Archive for April 2016

UN Energy Tsar Warns UK of Cyber Threat

The UK’s energy sector is at serious risk of a crippling cyber attack on its infrastructure, the head of the World Energy Council has claimed.

Speaking to City AM, director general of the council, Christopher Frei, claimed that the UK was not the only country in danger.

“In the last two years this issue has really come close to – if not to the top of – the issues keeping energy leaders awake at night. So cyber is a very big issue for energy infrastructure,” he told the paper.

However, the seriousness of the issue is being underestimated by lawmakers and energy officials alike, he confirmed.

The World Energy Council’s annual report released last month also highlighted the problem from cyberspace. It is now ranked as the number one issue in terms of ‘uncertainty’ facing the industry in the UK.

The report claimed:

“Since the last report, UK energy security has seen a marked refocusing on to non-industry-related external threats such as those from terrorism and cyber attacks, whether individual or state-sponsored.”

The problems affecting Ukrainian power suppliers over Christmas have shown the damage that a well targeted cyber attack can cause.

Tens of thousands of homes in the west of the country were said to have gone without power following the incident.

Jon Geater, CTO at cybersecurity firm Thales e-Security, argued that it’s vital that robust security is put in place to safeguard the UK’s critical infrastructure.

“As ‘software eats the world’ and everything becomes data driven – even those things made of concrete, steel and flesh – we need to adapt our data protection strategies to fit the nuanced needs of these newly digital industries,” he added.

“To achieve the future smart and green connected cities that we want at the speed we want them they must reuse what the IT industry has already provided, both on-premise or increasingly in the cloud. That means that without expert adaptation they get the same kinds of problems we’ve been seeing for years in IT, but more worryingly – in this example – with more serious repercussions if things go wrong.”

Source: Information Security Magazine

BlackBerry Boss Spills the Beans on ‘Lawful Access’

BlackBerry boss John Chen has hinted that his firm may have complied with police access requests for encrypted BBM chats sent via its BlackBerry Internet Service (BIS) during an operation designed to dismantle a Mafia crime syndicate.

In a carefully worded blog post, the CEO and executive chairman of the Canadian mobile firm addressed reports from last week that claimed the Royal Canadian Mounted Police (RCMP) had accessed the global encryption key used to secure all BBM messages.

Court documents in the case – where incriminating messages were used to help prosecute dozens of people suspected of involvement in organized crime – revealed that the RCMP ran a “BlackBerry interception and processing system,” and that it had “the correct global key when it decrypted messages during its investigation.”

However, it was not revealed in court exactly how it came by that key, according to Vice.

In a short blog post yesterday, BlackBerry’s Chen claimed of the case: “Regarding BlackBerry’s assistance, I can reaffirm that we stood by our lawful access principles.”

These principles state:

“Like others in our industry, from time to time, BlackBerry may receive requests from legal authorities for lawful access assistance. We are guided by appropriate legal processes and publicly disclosed lawful access principles in this regard, as we balance any such requests against our priority of maintaining privacy rights of our users. We do not speculate or comment upon individual matters of lawful access. Additionally, BlackBerry does not provide special deals for individual countries…”

Chen added that BlackBerry would always “do what is right for the citizenry, within legal and ethical boundaries.”

“We have long been clear in our stance that tech companies as good corporate citizens should comply with reasonable lawful access requests,” he added. “I have stated before that we are indeed in a dark place when companies put their reputations above the greater good.”

That stance puts it somewhat in contrast with Apple, which has taken a major stand recently against the US authorities over access to private messages.

Chen went on to confirm that the BlackBerry Enterprise Server (BES) remains inviolate when it comes to providing law enforcers with access to private messages. This is because the encryption key is handled by individual customers – meaning BlackBerry couldn’t help if it wanted to.

That’s why it has repeatedly turned down such requests from nations such as Pakistan.

Its uncompromising stance there eventually led to the government withdrawing its access demands, having previously ordered the firm to cease operating there.

BBM users will, however, feel more than a little nervous: if the RCMP had access to specific users’ messages, law enforcers in other countries may also have had it.

Source: Information Security Magazine

Moscow’s Smart City Security Flaws Could Create Traffic Chaos

Security researchers have warned that basic security flaws in smart traffic monitoring systems could allow black hats to change, falsify or even delete crucial data, potentially creating widespread disruption in the city.

Kaspersky Lab security researcher, Denis Legezo, highlighted a recent test of Moscow’s smart transportation system – a network of road sensors which gather traffic info to help officials alter traffic flow in real time and make future infrastructure planning decisions.

He revealed several basic security issues which made the system highly vulnerable to hackers.

The first was that the name of the manufacturer was printed clearly on the side of the sensor box.

Following up online, the Kaspersky Lab team was then able to find technical documentation on the vendor’s site – including crucial information on the firmware it uses, how it communicates with third party devices, and so on.

Its job was also made easier by virtue of the fact that each sensor device was accessible via Bluetooth, allowing a hacker to brute force it with ease.

The researchers were able to access the device firmware memory, and “change the way that passing vehicles are classified according to their length, or change the number of lanes,” Legezo explained in a blog post.

“To sum up, a car driving slowly around the city, a laptop with a powerful Bluetooth transmitter and scanner software is capable of recording the locations of traffic sensors, collecting traffic information from them and, if desired, changing their configurations,” he added.

“I wouldn’t say that traffic stats are a major secret, but tampering with sensor configurations could affect their validity. And that data could be used as a basis for controlling ‘smart’ traffic lights and other traffic equipment.”

That data could be hacked and compromised in a sabotage attempt, or even sold to third parties. Either way, it could spell trouble for the city authorities which rely on the accuracy of such data to make crucial traffic planning decisions.

To mitigate the risk of such an attack in the future, the city authorities need to hide the vendor’s name from view on the side of each sensor; change default names on devices and disguise their MAC addresses; use 2FA for Bluetooth authentication; and work with white hats to find and patch bugs, Legezo recommended.

Source: Information Security Magazine

#CPX2016 – Check Point CEO Talks Need For Prevention to Battle Crime

It is time to develop a new security strategy that moves away from detection and towards being proactive.

Speaking in the opening keynote of CPX2016 in Nice, Gil Shwed, CEO and founder of Check Point, said that having the best technology is not enough: to secure a business we need a strategy and must remain one step ahead.

Speaking in his session titled “Staying one step ahead in cyber security”, Shwed pointed out that he will soon be double the age he was when he launched the company’s first firewall in 1993, and now attacks are continuing to grow and we need to do something about it.

Comparing conventional crime to cybercrime, Shwed said that a bank faces a robbery two to three times a year and it costs at most the $10,000 that is kept in the bank, while in cybercrime some banks see an attack 20-30 times per hour at a minimum and the damage is well over $50 million. “So it is a faster pace and bigger damage, but try to compare conventional attacks – someone may know how to try to rob a bank on one territory, but in cybercrime they can come from the other side of the world,” he said.

“Everyone has access and we are all vulnerable, and we need to adopt a different mindset as in the conventional world we detect with camera, so it is detection and alert. If it doesn’t work we watch and punish them and the best tool for fighting crime is deterrence. In cybercrime, we use detection and alerting but malware is evasive, and we know an attacker can be sitting in a different country and continent, and there is no one to punish them and the catch rate is very low.”

Sticking with the theme of detection not being enough, Shwed also said that once malware is inside the network, the damage is done, the cost of remediation is high and it is hard to detect and trace, yet 80% of vendors are focused on detection only.

“A different approach is for us to prevent attack with the principle of: block an attack before it happens; defend with the most advanced tools that stop today’s attack and tomorrow’s threats; and protect every frontier,” he said. “Also simplify as you cannot do this with 60 different systems, ten different controls and 50 experts, and you need one system to block an attack before they happen.”

Check Point used the conference to announce the release of a new series of appliances for small office, small enterprise and mid-sized enterprise, large to high end enterprise, high end enterprises and data center grade.

He said: “It comes to the way we think and moving from the old to the new world. Strategy was being reactive; now we need to be proactive, think holistically and focus our energy on prevention, prevention, prevention. If we used point and multiple consoles in the past, in the new world we need one consolidated system with single management, and we are working hard to make it not just a philosophy and strategy, but a reality.”

Source: Information Security Magazine

MoD Email Blunder Leaks Secret Nato Report

The Ministry of Defence (MoD) has been left red-faced after it emerged that an administrative error led to the accidental leak of a secret Nato document detailing ongoing military exercises.

The document, marked “NATO restricted” on every one of its 192 pages, was emailed to fishing and ferry operators at the end of March, according to the Herald.

It apparently contains long lists of email addresses, phone numbers and the location of military facilities as well as technical details related to the exercises including aircraft target areas, code decryption tables, authentication protocols and radio jamming information.

Also listed in the doc are dozens of code words, call signs and map co-ordinates, according to the report.

The exercises in question are Griffin Strike 16, taking place in the south-west of England and Wales, and Joint Warrior 161 in Scotland.

The latter is a major bi-annual event currently running from 11-23 April and comprises “a program of exercises conducted by land forces, warships, submarines and aircraft across the UK,” according to the MoD.

The ministry admitted the error, which occurred when it meant to send a notice on how fishing vessels and ferries might be affected by the live drills.

However, a spokesman sought to play down the potential impact of the accidental leak.

“A communications issue around the Joint Warrior and Griffin Strike exercises was identified and appropriate measures have been taken. There is no impact to the public, military personnel or units participating in the exercise,” he told the Glasgow paper.

Mimecast director of security product management, Steven Malone, argued that even the most security-sensitive organisations can fall victim to a data leak thanks to end user error.

“Employees rarely share confidential or secret information on purpose but need more help to avoid potentially damaging mistakes,” he told Infosecurity.

“Data loss prevention technology is mature and absolutely vital for highly sensitive data, but it must be considered a last resort backup. Employee awareness and understanding of security is the most critical control.”

This isn’t the first time the MoD has been found wanting when it comes to cybersecurity.

Over a four-year period leading up to 2009, the ministry reported the theft of over 650 laptops, including on one occasion the key used to encrypt data on the machine.

Then in 2012 a database containing employee emails and passwords was hacked and dumped online by hacktivists NullCrew, after they managed to exploit a basic SQL injection vulnerability.

Source: Information Security Magazine

Google Boosts Privacy for Chrome Extension Users

Google has updated the User Data Policy for its popular Chrome Web Store in a bid to improve user privacy and transparency over when data is collected by third party extensions and apps.

Teresita Perez and Athas Nikolakakos from the Chrome Policy Team explained in a blog post that transparency and choice have been core principles of the browser since its inception.

“Since early on, Chrome has included privacy-protecting features to give users control over their browsing experience, including incognito mode and granular privacy preferences,” they added. “Now, we’re consolidating and expanding our policies about user data to ensure our Chrome Web Store developers follow similar principles.”

The new requirements for developers will include greater transparency about the handling of user data and the disclosure of privacy practices.

They will also be required to post a privacy policy, and use encryption, if handling personal or sensitive information.

Under the new rules, users must also be asked to: “consent to the collection of personal or sensitive data via a prominent disclosure, when the use of the data isn’t related to a prominent feature.”

“We’ll notify developers when we discover items that violate the User Data Policy, and they’ll have until July 14, 2016 to make any changes needed for compliance. Starting July 15th, 2016, items that violate the policy will be removed from the Web Store and will need to become compliant to be reinstated,” they concluded.

“Protecting our users is our key priority, and we believe this change will make sure users are better informed and allow them to choose how their user data is handled.”

The policy update comes as Chrome is frequently targeted by cyber-criminals, who particularly favor uploading malicious extensions, as a way to spread malware far and wide for a relatively low TCO.

This is despite Google’s move two years ago to stop users from installing any extensions not hosted on the official Chrome Web Store.

Source: Information Security Magazine

Privacy Fears Undermine Internet Trust – Report

Global netizens are more concerned about their privacy than they were a year ago, and few believe governments can be trusted to keep their personal information safe, according to a new independent study.

Canada-based thinktank the Centre for International Governance Innovation (CIGI) commissioned Ipsos to interview over 24,000 internet users across the globe on their attitudes to privacy and the like.

It found global trust in online services on the wane – 57% were more worried about their privacy than a year ago, while only 38% said they could trust that their activities in cyberspace were not being monitored.

Likewise, fewer than half (47%) said they could trust that their online activity was not being censored.

Trust in public and private bodies to keep personal data safe and secure is also at an all-time low.

Just 30% of respondents claimed governments are doing enough on this front, while a similar number (31%) said the same for private companies.

Given this growing uncertainty and doubt, it’s perhaps not surprising that 83% of those interviewed claimed to have changed their online behavior in a bid to better protect their privacy.

This includes things like avoiding opening emails from unknown email addresses (55%), doing fewer financial transactions (23%), or even using the internet less frequently (11%).

CIGI said the findings highlight the pressing need for multi-stakeholder dialog on how to create greater trust online.

“Internet users are expressing a clear lack of trust in the current set of rules and, more importantly, in the actors that oversee the sharing and use of personal data online,” said Fen Hampson, director of CIGI’s Global Security & Politics Program.

“There is an overwhelming consensus among respondents that the internet is everyone’s issue, and that no single actor or institution is absolved of responsibility or can be trusted more than others in the pursuit of its effective governance.”

Online privacy has never been more high profile, with controversy surrounding Privacy Shield, the replacement for the EU-US data-sharing framework Safe Harbor.

Also, last week the EU General Data Protection Regulation passed its final regulatory hurdle and will come into force on 4 May 2018.

Source: Information Security Magazine

Less than a Quarter of Businesses Are Cyberattack-Ready

On average, only 23% of organizations are capable of responding effectively to a cyber-incident. This is especially bad for companies in the retail and hospitality sectors, which were the top-attacked verticals in 2015.

That’s the word from NTT Group’s annual Global Threat Intelligence Report, which found not only that 77% of organizations have no capability to respond to critical incidents, but also that addressable issues such as social engineering and exploits of old vulnerabilities continue to be popular attack vectors.

In fact, spear phishing attacks accounted for approximately 17% of incident response activities supported in 2015. In many cases, the attacks targeted executives and finance personnel with the intent of tricking them into paying fraudulent invoices.

The bad guys are putting more effort into social engineering too. Activity related to the reconnaissance phase of the Lockheed Martin Cyber Kill Chain (CKC) accounted for nearly 89% of all log volume. These logs accounted for approximately 35% of escalated attack activity, making reconnaissance the largest single element in the CKC.

The report also found that all of the top 10 vulnerabilities targeted by exploit kits during 2015 are related to Adobe Flash. In 2013, the top 10 vulnerabilities targeted by exploit kits included one Flash and eight Java vulnerabilities. That has changed as new Java vulnerabilities have dropped steadily since 2013. The number of publicized Flash vulnerabilities jumped by almost 312% over 2014 levels.

But here’s the kicker: Nearly 21% of vulnerabilities detected in client networks were more than three years old. Results included vulnerabilities from as far back as 1999, making them more than 16 years old.

The retail sector meanwhile experienced the most attacks per client, according to the report, at just under 11%—nearly three times as many attacks as clients in the finance sector. Retailers often process large volumes of personal information—including credit card data—in highly distributed environments with many endpoints and point of service devices. Such diverse environments can be difficult to protect, the report noted.

The hospitality sector faces many of the same challenges as the retail sector, also processing high volumes of sensitive information, including credit card data. Transactions in the hospitality sector, which includes hotels and resorts, tend to be sizable, which can make compromising those card numbers more attractive to attackers.

The hospitality sector also includes a significant number of loyalty plans that house even more personal information. Next come insurance, government and manufacturing. While the finance sector showed the highest volume of attacks overall, on a per-client basis retail clients experienced 2.7 times the number of attacks as finance.

The insurance and government sectors both ranked in the top five most attacked sectors in 2015, and manufacturing continued to detect significant attacks, consistent with levels experienced in previous years. Overall, clients in the top five sectors experienced more than 44% of the attacks observed by NTT Group during 2015.

The report also found that there’s been an 18% rise in malware detected for every industry other than education.

One bright spot: DoS/DDoS attack volume fell 39% from levels observed in 2014. Better mitigation tools, along with fewer attacks, combined to produce a drop in detections of denial of service (DoS) and distributed denial of service (DDoS) activity. But extortion, in which victims pay to avoid or stop DDoS attacks, became more prevalent.

Source: Information Security Magazine

3.8M Porn Users Compromised in Naughty America Hack

Stolen databases containing emails and passwords of 3.8 million porn users have supposedly turned up on the Dark Web—the latest in a string of adult-themed heists.

A hacker advertising the info on the underground The Real Deal site claims to have taken the database from the owner of the Naughty America porno production house, as well as from affiliated groups like gay porn site Suite703 and related forums. The info is up for sale for just $300.

The low price tag could be due to the fact that the account passwords were protected with bcrypt, a strong cryptographic algorithm—and also, some of the data could be old.

As for its authenticity, that’s a matter of some debate. Security researcher Troy Hunt checked the data with subscribers to his HaveIBeenPwned service, and received at least one user confirmation. The person had signed up for a three-day trial for a Naughty America account before cancelling.

Forbes carried out its own investigation. “Forbes was unable to independently verify the figures, though the data dealer, going by the name of Peace, passed on additional databases containing more than the small sample provided on the market,” the outlet said. “Four of more than 30 individuals included in the leaks responded to Forbes’ attempts at contact, saying they had used Naughty America or Suite703 and planned to change their passwords. Two said they had cancelled their subscriptions more than a year ago. Naughty America’s privacy policy does not state the company will delete user information once an account is terminated.”

Several data breaches have hit adult sites of late, including the lifting of 237,000 user account details from porn site TeamSkeet. That went up for sale on a dark web forum for just $400. And in February, the dating website Mate1 saw 27+ million user account credentials, including plaintext passwords, turn up on the dark web forum known as Hell.

According to Hunt, the Mate1 data breach included “deeply sensitive” information such as drug use, income levels and sexual fetishes.

Then of course there was the infamous hack of 37 million records for customers of Ashley Madison, the online “dating” website for married people looking to have an affair. The information includes “all the customers’ secret sexual fantasies and matching credit card transactions,” the perpetrators said. The hackers, who call themselves The Impact Team, said they planned to release real names, profiles, nude photos, credit card details and fantasy information unless their demands were met.

Source: Information Security Magazine

Uber Transparency Report Reveals Data Hungry Regulators

Uber has unveiled its first transparency report, revealing a tension with local regulatory authorities in the US which it hopes will spark a public debate over the amount and type of data they’re requesting.

This report features an overview of the information provided to US state and local regulators and law enforcement agencies between July and December 2015.

It differs from similar reports by the likes of Facebook and Twitter because, although it is a technology company, Uber also operates in the offline and highly regulated world of transportation.

Typical requests may include information about “trips, trip requests, pickup and drop-off areas, fares, vehicles, and drivers in their jurisdictions for a given time period,” Uber claimed.

Despite only receiving 33 data requests from regulators, these covered a massive 11.6 million passengers and 583,000 drivers – revealing that many of these were blanket requests.

“Of course regulators will always need some amount of data to be effective, just like law enforcement. But in many cases they send blanket requests without explaining why the information is needed, or how it will be used,” Uber complained in a blog post.

“And while this kind of trip data doesn’t include personal information, it can reveal patterns of behavior and is more than regulators need to do their jobs. It’s why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed.”

In fact, Uber claims it complied as required around 58% of the time, and was successful in negotiating a narrower scope on only 42% of occasions.

“We hope our Transparency Report will lead to a public debate about the types and amounts of information regulated services should be required to provide to their regulators, and under what circumstances,” it concluded.

The report also revealed requests from airport authorities, which are effectively mini-regulators for the area around their particular airport.

Over 1.6 million passengers and 156,000 drivers were affected by the 34 requests made in this sector.

In addition, there were 408 requests from law enforcement for passenger account details and 205 driver account requests. Uber complied fully with 32% and partially with 53%, claiming it sometimes requires a subpoena, court order, or search warrant before providing different types of information.

Source: Information Security Magazine