Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for May 2016

CEO Sacked After $56 Million Whaling Attack

CEO Sacked After $56 Million Whaling Attack

An Austrian aerospace manufacturer has sacked its CEO after his apparent mistakes led to the firm being defrauded out of €50 million ($55.8m) in a whaling attack revealed earlier this year.

FACC, which produces parts for the likes of Boeing and Airbus, said that in a supervisory board meeting last week it had decided to “revoke” Walter Stephan with immediate effect.

It added in a brief statement:

“The supervisory board came to the conclusion, that Mr. Walter Stephan has severely violated his duties, in particular in relation to the ‘Fake President Incident’. Mr. Robert Machtlinger was appointed as interim CEO of FACC AG.”

The incident in question appears to have been a classic whaling attack, in which a fraudster impersonating a CEO or senior board member emails a member of the finance department to request a money transfer out of the company.

However, it’s unclear exactly what mistakes Stephan played which led to his sacking, as the finance employee who made the mistake in transferring the funds and her immediate boss have already been dismissed, according to reports.

Such incidents have been on the rise in recent months.

Email security firm Mimecast interviews IT professionals periodically about whaling attacks and found 75% of respondents in March this year had seen an increase in attacks. That’s up from 55% in December 2015.

Also, the FBI warned in February that attacks had generated $2 billion for fraudsters over the past two years.

Orlando Scott-Cowley, cybersecurity strategist at Mimecast, warned firms not to be complacent when they read about whaling attacks.

“Every CEO needs to be ultimately responsible for implementing appropriate checks and balances, including security training and technology, to protect their employees and shareholders from crippling losses,” he told Infosecurity.

“It doesn’t matter how experienced or senior you are – you are still likely to fall for a well-crafted targeted attack. So assume you and your team will be duped, and plan accordingly. The incidents of these attacks are only set to grow. They are relatively easy for the criminals to conduct and are hard to protect against just using traditional security technologies.”

Wieland Alge, EMEA VP at Barracuda Networks said attackers usually spoof the CEO’s email address with a fake domain to improve their chances of success.

“It turns out that the one of the most effective defenses is a very transparent and open company culture. All departments, but particularly HR and Finance, must be able to communicate, preferably over the phone, with the CEO and CFO directly,” he added.

“This is quite a routine practice in young and fast moving companies, but becomes much less common in the larger businesses, sometimes down to the personality of the CEO and CFO, but more often down to well internalized habits. It goes without saying that properly configured and maintained email security systems also play a big part in preventing these kinds of attacks.”

Source: Information Security Magazine

Data from 360 Million MySpace Accounts Stolen

Data from 360 Million MySpace Accounts Stolen

Data pinched from around 360 million MySpace accounts is up for sale online, according to recent reports.

Lorenzo Fraceschi-Bicchierai at Vice Motherboard said the information can be purchased on criminal forums and is being sold by “Peace”, the same hacker who sold credentials for 165 million LinkedIn accounts this month.

Leakedsource.com, a service that allows users to check their credentials against stolen data sets, wrote in a blog that the information “may contain an email address, a username, one password and in some cases a second password.”

Further, Leakedsource.com stated that of the 360 million records stolen 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password).

What’s more, the firm pointed out that “The methods MySpace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it’s not encryption at all but it gets worse. We noticed that very few passwords were over 10 characters in length (in the thousands) and nearly none contained an upper case character which makes it much easier for people to decrypt.”

Although it is currently unknown when the information was stolen, the list of most commonly used passwords among the data would suggest the details are old, with culturally-based passwords linked to phenomenons most popular during the late 1990s and early 2000s.

MySpace was launched in 2003 before being purchased by News Corporation in 2005. The site went on to become the most dominant social-networking website in the world between 2005 and 2008, surpassing Google as the most visited website in the US in 2006. It was not until 2008 that Facebook overtook MySpace in terms of unique worldwide visitors, and since then its number of users has steadily declined.

Despite this the site, which recently claimed to have surpassed the threshold of one billion users, and still has an estimated 50 million unique visitors per month as of 2015. With this is mind, and taking into account the fact that many accounts – even if they are dormant – might still contain sensitive data can be leveraged in an attack, this data theft could pose a significant risk for MySpace users old and current. Additionally, it also shows that the site was hacked at some point, and MySpace either did not know about it or simply did not disclose it publically or to its customers.

Users who still have an active MySpace account are advised to change their password and, more importantly, change the password of other more sensitive services if they use the same password as the MySpace account.

Source: Information Security Magazine

Tumblr Breach Hit 65 Million as Pattern Emerges

Tumblr Breach Hit 65 Million as Pattern Emerges

A security expert has warned that there could be a lot more to come, following recent revelations of data breaches that happened several years ago at web firms including LinkedIn, MySpace and Tumblr.

Earlier this month, 167 million records were found to have been exposed after a breach at LinkedIn in 2012 – despite the firm claiming at the time that just 6.5 million users were affected.

Then last week it was revealed that around 360 million records had been stolen from social media site MySpace.

Most recently a Tumblr hack from 2013 which the firm only discovered and notified users about earlier this month, has been found to have exposed 65 million records.

This is despite the Yahoo-owned firm playing down the incident by claiming that only a “set of Tumblr user email addresses with salted and hashed passwords” was stolen.

Troy Hunt runs the Have I been pwned (HIBP) website which allows users to check whether their information has been stolen from any sites they have online accounts with.

He claimed in a new post that in the past week alone he’s loaded 269 million records into the system – almost as many as were in the entire site prior to that.

Data from all three web firms, along with a fourth – Fling – are for sale on the darknet, from the same vendor, going by the handle peace_of_mind.

These breaches are all of extremely large volumes of data and all happened at least three years ago but have been sitting dormant, leading Hunt to speculate there may be a connection.

“There’s been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can’t help but wonder if they’re perhaps related,” he suggested.

“If this indeed is a trend, where does it end? What more is in store that we haven’t already seen? And for that matter, even if these events don’t all correlate to the same source and we’re merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?”

Source: Information Security Magazine

US ICS-CERT Urges Admins to Mitigate New SCADA Risk

US ICS-CERT Urges Admins to Mitigate New SCADA Risk

The US Department of Homeland Security has issued an alert urging IT administrators in the energy sector to take steps to mitigate two serious vulnerabilities in SCADA products.

The alert came late last week from the department’s ICS-CERT, and concerns two bugs discovered by independent researcher Maxim Rupp in products built by US firm Environmental Systems Corporation (ESC).

Crucially, the products affected – ESC 8832 Version 3.02 and earlier versions – don’t have enough memory space to implement a patch, meaning a firmware upgrade is out of the question.

The alert continued:

Successful exploitation of these vulnerabilities may allow attackers to perform administrative operations over the network without authentication.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

Both bugs have been given a CVSS v3 base score of 7.5.

The first – CVE-2016-4501 – is an authentication bypass vulnerability which could allow an attacker to make unauthorized modifications to the device’s configuration.

The second – CVE-2016-4502 – is a privilege management bug which could allow a hacker to “gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter.”

An attacker with only low skill could exploit these two vulnerabilities remotely, ICS-CERT warned.

To mitigate the risk of such an exploit, ESC recommends admins either upgrade the device, block Port 80 with a firewall, or manage the device not through the web interface but alternative means.

The affected product is used mainly in the energy sector in the United States, the advisory claimed.

Internet-connected SCADA systems are increasingly exposed to remote cyber attacks – especially those in mission critical deployments where administrators are reluctant to schedule downtime to patch them.

Last Christmas a major attack on power stations in Ukraine led to a serious power outage.

Source: Information Security Magazine

Brazil Offers High Security Risk for Businesses

Brazil Offers High Security Risk for Businesses

Brazil is one of the riskiest countries to do business in, according to BitSight Technology.

BitSight Security Ratings are a measurement of an organization’s security performance and range from 250 to 900, where higher ratings equate to lower risk. Much like credit ratings, BitSight Security Ratings are generated through the analysis of externally observable data such as compromised machines, vulnerabilities in important communication protocols and user behavior.

Taking a look at a random sample of companies in the United States, the United Kingdom, Singapore, Germany, China and Brazil, BitSight found that companies based in Brazil have the lowest aggregate Security Rating, while companies in the UK, Germany and the United States have the highest.

Brazil and the United States have the poorest performance when it comes to preventing and mitigating machine compromise stemming from botnet infections; Germany and the UK perform the best in the fight against botnets. China, Brazil and Germany meanwhile have a higher percentage of poorly configured email security protocols, such as SPF and DKIM.

Major vulnerabilities in important communication protocols such as Heartbleed, POODLE and FREAK continue to affect organizations within all countries included in the study; and, peer-to-peer file sharing is common across all countries included in the study, except Germany.

“Along with operational, financial and legal risk, cyber-risk should be a key consideration when extending operations globally. This includes understanding the risk associated with sharing sensitive data with global partners and vendors,” said Stephen Boyer, co-founder and CTO of BitSight. “Just as business practices and laws differ across countries, so do cybersecurity practices. When expanding globally, it is imperative to communicate best practices and establish a standard of security performance that can be implemented across the entire supply chain.”

Photo © Peace PhotoHunter

Source: Information Security Magazine

DHL Customers Phished Using South African Gov Website

DHL Customers Phished Using South African Gov Website

DHL customers’ credentials are being targeted once again by phishing, according to the Comodo Threat Research Labs.

What’s unique about this campaign is that a South African government website is being hacked to host the malicious phishing URL.

Specifically, a bogus email mimics a DHL shipment notification alerting the customer to fill in the required information in order to take delivery of a parcel. However, the link provided within the email does not take the user to an official DHL website, but instead to a compromised domain of the South Africa Accreditation Authority, a government entity.

When victims click on the link, they’re redirected to a site that is an exact copy of an official DHL website. Tricked customers may end up complying with payment requests and could ultimately end up with a system-wide infection.

“It’s a clear example of how compromised government assets may be utilized in phishing attacks targeting citizens. No organization or company is secure enough, unless the necessary measures are taken. Government assets are no exception,” said Fatih Orhan, director of the Comodo Threat Research Labs, in an alert.

DHL is warning its customers. A statement on the DHL website reads: “Attempts have been made to defraud Internet shoppers by the unauthorized use of the DHL name and brand via email communications and graphics which appear, on the surface, to have originated from DHL. In most cases the communications concern the sale of consumer goods over the Internet where payment may be requested before the goods are delivered. Please be advised that DHL does not request payment in this manner. DHL only collects money due for official DHL related shipping expenses.”

Photo © Lucian Milasan/Shutterstock.com

Source: Information Security Magazine

Defense Department Runs the US Nuclear Arsenal Using Floppy Disks

Defense Department Runs the US Nuclear Arsenal Using Floppy Disks

According to a report from the US Governmental Accountabilty Office, major governmental agencies including the Department of Defense, Treasury Department and the Social Security Administration have been using IT systems that are up to 50 years old. These are handling important functions related to taxpayer information, federal prisoners, military veterans and nuclear programs—and they’re deeply vulnerable to attack.

The Department of Defense, for example, runs its strategic air command system on an IBM Series/1 Computer—a 1970s computing system—and uses 8-inch floppy disks. This system coordinates the operational functions of the United States’ nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts.

The Department of the Treasury meanwhile uses assembly language code—a computer language initially used in the 1950s and typically tied to the hardware for which it was developed. And the Department of Veterans Affairs automates time and attendance for employees, timekeepers, payroll and supervisors using a bespoke software written in Common Business Oriented Language (COBOL)—a programming language developed in the 1950s and 1960s. It runs on IBM mainframes.

The list goes on and on.

What’s even more shocking is that the US government spent most of its annual IT budget last year to maintain these systems. More than 75% of the total amount budgeted for IT for fiscal year 2015 on operations and maintenance (O&M) investments, according to the GAO. That spending has increased over the past seven fiscal years, which has resulted in a $7.3 billion decline from fiscal years 2010 to 2017 in development, modernization and enhancement activities.

And there’s little end in sight. The President’s fiscal year 2017 budget request for IT was more than $89 billion, with much of this amount reportedly for operating and maintaining existing IT systems.

The Office of Management and Budgets (OMB) did recently begin an initiative to modernize, retire and replace the federal government’s legacy IT systems, but until that policy is finalized, the GAO warned that the government runs the risk of maintaining systems that have outlived their effectiveness—with great security risk.

“Many IT O&M investments in GAO’s review were identified as moderate to high risk by agency CIOs and agencies did not consistently perform required analysis of these at-risk investments,” it noted.

“The GAO’s report on the government’s archaic IT systems is alarming, but unfortunately not surprising,” said Bob Ertl, senior director of product management at Accellion, via email. “Layers of bureaucracy plus fierce competition for budget dollars are historically responsible for the public sector lagging behind in technology adoption. The problem with that is when you put off making technology upgrades, you put off making security upgrades.”

He added that the massive data breach at the Office of Personnel Management highlights this very issue.

“While it remains to be seen whether the lessons learned from that breach will be applied, hopefully this report from the GAO provides additional context for just how dire the security situation is at the federal government level,” Ertl said.

Photo © Yongcharoen_kittiyaporn

Source: Information Security Magazine

Swift Hackers Linked to ‘North Korean’ Lazarus Group

Swift Hackers Linked to ‘North Korean’ Lazarus Group

The recent Swift attacks on banks across the globe have links to the infamous Lazarus Group pegged for the Sony Pictures Entertainment hack, according to Symantec.

The security giant explained in a blog post that it identified three pieces of malware used in a newly discovered set of attacks on South-east Asian banks: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee.

On closer inspection it discovered code sharing between early variants of Backdoor.Contopee and Trojan.Banswift – which was used in the $81 million heist at the Bangladesh Bank.

“Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group,” it explained.

This means that at least one more bank, in the Philippines, is likely to have been attacked by the Swift hackers that have already been pegged for raids on the Bangladesh Bank, Vietnam’s Tien Phong bank and Ecuador’s Banco del Austro.

However, Backdoor.Contopee also provides a link to the Lazarus gang, which has been observed using the same malware. This raises the prospect that the hackers who attacked Bangladesh Bank and others are North Korean state-sponsored operatives.

Lazarus is linked to a string of attacks since 2009 aimed at US and South Korean organizations.

“The group was linked to Backdoor.Destover, a highly destructive trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack,” explained Symantec.

“The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region.”

Global bank transfer messaging organization Swift responded this week by launching a five-point plan for its members designed to fortify their defenses against future attacks.

One of its main tenets is better information sharing within the industry, which Swift says it will help co-ordinate.

Given the level of sophistication in the attacks against Bangladesh Bank and others, it has been suggested in the past that those who carried them out could be insiders.

Source: Information Security Magazine

UK Banking Customers Could be Forced to Pay for Fraud

UK Banking Customers Could be Forced to Pay for Fraud

UK consumer and corporate banking customers could find they have to foot the bill for fraud themselves if they haven’t taken adequate security measures, according to new plans being mooted.

The Bank of England, GCHQ and the government are discussing the idea, which could also involve shutting out such individuals from banking services altogether, according to the FT.

At present in the UK, and most western countries, the banks foot the bill for fraud even if it came about because the victim failed to adequately secure their personal information and/or keep their computer up to date with security software and patches.

Fraud is big business these days, with online banking losses jumping 64% last year to reach £133.5 million, according to Financial Fraud Action UK. In addition, the value of e-commerce fraud jumped 19% from 2014 to 2015 to reach £261.5 million.

A new study from the UK Fraud Costs Measurement Committee (UKFCMC), Experian and PKF Littlejohn released this week claimed that fraud in total costs the UK economy £193 billion per year.

Plans to push more liability for fraud onto banking customers have been mooted for years, but they’ve proved controversial – not least because consumer groups claim it would disadvantage the elderly and those less capable of protecting themselves.

Any move of this kind would have to go hand-in-hand with greater help from financial institutions on internet security.

Javvad Malik, security advocate at AlienVault, described the plan as a “bad idea.”

“It will be difficult, if not impossible to agree what an acceptable baseline of security is. Will banks mandate which operating systems and browser versions are relevant? For example, will they block any visitors running windows XP?” he added.

“If that is the case, then the tables can very easily be turned if, in court, a customer asks a bank to demonstrate that all their systems involved in the online banking ecosystem meet the same level of base security controls. With many banks running legacy systems, it will be a difficult case to make – not to mention can potentially expose confidential information about the bank’s setup.”

Banks are best placed to invest in fraud detection and prevention at their end, he argued.

Source: Information Security Magazine

Data Leak Puts Ulster Prison Staff in Danger

Data Leak Puts Ulster Prison Staff in Danger

Lives were put at risk after the personal details of hundreds of Northern Ireland prison officers were emailed to a third party by mistake.

Staff names and dates of birth were sent out accidentally to a third party who is thought not to have been security vetted to receive such information.

The risk is that with such information, terrorists in the region could find out the addresses of prison staff.

A 52-year-old prison officer died just weeks ago following a bomb blast claimed by the New IRA.

“This is another result of cutbacks,” a source told Belfast Live regarding the email leak.

“The checks were previously done independently but they were moved in-house to save money.”

However, the Department of Justice claimed in a statement that the incident has been contained.

“A full investigation is under way and the incident has been reported to the Information Commissioner’s Office,” it added.

Tony Pepper, CEO of secure data transfer firm Egress, argued that email auto-fill was likely to blame, but that tools exist to help eradicate this kind of human error.

“Firstly, organizations need to have the means to securely share information both internally and with trusted external third parties using encryption tools that suit the ways their employees work – whether securing emails or large files, or providing a secure collaboration environment,” he added.

“Secondly, they need to ensure users retain control over their data from start to finish, even after it has been shared with a third party. For example, having the ability to retract an email sent in error, such as in this case, so that the recipient is unable to read the contents. Finally, this smart technology needs to be combined with user education, policies and procedures that help them to understand how to treat data.”

Firms would also benefit from tools which feature an element of artificial intelligence built in, he argued.

“Machine learning can harness the digital footprints employees leave behind every day and use these to discern what ‘good’ behavior looks like in comparison to ‘bad’,” Pepper explained.

“Aggregating and analyzing this information can then allow greater information security and assurance to be applied to any exchange of data, reducing the opportunity for employees to cause a data breach, whether by accident or intentionally.”

Source: Information Security Magazine