
Archive for May 2019

Chinese Dating Apps Leak US User Data

An unsecured Elastic database associated with dating apps has been discovered by a security researcher, exposing data from which users can easily be identified. Jeremiah Fowler, who has worked in the security software industry for over 10 years, found the database, which held information about US dating app customers, including their sexual preferences, lifestyle choices and whether they were unfaithful to their partners. Fowler wrote on Security Discovery: "it is easy for anyone to identify a large number of users with relative accuracy based on their 'User ID.'"

According to Fowler, the database's IP address resolved to a US server, and the majority of users appeared to be Americans. Although the data came from "multiple dating applications," on further investigation he found these to have been developed by separate companies or individuals.

He was able to identify the users' real identities online because the dating applications logged and stored each user's IP address, age, location and user name. "Like most people, your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint," wrote Fowler.

He attempted to contact the email addresses associated with the applications and to identify the developers' address and phone number from the Whois domain registration records. "The address that was listed there was Line 1, Lanzhou and when trying to validate the address I discovered that Line 1 is a Metro station and is a subway line in Lanzhou," he explained on his blog. "The phone number is basically all 9’s and when I called there was a message that the phone was powered off.

"I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions. Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else."

Terry Ray, senior vice president and Imperva Fellow, told Infosecurity that he agrees with Fowler's sentiments: "There are several strange things about this leaky database, especially the fact that the applications appear to target English speakers yet have, at least in one app, a business location in China, as having all owner or admin contact falsified or unavailable. It makes you wonder who is storing this data from these particular dating apps and what the underlying purpose is.

"Furthermore, why are multiple dating apps storing their data in the same place, yet little or no connection between the apps, their product names or their business contacts?"

At the time of writing his blog, Fowler said that the database was still "publicly accessible" and that, despite the large number of users, it held no personally identifiable information. He had not received responses to his emails. "What concerns me most is that the virtually anonymous app developers could have full access to user’s phones, data, and other potentially sensitive information," he wrote. "It is up to users to educate themselves about sharing their data and understand who they are giving that data to. This is another wake-up call for anyone who shares their private information in exchange for some kind of service."

According to Verizon, 22% of data breaches in 2017 involved the use of stolen credentials, with 36% of compromised data being personal information such as name, birthday and gender.

"Although the article notes that this database wasn’t storing personally identifiable information, the writer was, in fact, able to ‘identify’ some of the ‘persons’ with the credentials found, this highlights the importance that if you are storing user data, you are responsible for ensuring that data is protected," Ray told Infosecurity. "Further, if you’re an app user and want to remain anonymous, make sure you use different usernames and passwords as much as possible."

Source: Information Security Magazine

Checkers and Rally's Victims of Data Breach

On Wednesday, Checkers Drive-In Restaurants alerted customers that it had been dealing with a data security issue involving "malware at certain locations."

On its website, the restaurant group announced that after discovering the issue, it "engaged leading data security experts to conduct an extensive investigation." Federal law enforcement authorities have also been informed in order to address the matter, with all parties working to contain and remove the malware.

"After becoming aware of a potential issue, we retained data security experts to understand its nature and scope," Checkers wrote on its website. "Based on the investigation, we determined that malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations, which appears to have enabled an unauthorized party to obtain the payment card data of some guests." According to the website, not all locations were affected by this issue.

The malware was reportedly designed to "collect information stored on the magnetic stripe of payment cards." This included cardholder name, payment card number, card verification code and expiration date. Checkers has launched an investigation and is working with payment card companies to protect cardholders. 

The restaurant group has recommended that card users "remain vigilant" and review account statements. "If you believe there is an unauthorized charge on your card, please contact your financial institution or card issuer immediately," the website states. 

Other recommendations include ordering a credit report: "When you receive your credit report, review it carefully," the website continues. "Look for accounts you did not open, for names of creditors from whom you haven’t requested credit." 

The law firm of Federman & Sherwood has initiated an investigation into the data breach.

Source: Information Security Magazine

TA505 Suspected in Chilean Financial Institutions Malware Attacks

Investigators from CyberInt Research have identified further activities by the suspected Russian-speaking cyber-gang TA505, targeting financial institutions in Chile. The cyber-gang is continuing its "unauthorized and nefarious use of the same TTPs of legit software, this time leveraging MSI Installer to deploy the AMADAY malware family," according to the company.

The AMADAY implant allows cyber-criminals to steal email correspondence and sensitive information from the clients of financial institutions and retailers. It also enables them to steal contact lists, which they use to target additional organizations with seemingly legitimate malicious emails that appear to come from trusted sources.

TA505 has been active since 2014, running high-volume malicious email campaigns that distributed the Dridex and Shifu banking Trojans, the Neutrino botnet/exploit kit and Locky ransomware. The group resurfaced as the source of attacks against the global financial and retail industries from December 2018 to the present, with targets worldwide, including India, Italy, Malawi, Pakistan, South Korea and the United States.

“TA505 is highly motivated, very clever, and persistent,” says Adi Peretz, head of research at CyberInt. “It’s critical to monitor their activities to anticipate further attacks. Once the pattern of attacks in Chile was identified, other financial institutions can beef up their security, so they don’t end up being breached."

“Social engineering works because it recruits the weakest link in any cybersecurity operation – we humans,” continues Peretz. “The more prepared companies are, the better they can train their people to maintain security.”

In April 2019, Infosecurity Magazine reported that TA505 was using a TektonIT remote administration tool to target financial and retail institutions. CyberInt found that the tool was "virtually undetectable" by threat protection systems due to it being "legitimate software." 

"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," according to a CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."

Source: Information Security Magazine

Cybersecurity Jobs Added to Government's Shortage Occupation List

Cybersecurity engineers and analysts have been identified as being on the Shortage Occupation List (SOL), in the first full review of officially recognized careers where the shortages “are most severe and where the consequences of those shortages are most serious” since February 2013.

According to the UK Government’s Migration Advisory Committee (MAC), “job shortages in roles such as cybersecurity analysts/engineers and IT network engineers” are now recognized, while the “occupation as a whole ranked highly in our shortage indicators and had an above average vacancy rate.”

In the previous partial update, published in 2015, the job “cybersecurity specialist” was added under the section “information technology and communications professionals not elsewhere classified.” Then, the shortage related to “a person with a minimum of five years’ relevant experience and demonstrable experience of having led a team.”

Since the 2015 partial update, while the need for more skilled cybersecurity professionals remains in this list, it now states “there will be no minimum experience requirement as applying an experience caveat could hinder the development of cybersecurity at all levels.”

This change in requirement follows criticism of hiring practices in which five to 10 years' experience is commonly demanded, a requirement cited as a deterrent to new applicants.

In an email to Infosecurity, Ed Williams, director EMEA of SpiderLabs at Trustwave, said: “The security industry is to blame to some degree, there is very much a gatekeeper philosophy, which is starting to be broken down, but not nearly quick enough from my perspective. This industry is so fast paced and exciting, we should be pulling in the brightest and best – these don’t have to come from Computer Science backgrounds.”

The MAC described the impact of the skills shortage on cybersecurity development, noting reported delays to “software improvements and features as they do not have the labor or expertise to fulfil demand” and that this has led to “an increasing reliance on workers from outside the UK and there is a growing concern surrounding the future skills base for roles within new technical areas.”

The MAC cited “several sources amongst Government and the private sector” who agreed that there is a shortage of digital skills within the UK, evidenced by consistent vacancies in digital occupations, growth in demand for digital skills and documented deficiencies in digital skills across the population. The MAC also acknowledged that “there is not enough domestic supply of sufficiently skilled labor to fill this demand.”

According to Deloitte’s Digital Disruption Index for 2019, only 18% of respondents believe that UK school leavers and graduates have the right digital skills, while only 25% of digital leaders in the UK believe their workforce has sufficient knowledge and expertise to execute their digital strategy.

In the section 'Digital and IT Occupations,' careers as IT specialist managers, IT project and programme managers, IT business analysts, architects and systems designers, programmers and software development professionals, web design and development professionals and information technology and telecommunications professionals were listed as being in shortage. Cybersecurity careers appeared under section SOC 2139 – information technology and telecommunications professionals. 

The MAC said that “short-term mitigations have helped to fill shortages to some extent, but this has had limited impact as the skills required simply are not available.”

As well as short-term mitigations, the MAC said that long-term strategies also have their limitations, as up-skilling staff “is constrained by the lack of expertise in newer areas such as cybersecurity and secondly, these strategies are yet to mature, and so the scale of their impacts cannot truly be assessed until the future.”

As part of the UK’s Digital Strategy, the government stated that “there will be even greater demand for people with specialist digital skills” as the digital economy grows.

“As we leave the European Union, it will be even more important to ensure that we continue to develop our home-grown talent, up-skill our workforce and develop the specialist digital skills needed to maintain our world leading digital sector,” then Secretary of State for Culture, Media and Sport Karen Bradley MP stated.

She acknowledged then that “a strong pipeline of specialist skills – from coding to cyber” was needed, and initiatives like the NCSC’s CyberFirst have helped to build it. However, a more immediate solution is needed until the next generation begins work.

To be placed on the SOL, a job must meet three requirements:

  • Skilled (are the jobs skilled to the required level?)
  • Shortage (is the job in shortage?)
  • Sensible (is it sensible to try to fill those shortages through migration?)

According to the Migration Advisory Committee, being on the SOL conveys certain advantages:

  • Not having to conduct a Resident Labour Market Test (RLMT)
  • Exemption from the £35,000 minimum income threshold for settlement
  • Priority in the event that the cap binds

In its most recent Cybersecurity Workforce Study, (ISC)² claimed that there is a 2.9 million workforce “gap,” with the APAC region suffering the biggest shortfall of 2.14 million, followed by North America (498,000), EMEA (142,000) and Latin America (136,000).

Source: Information Security Magazine

Drone Use on the Rise, Public Safety at Risk

Cybersecurity research firm IOActive has issued a stark warning about the potential, unseen risks surrounding the commercialization of drones – calling for manufacturers to take action.

In July 2018, analysts at Technavio predicted that the commercial drone market would grow by 36% (generating $11.61bn) between 2018 and 2022, but with that growth, IOActive has raised concerns about a range of new risks that could follow.

IOActive claimed that if the commercial market for drones is left unchecked, then we could start to see drones being weaponized, presenting potential hazards and threatening the safety of the public.

As drones become more commercially accessible and their functionality improves, they will also become more affordable. What so often fails to keep pace when new technology like this grows in popularity are the built-in security features that protect it from malicious interference.

IOActive pointed to some key drone security risks that could arise as a result, including how malicious actors could program drones to fly to specific GPS coordinates to launch cyber-attacks on Wi-Fi networks (or other types of wireless networks), or even perform man-in-the-middle attacks and disseminate malware.

What’s more, there is also the real risk of disruption – seen recently in the chaos caused by drone sightings at Gatwick airport – and injury, with the potential for hacked drones to be used to ‘dive-bomb’ pedestrians or impact traffic intersections, IOActive explained. Then there are the privacy issues, IOActive added, highlighting that drones have the capability to take photos and record audio and video in otherwise impossible to reach areas.

“With enough determination anything can be hacked, but the commercialization of the drone market is making it all too easy – and many of the consequences for security, safety and privacy have simply not been thought through,” said Cesar Cerrudo, CTO at IOActive.

“The range of drones is of particular concern as it opens up new areas of vulnerability that many will not have considered.”

Cerrudo urged manufacturers to shoulder their share of the responsibility for the products they are bringing to market to ensure they are as secure as possible.

“The relative speed at which these devices are taking to the sky raises several issues. While the use of drones within the military has been common for many years, those drones have been rigorously tested and built with security in mind – commercial manufacturers do not have the same concerns, they are more focused on getting their product to market than ensuring cybersecurity. This attitude needs to change.”

Source: Information Security Magazine

Insight Venture Partners to Acquire Recorded Future

Insight Venture Partners has agreed to acquire a controlling interest in Recorded Future, a threat intelligence company, in addition to the minority stake it already owns. The all-cash transaction puts the value of Recorded Future at more than $780 million. 

According to its press release, Recorded Future is the largest privately held threat intelligence software company in the world, with more than 400 clients. Its solution is powered by its patented machine learning, alerting companies to unknown threats before they affect the business, helping teams respond to alerts 10 times faster. The solution pulls information from technical, open web and dark web sources and aggregates it with customer data. 

Insight Venture Partners is a leading global capital and private equity firm investing in high-growth technology and software companies. Founded in 1995, it has over $20 billion of assets under management and has cumulatively invested in over 300 companies worldwide.

According to Recorded Future's co-founder and CEO, Christopher Ahlberg, the investment will help the company "tap into the full potential of its technical roadmap" and solve some of "the most difficult and unique intelligence challenges" today.

“My leadership team and I have had the privilege to work with Mike Triplett and the Insight team for a number of years, benefiting from their sage advice, industry knowledge and relationships," he commented. "This transaction is the logical next step for Recorded Future given the opportunities in front of us, as we fully realize the potential and vision of our strategy.”

Triplett, managing director at Insight, said: “Insight’s renewed investment is a testament to the vision and direction laid out by Recorded Future’s leadership team. They envision a world where everyone applies intelligence at speed and scale to reduce risk, remaining hyper-focused on providing clients with the threat intelligence necessary to understand their environments, manage risk, and combat malicious actors through contemporary awareness gained from the implementation of a threat intelligence-led security strategy." 

Pursuant to the terms of this investment, Triplett and Thomas Krane, VP at Insight, will join Recorded Future’s board of directors.

Recorded Future customers have included Bank of America, Nasdaq, Abbott and T-Mobile. 

Source: Information Security Magazine

Companies and Experts Call on GCHQ to Abandon "Ghost User" Proposal

Technology companies, trade associations, civil society organizations and 17 individual experts in digital security and policy have signed an open letter to the UK's Government Communications Headquarters (GCHQ), outlining concerns regarding a proposal by the intelligence center on allowing access to encrypted devices. The letter was shared with GCHQ on May 22, 2019, and made public on May 29, 2019.

GCHQ set forth its proposal for “silently adding a law enforcement participant to a group chat or call” in a Lawfare article in November 2018. This would "add a ghost user into encrypted chats" and would "require providers to suppress normal notifications to users." According to the letter, this would leave users "unaware that a law enforcement participant had been added and could see the plain text of the encrypted conversation."

Written by Sharon Bradford Franklin and Andi Wilson Thompson, the letter to GCHQ explains how the ghost proposal would work, the ways in which technology companies would need to change their systems and the dangers that it would present. Specifically, the consortium outlined that if implemented, such access would “undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused.” 

Jake Moore, security specialist at ESET, told Infosecurity that the proposal by GCHQ "makes a mockery of the fundamental basics of encryption."

"Not only is it going against what privacy is all about, but if you create a back door for the good guys, the bad guys won’t be far behind. Encryption is there for multiple reasons and shouldn’t be messed with. GCHQ has always had an issue with breaking serious encryption but to now demand access to private chats has far-reaching implications. 

"Cyber-criminals are not just using WhatsApp and, if a law one day passes to read this application, it will just push them to use another app – if they aren’t already. There are many apps which already promise ultimate privacy and are heavily used and relied upon.”

The open letter from the group asks GCHQ "to abandon the ghost proposal and any other approach that would pose similar risks to digital security and human rights." They also request an open dialogue with the intelligence organizations to address law enforcement access to encrypted chats and messages. 

This news comes after Germany proposed giving access to security authorities to apps such as WhatsApp and Telegram. 

Source: Information Security Magazine

93% of Companies Are Overconfident of Their Ability to Stop Data Breaches

Organizations are not adequately equipping themselves against privileged access abuse, according to a report by Centrify and Techvangelism. Nearly 80% of organizations were found not to have a mature privileged access management (PAM) approach to combating such attacks, yet 93% of the organizations surveyed believed they were somewhat prepared for threats that involve privileged credentials.

“This survey indicates that there is still a long way to go for most organizations to protect their critical infrastructure and data with mature privileged access management approaches based on zero trust,” says Tim Steinkopf, CEO of Centrify. “We know that 74% of data breaches involve privileged access abuse, so the overconfidence these organizations exhibit in their ability to stop them from happening is concerning."

The report found that companies do not take "the simplest" of measures, with 52% stating they do not use a password vault. In fact, out of the 1,300 organizations across 11 industry verticals in the U.S. and Canada, 43% were identified as having a "nonexistent" PAM approach. 

The survey also revealed that over half of the companies surveyed have questionable privileged access controls: 52% use shared accounts for controlling privileged access, 58% do not use multifactor authentication (MFA) for privileged administrative access to servers, and 51% do not control access to transformational technologies with privileged access, including modern attack surfaces such as cloud workloads, big data projects and containers.

Looking at industry-specific trends, 39% of technology organizations have a nonexistent approach to PAM, as do healthcare (45%) and government (42%), which are both highly regulated and handle sensitive data. The financial sector scored highest in the "mature" category, followed by energy and utilities (26%). 

Cathy Hall, PAM practice lead at Sila Solutions Group, wrote about the best practice for PAM for Infosecurity Magazine in April 2019: "The best way to handle … PAM … isn’t to simply check a box to satisfy a mandate, it’s to view it as a mission. A mission-based approach ensures that you improve security across your whole enterprise over time, rather than only satisfying a limited, one-time mandate." 

Source: Information Security Magazine

Report: 50% Increase in Exposed Data in One Year

New research released by digital risk protection specialists Digital Shadows has revealed a 50% increase in exposed data in the last year.

In its report Too Much Information: The Sequel from its Photon Research Team, Digital Shadows discovered that misconfiguration of commonly used file storage technologies was largely to blame for the exposure of 2.3 billion online files in one year. That is a jump of more than 750 million files since the same study was carried out by Digital Shadows in 2018.

Almost half of the files were exposed via the server message block protocol, whilst other technologies such as FTP services (20%), rsync (16%), Amazon S3 ‘buckets’ (8%) and network storage devices (3%) were also cited by Digital Shadows as sources of exposure.

Speaking to Infosecurity, Harrison Van Riper, Photon Research analyst at Digital Shadows, said: “It is surprising to see such a large increase in such a short amount of time, indicating that the issue of inadvertent data exposure is not one to be taken lightly.”

However, it is not just the sheer amount of data exposed in the last 12 months, or even the means by which it was exposed, that causes concern: the sensitivity of the exposed data is also a significant issue. Digital Shadows warned that with exposed data including passport details, bank records, medical and business information, organizations and individual consumers are at greater risk of GDPR penalties, targeted business compromise, identity theft and ransomware attacks.

“Every day, there are new files being exposed that are potentially sensitive personal or private information for businesses and consumers alike,” Van Riper added. “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”

Source: Information Security Magazine

Fines Increase & Enforcements Fall in First Year of GDPR

Data protection monetary penalties have increased by £2m in the past year, while the number of enforcements issued fell by more than 20 from the number issued in 2017.

According to PwC’s 2018 Privacy & Security Enforcement Tracker, monetary penalties issued to UK organizations for breaching data protection laws totaled more than £6.5m in calendar year 2018, over £2m more than the previous year.

The data also showed that while the total sum of fines has increased, the number of enforcements issued fell to 67 in 2018, from 91 in 2017.

A year on from the GDPR compliance deadline, the data also showed that private sector companies accounted for 86% of the enforcements, but scrutiny remains on the public sector given the sensitive nature of the data it handles. Also, a quarter (25%) of enforcement actions relate to personal data security breaches.

Stewart Room, lead partner for GDPR and data protection at PwC, said that the trend of enforcement remained constant in comparison with previous years, with marketing and security infringements dominating the regulatory agenda.

“The absence of any GDPR fines in 2018 was not surprising, as it takes many months for cases to work through the system, but we know that they are on their way,” he said. “As well as looking at how to improve their levels of legal compliance, I would encourage organizations to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose, to help and sustain the creation of long term value and trust.”

In an email to Infosecurity, Emma Loveday-Hill, senior associate and data protection specialist at Prettys, said that although the monetary penalty notices issued in the last year fell under the old legislation (the Data Protection Act 1998), where the maximum fine was £500,000, there were still numerous high-level fines because a number of serious breaches had occurred.

“In terms of the reduction in enforcement notices, this is likely to be due to the fact that the ICO has been busy dealing with the backlog of complaints and issues brought to their attention since the introduction of the GDPR and DPA 2018,” she said.

“Investigations by their very nature take time to carry out, and given the likely number of the complaints and issues raised with the ICO, this has no doubt had an impact on how quickly enforcement notices are handed down.

“Our message is still very much ‘watch this space’ as the ICO are just getting started in terms of what they are doing under the GDPR and Data Protection Act 2018, and going forward we are likely to see a higher number of enforcement notices and fines coming through over the coming months as the ICO makes its goal for 2019 a clear one: breaches of data protection law will be taken seriously and financial penalties will be issued as a result of noncompliance.”

Data protection officer Steve Wright said that the drop in enforcements is in contrast to the “sheer quantity of notifications” which has gone up ten fold since May last year. “The ICO are possibly struggling to cope with the sheer weight of notifications, as each one requires trained individuals to examine the notification and the evidence provided (so heavily dependent upon manual inspection),” he said.

“When I was the DPO for a major retailer, the number of Subject Access Requests, complaints and new ‘Rights’ requests had gone from 250 per year to 1800 within six months (in 2018). That presented us with a huge challenge and cost; the amount of planning, process improvement, recruitment and training was nothing short of a huge military style exercise, and fortunately we were prepared for the drop date.

“I’m told this number has now stabilized and is expected to hover around 1500 unique requests per year, but that is still a six-fold increase, and therefore a new cost of doing business with consumer data has hit consumer-facing businesses particularly hard.”

Wright also said that the ICO “has been on a massive learning curve,” as the level of understanding about what it deems to be ‘notifiable’, and the ability to sort the real issues (based on impact to the individual) from the noise, have taken time to develop.

“It stands to reason that just like any business, keeping up with demand is difficult to predict and manage. It also raises the prospects of less enforcement actions, but more interesting and prevalent cases that we can (as an industry) learn from.” 

Source: Information Security Magazine