
Archive for March 2019

Norsk Hydro Admits Ransomware Costs May Have Hit $41m

Norsk Hydro is still in the process of restoring its IT systems after a devastating ransomware attack last week which has already caused the firm as much as £40m ($41m).

The Norwegian firm, one of the world’s largest producers of aluminium, was forced to call in national security authorities after it suffered a malware attack on March 18.

It soon emerged that the culprit was a strain of ransomware known as LockerGoga. However, the firm refused to pay the ransom and began the process of restoring from back-ups, drafting in experts from Microsoft and other third-party tech partners to “get business critical systems back in normal operation.”

In an update on Tuesday, the firm claimed that “most operations” are now running at normal capacity. However, the most affected area, Extruded Solutions, is only at 70-80% and its Building Systems business unit is still at a standstill.

Norsk Hydro expects Building Systems to gradually ramp-up production and shipments over the coming week.

“Based on a high-level evaluation, the preliminary estimated financial impact for the first full week following the cyber-attack is around NOK 300-350 million (£26-40m, $35-41m), the majority stemming from lost margins and volumes in the Extruded Solutions business area,” the update noted.

“Hydro has a solid cyber risk insurance policy with recognized insurers, with global insurer AIG as lead.”

It will be hoping that its insurance policy hasn’t been invalidated by a lack of adequate security measures, and/or that there are no surprises in the small print.

Both DLA Piper and Cadbury’s owner Mondelez are locked in legal disputes with their insurers over multi-million claims to cover losses from NotPetya. In the latter’s case, Zurich is claiming the attack was an 'act of war' and therefore not covered.

“Recovering the costs of the cyberattack even with reputable cybersecurity insurers can be non-trivial,” argued Securonix VP of threat research, Oleg Kolesnikov.

“Fortunately, NotPetya had a number of differences from LockerGoga, particularly in that, as UK officials believed, a nation-state-level malicious threat actor was involved with NotPetya, and the purpose of the NotPetya attack was more along the lines of a cyber sabotage than a classic ransomware attack.”

Source: Information Security Magazine

Polish Regulator Issues First GDPR Fine

The Polish privacy regulator has issued its first GDPR fine, penalizing an unnamed firm over £187,000 for scraping public data on individuals and reusing it commercially without notifying them.

The firm is said to have taken personally identifiable information (PII) on over six million Polish citizens from the country’s Central Electronic Register and Information on Economic Activity.

However, it only informed the 90,000 individuals it had email addresses for, claiming that “high operational costs” prevented it from doing more, according to the regulator, the Personal Data Protection Office (UODO).

In fact, it should have used the postal addresses and telephone numbers it had to notify individuals about the data it used, the source of their data, the “purpose and the period of the planned data processing,” and their rights under the GDPR, it continued.

“The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because — as it was established during the proceedings — the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons,” the UODO said in a notice.

“While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.”

Some 12,000 individuals out of the 90,000 that were notified by the company apparently objected to its use of their data.

The move is another sign of the growing readiness of regulators to issue major fines to companies found to have deliberately violated the GDPR.

The biggest penalty so far was the €50m (£43m) levied against Google in France related to how the tech giant personalizes ads. However, as of February, over 59,000 breaches had been reported to GDPR regulators since the law was introduced in May 2018, with 91 fines issued, according to DLA Piper.

Source: Information Security Magazine

EU Parliament Approves Controversial Copyright Law

The European Parliament approved major new changes to EU-wide copyright laws which critics claim could lead to de facto mass censorship of online content.

Tech giants like Google and Amazon have been mobilizing their users for months to protest ahead of the vote, but in the end the Copyright in the Digital Single Market directive was voted in by 348 MEPs to 274.

Most controversial is Article 13, which requires sites and internet platforms to filter any user-generated content that is being uploaded without permission, or else be held liable for infringement. Although they already scan for unlicensed content, this will put a greater liability on such sites for doing so.

While artists have claimed that the new law will help protect their content from infringement, advocates of internet freedom argue that it could amount to backdoor censorship of the web — although memes and use of copyrighted content for parody are excluded.

Also hotly contested was Article 11, which demands that news aggregators and search engines pay to feature links from news sites on their pages.

As it currently stands, the law will only cause more confusion, not least because — as a directive and not a regulation — member states will be given greater latitude to interpret it when transposing into local law.

This could cause a great deal of inconsistency across the EU, argued the Electronic Frontier Foundation’s international director, Danny O’Brien.

“It’s unclear who is supposed to impose consistency in the EU between, say, a harsh French regime and a potentially softer German solution, or interpret the Directive’s notoriously incoherent text,” he wrote.

This could mean it falls to the courts to decide, with rights holders on one side and internet companies on the other.

“But there’s also opportunities for the courts to rein in the directive — or even throw out its worst articles entirely,” O’Brien added.

“One key paradox at the heart of the directive will have to be resolved very soon. Article 13 is meant to be compatible with the older E-Commerce Directive, which explicitly forbids any requirement to proactively monitor for IP enforcement (a provision that was upheld and strengthened by the ECJ in 2011). Any law mandating filters could be challenged to settle this inconsistency.”

Google also pointed to potential “legal uncertainty” and claimed the law will “hurt Europe’s creative and digital economies.”

The directive is now likely to gain approval when the European Council meets later this month, unless any member states change their minds.

Source: Information Security Magazine

So Long and Farewell: Dream Market Says Goodbye

Cyber-criminals have long relied on the Dark Web’s largest marketplace, Dream Market, to buy and sell illicit goods, but today threat researchers at IntSights and Flashpoint found that the notorious online store is scheduled to shut down on April 30, 2019.

On March 26, multiple threat actors posted on the DNM Avengers forum after purportedly receiving messages stating that Dream Market would shut down at the end of April, according to Evelyn French, senior analyst, Flashpoint.

“A threat actor operating under the alias nigafawefawg stated that they received the following message, allegedly on Dream Market: 'This market is shutting down on 04/30/2019 and is transferring its services to a partner company, onion address: weroidj*********.onion (currently offline, opening soon),'" French said.

“Other threat actors commenting in the same thread reported receiving similar notification messages, while some threat actors denied receiving the notifications,” French continued. Flashpoint is also monitoring similar discussions on numerous other marketplaces and forums, including Empire Market Forum, Wall Street Market Forum, Pirate Ship, and Italian Deep Web.

Whether the closure is being driven by law enforcement, by fatigue on the market itself, or by founders who are simply trying to reinvent themselves and start fresh, “the closure of Dream Market will be a big hit to the dark web economy as Dream Market holds more than 65,000 listings of digital goods, including hacked databases, hacking tutorials, hacking tools, malicious software and almost 90,000 listings of different drugs,” said Ariel Ainhoren, head of the cyber threat research team, IntSights.

“A lot of dark web users started talking about drawing their balance from the site and vendors started talking about moving their business to other known markets, such as Wall Street and Berlusconi markets, but it is too early to tell what the effect of this announcement will be.”

As the message was released to all market users it seems that the owner or owners of the forum want to cash out in an orderly fashion. Though there has been some speculation that law enforcement is a driving force in the shutdown, Ainhoren said it seems less probable that law enforcement would issue this type of announcement.

“A couple of weeks ago two very known forums named Kickass and Torum went down after a threat actor named the Thedarkoverlord (9/11 papers) posted that he can be contacted on these forums. His activity drew a lot of fire and attention from law enforcement to these forums, and they suffered repeated attacks by unknown attackers until they were taken down. It could be that the targeting of these forums rang the bell for Dream Market operators to take their gains from six years of operation and close shop,” Ainhoren said.

Source: Information Security Magazine

Georgians Ask House for Study on Cyber-Bullying Law

Georgia residents today gave testimony before a House committee in support of HR 553, which would create a House study committee on cyber-bullying.

Meanwhile, a new cyber-bullying law will go into effect in the state of Michigan on March 27, 2019. In advance of the new law taking effect, Livingston County Sheriff's office deputy Bill Schuster spoke to parents about keeping kids safe online via a video shared on Detroit Free Press.

Ben Halpert, founder of Savvy Cyber Kids, told his state representatives, “Those wishing to cause our children harm now have more effective ways of doing so. The smartphone, any internet-enabled device, has taken the front door off our homes and invited in threats to our children.

“Thanks to iPhones, Android phones, and other technology, the bullied child is not only tormented at school, but also through their device, whether it is a school-issued Chromebook or their personal tablets, smartphones, computers or gaming systems.”

Halpert, who visits schools across the country to talk to students and staff about cybersecurity and online safety, said that before his presentations he issues students an anonymous poll asking what their biggest issue is with social media.

“It is always bullying,” Halpert wrote in his testimony.

“According to the Georgia Department of Education Georgia Student Health Survey, THOUSANDS of students are cyberbullied DAILY in our state through social media. But this is not just a student issue. Adults are targets of bullying and cyberbullying as well. We need to do more for the citizens of Georgia by studying the potential for legislation that addresses cyberbullying.”

Titania Jordan, chief parenting officer of Bark, also testified before the House committee. “Our technology has analyzed more than a billion messages, and our findings are harrowing. In 2018 alone, based on Bark data, over 60% of tweens and 70% of teens experienced cyberbullying, whether as a bully, a victim, or a witness,” Jordan's testimony read.

“And frankly, the term itself – cyberbullying – feels a little cutesy. What it really is? Online harassment, verbal abuse, threats, and even extortion.”

In support of her assertion that the House committee needs to take action, Jordan added, “The onus is on us as parents, communities, and governments, to address the proliferation of cyberbullying and its subsequent effects on our children. We ask that the House see the imperative need to start a subcommittee to confront cyberbullying.”

Source: Information Security Magazine

Telecom Fraud Scams on the Rise

From the EU to Texas, law enforcement and security professionals are warning that the telecom threat landscape is evolving as fraudsters leverage telecom infrastructure to conduct network-based fraud attacks, according to multiple sources.

Infosecurity reported that, according to the Cyber-Telecom Crime Report 2019 published by Europol and Trend Micro, telecoms fraud costs the industry and end customers over €29bn ($33bn) each year. The report found that the evolution in telecommunications from switchboard operators to circuit-switched and packet-switched networks has broadened the telecom threat landscape. As a result, criminals are supplanting traditional financial crimes with telecom fraud.

While the report found that telecom fraud is increasingly originating from developing nations or failed economies, multiple media outlets across the US have warned of scam calls that are making their way around the country.

In both Ector County, Texas, and Middlesex County, Massachusetts, the sheriffs’ offices warned residents about a call scam that claims to be originating from the sheriff’s office. An audio clip tells the recipient that they failed to report to jury duty and must resolve this matter with urgency.

“Nationwide, these scammers are attempting to use the criminal justice system and the threat of arrest as a tool to frighten people into paying large sums of money,” Middlesex Sheriff Peter J. Koutoujian told 7 News. “We want residents to be aware of these scams and these tactics in order to better protect themselves.”

Likewise, the state of Washington has also seen a rise in these phone scams, and reporter David Rasbach of the Bellingham Herald warned: “Scammers often try to disguise their identities by spoofing the information that appears in your call identification display and trick you into answering. They use local area codes, numbers that may look familiar or even impersonate a legitimate business, utility or government agency.”

Source: Information Security Magazine

Most Security Pros Are Impacted by Geopolitics

Two-thirds of cybersecurity professionals have been forced to change where and with whom they do business because of escalating concerns around nation state attacks, according to Tripwire.

The security vendor polled 218 security professionals at the RSA Conference in San Francisco recently and found that geopolitical trends are exerting a surprisingly big influence on their roles.

It reflects an age in which technology providers like Huawei are being branded a security risk because of their links to hostile states, while state-sponsored attackers target both government and private sector organizations to steal sensitive information and cause disruption.

"It’s becoming clear that simply stating ‘we’re not a target’ isn’t a sufficient defense against these attacks. The interconnectedness of the modern economy means that our mental model of what constitutes critical infrastructure has become outdated," Tripwire VP of strategy, Tim Erlin, told Infosecurity.

"Most companies do better with predictability and stability, and this is true of physical as well as logical infrastructure. If you can’t count on the network within a specific country, your business will be adversely impacted. Additionally, if those business relationships are likely to make you a target for cyber-attacks, your business will be adversely impacted."

The impact of geopolitics on cybersecurity professionals is only set to increase: 87% claimed that nation-state attacks would increase ahead of geopolitical events in 2019, while over three-quarters (79%) said they are more concerned about state-sponsored cyber activity this year.

Nearly half (48%) of those polled said they believe cybersecurity implications are not taken into serious consideration when geopolitical decisions are made. A further 66% said governments are neglecting cyber versus other elements of national security.

It’s long been the UK government’s aim to make the nation the safest place in the world in which to do business online. That suggests at least that its leaders understand the importance of security at a national level.

However, its National Cyber Security Programme has been hamstrung by poor planning and management, according to the National Audit Office (NAO).

A report produced by the agency earlier this month claimed that the lack of an initial business case meant there was no way to assess whether the £1.9bn of funding was sufficient to meet its 12 strategic objectives.

What’s more, it failed to develop a “robust performance framework” soon enough, meaning that there’s still not enough evidence to prioritize funding on the objectives likely to deliver “the biggest impact, address the greatest needs and deliver best value for money.”

Source: Information Security Magazine

#Infosec19: Skills Shortages Are Exposing Firms to Cyber Risk

Over half (52%) of IT and security professionals believe that cybersecurity skills shortages are putting their business at an increased risk of attack, according to a new poll from Infosecurity Europe.

Now in its 24th year, Europe's leading cybersecurity show asked over 9700 of its Twitter followers a series of questions on skills challenges, as well as its community of CISOs.

The biggest barrier to recruiting was seen as a lack of available talent, according to nearly a third (30%) of respondents. This was followed by lack of recruitment budget (27%) and lack of interest in careers within the sector (26%).

As a result, nearly half (46%) said they have found it difficult to encourage new talent into the sector.

This chimes with current estimates from (ISC)2 that claim the industry is experiencing a shortfall of 2.9 million professionals, including 142,000 in EMEA. A separate report claims the number could rise to 3.5 million by 2021.

“There are shortages of technical skills, particularly in SOC analysis, threat intelligence, research, incident response and forensic investigation,” said Paul McKay, senior analyst at Forrester Research, and a speaker at Infosecurity Europe 2019.

“This is a result of difficulty in filling entry level roles, and keeping people interested once they’re there. At the top end, boards want CISOs to improve how they articulate business risk and manage the dynamics of how security can enhance the business strategy and vision. This requires commercial acumen and the so-called ‘soft skills’ — actually the hardest to master.”

Lisa Hamilton, Deloitte’s cybersecurity associate director, claimed that encouraging greater diversity would help to tackle these challenges.

“To do this, we need to be open-minded when sourcing talent, focusing less on prerequisites and more on behaviors, characteristics and enthusiasm,” she argued.

Infosecurity Europe will take place at London Olympia from June 4-6. Also at the show, security expert and HaveIBeenPwned? founder Troy Hunt will be this year’s Hall of Fame inductee.

Source: Information Security Magazine

Privacy a Top Concern in 'Biometric Exit'

Despite bipartisan concerns over privacy, most airlines reportedly support the use of facial recognition, and the US Customs and Border Patrol (CBP) has implemented facial recognition in 17 international airports, including Atlanta, New York City, Boston, San Jose, Chicago, and two airports in Houston, according to American Military News.

Largely controversial because of privacy concerns, the facial recognition program will reportedly be in place across the country's top 20 airports by 2020, according to documents obtained earlier this month by BuzzFeedNews.

Intended to supplant the long-existing, time-consuming process of paper checking, the use of a cloud-based facial biometric matching service is touted as more secure and efficient. "CBP is solving a security challenge by adding a convenience for travelers. By partnering with airports and airlines to provide a secure stand-alone system that works quickly and reliably, which they will integrate into their boarding process, CBP does not have to rebuild everything from the ground up as we drive innovation across the travel experience,” a CBP spokesperson told American Military News.

At the forefront of the opposition is the Electronic Privacy Information Center (EPIC), which said that under the Biometric Exit program "CBP would create exit records for passengers and retain them in CBP's Advance Passenger Information System ("APIS"). CBP officers would take a photo of the passenger and match it to a photo in the flight-specific galleries in the Automated Targeting System ("ATS") consisting of compilations of photos from the Automated Biometric Identification System ("IDENT"), the Department of State's Consolidated Consular Database, and U.S. Citizen and Immigration Service's Computer Linked Adjudication Information Management System ("CLAIM 3").

"Photos of U.S. citizens could be retained until their identities were confirmed, and the photos of non-U.S. citizens could be retained for up to fifteen years in the DVS system in ATS."

While supporters point to enhanced passenger convenience through the use of biometrics, it is not only EPIC that has raised some privacy concerns. "Convenience versus privacy will be one of the biggest issues that the US will grapple with over the next few years," said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

"For airports, sporting events and brick-and-mortar stores, facial recognition would be convenient and easy to move people through at a faster pace. Facial recognition combined with passive biometrics can provide a quick and easy way of identifying people. However, transparency of the process, how data is stored and removed and what it is being used for are all procedures that will have to be hammered out to protect people’s privacy.”

Source: Information Security Magazine

Orgs Grapple with Pros and Cons of Remote Workers

Despite the growing number of employees that work remotely, security professionals fear that remote workers pose risks to the enterprise, according to a new study published by OpenVPN.

An overwhelming majority (90%) of survey respondents said that remote workers are a security risk to the organization, according to the report Remote Work Is the Future – But Is Your Organization Ready for It? The report’s findings are based on a survey of 250 IT leaders, from the manager level through the C-suite.

Still, 92% of respondents agreed that the benefits of remote work outweigh the security risks. “For employees, it provides greater efficiency and lower stress levels: 82% of telecommuters reported less stress and 30% said it allowed them to accomplish more work in less time,” the report said. In addition, companies reportedly save an average of $11,000 per year per remote employee.

Despite the fact that 93% of organizations have a remote work security policy in place and 90% of organizations offer security training for remote workers, more than a third (36%) of companies have experienced a security incident due to a remote worker. That more than one in three organizations have suffered a security incident because of a remote worker is somewhat alarming when considering that nearly 70% of employees globally now work remotely at least once a week, the report said.

Of those who have suffered a security incident, 68% experienced it within the last year, yet the survey shows that nearly a quarter of organizations (24%) haven’t updated their remote work security policy in the same time frame.

While less than half (49%) of IT leaders said they only somewhat agreed that remote employees adhere to the organization’s remote work policies, the results vary depending on the role of the respondent. “Executives are particularly concerned about the risk remote workers pose, as nearly three-quarters (73 percent) of VP and C-suite IT leaders believe remote workers pose a greater risk than onsite employees, compared to 48 percent of IT managers and 45 percent of IT directors,” the study found.

Source: Information Security Magazine