Archive for November 2017

Paradise Papers Breach is Hell for Offshore Tax Avoiders

Media organizations across the globe went into overdrive on Sunday publishing the first in several instalments from a trove of breached secret documents listing dubious financial offshore dealings of the rich and famous.

In what could be one of the biggest breaches of its kind in history, the so-called “Paradise Papers” lift the lid on some questionable practices by figures as diverse as the US commerce secretary, Wilbur Ross, the Queen, Tory party donor Lord Ashcroft and organizations including Facebook, Twitter, Nike and Apple.

The 1.4TB data dump is said to come primarily from offshore law firm Appleby, which a fortnight ago issued a lengthy statement in a bid to preempt the revelations.

The firm issued a similar missive on Sunday as the first reports hit the news-stands, claiming:

“We wish to reiterate that our firm was not the subject of a leak but of a serious criminal act. This was an illegal computer hack. Our systems were accessed by an intruder who deployed the tactics of a professional hacker and covered his/her tracks to the extent that a forensic investigation by a leading international Cyber & Threats team concluded that there was no definitive evidence that any data had left our systems. This was not the work of anybody who works at Appleby.”

Among the revelations uncovered by the data breach are millions of pounds of investment from the Queen’s private estate to offshore accounts, secret financial dealings between commerce secretary Ross and a Russian firm part-run by Vladimir Putin’s son-in-law and millions of dollars of investment in Facebook and Twitter from Russian state companies.

Apple and Nike are also accused of major tax avoidance by investing in offshore funds like the one run by Appleby from Bermuda.

The incident comes 18 months after the 2.6TB Panama Papers leak exposed the shady financial dealings of numerous celebs and world leaders including Putin and Chinese President Xi Jinping.

High-Tech Bridge CEO, Ilia Kolochenko, claimed obligatory data security standards should be considered for law firms, which are becoming an increasingly attractive target for cyber-criminals.

“Many law firms still carelessly rely on the law for data protection, but this is in vain. Paucity of financial resources and lack of qualified personnel preclude law enforcement agencies from investigating and prosecuting the vast majority of crimes committed in digital space,” he added.

“This creates a very dangerous atmosphere of unlawfulness and impunity in the internet, undermining trust in the government and its ability to protect our society.”

Source: Information Security Magazine

Quarter of UK Employees Have 'Purposefully Leaked Business Data'

New research from Egress Software Technologies has revealed that one in four (24%) UK employees have intentionally shared confidential business information outside their organization, typically to competitors or new and previous employers. 

The firm quizzed 2000 workers whose jobs required them to frequently use email to shine a light on risks surrounding email misuse within the enterprise.

Half of respondents said they either had or would delete emails from their sent folder if they had sent information somewhere they shouldn’t, with more than a third (37%) admitting they do not always check emails before clicking send.

Of those who had sent an email to the wrong person by mistake, one in 10 admitted to leaking sensitive data such as bank details or customer information. Less crucially, but no less embarrassingly, 40% had also accidentally insulted the recipient or included rude jokes, swear words or risqué messages.

With regard to the human factors behind sending emails in error, 68% of respondents said ‘rushing’ was the biggest problem, whilst alcohol was also deemed to play a part in 8% of wrongly sent emails. Technology didn’t fare much better either, with almost half of those polled blaming autofill for selecting the wrong recipient from a list.

“Email is frequently misused by the UK workforce,” said Tony Pepper, CEO and co-founder, Egress. “While offending an accidental recipient may cause red faces, leaking confidential information can amount to a data breach. As we move towards the EU General Data Protection Regulation, it has never been more important to get a grip on any possible risk points within the organization and, as this research shows, email needs serious attention.”

Speaking to Infosecurity, Jenny Radcliffe, social engineer, speaker and host of The Human Factor podcast, said that, from a technical perspective, companies can help nullify the risks around email misuse by filtering large files and extended distribution lists, and by not allowing users to address an email to large numbers of recipients without at least a ‘warning’ message or a technical/managerial ‘check’ step.

“However, technical solutions only go so far and won't prevent a disgruntled employee causing damage or mistakes,” she added. “With 24-hour access to technology, mistakes, mischief and malice will cause information to be widely distributed on occasion, and the best defense for an enterprise remains good knowledge of individuals within the company. At line management level, being fully aware of what is ‘normal’ behavior from staff and addressing exceptions in an informed and practical way remains a good defensive measure in potentially detecting patterns of behavior that might eventually develop into serious risks for the organization.”

Source: Information Security Magazine

Global CISOs Unprepared for Evolving Threats

Research by the Ponemon Institute focusing on chief information security officers (CISOs) worldwide has found worrying levels of business readiness for cybersecurity threats.

Drawing on insights from 184 global CISOs, the report noted that today’s IT security strategies and tactics are shifting away from a focus on strong perimeters to smart data, networks, devices and applications.

According to 60% of CISOs surveyed, material data breaches and cybersecurity exploits are driving change in organizations’ attitudes to security programs, while another 60% of respondents believe security is considered a business priority.

Yet, while awareness levels are clearly growing, the report’s clear message is that there is plenty of room for improvement.

For instance, 80% of respondents said the internet of things (IoT) will cause “significant” or “some change” to their practices and requirements. However, most companies are not hiring or engaging IoT security experts (41%) or purchasing and deploying new security technologies to deal with potential new risks (32%).

“This new research provides a unique view into how CISOs are operating in today’s challenging environment,” said Mike Convertino, CISO at F5 Networks, which commissioned the report. “It’s clear CISOs are making progress in how they drive the security function and the leadership role they are assuming within companies. Yet in many organizations, IT security is not yet playing the strategic, proactive role necessary to fully protect assets and defend against increasingly sophisticated and frequent attacks.”

Finding the right talent is also a significant hurdle, with 56% struggling to identify and recruit qualified candidates. Almost half of surveyed CISOs branded their staffing as inadequate (42%).

Interestingly, 50% consider computer learning and artificial intelligence important to address staffing shortages. In two years, 70% say these technologies will be important to their IT security functions.

Most CISOs agreed cybersecurity threats are here to stay. Organizations represented in the study experienced an average of two data breaches in the past 24 months. About 83% said the frequency of data breach will increase or stay the same. Another 87% believe the severity of data breach incidents will increase or stay the same.

On average, respondents also experienced three cyber exploits or attacks in the past 24 months. Also, 89% of respondents said cyber exploits will increase or stay the same; while 91% predicted the severity of cyber exploits or attacks would increase or stay the same.

Advanced persistent threats (APTs) were ranked the top threat to the security system followed by DDoS, data exfiltration, insecure apps (including SQL injection), credential takeover, malicious insiders and social engineering.

Source: Information Security Magazine

EternalBlue is Back, with New Tricks

A blended threat combining email and Server Message Block (SMB) has been uncovered: it uses the compromised machine as a stepping stone to propagate laterally via the EternalBlue exploit.

Netskope Threat Research Labs said that the inclusion of the EternalBlue exploit is insidious because it is launched internally from the newly infected machine, giving direct access to SMB-reachable systems such as file shares and backup servers. This puts core data stores at risk in a fashion that may be impossible to anticipate. SMB, a file-sharing protocol that provides shared access to files across a network, is also very widely deployed, so the vulnerability has a considerable impact.

“We have observed that the presence of embedded document files in a cloud storage and collaboration services possesses a more significant threat to an enterprise environment since it arrives from a trusted source,” said Netskope researcher Ashwin Vamshi. “Once an endpoint is compromised with the second-stage payload like EternalBlue, it creates a wormed infection, leading all neighboring internal computers to be attacked via SMB from the newly compromised internal stepping-stone system.”

Earlier this year, The Shadow Brokers group disclosed a series of exploits, backdoors and several attack tools affiliated with nation-state activity. One of the exploits, EternalBlue, targets open SMB ports to leverage remote code execution, and has been widely used in attacks such as WannaCry, NotPetya and more recently Bad Rabbit.

In this case, the initial attack begins with a Swiss regional email containing a Word document with an embedded .lnk object; the .lnk is in fact a backdoor that downloads the EternalBlue payload. From there the threat turns from a cross-perimeter attack into an internal one, with EternalBlue spreading across the organization’s network without any user intervention, an internal attack that organizations may not be prepared for.

“The use of cloud services by enterprises, along with the implicit trust, has led to an increase in malware attacks and thus posing a new challenge for organizations,” said Vamshi, adding that organizations should enforce policy on usage of unsanctioned services as well as unsanctioned instances of sanctioned cloud services.
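The stepping-stone spread described above leaves a recognisable trace in network telemetry: one internal host opening TCP/445 connections to many distinct internal peers within seconds. The script below, an added example and not code from the article or from Netskope, flags that fan-out pattern in constructed flow-log lines; the log format, internal address ranges, window and threshold are assumptions chosen for the demonstration.

```python
"""Flag worm-like SMB fan-out from a single internal host.

Added example, not from the article or from Netskope. Everything below
(log format, internal ranges, window, threshold) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# 10.0.1.23 fetches something over HTTPS, then sweeps its subnet on 445 within
# seconds; 10.0.1.40 is an ordinary client touching two file servers.
SAMPLE_LOG = """\
2017-11-06T09:00:01 10.0.1.23 93.184.216.34 443 allow
2017-11-06T09:00:12 10.0.1.23 10.0.1.5 445 allow
2017-11-06T09:00:13 10.0.1.23 10.0.1.6 445 allow
2017-11-06T09:00:13 10.0.1.23 10.0.1.7 445 allow
2017-11-06T09:00:14 10.0.1.23 10.0.1.8 445 allow
2017-11-06T09:00:14 10.0.1.23 10.0.1.9 445 allow
2017-11-06T09:00:15 10.0.1.23 10.0.1.10 445 allow
2017-11-06T09:00:15 10.0.1.23 10.0.1.11 445 allow
2017-11-06T09:00:16 10.0.1.23 10.0.1.12 445 allow
2017-11-06T09:00:16 10.0.1.23 10.0.1.13 445 allow
2017-11-06T09:00:17 10.0.1.23 10.0.1.14 445 allow
2017-11-06T09:00:17 10.0.1.23 10.0.1.15 445 allow
2017-11-06T09:05:00 10.0.1.40 10.0.1.200 445 allow
2017-11-06T09:30:00 10.0.1.40 10.0.1.201 445 allow
"""

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=60)   # assumed observation window
FANOUT_THRESHOLD = 10            # assumed: distinct 445 targets inside WINDOW


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Yield (timestamp, src, dst, dst_port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue  # skip malformed lines rather than abort the run


def find_smb_fanout(text: str, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """One alert per source that reached >= threshold distinct internal hosts
    on TCP/445 inside any span no longer than `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == 445 and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(events)):
            # slide the left edge so events[start..end] fits inside the window
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, events[start][0]
        if best >= threshold:
            alerts.append({"src": src, "distinct_targets": best,
                           "window_start": best_start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_smb_fanout(SAMPLE_LOG):
        print(alert)
```

Two legitimate file-server connections half an hour apart stay below the threshold, so only the sweeping host is reported; tune the window and threshold to your own subnet sizes and backup schedules before relying on it.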

Source: Information Security Magazine

Trump's Twitter Deactivation: Security Questions Arise

Donald Trump’s Twitter account was deactivated briefly on Thursday night by a rogue employee at the social media company. The incident raises serious questions about the security of the president’s Twitter feed, which he uses to trumpet policy changes, saber-rattle with North Korea and connect with the American people.

The employee, who was working his or her final day at Twitter, accessed the president's personal account, @realDonaldTrump, and took it offline, so that visitors to the feed were greeted with the message, “Sorry, that page doesn't exist!” The account was down between about 6:45 and 7 pm ET.

Twitter initially posted a statement saying the “account was inadvertently deactivated due to human error by a Twitter employee. The account was down for 11 minutes, and has since been restored. We are continuing to investigate and are taking steps to prevent this from happening again.”

Later however, the company revised its assessment, saying that the deed was done “by a Twitter customer support employee who did this on the employee's last day.”

For his part, Trump used the opportunity to brag about his social media influence.

“My Twitter account was taken down for 11 minutes by a rogue employee,” he tweeted on Friday morning. “I guess the word must finally be getting out—and having an impact.”

A source told BuzzFeed that hundreds of Twitter employees have access to high-profile accounts and have the power to deactivate one. Despite discussions, no special protections on verified accounts have been implemented, according to the source.

Twitter users were swift to point out the potential security implications: “It is shocking that some random Twitter employee could shut down the president's account. What if they instead had tweeted fake messages?” tweeted POLITICO editor @blakehounshell.

Any impersonation would have been problematic given that the tweets are given weight as Trump’s preferred method of communication. The National Archives in fact plans to preserve the tweets as part of the president’s legacy of correspondence for future generations; where Abraham Lincoln had diaries and letters, this president has 140-character social media missives.

World leaders also take the Twitter posts seriously. When Trump tweeted, “Just heard Foreign Minister of North Korea speak at U.N. If he echoes thoughts of Little Rocket Man, they won't be around much longer!”, it increased tensions between the two countries, with North Korea weighing whether to take the statement as a declaration of war.

Jackson Shaw, senior director of products for One Identity, said via email that the insufficient protection of Trump's Twitter account points out potentially endemic security oversights at the company. Also, given password reuse, which the president may or may not be guilty of, the people with access to his account password could possibly compromise email accounts and more, making for a serious national security risk.

“I'm sure there was no process to take the rogue employee's access away when he or she resigned,” he said. “In fact, I'm sure their access was informally given: ‘Here's the Twitter password’ versus actually granting access by an identity access management or privileged access management system. This goes to show that Twitter and other social media accounts count as privileged accounts and should be treated just as if they are part of a company's most valuable IT assets. Reputation has incalculable value—as shown in this example. It should be protected accordingly." 

Source: Information Security Magazine

Synopsys Set to Acquire Black Duck Software

Synopsys is set to boost its application security testing portfolio with the acquisition of Black Duck Software.

Under the terms of the definitive agreement, Synopsys will pay approximately $565 million (or $548 million net) for the Massachusetts company, adding capabilities in IoT, DevOps and the cloud. Black Duck provides products that automate the identification and inventorying of open source code in use, detecting known security vulnerabilities and license compliance issues.

Synopsys said that the addition of Black Duck’s Software Composition Analysis solution will enhance its efforts in the software security market, and enable users to improve the software development cycle to allow continuous integration/continuous delivery and the move to the cloud.

Andreas Kuehlmann, senior vice-president and general manager of the Synopsys Software Integrity Group, said: “Our vision is to deliver a comprehensive platform that unifies best-in-class software security and quality solutions. Development processes continue to evolve and accelerate, and the addition of Black Duck will strengthen our ability to push security and quality testing throughout the software development lifecycle, reducing risk for our customers.”

“We’re excited to join an organization that shares our commitment to addressing security and quality issues at the earliest phases of the software development process,” said Lou Shipley, chief executive officer of Black Duck. “Doing so will enable us to provide leading solutions that enable customers to develop and deliver more secure and higher-quality software faster than ever before.”

Source: Information Security Magazine

Apple Red-Faced After iOS 11.1 is Hacked

Apple has released a slew of iOS patches including a fix for the KRACK vulnerability, but its new OS version 11.1 and Safari have already been hacked successfully several times this week by researchers.

Trend Micro’s Mobile Pwn2Own 2017 contest pitted some of the best white hat hackers in the business against iPhone 7 devices running the newly updated iOS version.

Tencent Keen Security Lab was the first to score a success, with a Wi-Fi exploit which earned them $110,000.

“They used a total of four bugs to gain code execution and escalate privileges to allow their rogue application to persist through a reboot,” explained Dustin Childs of the TippingPoint-founded Zero Day Initiative.

The same team were at it again with a successful Safari browser exploit.

“It took them just a few seconds to successfully demonstrate their exploit, which needed only two bugs — one in the browser and one in a system service to allow their rogue app to persist through a reboot,” said Childs.

“Next, Richard Zhu (fluorescence) also targeted the Safari Browser on the Apple iPhone 7. He used a bug in the browser and an out-of-bounds bug in the broker to escape the sandbox and execute code.”

Details of the attacks are being kept under wraps until Apple gets around to fixing them.

The tech giant will be more than a little embarrassed by the ease with which the researchers managed to pick holes in its software, just hours after it released iOS 11.1.

That update included a fix for CVE-2017-13080, one of several components of the infamous KRACK vulnerability in the WPA2 protocol discovered last month.

KRACK could allow hackers to steal sensitive information from victims or inject malware into targeted websites.

However, Apple has only made that specific fix available to iPhone 7 and later handsets, and iPad Pro 9.7-inch and later devices.

It was claimed last month that over two-fifths (41%) of Android devices are vulnerable to this kind of attack.

Source: Information Security Magazine

50K Australians Exposed in Server Misconfig Snafu

Personal details of almost 50,000 Australian employees have been compromised in the country’s largest data breach since the Red Cross leaks.

Reports state that up to 48,270 personal records from employees working in government agencies, banks and a utility have been exposed online by a third-party contractor thanks to a misconfigured Amazon S3 bucket. The files exposed include full names, passwords, IDs, phone numbers and email addresses, as well as some credit card numbers and details on staff salaries and expenses; however, iTnews reported that most of the credit card numbers were out of date or cancelled.

Insurance company AMP was hit the worst, with 25,000 staff records relating to internal expenses exposed, while Aussie utility UGL had 17,000 records exposed. About 3,000 employees at the Department of Finance, 1,470 at the Australian Electoral Commission and 300 at the National Disability Insurance Agency had their details openly accessible; and, 1,500 employees at Rabobank were affected.

“Once the Australian Cyber Security Centre became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability,” the Department of Prime Minister and Cabinet told iTnews. “Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements.”

Cloud server misconfigurations are increasingly common, leading to data breach after data breach. One of the worst occurred in June when US defense contractor Booz Allen Hamilton left more than 60,000 US Department of Defense files publicly exposed in an Amazon S3 repository.

"Cloud computing is an increasingly popular way for centralizing storage and data access and often provides a cheaper more elastic and secure platform for enterprises to harness; however, their configuration can often be more than simple,” said Ian Ashworth, security consultant at Synopsys, via email. “Being internet-connected and widely accessible should dictate a greater level of diligence in their setup and tailoring to ensure they appropriately manage accessibility and control. Authentication and correct levels of authorization are two such essential measures for granting user access to the most sensitive of data or services.  When especially dealing with PII and payment details, additional storage protection measures should be employed providing an overall layered security architecture."
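An exposure like the one above usually comes down to a bucket policy (or ACL) that lets Principal "*" list or read objects, which is exactly the authorization check Ashworth is calling for. The script below is an added example, not code from the article or from any organisation it names: it checks a bucket policy document offline and shows the weak grant beside the corrected one. Both policies, the bucket name and the account ID are constructed placeholders.

```python
"""Check an S3 bucket policy for anonymous list/read access.

Added example, not from the article. Both policies, the bucket name and
the account ID below are constructed placeholders.
"""
import json

# Actions that let the grantee enumerate or read objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Constructed: the misconfiguration. Any caller, credentials or not, may
# list the bucket and fetch every object in it.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ContractorExports",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-staff-exports",
                     "arn:aws:s3:::example-staff-exports/*"],
    }],
})

# Constructed: the same grant limited to one IAM role in the owning
# account (placeholder account ID 123456789012).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ContractorExports",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-staff-exports",
                     "arn:aws:s3:::example-staff-exports/*"],
    }],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """'*' or {"AWS": "*"} means anyone on the internet, no credentials needed."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json: str):
    """Return the Allow statements that grant anonymous list/read.

    Each finding records the Sid (or index), the matching actions and whether
    a Condition block is present: a condition (e.g. a source-VPC restriction)
    can narrow the grant, so those need a human look rather than an auto-fail.
    NotPrincipal/NotAction forms are not evaluated here.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        actions = [a for a in _as_list(st.get("Action", []))
                   if a.lower() in READ_ACTIONS]
        if not actions:
            continue
        findings.append({"sid": st.get("Sid", f"statement-{i}"),
                         "actions": actions, "conditional": "Condition" in st})
    return findings


if __name__ == "__main__":
    print("weak :", public_read_statements(WEAK_POLICY))
    print("fixed:", public_read_statements(FIXED_POLICY))
```

Run it over every bucket policy in an account as a pre-deploy gate; a public ACL grant on the bucket or on individual objects can expose data just as effectively and needs the same check.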

Source: Information Security Magazine

Just 35% of Corporate Attorneys Feel Prepared for a Data Breach

Only about a third (35%) of top corporate attorneys feel their organizations are prepared for a data breach.

That’s according to a survey from Grant Thornton LLP, which also found that 59% are very concerned about data security issues—an appropriate feeling, given the ongoing legal and organizational fallout that follows in the wake of exposure incidents. 

The 2017 Corporate General Counsel Survey, which included feedback from more than 190 corporate general counsel, also found that more than half (58%) of legal departments are highly involved in responding to organization-wide data security risks, and nearly a quarter (23%) of legal departments have a primary responsibility for cybersecurity issues.

“Proactively managing cyber threats is becoming more important each year, as businesses are estimated to lose $3 trillion to cybercrime by 2020—a figure which has tripled from $1 trillion in 2016,” said Vishal Chawla, national managing principal of Risk Advisory Services for Grant Thornton. “It’s an issue that is clearly keeping corporate attorneys up at night.”

Survey respondents cited a number of barriers to cyber-risk readiness. Most notably, more than a quarter (28%) named overburdened IT security teams as a factor, while 17% pointed to a lack of crisis management and incident response skills.

Still, most corporate attorneys report that their organizations are going on the offensive: Nearly seven in 10 report that their organizations have increased spending to improve cybersecurity.

The vast majority of organizations are adding data security policies (72%) or augmenting existing ones (62%), while 59% are implementing monitoring programs. Additionally, 47% are turning to outside advisors.

“Keeping up with the latest cyber threats is a real challenge,” added Erik Lioy, national managing partner of Grant Thornton’s Forensic Advisory Services. “Skills that are required today may or may not be sufficient tomorrow.”

He added, “The agile enterprise will be better equipped at all levels of the organization to turn risk into a competitive advantage.”

The firm also recommends that businesses move from thinking about risk in terms of management and compliance to thinking about it in terms of holistic solutions. According to Chawla: “A holistic approach aligns leadership and defines an organizations’ cybersecurity operational risks—as well as its cyber risk appetite and management plan.”

Source: Information Security Magazine

IoT Security Concerns Loom Even as Adoption Continues

Most (90%) of consumers lack confidence in the security of internet of things (IoT) devices. Yet more than half own one or more IoT devices.

According to a survey by Gemalto, the main fear of consumers (cited by two-thirds of respondents) is hackers taking control of their device. In fact, this was more of a concern than their data being leaked (60%) or hackers accessing their personal information (54%).

However, despite 54% of consumers owning an IoT device (on average two), just 14% believe that they are extremely knowledgeable when it comes to the security of these devices.

Meanwhile, businesses are realizing that they need support in understanding IoT technology and are turning to partners to help, with cloud service providers (52%) and IoT service providers (50%) the favored options. When asked why, the top reason was a lack of expertise and skills (47%), followed by help in facilitating and speeding up their IoT deployment (46%).

"It's clear that both consumers and businesses have serious concerns around IoT security and little confidence that IoT service providers and device manufacturers will be able to protect IoT devices and more importantly the integrity of the data created, stored and transmitted by these devices," said Jason Hart, CTO, Data Protection at Gemalto. "With legislation like GDPR showing that governments are beginning to recognize the threats and long-lasting damage cyber-attacks can have on everyday lives, they now need to step up when it comes to IoT security. Until there is confidence in IoT amongst businesses and consumers, it won't see mainstream adoption."

The survey also found that IoT device manufacturers and service providers spend just 11% of their total IoT budget on securing their IoT devices. When it comes to protecting devices and the data they generate or transfer, just half (50%) of IoT companies have adopted a security-by-design approach.

According to the survey, businesses are in favor of regulations to make it clear who is responsible for securing IoT devices and data at each stage of its journey (61%) and the implications of non-compliance (55%). In fact, almost every organization (96%) and consumer (90%) is looking for government-enforced IoT security regulation.

"The lack of knowledge among both the business and consumer worlds is quite worrying and it's leading to gaps in the IoT ecosystem that hackers will exploit," Hart continued. "Within this ecosystem, there are four groups involved—consumers, manufacturers, cloud service providers and third parties—all of which have a responsibility to protect the data. 'Security by design' is the most effective approach to mitigate against a breach. Furthermore, IoT devices are a portal to the wider network and failing to protect them is like leaving your door wide open for hackers to walk in. Until both sides increase their knowledge of how to protect themselves and adopt industry standard approaches, IoT will continue to be a treasure trove of opportunity for hackers."

Source: Information Security Magazine