Archive for January 2017

Fraudsters Pose as DfE Officials to Spread Ransomware

UK police are warning that fraudsters are posing as Department for Education (DfE) officials in order to trick schools into installing ransomware.

An Action Fraud notice claimed that the fraudsters have been cold calling education institutions pretending to be government officials and socially engineering the victim into giving them the email address of the head teacher, in order to send across “sensitive information.”

The resulting email contains a .zip attachment loaded with ransomware that will apparently demand up to £8000 to recover the files.

Action Fraud claimed similar cases have been noted where the fraudsters pretend to be calling from the Department for Work and Pensions, or even telecom providers.

The newly reported incidents represent an escalation in tactics for getting ransomware onto the networks of targets presumably selected because they are relatively poorly secured and may be willing to pay a high ransom to regain access to their data.

“Once again, hackers have preyed on the weakest link in security – the end-user – but this is not where the fault lies. It’s unfair to expect busy teachers to be able to tell the difference between an email from the Department of Education and these sophisticated mimics,” argued Fraser Kyne, EMEA CTO at Bromium.

“Hackers are clever and convincing con artists, yet the industry continues to try and convince us that they can be defeated through detection tools and user education. As we can see from the rise in such attacks, this approach is neither realistic nor effective.”

In related news, new tactics designed to deliver the Petya variant GoldenEye have been discovered using fake job application emails.

The new campaign is designed to target HR staff, with the ransomware hidden in a malicious attachment masquerading as a CV, according to Check Point.

The emails also contain a harmless PDF as covering letter in order to lull the recipient into a false sense of security, the vendor claimed.
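Both campaigns above deliver the payload as an e-mail attachment, so the control a defender wants is a check on what an incoming archive actually contains before it reaches a head teacher or an HR inbox. The following is an added example, not code from the article, Action Fraud or Check Point: it inspects a .zip attachment offline and flags members that are directly executable, use a double extension such as .pdf.exe, are macro-enabled Office files, are nested archives, or are password-protected (a common way of keeping the payload away from gateway scanners). The extension lists, the compression-ratio threshold and the sample archive are constructed for illustration.

```python
"""Screen a .zip e-mail attachment for members that should never arrive
unsolicited.  Added example; the extension lists, threshold and sample
archive are constructed for illustration, not taken from the article."""
import io
import posixpath
import zipfile

# Extensions Windows will run directly once the archive is extracted.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".lnk"}
# Office formats that can carry VBA macros.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Benign-looking extensions attackers place in front of the real one.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png", ".xls"}
MAX_RATIO = 100  # uncompressed/compressed bytes; above this treat as a zip bomb


def classify_name(name):
    """Return a verdict for one member name based on its extension(s)."""
    parts = posixpath.basename(name).lower().split(".")
    if len(parts) < 2:
        return "ok"                       # no extension: nothing to judge here
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            return "double-extension executable"
        return "executable"
    if ext in MACRO_EXTS:
        return "macro-enabled document"
    if ext in {".zip", ".7z", ".rar"}:
        return "nested archive"
    return "ok"


def risky_members(zip_bytes):
    """Return [(member name, verdict)] for every member worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if info.flag_bits & 0x1:          # general-purpose bit 0: encrypted
                verdict = "password-protected member"
            elif info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                verdict = "suspicious compression ratio"
            if verdict != "ok":
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed attachment in the shape the article describes: a decoy
    cover letter beside a disguised executable and a macro document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Sensitive_Information.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("cover_letter.pdf", b"%PDF-1.4 decoy")
        zf.writestr("CV_Jane_Doe.docm", b"PK macro document placeholder")
        zf.writestr("update.js", b"var x = 1;")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in risky_members(build_sample_zip()):
        print(f"BLOCK {name}: {verdict}")
```

The harmless PDF in the GoldenEye mails would pass this check on its own, which is the point: the verdict has to be made on the whole attachment set, so a gateway should quarantine the message if any member is flagged rather than stripping only the offending file.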

Source: Information Security Magazine

NHS Data Security Incidents Top List Again

The UK’s healthcare sector once again accounted for the largest number of data security incidents in Q3 2016, although the charity, education and finance sectors revealed a bigger jump in incidents from the previous quarter, according to the ICO.

The UK’s privacy watchdog claimed in its quarterly review for the period July-September 2016 that reported incidents for healthcare jumped over 3% from the previous quarter.

So-called “cyber incidents” stood at 74 for the period, while loss or theft of unencrypted devices was 65. Other reported incidents listed included failure to redact data (11), and failure to use BCC when emailing sensitive data (18).

In total, the ICO reported 239 incidents for the period, significantly higher than the next most affected sectors – local government (62) and “general business” (56).

However, it had the following by way of explanation:

“The health sector once again accounted for the most data security incidents. This is due to incident reporting being mandatory, the size of the health sector and the sensitivity of the data processed.”

It’s likely that we’ll get a clearer picture of how well or badly the NHS is doing on data security versus other sectors when the European GDPR comes into force, bringing with it mandatory 72-hour data breach notifications.

It’s notable that, despite lower overall numbers, the volume of incidents in the education (18%), finance (18%) and charity (21%) sectors all grew by more than healthcare.

The ICO advised organizations looking for quick wins to prevent such incidents occurring to disable autocomplete on users’ email address bars – reducing the likelihood of sending emails in error – and to clarify policy so that staff better understand when and when not to use encryption.

Ransomware was a major scourge for the UK’s healthcare organizations in 2016.

Nearly half (47%) of NHS Trusts in England claimed to have fallen victim over the past 12 months, according to an FoI request from NCC Group in August.

In one of the most high profile cases, North Lincolnshire and Goole NHS Foundation Trust’s IT systems were taken offline for several days in autumn 2016 after an infection, forcing some patients to be moved elsewhere.

Source: Information Security Magazine

Cyber Insurance Adoption Soared 50% in 2016

Adoption of cybersecurity-related insurance grew 50% in the UK between 2015 and 2016, driven by fears of an online attack and the introduction of upcoming European data laws, a leading underwriter has revealed.

CFC Underwriting, which provides cyber insurance to over 20,000 clients globally, polled representatives from the industry at the 2016 Cyber Symposium in London late last year.

Some 23% claimed the “fear factor” of a costly attack had driven them to invest in insurance, while even more (26%) cited the European General Data Protection Regulation (GDPR) as a factor.

When it takes effect in May 2018, the EU GDPR will allow penalties of up to 4% of global annual turnover for erring companies, and stipulates that data breaches must be notified within 72 hours.

Over half (53%) of respondents claimed that electronic computer crime will likely lead to an increase in insurance claims, followed by “non-physical business interruption” (25%).

A spokesperson clarified to Infosecurity the difference between the two categories.

“Nonphysical business interruption refers to any business interruption caused by non-physical perils (ie not a flood, fire, physical theft, quake etc.) – so this could include system downtime caused by cybercrime, but also general technology failures that mean the business can't operate,” they said.

“Electronic computer crime is different – it refers not to the business being able to operate normally, but mainly to the costs associated with the theft of data.”

The figures follow ones released by CFC Underwriting last month which revealed the extent of the cyber threat to UK firms.

It claimed to have handled over 400 claims on cyber policies in 2016, a 78% increase on 2015.

“There is a huge exposure out there for businesses and there is still a certain complacency amongst them that they have it under control,” said Lloyd’s CEO, Inga Beale. “At Lloyd’s we are seeing huge cyber insurance uptake, and last year we introduced 15 different types of cover just for cyber, in anticipation of this demand rising in 2017.”

Source: Information Security Magazine

Koovla Ransomware Urges Users to Read Up on Security

Security researchers have discovered an unusual ransomware variant which offers a decryption key not if victims pay up, but if they read two articles on how to stay safe from malware.

Discovered by self-styled “ransomware hunter” Michael Gillespie, the “Koovla” variant is still in development, according to Bleeping Computer’s Lawrence Abrams.

Once downloaded, it works similarly to the Jigsaw ransomware family, loading text line by line on the user’s screen.

Then, bizarrely, it claims the user will gain access to the decryption key as long as they read two security articles: one from Google’s security team on how to stay safe online, and another from Bleeping Computer detailing the Jigsaw variant.

It states:

“In order for me to decrypt your files you must read the two articles below. Once you have, click the ‘Get My Decryption Key’ button.

Then enter in your decryption key and click the ‘Decrypt My Files’ button. Eventually all of your files will be decrypted 🙂

If the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two articles.

So User do you want to play a game?”

It’s unclear what the ransomware developer’s end goal is with this variant, although if it ever does make it into the wild it’s likely to contain some extra element to generate profits for the black hat.

As far as unusual ransomware families go, it’s up there with Popcorn Time.

Discovered last month, this ransomware has been designed to offer a free decryption key to any user prepared to send a malicious link to infect two of their contacts.

Ransomware is set to have another bumper year in 2017, although growth is likely to level out, according to Trend Micro.

The security vendor claimed in its 2017 predictions report that growth in the volume of new ransomware families discovered during the next 12 months would stand at 25%, with cybercriminals increasingly looking to generate bigger profits via things like Business Email Compromise (BEC) scams.

Source: Information Security Magazine

Massachusetts Makes Data Breach Records Public Online

The state of Massachusetts has upped the ante on data breach transparency: The Office of Consumer Affairs and Business Regulation has decided to make reports of potential identity theft available to the public on its website.

Previously, those reports could only be accessed by a public records request.

State law requires that any organization that keeps personal information about a Massachusetts resident notify state officials, as well as affected customers, any time that information is compromised. This includes external hacking incidents, unintentional data leakage and insider mistakes, among other scenarios. It also includes incidents outside of the cyberworld—say, if a briefcase with papers is stolen or misplaced.

Hundreds of data breaches affecting thousands of Massachusetts residents were reported to the state in 2016, and information on all of them is now available in a handy spreadsheet format that details how many residents were affected, what kind of information was lost, whether the organization in question provided credit monitoring, and more.

Massachusetts has been out in front on cybersecurity, recently offering a $5 million grant to bolster cyber-research and the computing technology used by the University of Massachusetts.

“Cybersecurity has no boundaries. It is a global issue and a global fight in some respects,” said Gov. Charlie Baker as the grant was announced at the UMass Center in Springfield, Mass., in 2016. “The more information that becomes digitized, the more opportunity for mischief and chaos and disaster associated with cyberterrorism.”

It also recently announced plans to partner with Israel’s CyberSpark to work on development, research and training related to cybersecurity. During a stop on Baker’s Economic Development Mission to Israel, economic development leaders took part in the signing of a memorandum of understanding (MOU) between the Massachusetts Technology Collaborative and CyberSpark, a non-profit made up of academic, industry and government resources.

Photo © Lukas Staffanski

Source: Information Security Magazine

NSA Director to Head Up CIS Controls Group


Curt Dukes, former director of information assurance at the National Security Agency (NSA), has been named executive vice president of the Center for Internet Security (CIS).

Dukes will be responsible for managing the Security Best Practices Automation Group, which includes the CIS Security Benchmarks, the CIS Controls and the tools to automate the evaluation of the standards.

“Curt Dukes’ three decades of senior executive leadership and his unparalleled track record of pioneering and managing complex cybersecurity products and services make him an ideal leader for the Security Best Practices Automation Group,” said John Gilligan, CIS board chair and interim CEO. “His addition will accelerate our efforts to provide our nation with effective solutions to address rapidly growing cybersecurity challenges.”

Dukes also will focus on the expansion of the content of CIS standards and increased adoption of CIS security best practices and standards. He will also lead the development and delivery of effective tools for scoring the implementation of CIS Benchmark and Controls standards and for automating the implementation of security best practices. 

The CIS Controls are a concise, prioritized set of practices that outline what every organization should do as its first steps in cybersecurity. CIS states that they mitigate 85% of the most common vulnerabilities.

One of the benefits of the CIS Controls is they are developed by experts based on their first-hand experience in the security field and are derived from actual threat data from a variety of public and private sources. In addition to being prioritized and relevant, the CIS Controls are updated regularly to stay in step with cybersecurity’s ever-changing threat environment.

“The cybersecurity industry is about innovation, and CIS is already a well-positioned leader in transforming security technology for today’s increasingly connected businesses,” said Dukes. “I am excited to join CIS as executive vice president and look forward to helping the Security Best Practices Automation Group continue its impressive track record of innovation and growth,” he added.

Dukes served as the director of information assurance at the National Security Agency in Fort Meade, Md., from 2013 until his move to CIS. His responsibilities included the security of systems that handle classified information or are otherwise critical to US military or intelligence activities.

From 2007 to 2013, Dukes was director of the NSA/Central Security Service (CSS) Commercial Solutions Center, where he was responsible for leading the agency’s portal to the commercial world. His responsibilities included leveraging industrial relationships, while partnering with international and national intelligence communities, and the Department of Defense, to address the strategic needs of the NSA/CSS and the National Security community.

From 2004 to 2007, Dukes was NSA’s chief at the Systems and Networks Analysis Center, where he led a technical workforce providing technology risk assessments, cyber-defense operations and advanced vulnerability research.

Dukes earned an MS in Computer Science from Johns Hopkins University after completing a BS in Computer Science at the University of Florida.

Photo © Balefire 

Source: Information Security Magazine

Cybersecurity Group Launches to Help Activists

Last week saw the launch of a new cybersecurity collective designed to help activists, journalists and human rights advocates better protect themselves from targeted online attacks.

Security Without Borders is the brainchild of Claudio Guarnieri, a security researcher who works with Amnesty International and the University of Toronto’s Citizen Lab.

The site’s Twitter feed went live last Friday, shortly after the project was launched at the Chaos Communication Congress in Hamburg.

Its broad mission is to provide those in need with a group of volunteers ready to assist with security-related issues.

A note on the website's homepage has the following:

“We can assist with web security assessments, conduct breach investigations and analysis, and generally act as an advisor in questions pertaining to cyber security. As security services are often expensive to come by, SWB offers these services free to organizations and people fighting against human rights abuse, racism, and other injustices.”

Clicking on the Request Assistance button will take users to an online form, the details of which will then be forwarded to members of the collective, who include penetration testers, malware analysts, developers, engineers, system administrators, and hackers.

There are currently around 30 such members, according to Motherboard.

“Some of us work in corporate security, some of us in academia, and some others in human rights organizations,” notes the homepage statement. “We want to dedicate some of our time to the betterment of global society.”

There’s certainly plenty for Security Without Borders to help out with.

Activists, journalists and human rights defenders around the world are routinely targeted by oppressive governments and organizations.

In August, renowned campaigner Ahmed Mansoor spotted a suspicious looking text message sent to his iPhone and sent it to Citizen Lab.

The group subsequently discovered a highly sophisticated iPhone exploit chain designed to deliver Pegasus, what Citizen Lab described as “a government-exclusive ‘lawful intercept’ spyware product”, developed by the Israel-based NSO Group.

Source: Information Security Magazine

Attacker Holds MongoDB Databases to Ransom


A cyber-attacker going by the name Harak1r1 has been hijacking unprotected MongoDB databases, deleting their contents and leaving behind a ransom note that demands Bitcoin for the return of the data, a security researcher has revealed. Nothing is encrypted in place, so this is extortion rather than ransomware in the usual sense.

Victor Gevers, co-founder of the GDI Foundation (a non-profit dedicated to making the internet safer), has spent the last 18 years carrying out security research and has made more than 5200 responsible disclosures in his time, including searching for unprotected MongoDB servers and warning companies of their risky status. 

On 27 December Gevers came across a MongoDB database that was open to external connections with no admin password, a common misconfiguration. When he accessed the open server, however, he found this attack was a little different from the silent data theft he usually sees.

Speaking to Infosecurity, he explained that the attacker created a local copy of the data, deleted the original database, and then created a database and a collection within, both named WARNING.

“I have seen indications of silent theft but never that a database was deleted,” he added. “Replaced with a new one called WARNING, with only one collection (table) with one record, all named warning with one single message that leads to one bitcoin address. Stealing data is very common and has been going on for years, but monetizing open databases [in this way] for ransom is a new development.”

Gevers argued that this is just the latest example of the security risks that surround unprotected, open databases, describing them as “disasters that are waiting to happen”, with many instances of large data leaks involving unprotected MongoDB databases.

“Our advice would be to protect this server with a firewall blocking port 27017 and limit the access of the service with bind_ip to only accept local connections as option in the configuration. Or you can choose to restart the database server with -auth option after you create users who can access the database.”

Also, Gevers urged users to check MongoDB accounts to see if somebody added a secret (admin) user, check the GridFS to see if someone stored any files there, and check the logfiles to see who accessed the MongoDB.
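Gevers’ two pieces of advice above (restrict the listener and enable authentication; then look for added users, GridFS files and who connected) translate into a configuration check and a log review. Below is an added example, not code from Gevers, the GDI Foundation or MongoDB: it audits a mongod.conf fragment for `net.bindIp` and `security.authorization` (the config-file equivalents of `bind_ip` and `--auth`), and walks a mongod 3.x log to tie each command back to the remote address of the connection that issued it, flagging external sources, `dropDatabase`/`createUser` commands and anything touching a database named WARNING. The config fragments, the log lines and the trusted-network list are constructed for illustration.

```python
"""Post-incident triage for an exposed mongod: a config audit and a log
review.  Added example; the config fragments, log lines and trusted
networks below are constructed and are not from the article."""
import ipaddress
import re

# Networks from which connections are expected; anything else is external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Commands an intruder wiping a database or planting an account would issue.
SUSPICIOUS_CMDS = {"dropDatabase", "drop", "createUser", "grantRolesToUser"}

# mongod 3.x log line: <timestamp> <severity> <component> [<context>] <message>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>[DIWEF])\s+(?P<comp>\S+)\s+"
                    r"\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$")
CONN_RE = re.compile(r"connection accepted from (?P<ip>\d+(?:\.\d+){3}):\d+ #(?P<id>\d+)")
CMD_RE = re.compile(r"command (?P<ns>\S+) command: (?P<cmd>\w+)")


def audit_config(conf_text):
    """Line scan of a mongod.conf (YAML) for the two settings Gevers names.
    Kept to string matching so the example needs no PyYAML; a bindIp given
    as a YAML list rather than a comma-separated string is not handled."""
    bind_ip = authz = None
    for line in conf_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "bindIp":
            bind_ip = value.strip()
        elif key == "authorization":
            authz = value.strip()
    findings = []
    # Before MongoDB 3.6 an absent bindIp meant "listen on every interface".
    if bind_ip is None or any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp absent or wildcard: mongod reachable from outside the host")
    if authz != "enabled":
        findings.append("security.authorization not enabled: no credentials required")
    return findings


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def triage_log(lines):
    """Tie each conn<N> context back to the IP that opened it, then flag
    external connections and suspicious commands with their source."""
    conns, findings = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ctx, msg = m.group("ctx"), m.group("msg")
        c = CONN_RE.search(msg)
        if c:
            conns[c.group("id")] = c.group("ip")
            if is_external(c.group("ip")):
                findings.append(("external_connection", c.group("ip"), c.group("id")))
            continue
        k = CMD_RE.search(msg)
        if not k:
            continue
        src = conns.get(ctx[4:] if ctx.startswith("conn") else "", "unknown")
        db, cmd = k.group("ns").split(".", 1)[0], k.group("cmd")
        if cmd in SUSPICIOUS_CMDS or db.upper() == "WARNING":
            findings.append(("suspicious_command", cmd, db, src))
    return findings


# Constructed samples: the exposed state Gevers found, and the fix he recommends.
EXPOSED_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nstorage:\n  dbPath: /var/lib/mongodb\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
SAMPLE_LOG = [
    "2016-12-27T10:15:32.123+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:40002 #1 (1 connection now open)",
    "2016-12-27T10:15:33.001+0000 I COMMAND  [conn1] command shop.orders command: find { find: \"orders\" } 12ms",
    "2016-12-27T22:41:07.552+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.5:51234 #2 (2 connections now open)",
    "2016-12-27T22:41:08.010+0000 I COMMAND  [conn2] command shop.$cmd command: dropDatabase { dropDatabase: 1 } 83ms",
    "2016-12-27T22:41:08.300+0000 I COMMAND  [conn2] command WARNING.WARNING command: insert { insert: \"WARNING\" } 1ms",
    "2016-12-27T22:41:09.000+0000 I COMMAND  [conn2] command admin.$cmd command: createUser { createUser: \"backup\" } 2ms",
]

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_config(conf) or ["ok"])
    for finding in triage_log(SAMPLE_LOG):
        print(*finding)
```

A host firewall rule belongs alongside the config change, for instance `iptables -A INPUT -p tcp --dport 27017 ! -i lo -j DROP`, so that a later config regression does not silently re-expose the port. The log review only works if the log covers the incident window, which is one more reason to ship mongod logs off the host.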

Source: Information Security Magazine

Kaspersky Lab: 1 in 5 Firms Have No DDoS Protection

Nearly one in five global businesses are not protected from DDoS attacks, with many unsure about the best plan of action, according to new research from Kaspersky Lab.

The Russian AV vendor polled over 4,000 IT professionals from SME and large organizations in 25 countries around the world, and discovered a sizeable 16% currently have nothing in place to prevent potentially crippling attacks.  

Worryingly, 30% claimed not to have put protection measures in place because they feel they aren’t likely to suffer such an attack, while 12% think a small amount of downtime is acceptable.

There’s also an assumption by many that either their internet service provider (40%) or data center/infrastructure provider (30%) will protect them.

Kaspersky Lab claimed that even if such an assumption is correct, many won’t be able to detect or deflect smarter attacks which typically seek to circumvent traditional filters – for example by using encryption.

That said, recent publicity of large scale DDoS attacks – most notably the Mirai-powered IoT botnet which disrupted many of the biggest names on the web – have had an impact on awareness levels, the research found.

A third of those with a DDoS mitigation strategy in place did so as a result of a risk assessment, while one in five (18%) claimed they’d been attacked before. An even bigger driver for DDoS protection among respondents is regulatory compliance (43%), Kaspersky Lab claimed.

The vendor’s head of DDoS protection, Kirill Ilganaev, argued that recent high profile attacks have highlighted just how disruptive DDoS can be.

“When hackers launch a DDoS attack, the damage can be devastating for the business that’s being targeted because it disables a company’s online presence. As a result, business workflow comes to a halt, mission-critical processes cannot be completed and reputations can be ruined,” he added.

“Online services and IT infrastructure are just too important to leave unguarded. That's why specialised DDoS protection solution should be considered an essential part of any effective protection strategy in business today.”

Source: Information Security Magazine

ICO ‘Breached Public Data’ Several Times Since 2013

Data protection watchdog the Information Commissioner’s Office (ICO) has been forced to take action several times over the past few years to prevent breaches at its own offices, according to a new investigation.

A Freedom of Information request sent to the privacy commissioner by Liberal Democrat peer and former London mayoral candidate Lord Paddick revealed 40 complaints have been made against the organization since 2013.

Of those, seven resulted in the ICO effectively ordering itself to take action to prevent further breaches, two in compliance with advice being issued, and two with various concerns raised, according to the Evening Standard.

However, on three occasions, ICO staff apparently self-reported potential breaches when personal data on citizens was accidentally exposed.

Two of these were classed as “non-trivial data security incidents” and required full investigations, resulting in recommendations being made on how to improve data handling.

The third incident apparently involved the release of a small amount of information on five people to a person with the same name, but was deemed not to require any further action.

Lib Dem Lords Home Affairs spokesperson Paddick argued the findings of the FoI request raised concerns about the safety of the public’s data.

“More and more of our data is being held by government agencies; if even the ICO can’t stick to the rules it does raise questions about how secure our data really is,” he’s quoted as saying.

The ICO is an independent organization tasked with upholding information rights in the UK, although the commissioner is chosen by a Commons select committee.

In the period July-September 2016 the watchdog fined organizations over half a million pounds for data security failings.

An official ICO statement sent to Infosecurity said:

“As the regulator for data protection we take our own responsibilities to comply with the legislation extremely seriously. We aim to have the necessary controls in place to mitigate the risk of accidental disclosures.

“Incidents involving the ICO are investigated fully in the same way as any other data controller and there have been a small number of cases over the past three years when action has been required. However, we want to be aware of and learn from all incidents, however minor, in order that we minimise the risks of serious incidents occurring.”

Source: Information Security Magazine