
Archive for the News Category

Facebook Announces Digital Wallet and Coin, Libra

Even as it potentially faces billions of dollars in fines from the US Federal Trade Commission (FTC), Facebook today announced its plans for Calibra, a Facebook subsidiary that will provide financial services and enable users to access and participate in the Libra network.

“Calibra will let you send Libra to almost anyone with a smartphone, as easily and instantly as you might send a text message and at low to no cost. And, in time, we hope to offer additional services for people and businesses, like paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit without needing to carry cash or a metro pass,” the news release stated.

Intended to be officially released in 2020, the digital currency is powered by blockchain technology. However, not all responses to the news have been positive. The cryptocurrency is “a glorified exchange traded fund which uses blockchain buzzwords to neutralize the regulatory impact of coming to market without a licence as well as to veil the disproportionate influence of Facebook in what it hopes will eventually become a global digital reserve system,” according to the Financial Times.

While some remain wary, given Facebook’s recent track record of failing to protect consumer data, the company added that “Calibra will have strong protections in place to keep your money and your information safe. We’ll be using all the same verification and anti-fraud processes that banks and credit cards use, and we’ll have automated systems that will proactively monitor activity to detect and prevent fraudulent behavior.”

The idea that social and financial data could be combined is worrying, said Ray Walsh, digital privacy expert at ProPrivacy.

“Although Facebook claims that it will keep the distinct data sets at arm's length – it is hard to believe that consumer habits will not be tracked in order to allow Facebook to better serve ads. After all, that is how the firm produces the majority of its revenue streams.

“Facebook has proven, time and time again, that it is not to be trusted with consumer data, and it seems unlikely that it does not plan to exploit as much consumer data as it is legally permitted to do so. Facebook's whitepaper claims that it will not source transaction data from the Libra Blockchain without consumer consent. For the time being, no privacy policies or Terms of Service are available for Libra coin.”

Source: Information Security Magazine

Accenture Acquires Deja vu Security

Deja vu Security has become a part of Accenture’s cyber-defense offerings through an acquisition announced on June 17.

The Seattle-based Deja vu Security was founded in 2011 and has been providing a range of business application security solutions with a focus on integrating security into the product development lifecycle. Accenture continues to invest in next-generation cybersecurity solutions that will deliver end-to-end security for clients’ business. Financial terms of the agreement were not disclosed.

“Deja vu Security brings to Accenture a deep expertise in the techniques, tools and methods for securing connected devices and IoT networks,” the press release said. The transaction heightens Accenture’s ability to improve the “security of things.”

“For technology companies, third-party suppliers and consumers alike, IoT security controls often remain an afterthought which is why it’s critical that security is built in from the start for any new products, processes or services,” said Kelly Bissell, senior managing director of Accenture Security. “Deja vu Security’s team of innovative specialists brings considerable technical cybersecurity skills, making them a strong strategic fit and [helping] our clients reduce the risk of their connected solutions. We are very excited to welcome the Deja vu Security team to Accenture.”

Deja vu Security and its employees are reportedly excited about the transaction, according to the press release. “Accenture’s people-focused culture and innovative mindset are core values that both companies share, and our unique capabilities complement each other perfectly. We are thrilled to be joining such a high-caliber global organization,” said Adam Cecchetti, Deja vu Security’s chief executive officer.

Source: Information Security Magazine

DNS Attacks Grow More Frequent and Costly

Domain name server (DNS) attacks have grown in frequency and cost, according to multiple research reports published this week.

The Domain Fraud Threats Report from Proofpoint found that Chengdu West Dimension Digital, NameSilo, Public Domain Registry and GoDaddy are the registrars with the most fraudulent domain registrations. Of the millions of fraudulent domains registered, 1 in 4 have security certificates and more than 90% remain active on a live server. In addition, more than 15% have mail exchanger (MX) records.

“Fraudulent domains 'hide in plain sight' by using many of the same top-level domains (TLDs), registrars, and web servers as legitimate domains. For example, 52% of all new domain registrations in 2018 used the .com TLD. The TLD was similarly popular with fraudsters: nearly 40% of new fraudulent domain registrations used .com,” Proofpoint’s Ali Mesdaq wrote in a June 17 blog post.

In related news, IDC’s 2019 Global DNS Threat Report, commissioned by Efficient IP, found that DNS attacks cost an average of $1.07 million for organizations, a jump of 49% from last year.

While many organizations have faced a 34% increase in DNS attacks since 2018, more than 85% of top retail brands found domains selling counterfeit versions of their products and 63% of organizations suffered application downtime. The report also found that 45% of organizations had their websites compromised, and 27% experienced business downtime.

“One in five businesses lost over $1 million per attack, causing app downtime for 63% of those attacked,” a June 18 press release said. The study also highlighted the changing popularity of attack types, which reflect a shift from volumetric to low-signal attacks, including phishing, malware-based attacks and old-school distributed denial of service (DDoS).

“With an average cost of $1m per attack and a constant rise in frequency, organizations just cannot afford to ignore DNS security and need to implement it as an integral part of the strategic functional area of their security posture to protect their data and services,” said Romain Fouchereau, research manager European security at IDC.

Source: Information Security Magazine

#OktaForum: Biometrics Are Authentication Preference, Privacy Concerns Remain

Biometrics are seen as a positive step forward in authentication, but employees maintain privacy concerns.

According to a survey of 4013 workers across the UK, France and the Netherlands, the Okta Passwordless Future Report found that 78% of respondents use an insecure method to help them remember their password, including: using the same passwords for multiple accounts (34%), writing passwords down (26%), typing passwords on a phone or computer (17%) and using well-known passwords (6%).

Dr Maria Bada, research associate at Cambridge University, said: “Passwords are often quite revealing. They are created on the spot, so users might choose something that is readily to mind or something with emotional significance.

“Passwords tap into things that are just below the surface of consciousness. Criminals take advantage of this and with a little research they can easily guess a password.”

The research also found that 70% of respondents believe biometrics would benefit the workplace, but 86% have some reservations about sharing biometrics with employers.

Todd McKinnon, CEO and co-founder of Okta, said: “Passwords have failed us as an authentication factor, and enterprises need to move beyond our reliance on this ineffective method.”

Speaking to Infosecurity, McKinnon said that Okta sees the role of biometrics as the “last mile”: the value it provides is at the policy layer, and you need to determine what your policy is.

“There is still a bunch of work that has to happen to map that, and to have access to a certain server or application, so I envisage that there will be different levels that are high or low risk,” he added.

McKinnon pointed to the need for a central policy to link all of the biometric access data together for the appropriate scenario. He said that Okta provides the technology to enable access, but it is up to the customer to determine how they enable access, whether it is via a personal phone or a corporate device, “based on the resources you are trying to access.”

On the issue of trusting employees, McKinnon said that there are too many bad user experience cases where a person cannot get a text on a personal phone, or too much data is collected due to privacy issues “because the policy is not flexible and the company does not have the right resource to check, so they over-collect information.”

Dr Bada said: “Biometric technology can be promising in creating a passwordless future, but it's essential to create an environment of trust, while ensuring privacy and personal data protection.”

Source: Information Security Magazine

#OktaForum: Trust is Key to Identity and Security

Trust remains the most important factor in enabling security and identity management.

Speaking at the Okta Forum in London, Okta CEO Todd McKinnon said that every company is a technology company now, and if you are not a technology company “your replacement will be a technology company.”

McKinnon explained that technology comes with risks: the “war on talent” is making it hard to find the right people, “unprecedented regulations” like GDPR are imposing frameworks on companies that preceded the technology revolution, and social networking has left people concerned about trust and privacy.

“There is a tremendous potential of technology, but it is not without issues and risks and can lead to the erosion of trust,” he said. “At Okta, we believe that the potential of technology is amazing, but a lack of trust won’t enable us to reach its potential, so we need to trust the new frontier as we’re all technology companies.”

McKinnon said that there is a “burden to be secure” and for Okta the solution is that identity is key. “Connect people to technology and get identity right and solve the trust problem,” he advised.

He went on to say that the use of any technology is not about identity or security, “but to push for you to be successful,” and to enable that, Okta built the Okta Identity Cloud.

McKinnon said that the company was focused on building the best products, having a comprehensive set of integrations, supporting use cases and building up data “to help you do the right actions in your environment.”

Speaking to Infosecurity, McKinnon explained that after the revolution of technology companies, the “backlash against technology” and the impact on privacy had “evened up the ante as companies need to get identity right.”

Source: Information Security Magazine

NYT: US Targets Russian Power Grid

After news broke that the US has ramped up its digital attacks on Russia, according to a New York Times article, President Trump tweeted that the story was a "virtual act of treason by a once great paper…ALSO, NOT TRUE.”

Though there are no details of the malware that was reportedly placed inside Russia’s power grid system, the NYT reported that National Security Presidential Memorandum 13, a classified document, grants the Department of Defense (DoD) the power to conduct offensive online operations without receiving presidential approval.

Specifically, General Paul Nakasone, commander of the US Cyber Command, holds that authority to make these decisions about offensive strategies. Without confirming that the DoD is taking more aggressive measures, House minority whip Steve Scalise told Meet the Press on June 16, “I'm glad the administration has been taking aggressive actions."

“An offensive cyber-strategy is a necessary component of a larger military and diplomatic strategy against a determined US adversary like Russia. After all, let’s not forget that Russia has been targeting US utilities for several years, at least,” said Carlos Perez, R&D practice lead at TrustedSec.

“US-CERT warned just last year about Russia’s cyber-operations against multiple US utilities. We’ve also seen Russia put these capabilities to real-world effect, as in the case of the two cyber-induced power outages that affected Ukraine. We have to take this threat seriously, and having a cyber-response ready to go is of paramount importance."

Perez clarified that the operations described by the New York Times also do not constitute cyber-war, nor do they exceed the legal restrictions set by our own government.

"The Department of Defense Law of War Manual has codified cyber operations, which this current action falls within. As you’ll notice, these guidelines include such operational objectives as reconnaissance, acquiring and securing access to key systems, and implanting access tools into infrastructure for the purpose of acquiring foreign intelligence, gaining information about an adversary’s capabilities and gathering information to determine intent, just to name a few.”

While trying to avoid the risk of escalating the situation with Russia, Perez said that this action and others taken by US cyber-ops teams are aimed at preparing the battle space with Russia, so that the US will be ready at some future point, should direct action need to be taken.

“This is also about deterrence, as we are signaling to Russia that we have the technical means and capabilities and the will to use them if we have to. As for the risk of ending up in a full-scale cyber-war, the reality is that we have been close to it with several events that have happened but remained in an economic, intelligence and influence conflict with Russia, as well as other countries, like China, Iran and, to a lesser extent, North Korea. These are low-intensity conflicts but they could escalate at any point, even without us engaging in our own offensive cyber-ops.”

Source: Information Security Magazine

Seven Million Venmo Transactions Published on GitHub

Venmo users are being advised to set their accounts to private after a computer science student scraped seven million Venmo transactions, proving that users’ public activity can be easily accessed, according to The Next Web (TNW).

Over a six-month period, Minnesota State University computer science student Dan Salmon collected a data set of more than seven million Venmo transactions, which he exported from MongoDB and published on GitHub.

“I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research,” Salmon wrote.

“I would highly encourage all users to switch their Venmo account to private by going to Settings > Privacy and selecting "Private" as well as Past Transactions > Change All to Private. Screenshot instructions are available here.”

"Transparency may often be used against the legitimate interests of end users. Probably very few of us wish to share all their payment transactions with the rest of the world even if we have nothing to hide. Venmo should explicitly and conspicuously notify all its users that their transactions are accessible by everyone unless they update their settings,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

“[The] developer’s API should be provided only to vetted, properly verified third parties within a scope of a binding legal agreement capable of protecting users’ privacy regardless of technical flaws one may discover now or in the future,” Kolochenko said.

“Anti-scraping functionality probably requires holistic testing via an open bug bounty program, for example, to spot and remediate as many anti-automation bypasses as possible. This will not provide absolute protection but at least will considerably reduce the efficiency of data-scraping campaigns. Without all these common-sense measures, Venmo may face serious legal ramifications and severe monetary penalties in many jurisdictions, let alone disgruntled users and loss of revenue."

In an email to Infosecurity, a Venmo spokesperson said, "Venmo was designed for sharing experiences with your friends in today’s social world, and the newsfeed has always been a big part of this. The safety and privacy of Venmo users and their information is always a top priority. 

"Venmo does a number of things to keep our users informed and help them protect and control their privacy, including:

  • "The social newsfeed: When people open the app, the first thing they see is the newsfeed. This is the first step in educating users that Venmo is a social forum and the newsfeed allows you to see what others have chosen to share on Venmo and the experiences that are happening on Venmo.
  • "Users choose what to share: Like on other social apps, Venmo users can choose what they want to share and which audience they share it with. It is very clear in each payment what audience it is being shared with and we have made this even more prominent in recent years."

Source: Information Security Magazine

Eliminate Outdated Identity Proofing, Says GAO

The remote identity proofing used by four large government agencies has been deemed outdated by a new report released by the U.S. Government Accountability Office (GAO).

According to the report, the Postal Service, Department of Veteran Affairs, Social Security Administration and the Centers for Medicare and Medicaid Services use outdated tactics to verify citizens’ data over the phone.

Of the six agencies GAO interviewed, only two have eliminated the use of knowledge-based verification methods. The remaining four government agencies rely on “consumer reporting agencies (CRAs) to conduct a procedure known as knowledge-based verification,” the report said. That is, individuals are asked questions based on information available in their credit reports.

As a result, any fraudster could potentially use information exposed in the 2017 Equifax breach, or in the latest hack of the week, to answer security questions and start collecting the social security checks of vulnerable Americans or embezzling veterans’ healthcare benefits.

“The risk that an attacker could obtain and use an individual’s personal information to answer knowledge-based verification questions and impersonate that individual led the National Institute of Standards and Technology (NIST) to issue guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications,” the report said.

In addition to cost, agencies noted additional challenges to implementation, which include “mobile device verification[, which] may not always be viable because not all applicants possess mobile devices that can be used to verify their identities. Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” the report stated.

Beyond recommending that the agencies discontinue the practice of knowledge-based verification, the GAO also recommended that NIST augment its technical guidance to include implementation guidance and assist agencies in adopting more secure authentication processes.

“It’s unfortunate that data breaches have become a part of our modern lives. But this report shows most of the damage isn’t done in the initial breach. In fact, most of the real damage comes from account takeovers by social engineering contact center agents long after the breach. Here’s the reality – hackers aren’t going away. The solution is to de-weaponize personal information. Stop relying on it for authentication,” said Pat Cox, VP and GM at Neustar.

“Identity interrogation and knowledge-based authentication, where citizens verify their identity by demonstrating knowledge of personal information, as basic as address or date of birth – information which could have been gleaned from dozens of recent data breaches – isn’t stopping identity theft."

Source: Information Security Magazine

Microsoft Urges Azure Customers to Patch Exim Worm

Microsoft has urged Azure users to update their systems following the discovery of a major new attack campaign targeting popular email server software.

The worm, which Infosecurity reported on last week, targets mail transfer agent product Exim running on Linux-based email servers. It’s claimed that Exim is running on over half (57%) of the world’s email servers, with as many as 3.5 million vulnerable to the new attack.

In a security update on Friday, Microsoft confirmed that the attack imperils servers running Exim version 4.87 to 4.91. It said that although Azure has “controls” in place to prevent the spread of the worm, customers could still be vulnerable to infection and should update their systems as soon as possible.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs. As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,” Microsoft explained.

“There is a partial mitigation for affected systems that can filter or block network traffic via Network Security Groups (NSGs). The affected systems can mitigate Internet-based ‘wormable’ malware or advanced malware threats that could exploit the vulnerability. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker’s IP Address is permitted through Network Security Groups.”
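The two facts in Microsoft’s advice that a defender actually needs to act on are the affected version range (Exim 4.87 to 4.91) and the point that NSG filtering only narrows exposure rather than fixing the bug. The following triage script is an added example, not code from Microsoft, Cybereason or the Exim project: it takes a constructed inventory of SMTP banners for Azure VMs, extracts the Exim version, and ranks each host by whether it is in the affected range and whether port 25 is reachable from the Internet. The banner format, host names and the `smtp_open_to_internet` flag are assumptions for the example; in practice that flag would come from the VM’s effective NSG rules.

```python
import re
from typing import Dict, Optional, Tuple

# Affected Exim versions as stated in the Microsoft security update quoted above.
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)

# Matches the "Exim 4.91" fragment of a standard SMTP greeting banner.
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)")

# Constructed sample inventory (not real hosts): the banner each VM returned on
# port 25 and whether an NSG rule exposes that port to the Internet.
SAMPLE_INVENTORY = [
    {"host": "vm-mail-01", "banner": "220 vm-mail-01 ESMTP Exim 4.91 Mon, 17 Jun 2019 09:00:00 +0000",
     "smtp_open_to_internet": True},
    {"host": "vm-mail-02", "banner": "220 vm-mail-02 ESMTP Exim 4.92 Mon, 17 Jun 2019 09:00:01 +0000",
     "smtp_open_to_internet": True},
    {"host": "vm-mail-03", "banner": "220 vm-mail-03 ESMTP Exim 4.89 Mon, 17 Jun 2019 09:00:02 +0000",
     "smtp_open_to_internet": False},
    {"host": "vm-mail-04", "banner": "220 vm-mail-04 ESMTP Exim 4.86_2 Mon, 17 Jun 2019 09:00:03 +0000",
     "smtp_open_to_internet": True},
    {"host": "vm-relay-05", "banner": "220 vm-relay-05 ESMTP Postfix",
     "smtp_open_to_internet": True},
]


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an SMTP banner, or None if it is not Exim."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    return (int(match.group(1)), int(match.group(2)))


def is_affected(version: Tuple[int, int]) -> bool:
    """True when the version falls inside the range Microsoft named (4.87-4.91)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory) -> Dict[str, Tuple[Optional[str], str]]:
    """Map host -> (version string or None, action).

    Actions:
      patch-now   affected and reachable from the Internet (worm can reach it)
      patch-soon  affected but filtered by NSG; NSGs are only a partial
                  mitigation, so the host still needs the update
      not-affected  an Exim version outside the stated range
      unknown     not recognised as Exim; needs a manual look
    """
    results: Dict[str, Tuple[Optional[str], str]] = {}
    for item in inventory:
        version = parse_exim_version(item["banner"])
        if version is None:
            action = "unknown"
        elif not is_affected(version):
            action = "not-affected"
        elif item["smtp_open_to_internet"]:
            action = "patch-now"
        else:
            action = "patch-soon"
        version_str = None if version is None else f"{version[0]}.{version[1]}"
        results[item["host"]] = (version_str, action)
    return results


if __name__ == "__main__":
    for host, (version, action) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} exim={version or '-':6} {action}")
```

Hosts in the patch-now bucket are the ones the worm described below can reach directly; patch-soon hosts are protected only as long as the NSG holds and no permitted source is itself compromised, which is exactly the caveat in Microsoft’s statement.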

Two waves of attack have been spotted in the wild, downloading a cryptocurrency mining payload to monetize the threat. The more sophisticated of the two uses Tor services and creates “deceiving windows icon files” to throw security teams off the scent.

As well as downloading the payload, the malware searches for additional vulnerable servers on the internet, connects to them, and infects them with the initial script, according to Cybereason.

Source: Information Security Magazine

Twitter Shuts Down 5000 State-Sponsored Accounts

Twitter has taken down nearly 5000 fake accounts, most of them apparently backed by the Iranian state, in a bid to clean the platform of government-sponsored attempts to spread propaganda.

The social network claimed in a post last week that it had closed 4779 accounts linked to Tehran, 1666 of which tweeted nearly two million times, with content “that benefited the diplomatic and geostrategic views of the Iranian state.”

Another subset of 248 accounts were engaged with discussions related to Israel, while 2865 “employed a range of false personas to target conversations about political and social issues in Iran and globally.”

Four accounts were linked to the infamous Internet Research Agency (IRA), the Kremlin-linked organization responsible for a mass disinformation campaign on social media ahead of the 2016 US Presidential election.

Also removed by Twitter during this cull were 130 fake accounts linked to organizations including Esquerra Republicana de Catalunya, which spread content designed to “inorganically influence the conversation” about Catalan independence.

Twitter closed down a further 33 accounts run by a “commercial entity” operating in Venezuela “that were engaging in platform manipulation targeted outside of the country.”

“Our Site Integrity team is dedicated to identifying and investigating suspected platform manipulation on Twitter, including potential state-backed activity. In partnership with teams across the company, we employ a range of open-source and proprietary signals and tools to identify when attempted coordinated manipulation may be taking place, as well as the actors responsible for it,” wrote Twitter head of site integrity, Yoel Roth.

“We also partner closely with governments, law enforcement, and our peer companies to improve our understanding of the actors involved in information operations and develop a holistic strategy for addressing them.”

Source: Information Security Magazine