
Archive for the News Category

IRS to Mount Epic Cyber-Safety Campaign

America's Internal Revenue Service is to launch a large-scale cyber-safety campaign to coincide with the busiest shopping period of the year.

According to the website Accountingtoday.com, the campaign by the IRS will begin on the Monday after Thanksgiving, commonly known to bargain hunters as Cyber Monday. 

"The campaign will emphasize to practitioners and taxpayers the potential dangers they face during the holiday shopping season and the filing season ahead," said Stephen Mankowski, national tax chair of the National Conference of CPA Practitioners.

"National Tax Security Awareness Week 2019 is slated to begin on Cyber Monday and run from December 2 through December 6," he continued. "This is the heaviest period of time when people are online and when phishing is most common."

YouTube videos will form a key part of the campaign, which will strongly urge taxpayers to only make purchases from known vendors and to regularly check their bank statements for any suspicious activity. 

Mankowski said that continued widespread ignorance of security best practices had been flagged as a concern during a recent meeting he attended with government officials in Washington, DC.

"During the recent Tax Forums, the IRS noted that a lot of people still are not aware of the basics of data security," he said. "The IRS has been making some headway, but much more is needed."

The news follows last month's efforts by the IRS to raise cybersecurity awareness within families as part of National Work and Family Month. 

On October 22, the IRS urged families and teens to stay vigilant in protecting personal information while connected to the internet. 

An IRS spokesperson wrote: "During National Work and Family Month, IRS is asking parents and families to be mindful of all the pitfalls that can be found by sharing devices at home, shopping online and through navigating various social media platforms. Often, those who are less experienced can put themselves and others at risk by leaving an unnecessary trail of personal information for fraudsters."

Cybersecurity "common-sense suggestions" shared by the IRS on their website include advice to always use a virtual private network when connecting to public Wi-Fi, a recommendation to encrypt sensitive files such as tax records stored on computers, and an admonition not to share personal information such as birthdate, address, age, and Social Security numbers online.

Source: Information Security Magazine

Facebook Bug Turns on iPhone Cameras

Users of the Facebook app have complained after discovering a bug that causes their iPhone cameras to activate in the background when they use the app. 

Multiple people have taken to Twitter to report that using the Facebook app on their iPhone has caused the device's rear camera to switch on and run in the background.

Eagle-eyed users noted that the problem seemed to occur as they looked at photos and watched videos that appeared on their newsfeed.

It isn't clear whether the cameras activated by the bug were recording what they observed.

The earliest incident relating to the bug was recounted on Twitter by software tester @neo_qa on November 2. 

The concerned Facebook user wrote: "Today, while watching a video on @facebook, I rotated to landscape and could see the Facebook/Instagram Story UI for a split second. When rotating back to portrait, the Story camera/UI opened entirely. A little worrying . . ."

CNET were able to replicate the bug, and other Facebook users chimed in to say that they had experienced the same issue, with one Twitter user, @selw0nk, quipping that "It's not a bug, it's a feature."

At the beginning of this week, more users of Facebook took to Twitter to report another bug that seems to be affecting the latest version of the iOS. 

This time, users said that when they navigated away from an image they had opened in the Facebook app, they could see a thin slice of the camera's viewfinder. From this, they concluded that whenever the Facebook app is opened, the camera is activated in the background.

Twitter user @JoshuaMaddux wrote on November 10: "Found a @facebook #security & #privacy issue. When the app is open it actively uses the camera. I found a bug in the app that lets you see the camera open behind your feed. Note that I had the camera pointed at the carpet."

The camera-related bugs have added fuel to the fire for people who believe that it's within the realm of possibility that Facebook might deliberately record its users as a way to gather information or target advertisements. 

After a week of silence regarding the first camera bug, Facebook's vice president of integrity Guy Rosen responded on Twitter to Maddux's November 10 tweet about the second bug. 

From his Android device, Rosen wrote: "Thanks for flagging this. This sounds like a bug, we are looking into it."

In a later tweet, Rosen said the camera bug had been created when an earlier bug was fixed.

"We recently discovered our iOS app incorrectly launched in landscape," Rosen wrote. 

"In fixing that last week in v246 we inadvertently introduced a bug where the app partially navigates to the camera screen when a photo is tapped. We have no evidence of photos/videos uploaded due to this."

Rosen later confirmed that nothing was uploaded to Facebook as a result of the camera-related bugs, because the camera was in preview mode. 

A fixed version of the app was submitted to the App Store yesterday.

Dr. Richard Gold, head of security engineering at Digital Shadows, commented: "Bugs such as these erode the already fragile trust between companies and the public, even though their origin might be completely innocuous."

Source: Information Security Magazine

Airbus Launches Human-Centric Cybersecurity Accelerator

Airbus has announced the launch of a human-centric cybersecurity accelerator program. It will feature a dedicated team of human factor and cognitive psychology experts that will work in collaboration with the UK’s National Cyber Security Centre (NCSC) and a range of other partners to gain crucial insights into human-centric approaches for improving cybersecurity effectiveness. 

The Accelerator will offer placements for qualifying university students and establish collaboration opportunities with research teams and businesses to help make the UK one of the safest places to do business in cyberspace. 

The launch follows the opening of the Airbus Cyber Innovation Hub, located in Newport, Wales, in April 2019.

Dr Kevin Jones, chief information security officer of Airbus, said: “With increasingly sophisticated attacks being attempted every day, it simply isn’t possible to protect every user against every cyber-attack. We therefore need to think differently and identify ways for security to work with an organization’s people, to better protect against an array of threats.

“With the right tools and approach, employees can be the strongest link in an organization’s cyber-defense. Our work aims to put people-centric thinking at the heart of an organization’s security and we’re keen to hear from likeminded researchers and organizations who are interested in getting involved with our new Accelerator.”

Airbus was recently forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year.

Dr Ian Levy, technical director at the NCSC, said the new initiative is a welcome one and recognizes the importance of a multidisciplinary approach that puts people at the center of cybersecurity development.

“At the NCSC, we recognize the vital role employees have to play in an organization’s cyber-resilience and we are pleased to collaborate on this program.”

Source: Information Security Magazine

Mexican Petrol Giant Pemex Hit by Ransomware

Mexico’s state-owned petroleum giant Petróleos Mexicanos (Pemex) is insisting all operations are running normally after a suspected ransomware attack, despite reports to the contrary.

The firm claimed that operation and production systems remain unaffected and supply of fuel remains guaranteed. However, it admitted that an attack on Sunday did affect around 5% of its personal computers.

Reports, though, suggest the firm has been harder hit, with Pemex billing systems taken offline, forcing staff to rely on manual processes which means payment of staff and suppliers may be disrupted.

Invoices for fuel sent from Pemex storage facilities to gas stations were being filled in manually while some employees in the petrol giant’s refining business couldn’t access emails or get online on Tuesday, with computers running slowly, sources told Bloomberg.

Although an internal memo reportedly suggested Ryuk as the culprit, security experts have seen leaked ransom notes confirming that the attackers used the DoppelPaymer variant.

A Tor payment site revealed a ransom demand of 565 Bitcoins (£3.9m, $5m).

The same ransomware is thought to have been used in an attack against Canada’s Nunavut territory earlier this month.

Pemex is the latest in a long line of big-name organizations targeted by ransomware this year. Norwegian aluminium giant Norsk Hydro suffered major outages after being struck in March. The firm later admitted that the attack may have cost it as much as $41m after production was disrupted.

German automation giant Pilz was crippled for over a week by ransomware last month, while US mailing technology company Pitney Bowes and French media conglomerate Groupe M6 admitted suffering attacks.

Over a quarter (28%) of UK firms were hit by ransomware over the previous 12 months, according to research from Databarracks published in July.

Source: Information Security Magazine

Orvis Passwords Leaked Twice on Pastebin

Internal passwords belonging to American retailer Orvis were twice leaked online in a double data breach. 

Credentials belonging to the luxury fishing equipment purveyor were posted on the website Pastebin.com last month, according to investigative reporter Brian Krebs.

A swathe of plaintext usernames and passwords relating to everything from firewalls and routers to database servers and even administrator accounts was exposed for several weeks. 

The leaked files from the Vermont-based retailer included credentials for security cameras, door controllers, door and alarm codes, and FTP credentials, and even showed the combination to a locked safe in the company's server room. 

Krebs was tipped off about the data breach in late October by Wisconsin-based security firm Hold Security. Company founder Alex Holden said an enormous file containing internal passwords relating to Orvis had been posted to Pastebin on October 4 and again on October 22.

Holden's finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online. However, a spokesperson for Orvis would only acknowledge that one much shorter breach had occurred.

Orvis spokesperson Tucker Kimball told Krebs: "The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones. 

"We are leveraging our existing security tools to conduct an investigation to determine how this occurred."

Orvis is America's oldest mail-order retailer and was founded in 1856. The company has 69 retail stores and 10 outlets in the US plus a further 18 stores in the UK, and employs 1,700 people. 

How the passwords came to be on Pastebin is unknown, though potential sources could include an internal threat actor or a malicious or perhaps simply careless third party. 

Kelly White, CEO of RiskRecon, commented: "Security teams need to get into the mindset that their risk surface spans to all people, processes, and technology that touch their data, including subcontractors. Too often, organizations require less of their vendors and subcontractors than they do of their own personnel. 

"While employees are formally trained in handling of sensitive information and required to use corporate administered systems, subcontractors are not; no training in handling of sensitive data and allowed to use their own systems. When incidents like this happen, it is no surprise that existing security standards aren't met—the subcontractor likely wasn't even aware of them." 

Orvis did not reply to a request for further comment.

Source: Information Security Magazine

PortSwigger Launches Web Security Academy

PortSwigger has launched a free interactive training platform in an attempt to address the global shortage of cybersecurity talent. 

The makers of Burp Suite cut the ribbon on the new Web Security Academy last month following a soft launch of the platform in April 2019, which a PortSwigger spokesperson said had garnered "overwhelmingly positive user feedback."

The Web Security Academy features a vast amount of high-quality reading materials and interactive labs of varying levels of difficulty. Inside the free resource, users are able to access a safe testing environment in which to experiment without incurring any kind of legal risk.

Content will be continuously updated, with new topics and material added regularly to reflect the ever-changing nature of the cyber-threat landscape. Learning materials currently available on the site include labs on clickjacking, WebSocket, HTTP request smuggling, server-side request forgery, and XXE injection.

Users of the new platform can track their progress and indulge in a little healthy competition via live leader boards. Learning is offered at a pace set by the user and without the pressure of deadlines, although the first user to finish each freshly released lab will get their name in the Hall of Fame and win some Burp Suite swag. 

After six months of being tested out and tweaked in beta, the Web Security Academy was officially launched on October 29. 

The academy is led by PortSwigger founder and CEO and author of The Web Application Hacker's Handbook, Dafydd Stuttard, along with PortSwigger's world-renowned research team.

"There has been huge demand for a third edition of The Web Application Hacker's Handbook. After much thought, I concluded that writing another paper book wasn't the right option today. Much better to produce an online edition that is interactive, actively maintained, and accessible to everyone. The Web Security Academy is exactly that," said Stuttard.

The launch of the new free training website follows news reported last week that global IT security skills shortages have now surpassed four million. 

Research conducted by recruitment firm Outsource found that since 2014, the number of organizations reporting a problematic security skills shortage has more than doubled, from 23% to 51%.

Source: Information Security Magazine

Aqua Security Acquires CloudSploit

CloudSploit has been acquired by Aqua Security for an undisclosed sum.

Aqua Security, the leading platform provider for securing container-based, serverless, and cloud native applications, announced the acquisition of security auditing and monitoring tool CloudSploit today. 

The American company said the addition of CloudSploit will enable them to expand into cloud security posture management (CSPM) and give their customers the option of continuous security monitoring.

Co-founded by Matthew Fuller and Josh Rosenthal, CloudSploit was built on open source foundations and has benefited from the contributions of cloud users and experts since its inception in 2015. 

CloudSploit’s SaaS-based platform allows customers to monitor their public cloud accounts and access an overview of their entire estate of cloud resources. It automatically manages cloud security risk and benchmarks against industry standards to ensure compliance.

CloudSploit works as an auditing tool to check the configuration state of services in users' IaaS accounts for potential misconfigurations that lead to security breaches. The platform also monitors activity in users' accounts for suspicious behavior and insider threats in real-time. 

"We are excited to add CloudSploit to Aqua’s cloud-native security portfolio," said Dror Davidoff, CEO of Aqua Security.  

"Aqua protects the world’s largest cloud native environments; with CloudSploit our customers can now continuously monitor and manage their cloud security posture across their multi-cloud infrastructures."

CloudSploit is the second open-source investment by Aqua since August, when the company announced its acquisition of the Trivy vulnerability scanner.

A spokesperson for Aqua Security said: "With the addition of CloudSploit and VM Security, Aqua’s customers can more effectively manage risk and protect against threats for their multi-cloud environments across the full application stack, from infrastructure, application workloads and code."

Aqua has also added significant new capabilities to its Cloud Native Security Platform (CSP), deepening protection of virtual machines. Aqua CSP now protects VMs for complete cloud workload protection.   

Aqua’s VM security solution delivers file integrity monitoring, machine image assurance, network discovery, and micro-segmentation to hosts for full visibility of infrastructure and application threats. Organizations can now protect their cloud native workloads from a single control panel for improved visibility and efficient remediation.   

Source: Information Security Magazine

Microsoft to Extend California Privacy Law US-Wide

Microsoft has announced plans to extend the privacy provisions provided in a landmark new Californian state law to users across the US.

The California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. It’s set to offer more GDPR-like protections and rights to the Golden State’s citizens, such as the ability to find out what personal information of theirs companies are collecting and to prevent it from being sold to third parties.

However, it doesn’t go as far as the EU legislation in terms of large fines for erring companies, its definition of personal information, the need for Data Protection Officers (DPOs) and other elements.

That said, it has come under heavy criticism from tech firms that make money from selling their customers’ personal information. There have also been efforts at a federal level to draft a new law which would supersede the Californian one, but lawmakers are split down party lines.

That’s offered Microsoft an opportunity to differentiate from much of the tech sector by supporting the CCPA US-wide, just as it has done by promising to extend GDPR protections to all customers.

“While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction,” explained Microsoft chief privacy officer, Julie Brill.

“We are optimistic that the California Consumer Privacy Act — and the commitment we are making to extend its core rights more broadly — will help serve as a catalyst for even more comprehensive privacy legislation in the US.”

Source: Information Security Magazine

UK Labour Party Hit By “Sophisticated” and “Large-Scale” Cyber-Attack

The UK Labour Party has stated that it has been hit by a “sophisticated and large-scale cyber-attack” on its digital platforms.

As reported by Sky News, a party spokesperson said that the attack failed to breach any data because of the party's robust security systems.

“Security procedures have slowed down some of our campaign activities, but these were restored this morning and we are back up to full speed,” she said. “We have reported the matter to the National Cyber Security Centre.”

It is believed that the attack was a distributed denial of service (DDoS) attack.

Commenting on the news, Corin Imai, senior security advisor at DomainTools, said: “This should be a significant concern to all voters in the UK regardless of their political viewpoints. During a General Election, it is imperative that the main political parties are all given a fair and impartial hearing, and considering the importance of digital campaigning in modern election cycles, a DDoS attack such as this could give other parties an advantage.

“While there is no indication of where this cyber-attack comes from, and it is obviously encouraging that the Labour party said these attempts failed, the incident is an example of just how susceptible to cyber-criminal activity our democratic process can be.”

Dean Ferrando, systems engineer manager – EMEA, at Tripwire, added: “Political organizations should boost their security resources in this particularly sensitive election period, and make sure they implement the necessary patches, system upgrades and security measures. There is always a danger that attacks on this scale are around the corner. It just means organizations need to be one (or four) steps ahead of the attackers.”

Source: Information Security Magazine

Two New Carding Bots Threaten E-Commerce Sites

Two new carding bots that pose a threat to e-commerce platforms have been detected at the start of the busiest shopping period of the year. 

The discovery was made by an eagle-eyed PerimeterX research team, which launched an investigation after the number of cyber-attacks against their own checkout pages surged.

One of the new carding bots, named the canary bot, specifically exploits top e-commerce platforms. The other bot, dubbed the shortcut bot, bypasses the e-commerce website entirely and instead exploits the card payment vendor APIs used by a website or mobile app.

Carding is a brute force attack on a retailer’s website using stolen credit cards or gift cards. Threat actors use carding to mass-verify millions of stolen credit cards and generate a list of valid credit cards.

The validated credit cards are then typically sold on the black market for around $45 each and exchanged for untraceable gift cards that enable the cyber-criminal to mask their identity. 

To verify the cards, the attackers usually make a low-cost purchase. Once validated, a card can then be used for big-ticket items, resulting in hefty losses, which are often covered by retailers and payment processors. 

The sophisticated canary bot identified by PerimeterX researchers is eerily good at aping human behavior. 

Describing an attack by the canary bot, researchers wrote: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a website."

As can be expected from its name, the shortcut bot takes a more direct approach, skipping out on adding products to the cart and completing the billing process in an attempt to avoid detection. 

"The shortcut carding bots exploit the card payment vendor APIs used by a website or mobile app and bypass the target e-commerce website completely," wrote researchers. "We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators."

Researchers said that they had seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications. They also witnessed an increase in these new types of attacks across multiple unrelated customers, indicating the quick evolution of these attack tools.

"This dynamic is similar to competing startups that may be running their services on the same cloud vendor, and using the same open-source libraries," wrote researchers. 

PerimeterX advised e-commerce website owners to prevent users from getting to the payment page without items in their cart to stop basic carding attacks. 
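As an added illustration of the advice above (example code written for this page, not PerimeterX's or any retailer's implementation), the following server-side checkout guard refuses the payment step unless the session holds a non-empty cart and has completed the shipping step, and then limits how many distinct cards one session may try. The shortcut bot described in the article fails the first gate; the canary bot passes it, because it builds a cart like a real shopper, and is caught only by the distinct-card limit. Session and card-token values, the thresholds, and the simulated payment-vendor responses are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Thresholds are assumptions chosen for this example, not figures from the article.
MAX_DISTINCT_CARDS_PER_SESSION = 3   # genuine shoppers rarely cycle through cards
MAX_FAILED_PAYMENTS_PER_SESSION = 5


@dataclass
class CheckoutSession:
    session_id: str
    cart: List[str] = field(default_factory=list)             # SKUs added to the cart
    shipping_set: bool = False                                # shipping step completed?
    card_fingerprints: Set[str] = field(default_factory=set)  # hashes of card tokens tried
    failed_payments: int = 0


def fingerprint(card_token: str) -> str:
    """Keep only a hash of the payment vendor's card token for counting purposes."""
    return hashlib.sha256(card_token.encode()).hexdigest()[:16]


def gate_payment_page(s: CheckoutSession) -> Tuple[bool, str]:
    """The PerimeterX advice: no cart, no payment page. The shipping step is
    required too; the article's canary bot completes it, the shortcut bot does not."""
    if not s.cart:
        return False, "empty cart"
    if not s.shipping_set:
        return False, "shipping step not completed"
    return True, "ok"


def process_payment(s: CheckoutSession, card_token: str, vendor_approved: bool) -> str:
    """Apply the page gate, then cap distinct cards and failed attempts per session.
    `vendor_approved` stands in for the payment vendor's response (simulated here).
    Returns 'approved', 'declined' or 'blocked: <reason>'."""
    ok, why = gate_payment_page(s)
    if not ok:
        return f"blocked: {why}"
    s.card_fingerprints.add(fingerprint(card_token))
    if len(s.card_fingerprints) > MAX_DISTINCT_CARDS_PER_SESSION:
        return "blocked: too many distinct cards in one session"
    if s.failed_payments >= MAX_FAILED_PAYMENTS_PER_SESSION:
        return "blocked: too many failed payments"
    if not vendor_approved:
        s.failed_payments += 1
        return "declined"
    return "approved"


def simulate() -> Dict[str, List[str]]:
    """Constructed scenarios: a real shopper, a shortcut bot and a canary bot."""
    results: Dict[str, List[str]] = {}

    shopper = CheckoutSession("s-shopper", cart=["SKU-100"], shipping_set=True)
    results["shopper"] = [process_payment(shopper, "tok_shopper_1", vendor_approved=True)]

    # Shortcut bot: hits the payment endpoint directly, never building a cart.
    shortcut = CheckoutSession("s-shortcut")
    results["shortcut_bot"] = [
        process_payment(shortcut, f"tok_{i}", vendor_approved=False) for i in range(3)
    ]

    # Canary bot: looks like a shopper up to the payment step, then cycles cards.
    canary = CheckoutSession("s-canary", cart=["SKU-001"], shipping_set=True)
    results["canary_bot"] = [
        process_payment(canary, f"tok_{i}", vendor_approved=(i % 2 == 0)) for i in range(6)
    ]
    return results


if __name__ == "__main__":
    for name, outcomes in simulate().items():
        print(f"{name}: {outcomes}")
```

The cart gate alone stops the shortcut bot, which is why the article's advice targets "basic" carding; the distinct-card counter is what turns the canary bot's otherwise normal-looking session into a detectable one, since mass verification requires cycling through many cards where a shopper uses one or two.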

Source: Information Security Magazine