Archive for May 2016

ATM Robbers in $12 Million Japan Heist

Cybercrime gang members managed to steal a whopping 1.4 billion yen ($12.7m) from Japanese ATMs in a highly co-ordinated Sunday raid, according to reports.

Some 1400 cashpoints at various convenience stores around the country were targeted in a two-hour operation, “investigative sources” told the Kyodo news agency.

It’s likely that fake cards were used in the heist, cloned from information stolen from a South African bank, police believe.

Local investigators will now work with their South African counterparts through Interpol to find out how the data was stolen in the first place.

The ATM thefts took place just over a week ago, on the mornings of 15 and 16 May, with as many as 100 carders potentially involved in the operation.

They are said to have withdrawn the maximum amount of 100,000 yen ($913) in each of the 14,000 transactions attempted.

It’s the kind of operation that chip and PIN was largely developed to prevent. These newer cards, which are finally being rolled out across the US and have been around in the UK for over a decade, are much harder to clone for these purposes.

However, this means most card fraud in the UK today is card-not-present – where the black hat simply uses the stolen data to commit fraud online rather than in the ‘real world.’

It’s not just carders using fake plastic that banks need to be on the lookout for, if recent reports are to be believed.

Almost all the ATMs in the world are at risk of being illegally accessed and raided – some even without the need to install malware – according to a Kaspersky Lab report from last month.

A big part of the problem is that many systems are still running on old and/or insecure systems like Windows XP – exposing them to exploitation by malware.

According to ATM data, around 1600 cards were used in the Japan attack, which spanned 16 prefectures across the archipelago.

Source: Information Security Magazine

Bank of England in Swift Security Warning

The Bank of England has told UK banks they need to perform compliance checks to ensure they’re following cybersecurity best practice following the $81 million virtual robbery of the Bangladesh Bank in February.

Unnamed people “familiar with the effort” told Reuters that the order came in the second half of last month, although the central bank itself has refused to comment on the matter.

The checks are essentially designed to ensure banks follow the advice of inter-bank messaging system supplier Swift, which was at the center of the audacious cyber heist earlier in the year.

These apparently include user entitlement reviews to ensure only legitimate employees have access to the Swift network, which facilitates bank transfers and the like.

Also included on the checklist was an order to check the Indicators of Compromise that have been deduced from previous attacks by investigators at BAE Systems and elsewhere.

Also in there was a requirement to upgrade key Swift Alliance Access software by mid-May.

The news comes as yet another bank revealed it has been targeted by what appears to be the same group of hackers.

A week ago, Vietnamese lender Tien Phong Bank admitted it successfully identified and stopped an attempted theft of over $1 million via a third party provider which manages its connection to the Swift network.

At around the same time, Swift itself issued a lengthy notice urging banks to review their security controls.

This is despite claims from Bangladesh Bank staff that it was the messaging company itself – owned and run by a group of global financial institutions – that was to blame for the $81m robbery.

Technicians left several security holes when they were connecting the bank’s real-time gross settlement (RTGS) system to the Swift network, they claimed.

Swift has always maintained that in these incidents it is the banks themselves that are to blame.

Many security experts believe the black hats involved in this case have detailed knowledge of the inner workings of the system.

Source: Information Security Magazine

US Navy to Train Up a Hacking Team

The US Navy is planning to create its own team of “ethical” sailor-hackers.

In a job posting, the Navy outlined its requirements for the Ethical Hacker program, an intensive five-day course that will take place June 6-10 in San Diego. It’s looking for 34 bodies to fill the seats, to undertake training administered by the International Council of Electronic Commerce Consultants or an authorized partner.

The course consists of a combination of lectures, team activities and case studies followed by beyond-site certification testing.

According to the Navy, a certified ethical hacker “is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in networks and/or computer systems and uses the same knowledge and tools as a malicious hacker upon request from an organization. The certification is for individuals who are responsible for securing (or testing the security of) computer networks.”

The military has ramped up its cyber-plans of late—sometimes in disturbing ways. Last fall, according to government contractors and former Pentagon officials, computer code and cyber-weapons capable of killing adversaries will be developed under a new half-billion-dollar military contract.

These cyber weapons will allow US troops to launch “logic bombs,” instead of traditional explosives, which essentially would force an enemy’s critical infrastructure to self-destruct—likely with the loss of human life.

Sources told Nextgov that the contract is the main part of an upcoming $460 million U.S. Cyber Command project, which will outsource “cyber fires” planning, as well as “cyberspace joint munitions” assessments to contractors. Raytheon, Northrop Grumman and Lockheed Martin are among the major defense firms expected to compete.

Earlier this year, the Pentagon announced what it called “the first cyber bug bounty program in the history of the federal government.” Essentially, the Department of Defense is inviting hackers to test the department’s cybersecurity profile.

The Hack the Pentagon initiative is a pilot program that will use commercial sector crowdsourcing to uncover vulnerabilities and probe around for flaws on the department’s public webpages. According to a list published by the Defense Department, it currently manages 488 websites, which are devoted to everything from the 111th Attack Wing and other military units to the Yellow Ribbon Reintegration Program.

Source: Information Security Magazine

Social Media, Mobile Prove Too Much for Compliance Officers

Compliance professionals are struggling to keep up with the explosion of communications channels, including social media and mobile devices, according to the latest Electronic Communications Compliance Survey Report from Smarsh.

The company’s sixth annual compliance survey reveals that gaps in enforcement, retention and policies remain very high, exposing firms to the risks of undetected fraud, errors and regulatory enforcement actions.

The primary purpose of electronic message supervision is to fulfill regulatory requirements designed to protect investors, such as SEC rule 17a-4, which requires firms to archive electronic business communications in non-rewriteable and non-erasable (WORM) formats for at least three years. In addition to retention, firms are required to perform risk-based review of correspondence and internal communications.

The compliance function must ensure the firm is compliant with these mandates, thereby minimizing the business risks of noncompliance, such as fines, reputational damage and loss of license to operate.

What that means in practice is that compliance professionals need to supervise all types of business communications, even when messages reside on personal devices and social media accounts. Making this a reality, however, presents challenges, and compliance to-date has not kept up with implementing retention and supervision systems for all the communications channels employees use for business.

Key concerns include growing regulatory scrutiny of electronic communications of all types, balancing privacy and compliance, management of the increasing number of communications channels, hackers and a dearth of personnel to meet the compliance burden.

To this last point, 40% of survey respondents believe too many or way too many messages are flagged for their review as part of the supervision process, indicating firms either don’t have the resources needed to effectively keep up with reviews, or they see too many false-positive search results which take up valuable compliance team time.

Nearly 90% of respondents expect the resources (time and/or money) dedicated to electronic message compliance to remain the same, or increase only slightly in the next 12 months. Fewer than one in 10 expect to receive a significant resource increase. Unsurprisingly, this concerns compliance professionals. More than one-fourth of respondents (28%) cited insufficient budgets as a top concern this year, up from 22% last year.

“Firms have an immediate need to rethink their traditional approach to the retention and oversight of electronic communications, especially as they aim to demonstrate a culture of compliance,” said Stephen Marsh, CEO and founder of Smarsh. “Our data illustrates that too many firms are not retaining and supervising different types of electronic communication, and not performing systematic supervision as regularly as necessary. Those that do have established surveillance programs are struggling to find efficiencies under the weight of a growing volume of electronic communication.”

Meanwhile, social media is the communication channel representing the highest perceived level of risk, cited by almost 50% of respondents. Yet more than 40% of firms that enable employees to use LinkedIn and Facebook do not have retention and supervision solutions in place, leaving them vulnerable. This compliance gap is even greater for mobile/text messaging, where almost 70% of firms that allow its use for business fail to archive the content.

Whether new content types are allowed or not, compliance professionals report low confidence that their firm is in full compliance with regulatory requirements for these communications. For instance, almost 60% of respondents from firms that allow text messaging for business communications have little or no confidence in their ability to produce these electronic records within a reasonable time frame.

Source: Information Security Magazine

EU Data Protection Chief Calls for No Backdoors and a ‘Right to Encrypt’

Law enforcement’s need for information access is critical and should be supported—but only in ways that ensure the individual’s personal privacy. That was the message from European Data Protection Supervisor Giovanni Buttarelli, speaking at the first public event that Europol has held on the specific subject of privacy.

Against the backdrop of several important court cases, as well as calls for enabling surveillance for counter-terrorism purposes, Buttarelli pointed out [PDF] that in many cases, law enforcement’s counter-terrorism flaws come down to poor collaboration rather than a lack of information. For instance, he noted that it is likely that most of the Paris and Brussels attackers were known to the local police as criminals, jihadis or some foreign fighters, and that information on them was included in the relevant EU databases.

“Of course law enforcement authorities need to do everything possible to fulfil their public function of ensuring law and order and justice for victims of crime and terrorism,” Buttarelli said, calling for more information and analysis. “The EU’s Counter Terrorism Coordinator recently told the JHA Council that there are still ‘significant gaps with regard to feeding Europol’ with information necessary on foreign terrorist fighters. This is an urgent problem because of the need for Europol to help match criminality and terrorist activity.”

He also discussed the idea of backdoors, comparing them to the state instructing all architects and construction companies to weaken, in a secret way, one of the points of entry in every private residence.

“Backdoors are not the solution to cybersecurity; they would be a new and dangerous part of the problem. What we need instead is to reinforce the global infrastructure, not to weaken it, to ensure that not only citizens but governments also are secure against attacks.”

He noted that a backdoor would be fundamentally different from the traditional wiretap. “Much more so than our homes, our mobile devices now contain revealing and sensitive data on almost every aspect of our lives, private and professional,” he said. “A trojan horse or built-in vulnerability in all smart phones, tablets and PCs would allow collection and retention of personal information on a much greater scale than ever before. It would set a precedent for the emerging Internet of Things where a whole range of everyday devices and objects will be connected.”

He also said that now may be time to consider establishing a right to encrypt, in addition to any moves to reinforce law enforcement capabilities.

He said that Europe has taken “a massive step in the right direction” with the final adoption of the General Data Protection Regulation and of the Directive for data protection in the police and judicial sector. He also cited the adoption of the Europol Regulation, which will make Buttarelli’s department responsible, in 2017, for supervising compliance of personal data processing.

The balancing of privacy and law enforcement needs was played out in two separate cases in Germany and Italy—with different outcomes. The German Federal Constitutional Court recently ruled on the police use of tracking devices in international terrorism cases, and found that privacy safeguards, transparency to parliament, public and individual legal protection and judicial review must be taken into account.

“According to the Court, it was disproportionate to use wiretap for more than just the most serious offences; and there were limits on the interference with the private spheres of individuals who are not suspected of terrorist activities,” he said. “And it was disproportionate also to transfer personal data to third countries where there were no guarantees of protection of the fundamental rights of the individuals in question.”

Meanwhile, the Italian Court of Cassation said in April that evidence acquired through trojan horses installed on electronic equipment could indeed be admissible in the most serious cases: anti-Mafia and anti-organized crime efforts, and to combat terrorism.

“The FBI-Apple argument in the wake of San Bernardino is just an early skirmish in a long battle,” he said. “A broad and informed public debate is now needed, just as President Obama himself has said. Is the question really one of privacy versus security, or is it rather one of overall security versus decryption?”

Source: Information Security Magazine

US Presidential Hopefuls Braced for Cyber Attacks

US intelligence officials are expecting a barrage of cyber attacks during the forthcoming presidential election campaign, according to reports.

In a statement seen by Reuters, Brian Hale, a spokesman for the office of US National Intelligence Director James Clapper said that previous campaigns had probably been targeted in this way.

“We’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations – from philosophical differences to espionage – and capabilities – from defacements to intrusions,” he added.

His words were backed by Representative Adam Schiff, a Democrat who sits on the House of Representatives Permanent Select Committee on Intelligence.

“Given the intense scrutiny paid to the 2016 campaign, and the broad implications for U.S. foreign policy, it’s no surprise that actors are launching cyber attacks against presidential campaigns,” Schiff apparently claimed in a statement.

The FBI and DHS are apparently working to educate officials on both campaigns to help them fortify their IT systems against attack.

Hillary Clinton famously broke security protocol by using her personal webmail account for official business when Secretary of State.

Tripwire CTO, Dwayne Melancon, argued that a presidential hopeful would be the perfect target for a hacktivist.

“Since this has now been opened up to the public, I would like to see the advisories become more specific and more actionable in the near future,” he added.

Meanwhile, the same firm’s director of security and IT risk strategy, Tim Erlin, claimed “politics and cyber security are inextricably linked these days.”

“When you have an outspoken candidate with a strong position, they necessarily garner extra attention, both good and bad, both in real life and online.

“The increase in cyber attacks will involve more than targeting the candidates and their campaigns directly,” he added. “The population in general should be on the lookout for attacks that leverage political candidates, but target the average consumer.”

Source: Information Security Magazine

Bangladesh Government Sites Used in Phishing Campaign

Bangladeshi government web pages have been compromised and used in phishing attacks, according to security researchers.

Domain name registrations under .gov.bd appear to have been used in attacks spoofing the likes of Wells Fargo bank, Google and AOL, according to anti-phishing firm Netcraft.

However, the vendor claimed in a blog post that the compromised server in question is “one of a few” hosted in the UK on a static IP address used by the hosting company Nibs Solutions.

The phishing pages are apparently still live after more than a week.

“The presence of multiple live phishing sites on the affected server, and the fact that the previous compromises have not yet been cleaned up, suggests that whatever security vulnerabilities might have affected the server are yet to be resolved,” Netcraft continued.

“Bangladesh has a relatively small presence on the web, with just over 30,000 websites making use of the entire .bd country code top-level domain. However, the ratio of phishing incidents to sites is quite high at roughly 1 in 100.”

The incident will add further embarrassment to the Bangladesh government after its central bank was caught out in a major cyber attack earlier in the year which led to the theft of over $80 million.

In that incident, hackers would have stolen $1bn but a spelling mistake in the routing instructions raised the alarm and a fifth transfer of $20m was stopped.

A war of words ensued between the bank and Swift, the global organization which owns and operates international bank transfer messaging infrastructure.

According to Reuters, Bangladesh Bank staff accused Swift technicians of leaving security holes when they were connecting the bank’s real-time gross settlement (RTGS) system to the Swift network.

However, Swift has refused to take any of the blame, claiming the fault is on the bank’s side.

It emerged earlier this month that a second bank, and Swift customer, had been targeted in the same way.

Source: Information Security Magazine

Japan Set to Develop Elite White Hat Agency

The Japanese government is set to create a new agency tasked with recruiting a crack team of white hats and conducting cybersecurity R&D ahead of the 2020 Olympics, it has been revealed.

The privately funded agency, which has the working title of the Industrial Cybersecurity Promotion Agency, will form the front line in the defense of the country’s critical infrastructure, according to the Yomiuri Shimbun.

It will be tied to the Economy, Trade and Industry ministry and staffed by “dozens” of security experts, the report claimed.

One half of the agency will apparently deal with the recruitment of cybersecurity experts, and the other with research.

The agency will also be involved in conducting cyber readiness exercises to test the country’s preparedness for a major attack ahead of, or during, the Summer Games. It will co-ordinate its efforts with universities and foreign agencies such as the US Department of Homeland Security.

According to the report, Japan currently lacks such a body to take charge of advanced R&D and nurturing cybersecurity talent to work for the government.

When it comes to critical national infrastructure (CNI), it will cover industries including electricity, gas and chemical facilities, with the budget set to be thrashed out in fiscal 2017.

Japan has been a regular target in the past for financially motivated cyber-criminals, hacktivists and state-sponsored operatives alike.

Security vendor Cylance claimed back in February that it had discovered a multi-year advanced targeted attack campaign focused mainly on Japanese companies and foreign organizations headquartered in Japan.

Operation Dust Storm appeared to be targeting Japanese critical infrastructure firms in the electricity, oil and natural gas, finance, transportation, and construction sectors, the firm said.

The country’s financial institutions have also been under fire of late from a wave of banking trojans such as Shifu.

Japan signed a cyber ‘agreement’ with the EU back in 2014 focused on “promoting cooperation on cyberspace through exchanges of our respective extensive experience and knowledge.”

Source: Information Security Magazine

Interview: Jacob Ginsberg, senior director, Echoworx

End-to-end encryption has surfaced from behind the scenes to go mainstream, with WhatsApp and Viber both adding it to their users’ communications in the last few months.

As the technology has grown to become far more commercialized, privacy disputes between governments and technology companies have also become more evident. Authorities have looked to weaken secure communication in the interest of national security whilst tech organizations have stood firm in their refusal to such a precedent.

I recently sat down with Jacob Ginsberg, senior director at encryption specialist Echoworx, to discuss the security benefits of end-to-end encryption and what he thinks the future holds for the technology.

Ginsberg explained that Echoworx strives to demystify communication encryption and highlight the fact that, in reality, end-to-end encryption doesn’t need to be a “big and scary” topic.

“One of the big changes we’ve tried to introduce is making it less about proprietary technology, and pushing that down people’s throats, and instead more about removing the obstacles between communities. That’s our focus,” he said.

“What we really want to do is put encryption into people’s hands, and sooner rather than later. What we’re seeing are two things: the first is realization that data persists; that if I have an email sitting somewhere, you can try to delete it, but data points are being collected and will persist for some time. The second is that the threshold for what is considered sensitive information is really going down.”

The use of end-to-end encryption in communications is a security game changer and something that should be implemented on a wider scale, Ginsberg argued.

“It changes the game in terms of whether or not you’re shouting out your banking information on the street corner [for example] or discreetly passing it on to the person that you mean to. It makes a big, big, big difference and I don’t think people appreciate how big a difference it is and really understand what you are doing when you communicate online without it. It’s absolutely night and day, and we want people to realize that and we want people to embrace it, not just as a company but as good members of the technological community.”

Moving the conversation onto public attitudes towards encrypted communication, Ginsberg said there has been a notable increase in both awareness and understanding lately.

“A lot of this has to do with the media and raising awareness with high-profile cases that we’ve seen. Also, we are now applauding companies like Facebook for implementing it and talking about it. It seems like everyone across the board is interested in raising awareness and utilization, recognizing that it’s good for everyone,” he added.

Asked what direction he thinks arguments surrounding the much-discussed topic of government access to private, encrypted communication – brought to the fore so publicly in the FBI vs Apple San Bernardino gunmen standoff earlier this year – will take going forward, Ginsberg said:

“I see it continuing to a certain extent; and that’s only because if you contextualize it and remove the technology and internet from it, this has been a constant theme between public sector and governments for a long time.

“It’s very interesting that countries are very much concerned with securing their own information and their own borders, but at the same time consider having access to their citizens’ information acceptable.”

To conclude, Ginsberg said he sees the widespread use of end-to-end encryption in communications becoming the norm, arguing it is already happening as fast as some governments will allow it.

“Companies are implementing it where there’s not even an immediate financial return because everyone realizes how important this is,” he added.

Source: Information Security Magazine

Firms Have 200+ Unencrypted ‘Password’ Files in OneDrive

Organizations must take greater responsibility when it comes to the security and compliance of their OneDrive data, according to a new report from Skyhigh Networks.

The cloud access security broker (CASB) analyzed usage data for more than 27 million employees working at over 600 enterprises and found serious lapses – particularly concerning when over 58% of sensitive cloud data is stored in Office documents.

OneDrive was the most popular Office 365 app, used by 79% of organizations analyzed with over 100 users.

However, the CASB found that the average enterprise has 204 files containing the word “password” in the file name stored unencrypted in OneDrive.

“Generally, security experts don’t recommend storing all of your passwords in an unencrypted Word or Excel document, whether you store it in the cloud or on your computer,” the report noted. “Some of this data is sensitive but can be safely stored in the cloud with appropriate controls in place.”

What’s more, the practice is getting worse. There were only 143 such files found in Q3 2015.

With this kind of security practice at play it’s perhaps not surprising that 71% of organizations studied have at least one account compromised per month, 57% have at least one insider threat each month and almost half have a privileged user threat every month.

The problem is compounded by virtue of the huge volume of user-generated events in Office 365 each month – an average of 5.4 million. Of these, 256 were judged by Skyhigh Networks to be “anomalous” and just 2.7 actual threats – although the trick is finding this needle in a haystack.

“The challenge for enterprises today is how to develop the people, processes, and technology to identify these threats against the background noise of everyday Office 365 usage,” the report claimed.

Under Microsoft’s shared responsibility model, Redmond will take care of “platform security” but it’s down to individual customers to apply security and compliance controls to use the apps safely.

Skyhigh Networks EMEA director, Nigel Hawthorn, claimed that the number of sensitive cloud documents stored in Office formats will only increase as OneDrive is integrated more tightly into Office 365.

“Therefore, it’s imperative for businesses to educate their employees about how to safely store documents in the cloud; and that need is even more vital in industries where the nature of data is likely to be highly sensitive such as in financial services or healthcare, two of the biggest users of Office 365,” he added.

Source: Information Security Magazine