
Archive for April 2018

A Quarter of UK Manufacturers Suffer Cyber-Attack Losses

A quarter of UK manufacturers have suffered financial or other business losses stemming from a cyber-attack, according to a new study from industry body EEF.

The organization and AIG commissioned think tank the Royal United Services Institute (RUSI) to compile its Cyber-Security for Manufacturing report.

Of the 48% of manufacturers who claimed to have been struck by a cyber-incident, 24% said they suffered losses and the same number claimed their security processes were strong enough to repel any attack.

However, visibility into the scale of the problem appears to be a challenge. Some 41% claimed they don’t have access to enough information to assess their true risk exposure, while 12% said they don’t have the technical or managerial processes in place to assess risk.

A further 45% said they don’t have access to the right security tools.

The stats are concerning given that the manufacturing industry employs 2.6m people in the UK, accounting for 10% of the country’s output and 70% of its R&D, according to EEF.

Of the 91% of respondents who said they are investing in digital transformation, over a third (35%) said cyber-risk was holding them back.

There’s also a clear and pressing need to demonstrate improvements in cybersecurity to increasingly demanding supply chain partners.

Over half (59%) of respondents said they’ve been asked by a customer to demonstrate or guarantee the robustness of their cyber-security processes, and 58% have asked the same of a business within their supply chain.

A worrying 37% of manufacturers said they could not do this if asked today.

“The importance of the manufacturing sector to the security of the UK economy cannot be overstated,” said RUSI director general, Karin von Hippel. “Increasing digitization creates further opportunities, but also exposes us to potential vulnerabilities to cyber-attacks, whether from criminals or nation-state adversaries. The sector needs to recognize these risks and respond accordingly.”

Source: Information Security Magazine

SunTrust Investigates Malicious Insider Breach

US regional banking giant SunTrust is notifying 1.5 million customers that some of their personal data may have been stolen by a malicious insider.

The Atlanta-headquartered financial services firm issued a formal statement on Friday, claiming that it is offering ongoing identity protection from Experian free of charge for all current and new customers, following the discovery.

“The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed,” it explained.

“The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver's license information. SunTrust is also working with outside experts and coordinating with law enforcement.”

Chairman and CEO, Bill Rogers, apologized for the incident and claimed the company had “heightened” monitoring of users’ accounts and increased other unnamed security measures.

“While we have not identified significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result,” he said in a statement.

"Our priority is protecting our clients and maintaining their trust. Beyond this incident, we want to help all SunTrust clients combat the increasing concern about identity theft and fraud, wherever it may occur."

The Experian IDnotify package being offered to customers includes credit monitoring, dark web monitoring, identity “restoration assistance” and $1m identity theft insurance.

Insiders were blamed for over a quarter (28%) of breaches analyzed in the most recent Verizon Data Breach Investigations Report, although there was no breakdown of how many were malicious and what proportion was down to negligence.

However, over three-quarters (76%) of breaches were said to be financially motivated.

Source: Information Security Magazine

Irony of Leaky App at #RSAC Not Lost on Attendees

Every once in a while, 280 characters can make people scratch their heads. Learning about a security flaw in a mobile app designed for a security conference is one of those things that people find puzzling. Or not. 

Many members of the cybersecurity community are feeling a wide range of emotions – from unsurprised to angry – in the aftermath of learning about a leaky RSAC app. Few, however, are really shocked by the reported breach. 

Sophos’s NakedSecurity reported that a Twitter user at RSAC 2018 discovered a security problem in the conference app. RSAC tweeted a confirmation of the breach, confessing: “Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.”

The database was discoverable via an unsecured API that could be accessed via credentials hard-coded into the app. According to Twitter threads, the security researcher who discovered the flaw messaged RSAC to alert them to some security issues with their conference app. Only six hours later, the researcher thanked both Eventbase Tech and RSAC for quickly fixing the data leak, applauding the great response time and confirming that the attendee data was no longer accessible through the reported method. 

It's not uncommon for a conference to encourage attendees to use a mobile app to navigate their way through the exhibits, speakers, and additional events, even though the week's schedule and other pertinent details of the event are available on the conference website. Some conferences will advise downloading the app for "last-minute changes or updates." Many do, especially at a conference like RSAC, because there’s an inherent trust that the mobile app for a security conference is safe. But no technology is ever completely free from risk, which attendees learned the hard way back at RSAC 2014 when a mobile application exposed the personal information of attendees.

Ironically, a Google search for “RSA leaky conference app” resulted in a link to an RSAC presentation by a Kaspersky Labs security researcher who spoke earlier this week about leaking ads. The description of his talk? “Most developers currently use HTTPS to protect user data. But that doesn’t mean their apps are secure.”

Source: Information Security Magazine

NIST Launches Search for Lightweight Cryptographic Champions

The search for Lightweight Cryptographic Champions is on now that the National Institute of Standards and Technology (NIST) has launched a call for submissions of previously published and analyzed algorithms that will help set standards to better secure the entire market of the Internet of Things (IoT). 

Protecting the tiny networks within IoT devices demands a new class of lightweight cryptography, which is why NIST has kicked off its effort to find lightweight solutions to this heavyweight challenge of IoT security. 

One of the challenges in defending IoT devices is that most cryptographic systems were designed for desktops and servers, not the now-ubiquitous smaller devices that have far more limited computational resources. These devices, though, are everywhere, from critical infrastructure to medical devices to cars and common household electronics. In large part, they are vulnerable to cyberattacks because they are so difficult to secure.

This week, NIST announced its push to establish viable solutions to the problem of securing data in the myriad small and inexpensive networked devices that make up the IoT. “Creating these defenses is the goal of NIST’s lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device,” NIST wrote in a blog post.

“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices,” Matt Robshaw, a technical fellow at Impinj, told NIST. “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.” 

NIST computer scientist Kerry McKay said, “The IoT is exploding, but there are tons of devices that have nothing for security. There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”

Still in its draft form, the Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process details the proposed requirements and evaluation process and will soon allow the community to weigh in on the draft guidelines. Feedback received on the draft will inform the final submission process. 

One specification NIST is looking for in the submitted algorithms is an authenticated encryption with associated data (AEAD) tool so that recipients can verify the integrity of both the encrypted and unencrypted information in a message. Additionally, in order to reduce costs, any hash function must share resources with the AEAD.

NIST will accept comments on the draft for 45 days before releasing a formal document, after which time it anticipates accepting submissions over a six-month period. 

Source: Information Security Magazine

Google's Project Zero to Microsoft: 90 Days Are up to Fix Windows 10 Bug

In January 2018, a researcher at Google’s Project Zero reported a bug in Windows 10's lockdown policy that would allow an attacker to bypass a Windows 10 security feature. The 90-day window to patch the flaw has passed, and despite Microsoft’s multiple pleas to prolong the inevitable public disclosure, the deadline for patching the issue will not be extended.

According to the bug report issued by researcher James Forshaw, the medium-severity bug could allow an attacker to add registry keys that “would load an arbitrary COM visible class under one of the allowed CLSIDs.” Forshaw provided two files as proof-of-concept code using the DotNetToJscript tool that enabled arbitrary code execution, something that Windows 10 S was specifically designed to prevent.

“This issue was not fixed in April patch Tuesday therefore it's going over deadline,” Forshaw wrote. “This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It's not an issue which can be exploited remotely, nor is it a privilege escalation.”

Because the vulnerability only affects systems with Device Guard enabled, it is ranked as medium severity. In order to exploit the issue, an attacker would have to already have code running on the machine. Still, an attacker could get around that by exploiting another remote code execution bug in Microsoft Edge.

The two tech giants have a long history of rivalry when it comes to responsible disclosures. This is not the first time that Google has denied Microsoft a request for extension. In 2016 Microsoft criticized Google for putting customers at risk after publicly disclosing a bug only 10 days after reporting the Windows vulnerability.

Then in February of this year, the 90 days had lapsed before Microsoft was able to patch a security flaw in Microsoft Edge. Though Google awarded a 14-day grace period, the fix was more difficult than Microsoft had anticipated. After the grace period ended, Google went public with the disclosure.

While Project Zero's customary time frame for a developer to resolve an issue is 90 days, there are some special cases when a grace period is granted, which happens most often when a flaw is difficult to fix.

Source: Information Security Magazine

LinkedIn Fixes User Data Leak Bug

LinkedIn has quietly patched a vulnerability which could have allowed malicious third parties to steal members’ personal data.

The flaw revolves around the business networking platform’s AutoFill button, which allows third-party sites to autofill information including users’ name, email address, phone number, location, and job.

It has been a part of the LinkedIn Marketing Solutions offering for several years. However, according to security researcher, Jack Cable, the feature could be abused by hackers.

He discovered earlier this month that any sites could use the feature, styling the iframe so it takes up the entire page and is invisible to the user.

This means that if a visitor clicks anywhere on that site, LinkedIn interprets this as an AutoFill button being pressed and sends the relevant user data to the malicious webmaster.

LinkedIn fixed the feature a day after being informed, restricting it to whitelisted sites paying to host ads. However, this still left users potentially exposed. That’s because any of those whitelisted sites which have cross-site scripting vulnerabilities would have allowed hackers to run the same maliciously crafted iframe on them to harvest user details.
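The two controls described above, as an added example that is not LinkedIn’s code: an exact-origin allowlist check on the server that fills the form (the restriction to approved sites the article describes as the first fix), plus a `frame-ancestors` Content-Security-Policy so the browser refuses to render the button inside a frame on any other site. Partner hostnames, the hostile origin and the member record are constructed, and `handleAutofillRequest` is a hypothetical handler that returns a plain status/headers/body object rather than binding to a web framework.

```javascript
// Approved partner origins. Constructed placeholders, not real partners.
const ALLOWED_ORIGINS = new Set([
  "https://ads-partner.example",
  "https://news-partner.example",
]);

// Compare scheme + host (+ port) exactly. A substring or endsWith check would
// accept a lookalike such as "https://ads-partner.example.attacker.test"
// (constructed hostile origin), so parse the Origin header and compare origins.
function isAllowedOrigin(originHeader) {
  if (typeof originHeader !== "string") return false;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // "null", empty or malformed Origin values
  }
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// CSP directive telling the browser which pages may frame the widget at all;
// a page outside the allowlist gets an empty frame instead of a clickable button.
function frameAncestorsDirective() {
  return "frame-ancestors " + [...ALLOWED_ORIGINS].join(" ");
}

// Decide the response for one request to the form-fill endpoint.
// `request.headers` is a plain object keyed by lowercase header name;
// `member` is the already-authenticated member's record.
function handleAutofillRequest(request, member) {
  const origin = request.headers["origin"];
  const headers = {
    "content-security-policy": frameAncestorsDirective(),
    "vary": "Origin", // caches must not serve one origin's answer to another
  };
  if (!isAllowedOrigin(origin)) {
    return { status: 403, headers, body: "" }; // no member data leaves the server
  }
  // Echo back only the single approved origin, never "*".
  headers["access-control-allow-origin"] = new URL(origin).origin;
  return {
    status: 200,
    headers,
    body: JSON.stringify({ name: member.name, email: member.email }),
  };
}

// Constructed member record and a quick stand-alone run.
const sampleMember = { name: "A. Member", email: "member@example.test" };
console.log(handleAutofillRequest({ headers: { origin: "https://evil.test" } }, sampleMember).status);   // 403
console.log(handleAutofillRequest({ headers: { origin: "https://news-partner.example" } }, sampleMember).status); // 200
```

Neither control helps once an allowlisted partner page is itself compromised: a cross-site scripting bug on an approved site lets an attacker place the same invisible frame on an origin the server and the browser both trust, which is exactly the residual risk the article describes, and is why the allowlist alone was not the end of the fix.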

The Microsoft-owned firm then issued another patch, and a statement, as follows:

“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases and it will be in place shortly. While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsibly reporting this and our security team will continue to stay in touch with them.”

The incident comes at a sensitive time for online firms which collect and share data on users with third parties, following the Cambridge Analytica scandal which unearthed serious deficiencies in Facebook’s terms of service agreements with app developers.

Source: Information Security Magazine

Russian Twitter Trolls Spring into Action After Salisbury Attack

Russian Twitter trolls have been sent into action again, this time looking to spread disinformation following the Salisbury nerve agent attack, according to government sources.

A Whitehall analysis purports to have measured a 4000% increase in tweets from Russia-based accounts, many of them automated bots, since the attack over six weeks ago.

One identified bot account, @partisangirl, is said to have reached 61 million users with 2300 posts over a 12-day period from April 7.

The research reportedly reveals that many of these accounts also commented on the alleged Syrian chemical attack by President Bashar, which some are disputing despite government claims to the contrary.

Another account, @ian5678, was banned by Twitter before being unblocked recently. Reports suggest it sent 100 posts a day reaching 23 million users. A prolific account with 33,000 followers, it consists largely of pro-Kremlin conspiracy theory and anti-West rhetoric, but purports to be that of a truth-seeking stock market trader.

Prime Minister Theresa May is said to have briefed Five Eyes partners and Commonwealth leaders Malcolm Turnbull, Jacinda Ardern and Justin Trudeau on the Russian campaign earlier this week.

“Russia is using cyber as part of a wider effort to undermine the international system,” she said in a reported statement. “This disinformation campaign is not just aimed at social media and the UK — it is intended to undermine the actual institutions and processes of the rules-based system, such as the Organisation for the Prevention of Chemical Weapons. We must do all we can at every turn to challenge this.”

Back in February 2017, Russian defence minister, Sergey Shoigu, admitted for the first time the importance to the Kremlin of state propaganda efforts, claiming a specialized unit had been established in the military.

“The information operations forces have been established, that are expected to be a far more effective tool than all we used before for counter-propaganda purposes," he’s reported to have told the lower house. "Propaganda should be smart, competent and effective.”

Cyber-propaganda efforts have been called out as a major trend by the likes of Trend Micro and ThreatConnect in the past, threatening to destabilize democracy and influence elections.

Source: Information Security Magazine

#RSAC: Panel Discussion on the Role of Machine Learning & AI in Cyber

A panel of industry experts gathered at RSA 2018 in San Francisco to explore the role that machine learning and artificial intelligence is playing in the current cyber landscape.

Moderator: Ira Winkler, president, Secure Mentem

Oliver Friedrichs, founder and CEO, Phantom
Dustin Hillard, CTO, Versive
Dr Ramesh Sepehrrad, VP of technology and business resiliency risk, Freddie Mac

After opening the discussion by asking the panel to each give their own definition of what machine learning is, Ira asked the speakers to define what types of applications are most appropriate for the use of machine learning and AI.

Hillard: The places where it is most mature are speech and image processing, and also fraud detection. “The technology should be an enabler to solving a problem but sometimes it gets lost in what’s being accomplished.”

Friedrichs: Most people have woken up to the fact that machine learning and AI are not the panacea that marketing tells us they are, but they can add to the feature set of a product. Particularly recently we are seeing it used for “augmenting our decision-making, being able to augment [data] to increase capacity.”

Ira then asked the panel about the potential social implications of the use of machine learning and AI, and whether there are issues that arise in that regard.

Sepehrrad: “I’m very worried that it’s the technology defining the user experience, and not the user defining the technology. These are the things we have to think about as technologists – this is not an innovation challenge, it’s not just a cool idea that’s going to make money; this is something that’s going to have generational impact beyond us.”

Moving the discussion on, Ira asked about scenarios in which machine learning and AI can be targeted and manipulated for malicious gain.

Friedrichs: There’s a whole domain called adversarial machine learning, which involves attacking “a machine learning algorithm to trick it into doing something different.” In terms of security, attackers “will attack these algorithms by either getting past them or causing them to train on things that eventually allow them to evade and create evasion scenarios.”

Is there the possibility of a ‘Skynet-like’ future, Ira asked, in which machine learning might become autonomous in bad ways that we do not want?

Friedrichs: Algorithms can definitely fight other algorithms – “it’s entirely conceivable.”

Hillard: “There are some micro examples of how an algorithm can go off the rails and how, without enough controls and transparency,” things can go wrong. “If an algorithm is left unattended it can go down a path that was not perceived by the original designer of it.”

Sepehrrad: “I’d want to take a step back and ask whose finger is on the keyboard. We have to think through what the problem we are trying to solve is, and you really have to think through what the motivation is, the potential goal and the drive to achieve that goal.”

To conclude, Ira asked whether there are things that machine learning and AI should not be used for.

Hillard: It should never be used in any place in which it “increases complexity without improving the outcome.”

Source: Information Security Magazine

Still No. 1: Survey Says Cybersecurity Remains Top Concern for Risk Managers

For three years running, cybersecurity has remained the top threat to businesses across multiple categories, including infrastructure, geopolitical and emerging risks. That’s according to the 11th Annual Survey of Emerging Risks, conducted by the Casualty Actuarial Society, Canadian Institute of Actuaries, and the Society of Actuaries' Joint Risk Management Section.

More than 200 risk managers, primarily based in North America, participated in the anonymous online survey, which revealed a key finding: Cyber continues to be a top current and emerging concern for 53% of respondents, followed by terrorism and technology.

Technology, number three on respondents’ top five list, saw a 3% increase in 2017. As innovation continues to change the threat landscape, technology risks continue to move up the rankings.

Cybersecurity in the interconnectedness of infrastructure ranked as the number one emerging risk, while financial volatility fell out of the top five. Cybersecurity risks around connected infrastructure have been the top emerging risk since 2014, with financial volatility in second place; this year, for the first time, terrorism ranked second, knocking financial volatility out of the top five.

The survey also revealed that 42% of risk managers project good or strong global economic expectations for 2018, which is the highest ever recorded for this survey. Still, risks associated with natural disasters doubled in the aftermath of a tumultuous hurricane season and a heated political arena in the US.

Additionally, the category of geopolitical risks related to weapons of mass destruction, regional instability, and transnational crime and corruption ranked higher in 2017 than in years prior. The survey authors speculated that these results might have been impacted by the US election cycle.

The sentiment around cybersecurity risk is widespread, as evidenced in other reports released earlier this year. The World Economic Forum’s Global Risks Report 2018, released in January, placed cyber-attacks and massive data fraud among the year’s top five risks. In February, Microsoft's By the Numbers: Global Cyber Risk Perception Survey revealed that 56% of the more than 1,300 respondents said they would rank cyber risks as a top-five concern.

Each report reveals a growing consensus among risk managers that with a cyber-attack comes the risk of business interruption and damage to brand or reputation along with the potential of a data breach. 

Source: Information Security Magazine

#RSAC: Reshma Saujani: We Can End Cyber Gender Imparity in a Decade

Speaking at RSA 2018 in San Francisco Reshma Saujani, founder of Girls Who Code, said that she believes “the solution to the current tech talent deficit is women,” and that the industry has the potential to solve gender imparity in cyber within the next 10 years.

However, that will not be achieved without challenges, and there are changes that need to be made in our culture and policies to do so.

Saujani explained that for too long cyber and the tech industry have not been presented to girls as an attractive career choice, being portrayed instead as something only suitable for males, and that we need to start showcasing the industry in the same way as the medical or law professions – both of which are at least 50% women.

“We’re turning girls off by the images that we’re showing them,” she argued. “We teach girls to be perfect, and we teach boys to be brave,” but if we want more girls to go into cyber, we have to change that, as coding is a skill that “teaches failure, over and over again. It teaches you how to be brave.”

The positive though is that, because the tech talent deficit problem is currently so bad, we can make a “big impact quickly,” and the important thing to remember is that it’s not simply about solving gender imbalance for parity’s sake, it’s about “giving girls the skills to code so that they can make a difference – because girls are change makers.”

“We have to change our culture,” Saujani said. “Culture matters, I really believe that culture can help change this and we can make that difference.” We also need to make changes in our policies, she added, and whether it’s in a classroom or in a company we have to “continue to track how we are doing in terms of race and gender – we can do better.”

“I am so proud [of what Girls Who Code has achieved] but we need more – we need more support, we need to teach more girls, we need more facilitators, more advocates and more male allies. I believe there has never been a better time to be a woman, and there’s never been a better time to be a male advocate. We’re living in a really, really important time, and this is a problem that we can solve.”

Source: Information Security Magazine