IoT, that with the former you want to know that who has emailed you is actually that person, and with IoT, you want to know which devices are trusted and authorized to join your network.
On the other side, there are those “who do not want to be identified and cases where identity is important” and that is where Tor is important.
“Ideally for consumers, a strong privacy law is something that they need,” he argued. “For companies trying to comply, an over-arching privacy law, whether at state, federal or country level or global level would be even better, would be fantastic.”
Data is the new oil, but advances in quantum computing could be breaking encryption faster in the future.
Speaking at the DigiCert Security Summit in San Diego, Dr Michio Kaku, futurist and theoretical physicist, talked of the rise of quantum computing and its deployment in modern society.
He said that after we built the world wide web, television, radio, radar and microwaves “and everything you see in a doctor’s office,” the next step will be quantum. “If the first wave was about steam power, the second on electricity, the third on high tech, what will the fourth and fifth be about? The fourth wave we are now entering, it is physics at the molecular level, such as AI, nano and bio technology; then we will see the fifth wave of technology which will be dominated by physics at the atomic level.”
Kaku predicted the end of silicon, saying it “cannot compute at a quantum level” and now millions are being spent on this computing. However, while this technology is in its infancy, the threat is there.
In a press conference, Kaku said that we will head to a post-silicon era and that atoms can be used to break any encryption, so governments are getting ahead of the game “as there is much at stake, so now the race is on for the post quantum era where we want to find defenses against methods used by quantum computers to break codes.”
He added that today’s mainframes will be replaced by quantum computers, but mobile phones will not be replaced due to the need for a cooling infrastructure for the atoms.
Referring to Google’s announcement about its creation of a quantum computer, Kaku noted it was “premature” as, while the computer was workable, it did not have any practical application for the consumer and it was compared with a modern supercomputer. “IBM said that because of that and not using such a fast supercomputer, their announcement was not such a big deal.”
However, he praised Google’s efforts, as he said that the tide has shifted, as people are no longer saying that this is a possibility for the future.
He also said that as the industrial age was powered by oil, the fourth and fifth wave will be powered by data. “Data will be the energy source of the future,” he claimed, “but data has to be processed. Oil has to go to refineries, in the same way data has to be raw, then processed. In the future, every aspect of human behavior, every aspect of human endeavor and every aspect of human enterprise will be reduced to data.”
However, this data can be hacked, and needs to be protected by encryption – and this can be broken with advanced quantum computing.
Kaku concluded by saying that all human activity will be digitized as data is wealth, and companies will want that information “and this means that data is vulnerable, and new ways to do encryption have to be devised.”
He also said that the arrival of quantum computing is not an immediate threat, but one for the coming years and decades so it is time to prepare and consider converting now. “Don’t do anything yet, but think about it and study the question” as it may take years for the conversion to take place.
He recommended four things you can do now:
- Increase the length of your keys, and you can make it more difficult for a quantum computer to crack things
- Consider symmetric, rather than asymmetric encryption, as symmetric gives you an extra layer of encryption
- Use increasingly complex trapdoor functions, such as lattice and elliptic curve technologies
- Use quantum cryptography, use quantum to fight quantum
An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility's executives.
The data was shared by an individual at community-based non-profit the VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from a senior member of staff.
VCRN were notified on or about Monday, December 30, that a cruel deception had taken place.
In a Notice of Data Privacy Incident statement published on VCRN's website, the company stated: "The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information."
Information obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including provider name and ID number for 674 patients.
VCRN said: "Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event."
The medical center said that they weren't aware of any personal patient information having been misused as a result of this event.
Becoming a victim of a phishing scam has led VCRN to review its cybersecurity practices.
The center said: "We take this incident and security of personal information in our care seriously. We moved quickly to investigate and respond to this incident, assess the security of relevant VCRN systems, and notify potentially affected individuals. This response included reviewing and enhancing our existing policies and procedures."
VCRN has taken steps to notify all the patients who have potentially been impacted by the cyber-attack. A toll-free dedicated assistance phone line has been established for patients who wish to discuss any concerns they may have as a result of the incident.
The data breach has been reported to law enforcement and to the relevant regulatory authorities.
VCRN advised patients "to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution."
Cybersecurity firm Expel Inc. has announced a $1.4m investment to expand its operations in Fairfax County, Virginia.
The huge injection of cash will be used to increase the size of the company's Herndon headquarters and to create 164 new jobs in the company's engineering, customer experience, IT, marketing, and sales departments over the next three years.
News of the planned expansion was announced by the governor of Virginia, Ralph Northam, on Tuesday.
“Virginia has emerged as a national leader in cybersecurity and continues to be at the forefront of workforce development in this rapidly-evolving industry, thanks to companies like Expel, Inc.,” said Northam.
“We are thrilled to support this homegrown Northern Virginia business as they grow and expand and look forward to their ongoing success in Herndon.”
Victor Hoskins, president and CEO of the Fairfax County Economic Development Authority (FCEDA), voiced his support for the scheme.
“The security-focused industry cluster and the talent pool around it make Fairfax County and Northern Virginia a great location for Expel, and I am delighted that my office has had the opportunity to help the company expand its footprint in the Town of Herndon.
“We appreciate the company's vote of confidence in Herndon and Fairfax County and look forward to its continued growth here.”
The FCEDA and the Town of Herndon worked with the Virginia Economic Development Partnership to secure the project for Virginia and will support the company’s job creation through the Virginia Jobs Investment Program (VJIP).
Expel's co-founder and CEO Dave Merkel described Fairfax County as a prime location in which to grow the business.
“There's a fantastic pool of tech talent located in Northern Virginia, and we have close proximity to strong education institutions and major tech companies,” said Merkel.
Expel offers round-the-clock cybersecurity monitoring, providing transparent managed security both on-premises and in the cloud. The company was founded by Dave Merkel, Yanek Korff, and Justin Bajko in a barn in Virginia in 2015.
The company currently has 171 employees and 14 strategic partners, including Amazon Web Services, Microsoft Azure, Cisco, CrowdStrike, Palo Alto, and Carbon Black.
New research released yesterday by the Ponemon Institute reveals a dramatic increase in both the frequency of insider threats and their financial cost to businesses since 2018.
The report, "2020 Cost of Insider Threats: Global," shows that the average global cost of insider threats rose by 31% in two years to $11.45m, and the frequency of incidents spiked by 47% in the same time period.
To gather data for the study, researchers talked to 964 IT and security practitioners at 204 organizations in North America, Europe, the Middle East, Africa, and Asia-Pacific. All the individuals who contributed worked at a company with a global headcount of 1,000 or more.
Researchers learned that, across all the organizations surveyed, a total of 4,716 incidents caused by an insider threat had occurred in the past 12 months.
For a more detailed analysis, researchers split the incidents into three different categories of threat: those caused unintentionally by negligent employees or contractors, those perpetrated by credential thieves bent on using insiders' login information to gain unauthorized access to applications and systems, and those instigated by criminal and malicious insiders out to damage an organization from within.
Of the three profiles, credential thieves caused the most damage per incident, costing organizations an average of $871,000 per incident, three times more than a negligent insider. However, credential theft accounted for only 25% of all incidents, which limited its average annual cost to $2.79m per year.
Negligent employees or contractors, who were found to have caused 62% of insider threats, created the highest financial burden of the profiles, costing an average of $4.58m per year.
Malicious criminal insider threats were found to have occurred with the least frequency, making up just 14% of incidents. The financial ramifications of this rarer threat type were still significant, with researchers recording a per-incident cost of $756,000 and annual losses of $4.08m.
Proving the old adage "a stitch in time saves nine," researchers found that the longer an insider threat lingers the costlier it is to rectify. Incidents that took more than 90 days to contain cost organizations $13.71m on an annualized basis, while incidents that lasted less than 30 days cost roughly half, at $7.12m.
A US crackdown on perceived efforts by China to unfairly acquire US talent and R&D has stepped up a notch, with charges filed against a senior Harvard academic.
Charles Lieber, the chair of Harvard University’s department of chemistry and chemical biology, was arrested on Tuesday on one count of “making a materially false, fictitious and fraudulent statement.”
As principal investigator of the Lieber Research Group at Harvard, he has received $15m in government grants to research cutting-edge nanoscience techniques. However, such funding requires disclosure of any major foreign financial conflicts of interest.
It is alleged that, since 2011, Lieber has been a “strategic scientist” at Wuhan University of Technology (WUT), and that from 2012-17 he was a “contractual participant” in Beijing’s Thousand Talents Plan, which Washington claims is designed to recruit foreign science experts to steal research secrets.
He’s said to have made millions from these endeavors but allegedly lied about his involvement in both schemes. Lieber could be facing five years behind bars for making false statements to investigators.
Notably, Lieber’s case was published by the Department of Justice (DoJ) alongside that of two alleged Chinese spies who enrolled as students at US universities to steal research material.
Yanqing Ye is in fact a PLA lieutenant who studied at Boston University’s (BU) Department of Physics, Chemistry and Biomedical Engineering from October 2017 to April 2019, allegedly stealing info for military research projects and profiling US scientists for her bosses.
Zaosong Zheng conducted cancer-cell research at Beth Israel Deaconess Medical Center in Boston from September 2018 to December 2019, but was arrested trying to smuggle 21 vials of biological research out of the country on a flight to China. It’s claimed he wanted to publish the research results under his own name.
Visa fraud carries a penalty of 10 years behind bars, as does acting as a foreign agent or smuggling goods from the US.
The US Department of the Interior (DOI) has temporarily grounded its fleet of unmanned aircraft systems (UAS) while it checks whether equipment that is manufactured by foreign companies, or contains parts made abroad, represents a national security risk.
Drones are used by the DOI to protect national treasures and critical resources, in tasks such as: “emergency management; fighting wildland fires; conducting search and rescue; surveying Federal land; collecting research data; and assisting law enforcement, among others.”
“The [DOI] has been a leader in deploying UAS to better achieve its goals. These efforts include assessing, collecting, and maintaining information that relates to our critical American energy, transportation and defense infrastructure,” DOI secretary David Bernhardt said.
“In certain circumstances, information collected during UAS missions has the potential to be valuable to foreign entities, organizations and governments.”
While the drones remain grounded for all but emergency operations, the department will establish procedures for identifying which are made by foreign-owned companies or contain foreign-manufactured parts. DOI chiefs are being instructed to limit funds spent on such drones.
The temporary grounding measure was first flagged back in October 2019, so the latest order indicates persistent national security concerns in Washington. The overall effect appears to be rooting out and sidelining foreign kit in favor of US-made products.
“With this order, the department is taking action to ensure that our minimum procurement needs account for such concerns, which include cybersecurity, technological considerations and facilitating domestic production capability,” the order continued.
China is not mentioned by name in the order, but would be an obvious target here.
One of its biggest drone makers, DJI, contributes a small number of machines to the 800-strong DOI fleet.
“DJI makes some of the industry’s most safe, secure, and trusted drone platforms for commercial operators. The security of our products designed specifically for the DOI and other US government agencies has been independently tested and validated by US cybersecurity consultants, US federal agencies including the Department of Interior and the Department of Homeland Security, which proves today’s decision has nothing to do with security,” it said in a statement.
“We are opposed to the politically motivated country of origin restrictions masquerading as cybersecurity concerns and call for policymakers and industry stakeholders to create clear standards that will give commercial and government drone operators the assurance they need to confidently evaluate drone technology on the merits of performance, security and reliability, no matter where it is made.”
Hackers compromised dozens of United Nations (UN) servers last summer in an attack which the world body kept a secret from its own employees, according to a new report.
The attack began in mid-July 2019 in what one senior UN IT official called a “major meltdown,” affecting servers in UN offices in Vienna and Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva.
Some 400GB is thought to have been exfiltrated by the hackers, including Active Directory lists of users. Although it’s unclear exactly what other info was taken, the servers in question could have provided access to sensitive details on UN employees, and commercial contract data, according to The New Humanitarian.
The OHCHR in particular handles highly sensitive data on human rights activists which could land subjects in deep trouble with governments back home.
According to an internal report on the incident seen by AP, the hackers exploited a Microsoft SharePoint vulnerability to access the UN network, although the type of malware used is unknown, as is the location of the C&C servers used to exfiltrate the data. It’s also unclear how the attackers maintained their presence on the network once inside.
Most controversially, the UN seems to have used its diplomatic immunity to keep the incident a secret, despite it raising serious questions under the GDPR.
Staff were told only to reset their passwords, but not why, it is claimed.
“As the exact nature and scope of the incident could not be determined, [the UN offices] decided not to publicly disclose the breach,” said UN spokesperson Stéphane Dujarric.
The level of sophistication involved, and the motivation for striking at the heart of the UN’s human rights efforts, point to a nation-state actor, according to experts.
Traditional cybersecurity measures may not be successful against nation state hackers, meaning firms must focus on detection and response, according to Exabeam senior security engineer, Joe Lareau.
“One critical step all of these entities can take now is to monitor for tactics, techniques and procedures (TTPs) specific to various state-sponsored groups,” he added.
“Overall, we recommend building and using ‘defense in depth’ — multiple layers of controls that involve staffing, procedures, technical and physical security for all aspects of the security program.”
The future of security and privacy should be focused on the person and the impact upon them.
Speaking to Infosecurity at the DigiCert Security Summit in San Diego, DigiCert CEO John Merrill said that security is about privacy and trust, and who is on the other side, and there is more awareness of privacy thanks to regulations like GDPR.
“Look at it from a global sense, the technology is outpacing a lot of people’s understanding of and government’s ability to deal with it,” he said. “Look at facial recognition issues, we’ve just found out that companies have been keeping data with facial recognition stored on their servers: how do we handle that? The answer is that we are more aware of it and the technologies are there in some cases, for the internet we seem to be doing a pretty good job.”
Merrill went on to say that “technology is evolving faster than our ability to cope with it.” Does that mean we are chasing an impossible dream of protection? “Whether it is impossible or not, it is a worthy goal as the majority of users on the internet are safe because of the protocols that have been put in place over the last 20-30 years,” he said. “So they are not 100% safe, but as technology evolves, you’re going to have items that you have to deal with from a security and privacy standpoint.
“We may be behind with technology, but that does not mean you should stop running to try and figure it out.”
Merrill added that people should be the focus of security and privacy, whether the context is facial recognition, using the internet, going to the bank or using a phone; it is something that we have to do.
A hacker has taken to Twitter to share design secrets they allegedly obtained by compromising American automotive and energy company Tesla.
Posting on the account @greentheonly on Friday night, a hacker who calls themself "Green" said that Tesla was planning to introduce new hardware to its Model S and Model X cars.
Modifications that Green claims are in the cards include the introduction of new battery options and a suspension redesign.
According to Green, Tesla has added a wireless device charger to its two oldest car models. The charger is allegedly integrated into the center console. Green also claims to have uncovered plans for a new type of charging port.
Another interior change that the hacker says is coming to the S and X models is something Green describes as "new lumbar," which could possibly mean a redesign of the front seats.
Aside from the cosmetic changes, Green claims that Tesla plans to introduce two new battery types into both models, which the hacker claims will be available in several configurations. Other information allegedly hacked from Tesla by Green revealed that the company plans to introduce a new suspension option.
Tesla hasn't confirmed or denied the hacker's findings. The company, which is based in Palo Alto, California, has not announced any plans to update the Model S or the Model X.
Following Green's Twitter post, Tesla has however "quietly added a wireless phone charger to the list of standard features posted on its website," according to Autoblog.com.
Tesla traditionally waits until the last minute to load information regarding new features into its computer system in a bid to prevent data leaks. Both Green and Autoblog speculate that an announcement of the new features for the Model X and Model S could be around the corner.
Green wrote on Twitter: "Tesla seemed to have realized no matter what they do stuff leaks through firmware so froze releases on week 40 and just backported absolute necessary stuff to limit leakage. And now past the new year this must be hw [hardware] they put into cars now/vsoon so cannot avoid it."
Tesla started building the Model S in 2012. Three years later, the company launched the Model X. Unique and cutting-edge in their time, both cars now compete in an expanding electric luxury car market that includes Porsche's Taycan, the Audi E-Tron, and the Jaguar I-Pace.