Info Security
London Police Adopt Facial Recognition Technology as Europe Considers Five-Year Ban
London's Metropolitan Police Service has announced that it will start using live facial recognition (LFR) technology to scan public areas for suspected criminals.
After trialing the technology for two years, the Met has said that it will have cameras up and running within a month. The cameras will be linked to a database containing images of suspects. In the event that a suspect is identified by the camera, an alert will be generated.
According to senior technologist with the Met, Johanna Morley, the facial recognition technology has an accuracy rate of 70%. Morley said false identifications were made by the cameras one in a thousand times.
Nick Ephgrave, an assistant commissioner, said: "As a modern police force, I believe that we have a duty to use new technologies to keep people safe in London. Independent research has shown that the public support us in this regard."
Civil liberties groups have described the planned introduction of the technology as "a breathtaking assault on our rights."
The Met said the cameras will only be deployed after consultation with local communities. Active cameras will be displayed overtly, leaving the public in no doubt that they are being watched as they go about their daily lives.
Commenting on the Met's decision to introduce LFR, the director of Big Brother Watch, Silkie Carlo, said: "It flies in the face of the independent review showing the Met’s use of facial recognition was likely unlawful, risked harming public rights and was 81% inaccurate."
A spokesperson for the campaign group Liberty said: "This is a dangerous, oppressive and completely unjustified move by the Met. Facial recognition technology gives the state unprecedented power to track and monitor any one of us, destroying our privacy and our free expression."
In September 2019, Cardiff's high court ruled that police use of automatic facial recognition technology to search for people in crowds is lawful. The technology is currently being used by South Wales police.
The Met is the biggest force in the UK, with jurisdiction over London and Greater London, with the exception of the City of London, which has its own territorial police force.
News of the Met's decision comes a week after the European Commission revealed it is considering a ban on the use of facial recognition in public areas for up to five years while regulators try to work out a way to prevent the technology from being abused.
#BSidesLeeds: Credential Stuffing Often Seen as “Volume” Cybercrime
Speaking at BSides Leeds, security researcher Darren Martyn explored the issue of credential stuffing, calling it an “exploding problem on the internet” and the “cyber-equivalent of volume crime.”
Saying that credential stuffing is “aided by data leaks,” Martyn argued that nothing much has been done about it “as it is not cool like ransomware, but the problem exists, and it affects everyone.”
The problem is further enhanced by tools created to enable credential stuffing to be done much more easily, and tools which are sold purely “to engage in post-compromise monetization strategies.” He said that as little as $10 can get you dumps of passwords which has been done by “low level hacking” and most of the tools are “idiot proof.”
He added that “kids revolutionized testing while we were writing Python scripts, and the kids write things that actually work.” As well as low level hacking efforts, you can build tools to do searches for data sets for you, and in his research he had stumbled across hundreds of accounts
In terms of how this makes money, he said that he had “cosplayed as a cyber-criminal” to find more information, and said that there is a “fantastic secondary market for logins” as people can add cash to gift cards using stored credit cards, or in video games where you can pay for in-game items.
Martyn said that despite the scale of the problem, “no-one cares as it affects the consumer who cannot pay for pen testing” and they are left out of pocket, “while the criminals laugh all the way to the bank.”
In terms of protection, he recommended consumers use a password manager and two-factor authentication to better protect their details and logins, while businesses should look to make automated login testing hard, but there were problems with rate limiting, temporary IP blocks and captchas as they can be bypassed.
Asked by Infosecurity what a good first step would be to better prevent credential stuffing attacks, Martyn said that, if you are a company, start by trying to make it expensive for the attacker.
“Rate limiting, temporary IP blocks and captchas don’t prevent, they just slow down,” he said, “but actually put in logging as you will know straight away when you are getting lit up by some script kiddie with Sentry, and your application logs start showing 'gajillions' of logins. See if your API is being brute forced, as no one really checks.”
#BSidesLeeds: Cyber is Running the World, More Innovation to Come
In the opening keynote at BSides Leeds head of cybersecurity research Daniel Cuthbert said that we are “in the best industry in the world” and, having spent 27 years doing cybersecurity, he has seen that it is the “misfits and weirdos who are doing amazing things.”
Cuthbert said that we are “going through interesting times” in what we are calling the 'fourth industrial revolution,' “and it is good as it is about cyber” and there has been a fundamental change in how we relate and talk.
Pointing to the 1984 film Revenge of the Nerds, he explained that if you look at the most powerful people in the world, they are people like Elon Musk and Mark Zuckerberg, and “people in technology impact how we work.”
Cuthbert also pointed out that law makers and politicians are getting more involved in cybersecurity issues, as once 'Spot the Fed' was played at DEFCON, distinguishable by their smart-casual clothing, eventually “they saw the need to get people like us back in the fold.”
This was made further evident by the likes of San Bernadino district attorney Michael Ramos using the term “lying dormant cyber-pathogen” after the shooting and locked iPhone debate, and Cuthbert also pointed at the FBI now having a dedicated page for cyber-criminals, which was mostly made of foreign nationals.
“Don’t stop what you’re doing; we do amazing stuff and people watch what we do,” he said.
European Energy Firm Targeted by RAT Linked to Iran
Security researchers have discovered a new cyber-espionage operation with links to Iranian state hacking groups targeting a major European energy organization.
Recorded Future’s Insikt Group detected command-and-control (C&C) communications between a C&C server and the victim organization, from late November 2019 until at least January 5 2020.
The C&C server is associated with PupyRAT, an open source, post-exploitation remote access Trojan (RAT) used in the past by multiple Iranian threat actor groups such as APT33 and Cobalt Gypsy.
“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the security vendor wrote.
“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”
Recorded Future emphasized that the activity pre-dates the current escalation in tensions between the West and Tehran, following the US assassination of a leading Iranian general and the downing of a civilian aircraft by Iranian soldiers.
Security experts have warned that the stand-off could lead to a new wave of Iranian attempts to compromise and disrupt critical infrastructure in the US and elsewhere.
In fact, as Recorded Future argued, Iranian state hackers have been “amassing operational network infrastructure throughout 2019,” and shifted their focus from IT networks to physical control systems in utilities, manufacturing facilities and oil refineries.
The firm urged organizations take a defence-in-depth approach to guard against RATs like PupyRat.
This includes: implementing multi-factor authentication, and/or using a password manager to store unique, strong credentials, monitoring for sequential login attempts from the same IP against different accounts and analyzing and cross-referencing log data.
Ransomware Payments Doubled and Downtime Grew in Q4
The average ransomware payment more than doubled quarter-on-quarter in the final three months of 2019, while average downtime grew by several days, according to the latest figures from Coveware.
The security vendor analyzed anonymized data from cases handled by its incident response team and partners to compile its Q4 Ransomware Marketplace report.
It revealed that the average payment in the quarter was $84,116, up 104% from the previous three months. Coveware claimed the jump highlights the diversity of hackers utilizing ransomware today.
“Some variants such as Ryuk and Sodinokibi have moved into the large enterprise space and are focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout. For instance, Ryuk ransom payments reached a new high of $780,000 for impacted enterprises,” it argued.
“On the other end of the spectrum, smaller ransomware-as-a-service variants such as Dharma, Snatch, and Netwalker continue to blanket the small business space with a high number of attacks, but with demands as low as $1500.”
That said, Sodinokibi (29%) and Ryuk (22%) accounted for the majority of cases spotted in Q4 2019. Attackers using the former variant began during the quarter to use data theft to force firms to pay-up, which may have increased the figure for total losses.
Also during the quarter, the amount of downtime experienced by victim organizations increased from the previous three months — from 12.1 to 16.2 days. This increase was driven by the larger number of attacks targeting major enterprises with more complex network architectures, which can therefore take weeks to restore and remediate, Coveware claimed.
Phishing, RDP targeting and vulnerability exploitation remain the most popular attack methods, it added. Professional services (20%), healthcare (19%) and software services (12%) were the top three sectors targeted.
According to the data, 98% of organizations that paid a ransom received a decryption key, and those victims successfully decrypted 97% of their data. However, with multi-million-dollar ransoms now commonplace, the official advice is still not to give in to the hackers’ demands, especially as it will lead to continued attacks.
Sonos Backtracks to Offer Fixes for Legacy Speakers
Sonos appears to have bowed to customer pressure and will now offer security updates for legacy kit and ensure it can co-exist with newer systems.
The smart speaker firm issued a statement earlier this week warning that from May, “some of our oldest products will no longer receive software updates or new features.”
It claimed that the legacy products — Zone Players, Connect and Connect:Amp, first-generation Play:5, CR200 , and Bridge — were “stretched to their technical limits.” The firm urged customers to buy new items and take their old kit to a recycling facility.
That stance drew criticism from customers concerned that they wouldn’t be able to use old speakers in concert with newer, supported equipment.
A furore also erupted over the firm’s roll-out of a “Recycle Mode” for legacy equipment, which was designed to protect consumers from unwittingly buying old speakers. It effectively removes all user information and permanently bricks the device in preparation for recycling. But it has been argued that by doing so, recycling firms can subsequently do nothing but strip it for parts, which is more wasteful.
To its credit, Sonos appears to have reversed its stance. In an apology published on Thursday, CEO Patrick Spence said the firm would continue to offer security updates to legacy purchases, as well as finding a way for old and new equipment to work together.
“We are not bricking them, we are not forcing them into obsolescence, and we are not taking anything away. Many of you have invested heavily in your Sonos systems, and we intend to honor that investment for as long as possible,” he said.
“While legacy Sonos products won’t get new software features, we pledge to keep them updated with bug fixes and security patches for as long as possible. If we run into something core to the experience that can’t be addressed, we’ll work to offer an alternative solution and let you know about any changes you’ll see in your experience.”
Back in 2018, Trend Micro research warned that hackers could exploit flaws on internet-connected Sonos speakers to remotely control the devices themselves and infiltrate the networks they’re on.
This could present security challenges for corporates if remote workers have speakers operating on their home networks, it claimed.
US Cybersecurity Agency Issues Emotet Warning
America's Cybersecurity and Infrastructure Security Agency (CISA) issued a warning yesterday after observing an increase in the number of targeted cyber-attacks that utilize Emotet.
Emotet functions as a modular botnet that can steal data, send malicious emails, and act as a dropper, downloading and installing a wide range of malware onto a victim's computer. This sophisticated strain of malware was developed by threat group TA542.
CISA said: "Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information."
The agency warned that such an attack could result in the loss of money and of proprietary information as well as cause "disruption to operations and harm to reputation."
CISA advised users and system administrators to block email attachments such as .dll and .exe, which are commonly associated with malware, and to block any email attachments that cannot be scanned by antivirus software.
Further protection measures suggested by CISA are to implement firewalls, an antivirus program, and a formalized patch management process.
To stop a virus from running rampant around your network, CISA recommended segmenting and segregating networks and functions.
The warning comes a week after cybersecurity firm Proofpoint announced that Emotet was back and causing trouble with a new campaign after taking what appeared to be a Christmas break. Researchers spotted Emotet going after targets in the pharmaceutical industry in the US, Canada, and Mexico on January 13.
By Tuesday, the attackers had widened their net to go after victims in multiple industries in Australia, Austria, Germany, Hong Kong, Italy, Japan, Singapore, South Korea, Spain, Switzerland, Taiwan, and the United Arab Emirates.
"Based on past activity and what our researchers are seeing, organizations around the globe should take Emotet’s return seriously," wrote researchers. "On Monday alone we saw nearly three quarters of a million messages and they’re already fast approaching one million messages total."
This mass of messages, although large, isn’t the highest volume the researchers have ever seen from the TA542 group. Previously, researchers have seen the threat actors send over one million messages in just one day.
US County Suffers Two Cyber-attacks in Three Weeks
Albany County in the state of New York has been struck by two separate cyber-attacks in three weeks.
A five-figure ransom in Bitcoin was paid by Albany County Airport Authority (ACAA) earlier this month after their servers became infected with ransomware on Christmas day.
Airport CEO Philip Calderone said that the authority caught the virus from a company called LogicalNet, which, rather ironically, ACAA had hired to provide cybersecurity services. The attack came to light after LogicalNet reported that its management services network had been breached.
Calderone told Times Union: "We have severed our relationship with LogicalNet."
According to Times Union, while the airport's insurer reimbursed the authority for the rest of the undisclosed ransom payment, the airport authority is seeking to recover the $25,000 deductible it paid on its insurance policy from LogicalNet.
Three weeks later, on January 15, the Albany County town of Colonie was hit by a cyber-attack that took the town's computer system and email offline. Many departments were still experiencing problems on Friday.
Town spokesperson Sara Wiest said on Friday that the town was still trying to determine the exact nature of the attack. Wiest added that all the town's data had been backed up prior to the incident, allowing many departments to continue working despite not having access to the computer system.
In a forced return to last century's communication methods, the town sent out a news release regarding the cyber-attack via fax on Friday morning.
The release stated that there was no indication that any personal data had been compromised and reassured the public that the town's health and safety services were still functioning.
"These types of situations happen in a lot of different places and municipalities and they appear to be similar," said Colonie town supervisor Paula Mahan. "It’s happening in a lot of places and it’s something we have to get used to."
In March 2019, the City of Albany spent $300,000 in new servers, security software upgrades, firewall insurance, and other cybersecurity improvements after being hit by a ransomware attack. Fortunately, the city was able to fall back on its daily backups of mission-critical systems, and no ransom was paid.
Over Half of Organizations Were Successfully Phished in 2019
An annual report into the virulence of phishing scams has found that more than half of organizations dealt with at least one successful phishing attack in 2019.
The 2020 "State of the Phish" report, by cybersecurity and compliance firm Proofpoint, was produced using data from nearly 50 million simulated phishing attacks sent by Proofpoint to end users over a one-year period. In addition, researchers combed through third-party survey responses from more than 600 information security professionals and analyzed the fundamental cybersecurity knowledge of more than 3,500 working adults in the US, Australia, France, Germany, Japan, Spain, and the UK.
Among the key findings, 55 percent of surveyed organizations dealt with at least one successful phishing attack in 2019, and infosecurity professionals reported a high frequency of social engineering attempts across a range of methods.
Other forms of attack reflect cyber-criminals' continued focus on compromising individual end users. Spear-phishing attacks were reported by 88 percent of organizations worldwide, while 86 percent reported business email compromise (BEC) attacks and social media attacks.
Phishing via text/SMS, also known as smishing, struck 84 percent of organizations, while 83 percent reported experiencing voice phishing, or "vishing." Malicious USB drops had caused problems for 81 percent of organizations surveyed.
On a more positive note, the sixth annual "State of the Phish" report revealed that equipping individuals with instructions on how to avoid taking the phishers' bait garnered good results. Seventy-eight percent of organizations reported that security awareness training activities resulted in measurable reductions in phishing susceptibility.
“Effective security awareness training must focus on the issues and behaviors that matter most to an organization’s mission,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint.
“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks.”
Proofpoint researchers noted an increase in the volume of reported phishing messages and identified a trend toward more targeted, personalized attacks carried out over bulk campaigns.
The volume of reported messages jumped significantly year on year, with end users reporting more than nine million suspicious emails in 2019, an increase of 67 percent over 2018.
Over 2000 WordPress Sites Hit by Malicious Redirects
Thousands of WordPress sites have been infected with malicious JavaScript in an attempt to promote scam websites, according to Sucuri.
The number of infections spiked last week, with hackers exploiting vulnerabilities in various plugins, including Simple Fields and the CP Contact Form with PayPal, the security vendor explained in a blog post.
After exploitation, the hackers are able to inject JavaScript which begins a series of redirects to a fraudulent “survey-for-gifts” website, where users are tricked into handing over personal info and unwittingly installing malware.
Among the domains registered as part of the campaign are gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com and admarketresearch[.]xyz.
“Unfortunately for website owners, this malicious JavaScript payload is capable of making further modifications to existing WordPress theme files via the /wp-admin/theme-editor.php file. This allows them to inject additional malware, such as a PHP backdoors and hacktools, to other theme files so they can continue to maintain unauthorized access to the infected website,” Sucuri explained.
“We encourage website owners to disable the modification of primary folders block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices.”
The attackers have also been observed abusing/wp-admin/ features to create fake plugin directories that contain more malware, for example by uploading zip compressed files using the /wp-admin/includes/plugin-install.php file to upload and unzip a compressed fake plugin into /wp-content/plugins/.
The two most common fake plugin directories spotted by Sucuri are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
The firm has seen over 2000 infected sites thus far compromised in this campaign.
WordPress is by far the biggest culprit when it comes to hacked website platforms. It accounted for 90% of compromised websites spotted by Sucuri in 2018, up from 83% in 2018. There was a big drop to Magento (4.6%) and Joomla (4.3%) in second and third.
Data on 30,000 Cannabis Users Exposed in Cloud Leak
Tens of thousands of cannabis users in the US have had their personal information leaked by a misconfigured cloud bucket, according to researchers.
Over 85,000 files including more than 30,000 records with sensitive personally identifiable information (PII) were exposed when software firm THSuite apparently left an Amazon Web Services (AWS) S3 bucket unsecured.
THSuite provides software that helps cannabis dispensaries collect the large volumes of sensitive user info they need to comply with state laws.
At least three clients were affected in the privacy snafu: Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company.
Exposed PII included names, home and email addresses, dates of birth, phone numbers, medical ID numbers and much more, according to vpnMentor.
As such, the leak affected both medical cannabis users and those who bought the plant for recreational purposes.
“Medical patients have a legal right to keep their medical information private for good reason. Patients whose personal information was leaked may face negative consequences both personally and professionally,” the researchers argued.
“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual.”
The revelations may also harm recreational users, especially if their employer prohibits cannabis use, they continued. The database apparently included scanned copies of government and employee IDs.
From a cybercrime perspective, the data trove would also offer a potentially lucrative opportunity for hackers to craft convincing phishing emails, texts and calls, and launch follow-on identity fraud attempts.
The researchers found the exposed database via a simple scan on December 24 last year. After contacting its owners on December 26 the problem was finally mitigated on January 14 2020.
Cloud misconfigurations like this remain a major source of cyber-related risk for organizations around the world. VpnMentor alone has been able to find millions of user records leaked by the likes of cosmetic giant Yves Rocher, Best Western Hotels and Canadian telco Freedom Mobile.
UN Wants US Probe into Bezos-Saudi Phone Hack
The United Nations has called for a US-led investigation into the alleged hacking of Jeff Bezos’s mobile phone by the crown prince of Saudi Arabia, Mohammed bin Salman.
The bombshell allegations, which broke on Wednesday, suggest that spyware was deployed via an MP4 file sent from a WhatsApp account belonging to the prince. The two had apparently met and exchanged phone numbers a month before the alleged attack on May 1 2018.
According to the analysis by UN special rapporteurs Agnes Callamard and David Kaye, “massive and unprecedented” exfiltration of data followed the initial spyware deployment, with data egress from the device jumping suddenly by 29,156% to 126 MB and then continuing undetected for months after.
“The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group's Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials,” the UN analysis continued.
“This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.”
The NSO Group has “unequivocally” denied the claims.
It’s claimed that the Saudis targeted the world’s richest man Bezos because of his ownership of the Washington Post, whose columnist Jamal Khashoggi wrote in highly critical terms of the crown prince. He is believed to have been assassinated on a visit to the Saudi embassy in Turkey on October 2 2018.
In November 2018 and February 2019, the crown prince’s WhatsApp account is also said to have sent messages revealing details of Bezos’s affair, months before it became public knowledge.
“The information we have received suggests the possible involvement of the crown prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia,” argued the special rapporteurs.
“The alleged hacking of Mr. Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the crown prince in efforts to target perceived opponents.”
The case also highlights the devastating impact of legitimate cross-border spyware sales from private companies to authoritarian governments, the UN argued.
“Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse,” it said.
“It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology.”
It will be some cause for concern for Bezos and his personal security team that the attack went undetected for so long.
“For high value targets, the best protection is to compartmentalize how apps are used. For example, they might use WhatsApp or Signal for communicating with external contacts, and Teams for communicating with internals,” argued F-Secure principal researcher, Jarno Niemelä.
“It makes sense to separate use by device, I recommend communicating with external contacts with a different device to the one that you use for handling critical matters such as 2 factor authentication apps. It is also important to review application permissions regularly to deny access to apps that have fallen out of use.”
US Journalist Denounced for Alleged Involvement with Brazilian Criminal Organization
Brazilian prosecutors have denounced American journalist Glenn Greenwald for his alleged involvement with a cybercrime organization that hacked cell phones to commit bank fraud.
Greenwald is best known for a series of reports published from June 2013 by The Guardian newspaper that detailed the global surveillance programs of the United Kingdom and the United States. The reports were based on classified documents disclosed by Edward Snowden and whistle-blowing events involving WikiLeaks.
In a criminal complaint filed by federal prosecutors in Brazil on Tuesday, Greenwald is accused of being involved with a criminal organization that hacked mobile devices and committed bank fraud and money laundering.
According to the complaint, the organization is behind a number of hacks perpetrated last year in which cell phones belonging to public officials and prosecutors were compromised. Among the officials whose devices were hacked was the Brazilian minister of justice and public security, Sérgio Moro.
Seven individuals are named and denounced in the complaint, including computer programmer Gustavo Henrique Elias Santos and his wife, Suelen Oliveira, who allegedly recruited people to participate in a series of scams.
Greenwald was named as an auxiliary to the criminal organization’s activities after a recording of a conversation between the journalist and the organization’s alleged hacker Luiz Molição emerged. The recording was found on a MacBook seized by Brazilian police from the house of Walter Delgatti Netto, who prosecutors allege was one of the organization’s leaders.
In the audio, Molição confirms that a phone hack is ongoing. He then asks Greenwald for guidance on the possibility of "downloading" the content of other people's Telegram accounts before the journalist publishes certain articles on his website, The Intercept.
Prosecutors allege that Greenwald then advised Molição to cover the criminal gang's tracks by deleting archives of material that they had sent to the journalist. Deleting the material could hinder a police investigation and possibly reduce the criminal liability of the individuals behind the hack.
The complaint states that the criminal organization carried out 126 telephone, telematic, or computer interceptions and 176 invasions of third-party computer devices. An investigation into whether the hacks resulted in financial profits is ongoing, and the possibility of future judicial proceedings has not yet been ruled out.
The Intercept and Greenwald both released statements on Tuesday labeling the federal prosecutor’s allegations as an attack on Brazil’s free press "in line with recent abuses by the government of far-right President Jair Bolsonaro."
Fake Smart Factory Captures Real Cyber-threats
A fake industrial prototyping company created by cybersecurity researchers has become the target of real-life cyber-attackers.
Researchers at Trend Micro established the faux firm and maintained it for a six-month period in 2019 to learn about the threats facing companies that use Operational Technology. The honeypot was compromised for cryptocurrency mining, targeted by two separate ransomware attacks, and used for consumer fraud.
The fake concern consisted of real industrial control systems (ICS) hardware and a mix of physical hosts and virtual machines that ran the factory. Among these machines were several programmable logic controllers (PLCs), human machine interfaces (HMIs), separate robotic and engineering workstations, and a file server.
The honeypot went live on May 6, with a fake client base composed of large anonymous organizations from critical industries. By July 24, a threat actor had entered the fake company's system and downloaded a cryptocurrency miner. Researchers observed the attacker returning regularly to relaunch their miner.
By August, researchers had observed multiple incidences of compromise, with one threat actor performing reconnaissance activities and another causing system shutdowns. Ransomware attacks using Crysis and a Phobos variant were carried out against the fake company in September and October, respectively.
Greg Young, vice president of cybersecurity for Trend Micro, said the research indicated that industrial companies are primarily vulnerable to bog standard cyber-threats.
He said: "Too often, discussion of cyber threats to ICS has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes. While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely."
Young warned owners of small smart factories against the dangers of thinking that their company's size makes them somehow immune to the threat of cyber-attack.
He said: "Owners of smaller factories and industrial plants should not assume that criminals will leave them alone. A lack of basic protections can open the door to a relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line."
Smart factory owners can reduce the risk posed by malicious threat actors by minimizing the number of ports they leave open and also by strictly enforcing access control policies.
Facebook Crime Rises 19% as UK Tries to Police Social Media
The UK government is planning to police social media by issuing sites with a new code of conduct.
Social media firms will be required by law to protect children from viewing any content deemed to be "detrimental to their physical or mental health or wellbeing," according to a report published yesterday in The Daily Telegraph.
Failure to act in line with the government-backed code could result in fines and penalties that could potentially lose an offending company billions of pounds in revenue. The current code of conduct was created in 2017 and updated in April 2019.
News of the stricter code comes as statistics obtained from the British police reveal an alarming increase in the number of reported crimes linked to Facebook.
Data obtained from 20 different UK police forces under a Freedom of Information (FOI) request indicates that in the financial year 2019–20, the number of Facebook-related crimes reported to the police was 32,451. When compared to the same period in 2017–18, this total shows an increase in crime of 19%.
Official figures from the police list the total number of crimes with a connection to Facebook as 55,643. Data shared under the FOI request revealed that Leicestershire Police received the highest number of reports of Facebook-linked crimes. In total, the English Midlands force said it had recorded 10,405 such incidents, of which 408 involved victims categorized as "vulnerable."
Lancashire Constabulary reported the second-highest number of crimes linked to the social media giant. The North West England force said it had recorded 8,829 Facebook-connected crimes, of which 718 were harassment, 179 were sexual offences, 1,007 involved offensive messages, and 1,497 were classified as malicious communication.
Greater Manchester Police reported 8,230 Facebook-linked crimes, many of which involved "engaging in sexual activity with a child."
The FOI request was put out by the Parliament Street think tank. Figures obtained by the think tank via a FOI request for offenses that mentioned Instagram or Facebook in the crime notes found that Instagram had been used by pedophiles, stalkers, burglars, and drug dealers to commit 15,143 crimes since 2017. The total number of cases associated with both sites since 2017 is 70,786.
Apple Dropped iCloud Encryption Plans After FBI Complaint: Report
Apple dropped plans to offer end-to-end encrypted cloud back-ups to its global customer base after the FBI complained, a new report has claimed.
Citing six sources “familiar with the matter,” Reuters claimed that Apple changed its mind over the plans for iCloud two years ago after the Feds argued in private it would seriously hinder investigations.
The revelations put a new spin on the often combative relationship between the law enforcement agency and one of the world’s biggest tech companies.
The two famously clashed in 2016 when Apple refused to engineer backdoors in its products that would enable officers to unlock the phone of a gunman responsible for a mass shooting in San Bernardino.
Since then, both FBI boss Christopher Wray, attorney general William Barr and most recently Donald Trump have taken Apple and the wider tech community to task for failing to budge on end-to-end encryption.
Silicon Valley argues that it’s impossible to provide law enforcers with access to encrypted data in a way which wouldn’t undermine security for hundreds of millions of law-abiding customers around the world.
They are backed by world-leading encryption experts, while on the other side, lawmakers and enforcers have offered no solutions of their own to the problem.
Apple’s decision not to encrypt iCloud back-ups means it can provide officers with access to target’s accounts. According to the report, full device backups and other iCloud content was handed over to the US authorities in 1568 cases in the first half of 2019, covering around 6000 accounts.
Apple is also said to have handed the Feds the iCloud backups of the Pensacola shooter, whose case sparked another round of calls for encryption backdoors from Trump and others.
It’s not 100% clear if Apple dropped its encryption plan because of the FBI complaint, or if it was down to more mundane usability issues. Android users are said to be able to back-up to the cloud without Google accessing their accounts.
Microsoft Exposes 250 Million Call Center Records in Privacy Snafu
Microsoft briefly exposed call center data on almost 250 million customers via several unsecured cloud servers late last year, according to researchers.
Bob Diachenko spotted the major privacy snafu a day after databases across five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.
Each contained a seemingly identical trove of Microsoft Customer Service and Support (CSS) records spanning a 14-year period. The records included phone conversations between service agents and customers dating back to 2005, all password-free and completely unprotected, according to Comparitech.
Most personally identifiable information (PII) was redacted from the records, but “many” apparently contained customer email and IP addresses, support agent emails and internal notes and descriptions of CSS cases.
This presented not just a phishing risk but a valuable collection of data for tech support scammers who impersonate call center agents from Microsoft and other companies to install malware on victim machines and steal financial data.
“With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets,” explained Comparitech’s Paul Bischoff.
“If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.”
However, Microsoft was praised for acting swiftly to lock down the exposed servers.
After being informed by Diachenko on December 29, the firm had secured all data by December 31.
Microsoft is just the latest in a long line of companies that have exposed sensitive consumer data through cloud misconfigurations.
These include Choice Hotels, Honda North America, Adobe and Dow Jones.
Sometimes the leaks come from suspected cyber-criminals. Back in December, over one billion email and password combos were exposed via an unsecured Elasticsearch database, with many collected from a previous 2017 breach.
Campaigners Threaten ICO with Legal Action for AdTech Failings
Campaigners are threatening to take the Information Commissioner’s Office (ICO) to court for failing to enforce data protection laws in tackling what they see as widespread illegality in the adtech industry.
The Open Rights Group (ORG) responded to an update from the ICO last Friday detailing what action has been taken since the latter’s June 2019 report raised serious concerns about real-time bidding (RTB).
RTB is the process where website publishers auction space on their pages to advertisers in near real-time. However, that process often involves the advertiser seeing detailed information about the individual web user they want to reach, including their browsing history and perceived interests.
The ICO duly raised multiple concerns in its report claiming: the methods of obtaining informed consent from data subjects are often insufficient; privacy notices lack clarity; and that the scale of data profiling and sharing is “disproportionate, intrusive and unfair.”
It also argued that the widespread use of contractual agreements to protect how bid request data is shared, secured and deleted is inappropriate given the scale of the supply chain and type of data shared.
However, in an update last week, the ICO seemed to hold back from enforcing GDPR and other relevant laws, choosing instead to focus on positive steps taken by Google and the Internet Advertising Bureau (IAB) to act on its concerns.
That’s not good enough for the ORG’s executive director, Jim Killock, who filed an initial complaint with the ICO regarding RTB practices 16 months ago.
"The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance,” he argued.
"Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.”
Killock and co-complainant Michael Veale, a lecturer in digital rights and regulation at UCL, are now considering whether to take legal action against the regulator for failing to act, or individual companies for breaking the law.
“When an industry is premised and profiting from clear and entrenched illegality that breach individuals' fundamental rights, engagement is not a suitable remedy,” argued Veale. “The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”
However, the ICO’s primary impulse has always been to educate rather than punish the industry, so it’s likely that harsher enforcement measures will eventually come for those in the adtech ecosystem that fail to change their ways.
“The most effective way for organisations to avoid the need for further regulatory scrutiny or action is to engage with the industry reform and transformation, and to encourage their supply chain to do the same,” argued ICO executive director for technology and innovation, Simon McDougall.
“I am both heartened at how much progress we have made, and disappointed that there are some who are still ignoring our message. Those who have ignored the window of opportunity to engage and transform must now prepare for the ICO to utilize its wider powers.”
KnowBe4 Donates $250,000 to Stetson University College of Law
Security awareness training provider KnowBe4 has donated $250,000 to Stetson University College of Law, Florida’s first law school.
The donation includes:
- Creation of the the KnowBe4 Cybersecurity Law Scholarship Fund which will provide $5000 merit-based scholarships for the next five years;
- Creation of the KnowBe4 Cybersecurity Law Program Fund to support the establishment and growth of the cybersecurity law program at Stetson Law
- A subscription to KnowBe4’s diamond-level new-school security training platform to enhance security and data protection awareness with Stetson’s staff, faculty and students
“We see this donation as a great opportunity to contribute to and build our community,” said Stu Sjouwerman, CEO of KnowBe4. “It’s also an opportunity to help fulfill the need to educate and train more cybersecurity talent. We’re excited to work with Stetson University College of Law to help develop an entire collegiate program that’s focused on cybersecurity in the Tampa Bay area.”
The agreement includes the creation of other initiatives, such as a weekend course on the topics of cybersecurity and data privacy for Stetson Law students, speaking events, student-led research, student organizations, internship opportunities for law students and providing general support for business law initiatives at Stetson Law with cyber-law course offerings and other resources related to cybersecurity law.
“We strive to be at the forefront of all that we do at Stetson Law – whether it is educating students in emerging areas of law or ensuring our faculty and staff are highly trained in new technology – so this collaboration with KnowBe4 is a fantastic opportunity to advance both our mission and theirs,” added Michèle Alexandre, dean of Stetson University College of Law.
Security awareness training provider KnowBe4 has donated $250,000 to Stetson University College of Law, Florida’s first law school.
The donation includes:
- Creation of the the KnowBe4 Cybersecurity Law Scholarship Fund which will provide $5000 merit-based scholarships for the next five years;
- Creation of the KnowBe4 Cybersecurity Law Program Fund to support the establishment and growth of the cybersecurity law program at Stetson Law
- A subscription to KnowBe4’s diamond-level new-school security training platform to enhance security and data protection awareness with Stetson’s staff, faculty and students
“We see this donation as a great opportunity to contribute to and build our community,” said Stu Sjouwerman, CEO of KnowBe4. “It’s also an opportunity to help fulfill the need to educate and train more cybersecurity talent. We’re excited to work with Stetson University College of Law to help develop an entire collegiate program that’s focused on cybersecurity in the Tampa Bay area.”
The agreement includes the creation of other initiatives, such as a weekend course on the topics of cybersecurity and data privacy for Stetson Law students, speaking events, student-led research, student organizations, internship opportunities for law students and providing general support for business law initiatives at Stetson Law with cyber-law course offerings and other resources related to cybersecurity law.
“We strive to be at the forefront of all that we do at Stetson Law – whether it is educating students in emerging areas of law or ensuring our faculty and staff are highly trained in new technology – so this collaboration with KnowBe4 is a fantastic opportunity to advance both our mission and theirs,” added Michèle Alexandre, dean of Stetson University College of Law.
Surge in Ships Seeking Cybersecurity Classification
A leading offshore safety and verification body has reported a rapid rise in the number of ships seeking to gain a cybersecurity classification.
Ship classification society Bureau Veritas Marine & Offshore (BV) says it has seen a surge in the number of ships applying for its "Cyber Managed" notation. The notation is based on BV's rule NR659 on cybersecurity for the classification of marine units, which was co-developed with marine security experts.
To be awarded a "Cyber Managed" class notation, ships must show that their design, construction, commissioning, and maintenance of onboard computer-based systems are in line with existing cybersecurity best practices and standards, such as IMO MSC-Fal 1-Circ3, NIST, and BIMCO.
A BV spokesperson said: "Cyber Managed works because it is based on a security risk assessment developed from an initial mapping of onboard systems that results in a practical set of requirements.
"The initial risk analysis and mapping exercise can be performed either during the newbuilding phase or at any time during the lifecycle of the vessel. As such, the notation is applicable to both new and existing ships."
As part of the risk assessment process, all the ship's onboard handbook and onshore security policies are reviewed by BV. Vessels are then surveyed to ensure that the documentation they supplied accurately reflects the condition of the hardware installed.
The notation doesn't require new equipment to be fitted to the ship, but rather it works by mitigating risk through protecting remote access and network connections. This can often be achieved through software updates.
According to BV, shipowners in Greece have been pioneers in applying the notation, which is now gaining traction across the entire maritime ecosystem with other shipowners, ship managers, charterers, insurers, and offshore operators. By the end of January 2020, BV predicts that more than 100 ships will be operating under the "Cyber Managed" notation.
"We see that shipowners are willing to invest in ensuring they are addressing cyber-risks, and their charterers are increasingly interested as well," said Paillette Palaiologou, vice president for the Hellenic Black Sea & Adriatic Zone, Bureau Veritas.
"We are seeing interest from insurers as well—and that this notation can be expected to be a factor in the response of underwriters’ assessment of risk."