
Archive for September 2018

Facebook Resets 90 Million User Passwords as Flaw is Discovered

Facebook has issued a password reset for around 90 million users, after a flaw was found in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else.

According to a statement by Guy Rosen, VP of product management at Facebook, the flaw was discovered on Tuesday 25th September and affected almost 50 million accounts. He said that the flaw would have allowed an attacker to steal Facebook access tokens, which they could then use to take over people’s accounts.

“Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app,” he said.

Rosen confirmed that the vulnerability has been patched, and access tokens have been reset for the 50 million, and another 40 million as a precaution.

Rosen said: “This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

He admitted that it was not clear if the accounts were accessed, or who was behind it, but law enforcement had been informed.

He said: “People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened.”

Oleg Kolesnikov, director of threat research and cybersecurity analytics at Securonix, said that it appears that the security issue was a result of a code change made to the video uploading feature on Facebook in July of 2017.

Sam Curry, chief security officer at Cybereason, said: “In the big picture this is just another day and another breach and once again 'privacy' is the victim. Whether 50 million, 100 million or 1 billion Facebook users were compromised is immaterial, as the real issue with any compromise is that this is another blow to our collective privacy.

“Today, consumers should be working under the assumption that their private information has been stolen by hackers ten times over. Today, consumers are reminded again to watch their identities and credit for abuse."

Tim Mackey, senior technical evangelist at Synopsys, said: “Because this issue impacted ‘access tokens’, it’s worth highlighting that these are the equivalent of a username and password combination but are used by applications to authenticate against other applications.

“If you’ve ever used a Facebook login button on a website, now would be an excellent time for Facebook users to review their App Settings to see which applications and games they’ve granted access rights to within Facebook.”

A spokesperson for the National Cyber Security Centre said: "There is no evidence that people have to take action such as changing their passwords or deleting their profiles.

“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”

The news comes at the end of a particularly bad week for Facebook, after Instagram's founders resigned from the company and WhatsApp's founder Brian Acton criticized the company in an interview.

Source: Information Security Magazine

Mass. Gov. Announces Grants to Grow Cyber Resiliency

A call for new cybersecurity leadership came from Massachusetts governor Charlie Baker at yesterday’s 2018 Massachusetts Cybersecurity Forum. Hosted by Gov. Baker, the forum brought together more than 200 of the state’s foremost practitioners from the public and private sectors.

The forum included thought leaders from cybersecurity companies, universities and research and development centers to discuss ways to improve cyber resiliency in Massachusetts. To that end, Gov. Baker appointed US Navy captain Stephanie A. Helm as the first director of the MassCyberCenter at the Mass Tech Collaborative.

“The Center will play a central role to help convene discussions within state government, and with our industry and academic partners, helping move forward on a collaborative approach to address the cyber threats we face,” said Cpt. Helm in a press release.

“I’m excited to lead this effort on behalf of the Commonwealth and to better prepare the state to manage future cyber threats. Cybersecurity is important for the well-being of our communities and I look forward to contributing to this team effort.”

Cpt. Helm brings 30 years of experience with her to the role of director. “We look forward to the work the MassCyberCenter will do under Cpt. Helm’s leadership,” said Gov. Baker. “The support and guidance the Council will provide, and the impact that our Cybersecurity Workforce Talent Challenge winners will make in support of the broader strategy to support cybersecurity in the Commonwealth and make Massachusetts’ public and private institutions more resilient to cybersecurity attacks.”

Massachusetts currently has three key cybersecurity projects through the Massachusetts Cybersecurity Workforce Talent Challenge. To fund efforts to train job seekers for entry-level cybersecurity positions, the governor also announced that the three projects will receive a total of $385,868 in grants.

Bay Path University’s Engaging Student Interns in Cybersecurity Audits with Smaller Supply Chain project will receive $250,000, the largest portion of the grant funding, while STEMatch, a collaboration between community colleges and cybersecurity service and technology providers, will receive $61,178. A public-private partnership, the MassHire Greater New Bedford Workforce Board, is slated to receive $74,690.

Also highlighted at yesterday’s forum was the work being done by the Cybersecurity Education and Training Consortium, driven in large part by the partnership between the Advanced Cyber Security Center (ACSC) and the University of Massachusetts.

Source: Information Security Magazine

Users Rage Against the Dying of Skype 7.0

While Microsoft had announced earlier this year that it will be replacing Skype Classic (Skype 7.0) with an updated Skype 8.0, the company said yesterday that it will end support of Skype Classic in two phases beginning on November 1, 2018.

In an update to users on upgrading to the latest version of Skype, editors wrote on September 27, “As we continue to focus on and improve Skype version 8, support for Skype versions 7, and below will end on November 1, 2018 on desktop devices and November 15, 2018 on mobile and tablet devices. Although you may be able to use older versions for a little while, we encourage you to update today to avoid any interruption.”

Since announcing the rollout of the newest version, Microsoft has boasted about the features of Skype 8.0. The Skype team wrote about the simplified navigation and easy-to-discover contacts, all creating a modern, fresh look and feel; however, it continues to encourage community members to send feedback on what features they would like to see in version 8.0.

“We looked at how people use Skype apps, performing extensive testing across global markets and building prototypes to test new concepts. We also created a UserVoice site so you can vote on the feature changes you want us to prioritize. While we have plenty of work left to do, we hope you find these changes simplify your experience and bring you closer to those who matter,” the Skype team wrote.

The "work left to do" has some members of the Skype community feeling a bit disgruntled and somewhat unprepared for the November 1 transition. “You've barely begun the feature migration at this point, and Nov 1 is one month away. It's simply not going to be ready by then, and that's based on looking at the latest Insider/Preview builds (i.e. what the public will have in November). Skype 14 doesn't even have a tray icon yet (you close the window, it's gone),” one user wrote.

“'Several months' after November should be the earliest consideration for the first wave, not the last splash. You should have waited for the work to actually be largely complete before making such an announcement. This seems like an unforced error and not a lesson learned,” wrote the user.

Source: Information Security Magazine

Security Staffing Low in Midsized and Large Orgs

One of the greatest security challenges for midsized to large organizations is a function of staffing, according to research conducted by Osterman Research on behalf of ProtectWise and published in The Evolving State of Network Security.

Surveying 400 security analysts at companies with more than 1,000 employees, Osterman Research found that the number of security staff is not commensurate with the number of employees. On average, large organizations have only one security staff member for every 1,488 employees, and smaller companies have only one security staff member for every 189 employees.

To put that into context: The mean number of employees at the large organizations surveyed was nearly 26,000, with 17.5 of them being security personnel. The mean number of employees for midsized companies surveyed was 2,510, which translates to 13.3 security personnel.

According to the survey results, security teams are expected to significantly increase the number of hours they spend on security incidents, with the amount of time spent on identifying and remediating security incidents reportedly doubling for large organizations. However, the more mature companies that have invested in threat intelligence report fewer false positives and an overall reduction in the volume of their security alerts.

One tactic larger organizations are using to evolve in their overall security postures is becoming less reliant on endpoint security, the survey found. “Larger organizations have more sophisticated strategies that focus heavily on forensics and investigation, which are primarily centered around network communication,” said Gene Stevens, co-founder and CTO of ProtectWise.

“Larger organizations have larger attack surfaces than their midsize and smaller counterparts. Their security teams need to be able to see the numerous phases of an attack and how devices communicate with each other. Network visibility provides a straight path and is friendly to being deployed noninvasively.”

Overall, the survey suggests that larger enterprises are continuing to evolve their security strategies. “The takeaway is that an endpoint-only strategy just doesn’t work for larger or more complex infrastructures, and security teams are understanding that,” Stevens said.

More than half of the analysts surveyed are using a combined endpoint and network security approach. Said Stevens, “This means they are not only establishing complete visibility but can also investigate and respond more efficiently. Specifically, endpoint detection and response (EDR) is being matched to network detection and response (NDR) and, for many organizations, a managed detection and response (MDR). These three pillars provide great coverage, strength in detection, and promote operational efficiency.”

Source: Information Security Magazine

DEF CON Voting Village Report Calls for Standards & Fixes

Congress and national security leaders have been urged to take action to address issues in voting machines.

After DEF CON’s Voting Village came under fire from the National Association of Secretaries of State (NASS) over the introduction of an area designed to test voting machines, DEF CON’s report on the voting village said that Congress must act, as “problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security.”

In four steps to be taken, the report claims that Congress must take action, and also fund election security as “no state or local government will ever be able to raise enough capital to defend itself from a determined nation state” and security standards must be funded and implemented.

The other points called for a “Crisis Communications Plan” as State and local government election results web pages are “the most insecure component of our election infrastructure,” and while many local election officials have advocated for Congress to act and fund robust security practices, the report said it is not enough.

“National security leaders must also remind Congress daily of the gravity of this threat and national security implications,” it said. “It is the responsibility of both current and former national security leaders to ensure Congress does not myopically view these issues as election administration issues but rather the critical national security issues they are.”

DEF CON officials said that among the “dozens of vulnerabilities identified in the last two years” of the Voting Village, the insecure supply chain, capability for remote attacks despite insistence that the machines are ‘air gapped’, the ability to hack a machine in an average of six minutes and failure to fix serious flaws all prove a persistent problem.

“The failure to fix existing, reported vulnerabilities and the disconnect between the reports of election security experts and the reactions of some election equipment vendors speaks directly to the reason Voting Village was created,” the report said.

“The Voting Village aims to increase access to election security knowledge in order to better protect American democracy and the electoral system. We believe that knowing the risks involved in how America votes is always better than sticking our heads in the sand. Although we have redacted some information from this report, it is a realistic, if pessimistic, view of how easy it is for individuals to exploit bad design and sidestep election protections. We hope that it will move the United States towards action.”

Source: Information Security Magazine

SEC Fines Voya Financial Advisors $1m

In a landmark settlement case, the Securities and Exchange Commission (SEC) fined Voya Financial Advisors (VFA) for violations of the Identity Theft Red Flag Rules required of financial institutions. Though it neither admitted nor denied the SEC's findings, VFA has agreed to pay $1m to settle the charges for its failure to establish policies and procedures to protect against cyber intrusion.

The Red Flag Rules became effective as of January 1, 2008, though the Federal Trade Commission extended the deadline for compliance through the end of 2010. The SEC Order issued on September 26, 2018, resulted from events that took place over the course of six days in 2016 on VFA’s proprietary web portal.

One or more fraudsters were able to obtain passwords and gain access to VFA's portals by impersonating its contractors. The malicious actors successfully requested password resets via VFA’s support line, which then allowed them to create new passwords and access the personal information of thousands of the company’s customers. With that customer information, the fraudsters then created new customer profiles.

The rule, also known as the Identity Theft Rules, states “Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account."

The SEC found that VFA failed “to adopt written policies and procedures reasonably designed to protect customer records and information.” In addition, the dually registered broker-dealer and investment adviser failed to both develop and implement a written program to protect against identity theft.

Though VFA took steps to respond to the intrusion, the company did not successfully terminate the intruder’s access to the accounts, “due to deficient cybersecurity controls and an erroneous understanding of the operation of the portal.”

This is the first SEC enforcement action to charge an organization with violating the Identity Theft Red Flag Rules and will likely set a precedent moving forward. 

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Division of Enforcement, in a press release. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

Source: Information Security Magazine

Post Attack, Aspire Health Subpoenas Google

Protected patient health data was reportedly stolen in the aftermath of a phishing attack on Aspire Health, a healthcare company that offers in-home care, according to USA Today.

On behalf of Aspire Health, Nelson, Mullins, Riley & Scarborough, LLP filed a federal case against John Doe 1 in Tennessee Middle District Court on September 21, 2018. Becker’s Health IT & CIO Report (HR) said the attack originated from an IP address in Eastern Europe with Google as the registrar; thus, Aspire returned to federal court on September 25 to file a motion to subpoena Google for more information on the unidentified suspect referred to as John Doe 1 in the court documents.

"The proposed subpoena to Google should provide information showing who has accessed and/or maintains the phishing website and the subscriber of the email account that John Doe 1 used in the phishing attack," Aspire attorney James Haltom wrote, according to HR. "This information will likely allow Aspire to uncover and locate John Doe 1."

Aspire reported that on September 3, 2018, a hacker gained access to the company’s internal email system and forwarded in excess of 120 emails to an external email account. The emails reportedly contained confidential and protected patient data. No additional information on the number of patients impacted has been made public thus far, nor are there any details about the specific data included in the stolen information.

“This attack on Aspire Health is a type of email phishing attack that happens all too often. While the ultimate goal of the attacker can vary, the technique of using spear-phishing to lure an unsuspecting person to a fraudulent log-in page to then steal their email login credentials and data that flows through that account, happens regularly,” said Matthew Gardiner, cybersecurity strategist for Mimecast.

“Fortunately there are many solid defenses against this technique, including the use of multi-factor authentication, anti-phishing and email monitoring services, as well as focused user awareness training. Coupled together, these security controls can significantly reduce the risk of these types of attacks being successful.”

Source: Information Security Magazine

Uber Fined $148m for Breach Cover-Up

Attempting to cover up a data breach was a failed mission for Uber, which yesterday announced that it has agreed to a $148m settlement. The fine for its 2016 data breach and cover-up sends a strong message not only to Uber but to organizations across all sectors that data breaches, whether disclosed or not, come at a hefty price.

“Companies can no longer get away with poor cybersecurity and sweeping incidents under the carpet,” said Rob Shapland, principal cybersecurity consultant at Falanx Group. “I would expect many companies will have tried to hide the fact that they’ve been breached, especially given the size of the potential fines. This case, and Uber’s punishment for not revealing that the breach had occurred, will hopefully give companies further warning of the risks posed by cyber-attacks, so that they take the security of the data they hold more seriously.”

In November 2017 Uber shocked the cybersecurity community when it confessed that it had indeed attempted to hide the fact that data of 57 million users was stolen. In response to the settlement news, Tim Erlin, VP at Tripwire, said, “There’s no doubt that the cover-up behavior was impactful in how this settlement played out. It’s a good reminder to all organizations of how a good breach response plan can help avoid poor decision making in the midst of an incident.”

The fine is huge, which has some commentators wondering whether it is intended to set a precedent in order to deter other organizations from attempting to cover up future breaches.

“Trying to keep [a breach] quiet will of course be an idea by some senior ranked employees. However, this is inevitably the wrong thing to do, and Uber is surely being made an example of what not to do,” said Jake Moore, security specialist at ESET.

“Being open about customer data breaches at the earliest opportunity is not only ethically the right thing to do, but helps protect people from a multitude of other attacks which could follow as a result.”

Moreover, the fine speaks to the financial risks of compliance mismanagement. That a breach of such magnitude was able to happen was problematic enough, but paying the hackers $100,000 to delete the data and keep the breach quiet, rather than reporting the incident, was “a blatant disregard for governance and compliance, putting customers at risk,” said Pravin Kothari, CEO of CipherCloud.

“The takeaway lesson is that it is incumbent upon all of us to foster a culture in our companies such that our employees understand the ethical necessity of full disclosure and transparency. Protecting our customers and their data is not optional.”

Source: Information Security Magazine

Google Promises Chrome Updates after Sign In Synchronization Snafu

Google has stepped into the debate over data security in its products, saying that signing out of Google “makes your authentication cookies invalid,” and that it will “be making some product changes.”

After it launched an update in Chrome 69, which meant that every time you logged into a Google service you were automatically signed into Chrome without notification, Google engineers issued statements instructing users on how to turn off sync in Chrome, while Chrome head Parisa Tabriz said that “the authentication cookie behavior is how we keep things synchronized” but feedback had been “heard and appreciated.”

This led to some privacy concerns about sharing of data between different Google services. Google’s Privacy notice states: “Chrome periodically sends information to Google to check for updates, get connectivity status, validate the current time, and estimate the number of active users.”

Cryptographer Matthew Green published a lengthy blog criticizing the update, saying that the change has “serious implications for privacy and trust” as “if you’re in a situation where you’ve already signed into Chrome and your friend shares your computer, then you can wind up accidentally having your friend’s Google cookies get uploaded into your account. This seems bad, and sure, we want to avoid that.”

Green also highlighted issues in situations such as a user searching for mental health conditions, asking how comfortable they would be if their real name and picture were always loaded into the corner. “The Chrome development team says 'yes'. I think they’re wrong.”

In an update published on Wednesday September 26, Chrome product manager Zach Koch insisted that “this change to sign-in does not mean Chrome sync gets turned on” and users “who want data like their browsing history, passwords, and bookmarks available on other devices must take additional action, such as turning on sync” and the addition is intended to remind users which Google Account is signed in and better help users who share a single device.

In a planned update in Chrome 70, due in October, a control will be added which allows users to turn off linking web-based sign-in with browser-based sign-in. Users that disable this feature will not be signed into Chrome if they sign into a Google website.

“We’re also going to change the way we handle the clearing of auth cookies. In the current version of Chrome, we keep the Google auth cookies to allow you to stay signed in after cookies are cleared. We will change this behavior so that all cookies are deleted and you will be signed out.”

Source: Information Security Magazine

Majority of Orgs Failing to Make Machine Learning Fair, Safe & Balanced

New research from O’Reilly Media has revealed that almost nine out of 10 (86%) businesses are deploying machine learning technologies without considering important questions regarding data quality, consumer privacy and the quality of machine learning applications.

The firm conducted its research among 2000 senior business leaders in the EU, discovering that over half (55%) of EU businesses have not included privacy provisions in their model-building checklist, whilst 53% do not account for compliance and 62% don’t include fairness and bias.

Only 14% of those polled accounted for compliance, privacy, fairness and bias in their model-building checklist, and O’Reilly Media warned that failing to do so will result in failed results from flawed, biased and unethical applications that could also put people’s privacy at risk.

“There is much more to machine learning than just optimizing your business metrics,” said Ben Lorica, chief data scientist at O’Reilly Media and AI London Conference chair. “It’s critical that those developing these transformational applications understand the power they’re harnessing, and how small errors or omissions can lead to major problems down the line.”

Lorica argued that, too often, the task of developing machine learning technology falls to data scientists without insight from lawyers, compliance and privacy experts.

“Since the introduction of the GDPR, businesses should be on heightened alert for anything that could compromise consumer privacy,” he added. “Yet, over half of machine learning projects still fail to take this into account. This is simply storing up trouble for the future.

“Meanwhile, other failings such as bias and fairness will mean that organizations won’t get full value from their ML investment – and could even end up with applications that are fundamentally inaccurate and therefore less than useless.

“The problem with any new technology is that developers and engineers are often focused on its potential for good, rather than worrying about dangers such as privacy. To maintain public trust in these technologies, it’s critical that we address these problems before machine learning applications come online,” Lorica concluded.

Source: Information Security Magazine