Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for November 2016

US Navy Admits To Data Breach, 130,000 Exposed

US Navy Admits To Data Breach, 130,000 Exposed

The US Navy has admitted to a data breach that exposed personal and sensitive information of 130,000 current and former sailors.

According to a US Navy statement, the organization was initially made aware of the breach at the end of October by Hewlett Packard Enterprise Services. HPE said that a company laptop being used by an “employee supporting a Navy contract” was compromised. Sensitive information – including names and Social Security Numbers (SSNs) of 134,386 sailors – was accessed by “unknown individuals.”

The Navy said it will be informing all those affected within the next few weeks, and is reviewing credit monitoring service options for affected sailors. So far there has been no sign that any of the data has been misused in any way, the Navy’s report said.

"The Navy takes this incident extremely seriously. This is a matter of trust for our sailors," said Chief of Naval Personnel Vice Adm. Robert Burke. "We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach."

In a statement released to Infosecurity Magazine, HPE refused to elaborate on the nature of the compromise or how it was discovered. "The security and privacy of our clients is a top priority for HPE. This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of Navy personnel," the statement said.

The US military is no stranger to data breaches. The huge hack on the US Office of Personnel Management exposed data on around 20 million people, many of them military and other federal government employees.

This announcement comes at a particularly embarrassing time for the US military, as it has just launched a ‘Hack the Army’ bug-bounty program. The Army will be offering cash rewards to anyone who finds a vulnerability in public-facing Army websites.

Source: Information Security Magazine

Locky Ransomware Spreading Via Facebook, LinkedIn

Locky Ransomware Spreading Via Facebook, LinkedIn

Security researchers have discovered ransomware being spread through images and graphic files being shared on social networking sites including Facebook and LinkedIn. Among the malware being distributed is the infamous Locky ransomware.

Check Point researchers have dubbed this new attack vector ImageGate. Their findings build on the discovery by Bart Blaze of malware being spread through Scalable Vector Graphics (SVG) files on Facebook Messenger. Users in that case were prompted to install a codec extension to view a video or image apparently sent by a contact. The extension downloaded the Nemucod downloader, which can spread malware and steal sensitive information.

Now Check Point’s security team claims to have discovered how the hackers managed to execute the malicious code embedded within the images. The attackers managed to exploit a misconfiguration contained within the design of these sites that could deliberately force users to download the malicious file.

Once downloaded, the malware becomes active when the file is open. In the case of the Locky ransomware, all files on the affected computer are encrypted until a ransom is paid. Recent statistics from Check Point revealed that Locky accounted for 5% of total global attacks spotted during the month of October, making it the second most prevalent bit of malware currently out in the wild.

Locky has also been increasingly targeting healthcare organizations in recent months.

Oded Vanunu, Head of Check Point’s Products Vulnerability Research, said that given the popularity of social networking sites like Facebook and LinkedIn, it’s not surprising that attackers are focusing their efforts there.

“As more people spend time on social networking sites, hackers have turned their focus to find a way in to these platforms,” he said. “Cyber-criminals understand these sites are usually ‘white listed’, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities.”

Check Point added that it will release further details about the vulnerability once the affected websites confirm they have fixed the flaw.

In order to better protect yourself from these types of attacks, users should never download attachments from people they don’t know, or open attachments that look like an image but contain an unusual filename extension.

Source: Information Security Magazine

African and Asian Banks Hit by Targeted Zero Day

African and Asian Banks Hit by Targeted Zero Day

Security researchers have discovered a new series of attacks against banks in Africa and Asia utilizing a zero day exploit in a local word processing app.

The exploit in question is aimed at the InPage software package typically used by Urdu and Arabic-speaking people – with a claimed two million users worldwide, according to Russian AV firm Kaspersky Lab.

The zero day is delivered to individuals in targeted banks via a classic spear phishing email, which aims to use social engineering tactics to trick the recipient into opening a malicious attachment disguised as a legitimate document.

After successfully exploiting the vulnerability in question, the malware will phone home to a C&C server and download legitimate remote access tools, Kaspersky Lab claimed.

In some cases, Zeus-type malware is downloaded, the firm added.

Kaspersky Lab security expert, Denis Legezo, said it’s easy to understand why attackers are using bugs in localized software like InPage.

“The attackers adjust their tactics to their target’s behavior by developing exploits for custom software which doesn’t always receive the kind of scrutiny that big software companies apply to their products,” he explained.

“Since local software is not a common target of exploit writers, vendors are not very responsive to vulnerability reports and existing exploits remain workable for a long time.”

A similar tactic was used back in 2013 against the Hangul Word Processor (HWP) software popular in South Korea, the firm added.

Kaspersky Lab claimed that there are no reported incidents of cyber theft via this exploit, although banks are urged to double down on enterprise-grade security tools and user education on how to deal with unsolicited mail.

Banks, like all organizations, should also ensure they’re running the latest version of all key software, via automated patch management platforms.

Source: Information Security Magazine

Barclays Set to Launch Mobile ATM Cash Service

Barclays Set to Launch Mobile ATM Cash Service

Barclays Bank is hoping to improve ATM security by launching a new nationwide contactless cash withdrawal service for mobile devices next year.

The new mobile cash service, said to be the UK’s first, is currently on trial in the North of England and will roll out to over 180 branches and 600 Barclays cash points in the New Year.

Customers simply tap their Android smartphone against the ATM contactless reader and then enter the PIN as normal on the machine keypad to withdraw. Or to speed things up further, they can pre-enter their PIN and withdrawal amount and select if they want a receipt on the Barclays Mobile Banking app.

They then have 30 seconds to tap the contactless ATM reader and the cash will be dispensed.

Withdrawal limits are currently set to £100, but Apple devices will not be able to use the service.

This is because the iPhone NFC chip is reserved solely for the use of Apple Pay – no third-party provider gets a look-in.

Barclays UK CEO, Ashok Vaswani, claimed in a statement that the new service would make customers’ lives easier and their finances more secure.

“Our customers now expect to be able to use their smartphone to make their everyday purchases. We want taking out cash to be just as easy,” he added.

“With Contactless Cash customers can quickly and securely take-out money with just a tap of their smartphone – a first for the UK.”

Cindy Provin, chief strategy officer at Thales e-Security, welcomed the latest innovation in payments.

“It’s encouraging to see the payments industry continue its commitment to embracing digitalization to improve efficiency of payments and further reduce the possibility of fraud with ATM withdrawals,” she said.

“However, with risks to mobile payments – such as malware already present on an end-user’s device – it is critical that security remains front of mind when developing such innovations.”

The new service will also work with contactless cards.

Source: Information Security Magazine

Bletchley Park to House New National Cybersecurity College

Bletchley Park to House New National Cybersecurity College

World War Two code-breaking hub Bletchley Park is set to see active service again after plans were unveiled to house a new national cybersecurity college there.

The UK’s first National College of Cyber Security will end up in G Block, one of the biggest parts of the sprawling site, once renovations are completed in 2018.

The idea is to create a free-to-attend boarding school to nurture the country’s most gifted 16 to 19-year-olds and turn them into the cybersecurity leaders of tomorrow.

The syllabus will apparently be created by current cybersecurity leaders, with related subjects such as maths, physics and computer science also taught.

Once the £5 million project is complete, organizations from all over the UK will also be able to host security-related events, train staff and engage the public.

The college is the brainchild of QUFARO, a new non-profit created by cybersecurity experts currently working in organizations such as Cyber Security Challenge UK; The National Museum of Computing; the Institute of Information Security Professionals; BT Security, and Raytheon.

The group also aims to create new cybersecurity courses currently not available in the UK such as those aimed at teachers or professionals looking to change careers.

Its first course, the Extended Project Qualification (EPQ), is already up and running and available for school pupils and independent learners wanting to study the subject between GCSE and university degree level.

QUFARO is also preparing to launch a new £50m investment fund next year for entrepreneurs in the cybersecurity space.

QUFARO chair, Alastair MacWilson, argued that the current cyber education landscape is complex and disjointed, meaning the UK is at risk of losing talented youngsters to other sectors.

“For those interested in forging a career in cyber, the current pathway is filled with excellent but disparate initiatives – each playing a vital role without offering a truly unified ecosystem of learning and support,” he added.

“By connecting what already exists and filling the gaps, QUFARO will make it easier for budding professionals to grow their cybersecurity skills at every stage of their journey, and contribute more to the sector as a result.”

QUFARO was the brainchild of Tony Sale, the man who helped save Bletchley Park from demolition in the 1990s. The six letters of the name were apparently selected at random by a computer program.

Source: Information Security Magazine

Internet Society: Five Steps to Improve Trust Online

Internet Society: Five Steps to Improve Trust Online

The Internet Society has revealed five recommendations it hopes will improve online trust and help organizations better mitigate the risk of data breaches.

Its 2016 Global Internet Report claims data breaches are spiralling out of control, which in turn is causing consumers to hesitate going online.

Organizations are spending more on prevention, but this is not having a noticeable effect on the number or impact of breaches, it adds.

The report continues:

“Why are organisations not taking all available steps to protect those who entrust them with their personal information? Is it because they do not bear all the costs of the data breaches? Is it because there is not enough benefit to them in better protecting their users’ data? The answer to both questions is yes.”

Organizations must revisit their approach to put users front and center of solutions and increase transparency through breach notifications and disclosure, the Internet Society recommends.

The latter will in any case be forced upon all organizations which deal with the data of European citizens, according to the requirements of the European General Data Protection Regulation, set to come into force in May 2018.

Next up, the non-profit recommends best practice data security be made a priority. This could include preventative measures such as patching vulnerabilities, blocking phishing emails and embedded malware and training employees to spot attacks.

Firms can also mitigate risk by only collecting the minimum amount of user data required to run services, and encrypting data in transit and at rest, the report continues.

The Internet Society also advocates new rules regarding liability and remediation which place accountability for any breach firmly on the organization’s shoulders.

It concludes that by creating a market for trusted and independent assessment of the measures that firms put in place to keep customer data safe, they can begin to differentiate by indicating how secure they are.

Source: Information Security Magazine

Deliveroo Under Fire After Hungry Hackers Defraud Firm

Deliveroo Under Fire After Hungry Hackers Defraud Firm

Takeaway delivery service Deliveroo has come under criticism after an investigation revealed customers have had their accounts broken into and used to run up huge bills.

BBC’s Watchdog program discovered some users of the popular service were left several hundred pounds out of pocket.

"I noticed that I had a 'thank you' email from Deliveroo for a burger joint in Chiswick,” Judith MacFayden, from Reading, told the program. “I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.”

Deliveroo claimed the accounts were hacked because customers reused credentials from other accounts which were compromised in a data breach.

It added that no financial data had been stolen as a result.

Deliveroo claimed it didn’t want to comment on which anti-fraud measures it has in place, for obvious reasons, but said it’s always working to improve such measures.

“Recently, this included frequently asking customers to verify themselves when entering a new address,” it added.

“On the rare occasions when fraud does occur, we work with customers to secure their account, reimburse them for fraudulent transactions and where appropriate work with the relevant authorities."

However, it does appear as if the firm’s checks were found wanting, for example by not being able to spot a single ‘customer’ creating multiple orders for delivery at addresses far from their home.

It’s also been argued that Deliveroo failed to ask returning customers to add their CV2 number to pre-saved account details – a simple step which would have made it impossible for hackers who broke into their accounts to complete orders.

James Romer, chief security architect Emea at SecureAuth, claimed firms need to add extra layers of authentication to the log-in process, as long as this doesn’t impact the user.

“Multi-factor, adaptive authentication, renders stolen credentials completely worthless, taking advantage of the contextual information that exists today around our identities, devices and locations, making it much harder to compromise accounts,” he argued.

Source: Information Security Magazine

Two-thirds of London Councils Suffered Breach in Past Four Years

Two-thirds of London Councils Suffered Breach in Past Four Years

Around two-thirds of London’s councils have been breached over the past four years, according to a new Freedom of Information request.

Identity management firm Secure Cloudlink’s research revealed that 21 out of the capital’s 33 local authorities had suffered a data breach over the period, although Hackney and Kensington and Chelsea refused to disclose the information – ironically for security reasons.

Barnet, Camden, Croydon, Greenwich, Lambeth, Lewisham, Wandsworth, Westminster and the City of London were among those affected, while Bexley, Bromley, Ealing, Enfield and Haringey were on the list of those which managed not to spill data during the period.

Fortunately, there’s no evidence to suggest that any breached citizens’ data has been subsequently been used in follow-up fraud or cyber attacks.

However, the research confirms that data protection in local government is still far from perfect.

“Designs that were once suitable have not been updated to keep pace with today’s digital economy, and because of this, hackers have been able to capitalise and steal information much more easily,” argued Secure Cloudlink chairman, Mark Leonard.

“The Cyber Essentials Scheme in fact is a government-backed initiative that aims to provide clearer guidance and advice for organisations looking to improve their cyber security housekeeping. Its advice is certainly valuable in providing the solid foundations to improving security practices. On top of this, education must also be balanced with having the necessary systems in place to counter threats.”

The FoI findings reflect those of UK privacy watchdog the Information Commissioner’s Office (ICO).

In the second quarter, the sector was the second most prevalent for data security incidents after healthcare.

Incidents in local government increased 44% from the previous quarter.

The ICO had the following:

“Local governments handle a large volume of information, much of which is sensitive; if the security of this data is compromised, this could potentially be distressing for any affected individuals. For example, in Q1 2016/17, 31% of local government incidents (19 incidents) affected health or clinical data.”

Source: Information Security Magazine

ESET Announces Raft of Security Additions in Version 10 Release

ESET Announces Raft of Security Additions in Version 10 Release

Speaking at a press event in Bratislava yesterday ESET’s chief technology officer Palo Luka announced some of the new encryption features that have been added as part of the company’s Version 10 release of its consumer security software, which launched last month.

“Version 10 was probably the smoothest and best release so far,” Luka claimed. “The features are pretty remarkable,” and are detailed below:

Script-based Attack Protection
Detects attacks by malicious scripts that try to exploit Windows Power Shell. Also detects malicious JavaScripts that can attack via your browser, with Mozilla Firefox, Google Chrome, Microsoft Internet Explorer and Microsoft Edge browsers all supported.

Luka explained that this new protection is especially useful in defending against “the worst kind of malware that you can get these days when you are a home user or a consumer”, which is ransomware.

Protection Against Ransomware
This adds another layer of protection against especially nasty types of malware. This layer is tracking processes and activity, thus alerting the user if a suspicious behavior is taking place.

Home Network Protection
This addition allows users to prepare for IoT threats in the home, enabling them to test their home router for vulnerabilities. What’s more, it also provides an easy-to-access list of connected devices.

“Often we don’t even know what’s connected to our networks,” Luka said, “so we figured it might be really useful to provide people with some sort of audit of what’s in their network.”

Web Cam Protection
Constantly monitors all the processes and applications running on a user’s computer to see which ones want to use the webcam – alerting the user to any that try to access the web cam unexpectedly and lets them block them.

ESET Password Manager
Employs AES-256 encryption – the world’s leading standard, as used by the military – to store and pre-fill all passwords with the use of a master password. It can also generate and store extra-strong new passwords each time the user needs one.

“People don’t use good passwords,” argued Luka. “We kept telling people which types of passwords they should use” but they still seem to use insecure credentials online. “This will help you [users] remember and generate very complicated passwords which are different for each site.”

ESET Secure Data
Lastly, this lets the user encrypt files and removable media (e.g. USB keys) for ultra-secure safeguarding of their data, protecting against data theft in the event of USB-key or laptop loss, and allows secure collaboration and data sharing.

Source: Information Security Magazine

Malware Gambit Uses Facebook, Google Chrome and SVG Images

Malware Gambit Uses Facebook, Google Chrome and SVG Images

Malware is spreading via Facebook, through messages that contain only an image.

According to security researcher Bart Blaze, the images have an extension for Scalable Vector Graphics (SVG), an XML-based vector image format for two-dimensional graphics, with support for interactivity and animation. This means that someone can embed any type of content, and any modern browser will be able to open the file.

It was also able to make it through Facebook’s filter—something that the social network has now fixed.

“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image had been sent automatically, effectively bypassing Facebook's file extension filter,” Blaze said.

If a user clicks on it, he or she is redirected to a fake YouTube site in the Chrome browser, which pops up the message, "You must install the codec extension to watch this video."

That extension, which was in the Chrome store and thus evidently bypassed Google’s vetting process as well, is in reality the Nemucod downloader, which harvests credentials and is capable of spreading malware.

One security researcher got ransomware as an ultimate payload, tweeting:

@peterkruse

Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged as .svg file. Bypasses FB file whitelist.

Blaze notified the Facebook and Google Chrome security teams; Facebook is now filtering for SVG files, and the rogue Chrome extension was removed from the store.

Anyone affected should remove the malicious extension from their browser, run an antivirus scan and change the Facebook password afterwards. People should also notify any friends who received a malicious file from them.

“As always, be wary when someone sends you just an 'image'—especially when it is not how he or she would usually behave,” Blaze said. “Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen.”

Photo © rvisoft/Shutterstock.com

Source: Information Security Magazine