Archive for the News Category

Majority of Orgs Unaware of IoT Security Threats

New research revealed that 86% of IT and security leaders believe their organization needs to improve its awareness of internet of things (IoT) threats, according to Trend Micro.

Connected devices are increasingly being used as gateways to the corporate networks. By compromising these devices, attackers can gain access to the greater corporate network, where they are then able to conduct even more damaging attacks.

In a survey carried out by Vanson Bourne, 1,150 IT and security decision makers across the US, UK, France, Germany and Japan revealed that the majority of participating organizations lack an understanding of cybersecurity in relation to the deployment of IoT projects. Survey participants held either C-level or management positions in companies across many sectors, including retail, media and construction.

“A common theme in cyberattacks today is that many are driven by a lack of security awareness, and this is accentuated with IoT security,” said Kevin Simzer, chief operating officer for Trend Micro in a press release.

“It’s a good first step to see that IT leaders recognize awareness levels need to rise across the organization. We recommend business leaders clearly acknowledge the IoT security challenges affecting their company, understand where their security requirements lie, and invest accordingly to make their security goals a reality.”

Despite an awareness that 59% of IoT attacks target corporate office devices, more than half of the participants said they have not yet identified the key capabilities that should be prioritized in their security solutions. Also, 37% claimed they’re not always able to define their security needs before implementing IoT solutions, according to the survey.

This lack of IoT security awareness leaves organizations exposed to damaging cyber-attacks, according to Trend Micro, particularly since manufacturing and supply-chain devices are next in line among the most frequently targeted types of IoT device.

To mitigate the risks of cyber-attacks resulting from compromised IoT, survey participants said they have a need for vulnerability management solutions and tools that monitor networks for anomalous behavior. Trend Micro recommends a strong network defense approach to ensure IoT devices do not add security risk at any part of a corporate network.

Source: Information Security Magazine

Malvertising in Apple Pay Targets iPhone Users

The Media Trust has discovered a recent malvertising campaign involving Apple Pay that is part of a large-scale phishing and redirect campaign targeting iPhone users visiting premium newspapers and magazines.

In today’s blog post, Michael Bittner, digital security and operations manager at The Media Trust, wrote that the campaign was discovered when the security team helped “a winner of several Pulitzer Prizes and one of the largest daily newspapers on the West Coast, thwart a large-scale phishing and redirect campaign targeting iPhone users visiting premium newspapers and magazines.”

Disguised as a legitimate ad, the malware, dubbed PayLeak, delivers those newspaper or magazine visitors who click on the ad to a malicious domain registered in China. Upon arriving, the malware then checks to see whether the visitor’s device is in motion or at rest, upright or lying down and whether it is an Android or iPhone. In addition to determining whether the browser platform in use is Linux x86_64, Win32 or MacIntel, the malware also confirms whether there is malware detection technology running on the device.

When those conditions are detected, Android users are redirected to a fraudulent phishing site that falsely claims that they have won an Amazon gift card. The iPhone users, however, receive two successive popups. The first one is an alert that the device itself needs updating, followed by an additional notice that the Apple Pay app needs updating.

The popup messages are highly sophisticated, particularly the Apple Pay credit card information screen, which is convincingly identical in appearance to the genuine Apple Pay screen where users enter their credit card details.

Credit: The Media Trust

Unsuspecting users then share their credit card information, while the malware logs additional device information, including the iOS version and IP address, and sends that data to a malicious command-and-control server. According to Bittner, this information could potentially be used for future man-in-the-middle attacks.

“Targeted sites with weaker security measures, such as those that do not monitor their digital environments for unauthorized code, could risk leaking their users’ sensitive information and leave the latter exposed,” Bittner warned.

Source: Information Security Magazine

Hackers Linked to Russia Impersonate US Officials

In a targeted campaign directed at multiple organizations across law enforcement, media, pharmaceutical and other public sectors, hackers with alleged ties to the Russian government have been trying to infiltrate US government computers and networks, according to a new report published by FireEye.

Malicious phishing activity believed to be conducted by the advanced persistent threat (APT) hacking group APT29, also known as Cozy Bear, was detected on November 14, 2018. According to the FireEye report, “The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.”

Attackers reportedly compromised the email server of a hospital and a consulting company’s corporate website in order to distribute phishing emails. “The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy,” FireEye said.

Impersonating an official from the US Department of Public Affairs, attackers distributed the phishing emails, which dropped a publicly available form from the US Department of State using a Cobalt Strike Beacon. The majority of targeted victims reported having received fewer than three emails, though the report noted that one target received 136 emails.

The activity is still being analyzed, and while FireEye has identified key similarities in tactics that correlate with past Cozy Bear activity, “the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file.”

Brandon Levene, head of applied intelligence at Chronicle, confirmed that the TTPs used in this case are identical – down to the metadata – to those attributed to APT29 in 2016. “It’s odd that the exact same techniques were reused given that they have nation-state resources to develop malware,” Levene said.

“If the reports that media is a target are true, it would be interesting and could show that attackers are attempting to observe and manipulate news cycles. For instance, attackers would have advance notice of news stories and could prepare social media posts to go out when the news hits that could discredit the news or otherwise manipulate it.”

FireEye also noted that if evidence supports the suspicion that the activity is coming from Cozy Bear, this will be the first uncovered activity of the group in at least a year. “The attackers will likely remain active and come back with more sophisticated intrusion attempts since this campaign was quickly discovered. They’re going to be forced back to the drawing board,” said Levene.

Source: Information Security Magazine

UK Government Failing on CNI Security, Say MPs

The government is failing to act with a “meaningful sense of purpose or urgency” to tackle the growing threat to critical national infrastructure (CNI), despite itself acknowledging the risks, according to a new parliamentary report.

The Joint Committee on the National Security Strategy report comes days after it criticized slow government progress on addressing crucial skills shortages in the sector.

Noting the impact of WannaCry on the NHS, increasingly destructive attacks launched by nation states such as Russia, and the threat from organized crime groups that “are becoming as capable as states,” it cited the National Cyber Security Centre (NCSC)’s assessment that a major CNI attack is a matter of “when not if.”

“Identifiable political leadership is lacking. There is little evidence to suggest a ‘controlling mind’ at the center of government, driving change consistently across the many departments and CNI sectors involved,” it warned.

“Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”

Although the NCSC is doing good work, its limited resources threaten to be overwhelmed, while important regulation in the form of the NIS Directive covers only certain sectors, and in any case has been driven by leadership from the EU.

Part of the problem lies with the 2016 National Cyber Security Strategy, which doesn’t set out clearly defined objectives for protecting CNI. The government should therefore publish annual reports to improve transparency, which would also provide an opportunity to tweak the strategy in response to changing threats, the committee advised.

The government should also review each sector’s inter-dependencies and maturity and gain greater visibility into why the market has so far failed to deliver improved cyber resilience. A CNI-wide threat- and intelligence-led penetration testing program was recommended.

Regarding the necessary cultural change needed to improve cybersecurity in CNI organizations, the committee urged the government to consider improving board-level expertise and accountability, encouraging the management of supply chain risk, and the promotion of cyber insurance.

“We are struck by the absence of political leadership at the center of government in responding to this top-tier national security threat,” said committee chair, Margaret Beckett.

“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasizes the need for continual improvement to cyber resilience across CNI sectors.”

Experts welcomed the report’s findings.

“The Joint Committee is right to point out the importance of securing not just critical infrastructure itself, but the entire supply chain that supports it. We must never forget to question what an adversary might do to tamper with supply or design chains, even in areas such as open source software, where a cyber-criminal could introduce defects that practically an entire industry might use for many years,” said McAfee chief scientist, Raj Samani.

“Greater levels of transparency around technology design are vital. We need more visibility into what different components do, and how they do it. We also need greater visibility into what they should and shouldn’t be doing. More effort must be made to secure the most sensitive components of technology upon which we rely every day.”

Talal Rajab, head of cyber and national security at industry body, techUK, added that the issue required “utmost vigilance.”

“Much has changed since the strategy was published in 2016, with the threat to government and businesses constantly evolving,” he argued. “As the current strategy draws to a close, it is vital that cybersecurity becomes business as usual across all areas of government. The appointment of a Cabinet Office Minister designated as a cybersecurity lead could help ensure government remains one step ahead of the threat and drive real change across departments.”

Source: Information Security Magazine

ICO Breach Reports Continue to Rise in Q2

The number of data security incidents reported to the Information Commissioner’s Office (ICO) has jumped 29% from Q1 to Q2, according to the latest figures.

While 3146 incidents were reported to the watchdog between April and June this year, the number rose to 4056 for the succeeding three months, highlighting the continued impact of the GDPR which mandates 72-hour breach notifications.

The overall increase in reported incidents year-on-year is a whopping 490%.

“Similar to what we observed in the ICO’s previous report, this doesn’t necessarily mean that organizations are experiencing more incidents — but it definitely means that more are now being reported,” said Egress Software Technologies CEO, Tony Pepper. “The increased awareness for organisations to tread carefully has been fuelled by GDPR, as well as the significant data breach incidents that recognizable brands have suffered.”

Disclosure of data usually accounted for the majority of incidents reported in each sector, followed by “security”.

The “general business” category accounted for the majority of incidents during the July-September period (847), followed by health (619), legal (311) and local government (300).

However, according to Egress, the biggest rise in reported incidents came from the media sector (633%), albeit from a low figure. General business (87%), legal (63%), transport and leisure (57%) and finance (49%) also saw significant increases.

The two biggest fines issued by the ICO during the period were the maximum £500,000 levied against Equifax for its notorious 2017 breach and £175,000 against private healthcare provider Bupa.

The value of fines increased 24% in the year to September 30 versus the previous year, to reach nearly £5m, but there are potentially much bigger penalties on the way under the new regime, a law firm has warned.

While the GDPR has raised awareness of data breaches and improved reporting, it is also threatening to overwhelm the regulator. The ICO complained in September that it has been receiving 500 calls per week to its helpline since the new law landed in May.

Source: Information Security Magazine

Instagram Bug, Now Fixed, Exposed User Passwords

A security flaw in Instagram’s Download Your Data, a tool released in April this year, reportedly could have exposed user passwords, but the bug has now been fixed, according to multiple news reports. Apparently, the issue was that as part of the Download Your Data process, a URL containing the user’s password would have been emailed to the user.

“While this may seem somewhat harmless (the user sees his/her own password), it is actually quite dangerous. E-mail is not a secure communication channel for transmitting passwords,” said Amit Sethi, senior principal consultant at Synopsys.

“Several e-mail servers might have had access to the passwords, they may have been transmitted in clear text in some cases, and they would have been stored on some email servers and on the users’ devices. Some users may have even accessed the URLs on public computers, which may have exposed their passwords to other users. Given that users often reuse passwords on multiple sites, the impact goes beyond just Instagram accounts.”

Because email was involved, Sethi said that manual security testing would be required to find this security issue. “This is yet another example that illustrates why we cannot rely solely on automated tools for testing applications.”
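The defect described above is a URL carrying a credential that then travels through mail servers, mailbox stores and browser histories. The following check, an added example rather than Instagram's code, is the kind of targeted gate a team can put in front of its outbound e-mail templates once this failure mode is understood; the parameter names and sample URLs are constructed.

```python
"""Pre-send check: refuse to e-mail (or log) a URL that carries a credential.

Added example, not Instagram's code. SENSITIVE_KEYS and the sample message
are constructed for illustration; a real deployment would tune the key list
to its own application's parameter names.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query/fragment keys that must never appear in a URL (assumed list).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "pass", "secret",
    "token", "access_token", "session", "sessionid",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_sensitive_params(url: str) -> list[str]:
    """Names of query/fragment parameters (or userinfo) that look like secrets."""
    parts = urlsplit(url)
    found = [
        key
        for blob in (parts.query, parts.fragment)
        for key, _ in parse_qsl(blob, keep_blank_values=True)
        if key.lower() in SENSITIVE_KEYS
    ]
    # https://user:pw@host/ also places a credential in the URL.
    if parts.password is not None:
        found.append("userinfo-password")
    return found


def redact_url(url: str) -> str:
    """Return the URL with every sensitive value replaced; leave the rest untouched."""
    parts = urlsplit(url)

    def scrub(blob: str) -> str:
        pairs = parse_qsl(blob, keep_blank_values=True)
        if not any(k.lower() in SENSITIVE_KEYS for k, _ in pairs):
            return blob  # nothing to hide: keep the original encoding as-is
        return urlencode(
            [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
        )

    netloc = parts.netloc
    if parts.password is not None:
        host = parts.hostname or ""
        if parts.port:
            host = f"{host}:{parts.port}"
        netloc = f"{parts.username}:REDACTED@{host}"
    return urlunsplit(
        (parts.scheme, netloc, parts.path, scrub(parts.query), scrub(parts.fragment))
    )


def scan_message(body: str) -> dict[str, list[str]]:
    """Map every URL in an outbound message body to the secret keys it leaks."""
    return {
        url: keys
        for url in URL_RE.findall(body)
        if (keys := find_sensitive_params(url))
    }


def safe_to_send(body: str) -> bool:
    """Gate for a mail pipeline: False if any URL in the body leaks a secret."""
    return not scan_message(body)


# Constructed sample of the kind of message the defect would have produced.
SAMPLE_BODY = (
    "Your data export is ready:\n"
    "https://example.invalid/download?user=alice&password=hunter2&file=export.zip\n"
    "Help: https://example.invalid/help\n"
)

if __name__ == "__main__":
    for url, keys in scan_message(SAMPLE_BODY).items():
        print(f"LEAK {keys}: {redact_url(url)}")
    print("safe to send:", safe_to_send(SAMPLE_BODY))
```

Running the same check over server access logs and reverse-proxy logs catches the second half of the exposure path, where the emailed URL is eventually requested and recorded.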

Infosecurity Magazine contacted Instagram, but as of the time of publication, the company had not responded. The Information reported that Instagram notified its users about a flaw that potentially left passwords publicly exposed. An Instagram spokesperson told The Information that the issue was discovered internally and only impacted “a small number of people.”

“Regardless of the number of individuals affected, this event raises major concerns about the way that Instagram is handling its users' data. In light of the fact that Facebook owns Instagram and has been experiencing a number of security debacles of its own, it should come as little surprise that Instagram is now exhibiting similar issues,” said Rich Campagna, CMO, Bitglass.

“The need for comprehensive cybersecurity measures is widely known today; however, many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties. Unless organizations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”

Source: Information Security Magazine

Database Misconfiguration Leaks 26 Million SMS Messages

A San Diego, California–based communications provider, Voxox, exposed a database containing at least 26 million text messages, including password reset links, two-factor authentication (2FA) codes and shipping notifications. The database was not password protected, which led to the exposure of personal information, phone numbers and 2FA codes in near real time.

“Unfortunately, these 26 million 2FA codes, password reset links and delivery tracking details leave the exposed individuals easy targets for threat actors engaged in account hijacking,” said Mark Weiner, CMO, Balbix. “A basic misconfiguration like the one that caused this exposure should never occur; implementing a password is a simple but crucial first step in securing data. The organization and its customers might still be secure if they had early visibility into vulnerabilities across their entire attack surface – including passwords – and been able to correct it shortly after launching the service.

“It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of attack vectors. Security platforms developed with artificial intelligence and machine learning are essential to support security teams and proactively manage risk.”

The latest exposure raises questions about whether organizations have become too reliant on passwords and 2FA to verify user identities and whether user credentials can ever be fully secured.

“In this latest example, the use of a simple two-factor authentication method – a one-time passcode sent over SMS – could be easily intercepted in near time, eroding any possibility of establishing a level of trust,” said Keith Graham, chief technology officer of SecureAuth. “As organizations seek to prevent credential-based breaches, they must move beyond password and simple two-factor authentication methods, which are no longer enough to safeguard against today’s attacks.”

Still, the messages were sent in clear text with the ability to link a user’s mobile phone number to a service provider, which Michael Magrath, director, global regulations and standards, OneSpan Inc., said opens the door to serious privacy infringements. “The fact that one-time password (OTP) codes were sent via SMS in clear text reinforces NIST’s decision to classify SMS-OTP as a restricted form of authentication in its 2017 revision of Special Publication 800-63-3, Digital Identity Guidelines. Like passwords, SMS OTPs are vulnerable to attacks and can be intercepted and reused.

“The only good news to come out of this for California-based Voxox is that these security infractions occurred before the California Consumer Privacy Act of 2018 goes into effect in January 2020.”

Source: Information Security Magazine

2FA Login Failure in Office 365 and Azure

According to tweets from Microsoft, the company is investigating reports that Azure and Office 365 are again suffering issues that are leaving users unable to log in using multifactor authentication (MFA). When users enter their login credentials and are sent an SMS with a two-factor authentication (2FA) code, the screen does not advance to let the user enter the code, according to a Reddit discussion.

Azure Support also tweeted, “Engineers are actively investigating an ongoing issue affecting Azure Active Directory, when Multi-Factor Authentication is required by policy.”

News of the issue comes less than a month after a reported login problem that left many admins and users unable to access their accounts for several hours. This latest issue is affecting users globally, with people in Norway, Australia and the United States expressing frustration on social media.

The most recent status update from Azure as of publication time stated: “Starting at 04:39 UTC on 19 Nov 2018 customers in Europe and Asia-Pacific regions may experience difficulties signing into Azure resources, such as Azure Active Directory, when Multi-Factor Authentication is required by policy.

“Engineers have deployed the hotfix which eliminated a connection between Azure Identity Multi-Factor Authentication Service and a backend service. The deployment of this Hotfix took some time to take effect across the impacted regions. We are seeing a reduction in errors, and customers may be seeing signs of recovery and authentications are succeeding.”

Since the hotfix has been deployed, engineers are continuing to monitor the ongoing performance and will provide updates as necessary.

“Another day, another Office 365 disruption, and another nuisance for admins and employees alike. With less than a month between disruptions, incidents like today’s Azure multifactor authentication issue pose serious productivity risks for those sticking to a software-as-a-service monoculture,” said Pete Banham, cyber resilience expert at Mimecast.

“With huge operational dependency on the Microsoft environment, no organisation should trust a single cloud supplier without an independent cyber resilience-and-continuity plan to keep connected and productive during unplanned, and planned, email outages. Every minute of an email outage could cost businesses hundreds and thousands of pounds. Without the ability to securely log in, knowledge worker employees are unable to do their jobs. The question is if your work email and productivity are dependent on Office 365, how much have these hours of disruption cost you so far?”

Source: Information Security Magazine

Vision Direct Notifies Customers of Data Compromise

Vision Direct has apologized after customers' personal and financial details were found to have been leaked.

According to a statement, the data was compromised between November 3 and 4, 2018 “when entering data on the website and not from the Vision Direct database” and included full names, billing addresses, email addresses, passwords and telephone numbers. Payment card information, including card number, expiry date and CVV, was also compromised. However, PayPal users are unaffected, Vision Direct confirmed.

“As the information was compromised as it was being entered into the site, any existing personal data that was previously stored in our database was not affected by the breach,” it said. “All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach.”

Anyone who visited the website and did not enter details should not be affected, it confirmed.

“We understand that this incident will cause concern and inconvenience to our customers,” Essential Retail reported. “We are contacting all affected customers to apologize and continue to inform you of any updates in the next few days.”

Source: Information Security Magazine

40% of UK Shoppers Want Cyber Monday Bargains, Half Willing to Buy from Previously Breached Retailers

A new survey of 1000 UK consumers has found that 40% of UK shoppers are planning to make the most of big-name discounts available on Black Friday and Cyber Monday, with half of those stating they are happy to buy from retailers that have suffered a breach in the past.

The findings, from DomainTools, show that UK shoppers are just as keen as their US counterparts to spend online this winter period, and are even willing to overlook security concerns at previously breached retailers.

However, on a more positive note, DomainTools did discover that 63% of respondents are more likely to cross-reference email domains with legitimate retailers’ URLs, which can go a long way toward preventing successful phishing attacks.

“The results of the survey provide us with both positive and negative outcomes,” said Corin Imai, senior security advisor at DomainTools.

“While it’s undoubtedly encouraging that respondents are more likely to check email addresses for tell-tale signs of phishing, it is concerning that so many remained happy to use companies which had been breached in the past. If customer details are accessed by cyber-criminals, it can leave them vulnerable to a variety of further crimes, up to and including identity theft. Consumers should be sending the message to companies that data protection matters.” 
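The domain cross-check the survey credits shoppers with doing by hand can be written down as a function a mail filter or awareness tool could run. This is an added example, not DomainTools' code; the retailer domains and sample headers are constructed, and the public-suffix handling is a deliberate simplification.

```python
"""Cross-reference a sender domain against a retailer's known legitimate domains.

Added example, not DomainTools' code. KNOWN_RETAILER_DOMAINS, SECOND_LEVEL
and the sample headers are constructed; SECOND_LEVEL stands in for a full
public-suffix list.
"""
from email.utils import parseaddr

# Assumption: the retailer's genuine registrable domains, maintained by hand.
KNOWN_RETAILER_DOMAINS = {"shop-example.co.uk", "shop-example.com"}
# Second-level labels under which the registrable name sits one label deeper.
SECOND_LEVEL = {"co", "org", "ac", "gov", "net"}
# Digit-for-letter swaps common in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Strip subdomains: mail.shop-example.co.uk -> shop-example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as shop-exmaple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold homoglyphs so sh0p-exarnple.com compares equal to shop-example.com."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m")


def check_sender(from_header: str) -> tuple[str, str]:
    """Classify a From: header as ok / suspicious / unknown / reject, with a reason."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("reject", "no usable sender address")
    domain = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(domain)
    if reg in KNOWN_RETAILER_DOMAINS:
        return ("ok", reg)
    for known in sorted(KNOWN_RETAILER_DOMAINS):
        # Genuine name used as a subdomain of someone else's registrable domain,
        # e.g. orders@shop-example.co.uk.account-verify.example
        if known in domain or known.split(".")[0] in domain.split("."):
            return ("suspicious", f"known name {known} embedded in {domain}")
        # Typo- or homoglyph-squat within two edits of the genuine domain.
        if levenshtein(normalise(reg), normalise(known)) <= 2:
            return ("suspicious", f"{reg} resembles {known}")
    return ("unknown", reg)


# Constructed headers of the kind a shopper might see around Cyber Monday.
SAMPLE_HEADERS = [
    "Shop Example <orders@mail.shop-example.co.uk>",
    "Shop Example <orders@shop-example.co.uk.account-verify.example>",
    "Shop Example Offers <deals@sh0p-example.com>",
    "Newsletter <promo@deals-newsletter.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = check_sender(header)
        print(f"{verdict:10} {reason}")
```

The header check only establishes that the claimed sender domain is plausible; whether the message really came from that domain is a question for SPF, DKIM and DMARC results, which this function does not look at.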

Source: Information Security Magazine