Archive for September 2019

Barclaycard: So Far, So Good for Strong Customer Authentication

Barclaycard has reported no negative impact from introducing Strong Customer Authentication (SCA) last weekend. 

The new user authentication rules mandated by the European Union's revised Payment Services Directive (PSD2) were introduced by the UK's leading acquirer on Saturday, September 14. 

Barclaycard analyzed transaction data from September 14 and 15 to check what effect the new two-step authentication rules were having. The company found that merchants had not experienced an increase in abandoned transactions, nor had they seen a spike in declined payments.  

"Our data offers encouraging news for merchants, whose transaction volumes have been, so far, unaffected by the go-live of SCA," said Paul Adams, director of acquiring at Barclaycard Payment Solutions.

SCA legislation officially came into force across Europe on September 14; however, the European Banking Authority (EBA) has given each member state the option to apply for extensions. 

One country that took them up on the offer was the UK, which secured an 18-month extension to the deadline. The UK's financial regulator, the Financial Conduct Authority (FCA), announced in August that the country's payments and e-commerce providers would have until March 14, 2021 to achieve full compliance. 

Action will not be taken by the FCA before that date against firms that haven't implemented SCA, provided that "there is evidence that they have taken the necessary steps to comply with the plan." However, the FCA is expecting third-party providers to implement SCA for online banking by March 14, 2020.

The new SCA legislation requires that all European Economic Area (EEA) transactions go through a two-factor authentication process, unless they qualify for an exemption. Transactions that are exempt include contactless payments below €50/£30; payments made at unattended terminals, such as parking lot payment machines; and recurring payments of the same value to the same merchant, such as subscription payments.

Customers can also skip two-factor authentication for payments made to trusted merchants by whitelisting that merchant with their issuer. 

To help merchants prepare for the changes required by SCA, Barclaycard, which handles nearly half of the nation’s credit and debit card transactions, has launched Barclaycard Transact, which went live over the weekend.

The fraud protection solution allows businesses to benefit from SCA exemptions while making sure that all high-risk transactions still go through two-factor authentication, in accordance with the regulation.

Adams said: "We have designed Transact to help our customers get the most out of the incoming regulation, by enabling them to provide a smooth payment experience for their shoppers, while at the same time reducing risk and managing fraud."
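The exemption rules listed above, together with the point that a high-risk transaction should still be sent through two-factor authentication, can be written as a single decision function. The following is an added example, not Barclaycard's Transact logic or code from the article; the transaction fields, the 0-100 risk score and its threshold, and the sample transactions are assumptions constructed for the demo.

```python
"""Decide whether a card transaction needs Strong Customer Authentication.

Added example, not Barclaycard's Transact logic or the page's code. It
encodes the exemptions the article lists (contactless below EUR 50/GBP 30,
unattended terminals, recurring fixed-value payments to the same merchant,
merchants whitelisted with the issuer) and withholds every exemption when
the acquirer's risk score is high. Transaction fields and the risk scale
are assumptions for the demo.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List, Set, Tuple

# Contactless limits quoted in the article; other currencies get no exemption here.
CONTACTLESS_LIMIT = {"EUR": Decimal("50"), "GBP": Decimal("30")}
HIGH_RISK = 70  # assumed threshold on a 0-100 fraud score


@dataclass(frozen=True)
class Transaction:
    merchant_id: str
    amount: Decimal
    currency: str
    channel: str  # "contactless", "unattended", "ecommerce" or "chip_and_pin"
    recurring: bool = False
    risk_score: int = 0


def needs_sca(tx: Transaction, history: Iterable[Transaction],
              whitelisted: Set[str]) -> Tuple[bool, str]:
    """Return (True, why) if two-factor auth is required, else (False, exemption)."""
    # High-risk transactions are never exempted, whatever rule they would match.
    if tx.risk_score >= HIGH_RISK:
        return True, "high risk: exemption withheld"
    limit = CONTACTLESS_LIMIT.get(tx.currency)
    if tx.channel == "contactless" and limit is not None and tx.amount < limit:
        return False, "contactless below limit"
    if tx.channel == "unattended":
        return False, "unattended terminal"
    if tx.recurring:
        # Only a repeat of an identical earlier payment is exempt; the first
        # payment in a series, or a changed amount, still needs SCA.
        same = any(h.merchant_id == tx.merchant_id and h.amount == tx.amount
                   and h.currency == tx.currency for h in history)
        if same:
            return False, "recurring payment of the same value to the same merchant"
    if tx.merchant_id in whitelisted:
        return False, "merchant whitelisted with the issuer"
    return True, "no exemption applies"


def demo() -> List[Tuple[bool, str]]:
    """Constructed transactions covering each rule and its edge cases."""
    history = [Transaction("stream-tv", Decimal("9.99"), "GBP", "ecommerce", recurring=True)]
    whitelisted = {"grocer-online"}
    cases = [
        Transaction("coffee", Decimal("4.50"), "GBP", "contactless"),
        Transaction("coffee", Decimal("30.00"), "GBP", "contactless"),  # at the limit, not below it
        Transaction("carpark", Decimal("12.00"), "EUR", "unattended"),
        Transaction("stream-tv", Decimal("9.99"), "GBP", "ecommerce", recurring=True),
        Transaction("stream-tv", Decimal("12.99"), "GBP", "ecommerce", recurring=True),  # price changed
        Transaction("gym", Decimal("35.00"), "GBP", "ecommerce", recurring=True),  # first in a series
        Transaction("grocer-online", Decimal("80.00"), "GBP", "ecommerce"),
        Transaction("grocer-online", Decimal("80.00"), "GBP", "ecommerce", risk_score=85),
    ]
    return [needs_sca(tx, history, whitelisted) for tx in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The ordering matters: the risk check comes first so that no exemption can be reached for a transaction the fraud model has flagged, which is the behaviour the article attributes to Transact.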

Source: Information Security Magazine

New Attack Group Targets Saudi IT Providers

A previously undocumented threat group has been mounting what appear to be supply-chain attacks against IT providers in the Middle East.

Since July 2018, Tortoiseshell Group has targeted at least 11 organizations, using a deadly mix of custom-made and off-the-shelf malware. The majority of the companies to come under virtual fire are based in Saudi Arabia.

Tortoiseshell's nefarious activities were spotted by researchers at Symantec, who have recorded activity stemming from the group as recently as July 2019. 

At two of the organizations unfortunate enough to be attacked by Tortoiseshell, several hundred network computers ended up being infected with malware. Researchers believe that this unusually large number of compromised consoles is indicative of the group's desire to infiltrate particular computers. 

The exact intentions of the attackers are unknown, though Symantec's researchers believe that the threat group's end goal was to compromise the computers belonging to the customers of the IT firms targeted. And you can bet that they weren't going to all this trouble just to change people's screensavers to a goofy picture of an adorable puppy. 

Evidence gathered by the researchers suggests that the attackers were able to gain domain admin–level access to the networks of at least two of the IT providers upon which they preyed.  

Gavin O'Gorman, an investigator with Symantec Security Response, said: "Tortoiseshell deployed its information-gathering tools to the Netlogon folder on a domain controller, on at least two victim networks. This results in the information-gathering tools' being executed automatically when a client computer logs into the domain. 

"This activity indicates the attackers had achieved domain admin–level access on these networks, meaning they had access to all machines on the network."

Highlighting the inherent danger in hackers' gaining access at this level, O'Gorman said: "Shamoon is a good example of one of the worst-case scenarios, where an attacker can wipe every computer on a network by obtaining domain-level access."
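Because anything placed in the NETLOGON share runs on every client that logs on, a defender can treat that share as a high-value audit target. The following is an added example, not Symantec's tooling or code from the article: it assumes the defender keeps an approved baseline of the scripts that belong in the share (filename and SHA-256) and compares a collected listing against it. The listing, the baseline and the file contents below are constructed for the demo.

```python
"""Audit a NETLOGON share listing against an approved baseline.

Added example, not Symantec's tooling or the page's code. It assumes a
baseline of {filename: sha256} for the scripts that belong in the share
and a listing of (name, hash, mtime) collected from the domain controller.
All entries below are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import os

# Extensions a client will run at logon, or that a logon script can launch.
EXECUTABLE_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".scr"}


@dataclass(frozen=True)
class Entry:
    name: str
    sha256: str
    modified: datetime


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str  # "high", "medium" or "low"
    reason: str


def audit_netlogon(entries, baseline, now, recent=timedelta(days=7)):
    """Compare a share listing with the approved baseline; return sorted findings."""
    findings = []
    seen = set()
    for e in entries:
        seen.add(e.name)
        ext = os.path.splitext(e.name)[1].lower()
        if e.name not in baseline:
            if ext in EXECUTABLE_EXT:
                findings.append(Finding(e.name, "high", "executable not in approved baseline"))
            else:
                findings.append(Finding(e.name, "low", "unbaselined non-executable file"))
        elif baseline[e.name] != e.sha256:
            findings.append(Finding(e.name, "high", "approved file content changed"))
        elif now - e.modified <= recent:
            findings.append(Finding(e.name, "medium",
                                    "approved file modified recently; confirm a change record"))
    for name in baseline:
        if name not in seen:
            findings.append(Finding(name, "medium", "approved file missing from share"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.name))


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo():
    """Constructed listing: one tampered script, one unknown binary, one missing file."""
    now = datetime(2019, 9, 20, 9, 0)
    baseline = {
        "logon.bat": sha256_of(b"net use H: \\\\fileserver\\home\r\n"),
        "mapdrives.vbs": sha256_of(b"' approved drive-mapping script\r\n"),
        "printers.cmd": sha256_of(b"rem approved printer-mapping script\r\n"),
    }
    listing = [
        Entry("logon.bat", baseline["logon.bat"], now - timedelta(days=400)),
        # Same name as an approved script, but the content no longer matches.
        Entry("mapdrives.vbs",
              sha256_of(b"' approved drive-mapping script\r\n' line added without a change record\r\n"),
              now - timedelta(days=2)),
        Entry("collector.exe", sha256_of(b"MZ constructed placeholder bytes"), now - timedelta(days=2)),
        Entry("readme.txt", sha256_of(b"Logon scripts live here.\r\n"), now - timedelta(days=30)),
    ]
    return audit_netlogon(listing, baseline, now)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity:6}] {f.name}: {f.reason}")
```

Hashing rather than trusting names is the point: a tool dropped under an approved script's name, or appended to it, would pass a name-only check but still trips the content comparison.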

The unique component used by Tortoiseshell is a piece of malware called Backdoor.Syskit, which is run with the "-install" parameter to install itself. Once it has settled its virtual butt on the couch of a computer, the malware collects and sends the machine’s IP address, operating system name and version, and MAC address to the C&C server. 

Tortoiseshell's last observed activity occurred in July, but there's every chance they'll be back for more.

O'Gorman said: "Groups tend to not go away, but rather they use different tools, and so it becomes difficult to connect their various attacks. For some groups we have been able to identify their activity spanning more than 10 years."

Source: Information Security Magazine

US Cybersecurity Firm to Create 52 Jobs in Ireland

An American cybersecurity consulting firm has opened its first overseas site in the southern Irish city of Kilkenny.

The new office in the Republic of Ireland will become the European Headquarters and Security Operations Centre (SOC) for growing company Security Risk Advisors (SRA). The SOC's current staff of three will grow to seven by mid-October and is expected to swell to 52 over the next five years. 

Having an office in Europe allows SRA to offer around-the-clock system monitoring to its US-based clients. It will also help the company support its growing European clientele and is likely to attract new customers east of the Atlantic. 

SRA's managing director, Tim Wainwright, said: "The proximity to top colleges and industry-leading companies, in addition to the quality of life in the South East region, made the decision to open our first international office in Kilkenny an easy one."

Wainwright has already chosen his favorite local watering hole, and the honor goes to Cleere’s Bar & Theatre in Kilkenny’s Irishtown. 

Support for SRA's international expansion is being provided by Ireland's inward investment promotion agency, the IDA.

"The IDA walked us through incentives and hosted our initial visit. They introduced us to local stakeholders and helped us fill out paperwork. They have continued to work with us in support of setting up our office," said SRA’s Amanda Larsen. 

Irish minister of state at the Department of Housing, Planning, and Local Government, John Paul Phelan TD, said: "The decision to locate their office here is testament to Kilkenny’s highly skilled workforce, as well as its strong network of nearby educational institutions like Waterford IT and Carlow IT, which provide companies like SRA with the talent they need to succeed and grow.

"This announcement is a great boost for the city, and I wish SRA every success in Kilkenny."

SRA was founded as a virtual organization in Pennsylvania's largest city, Philadelphia, back in 2010, by a home-grown team of four Philly locals. Since then, the company has grown 20% on average every year and now employs around 140 people.

The company's growth strategy of mentoring a large number of university hires was so successful that in 2017 SRA opened a physical office on the city's Market Street. 

Two years of success followed, causing SRA to outgrow its original space. In June of this year the company announced the expansion of its office in Philadelphia to accommodate 25 additional employees, together with the opening of a new site in Rochester, New York.

Indicating that SRA plans to implement a similar growth strategy at their new European HQ, Larsen said: "We will be working closely with the Waterford Institute of Technology and Institute of Technology Carlow. The South East region has such a great amount of tech talent."

Source: Information Security Magazine

Government Report Warns of AI Policing Bias

A new government-backed report has warned that the growing use of automation and machine learning algorithms in policing could be amplifying bias, in the absence of consistent guidelines.

Commissioned by the Centre for Data Ethics and Innovation (CDEI), which sits in the Culture Department, the report from noted think tank the Royal United Services Institute (RUSI) will lead to formal recommendations in March 2020.

It’s based on interviews with civil society organizations, academics, legal experts and police themselves, many of whom are already trialing technology such as controversial AI-powered facial recognition.

The report claimed that use of such tools, and those used in predictive crime mapping and individual risk assessments, can actually amplify discrimination if they’re based on flawed data containing bias.

This could include over-policing of certain areas and a greater frequency of stop and search targeting the black community.

It also warned that the emerging technology is currently being used without any clear over-arching guidance or transparency, meaning key processes for scrutiny, regulation and enforcement are missing.

RUSI claimed that police forces need to carefully consider how algorithmic bias may result in them policing certain areas more heavily, and warned against over-reliance on technology which could reduce the role of case-by-case discretion. It also said that discrimination cases could be brought by individuals unfairly “scored” by algorithms.

“Interviews conducted to date evidence a desire for clearer national guidance and leadership in the area of data analytics, and widespread recognition and appreciation of the need for legality, consistency, scientific validity and oversight,” the report concluded.

“It is also apparent that systematic investigation of claimed benefits and drawbacks is required before moving ahead with full-scale deployment of new technology.”

OpenText head of AI and analytics, Zach Jarvinen, argued that the best way of avoiding bias in AI is to implement “ethical code” at the data collection phase.

“This must begin with a large enough sample of data to yield trustworthy insights and minimize subjectivity. Thus, a robust system capable of collecting and processing the richest and most complex sets of information, including both structured data and unstructured, and textual content, is necessary to generate the most accurate insights,” he added.

“Data collection principles should be overseen by teams representing a rich blend of views, backgrounds, and characteristics (race, gender, etc.). In addition, organizations should consider having an HR or ethics specialist working in tandem with data scientists to ensure that AI recommendations align with the organization’s cultural values.”

Source: Information Security Magazine

Third of Brits Concerned About Election Interference

A third of British adults are concerned about hackers interfering in future general elections or referendums, according to new research from SANS Institute.

The global IT training organization polled over 2000 individuals to better understand their concerns about the impact of cyber-related issues on society.

It found that 34% believe cyber-attackers could influence the democratic process in future.

A long-awaited parliamentary committee report issued earlier this year claimed that while it was difficult to say definitively if there was "successful" interference in the 2016 EU referendum, “there is, however, strong evidence that points to hostile state actors influencing democratic processes.”

Russia in particular came under scrutiny for the pro-leave propaganda circulated by its state-backed media outlets RT and Sputnik.

Election interference can also be more insidious: a Senate report out in July argued that Russian hackers likely compromised voting infrastructure in all 50 states ahead of the 2016 Presidential election.

Just a fifth of UK adults responding to the SANS Institute poll said they thought the UK is well prepared to defend itself against future cyber issues, and nearly half (45%) claimed there are not enough security experts in the workforce to protect the country from attack.

However, fewer than one in 10 (6%) said they thought being a cybersecurity professional was an important job in society, highlighting the major PR challenge facing the industry in trying to get more people to consider a career in the sector.

Skills shortages currently stand at nearly three million globally, including 142,000 in EMEA, according to (ISC)².

SANS Institute CTO, James Lyne, argued that it is the role of government, industry and parents and teachers to emphasize the important role cybersecurity professionals play in defending democracy and economic growth.

“The findings of the poll demonstrate a lack of awareness of what cybersecurity practitioners do to protect our national interests, economy and personal finances,” he added. “The UK will only be prepared to cope with the evolving geopolitical cyber-frontier if we can educate and nurture greater numbers of cyber-defenders and instil a sense of urgency in that new generation of cybersecurity professionals.”

The research was conducted to promote the beginning of the latest annual Cyber Discovery program, which aims to educate and inspire 13-18-year-olds in the UK to be the cybersecurity stars of tomorrow.

Source: Information Security Magazine

New Banking Regs Increase Cyber-Attack Risk

A report released today by Trend Micro has found that new European open-banking rules could leave financial services organizations and their customers more susceptible to cyber-attacks.

The European Union’s Revised Payment Services Directive (PSD2) is designed to give users greater control over their financial data and the option to carry out open banking via a new breed of innovative fintech firms. According to Trend Micro's research, that increased control could come at a heavy cost. 

Vulnerabilities that could be exploited as a result of the EU's PSD2 include public APIs that allow approved third parties to access users' banking data and mobile apps that contain transactional data that could make users targets for phishing attacks.

Another concern raised by the report pertained to financial technology (fintech) firms that have no track record on data protection and lack the resources of big banks.

In a quick survey of open-banking fintechs, Trend Micro found them to have an average of 20 employees and no dedicated security professionals. The report suggests that such setups make these fintechs ideal targets for attackers and raise concerns over security gaps in their mobile apps, APIs, data-sharing techniques, and security modules that could be incorrectly implemented.

Bharat Mistry, principal security strategist at Trend Micro, told Infosecurity Magazine: "The worst-case scenario here is that cyber-criminals could very easily develop malicious fake apps, especially for mobile smartphone devices where the App Store provider hasn’t taken sufficient measures to validate the source of the application. Then, using phishing campaigns, hackers could direct users to download and use malicious apps, thereby exposing banking credentials to prying eyes."

Open banking comes with the additional challenge of how and to whom blame should be ascribed when cybercrimes do inevitably occur.   

Mistry said: "Another aspect of this evolving open-banking world is the increasing complexity of proving responsibility when a fraudulent transaction occurs. The fault can potentially lie with the bank, the user, or the third-party provider; how smoothly will communication between these three parties go to resolve any such incident?"

Wherever the blame may lie, Mistry expects customers of financial services providers will expect their providers to shoulder the responsibility of maintaining cybersecurity. 

He said: "Cyber insurance is proving to be popular with organizations who want to offset their cyber liabilities; unfortunately, I cannot see individuals taking out such policies as most people are reluctant to pay for something that they think the service provider or bank should be taking care of."

Source: Information Security Magazine

Vulnerabilities in IoT Devices Have Doubled Since 2013

A follow-up study into the security of IoT devices has revealed more than twice the number of vulnerabilities as were detected six years ago. 

In the 2013 study SOHOpelessly Broken 1.0, researchers at Independent Security Evaluators (ISE) highlighted 52 vulnerabilities across 13 SOHO wireless routers and network-attached storage (NAS) devices made by vendors including Asus and Belkin.

An examination of routers and NAS products by ISE published yesterday has flagged 125 vulnerabilities with CVE (Common Vulnerabilities and Exposures) identifiers. The vulnerabilities captured by the new research, dubbed SOHOpelessly Broken 2.0, could affect millions of IoT devices.

For their latest study, ISE tested 13 contemporary IoT devices created by a range of manufacturers. Modern versions of several devices tested in the original 2013 study were also studied to determine whether manufacturers had upped their security game.

The results were fairly disappointing, with researchers able to obtain remote root-level access to 12 of the 13 devices tested. Among the weaknesses identified were buffer overflow issues, command injection security flaws, and cross-site scripting (XSS) errors.

"We were expecting to find issues in the devices; however, the number and severity of the issues exceeded those expectations. Our first reaction to a lot of our findings was: 'It can't really be this easy, right?'" said ISE researcher Joshua Meyer. 

Conducting the study has changed how Meyer uses IoT devices. He said: "I will be more selective of any IoT devices I purchase for personal use. I am also more aware of the features provided by my devices and disable all of the ones that aren't necessary to its security."

After completing the study, ISE sent vulnerability reports and proof-of-concept (PoC) code to affected vendors. While the majority of companies acknowledged the reports, TOTOLINK and Buffalo have not yet responded.  

"Netgear and Drobo only responded to us after we continuously messaged them about the critical security issues in their products," said Rick Ramgattie, lead researcher at ISE.

Asked if any plans were afoot for a SOHOpelessly Broken 3.0, Ramgattie said the team is looking into starting a new IoT/Embedded Device research project mid-2020.

Ramgattie elaborated: "We aren't sure if it is going to be the same format as SOHO 1.0 and SOHO 2.0. We might mix things up and pick a smaller set of manufacturers and narrow in on new attack surfaces we have been wanting to dive into for a long time. 

"We might also research more enterprise devices, different protocols, and more complex data-processing workflows."

Source: Information Security Magazine

Nevada Students Top First Official National Cyber League College Rankings

America's National Cyber League (NCL) has published official college rankings for the very first time, and the University of Nevada has come out on top. 

Cyber-savvy students at the Reno-based university prevailed against 5,026 students from 419 schools across the nation to achieve victory in the NCL's spring 2019 season. This impressive win contributed heavily to Nevada's securing the pole position on the inaugural NCL leaderboard published last week.

In second place was the University of Hawaii at Manoa, followed by California State University at Chico, which took third. Lingering at the bottom of the board in 100th place was Grossmont College, a community college in California.  

The NCL has been challenging high school and college students to demonstrate their cybersecurity skills by taking part in two cybersecurity competitions staged annually since 2011. Entrants step onto a virtual field of competition to solve a series of puzzles based on real-world scenarios. 

Previous challenges included identifying hackers from forensic data, breaking into simulated bank websites, and staging a recovery from a ransomware attack. The University of Nevada's winning team, the Nevada Cyber Club, completed all the challenges set in this year's spring season with 99.26% accuracy. 

Club member and computer science and engineering major Bryson Lingenfelter, speaking after his team's unequivocal victory, said: "I've learned a tremendous amount in three seasons of competing in NCL, and it's a major inspiration for my plans going forward with Cyber Club. NCL is how many of us got started with the club, and I hope to expand our use of competitions as learning tools in the future to engage even more people with cybersecurity." 

Competing in the NCL does more for students than simply give them a chance to vaunt their talent and learn new skills. Thanks to industry-leading cybersecurity skills-evaluation technology from Cyber Skyline, NCL competitors can obtain scouting reports of their performance, which they can use for hiring purposes.

"Cyber competitions like NCL provide a way for cybersecurity students to demonstrate their skills to employers, especially with many entry-level jobs requiring experience," said Franz Payer, CEO of Cyber Skyline.

"The new Cyber Power Rankings highlight the top schools producing new cybersecurity professionals. We're excited for what competitions can do to help address the cyber talent shortage."

Source: Information Security Magazine

New Test Service Launched to Gauge Tech Skills of Job Candidates

A new testing service has been launched with the aim of gauging and ranking job candidates based on their technical skillsets.

TechRank, created by Pioneer Labs and run by tech consultants, sources, tests and objectively ranks tech talent, helping companies hire the best and most capable person for tech-based roles. TechRank seeks to eliminate the subjectivity of personality and interview charm and to ensure that jobs are offered based on genuine skillsets.

Candidates take the TechRank test online, opting for the specific area relevant to their skills. Candidates are then logged in the TechRank system and alerted if a suitable job is advertised. Employers can sort candidates by their skill level more quickly and more accurately than by reading through large numbers of CVs.

TechRank was co-founded by Gurvinder Singh, co-CEO of Pioneer Labs, who explained how it was born out of frustration.

“We were finding it highly time-consuming and difficult to find great tech talent. It was a constant problem. So, we asked ourselves what needed to change and how this could be facilitated – the answer was clearly testing. It’s great for both the candidate and the employer. We trialled the system in our own business and found that it worked really well. It made a huge difference to Pioneer Labs so we decided to create a version that other businesses could use – and TechRank was born.”

Speaking to Infosecurity, Singh said: “We are looking to disrupt tech recruitment. We believe tech recruitment has been broken for far too long. It’s been very difficult for employers to be sure they are hiring people with the right skills; skills that are suitable for the specific job they are being asked to do. Some people look great on paper, perform brilliantly at interview, but simply don’t have the level of knowledge required for the job on offer.

“In the future, I believe CVs will become obsolete in the tech industry. Skills matter more than words and finding the best skilled people is where companies, which are trying to build or maintain market share via technology, will be competing most vigorously.”

Source: Information Security Magazine

Webcam Security Snafus Expose 15,000 Devices

Researchers have discovered 15,000 private webcams around the globe which could be accessed by anyone with an internet connection, raising serious security and privacy concerns.

Working for Wizcase, white hat Avishai Efrat located the exposed devices from multiple manufacturers including: AXIS net cameras; Cisco Linksys webcam; IP Camera Logo Server; IP WebCam; IQ Invision web camera; Mega-Pixel IP Camera; Mobotix; WebCamXP 5 and Yawcam.

They appear to have been installed by both home users and businesses in multiple countries across Europe, the Americas and Asia.

By failing to put in place even cursory protection on the devices, these owners are exposing not only the webcam streams themselves but also, in some cases where admin access is possible, user information and approximate geolocation. In these cases, Efrat was also theoretically able to remotely control the device view and angle.

Control of such feeds and personal info could allow attackers to rob the premises being monitored, blackmail users, and even steal PII for identity fraud.

The problem lies with the cameras’ remote access functionality. In some cases UPnP was enabled without additional protections like password authentication or IP/MAC address whitelisting, whilst in others unsecured P2P networking was used.

“Web camera manufacturers strive to use technologies which make the device installation as seamless as possible but this sometimes results in open ports with no authentication mechanism set up. Many devices aren’t put behind firewalls, VPNs, or whitelisted IP access – any of which would deny scanners and arbitrary connections,” explained Wizcase web security expert, Chase Williams.

“If these devices have open network services, then they could be exposed.”

Wizcase urged webcam operators to change the default configuration of their device in order to: whitelist specific IP & MAC addresses to access the web camera, add strong password authentication and disable UPnP if P2P networking is being used.

It also advised users to configure a home VPN network so the webcam would no longer be exposed to the public-facing internet.
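The weak configuration the researchers found and the hardened one Wizcase recommends can be compared side by side with a small checker. The following is an added example, not Wizcase's or any camera vendor's code; the configuration fields, the default-password list, the minimum password length and the sample settings are assumptions constructed for the demo.

```python
"""Check a webcam's remote-access settings against the Wizcase advice.

Added example, not Wizcase's or any vendor's code. The CameraConfig
fields, the DEFAULT_PASSWORDS list and MIN_PASSWORD_LEN are assumptions;
a real check would read the device's actual settings.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

# Constructed list of factory credentials the checker refuses.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "123456"}
MIN_PASSWORD_LEN = 12


@dataclass(frozen=True)
class CameraConfig:
    auth_required: bool
    password: str
    upnp_enabled: bool
    p2p_enabled: bool
    ip_whitelist: Tuple[str, ...] = ()
    mac_whitelist: Tuple[str, ...] = ()
    reachable_from_internet: bool = True  # False once the camera sits behind a VPN


def password_acceptable(pw: str) -> bool:
    return pw not in DEFAULT_PASSWORDS and len(pw) >= MIN_PASSWORD_LEN


def check_camera(cfg: CameraConfig) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means nothing flagged."""
    findings = []
    if not cfg.auth_required:
        findings.append(("critical", "stream and admin pages reachable without authentication"))
    elif not password_acceptable(cfg.password):
        findings.append(("high", f"password is a factory default or shorter than {MIN_PASSWORD_LEN} characters"))
    if cfg.upnp_enabled:
        findings.append(("high", "UPnP enabled: the router will open ports to the camera automatically"))
    if cfg.p2p_enabled:
        findings.append(("high", "P2P relay enabled: the device answers inbound connections without a firewall rule"))
    has_whitelist = bool(cfg.ip_whitelist or cfg.mac_whitelist)
    if cfg.reachable_from_internet and not has_whitelist:
        findings.append(("high", "reachable from the internet with no IP or MAC whitelist"))
    elif not has_whitelist:
        findings.append(("medium", "no IP/MAC whitelist: any host on the VPN or LAN can connect"))
    return findings


def harden(cfg: CameraConfig, new_password: str, allowed_ips: Tuple[str, ...]) -> CameraConfig:
    """Apply the article's advice: auth on, UPnP and P2P off, whitelist set, VPN only."""
    if not password_acceptable(new_password):
        raise ValueError(f"choose a non-default password of at least {MIN_PASSWORD_LEN} characters")
    return replace(cfg, auth_required=True, password=new_password, upnp_enabled=False,
                   p2p_enabled=False, ip_whitelist=tuple(allowed_ips), reachable_from_internet=False)


# Constructed: the out-of-the-box state the article describes.
FACTORY = CameraConfig(auth_required=False, password="", upnp_enabled=True, p2p_enabled=True)


def demo():
    """Findings before and after hardening the constructed factory config."""
    before = check_camera(FACTORY)
    fixed = harden(FACTORY, "correct-horse-battery-2019", ("192.0.2.10",))
    return before, check_camera(fixed)


if __name__ == "__main__":
    before, after = demo()
    for sev, text in before:
        print(f"[{sev}] {text}")
    print("after hardening:", after or "no findings")
```

The whitelist check is deliberately split: with no VPN in front of the camera a missing whitelist is rated high, because that is the exposed state the researchers found; behind a VPN the same omission drops to medium, matching the page's advice that the VPN alone already removes the device from the public internet.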

Source: Information Security Magazine