Archive for July 2018

Claranet Acquires Training & Pen Test Experts NotSoSecure

Managed IT services provider Claranet has announced the purchase of NotSoSecure, experts in ethical hacking training and penetration testing for networks, web and mobile apps.

The deal will see NotSoSecure, which works with a range of internationally-renowned businesses and organizations, encompassing government agencies, FTSE 250 players and Fortune 500 companies, join the Claranet portfolio, with the company’s founders Dan Haagman and Sumit (Sid) Siddharth remaining with the business.

Charles Nasser, founder and CEO of Claranet, said: “Our acquisition of NotSoSecure has been made as part of our vision to further enhance the security services and expertise that we are able to offer to our customers, as well as gain access to new global markets such as the US and Australia.

“NotSoSecure’s passion for excellence and desire to be at the forefront of cybersecurity training and innovation were crucial factors in this latest acquisition. Their ambitious aims for growth are very much aligned with our own, so we are eagerly anticipating the impact they will have on the success of the wider Group.”

NotSoSecure’s Siddharth added: “Since we established the business, the risk of cyber-attacks for organizations around the world has grown exponentially. However, this has not been matched by an increase in training and knowledge and, as a result, there is now a severe global skills shortage in cybersecurity.

“We are delighted to add our specialist, hands-on training and pen testing expertise to Claranet’s portfolio of services and look forward to extending our reach, so businesses can develop their capabilities and stay secure.”

Source: Information Security Magazine

Machine Learning, Cloud, Compliance and Business Awareness Drive Cybersecurity

Senior business executives’ awareness of cybersecurity, legal and compliance issues, and cloud-delivered products are some of the trends driving the industry, according to Gartner.

According to its Top Six Security and Risk Management Trends, Gartner said that “business leaders are becoming increasingly conscious of the impact cybersecurity can have on business outcomes” and encouraged security leaders to harness this increased support and take advantage of its six emerging trends “to improve their organization’s resilience while elevating their own standing.” The trends are as follows:

  • Trend No. 1: Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation
  • Trend No. 2: Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities
  • Trend No. 3: Security products are rapidly exploiting cloud delivery to provide more-agile solutions
  • Trend No. 4: Machine learning is providing value in simple tasks and elevating suspicious events for human analysis
  • Trend No. 5: Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations
  • Trend No. 6: Dangerous concentrations of digital power are driving decentralization efforts at several levels in the ecosystem

In regard to cloud computing, which Gartner said is affected by trends 3 and 6, “new detection technologies, activities and authentication models require vast amounts of data that can quickly overwhelm current on-premises security solutions,” and this is driving a rapid shift toward cloud-delivered security products, which “are more capable of using the data in near real time to provide more-agile and adaptive solutions.”

Also with regards to emerging trends, Gartner predicted that “by 2025, machine learning will be a normal part of security solutions and will offset ever-increasing skills and staffing shortages” as well as offering solutions to multiple security issues, such as adaptive authentication, insider threats, malware and advanced attackers.

Peter Firstbrook, research vice-president at Gartner, said: “Look at how machine learning can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype.

“Unless a vendor can explain in clear terms how its machine learning implementation enables its product to outperform competitors or previous approaches, it's very difficult to unpack marketing from good machine learning.”

Source: Information Security Magazine

Hamas Uses Fake Dating Apps to Infiltrate Israeli Military

Hamas has been accused of running a sophisticated spyware operation designed to trick Israeli Defense Force (IDF) soldiers into downloading malicious apps.

Hundreds of IDF troops have been contacted by alleged fake profiles on social networking sites in what the military is dubbing Operation Broken Heart.

After building up a rapport with the soldier on WhatsApp, the ‘woman’ in question then typically sends them a link to download a convincing-looking but malicious app.

These included dating apps with names like GlanceLove and ones featuring goals and live scores from the World Cup, such as Golden Cup.

One suspicious-looking profile, which nevertheless had an Israeli number attached, belonged to a ‘Lina Kramer’ and was discovered in January. Those behind the campaign often try to cover up broken Hebrew by saying they’re immigrants, the IDF claimed.

“Not long after the first attacker approached us, we’d already begun receiving dozens of reports from soldiers about suspicious figures and apps on social networks,” said ‘Colonel A,’ head of the IDF Information Security Department.

“Upon investigating the reports, we uncovered hostile infrastructure that Hamas tried to use to keep in contact with IDF soldiers and tempt them to download apps that were harmful, and use the soldiers to extract classified information.”

The apps are said to be loaded with Trojan malware capable of switching on the mic and camera, accessing photos, phone numbers and email addresses of soldiers operating near the Palestinian border, and even gathering info on military bases.

The IT security department of the Israeli military has updated its guidance for soldiers in light of Broken Heart and is reportedly also sending fake messages to soldiers in a bid to raise awareness of the dangers of clicking on links from virtual strangers.

Source: Information Security Magazine

Iranian Attackers Spoof Security Site for Phishing Lure

An Iranian APT group has been spotted building a phishing site, using a cybersecurity company which outed it as a lure.

Charming Kitten has been in operation since 2014 and its activities were laid bare in a December report by Israeli security vendor Clearsky Security.

The firm claimed to have found more than 85 IP addresses, 240 malicious domains, hundreds of hosts, multiple fake entities and potentially thousands of victims linked to the group.

In a series of tweets this week, the firm said it had discovered the same group building a phishing site designed to capitalize on interest in the vendor’s findings.

“The fake website is clearskysecurity.net (the real website is http://clearskysec.com ). They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services,” it said.

“These sign in options are all phishing pages that would send the victim's credentials to the attackers. Our legitimate website does not have any sign in option. It seems that the impersonating website is still being built because some of the pages have error messages in them.”

One of the fake pages even displayed content of a previously outed Charming Kitten campaign, according to the firm.

The group is just one of a growing list of Iranian APT groups most likely backed by the government. These include APT34, observed most recently by FireEye back in December targeting governments in the Middle East.

Also notable is the CopyKittens group uncovered by Clearsky and Trend Micro. Dating back to 2013, it is focused on stealing data from Western and Middle Eastern government, defense and academic organizations via custom and commercial tools.

Source: Information Security Magazine

Gmail Privacy Fears Emerge Over Third-Party Apps

Google is at the center of a new privacy storm after it was revealed that third-party app developers can read the content of Gmail users’ emails.

This “dirty secret,” as one source described it to the Wall Street Journal, affects users who choose to link their Gmail accounts to third-party applications for things like travel or shopping.

In so doing they’re asked to grant permissions for the app to "Read, send, delete and manage your email."

However, many users may not be aware that human eyes are perusing their personal emails as well as computer algorithms.

The report claimed that in the case of marketing app Return Path, employees of the company read around 8000 Gmail users’ emails to help develop the app. Email management app developer Edison Software also allowed its employees to read "thousands" of emails to hone the Smart Reply feature.

For its part, Google claimed to have strictly vetted those firms allowed access to users’ emails and said users are asked explicitly for their permission to do so, consistent with its policies.

However, when it comes to third-party apps, user privacy has become a major issue following the Cambridge Analytica scandal, in which the details of 87m Facebook users were sold by an app developer for use in targeted political advertising.

The social network changed a policy in 2015 which had allowed third-party developers to access the data of app users’ friends.

Evgeny Chereshnev, CEO of privacy firm Biolink.Tech, claimed that the GDPR demands organizations improve awareness among users around how their data is being used.

“This type of access is going to continue, and people need to be aware that every time they connect to, or install, a third-party application on their mobile device, they are giving rights to those applications – often without even thinking about it,” he added.

“These applications gain access to users’ contacts, information about the user of the phone as well as things like GPS location, so this needs to be taken very seriously.”

Source: Information Security Magazine

Recorded ISSA Webinar: Internships – Do They Really Work?

Information Systems Security Association (ISSA) recently hosted a webinar, Internships: Do They Really Work? InfoSec Connect’s Domini Clark and Erin Hansen were on hand as panelists to lend their perspectives about internships in the information security field.

Internships can be a great way to test-drive a career in cybersecurity and get a sense of the typical day in the life of a practitioner. Learn from the experts about what it’s really like to intern in the cybersecurity field and what it’s like to apply lessons learned in a real-world environment.

View a recording of the webinar on YouTube here.

Bug Unblocks Friends for 800,000+ Facebook Users

Facebook users might have seen information in their news feeds from users that had blocked them because a bug was reportedly unblocking people, the company announced yesterday.

On 2 July, Facebook started notifying more than 800,000 of its users that a bug in Facebook and Messenger had unblocked some users that had previously been blocked. Active between 29 May and 5 June, the bug did not allow a blocked user to see content within certain privacy permissions. However, if the post was public or visible to friends of friends, the blocked person could have seen the information. Users whose privacy settings were set to "friends only" when sharing content would not have had any posts revealed to a blocked friend.

Facebook apologized for what happened and explained that the bug did not reinstate any blocked persons. The company also noted that “83% of people affected by the bug had only one person they had blocked temporarily unblocked.” The issue has been fixed, and users were encouraged to check their blocked list to make sure that their desired settings were as they should be.

It’s been a tough 2018 for Facebook, which recently announced that it had indeed continued to share data with 61 hardware and software makers even after CEO Mark Zuckerberg testified that the practice of sharing data with third parties ended in 2015.

In the wee hours of Friday 29 June, Facebook submitted 747 pages worth of answers to the questions posed by the Senate and House Committees on 10-11 April. Of the 2,000 questions asked, many related to the scraping of data from third parties brought to light by the Cambridge Analytica scandal.

“We’ve heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed. So, we’re taking additional steps to put people more in control of their privacy,” Facebook wrote.

Source: Information Security Magazine

Concern Mounts for SS7, Diameter Vulnerability

The same security flaws that cursed the older SS7 standard and were used with 3G, 2G and earlier are prevalent in the Diameter protocol used with today's 4G (LTE) telephony and data transfer standard, according to researchers at Positive Technologies and the European Union Agency For Network and Information Security (ENISA).

Network security is built on trust between operators and IPX providers, and the Diameter protocol that replaced SS7 was supposed to be an improved network signaling protocol. But when 4G operators misconfigure the Diameter protocol, the same types of vulnerabilities still exist.

“As society continues to leverage mobile data capabilities more and more heavily, from individual users performing more tasks directly on their smartphones, to IoT devices which use it when regular network connections are not available (or not possible), service providers need to take the security of this important communications channel more seriously,” said Sean Newman, director of product management for Corero Network Security.

Given that the Diameter protocols are slated to be used in 5G, reports of critical security capabilities not being enabled in the Diameter protocol used for 4G mobile networks are worrisome. Of particular concern is the potential that misconfigurations that lead to the vulnerability could result in distributed denial of service (DDoS) attacks for critical infrastructure relying on mobile access. An attacker would not need to harness any large-scale distributed attack capabilities.

“The latest generation of denial of service protection solutions are critical for any organization that relies on always-on internet availability, but this can only be effective if service providers are ensuring the connectivity itself is always-on,” Newman said.

Concerns over the threats from smartphones have even been presented to Congress with pleas that they should act immediately to protect the nation from cybersecurity threats in SS7 and Diameter.

“SS7 and Diameter were designed without adequate authentication safeguards. As a result, attackers can mimic legitimate roaming activity to intercept calls and text messages, and can imitate requests from a carrier to locate a mobile device. Unlike cell-site simulator attacks, SS7 and Diameter attacks do not require any physical proximity to a victim,” wrote Jonathan Mayer, assistant professor of computer science and public affairs, Princeton University, in his testimony before the Committee on Science, Space, and Technology of 27 June.

Source: Information Security Magazine

Fourth Circuit Defines Standing in Data Breach Cases

Whether it’s news of Adidas, Ticketmaster or Typeform, the headlines have been littered with stories of yet another company hacked, which is why the United States Court of Appeals for the Fourth Circuit has weighed in on the issue of standing and the definition of the threat of future injury in data breach litigation.

Article III, Section 2, Clause 1 of the U.S. Constitution requires that plaintiffs have suffered an injury and that the injury is fairly traceable to the challenged conduct. The injuries, according to the American Bar Association, must be actual or certainly impending.

In the case of Hutton v. National Board of Examiners in Optometry (NBEO), filed 12 June 2018, “The court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred.”

Several cases have come before the court, and Beck v. McDonald from 2017 is one of particular importance to the Fourth Circuit’s upholding of the Hutton ruling. In Beck, the court ruled that the plaintiffs did not have standing in the alleged “threat of future injury.” The court’s position on the 2017 ruling was guided by the fact that laptops that contained personal information were stolen, but the information was not misused.

The difference found by the Fourth Circuit in Hutton is that the plaintiffs “noticed that credit card accounts were fraudulently opened in their names, which required knowledge of their Social Security numbers and dates of birth.” The NBEO never acknowledged a security breach, but the plaintiffs – who had fraudulent credit card accounts opened using their stolen information – made the case that the company was the only commonality among them; thus, their information had not been adequately protected by the NBEO.

While the NBEO filed to dismiss the case, arguing that no actual harm had been inflicted, “The court emphasized, unlike in Beck, plaintiffs were 'concretely injured' as credit card accounts were open without their knowledge or approval, qualifying as misuse, even if fraudulent charges were yet to occur.”

The floodgates for lawsuits have been opened, and it doesn’t appear that the river will dry up any time soon. With more plaintiffs filing claims that they were harmed after their personal information was compromised, the courts are trying to understand and define the actual and potential future harm that can result from unauthorized exposure.

Because of the ambiguity in determining the risk of future harm or the likelihood of misuse of stolen information versus actual harm, the circuit courts have disagreed on the issue of standing with Article III when ruling on data breach cases.

“Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a ‘risk of future harm’ exists,” wrote the National Law Review.

Source: Information Security Magazine

NHS Developer Error Leads to Data Leak

A data leak at the NHS affecting 150,000 patients has been blamed on a software developer error.

The issue revolves around so-called Type-2 opt-outs, which patients can request when they don’t want their personal information to be used for anything other than their own care.

Some 150,000 of these objections recorded in GP practices between March 2015 and June 2018 were not sent to NHS Digital by outsourcing software developer TPP’s systems.

The error is only a minor one as the data was ultimately used in clinical audit and research, which is designed in any case to help improve patient care across the NHS, according to a statement by the parliamentary under-secretary of state for health, Jackie Doyle-Price.

“NHS Digital will write to all TPP GP practices today to make sure that they are aware of the issue and can provide reassurance to any affected patients. NHS Digital will also write to every affected patient. Patients need to take no action and their objections are now being upheld,” she explained.

“There is not, and has never been, any risk to patient care as a result of this error. NHS Digital has made the Information Commissioner’s Office and the National Data Guardian for Health and Care aware.”

Type-2 objections have now been replaced by a national data opt-out designed to simplify the registering of an objection to wider data sharing.

However, the incident is the latest in a long line of data leaks and breaches stemming from third-party mistakes.

Incidents at PageUp, Typeform, and Inbenta Technologies have all had a major impact on client organizations and their customers in the past couple of months.

Mike Smart, EMEA security strategist at Forcepoint, argued that developers must integrate multiple layers of protection into their products, especially with the requirements of the GDPR front-of-mind.

“It’s a clear indicator that relying too heavily on software will cause these mistakes to happen in the future,” he added. “We can’t afford to leave out the human element when deciding how we protect sensitive data, and must involve creative and lateral thinking in the testing and final checking stage before software goes live.”

Source: Information Security Magazine