Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for June 2016

Analyst: Brexit Cybersecurity Ramifications Could be Significant

Analyst: Brexit Cybersecurity Ramifications Could be Significant

After 43 years of inclusion, the UK has voted to leave the European Union in the historically unprecedented “Brexit” referendum vote. Aside from causing uncertainty in the world’s financial markets and across the political landscape, the result has implications for cybersecurity too.

While some cybersecurity pros say that Brexit will have little ill effect on the space, others aren’t so sure. For one, Michela Menting, research director for ABI Research, noted that the UK will need to review its role Europol and the European Cybercrime Centre (EC3), which is the focal point in the EU’s fight against cybercrime.

“Organized online criminal activities are undeniably best tackled from a cooperative, supra-national perspective, and the UK’s isolation that may result from Brexit would be an unwelcome development in the fight against cybercrime,” she said. “Further to this, new cybersecurity information and asset sharing structures will need to be put in place between the EU and the UK.”

There may also be a dampening impact on the country with regards to the UK workforce skills pool.

Brian Spector, CEO of Miracl, a cybersecurity firm based and operating in UK, told the International Business Times, “The UK has a well-documented shortage of tech talent that means it simply cannot compete globally without tapping into highly-skilled overseas workers. Splitting away from Europe would make it even more difficult for UK tech firms to compete with the US tech giants, because their talent pool would be so much larger than ours. To cut ourselves off from the rest of Europe therefore does nothing to protect the UK’s reputation as being open for business.”

Companies are also evaluating whether to keep outposts in the post-Brexit capital.

“Our R&D department in Shoreditch, London, comprises of developers from several different EU nations—including Italy, Finland and Germany,” Jamie Moles, security consultant for Lastline, American cybersecurity firm, told the International Business Times. “These guys live and work in London and travel around Europe for research purposes—as well as to return home to visit family. There is an obvious concern post-Brexit that the rules might change regarding their ability to stay in the UK and or travel freely around Europe. We will have to wait and see if these concerns are founded or not and will of course support our team to remain employed and productive.”

From a data privacy and protection perspective, there’s also the question of whether the UK will align with the upcoming GDPR and NIS Directive. Further, according to Menting, the decision whether to retroactively repeal or keep all past EU legislation adopted to date for data protection and privacy.

“Currently, all EU laws still apply in the UK; at least over the course of the next two years as the UK untangles itself from the Union,” she said. “However, the UK will need to determine not only whether they will (unilaterally) implement similar legislation in the future.”

There are directives on e-commerce and data protection that date back to the early 2000s, the EU Directive on Data Retention from 2006, and the Directive on Attacks against Information Systems, adopted in August 2013. The UK has adapted all of these in some shape or form into national legislation.

“The UK will have to rule on the continued applicability of these instruments, as well as how they will address the incoming GDPR and NIS Directive,” Menting said.

Many US companies find the EU regulations onerous and an impediment to trans-Atlantic commerce; which on the one hand would point to Brexit being helpful from a US trade perspective. However, both the GDPR and the NIS Directive state that operators and data controllers will be covered by the legislative requirements if they operate within EU markets and involve EU citizens—which leaves Britain in a position of little power to forge its own path.

“Seeing the high level of trade that the open market has brought in the UK in the past four decades, many UK organizations will need to comply if they want to continue trading and operating in EU markets,” she said.

She said that the EU stands to lose in a lack of free-flowing resources too—especially when it comes to the UK’s allocation of funding to cybersecurity startups.

“While the UK government has placed significant investments in the cybersecurity startup scene in the past few years, it is also uncertain whether this funding will continue to be allocated to EU and UK firms indiscriminately as it has in the past,” the analyst noted. “it would be unfortunate, and detrimental to the cybersecurity industry in the long run, for the UK to take a similar direction with these currently highly successful investment projects.”

Despite the uncertainty around these issues, it’s important to keep a level head, according to AN Ananth, CEO of EventTracker.

“Brexit is affecting everything,” he told Infosecurity via email. “Security always suffers in times of uncertainty. What’s happened is unprecedented and there is a lot of confusion as to the next steps. This is the kind of chaotic environment in which insecurity thrives.”

He added, “This is reminiscent of 2008 when the U.S. financial system suffered. That type of environment hurts security, which is already hard enough to maintain. At times like this, process and discipline can help. You should train like you fight, because you’ll fight like you train, as the saying goes. I would recommend that everyone keep calm and carry on.”

Photo © g0d4ather

Source: Information Security Magazine

UK CyberSec Governance Still in Good Hands Despite Brexit, Say Security Pros

UK CyberSec Governance Still in Good Hands Despite Brexit, Say Security Pros

After months of speculating, dubious political scaremongering and heated debate the European Union (EU) referendum has come and come, with Britain now confirmed to be cutting its ties with what many view as one of the strongest and most successful multi-national peace initiatives ever.

So, as the dust settles and the realities of the Brexit start to kick in, it has left many in the industry pondering what it means for the future of cybersecurity and privacy governance, with concerns surrounding the upcoming General Data Protection Regulation (GDPR) – which will now not directly apply to the UK – a prominent talking point.

However, security experts have been quick to allay such worries, stating that even without the GDPR, Britain’s’ cybersecurity governance will still be in good hands, with a strong likelihood the country will adopt a legislation directly modeled on the GDPR designed to minimize the barriers to continued trade.

“The long-term impact of a ‘Brexit’ on the legislative framework for privacy will probably not be hugely significant,” said Peter Galdies, development director at data governance, risk and compliance firm DQM GRC. “After Article 50 is invoked which gives our official ‘notice’ to leave the EU (which now looks likely to be after October 2016), there will be a mandatory 2-year MINIMUM period in which we remain a member of the EU whilst we negotiate an exit. During this time all existing legislation (including GDPR) will continue as before. Many forecast that this process might take much longer – with many estimates between three and six years.”

“The many organizations which already manage or contain personal data relating to EU/EEA state citizens (clients, prospects or employees) will continue to have to manage that data according to the requirements of the GDPR regardless of ‘Brexit’, or they will be in breach of the GDPR and risk large fines – so for many organizations nothing will change – the GDPR will apply even when we leave.”

These were sentiments echoed by Michael Hack, senior vice-president of EMEA Operations for Ipswitch, who said:

“Companies who have dealings with the EU have been busily preparing to comply with the new EU data protection law, the GDPR. Now the UK is out it will be governed by a different data protection regime. However, it will still need to adhere to suitable data protection measures in order to transfer data to and from the EU. So in many regards, the requirements of the GDPR will still apply and it is back to the business of preparing for it.”

Tudor Aw, head of technology sector at KPMG UK, was just as optimistic, stating that the core attributes that make the UK Tech sector so strong and attractive remain in place despite the Brexit.

“Technology is a sector that will only increase in importance and works without borders, I therefore continue to see the UK Tech sector as one that will not only withstand the immediate challenges of the referendum result, but one that will continue to grow and thrive,” he added.

Source: Information Security Magazine

US Cyber Command Gets First Taste of Action Against ISIS

US Cyber Command Gets First Taste of Action Against ISIS

The United States military has revealed that its ongoing battle with ISIS has given Cyber Command its first major opportunity to engage in digital combat.

During a hearing this week, Cybercom deputy commander, Lt. Gen. Kevin McLaughlin told the House Armed Services Committee that the battle with Islamic extremists has given his team the first chance to engage “at scale” in support of US Central Command.

“The war on ISIL is the first at scale opportunity to do that in support of US Central Command. In many cases this is the first actual live opportunity for these forces to conduct that type of mission,” he claimed, according to military intelligence website Debka.

McLaughlin is hoping eventually to have 6000 troops budget of close to $5 billion at his disposal as the US starts to put cyber at the heart of its military capabilities.

In fact, Air Force Brig. Gen. Charles L. Moore Jr. told the same committee that there’s hardly a mission today that doesn’t include some kind of cyber capabilities, the DoD reported.

The department is currently building up its Cyber Mission Force, a new body tasked with cyber defense and deterrence against state actors.

“While significant progress in all these areas has been made in the last year, significant challenges do remain, to include equipping the force, establishing a persistent training environment that is responsive to the many layers of required training, recruiting and retaining a professional force and finalizing the command-and-control structure for the Cyber Mission Force,” he revealed.

The US would do well to build up its cyber capabilities given the huge investment China is putting into the same areas.

The Pentagon’s annual report to Congress in May said as much, claiming that Beijing views “information dominance” as a key strategic means to winning a military conflict in its early stages.

The report continued.

“The PLA would likely use Electronic Warfare, cyberspace operations (CO), and deception to augment counterspace and other kinetic operations during a wartime scenario to deny an adversary’s attainment and use of information. Chinese military writings describe informationized warfare as an asymmetric way to weaken an adversary’s ability to acquire, transmit, process, and use information during war and to force an adversary to capitulate before the onset of conflict.”

Source: Information Security Magazine

PunkeyPOS Variant Slurping Data from US POS Terminals

PunkeyPOS Variant Slurping Data from US POS Terminals

Security researchers have spotted a new variant of the PunkeyPOS malware family designed to lift credit card details from victim organizations.

Panda Security’s PandaLabs unit claimed in a blog post that as many as 200 terminals have been affected so far, the vast majority of which are located in the United States.

Thanks to a misconfigured C&C server, the security vendor managed to access it and view a “Bots manager” panel which allows the malware authors to reinfect or update their current list of infected clients.

The malware itself is similar to that publicized in April last year, according to PandaLabs technical director, Luis Corrons.

“That malware [from] April 2015 was from the same family. This is a new version made in April 2016, but from a functionality level the malware behaves in the same way,” he told Infosecurity by email.

“Funnily enough, we found this one by accident: we were investigating a different case involving hundreds of restaurants, bars, etc. attacked by POS malware (not related to PunkeyPOS) and one of those POS was also infected with this one.”

In terms of functionality, the malware includes a keylogger responsible for monitoring keystrokes and a RAM scraper designed to read the memory of processors running on the system.

PunkeyPOS will decide which data is relevant and ignore anything that isn’t card data, which is read from the magnetic stripe and sold to fraudsters who can use it to clone cards for use at a later date.

“Once the relevant information has been obtained, it is encrypted and forwarded to a remote web server which is also the command and control (C&C) server,” Panda Security explained.

“In order to avoid the detection of the card information in case somebody is scanning the network traffic, it is encrypted before it is sent using the AES algorithm.”

The oddly titled malware is named after 80s US sitcom Punky Brewster.

Source: Information Security Magazine

Ormandy Donates £10K to Amnesty After Finding Bromium Bugs

Ormandy Donates £10K to Amnesty After Finding Bromium Bugs

Endpoint security firm Bromium has released more details of the vulnerabilities found by noted white hat Tavis Ormandy in its Bring Your Own Malware challenge launched at Infosecurity Europe this year.

During the show, the firm offered a £10,000 bounty to anyone who could find flaws in its technology, claiming the competition highlighted the importance of holding security vendors to account and ditching “marketing BS in favor of defensible design and rigorous evaluation.”

Although the firm’s co-founder Simon Crosby claimed to have deflected 189 attacks, of which 10 were unknown to Virus Total, Google researcher Ormandy found two bugs which allowed him to “escape micro-VM isolation” – one of the key features of the product.

“Tavis found a bug in an early build of vSentry 3.1 with support for an old version of Chrome that was sent to a customer to evaluate a feature, and mistakenly uploaded. A skilled attacker armed with a chain of additional bugs could exploit our bug to achieve code execution in the host Chrome browser,” Crosby explained.

“Fortunately, in a typical Bromium production deployment the Bromium Enterprise Controller automatically updates Chrome protection via ‘App Packs’ soon after Google releases a new version. Recent Bromium Chrome App Packs, for example, fix the known bugs you’d need to be able to exploit our bug.”

Ormandy also found a similar vulnerability in the firm’s protection for Internet Explorer, with Crosby arguing again that a “typical Bromium configuration” would mitigate the bug.

The Googler donated his £10,000 reward to Amnesty International, with Crosby matching the sum with $15,000 of his own.

Bromium is currently in the process of setting up its own bug bounty program and claimed it won’t be handing out any more money in the meantime.

Crosby revealed the firm engages pen testers every year in a bid to improve its products.

Source: Information Security Magazine

Hackers Make Off with Millions of Air India Frequent Flier Miles

Hackers Make Off with Millions of Air India Frequent Flier Miles

An orchestrated hacking campaign is targeting members of Air India’s frequent-flyer program, so far pilfering $23,745 worth of travel miles.

The Flying Returns program has more than 195,000 customer accounts. The Delhi Police said that the attack appears to have been aided by a company insider or travel agency staffer who knew the loopholes and vulnerabilities in the system. Those responsible created 20 separate email IDs to “divert the reward points earned by passengers,” according to Air India.

Praveen Lal, commercial manager at the airline, told the Times of India: “All the affected membership accounts have been suspended so that no further activity can take place from these accounts. The affected user IDs have been deactivated along with user IDs that have identical usernames and passwords. Also, all such user IDs that have not been active for the past three months have been deactivated.”

A senior police officer, who wished to remain anonymous, added: “Apart from the computer hacker, we suspect the role of a present or a former employee who may be aware of the intricacies and loopholes in the system. We have asked the airline to supply us a list of employees who have quit the company recently.”

This isn’t the first time that mileage accounts have been targeted. High-flying thieves with stolen usernames and passwords hacked into customer accounts at both American Airlines and United Airlines in late 2014, booking trips for themselves using people’s stores of miles.

A United Airlines spokesperson said that mileage transactions were made on only about three dozen accounts, and that the stolen goods would be restored into users’ customer accounts. American, on the other hand, was not so lucky: about 10,000 AA accounts were hacked.

Air India is looking into which flights may have been purchased with the stolen miles, but Kaspersky Lab warned back in 2011 that miles can be used as a form of online currency. It noted a case of a cyber-criminal selling access to a Brazilian botnet that sends spam, in exchange for 60,000 flight miles. In another instance, air miles were offered for stolen credit cards.

Photo © Markus Manila/Shutterstock.com

Source: Information Security Magazine

Crypto-Ransomware Victims Jump Five-Fold in Just a Year

Crypto-Ransomware Victims Jump Five-Fold in Just a Year

Kaspersky Lab has confirmed what many had feared with new stats claiming a five-fold rise in the number of users encountering crypto-ransomware in the period of just a year.

The Russian AV firm analyzed global users of its products with the Kaspersky Security Network feature enabled and compared two 12-month periods: April 2014-March 2015 and April 2015-March 2016.

When looking at ransomware as a whole – both encryption and ‘Windows blockers’ types – the number of users encountering the malware rose over 17% during the period, from 1.97 million to 2.3m.

For crypto-ransomware, which has almost become the de facto choice for black hats today, the number of users attacked rose 5.5-times – from 131,111 in 2014-2015 to 718,536 in 2015-2016, the firm claimed.

As if to highlight the popularity of this type of ransomware among cyber-criminals, the share of users encountering crypto-ransomware as a proportion of those encountering ransomware in general soared from 6.6% to 31.6% over the same period.

The figures seem relatively small on the global scale, but they are only those of Kaspersky Lab customers. Trend Micro, for example, claimed this week to have blocked 100 million ransomware threats for its global customers in the past six months.

Kaspersky Lab researcher Jornt wan der Wiel explained further the reason for the relatively low number.

“When Kaspersky Lab finds new malware, this is generally through automated detection and analysis. One such classification is ‘Trojan-Ransom’, and this is the category into which we put ransomware samples. This process relies on generic verdicts and these verdicts don’t differentiate between ransomware and other types of malware,” he told Infosecurity by email.

“Further, ransomware, like most other malware, works with droppers and downloaders. So if, for example, the ransomware is downloaded via a word document, and the AV already blocks this, then the ransomware is never downloaded and will not show up in the statistics.”

Given the apparently high RoI from ransomware – with many individuals and organizations deciding to pay up rather than lose their data – it’s perhaps no surprise that it continues to be a favored money-making tactic for the black hats.

Back in April, the FBI told CNN that its own estimates put losses to the cybercrime underground at $209 million in the first three months of the year alone.

The agency also warned that the usual fee of a few hundred dollars has been known to rise if ransomware authors believe the victim organization will pay it.

The Hollywood Presbyterian Medical Center famously paid around $17,000 to unlock its systems after being infected.

Organizations were urged to take preventative measure such as to back-up essential data – whilst ensuring one copy is always offline – use corporate-grade security, patch regularly, educate employees not to open suspicious emails.

In the event of infection, firms were advised by Kaspersky Lab not to pay the ransom and instead inform the police.

Source: Information Security Magazine

LinkedIn Fears as 1 in 5 Admit Connecting with a Stranger

LinkedIn Fears as 1 in 5 Admit Connecting with a Stranger

Intel Security has urged organizations to educate employees about the dangers of over-sharing on LinkedIn after new stats claimed nearly a quarter of Brits have connected to someone they don’t know on the social site.

The security firm polled 2000 UK-based 18-54-year-olds and found that over one in five had allowed a stranger to access their details by accepting a connection request.

Even more concerning was that over two-thirds (68.7%) admitted they had never wondered if someone is not who they say they are on the business networking site – a figure which rose to 71.5% in the 18-24-year-old age category.

Black hats are increasingly looking to sites like LinkedIn to harvest information on employees and their roles within a company, which they can then use to make spear phishing attacks – often the first stage in a targeted attack or APT – more convincing and effective.

They could also be the precursor to a whaling attack – where a scammer typically emails a member of the finance team pretending to be a CEO or CFO and requesting the transfer of funds outside the organization to an account in another country.

Often the cyber-criminal will pretend to be a recruiter or someone else in the same or similar industry, which can be enough to trick victims into accepting the connection request, explained Intel Security EMEA CTO, Raj Samani.

“Social networking sites are a treasure trove of data used by malicious actors in order to research potential targets for attacks, not only requesting to connect with senior executives but as many junior or mid-level employees at a company as possible,” he added.

“They then target senior level execs, using their existing connections with colleagues as proof of credibility by leveraging the principle of social validation. Once these connections are in place they can launch a targeted phishing campaign.”

Samani urged organizations to include LinkedIn security and privacy tips in employee awareness and training programs in a bid to counter the threat.

Source: Information Security Magazine

Password Reset After Hackers Target Carbonite Accounts

Password Reset After Hackers Target Carbonite Accounts

Online back-up company Carbonite has warned customers it’s resetting all user log-ins after discovering a number of unauthorized attempts to access accounts via potentially compromised and reused credentials.

The firm moved quickly to reassure customers that its own systems had not been compromised, adding:

“This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts.”

User names, passwords and, for some accounts, personal information, appears to have been involved, Carbonite continued.

As a result, the firm said users will receive an email in the next few days asking them to reset passwords, which it recommended be strong and use unique credentials. It also suggested they reset any passwords used for other online services if they are the same or similar to the ones used for Carbonite.

To help customers spot phishing emails, Carbonite urged them to check the sender’s email address is carbonite@cloud.carbonite.com. It added that the URL if they click through should be account.carbonite.com and that it won’t request them to download or execute any executables.

However, users were quick to complain in the comments section that the password reset email still appeared dubious.

In response, the firm said it had put a banner on its homepage alerting users of the changes and posted the same message to social media channels.

The incident underscores the importance of users avoiding password reuse, as it improves success rates for brute force attacks, according to Imperva security researcher, Nadav Avital.

“The popularity of this attack is on the rise since it is fairly simple; it requires minimal resources from the attacker and there are lots of leaked credentials to work with,” he argued. “There are plenty of tools out there, including advanced ones that can mask the attacker’s identity through TOR, rotating the user-agent string and more.”

These types of attack also place an “intense load” on the authentication server of the attacked site, and can severely disrupt operations by leading to users being locked out of their accounts if safety procedures kick in, Avital added.

“Sadly, most sites lack the proper security measures to stop these attacks,” he concluded. “A proper mitigation must provide account takeover solutions such as detection of stolen passwords usage, detection of automated tools (bots) and detection of account access from malicious device.”

The incident also highlights the need for two-factor authentication, which would have overcome these issues, although some users find the process adds extra friction to the log-in process.

Source: Information Security Magazine

Clinton Foundation Also Breached by Russian Hackers – Report

Clinton Foundation Also Breached by Russian Hackers – Report

The Clinton Foundation is the latest major US political organization to have been breached in a large-scale operation by suspected Russian hackers ahead of the presidential election in November, it has been claimed.

Three people “familiar with the matter” told Bloomberg that government investigators identified a breach at the non-profit last week, after piecing together the hackers’ operations via the C&C servers used in attacks.

It’s thought that potentially embarrassing information relating to the Foundation’s activities could be made public and subsequently used by the Trump camp to score political points against Hillary Clinton’s presidential campaign.

The hackers responsible for long-running attacks on the Democratic National Committee and Clinton’s presidential campaign have also targeted at least 4000 individuals including party aides, advisers, lawyers and foundations over a seven-month period, Bloomberg claimed.

It’s believed there could be links to Russian state-sponsored groups. The Kremlin would certainly benefit from disseminating any information which could weaken the US and its next president on the international stage, although Moscow has denied any involvement.

Mark Kraynak, SVP and general manager of Enterprise Solutions at Imperva, claimed the incident proves all data has value, even if it’s not commercial.

“The problem is that the value to an intruder may be higher than it is to the data owner, at least until it is compromised,” he added.

“Situations like this are a great reminder of the need for all organizations to ensure the security of their data and that they have appropriate response mechanisms in place for the inevitable attack.”

In fact, both presidential hopefuls were warned back in May to expect a barrage of cyber-attacks during the forthcoming campaign.

At that time the FBI and DHS were said to be trying to educate officials on both campaigns to help them improve IT security – it seems with limited success.

Clinton is still under investigation by the FBI over her now infamous use of private e-mail channels to carry out official government business while secretary of state.

Source: Information Security Magazine