
Archive for October 2018

EU Laws Could Spell Double Trouble for Firms

Legal experts have warned organizations in certain highly regulated industries that they could be fined twice under new EU security laws with huge maximum penalties.

The GDPR has received most of the press since it came into force on May 25, but for operators of essential services (OES) and digital service providers (DSPs) there is a second piece of legislation to consider: the EU Directive on Security of Network and Information Systems (NIS Directive), transposed into UK law as the NIS Regulations a few weeks earlier.

This means a serious breach could result in two fines for OES in the energy, health, transport, drinking water and digital infrastructure sectors, and for DSPs, i.e. online marketplaces, online search engines and cloud computing services.

Crucially, both regimes carry maximum fines in the region of £17m: the UK NIS Regulations cap penalties at £17m, while the GDPR allows up to €20m or 4% of global annual turnover, whichever is higher.

“The NIS Directive and UK NIS Regulations say that NIS regulators should 'consult and cooperate' with data protection regulators, and the UK government had previously agreed that organizations should not be tried for the same offence twice,” explained Kuan Hon, a director in Fieldfisher's Privacy, Security and Information group.

“However, it has also said, 'there may be reason for them to be penalized under different regimes for the same event because the penalties might relate to different aspects of the wrongdoing and different impacts'.”

The ICO, which is the competent authority for DSPs under the UK NIS Regulations, also recently confirmed that its NIS enforcement powers are separate from its data protection powers.

“In cases where a NIS incident impacts on personal data, we are able to take action under both NIS and data protection law if it is appropriate and proportionate to do so,” it said.

Hon advised organizations to register as OES or DSPs where required, adding that the deadline for UK DSPs to register with the ICO is November 1. Firms operating across the region will have to comply with each member state's own transposition of the NIS Directive, while non-EU DSPs should first assess, service by service, where their EU "main establishment," or head office, is located, she added.

Source: Information Security Magazine

Criminals Earn Big with Fraudulent Label Services

While data breaches cause huge losses for the victims, criminals are cashing out on fraudulent purchases by working with underground communities that offer services such as shipping-label creation, according to Flashpoint.

In a blog post published today, “Drop Networks, Label-Creation Services Sustain Shipments of Fraudulent Purchases,” analysts Luke Rodeheffer and Mike Mimoso detail the mechanics, methods and success rates of criminals cashing out stolen cards while avoiding law enforcement. These tactics succeed thanks to three ingredients: fraudulent shipping labels, mules and drop networks.

Through engagements on private dark-web forums, criminals turn their carded goods into cash. In some cases, drop networks offer ready-made shipping labels, which researchers say suggests they have access to a linked shipping services account.

Access to those shipping service accounts, combined with the services’ APIs, allows criminals to generate thousands of labels for their customers, with a claimed 99.9% success rate. The labels are so central to the process that in one underground service customers can both create labels and download them as PDFs. Customers then send the labels to mules, who ship the carded goods to buyers on the network; the goods are then resold on online marketplaces such as Amazon and eBay, according to Flashpoint analysts.

“These companies are often set up as limited liability partnerships (LLPs) posing as legitimate shipping or warehousing companies,” said Rodeheffer in an email interview. “Individuals are lured into working for what they believe is a legitimate reshipping operation that offers benefits such as flexible work scheduling.

"As noted, the companies claim to be freight-forwarding and -reshipping or logistics companies, and the individuals working for the companies often find advertisements on job message boards or receive spam messages offering such employment.”

Flashpoint expects drop networks to continue recruiting mules, and expects criminals to keep targeting financial services institutions, telecommunications companies, and electronics and consumer technology retailers.

“Label-creation services, meanwhile, will continue to be a valuable add-on for criminals with access to accounts belonging to private- and public-sector shipping services,” the analysts wrote.

Source: Information Security Magazine

Bots Targeting SSH Servers and Brute-Forcing Entry

Botnets continue to proliferate, and SophosLabs has discovered a new family of bots used in distributed denial-of-service (DDoS) attacks. The family, dubbed Chalubo, has been used in attacks targeting internet-facing SSH servers on Linux systems, according to SophosLabs.

The attackers encrypt both the main bot and its Lua script with the ChaCha stream cipher, which researchers said marks an evolution in Linux malware: anti-analysis techniques of this kind are far more common in Windows malware, where they are used to thwart detection. Chalubo also incorporates code from both the Xor.DDoS and Mirai malware families.

The Chalubo family hit a SophosLabs honeypot on September 6, 2018, when researchers observed the bot brute-forcing login credentials against the SSH server. Once the attackers believed they had gained access, they issued a series of commands that revealed the bot’s complexity, dropping its malicious components in layers and using encryption that is not typical of Linux malware.

When it was initially analyzed, the malware had three components: a downloader, the main bot and the Lua command script. Since its detection, attackers have added commands that “retrieve the Elknot dropper (detected as Linux/DDoS-AZ), which in turn delivers the rest of the Chalubo (ChaCha-Lua-bot) package,” according to Sophos News.

“In addition, we now see a variety of bot versions that run on different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. This may indicate the end of a testing period, and we may see an uptick in activity from this new family.”

In related news, NETSCOUT reported botnet propagation in which attackers brute-force factory-default usernames and passwords on internet of things (IoT) devices in order to launch DDoS attacks.

Throughout September, researchers observed 1,065 unique username and password combinations being tried from sources in 129 countries. Interrogating the botnets revealed 1,005 combinations beyond those on Mirai’s built-in default credential list. The combinations were sprayed indiscriminately across IoT devices. A further key finding was that “attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices,” NETSCOUT wrote.
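Both of the stories above come down to the same observable on the defender's side: bursts of failed logins, often with factory-default usernames, followed in the Chalubo case by an accepted password login and a flurry of commands. As an added example (not code from SophosLabs, NETSCOUT or the original article), the Python below parses OpenSSH auth-log lines and flags, per source IP, a brute-force burst, a password login accepted from a source that was just brute-forcing, and the use of default IoT-style usernames. The log lines, the default-username list, the window and the threshold are all constructed for illustration.

```python
"""Flag SSH credential brute-forcing in OpenSSH auth logs.

Added example; not code from the SophosLabs or NETSCOUT research.
All log lines and the DEFAULT_USERS set below are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd syslog lines (RFC 3164 timestamps, no year).
SAMPLE_LOG = """\
Sep  6 03:14:01 honeypot sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep  6 03:14:02 honeypot sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep  6 03:14:03 honeypot sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Sep  6 03:14:04 honeypot sshd[2205]: Failed password for invalid user pi from 203.0.113.7 port 40138 ssh2
Sep  6 03:14:05 honeypot sshd[2207]: Failed password for invalid user support from 203.0.113.7 port 40140 ssh2
Sep  6 03:14:09 honeypot sshd[2209]: Accepted password for root from 203.0.113.7 port 40152 ssh2
Sep  6 03:20:00 honeypot sshd[2300]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Sep  6 03:20:30 honeypot sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 51002 ssh2
Sep  6 04:00:00 honeypot sshd[2400]: Failed password for invalid user ubnt from 192.0.2.9 port 60000 ssh2
"""

# Matches the two OpenSSH outcomes we care about; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed subset of factory-default usernames of the kind sprayed at IoT devices.
DEFAULT_USERS = {"root", "admin", "pi", "support", "ubnt", "user", "guest"}


def parse(line, year=2018):
    """Parse one sshd line into a dict, or return None for lines we do not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog omits the year; the caller supplies it (assumption: all lines from one year).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text, window_s=60, threshold=4):
    """Return {source_ip: finding} for sources that look like credential brute-forcers.

    Tags: 'brute_force' when >= threshold failures fall inside a window_s-second window,
    'success_after_failures' when a *password* login is later accepted from that source
    (the Chalubo honeypot sequence), 'default_creds' when guessed usernames include defaults.
    """
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        tags = set()
        # Sliding window over the sorted failure timestamps.
        j = 0
        for i in range(len(fails)):
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window_s:
                j += 1
            if i - j + 1 >= threshold:
                tags.add("brute_force")
                break
        if "brute_force" in tags:
            first_fail = fails[0]["ts"]
            if any(e["result"] == "Accepted" and e["method"] == "password"
                   and e["ts"] > first_fail for e in evs):
                tags.add("success_after_failures")
            if {e["user"] for e in fails} & DEFAULT_USERS:
                tags.add("default_creds")
        if tags:
            findings[ip] = {"failures": len(fails),
                            "users": sorted({e["user"] for e in fails}),
                            "tags": sorted(tags)}
    return findings


if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f)
```

Point it at an export of /var/log/auth.log by replacing SAMPLE_LOG. Of the three tags, success_after_failures is the one that should page someone: it is the exact sequence SophosLabs saw on its honeypot before Chalubo's downloader was dropped, and a single user's mistyped password (198.51.100.4 above) never reaches the threshold.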

Source: Information Security Magazine

Drawing Underrepresented Groups from the Shadows To Build the Cybersecurity Talent Pool

If you’ve been following this series, it should be clear by now that cybersecurity talent is one of the biggest needs in IT and also one of the smallest talent pools. In Parts 1 and 2 I shared advice for attracting cybersecurity professionals to fill immediate needs. Taking a longer-term view, demand will continue to grow, and it is in everyone’s interest to promote growth on the supply side as well.

Women and other underrepresented groups make up a large, untapped talent pool. According to the National Cybersecurity Institute, the U.S. Department of Labor’s 2015 population survey indicates that women hold only 19.7% of cybersecurity jobs, while African Americans, Asian Americans and Latinos combined hold only 12%. Women alone represent more than half of the U.S. population, so the potential numbers are there.

Adjourn the Good Ol’ Boys Clubs for Good

Discrimination is only one factor: women, for example, continue to choose careers in traditional areas such as education, healthcare and social work. Just the same, a lack of diversity can make cybersecurity departments look like good ol’ boys clubs, further discouraging members of underrepresented groups from pursuing careers in this space. Those who do often feel like the “odd stepchild” of a team or department, and people in these situations report feeling that their voice is not heard.

Leaders in the field need to make a point of integrating and welcoming women and other underrepresented groups, ensuring that they are engaged, contributing members of the team. One way to do this is to hire and/or develop members of underrepresented groups into your leadership ranks in IT and, ideally, cybersecurity. “Women at the senior level are beacons for other women,” says Elizabeth Ames of the Anita Borg Institute for Women in Technology. Undoubtedly the same is true for people of color.

Proactive Engagement

Another strategy is to implement targeted outreach programs. According to the Wall Street Journal, big banks like J.P. Morgan Chase and Citigroup are getting results by hosting events and programs targeting different groups. Some have even started “re-entry” programs to attract women who took a career break to start families.

Post openings on job boards of associations and magazines like the National Black MBA Association, Ascend Pan-Asian Leaders, National Association of Professional Women, Association of Latino Professionals for America, and others. For entry-level roles, recruit from colleges and universities that have large numbers of students from underrepresented groups.

Diversify Your Employment Brand

Members of underrepresented groups can promote their own interests by getting involved with organizations like the Women in Security special interest group within ISSA, Women in Technology (WIT), Blacks in Technology (BIT), the International Consortium of Minority Cybersecurity Professionals (ICMCP), and others. If your company is serious about attracting diverse talent, you should get involved in organizations like these and establish a reputation for supporting diversity in the cybersecurity profession.

According to Sharon Florentine, two other big issues are access to training and its cost: a one-week class can cost $5,000. Organizations such as SANS CyberAces are addressing this by offering free online courses. As I suggested in Part 2, companies can enhance their employment brand by providing training in general; combine that with targeted recruiting, and your company could become recognized as a trailblazer.

Most commenters on this topic agree that women and underrepresented groups should be encouraged to explore cybersecurity careers at a young age. Melinda Gates, for example, recently launched a new initiative to attract and retain women in tech fields, citing a “leaky pipeline” in education as a key issue. Your company should attend career events at high schools and middle schools, ideally sending employees who represent the target demographics.

This post only scratches the surface of a large and challenging issue. If you have strategies that are working for you, please share them below.

Fortinet Gets ZoneFox, Bitdefender Grabs RedSocks

Fortinet and Bitdefender are both betting that their latest acquisitions will bolster their threat intelligence offerings, with each company announcing today that it has completed a purchase intended to enhance its existing security products.

Fortinet has finalized its acquisition of Scotland-based ZoneFox Limited, a privately held cloud-based insider threat detection and response company, while Bitdefender has acquired Netherlands-based RedSocks Security.

The acquisition of ZoneFox will give Fortinet deeper visibility into endpoints, their data flows and user behavior. Combining the existing Fortinet Security Fabric with ZoneFox’s cloud-based capabilities will also provide more comprehensive machine-learning analytics, able to distill billions of events per day into threat leads that uncover blind spots and alert users to suspicious activity.

“We’re pleased to join the Fortinet team and bring together our shared vision of alleviating CISO concerns about insider threats,” said Dr. Jamie Graves, chief executive officer and founder, ZoneFox. “Integrating our solution with the Fortinet Security Fabric will allow us to extend our reach to a broad spectrum of Fortinet and third-party solutions to solve customers’ most difficult challenges in network security.”

With its acquisition of RedSocks Security, a behavioral and network threat intelligence company, Bitdefender adds non-intrusive, real-time breach detection and incident response services to its existing multilayered security capabilities.

"At Bitdefender, we’re now able to offer our Bitdefender and new RedSocks customers even stronger protection from sophisticated attacks,” said Bitdefender CEO and founder Florin Talpes in today’s announcement.

“By bringing RedSocks network security analytics and threat intelligence into GravityZone, a complete endpoint prevention, detection and response platform, customers will benefit from a more comprehensive, layered approach to security and deeper visibility into their threat landscape.”

RedSocks founder Pepijn Janssen said, “When we started RedSocks in 2012, our goal was to build solutions that would serve any type of organization and offer them value for the long term. Together with Bitdefender, we will now achieve that goal. We are extremely proud to be acknowledged by and part of a visionary cybersecurity company like Bitdefender.”

Source: Information Security Magazine

Saudi Investment Site Defaced After Journalist’s Murder

The website of a Saudi Arabian investment conference hosted by the crown prince has just returned to normal after being defaced following the murder of a Washington Post journalist.

The Arab nation has now admitted Saudi national Jamal Khashoggi was murdered on a visit to his country’s consulate in Istanbul at the beginning of the month, having changed its story several times.

However, the country’s foreign minister has claimed that it was a rogue operation not ordered by the powerful prince, Mohammed bin Salman.

That’s a version of events disputed by Turkey, which says it has proof that the office of the crown prince received four phone calls from the consulate after the killing. Surveillance footage obtained by CNN also appears to show an imposter dressed as the journalist, wearing a fake beard and glasses, leaving through the consulate's back door on the day he was killed.

In response to the outrage, hackers managed to deface the website of the Future Investment Initiative, a pet project of the prince’s known as “Davos in the Desert.”

According to screen grabs taken by CBC News Network journalist Nahayat Tizhoosh, it featured an image of the prince scything down Khashoggi with a large sword.

Also published was a list of names, phone numbers and Saudi government email addresses, with the accompanying message: “thousands of terrorists and spies in the Saudi regime who perform malicious activities around the globe.”

Another statement on the defaced page read:

“For the sake of security for children worldwide, we urge all countries to put sanction on the Saudi regime. The regime, aligned with the United States, must be kept responsible for its barbaric and inhuman action, such as killing its own citizen Jamal khashoggi and thousands of innocent people in Yemen. The medieval Saudi regime is one of the sources for #Terrorism_Financing in the world.”

While this story was being written, the website went from a blank error page back to displaying a live stream of the event.

Source: Information Security Magazine

NSA Tools Used to Attack Nuclear Energy Firms

Security researchers have spotted a new campaign using two attack frameworks and a backdoor allegedly developed by the NSA to spy on scores of targets in Russia, Iran and Egypt.

The tools were originally published in April 2017 by the Shadow Brokers, a group some analysts have linked to Russian intelligence, which claimed they came from the US spy agency.

They include DanderSpritz, which consists of “plugins to gather intelligence, use exploits and examine already controlled machines,” and FuzzBunch, a framework that lets different utilities interact and work together and which features plugins to “analyze victims, exploit vulnerabilities, schedule tasks,” and more, according to Kaspersky Lab.

The DarkPulsar backdoor ties the two frameworks together: FuzzBunch is used to exploit vulnerabilities, gain remote access to a targeted system and install the implant, after which DanderSpritz is brought in to control it, observe the victim and exfiltrate data.

“The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools. Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims,” the researchers explained.

“The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness. The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.”

Kaspersky Lab said it had found around 50 victims in Russia, Iran and Egypt, typically running Windows Server 2003 or 2008. The organizations in question were involved in nuclear energy, telecoms, IT, aerospace and R&D, the Russian AV vendor said.

Source: Information Security Magazine

Have Cybersecurity Training, Will Travel

Late last week, congressional staff had the opportunity to take part in hands-on cybersecurity training exercises brought to them, quite literally, by IBM's X-Force Command Cyber Tactical Operations Center (C-TOC), billed as the first mobile security operations center of its kind.

With a focus on delivering response training and preparedness, onsite cybersecurity support and education and awareness, the mobile command center will be on tour throughout 2019, attending various events, as well as visiting schools and government facilities across the U.S. before it heads to Europe.

Modeled after the military’s tactical operations centers, which have also been used by first responders as incident command posts, the IBM X-Force C-TOC is a fully operational security operations center (SOC) on wheels.

Credit: IBM Security

A sleek black tractor-trailer adorned with a blue "X," the C-TOC is large enough to accommodate two dozen security staff. It comprises a gesture-controlled cybersecurity "watch floor," a data center and conference facilities, and can be deployed in a variety of environments thanks to self-sustaining power and satellite and cellular communications. In addition, the C-TOC brings a sterile, resilient network for investigation and response and a state-of-the-art platform for cybersecurity training.

"Experiencing a major cyber-attack is one of the worst crises a company can face, and the leadership, skills and coordination required are not something you want to test out for the first time when you're facing a real attack," said Caleb Barlow, vice president of threat intelligence, IBM Security, in a press release.

"Having a mobile facility that allows us to bring realistic cyber-attack preparation and rehearsal to a larger, global audience will be a game changer in our mission to improve incident response efforts for organizations around the world."

By engaging in real-time simulated cyber-attacks, security teams can use the C-TOC to evaluate their incident response plans through three gamified challenges: Ox Response Challenge, OpRed Escape and Cyber War Game.

Source: Information Security Magazine

Facebook Is in Retail Therapy, Shopping for Security Firms

Facebook is apparently heeding the wisdom in the old adage, “When things get tough, the tough go shopping.” According to The Information, Facebook is currently shopping for a major cybersecurity firm.

After several months in the hot seat for its failure to protect user data, Facebook is reportedly looking to address its security problems by acquiring a cybersecurity company. Four inside sources have reportedly revealed that the company has held acquisition talks with several security firms, none of which have been publicly named.

“It’s good to see such a huge consumer company looking to make a large move to improve their cybersecurity posture," said Guy Bejerano, co-founder and CEO, SafeBreach. "However, as we’ve seen on the enterprise front, improving defenses isn’t about just buying tools. For Facebook to truly move the security needle, they will also need to ensure that whatever investment they choose is deployed appropriately, configured correctly, and constantly validated to ensure their investment works as expected.”

According to The Information, the company is most likely looking to acquire a cybersecurity firm whose software, such as analytics or tools that flag unauthorized access, Facebook could integrate with its own systems.

“Facebook is acknowledging two factors with the public statement about acquiring a cybersecurity firm. First, there is a shortage of cybersecurity talent. Second, the company will start making cybersecurity unique solutions part of their key business value to their customers," said Joseph Kucic, chief security officer at Cavirin.

"Obviously, Facebook could purchase products and solutions from vendors, but they want to create greater value that will be a market and product differentiator for them as they move forward with an acquisition.”

There's no word yet on when the big purchase might happen, but one unidentified source reportedly suggested a deal could be in the works by the end of the year.

Source: Information Security Magazine

75K Files Accessed in Insurance Exchanges Breach

Early last week, the Centers for Medicare & Medicaid Services (CMS) announced that it had detected suspicious activity in the Federally Facilitated Exchanges (FFE) portal used by agents and brokers.

On October 13, 2018, a CMS staffer noticed the anomalous activity, and the agency declared a breach on October 16. An unauthorized user reportedly accessed the files of approximately 75,000 individuals. The agent and broker accounts involved have since been deactivated, according to an October 19 press release.

“Our number-one priority is the safety and security of the Americans we serve. We will continue to work around the clock to help those potentially impacted and ensure the protection of consumer information,” said CMS administrator Seema Verma in the press release.

“I want to make clear to the public that and the Marketplace Call Center are still available, and open enrollment will not be negatively impacted. We are working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”

The breach reinforces the need for both private and public insurers to adopt the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, published in late 2017, according to Michael Magrath, director of global regulations and standards at OneSpan Inc.

South Carolina became the first state to adopt the NAIC model law in May 2018 with the South Carolina Insurance Data Security Act, although that act does not take effect until January 1, 2019.

“Although written for states to adopt, there is nothing prohibiting the federal government from mandating tighter cybersecurity controls in its own programs, especially when it comes to protecting sensitive personally identifiable information (PII) such as health insurance information,” Magrath said.

"A key provision of the regulation is the use of multifactor authentication to protect against unauthorized access to nonpublic information or information systems, with 'nonpublic information' being the individual’s private information," he said.

Source: Information Security Magazine