Archive for September 2019

City of Los Angeles Teams Up with IBM to Fight Cybercrime

The City of Los Angeles and IBM are joining forces with the LA Cyber Lab to help local businesses combat cybercrime.

In a new project announced by IBM Security on September 17, the American multi-national IT company will provide technologies and data that will give the city's commercial movers and shakers an edge in the event of a cyber-attack.

As part of the project, business owners will be able to access two new free tools made available by the LA Cyber Lab, a non-profit providing threat intelligence to local businesses. 

The first tool is a mobile application that any citizen can use to submit and analyze suspicious emails to determine their risk and whether they are phishing attacks. The second tool, and the real centerpiece of this collaborative effort, is the cloud-based Threat Intelligence Sharing Platform (TISP), developed in collaboration with TruSTAR.

Functioning as a kind of digital neighborhood watch, TISP will allow users to circulate their spear-phishing concerns and educate themselves on the latest business email compromise (BEC) or ransomware campaigns. 

A neat feature of the platform is that it reviews suspicious emails submitted by users, extracting key information and searching over 25 common and unique data sources, to indicate the level of risk posed. It can also correlate key information in the email to the associated threat group and their latest attack campaign. 

"Public safety in the 21st century isn't just about protecting our physical streets and neighborhoods—we need to protect the digital presence that is part of everyday life for our residents and businesses," said Los Angeles' mayor, Eric Garcetti. 

"The Threat Intelligence Sharing Platform and mobile app will advance the LA Cyber Lab's work that has made our city a national cybersecurity model, all while better defending Angelenos from cyber-threats." 

In a bid to help other cities in the US know what to do in the event of a cyber-attack, IBM is hosting three complimentary training sessions for municipalities in the IBM X-Force Command Cyber Range in Cambridge, Massachusetts.

At each of the sessions, which will take place on October 22, November 19, and December 10, 2019, attendees will experience a simulated attack in order to practice their response. 

The attack may be simulated, but the threat is very real. In this year alone, more than 70 American cities have become the victims of ransomware. 

Kevin Albano, associate partner, IBM Security Services, IBM Security, said: "While a collaboration like this takes time and the right partners, the process itself was refreshing as a result of the city’s eagerness and dedication to improving cybersecurity for the area. The development of the LA Cyber Lab two years ago was the first real push in the right direction, and the development of these solutions is only continuing that goal and leading the charge for other cities to become more prepared."

Source: Information Security Magazine

WeWork's WiFi Security Worryingly Weak

A lack of security on WeWork's WiFi network has left sensitive user data exposed.

In August, Fast Company revealed that WeWork had used the same WiFi password at many of its rentable shared co-working spaces for years, a password that appears in plain text on WeWork's app. 

The security of the real estate company's WiFi came under further criticism yesterday when CNET reported that the network's poor security had left sensitive data of WeWork users exposed.

Evidence of the exposure was provided by Teemu Airamo, who has been routinely running security scans on WeWork's WiFi network since May 2015. Airamo's scans, which were reviewed by CNET, show nearly 700 devices, including servers, computers, and connected appliances, leaking bank account credentials, email addresses, ID scans, and client databases, among other data.

Airamo said that multiple attempts made by him to alert WeWork's upper management to the security problem were met with indifference. 

WeWork has around 527,000 members renting out its 833 spaces in 125 cities around the world. The company filed for an initial public offering (IPO) in 2018. However, earlier this week the IPO was postponed until the end of the year after the company's reported valuation fell from $47 billion to under $20 billion. 

A spokesperson for WeWork said: "WeWork takes the security and privacy of our members seriously, and we are committed to protecting our members from digital and physical threats. In addition to our standard WeWork network, we offer members the option to elect various enhanced security features, such as a private VLAN, a private SSID, or a dedicated end-to-end physical network stack.

"We are in a quiet period and can't comment beyond this statement." 

Commenting on this report, Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, said: "For the most part, as people connect to networks with shared passphrases, they are opening their devices up to be tricked onto a rogue wireless network where the attacker can connect to exposed file sharing services and tamper with connections to load fake websites.

"My recommendation for concerned WeWork customers is to set up a VPN for their own private use."

Source: Information Security Magazine

US Air Force Bids $95m Cybersecurity Contract

The US Air Force is requesting quotes from vendors that can provide support for a cybersecurity project under a contract worth up to $95m.

Vendors of any size are being sought to support an experimental cybersecurity platform development team that is part of the Air Force's LevelUP program. 

The team's engineers are looking for vendors that can give them access to a secure DevOps platform in which they can build and test new products. Testing will be conducted at every security level and classification on private, public, and hybrid clouds. 

Bidding vendors will need to prove that their company can process data securely at the second-highest security level for Defense Department systems, impact level five. 

To provide the development team with the support it requires, vendors will have to access classified information, something they cannot do from their local cafe over a cappuccino. Vendors will only be considered for this valuable contract if they have access to a facility with a secret level of security clearance that they can use when they need to handle classified data.

A Blanket Purchase Agreement (BPA) for up to 15 cloud vendors is being drawn up by the Air Force Life Cycle Management Center, with a performance period of up to five years. To be eligible to receive a BPA, companies must be based in the United States with no foreign ownership or control.

Bidders have until 12:00 PM CST on October 16, 2019, to submit a quote via email. Two Ask Me Anything (AMA) sessions are planned for September 25 and October 3; however, times and locations are yet to be announced.

The LevelUP program, which is based at the Command, Control, Communications, Intelligence, and Networks Directorate Joint Base in San Antonio, Texas, was founded with the strategy to create two main products.

One product, Unified Platform, is a tool that aggregates cybersecurity incident data in a single platform that is visible not just across the Air Force, but to other military branches too. The other is LevelUP Cyber Works, a “cyber factory” in which to develop and field new capabilities at the speed and scale required in today’s cyberspace operations environment.

Source: Information Security Magazine

Republicans U-Turn to Back $250m Election Security Boost

In a surprise u-turn, senate Republicans have decided to back Democrat calls for an extra $250m to enhance the security of the nation’s voting infrastructure.

Speaking on the floor yesterday, senate majority leader Mitch McConnell said: “I’m proud the Financial Services & General Government bill will include a bipartisan amendment providing another $250 million for the administration and security of their elections, to help states improve their defenses and shore up their voting systems.”

Republicans have twice blocked attempts to bring legislation to the floor designed to improve election security, in 2018 and then again in July this year. Both times they claimed that states had still not spent the $380m they were given in 2018.

“This morning, after months and months and months of Republican resistance, and months of insistent Democratic pressure, senate Republicans have finally agreed to support our Democratic request for additional election security funding in advance of the 2020 elections,” responded senate minority leader, Chuck Schumer.

“A year ago, our Republican friends unfortunately and short-sightedly rejected this amendment. Well, maybe, just maybe, they are starting to come around to our view that election security is necessary; that if Americans don’t believe their elections are on the up-and-up, woe is us as a country and as a democracy.”

However, even this sum may not be enough to provide the safeguards needed to improve resilience against possible Russian intrusions.

Marian Schneider, president of election transparency non-profit VerifiedVoting, argued that more is needed to help states shore up their security ahead of the 2020 Presidential election.

“This amount falls short of the $600m that passed in the House, which is much closer to meeting the need for proper investment in election security. Congress has the obligation to protect the country from threats to national security and has the opportunity to act on this nonpartisan issue — after all, everyone votes on the same equipment,” she added.

“By making federal funds available, states will be able to replace aging, insecure voting equipment and implement modern security best practices, which include using voter-marked paper ballots and robust post-election audits. Despite the progress shown today, congress still needs to vote on bipartisan, comprehensive election security legislation to protect and ensure trustworthy elections backed by adequate funds for state and local governments to implement such measures.”

A senate report from July warned that Russian hackers had likely compromised voting infrastructure in all 50 states ahead of the 2016 election.

Source: Information Security Magazine

Senior Execs Shun Cyber Risk as Concerns Grow

Nearly 80% of global organizations now rank cyber-risk as a top-five business concern, but just 11% are highly confident they can assess, prevent and respond effectively to attacks, according to new research from Marsh and Microsoft.

The insurer has teamed up with the computing giant once again to poll 1500 global organizations for its 2019 Global Cyber Risk Perception Survey.

It found those ranking cyber-risk as a top-five concern had risen from 62% in 2017 to 80% this year, while those confident in being able to deal with a threat fell from 19% to 11% over the period.

Ownership of and engagement with cyber-risk management seems to be a key challenge for many.

Although 65% of respondents identified a senior executive or the board as main owner of this function, only 17% of executives and board members said they’d spent more than a few days in the past year focusing on the issue. Some 51% spent several hours or less.

Similarly, 88% of organizations identified their IT/IT security teams as primary owners of cyber-risk management, but nearly a third (30%) of IT respondents said they spent just a few days or less over the past year focusing on this.

At the same time, adoption of new technologies continues apace, often without adequate safeguards.

Half of respondents said cyber-risk is almost never a barrier to the adoption of new tech, and although three-quarters (74%) evaluate risks prior to adoption, just 5% said they do so throughout the technology lifecycle. A significant minority (11%) do not perform any evaluation.

The report also revealed that organizations were likely to hold their own cyber-risk management actions to a higher standard than that of their suppliers.

That’s despite the fact that 39% said the risk posed by their partners was high or somewhat high versus just 16% who admitted their own organization poses high risk to their supply chain.

“We are well into the age of cyber-risk awareness, yet too many organizations still struggle with creating a strong cybersecurity culture with appropriate levels for governance, prioritization, management focus, and ownership,” said Kevin Richards, global head of cyber-risk consulting at Marsh.

“This places them at a disadvantage both in building cyber-resilience and in confronting the increasingly complex cyber-landscape.”

Source: Information Security Magazine

MITRE Names 2019's Most Dangerous Software Errors

Eight years ago, a list of the world's most dangerous software errors was published by problem-solving nonprofit the MITRE Corporation. Yesterday saw the long-awaited release of an updated version of this rag-tag grouping of cyber-crime's most wanted.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors list (CWE Top 25) is a roundup of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.

What makes these bad boys so lethal is that they are often easy to find and exploit. And once attackers have gotten their grappling hooks into the errors, they are frequently able to completely take over execution of software, steal data, or prevent the software from working.

Each error was given a threat score to communicate its level of prevalence and the danger it presents. Topping the table of treachery with a threat score of 75.56 and leading by a huge margin is "improper restriction of operations within the bounds of a memory buffer."

The second-most lethal error was determined to be "improper neutralization of input during web page generation," also known as cross-site scripting, which had a threat score of 45.69. 

In 2011, a subjective approach based on interviews and surveys of industry experts was used to create the list. In 2019, the list's compilers took a data-driven approach, leveraging National Vulnerability Database (NVD) data from the years 2017 and 2018, which consisted of approximately 25,000 CVEs. 

MITRE's goal is to release an updated list each year based on data from that specific year. Asked why the gap between the first two lists was so long, a MITRE spokesperson answered: "Based on the previous methodology employed for the 2011 CWE Top 25 List, it was clear that there was no basis upon which to credibly change the list. 

"As new methodologies were explored, and upon selection of the current data-driven approach, it became valuable to produce a new list because it would validate whether or not the new data-driven methodology would result in a different list. And, since it did result in a different list, community stakeholders now have a new list to consume that is evidence-based and different from the 2011 list."

The lists are indeed different, but both include some of the same offenders. Explaining why, the spokesperson said: "Significant work remains in the community to educate developers, improve analysis tools, and for consumers of software products to understand that weaknesses exist, and that they have the ultimate leverage with respect to evaluating products and selecting those products that deliberately work weaknesses out. 

"Effective security can exist only if a broad number of stakeholders demand that it does. The 2019 CWE Top 25 List is a tool that different stakeholders can use to understand what the most prevalent weaknesses are and how to orient themselves toward defending against them."

Source: Information Security Magazine

Vacationers Hit by Skimming Attack

People using mobile apps to book hotel rooms for their vacations have been targeted by a skimming attack. 

Research by cybersecurity company Trend Micro discovered that a series of incidents took place earlier this month in which the booking websites of two well-known hotel chains were hit by credit card–skimming malware known as Magecart. 

Both websites affected were developed by Spanish company Roomleader. One of the impacted brands has 73 hotels in 14 countries and is comparable in size and geographical distribution to Exe Hotels. The other undisclosed chain has 107 hotels in 14 countries and is comparable in size and geographical distribution to Eurostars Hotels. Exe and Eurostars both have websites powered by Roomleader.  

Attackers were able to pilfer data by replacing the original credit card form on the booking page of each website with a fake one, then stealing the data entered into the imposter form by the user. In this case, the thieves made off with users' names, email addresses, telephone numbers, credit card details, and hotel room preferences.

The researchers theorized that the reason why the attackers went to the trouble of creating a fake form may have been that the original form didn't ask users to fill in their credit card's card verification number, known as a CSC, CVV, or CV2.

To make the switch appear more legitimate, the digital bandits even prepared credit card forms in the eight different languages supported by the targeted hotel websites. 

Trend Micro's findings follow the discovery of another Magecart-using group by the company back in May of this year. That group, known as Mirrorthief, compromised an e-commerce service provider used by American and Canadian universities.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented: "There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website, but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place."

Source: Information Security Magazine

Study Reveals Most Expensive State for Cyber Insurance

Purchasing cyber insurance to protect your business from the ever-increasing number of threats will cost you more in Delaware than in any other US state. 

A new study by business insurer AdvisorSmith has found that the average cost of annual cyber insurance in the Blue Hen State is 8.34% higher than the national average and a staggering 32.49% higher than its cost in the cheapest state for cyber insurance, Arizona. 

Across America's 50 states and the District of Columbia, the cost of cyber insurance averaged out at $1,501 per year, or around $125 a month, but for Delaware business owners the price rose to $1,626.92 per year. In Arizona, where the cost of cyber insurance was 24.15% cheaper than the national average, policies were on average $1,139 per year.

The study was conducted using quote estimates gathered in August and September 2019, as well as rate filings supplied by over 50 insurance companies throughout America between January 2019 and September 2019. 

Premiums nationwide ranged from as low as $544 to as high as $2,642 for comparable insurance coverage, based upon companies with moderate risks. The premiums were based upon liability limits of $1m, with a $10,000 deductible and $1m in company revenue.

North Carolina was the second most expensive state for cyber insurance, with an average annual cost of $1,611. At the other end of the scale, after Arizona, Michigan and Minnesota offered the cheapest cyber insurance.  

Asked how the average cost of cyber insurance has changed since last year, AdvisorSmith's Adrian Mak said: "Premium increases in the cyber market are tracking at 5% or less, which is relatively stable for an insurance product."

The Marsh-Microsoft 2019 Global Cyber Risk Perception survey published yesterday found that only 17% of executives said they had spent more than a few days on cyber-risk over the past year. However, a little investment of time in their company's cybersecurity could save them money.

Mak said: "We are seeing insurance companies focus more on operational cybersecurity defenses, where they are raising premiums on companies that don’t address cybersecurity vulnerabilities, while charging less to companies that are following the latest cybersecurity best practices."

Describing how he expects the cyber insurance landscape to change going forward, Mak said: "The cyber insurance marketplace is expected to experience continued growth over the next decade. We expect more growth in the small and midsize business sector. Especially in small business policies, we are seeing cyber insurance bundled into package policies."

Source: Information Security Magazine

Facebook Disrupts Misinformation Campaigns in Ukraine and Iraq

Facebook has taken down hundreds of Facebook and Instagram Pages and accounts after two separate coordinated campaigns were discovered attempting to influence user behavior in Iraq and Ukraine.

It’s possible that the fake news operations were an attempt to peddle misinformation ahead of elections in the Middle East nation last year and in the eastern European country a few months ago.

The social network removed 76 Facebook accounts, 120 Pages, one Group, two Events and seven Instagram accounts linked to “coordinated unauthentic behavior” in Iraq. One or more of the Pages managed to garner around 1.6 million followers while 339,000 accounts followed at least one of the groups, it said.

“The people behind this activity used fake accounts to amplify their content and manage Pages — some of which were likely purchased,” explained Facebook head of cybersecurity policy, Nathaniel Gleicher.

“Many of these Pages merged with one another and changed names over time. They also impersonated other people and used their IDs to conceal their identity and attempt to avoid detection and removal.”

The content itself was largely critical of the US occupation and pro-Saddam Hussein, according to an analysis by the Atlantic Council’s Digital Forensic Research Lab (DFRLab).

A much bigger operation was taken down in Ukraine, where Facebook was forced to remove 168 accounts, 149 Pages and 79 Groups. Around 4.2 million accounts followed one or more of these Pages and around 401,000 accounts joined at least one of the Groups, while a whopping $1.6 million was spent on Facebook and Instagram ads, the social network revealed.

Facebook linked the activity to Ukrainian PR firm Pragmatico, despite attempts to conceal its involvement.

“The people behind this activity used fake accounts to manage Groups and a number of Pages — some of which changed their names over time, and also to increase engagement, disseminate content and drive people to off-platform sites posing as news outlets,” explained Gleicher.

According to another DFRLab analysis, there may have been political intent behind this campaign, although it was also an attempt to build a national audience for media conglomerate Znaj Media Holdings, which is linked to Pragmatico.

“The pages primarily posted local Ukrainian news content, much of which was lifted from other Ukrainian news outlets with only partial attribution,” it concluded. “This network may have been partially politically motivated — some of the pages launched personal attacks against particular Ukrainian politicians — and partially commercial in nature.”

Source: Information Security Magazine

FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime

The Financial Services Information Sharing and Analysis Center (FS-ISAC) and Europol’s European Cybercrime Centre (EC3) have announced a partnership to combat cybercrime within the European financial services sector.

The FS-ISAC is an industry consortium dedicated to reducing cyber-risk in the global financial system, and the EC3 protects European citizens, business and governments from online crime.

The Memorandum of Understanding (MOU) between the two will aim to facilitate and enhance the law enforcement response to financially motivated cyber-criminals targeting banks and other financial institutions through a symbiotic intelligence sharing network.

The partnership is a response to the acceleration of sophisticated cyber-attacks in recent years affecting numerous countries and jurisdictions at once. The MOU will help foster a pan-European approach to intelligence sharing, ensuring the cross-border cooperation necessary for the detection, prevention and reduction of cybercrime. In addition to facilitating information sharing, the agreement will also enable education and resilience through training exercises and informational summits.

“Cyber-criminals are increasingly targeting financial services and institutions to the cost of citizens and businesses across the EU,” said Steven Wilson, head of EC3. “It is crucial to bring key stakeholders around the table to improve the coordinated response; this MOU with FS-ISAC builds a platform to allow us to do exactly that.”

Ray Irving, managing director of FS-ISAC, added: “Accelerated global digitalization combined with the growing sophistication of cyber-criminals demands a more concerted approach from both the public and private sector. Through a collaborative peer-to-peer network, FS-ISAC and EC3 are enabling intelligence sharing to better safeguard the global financial system.”

Source: Information Security Magazine