Intelligent Connections. Powerful Impact.
Call Us: 415-510-2973

Archive for December 2015

Over Half of Firms Report Spike in Whaling Attacks

Over Half of Firms Report Spike in Whaling Attacks

Over half of organizations have seen an increase in so-called whaling attacks over the past three months, exposing them to potentially costly fraud, according to new research from Mimecast.

The email security firm polled over 400 IT professionals in the UK, US, South Africa and Australia to better understand the prevalence of this increasingly common online scam.

It found 55% of respondents reported an increase in whaling—where a fraudster emails a senior member of the finance team pretending to be the CEO in a bid to trick them into making a large wire transfer out of the company.

The most popular method of attack is domain spoofing (70%), with domain squatting (16%) some way behind.

Unsurprisingly the majority of whaling attempts impersonate the CEO (72%), while a significant minority (35%) pretend to be the CFO.

Gmail (25%) is used more often than Yahoo (8%) or Hotmail (8%), Mimecast found.

The barrier to entry for such attacks has become dangerously low, with attacks likely to increase as long as they continue to reap rewards for the online scammers, according to Mimecast cybersecurity strategist, Orlando Scott-Cowley.

“Whaling has become an effective malware-less threat for enterprises. The cost of getting it wrong and falling foul of the social engineering can be significant,” he told Infosecurity by email.

“So as a business you’ve got to make sure your staff are fully aware of the threat, and don’t simply trust what they read in emails without verifying the request by other means. Concentrate on senior members of staff as attackers will choose mid to upper managers because of the authority they carry in the business.”

Scott-Cowley added that IT managers should configure their email systems to flag any messages arriving from outside the company containing suspicious-looking content.

Just over the past year, the number of high profile whaling attacks hitting the headlines has soared—indicating that many more are likely going unreported.

Back in February it was revealed that fraudsters made off with a massive $17m from a single firm after persuading a senior exec at commodities trader Scoular to wire funds to a Chinese bank.

And in June, magazine publisher Bonnier Group fell for the same trick, this time transferring out at least $1.5m before the scam was spotted.

Photo © Tory Kallman

Source: Information Security Magazine

Over Half of UK Malicious Files were Ransomware in 2015

Over Half of UK Malicious Files were Ransomware in 2015

Over half (54%) of all malware targeting UK users in 2015 contained some form of ransomware, according to worrying statistics from Bitdefender.

The security vendor analyzed data from the year only to find the global ransomware epidemic particularly virulent in Blighty.

Nearly one in 10 (9.1%) of all ransomware infected emails worldwide were apparently headed for UK users before Bitdefender intercepted them.

This meant the UK came in second only to the US (21%) in the global ransomware stakes—presumably because of its high internet penetration and relatively high GDP.

In the States, the proportion of malware files classed as ransomware was even higher than in the UK, at 62%.

The majority were apparently accounted for by the prolific CryptoWall and CryptoLocker. The former famously managed to extort over $1m from victims in just six months.

“These numbers show that ransomware masterminds have made countries such as the UK and US priority targets to attack, most likely because they consider both to be highly profitable markets,” said Bitdefender chief security strategist, Catalin Cosoi.

“In 2015, the creators of the notorious CryptoWall ransomware have managed to extort more than $325 million from US victims. We also have to consider the use of sophisticated encryption algorithms that often leave victims no choice but to pay the ransom.

Cosoi claimed that in some cases even the FBI has urged companies to pay the ransom, although the Feds still publicly advise organisations to take preventative measures such as ensuring systems are fully patched and up-to-date and users don’t open unsolicited emails.

The bad news is things are going to get even worse for firms in 2016, according to Bitdefender.

Ransomware will increasingly spread to new platforms such as Linux, potentially exploiting vulnerabilities to encrypt even more files deeper in victims’ machines, the firm claimed.

Photo © Robing

Source: Information Security Magazine

APAC Industrial Control Security Market to Top $1 Billion

APAC Industrial Control Security Market to Top $1 Billion

The APAC market for industrial control systems (ICS) security is set to top $1 billion in just four years as industry players begin to understand the growing cyber threat to operational technology, according to new research.

Frost & Sullivan made the predictions in its new Asia-Pacific Industrial Control Systems Security Market report out today.

It pointed to several market drivers, not least the fact that increasing numbers of firms are looking to the Internet of Things to improve efficiency and competitiveness.

As they do, these businesses are realizing the need for ICS security in the design phase of such projects, F&S said.

In combination with this trend, companies running industrial systems are also increasingly appreciating the fact that cyber attacks can affect their uptime.

This has led to some energy plants in the region implementing compliance projects for the North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC-CIP) or the National Institute of Standards and Technology (NIST).

APAC governments are also leading the charge to improved ICS security for critical infrastructure, the report claimed.

For example, Tokyo has established the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which in turn founded the Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR) Council to improve information sharing among critical infrastructure verticals.

“In recent years, industrial control systems used in the automation of industrial plants were increasingly connected to the internet for its benefits. However, cybersecurity was not part of the original design process, which made the systems vulnerable to cyber threats,” said Frost & Sullivan senior industry analyst, Charles Lim.

“Therefore, it is vital that the industry understands the threats pertaining to operational technology and ensure that the right cybersecurity solutions are in place to address this.”

The hike in spending comes not a moment too soon, as the analyst predicts attacks on ICS will become increasingly complex and politically motivated—whether carried out by hacktivists, nation states or terrorists.

From revenue of just $163m in 2014, the market for ICS security will grow to a whopping $1.2bn by 2019, the report claimed.

Photo © Mopic

Source: Information Security Magazine

Charge Anywhere Certifies PoS for EMV

Charge Anywhere Certifies PoS for EMV

Charge Anywhere has acquired an EMV smart-card certification that will allow it to bring compatible payment processing solutions to the US.

The company has certified its ComsGate Payment Gateway to the First Data Rapid Connect platform, which enables Charge Anywhere to switch EMV transactions for merchants and acquirers in the US using the First Data Nashville, Omaha, Atlanta and South platforms.

Charge Anywhere’s series of encrypted point of sale (PoS) hardware devices are designed to accept EMV chip, chip and PIN, PIN debit and credit card payments, and are integrated to the Charge Anywhere software platform. The card payment solution can be implemented as a stand-alone solution or can be integrated into third-party software applications.  A free software development kit is available to integrators.

Charge Anywhere uses the Miura Shuttle product line of EMV PoS terminals, which includes models M006, M007 and M010. They can be used with Android and Apple smartphones or tablets, and with Windows computers. 

"We have successfully deployed tens of thousands of Miura Shuttle terminals in projects outside of the US, and we are confident that US merchants and acquirers will embrace this EMV PoS solution as the most complete and cost-effective product when upgrading their payment acceptance systems to accept chip cards and get the benefit of the EMV liability shift," said Paul Sabella, Charge Anywhere CEO.

The move is a good one for Charge Anywhere, which last year found previously undetected malware on its systems that may have allowed attackers to capture card details from as far back as 2009.

“The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic,” it said at the time. “Much of the outbound traffic was encrypted.  However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.”

Photo © wavebreakmedia

Source: Information Security Magazine

Center for Internet Security Releases Companion Guides

Center for Internet Security Releases Companion Guides

The Center for Internet Security (CIS) has announced the release of three new Companion Guides to the CIS Controls. 

More than 12,560 individuals and organizations have downloaded the CIS Critical Security Controls for Effective Cyber Defense Version 6.0, since their release to the public on October 15. The CIS Controls are a recommended set of actions that provide specific ways to stop today’s most pervasive and dangerous cybersecurity attacks.

“These new guides represent the ecosystem of working aids we're developing along with the CIS Controls to combat the increasing challenges and complexity of cybersecurity. Our expert panels will continue to create Companion Guides such as these to address specific challenges using the CIS Controls,” said Tony Sager, senior vice president and chief evangelist at CIS.

“The same privacy content was in the recent V. 6.0 of the CIS Controls, but since our panel of experts and I consider privacy of such paramount importance, we opted to release this information in a separate Companion Guide as well,” he added.   

The three new Companion Guides to the CIS Critical Security Controls Version 6.0 are:

Internet of Things Security Companion to the CIS Critical Security Controls V. 6.0: A proliferation of smart devices are driving increased connectivity to custom corporate intranets to the Internet, providing adversaries and hackers new access vectors to launch attacks against these important networks. This Companion Guide for the CIS Critical Security Controls outlines how the CIS Controls are directly applicable to the current and future Internet of Things (IoT) networks.

Mobile Security Companion to the CIS Critical Security Controls V. 6.0: Mobile devices are starting to replace laptops for regular business use. Organizations are building or porting their applications to mobile platforms, so users are increasingly accessing the same data with mobile as with their laptops.  Also, organizations have increasingly implemented bring your own device (BYOD) policies to manage this trend. This Companion Guide helps individuals and organizations apply the CIS Controls to tackle the problems inherent in the increased use of mobile devices.

Toward A Privacy Impact Assessment (PIA) Companion to the CIS Critical Security Controls V 6.0: An effective posture of enterprise cybersecurity need not, and indeed, should not compromise individual privacy.  Many laws, regulations, guidelines, and recommendations exist to safeguard privacy, and enterprises will, in many cases, adapt their existing policies on privacy as they apply the Center for Internet Security Critical Security Controls for Cyber Defense Version 6.0. At a minimum, use of the CIS Controls should conform to the general principles embodied in the Fair Information Practice principles (FIPs) and in Privacy by Design.

An appendix was included in the latest version of the CIS Critical Security Controls to address the importance of safeguarding privacy, and is now a stand-alone Companion Guide. It provides a framework to help organizations create a privacy impact assessment.

“Effective cybersecurity should not compromise individual privacy,” said CIS CEO Jane Holl Lute. “Every organization needs to look at their cybersecurity posture in order to assess and mitigate potential privacy risks. The new Companion Guides provide solutions for many of these challenges, including safeguarding users’ privacy configurations, patching vulnerabilities and restricting unauthorized users.”

Photo © watcharakun

Source: Information Security Magazine

Guilty Plea Entered in Newswire-Hacking Insider Trading Case

Guilty Plea Entered in Newswire-Hacking Insider Trading Case

Hacking and insider trading: Two criminal tastes that seem to taste great together—if ethics charges are your dish of choice. A Georgia-based man has pleaded guilty to participating in the $100 million insider trading scheme that involved hacking into commercial news distribution services.

Alexander Garkusha, who authorities say traded on inside information, pleaded guilty in federal court in Brooklyn, New York, to conspiracy to commit wire fraud, becoming the first defendant criminally charged in the case to admit wrongdoing.

"I am very sorry I did this," Garkusha said in court, according to Reuters. "I know that it was against the law."

In August it came to light that an international ring of con men and criminals managed to make $100 million in the stock market by gaining advance access to press releases set to be sent across the wire by PR Newswire, Business Wire and Marketwired. Phishing was the initial vector.

The campaign lasted from 2010 until this last May—a five-year period during which more than 150,000 press releases with earnings figures and other market-impacting corporate information were pilfered and analyzed prior to their release—offering market brokers an opportunity to make some very savvy investments, hours to three days ahead of the game.

For instance, on one day in 2013 the group was poised for a positive earnings report from Panera Bread—and proceeded trading more than 75,000 shares in a little over an hour to make $900,000.

For his part, Garkusha, an executive at Alpharetta, Ga.-based  real-estate developer, said that he made $125,000 trading in stocks over a three-month period, using corporate press releases obtained before they were released publicly.

Garkusha was arrested in August. The feds have detained a mixed crew of hackers and stock traders in the case, charging nine people in the US and Ukraine with federal criminal charges, including securities fraud, computer fraud and conspiracy. The Securities and Exchange Commission also brought civil charges against the nine, plus 23 other people and companies in the US and Europe. Prosecutors said the defendants made $30 million from their part of the scheme.

Charges remain pending against four other defendants, on indictments filed in Brooklyn and Newark, New Jersey: Arkadiy Dubovoy, Igor Dubovoy, Leonid Momotok and Vitaly Korchevsky. They have all pleaded not guilty.

Photo © pixfly

Source: Information Security Magazine

Panda Security: New Malware Hit 230,000 Per Day in 2015

Panda Security: New Malware Hit 230,000 Per Day in 2015

New malware will grow exponentially in 2016, with cyber-criminals increasingly taking to JavaScript and PowerShell to launch successful attacks against their victims, according to Panda Security.

The Spanish security vendor claimed the pattern would repeat 2015, when the number of new malware samples discovered daily hit 230,000.

It warned of an increase in infections via JavaScript and Windows admin tool PowerShell.

The latter is a scripting tool designed to automate the administration of the OS and associated apps, but it is being favored by cyber-criminals keen to fly under the radar of traditional defenses.

Panda’s prediction of an exponential rise in new malware is not quite in line with the predictions of some of its rivals, who see malware growth slowing.

Kaspersky Lab said earlier this month, for example, that the volume of new malware it discovered in 2015 dropped by 15,000—from 325,000 in 2014 to 310,000.

Elsewhere, Panda predicted mobile and Internet of Things devices would be increasingly under fire next year. When it comes to Android, cyber-criminals are likely to launch more threats designed to root the device—making it almost impossible for AV tools to stop.

Rootkits will also be favored to help the bad guys hide from security tools, it said.

Mobile payment platforms in particular could be under threat—especially those which attract a large number of users, said Panda.

And there’ll be no let-up in the volume of ransomware attacks which have become a major headache for consumers and corporate users alike.

“The extra security measures being discussed are moving beyond just having an antivirus on your PC, but also including having mobile device protection installed on tablets and phones,” PandaLabs director, Luis Corrons, told Infosecurity.

“Ensure all devices, including where possible IoT devices such as routers, have the latest updates installed. Where possible have advanced security solutions installed that analyze and classify the behavior of all executables.”

Photo © ScandinavianStock

Source: Information Security Magazine

Foreign Hackers Infiltrate US Power Grid – Report

Foreign Hackers Infiltrate US Power Grid – Report

Potentially state-sponsored foreign hackers have launched a series of successful advanced attacks against the US power grid infrastructure over the past decade, giving them critical access which could enable remote control, according to a new report.

Unnamed “top experts” told AP that attackers had struck at the heart of the nation’s ageing operations networks around a dozen times over the period—although such attacks have largely gone unreported.

Rather than effect massive blackouts across the country now, the hackers are likely to be sitting tight inside these networks until a more propitious time, it is believed.

Although the US regularly defends attacks from Russia, China and even the Islamic State, it was a recently discovered intrusion by Iranian hackers which has caused most consternation.

They are said to have targeted power provider Calpine—which has over 80 plants in North America—back in August 2013.

In a classic APT-style intrusion, the attackers first targeted a contractor of the energy firm. From here they obtained usernames and passwords to remotely connect to the Calpine network.

Although the level of access they achieved could have enabled them to shut down power plants, they instead chose to steal detailed engineering drawings of networks and power stations across the country.

This gave them knowledge of what devices they’d need to hack to target specific plants—although it has been suggested these were out of date and so not as useful as at first thought.

Also stolen apparently were plans showing how individual plants transmit information back to the company's virtual cloud.

Cylance researcher Brian Wallace first made the discovery, finding over 19,000 files stolen from all over the world by the group, including from Pakistan International Airlines, the Israel Institute of Technology, Mexican oil firm Pemex and the Navy Marine Corps Intranet.

Iran-based IP addresses and snippets of Persian comments in the code led investigators to speculate about the origin of the attack, although the involvement of the nation’s government was too tricky to attribute.    

Key parts of the US power grid run on outdated software for which there are no longer patches, yet they are connected to the internet to make management easier—crucially exposing them to these kinds of attacks.

However, business continuity is built into the system, making a nationwide blackout difficult to effect.

It’s not just the power grid that’s at risk. A new report claims Iranian hackers managed to break in and gain access to the industrial control systems of a New York dam—in a move which could have allowed them to control the flood gates.

It’s claimed that the US has the highest number of internet-connected industrial control systems in the world—over 50,000.

Photo © Jim Parkin

Source: Information Security Magazine

FTC: Oracle in the Wrong Over Java Updates

FTC: Oracle in the Wrong Over Java Updates

Oracle will be forced to allow customers to easily uninstall old, insecure versions of Java SE after agreeing to settle regulator charges that it deceived consumers about its security updates.

The FTC claimed in a press release that Oracle had promised Java users that by installing its updates they would be “safe and secure.” However, it apparently failed to tell them that the update only automatically removed the most recent prior version of the popular software.

This strategy potentially left older, insecure versions of Java on user machines which could then be exploited by hackers.

What’s more, the FTC claimed that internal documents showed Oracle knew its Java update mechanism was “not aggressive enough or simply not working” as far back as 2011.

The business software giant did inform customers of the need to remove older software versions, via notices on its site. But these failed to explain that the update process didn’t automatically do this, violating Section 5 of the FTC Act, the regulator claimed.

The firm finally sorted the problem out in August 2014, it is claimed.

Oracle will now be required to notify any customers during the update process if they have outdated Java software versions; to inform them about the risks involved with having old software running; and to give them the option of uninstalling it.

It will also need to post a “broad notice” on its site and social channels about the FTC decision and how users can remove old versions of Java.

The FTC added:

“The consent order also will prohibit the company from making any further deceptive statements to consumers about the privacy or security of its software and the ability to uninstall older versions of any software Oracle provides.”

The regulator has posted a consumer blog here and full details of the agreement with Oracle, including the open letter it must post to customers, here.

Photo © Gil c/Shutterstock.com

Source: Information Security Magazine

US Congress Passes Controversial Info-Sharing Bill

US Congress Passes Controversial Info-Sharing Bill

On Friday, the US Congress passed cybersecurity information sharing legislation after more than five years of debate. The Cybersecurity Act of 2015 (formerly the Cybersecurity Information Sharing Act, or CISA), was passed as part of the Omnibus Spending Bill.

Specifically, CISA gives companies the ability to share cybersecurity information with federal agencies, including the NSA, “notwithstanding any other provision of law:” i.e., it provides liability protection and antitrust exemption for those sharing information.

To effect this, it calls for info-sharing portals to be set up with agencies like the FBI and the Office of the Director of National Intelligence, so that companies hand information directly to law enforcement and intelligence agencies instead of going through the Department of Homeland Security and the court vetting system contained therein. And, it allows the use of specific threat data by law enforcement without specific court approval when there is a known, specific threat.

Other aspects include:

  • It’s voluntary. There is no requirement to share information or to use shared information.
  • It requires reasonable efforts to protect the distribution of PII unless that information is relevant to the cybersecurity purpose (e.g. the registration details of a criminal domain).
  • It makes clear that shared data can be used in criminal prosecutions, but cannot be used as evidence of regulatory violations.

The legislation has been highly controversial, with detractors arguing that it could allow organizations to circumvent privacy norms and civil liberties, including the requirement for warrants when it comes to surveillance. There is no mention of warrantless wiretapping and the like as part of the bill’s language, but opponents are concerned that the language is sufficiently vague as to provide a loophole for just such snooping.

“We are deeply disappointed that Congress has passed CISA into law, despite our serious concerns that it will undermine privacy and cybersecurity,” said Robyn Greene, policy counsel at New America’s Open Technology Institute (OTI), in a statement to media. “Hopefully, the private sector, the intelligence community, and law enforcement will construe its dangerously broad provisions as narrowly as possible, so that the impact on online privacy is minimized.”

Opponents are also particularly upset that it was packaged with the Omnibus, a virtually un-vetoable, must-pass package that will provide operational funding and avoid a government shut-down for the time being. OTI, along with 50 other security experts and civil society groups, wrote to Congress in the wake of the bill’s passage, they strongly oppose the bill “because of its weak privacy protections, and opposing leadership’s choice to refuse to hold a stand-alone vote and instead force it into law as part of the must-pass omnibus spending bill.”

Sean Tierney, Morgan Stanley’s former cyber-emergency response chief and current vice president of threat intelligence at IID, has a different take. He said that CISA removes many of the main impediments to widespread cybersecurity information-sharing, while maintaining the current level of protection for personally identifiable information (PII).

“Study after study has found that fear of liability for shared information keeps organizations from fully participating in threat intelligence exchange,” he said in a blog. “For the past two years, IID has partnered with the Ponemon Institute to study this topic. Last year 55% of respondents said the potential liability of sharing keeps their companies from more fully participating in a threat intelligence exchange program. This increased to 62% of respondents in this year’s study.”

And some are in the middle when it comes to reaction, and note that the interpretation of the law will be everything. Paul Kurtz, former White House cybersecurity advisor and current CEO and co-founder of TruSTAR Technology, noted that the devil will be in the details.

"This is the first tangible demonstration of a partnership between Congress, the Administration and the private sector to address the critical need for cyber incident sharing to help protect our economy and national security,” he said, via email. “Providing liability relief for companies sharing cyber incident data amongst themselves and with the government provides a foundation on which to build a more collaborative cybersecurity defense. However, information-sharing should not have to cost us our privacy, and now it will be up to the private sector to build an infrastructure that both promotes security and preserves trust."

One thing that’s agreed upon is that there’s much more work that can be done. OTI and others are urging Congress to consider other measures in the cybersecurity space, including: Reforming the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to ensure that security researchers are able to identify and responsibly disclose vulnerabilities without fear of prosecution or civil liability; establishing a grant program that would support small businesses in implementing programs that accept and reward vulnerability reports; incentivizing businesses to practice better cyber hygiene; and creating scholarships programs for individuals in underserved communities to study computer science and software engineering.

“For over five years, the information sharing debate took up all of the air in the room when it came to cybersecurity policy,” OTI’s Greene said. “Now that it is over, we hope that Congress will finally turn its attention to passing legislative reforms that will improve cybersecurity while also respecting or even enhancing privacy. Congress should begin to work to ensure that security researchers can find and disclose vulnerabilities free from the threat of prosecution or civil liability, and create programs that will make cyber-hygiene and tech education more accessible to and achievable by individuals and businesses.”

Source: Information Security Magazine