Feed aggregator

SEC: Beware Hurricane Ida Investment Scams

Info Security - Mon, 09/06/2021 - 08:54

The US Securities and Exchange Commission (SEC) has warned investors not to fall for scams capitalizing on the Hurricane Ida recovery and clean-up operation.

The regulator’s Office of Investor Education and Advocacy claimed that disasters including hurricanes, floods and oil spills often attract opportunistic fraudsters, who use email and social media to promote their scams.

“These scams can take many forms, including promoters touting companies purportedly involved in clean-up and repair efforts, trading programs that falsely guarantee high returns, and classic Ponzi schemes where new investors’ money is used to pay money promised to earlier investors,” it explained.

“Fraudsters also may target individuals receiving compensation from insurance companies.”

The SEC said it took several enforcement actions against individuals and companies trying to cash in on the aftermath of Hurricane Katrina in 2005.

Some made misleading statements about the potential high profits their companies could reap from clean-up efforts to inflate their share price and facilitate classic “pump and dump” scams.

“One of the best ways to avoid investment fraud is to ask questions. Be skeptical if you are approached by somebody touting an investment opportunity. Ask that person whether he or she is licensed and whether the investment they are promoting is registered with the SEC or with a state,” the regulator urged.

“Check out their answers with an unbiased source, such as the SEC or your state securities regulator. Know that promises of fast and high profits, with little or no risk, are classic signs of fraud.”

In terms of volume, investment scams numbered only around 8,800 last year, putting them in the bottom half of the most common types of cybercrime by victim count, according to the FBI.

However, they ranked at number three in total losses, costing victims over $336m in 2020. That puts the category behind only romance scams ($600m) and Business Email Compromise ($1.9bn).

Categories: Cyber Risk News

Dallas School District Reveals Major Data Breach

Info Security - Mon, 09/06/2021 - 08:28

One of America’s largest school districts has informed students, alumni, parents and employees that personal data from the past 11 years was exposed after a third-party gained unauthorized access to it.

The Dallas Independent School District (ISD) claims to serve 145,000 students in 230 schools across the region and boasts 22,000 employees.

However, it revealed last Friday that it was notified about a data security incident on August 8. Although the district is still working out which data was exposed for each victim, students, employees and contractors between 2010 and the present were likely affected.

“An unauthorized third party accessed our network, downloaded data, and temporarily stored it on an encrypted cloud storage site. The data have since been removed from the site,” it noted.

“To date, our cybersecurity experts have found no evidence indicating the data was otherwise accessed, disseminated, or sold. However, we cannot be 100% sure until our ongoing investigation is complete.”

The breached data includes full names, addresses, phone and social security numbers, dates of birth and employment and salary info for current and former employees and contractors.

For current and former students, it includes full names, social security numbers, dates of birth, parent and guardian info and grades. According to the alert, some students’ custody status and medical conditions may also have been exposed.

The district is offering 12 months of credit monitoring and ID theft recovery services and said it is continuing to investigate and remediate the incident. However, it’s still unclear what the attacker’s motives were.

“We confirmed that the unauthorized third party removed the data from the encrypted cloud storage site and has informed us the data was not disseminated or sold to anyone,” Dallas ISD claimed.

It’s also not clear how the attacker managed to access the electronic records, although the district claimed that its IT team had been working with forensic experts to fix “specific vulnerabilities that were exploited during this event.”

Categories: Cyber Risk News

DHS Makes Senior Cybersecurity Appointments

Info Security - Fri, 09/03/2021 - 18:16

Two new senior cybersecurity appointments have been announced by the United States Department of Homeland Security.

Former lead solution engineer at Salesforce, David Larrimore, has been named as the Department’s chief technology officer. Between 2016 and 2019, Larrimore occupied the same position at the Immigration and Customs Enforcement (ICE) component.

Other roles held by Larrimore include an IT manager position at the General Services Administration and a job as a cloud strategist at the United States Department of Agriculture.

Larrimore is a graduate of Salisbury University in Maryland, where he obtained a Bachelor of Arts degree in Visual Communication.  

The second new appointment to be announced by the DHS was the accedence of Robert Costello to the position of chief information officer at the Cybersecurity and Infrastructure Security Agency (CISA).

Costello was previously employed at the United States Customs and Border Protection (CBP), stepping down in March this year to work in the private sector. He is also a United States Air Force and United States Air Force Reserve veteran. 

Over the course of nine years at CBP, Costello took on the roles of executive director of the Office of Information Technology’s Enterprise Networks and Technology Support Directorate and acting executive director of the Border Enforcement and Management Systems Directorate. 

Like Larrimore, Costello also previously worked at ICE, where he filled the position of director of network engineering, and also holds a Bachelor of Arts degree. However, Costello’s BA was in Organizational Leadership and he earned it in New York City at the private Jesuit research university Fordham University.

“Larrimore and Costello’s appointments indicate that government is rethinking the type of talent it’s bringing in to help wrangle the country’s cybersecurity problem,” said Bill O’Neill, vice president of public sector at ThycoticCentrify, a provider of cloud identity security solutions based in Washington DC.

He added: “These individuals’ careers within military or law enforcement, coupled with their robust technical and engineering expertise reinforces DHS’s need for personnel that can leverage a proficient grasp of technology to both understand the inner workings of cybercrime and work efficiently to stop it.”

Categories: Cyber Risk News

Accellion Breach Impacts Beaumont Health

Info Security - Fri, 09/03/2021 - 17:00

Another Accellion breach victim has been named nine months after threat actors exploited zero-day vulnerabilities in the company’s File Transfer Application.

Beaumont Health has notified approximately 1500 patients that their personal data may have been compromised in the December attack on Accellion software.

Goodwin Procter LLP, which was hired by Beaumont to provide legal services, used Accellion’s File Transfer software to carry out large transfers on behalf of its clients. On February 5, Goodwin advised the healthcare provider that patient data may have been compromised.

A digital forensics investigation launched by Goodwin after news of the Accellion breach came to light found that an unknown user had exploited a vulnerability in the software to download certain files.

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” said a statement issued on August 27 by Beaumont Health.

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.”

The healthcare provider added that no financial information had been impacted by the incident and that neither Beaumont nor Goodwin had found any evidence of the compromised data being used improperly. 

Goodwin, on behalf of Beaumont, contacted impacted individuals by letter at their last known address on August 27 to notify them of the data breach. 

“The notice letter specifies steps impacted individuals may take in order to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont.

Following the incident, Goodwin is evaluating its data security procedures and protocols. 

News of the data breach comes a year after a phishing attack on Beaumont Health may have exposed the data of 6000 patients.  

Categories: Cyber Risk News

Student Sues Syracuse University Over Data Breach

Info Security - Fri, 09/03/2021 - 15:57

A private university in New York State is being sued for negligence by one of its students over a data breach that may have exposed thousands of Social Security numbers.

Syracuse University (SU) suffered a data breach on September 25 last year after an employee fell victim to a phishing attack and clicked on a malicious link. 

The compromised account was secured by September 28, but the security incident may have exposed the names and social security numbers of nearly 10,000 students, alumni and university applicants. 

An investigation into the security incident, which finished on January 14, was reportedly unable to definitively state whether files containing names and security numbers had been accessed by an unauthorized third party. 

In February, Syracuse University, which offers a Master’s in Cybersecurity, began contacting individuals affected by the data breach to warn them that their personal information may have been exposed. 

Commenting on the breach, Steven Bennett, senior vice president for international programs and operations at SU, said in February: “This was a really regrettable event. I understand it’s quite upsetting to some people.”

He added: “We are looking to tighten up the management of any document that has personally identifiable information in it. That was something that, in the wake of this event, we realized we really needed to do, and that’s underway at the moment.”

On Thursday, one of the students who was impacted by the breach filed a class action lawsuit against SU in Onondaga Supreme Court. The plaintiff alleges that SU didn’t do enough to protect the personally identifiable information (PII) entrusted to its care. 

He claims that inadequate staff cybersecurity training and deficient cybersecurity protocols at the educational establishment left sensitive data vulnerable to exposure. The lawsuit further alleges that SU increased the potential harm caused by the breach by waiting four months after the incident to inform impacted individuals. 

The plaintiff decided to take legal action against the university after he discovered an unauthorized charge on his checking account in the wake of the breach.

In a statement to The Daily Orange, the SU’s senior associate vice president for university communications, Sarah Scalese, said that Syracuse University does not comment on pending litigation.

Categories: Cyber Risk News

Eight US States to Begin Accepting Digital Driving Licenses

Info Security - Fri, 09/03/2021 - 11:44

Tech giant Apple has announced that eight US states will start accepting driver’s licenses and other state IDs that are stored on iPhones and Apple Watch.

Arizona and Georgia will be the first states to allow their residents to use this system, and will be followed by Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah.

The first locations to accept IDs that are stored in iPhone Wallets will be select airport security checkpoints and lanes run by the Transportation Security Administration (TSA). Unlike in other countries, where a passport is widely used to travel by air, Americans usually only require some form of state ID to travel by air domestically.

Apple said it has introduced new security features that mean users do not need to unlock or physically hand over their phones to police or security officials, helping allay privacy concerns. The company stated: “Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it. Users do not need to unlock, show or hand over their device to present their ID.”

Apple added that the iPhone Wallet is a more secure method of storing and presenting ID compared to a physical wallet, as the person’s identity data is encrypted and the use of biometric authentication ensures only the person who added the ID to Wallet can view it.

Jennifer Bailey, Apple’s vice president of Apple Pay and Apple Wallet, commented: “The addition of driver’s licenses and state IDs to Apple Wallet is an important step in our vision of replacing the physical wallet with a secure and easy-to-use mobile wallet.

“We are excited that the TSA and so many states are already on board to help bring this to life for travelers across the country using only their iPhone and Apple Watch, and we are already in discussions with many more states as we’re working to offer this nationwide in the future.”

Nevertheless, there are security concerns around having so much sensitive information stored on a single device. Ashutosh Rana, senior security consultant at the Synopsys Software Integrity Group, said: “Applications such as Apple Pay, Apple Wallet and Samsung Pay are already being used to store sensitive information, namely credit card information and personally identifiable information in the form of event tickets or membership cards. It doesn’t surprise me that such technologies will be used to store drivers’ licenses and ID cards. This will provide a quick and convenient user experience on the one hand. Then again, it may also make the security of the mobile device itself even more critical as it’s essentially a one-stop shop for malicious actors. The scale of such applications is increasing, and therefore so too should the security of mobile devices and supporting frameworks.”

Civil liberties campaigners have also expressed fears over the shift to digital IDs, demonstrated by the recent debate surrounding vaccine passports. In regard to the use of mobile driver’s licenses, digital rights group the Electronic Frontier Foundation recently wrote: “Designed wrong, it might be a big step towards national identification, in which every time we walk through a door or buy coffee, a record of the event is collected and aggregated. Also, any system that privileges digital identification over traditional forms will disadvantage people already at society’s margins.”

Categories: Cyber Risk News

Tech CEOs: Multi-Factor Authentication Can Prevent 90% of Attacks

Info Security - Fri, 09/03/2021 - 10:15

The use of multi-factor authentication (MFA) could prevent as much as 80–90% of cyber-attacks, according to figures cited by the US national security cyber chief.

Anne Neuberger, who’s deputy national security advisor for cyber and emerging technologies, said the stat was itself referenced by a number of the tech CEOs who attended a meeting with President Biden last week.

MFA is one of the five key measures that Biden has mandated be rolled out across federal government by November, as part of his executive order on cybersecurity.

Alongside MFA, she urged leadership teams at US organizations to implement four steps ahead of the holiday weekend. The others were strong passwords, prompt patching of all software, a review of incident response plans, and up-to-date backups which are segregated from the corporate network.

Given that the press conference with Neuberger was held on Thursday, it’s unlikely that these steps could be actioned in time by end-of-play Friday, especially her exhortation to “update and patch all software.”

However, it served once again to remind organizations that they must play their part in protecting the country and its national security from attacks.

As well as the executive order, Neuberger is said to have penned a letter to business leaders in June, urging them to take action against the mounting threat of ransomware.

It also follows a CISA and FBI alert this week warning that major ransomware attacks like those on Colonial Pipeline, JBS and Kaseya all occurred on holiday weekends.

To that end, Neuberger repeated CISA’s advice to firms that they should engage in threat hunting to try and head-off attacks before they can cause any damage.

“Security teams should proactively hunt on a network. It’s kind of like a digital version of walking the beat. Look for any initial signs of compromise or anything unusual on a network,” she said.

Interestingly, Neuberger also noted a slowing in the frequency of major ransomware attacks in the past couple of months, but wouldn’t be drawn on why this might be.

Categories: Cyber Risk News

FTC Bans Stalkerware App in Industry First

Info Security - Fri, 09/03/2021 - 09:30

The Federal Trade Commission (FTC) has issued its first ever ban of a stalkerware app and its CEO, in what could be the start of a crackdown on this category of controversial surveillance software.

The FTC kicked SpyFone and CEO Scott Zuckerman out of the surveillance business due to concerns that the app “secretly harvested and shared data on people’s physical movements, phone use and online activities through a hidden device hack.” That's basically the definition of stalkerware.

A second complaint was that the app required purchasers to “root” the Android devices they were looking to eavesdrop on, potentially voiding warranties and exposing them to security threats.

“The stalkerware app company not only illegally harvested and shared people’s private information, it also failed to keep it secure. The FTC alleges that SpyFone did not put in place basic security measures despite promising that it took ‘reasonable precautions to safeguard’ the information it illegally harvested,” the FTC notice continued.

“The stalkerware apps’ security deficiencies include not encrypting personal information it stored, including photos and text messages; failing to ensure that only authorized users could access personal information; and transmitting purchasers’ passwords in plain text.”

Moreover, in August 2018, a hacker managed to obtain data on 2200 consumers by accessing the company’s server. The FTC claimed that SpyFone failed to investigate the incident as it had promised.

Stalkerware operates in a kind of grey market, with software often marketed by nefarious developers as a legitimate way of monitoring teens and children, such as the Monitor Minor tool. However, in reality it is used by stalkers, domestic abusers and violent ex-partners to threaten and intimidate victims.

The FTC’s action this week could signal a new regulatory zeal in cracking down on the category.

Although Russia and Brazil are the top two countries for stalkerware, the US is in third place, according to Kaspersky data. The number of users is also on the rise in the UK.

As well as banning Support King, which did business as SpyFone, and CEO Scott Zuckerman, from selling surveillance software, the FTC will require them to delete any information illegally collected from their stalkerware apps and notify victims.

Categories: Cyber Risk News

Texan Accused of Cyber-Stalking and Murder Dies in Jail

Info Security - Fri, 09/03/2021 - 08:57

A Texan who was indicted on capital murder charges after being accused of cyber-stalking real estate agents and threatening to sexually assault their children has died in jail. 

Andy Castillo was “released deceased” from the Lubbock County Detention Center on Friday at 4:33pm. Officials from the Lubbock County Sheriff’s Office haven’t revealed how the 58-year-old former resident of Lubbock met his end, but did say that Castillo was at the University Medical Center when he died. 

Castillo was charged in January 2020 over the cyber-harassment of realtors in the Waco area. He allegedly used apps to mask his identity before sending the realtors sexually explicit images and videos from multiple phones.

Castillo was further accused of downloading photos of realtors’ children from social media and sending these images to the realtors along with graphic descriptions of the ways in which he wanted to sexually assault the minors. 

Authorities believe Castillo may have stalked around 100 realtors in roughly 20 cities and 10 states. Police said that Castillo sent his last perverse and threatening message roughly five minutes before his arrest.

Castillo was charged with one count of cyber-stalking and two counts of criminal solicitation-aggravated sexual assault of a child. However, these charges were dropped in December 2020 when Castillo was indicted for the murder of two women who were roommates in Lubbock County.

Last September, cold case investigators linked DNA samples taken from Castillo when he was arrested in connection with the cyber-stalking to DNA evidence collected from the murder scenes of 21-year-old Cynthia Palacio and 21-year-old Linda Carbajal. 

Palacio was strangled to death in July 2003 and her roommate’s life was cut short nine months later. The bodies of both women were discovered on two different rural roads in Texas. 

“A lot of women have been victimized by this creep,” said McLennan County Sheriff Parnell McNamara.

Speaking after Castillo’s DNA had been found on Palacio’s blouse and necklace and under her fingernails as well as in semen on her thigh, McNamara said: “There’s no question in our mind that he committed this murder.” 

Categories: Cyber Risk News

FBI Warns Food and Agriculture Firms of Ransomware Threat

Info Security - Fri, 09/03/2021 - 08:15

The FBI has issued a new alert warning companies in the food and agricultural sector that they are increasingly at risk of ransomware as their corporate attack surface expands.

The Private Industry Notification, seen by Infosecurity, noted that the vertical is a critical infrastructure sector which, if impacted by such threats, could negatively impact the food supply chain.

“Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants,” it continued. “Cyber-criminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems and internet-based automation systems.”

Attacks may target larger organizations, deemed more likely to pay higher ransom demands, and smaller firms perceived as softer targets. For both, the increasing move to IoT may offer a new attack surface to target, the FBI warned.

“According to a private industry report, cyber actors may gradually broaden their attack from just IT and business processes to also include the operational technology (OT) assets, which monitor and control physical processes, impacting industrial production regardless of whether the malware was deployed in IT or OT systems,” it noted.

As with all ransomware victims, those in the food and agricultural sector would suffer lost productivity, theft of proprietary and personal information, and reputational and financial damage, the alert claimed.

The industry has already been a target for attacks, most notably the May 2021 raid on Brazilian meat processing giant JBS USA, which the FBI said drove wholesale prices up 25% after various plants across the country were forced to close.

Other incidents cited in the alert include a US bakery which was forced to close for a week in July, a “US-based international food and agriculture business” that was hit by the OnePercent group in November 2020, demanding a $40m ransom, and the attack on beverage giant Molson Coors in March this year.

Categories: Cyber Risk News

US Imprisons Dark Web Moderator

Info Security - Fri, 09/03/2021 - 02:42

A man from Southern Illinois who moderated a website focused on child sexual abuse material (CSAM) has been sent to federal prison for 12 years and 7 months.

Thirty-seven-year-old Sparta resident Kory R. Schulein was indicted by a federal grand jury in October 2020 on a single count of knowingly receiving CSAM over the internet. 

Prosecutors said the unemployed man from Randolph County spent years downloading, sharing, and storing videos and images of minors being sexually assaulted. 

According to the indictment, in addition to being a moderator on a CSAM-focused website, Schulein was an active user of other dark websites offering similar content.  

Law enforcement first became aware of Schulein in 2018 during an FBI investigation of CSAM on the dark web. A federal search warrant was executed at his home address on October 1, 2019, after agents tracked his IP address.

CSAM was discovered by officers on a laptop computer and two external hard drives belonging to Schulein. The illegal and explicit content was downloaded from 2016 to 2019, according to court documents.

More than 9,000 images and videos of CSAM were stored by Schulein on an encrypted hard drive. 

The National Center for Missing and Exploited Children (NCMEC) confirmed the identities of some of the minors depicted in the more than 2,500 images and 100 videos found in Schulein’s possession.

Schulein was found to have posted 13,733 messages on dark websites that were focused on CSAM. Many of his posts included links to videos and images of children being sexually abused. 

The investigation into Schulein was carried out by FBI-Springfield in collaboration with the United States Marshals Service. The case against him was brought as part of the nationwide initiative Project Safe Childhood.

On April 29, 2021, Schulein pleaded guilty to knowingly receiving CSAM over the internet. Earlier today, he was sentenced to 151 months, or 12 and a half years, in prison.

Judge Stephen McGlynn, when sentencing Schulein, noted that some of the images and videos collected by the offender showed children in bondage and adults raping children, including 5-year-old girls and toddlers.

Categories: Cyber Risk News

UK Gun Owners’ Data Exposed

Info Security - Fri, 09/03/2021 - 02:10

The personal information of more than 100,000 UK-based firearm owners appears to have been leaked online.

The data was reportedly published on the blog of an animal rights activist in the form of a reformatted CSV file. When imported into Google Earth, the file showed individual home addresses where guns were believed to be stored, along with owners’ zip codes, phone numbers, IP addresses and email addresses. 

Blog readers were encouraged to “contact as many [gun owners] as you can in your area and ask them if they are involved in shooting animals.” 

News of the leak follows firearm e-tailer Guntrader’s confirmation in July of a data breach impacting more than 100,000 of its customers. 

Guntrader sells new and used shotguns, rifles, air rifles, air pistols and shooting equipment via its website, Guntrader.co.uk. In an email to site users, the site’s managing director, Alexander Andover, said that a database belonging to the company had been stolen.

Included in the stolen database was the personal information of users who had registered with Guntrader between 2016 and 2021 using the vendor’s own electronic gun register software. 

An investigation into the Guntrader breach and its repercussions has been launched by the UK’s National Crime Agency, which said that it “is aware that information has been published online as a result of a recent data breach which impacted Guntrader.”

The agency said: “We are working closely with the South West Regional Cyber Crime Unit, who are leading the criminal investigation, to support the organization and manage any risk.”

Guntrader said that the stolen data did not include any financial information. The site has advised users to change their passwords. 

The British Association for Shooting and Conservation (BASC) responded to the breach with a statement that read: “Our advice to members would be to check home security and be extra vigilant. Make sure all firearms are appropriately locked away and make sure buildings are kept secure.”

Mark Montaldo, a director and data breach specialist at UK-based CEL Solicitors, said: “I’ve already spoken to several Guntrader users who are naturally afraid for their safety making this a really serious breach.”

Categories: Cyber Risk News

WhatsApp Fined a Record €225m for GDPR Violations

Info Security - Thu, 09/02/2021 - 13:56

WhatsApp has been hit by a record €225m fine by Ireland’s Data Protection Commission (DPC) for failing to discharge GDPR transparency obligations.

The DPC made the announcement today following the conclusion of an investigation that began in December 2018. This examined whether the popular messaging app “has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of its service.”

This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

The DPC submitted its draft decision to other data protection authorities (DPAs) across the EU under Article 60 of the GDPR in December 2020, receiving objections to its proposed actions by eight DPAs. As no consensus could be found, the dispute resolution process under Article 65 of GDPR was triggered on June 3 2021.

The European Data Protection Board (EDPB) then adopted a binding decision on the case, instructing the DPC to reassess and increase its proposed fine. This decision was based on a number of factors, including the size of Facebook’s global annual turnover, with the EDPB stating that “the proposed fine does not adequately reflect the seriousness and severity of the infringements nor has a dissuasive effect on WhatsApp IE.”

Following its reassessment, the DPC has now imposed a fine of €225m on WhatsApp, in addition to a reprimand and “an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.” In total, WhatsApp must comply with eight actions within three months, one of which is an obligation to remind users of their GDPR rights.

The decision represents by far the highest financial penalty recorded for violating GDPR rules, more than quadrupling the $50m fine issued to Google in 2019 for failing to notify users about how their data is used.

Reacting to the decision, legal firm Cordery Compliance stated: “Transparency continues to be a key focus for DPAs across Europe. Organizations need to be clear over how they process data and they need to be honest about their data processing practices. Sometimes the transparency obligations under GDPR can be difficult to meet – especially in cases like this where WhatsApp was also processing data on non-users with whom it did not have a direct relationship. Just because this is hard however it doesn’t mean the obligations can simply be ignored.”

Ioannis Fragkoulopoulos, customer security director, Obrela Security Industries, commented: “WhatsApp’s privacy terms and conditions have come under scrutiny frequently in the past and the company has had to defend its terms and conditions many times, with users leaving the platform because of ambiguities and policy changes. This fine shows just how serious the Irish government is around transparency. When consumers sign up to platforms, they need to understand exactly how their data will be used and if it will be shared with third parties. This fine will reinforce the importance of this and act as a warning to other companies to be more transparent.”

In May, a German privacy watchdog ruled that WhatsApp's privacy policy, which was updated in January 2021 to ask its users to grant WhatsApp additional powers to share their data with its parent company, Facebook, was in breach of European data protection rules.

Categories: Cyber Risk News

UK Researchers Invent Device to Thwart USB Malware

Info Security - Thu, 09/02/2021 - 10:25

A team of researchers at a UK university have designed a new device, which they claim will mitigate the risk of malicious USB drives.

The “external scanning device” was designed at Liverpool Hope University and will soon go into production, having been granted a patent by the Indian government.

It has been engineered to overcome a major issue with operating systems — that if not configured correctly, they will trust all USBs regardless of what might be installed on them.

This could allow for the automatic transfer of malware from the thumb drive to the host PC.

However, the new device sits between the PC or laptop and USB stick, scanning the removable media for malware whilst disguising information about the computer so that it’s “nearly impossible” for any malicious code to infect the machine.

“Our invention safeguards the host computing device by providing an additional layer of hardware security, and by hiding the host operating system information. The disguised information effectively confuses the external memory device that is plugged into the computing device,” explained project lead, Shishir Kumar Shandilya.

“The invented device also scans the USB and decides the visibility and accessibility of the files present in USB devices at the host computer, giving either full access, partial access or a full block.”

Effectively, the new scanning device aims to “keep the malicious code busy” with a disguised OS, while it scans and categorizes the thumb drive.

The project is said to stem from a relatively new field known as Nature Inspired Cybersecurity (NICS), which takes ideas from the natural world and applies them to IT, to enhance cyber defense.

Shandilya, who is a visiting research fellow in Hope’s School of Mathematics, Computer Science and Engineering, claimed the team is in discussions with manufacturers about how to turn the full prototype into a commercially viable device.

Although not the threat they once were, USB-borne malware threats doubled in OT environments from 2019-2020, according to Honeywell.

There’s also a chance that the advent of hybrid working may lead to a resurgence in the use of thumb drives.

Categories: Cyber Risk News

Bad Bots Focus Attacks on E-Commerce Targets

Info Security - Thu, 09/02/2021 - 09:40

Nearly two-fifths (39%) of all internet traffic is comprised of “bad bot” activity, with e-commerce assets most at risk of attack, according to a new report from Barracuda Networks.

The security vendor’s Bot attacks: Top Threats and Trends report revealed that automated traffic accounts for the vast majority (64%) of all internet traffic today — including search engine crawlers and social media bots.

However, only a quarter (25%) of this can be labelled “good bot” activity. Far more is the result of automated scripts attempting account hijacking, web scraping and much more.

Most of the traffic analyzed in the report came from AWS and Azure public clouds, which it’s claimed make it easy for threat actors to set up accounts for their malicious bot activity.

North America accounted for 67% of bad bot traffic, followed by Europe and Asia. However, in Europe, malicious bots are more likely to come from hosting services or residential IPs, the report said.

Although automated, these attacks are designed to follow a normal workday so as to blend into other traffic.

Examples provided by Barracuda included a bad bot probing for security vulnerabilities by masquerading as a legitimate vulnerability scanner, and another brute forcing the login page of a medical service provider with stolen credentials.

Others included a web scraping bot attempting to steal information from a B2B e-commerce store, and another doing the same with pricing information (aka “price scraping”) on an Eastern European e-commerce site.

In fact, Barracuda warned that e-commerce apps and login portals are the most common target of advanced persistent bots — which are harder to detect as they closely imitate human behavior.

“When left unchecked, these bad bots can steal data, affect site performance, and even lead to a breach,” explained Barracuda’s VP of product management, application security, Nitzan Miron.

“That’s why it’s critically important to detect and effectively block bot traffic.”

An Imperva report from April this year claimed that bad bots might even be used by unscrupulous scalpers to buy up in-demand COVID-19 PPE to profit from the pandemic.

Categories: Cyber Risk News

Sacked Employee Deletes 21GB of Credit Union Files

Info Security - Thu, 09/02/2021 - 08:55

A former credit union employee is facing a decade behind bars after pleading guilty to destroying large amounts of corporate data in revenge for being fired.

Juliana Barile, 35, of Brooklyn, submitted the plea at a federal court in Brooklyn on Tuesday, admitting to one count of computer intrusion arising from her “unauthorized intrusion into, and destruction of data” on her former employer’s computer system.

Two days after being fired on May 19 2021, Barile is said to have accessed the file server of the New York-based credit union, opened confidential files and deleted 21.3GB of data, including 20,000 files and almost 3,500 directories, according to the Department of Justice (DoJ).

The deleted files apparently related to mortgage loan applications and the company’s anti-ransomware software.

She also sent a text message shortly after to a friend claiming: “I deleted their shared network documents.”

According to the DoJ, the credit union spent $10,000 fixing the unauthorized intrusion and deletion of documents.

“Ms. Barile may have thought she was getting back at her employer by deleting files, however she did just as much harm to customers. Her petty revenge not only created a huge security risk for the bank, but customers also depending on paperwork and approvals to pay for their homes were left scrambling,” said FBI assistant director-in-charge Michael Driscoll. 

“An insider threat can wreak just as much havoc, if not more, than an external criminal. The bank and customers are now faced with the tremendous headache of fixing one employee's selfish actions.”

The case highlights the importance of prompt offboarding of terminated employees. According to the court documents, a credit union employee requested that its IT support firm disable Barile’s network access, but this was not done in time.

Instead, she was able to use her username and password to access the file server remotely for around 40 minutes.

Categories: Cyber Risk News

Australian Couple Admits “Serious Cyber Hacking Offenses”

Info Security - Wed, 09/01/2021 - 19:29

An Australian couple has admitted stealing personally identifiable information (PII) and using it to commit money laundering and deception offenses that netted them millions of dollars.

Jason Bran Lees, aged 33, and Emily Jane Walker, aged 29, were arrested in Adelaide in February 2020 along with a then 31-year-old unidentified co-conspirator who had moved from Adelaide to Sydney. 

The couple has since pleaded guilty to dozens of charges, including dishonest dealings with documents and being in possession of a computer virus with intent to commit a serious computer crime.

An Australian court heard that between July 2018 and February 2020, Lees and Walker hacked into the payroll documents of multiple businesses and organizations to steal information that included names, addresses, and birth dates. 

They used the data illegally obtained from more than 7,000 identity documents to establish hundreds of fraudulent bank accounts into which they diverted funds that were subsequently laundered into crypto-currency.

Among the stolen documents police found in the couple's possession were drivers' licenses and Medicare cards. 

Lees' lawyer, Andy Ey, said his client used "significant, sophisticated" malware to carry out his criminal activities and that his case involved laundering millions of dollars into Bitcoin. 

"This involved a computer program that would go in and divert a sum of funds," said Ey. "The computer program acted somewhat autonomously in that it would target whatever amount the business had in those accounts.

"Sometimes it was a very significant amount but as soon as those larger amounts were attempted to be transferred by this computer program to the other accounts that were created falsely, the bank would freeze on the funds immediately because it was so suspicious."

The investigation remains ongoing; however, police believe the couple stole at least $11m.

Prosecutors are seeking custodial sentences for the couple, who have been denied access to the internet since being granted house detention bail shortly after their arrest. 

"The offenses to which the defendants have now pleaded guilty are serious — cyber hacking offenses, for want of a better word — resulting in thefts," prosecutor Alex Rathbone told the court.

The couple’s co-conspirator, who has not been named in the Australian press, was sentenced last week to 11 years in jail with a non-parole period of six years and six months.

Categories: Cyber Risk News

SAP HANA SECURITY Solution Acquired by XYPRO

Info Security - Wed, 09/01/2021 - 18:32

Cybersecurity company XYPRO Technology Corporation has acquired a critical security and compliance monitoring platform for SAP HANA and Linux environments from Hewlett Packard Enterprise (HPE).

The acquisition of Workload Aware Security (WASL) was announced on Tuesday along with the news that HPE will continue to sell and distribute the WASL tool. 

XYPRO said the deal would bring its mission-critical security expertise to the Open Systems and SAP HANA markets and customers. The company added that while it will support existing deployments of WASL and ongoing renewals, innovations to the platform will be made "to ensure SAP HANA customers remain secure and compliant."

The WASL platform makes it possible to perform a one-click assessment and remediation of Linux workloads and SAP HANA environments, cutting down the amount of time and money it takes to determine whether an application is compliant with the Security Technical Implementation Guide (STIG). 

"This acquisition further solidifies the strong partnership between XYPRO and Hewlett Packard Enterprise and positions XYPRO for even greater growth into new market segments," said Steve Tcherchian, chief product officer at XYPRO. 

"Just like NonStop customers have for over 35 years, SAP HANA customers now benefit from XYPRO's cybersecurity experience, secure development practices and strategic business relationships while enjoying great support and leading-edge security solutions."

Jeff Kyle, vice president and general manager, data solutions at HPE, said that the deal would help to strengthen security features in HPE's mission-critical solutions.

"We are committed to making cybersecurity a critical component to our mission-critical solutions to ensure reliable security monitoring and management of always-on activity," said Kyle.

"Our long-standing collaboration with XYPRO addresses these essential security needs and joint customers will further benefit from XYPRO's upcoming plans to integrate the Workload Aware Security (WASL) platform with its existing capabilities to target SAP HANA workloads. 

"As a leader in delivering solutions for SAP HANA workloads, HPE will further strengthen security features in mission-critical solutions such as in the HPE Superdome Flex server, which is an ideally suited platform for a range of industries leveraging SAP."

Categories: Cyber Risk News

SEC Sanctions Eight Firms Over Deficient Cybersecurity Procedures

Info Security - Wed, 09/01/2021 - 17:36

The United States Securities and Exchange Commission (SEC) has charged eight companies with cybersecurity failures that led to the exposure of personal information. 

Sanctions against the firms were announced on Monday in the form of three actions against Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). 

In a statement released August 30, the SEC said: "The Securities and Exchange Commission today sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm."

All the accused firms were Commission-registered as investment advisory firms, broker-dealers, or both. They have all entered into agreements with the SEC to settle the charges laid against them.

An SEC investigation into the cybersecurity of Cetera Entities found that between November 2017 and June 2020, the personally identifying information (PII) of at least 4,388 customers and clients was exposed after the cloud-based email accounts of more than 60 personnel of Cetera Entities were taken over by unauthorized third parties.

Between January 2018 and July 2021, takeovers of 121 email accounts belonging to Cambridge representatives caused the PII of at least 2,177 Cambridge customers and clients to be exposed. At KMS, between September 2018 and December 2019, 15 financial advisers or their assistants had their email accounts taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 KMS customers and clients.

The SEC found that KMS and Cambridge "failed to adopt written policies and procedures requiring additional firm-wide security measures" until August 2020 and 2021, respectively. 

"It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit.

Cetera Entities will pay a $300,000 penalty, KMS will pay $200,000, and Cambridge will pay $250,000.

Categories: Cyber Risk News

UK Cyber Security Council Appoints New Chief Executive

Info Security - Wed, 09/01/2021 - 15:00

The UK Cyber Security Council has appointed Simon Hepburn as its permanent chief executive.

Hepburn will succeed Don MacIntyre, who was appointed interim CEO of the Council in January 2021, shortly before it launched as an independent organization.

He is tasked with driving forward the remit of the self-regulatory body for the cybersecurity education and skills sector, whose activities are funded by the UK government. This is primarily to represent the cybersecurity profession, drive awareness and excellence across the industry and help close the UK’s cyber skills gap by providing a clear roadmap for those entering or progressing through roles in the sector.

Hepburn has a wealth of experience in developing skills and educational programs across various organizations, including leadership roles at a number of charities. He founded Black Star Inc., where he advised on diversity and inclusion, leadership and management, people and change, strategy and organization development, careers and employability. He was also UK Director at the international social action charity City Year UK, where he oversaw school partnerships, program design and delivery, leadership program development and mentor experience.

Commenting on the appointment, Dr. Claudia Natanson, chair of the Board of Trustees of the UK Cyber Security Council, said: “Simon Hepburn’s record is one of delivering at the sharp end of education and careers, for charitable organizations like the Council.

“The Council may well be the voice for the profession, but it is absolutely intended to be a ‘doing’ organization rather than just a ‘talking’ organization, so this attribute made him an excellent candidate for CEO; we welcome his passion and energy and look forward to him driving the organization forwards.”

Hepburn outlined: “I make no secret of my passion for supporting people and organizations to reach their full potential and make a positive contribution to society — it has been at the heart of my career to date. I intend to bring the full weight of that knowledge and experience to bear on the activities of the Council, benefiting the cybersecurity profession.

“I’m excited by the opportunity to work with one of the most critical sectors in our country, delivering education and skills support and resources to organizations and the professionals that are essential to the safe, secure and prosperous operation of the UK economy.”

Last week, the Council announced it had opened its membership application process.

Categories: Cyber Risk News