
Archive for the News Category

UK ICO Investigates Facial Recognition Technology in King's Cross

The UK Information Commissioner's Office (ICO) has launched an investigation into the use of facial recognition technology in London's King's Cross. The announcement followed news of the technology's use at Granary Square, a large, private development in the area.

Granary Square is a 67-acre development comprising 50 buildings. Press reports detailing the use of facial recognition in security cameras at the site first surfaced on Monday. According to the Guardian, its developers, Argent, Hermes Investment Management and AustralianSuper, admitted to using facial recognition technology "in the interest of public safety and to ensure that everyone who visits has the best possible experience."

The ICO acknowledged media reports that facial recognition was in use around King's Cross and pledged to investigate, calling the technology "a potential threat to privacy that should concern us all." Use of facial recognition systems without people's knowledge is a particular worry, Information Commissioner Elizabeth Denham added.

"As well as requiring detailed information from the relevant organisations about how the technology is used, we will also inspect the system and its operation on-site to assess whether or not it complies with data protection law," Denham said in a statement.

"Put simply, any organisations wanting to use facial recognition technology must comply with the law – and they must do so in a fair, transparent and accountable way," she added. "They must have documented how and why they believe their use of the technology is legal, proportionate and justified."

This isn't the first time that privacy advocates have expressed concerns about the use of facial recognition technology in central London. In December, privacy campaigners attacked the Metropolitan Police force for using the technology in Soho, Piccadilly Circus and Leicester Square.

In May, San Francisco voted to ban the use of facial recognition by city departments altogether, making it the first city to do so. Oakland, California, and Somerville, Massachusetts, followed suit. July saw the House of Commons Science and Technology Committee recommend a suspension of facial recognition trials by the UK Government until the technology can be properly evaluated.

Source: Information Security Magazine

1.5% of Web Logins Use Breached Credentials

It's official: 1.5% of web logins use breached credentials, according to research published by Google. The company analyzed its own data to reach that number, which it presented at the USENIX conference this week.

Many websites still rely on only a combination of username and password to grant users access. Large data breaches have leaked billions of these credentials online, and they have been documented in databases like cybersecurity researcher Troy Hunt's Have I Been Pwned. People who reuse their email and password combinations across different sites are therefore vulnerable to credential-stuffing attacks, in which cyber-criminals attempt to access multiple websites using their stolen credentials.

In February, Google published an extension to the Chrome browser called Password Checkup. When a user enters credentials into a website, Google checks them against a database of over four billion breached usernames and passwords, warning the user if those credentials have been stolen and published in the public domain.

In the first month of operation, almost 670,000 people participated in the service, logging in 21 million times. Of those logins, 1.5% involved breached credentials, the research found.

People reused breached credentials on over 746,000 distinct domains, Google said. Video streaming and adult websites were most at risk of hijacking. Up to 6.3% of logins at those sites relied on breached credentials. Comparatively, only 0.3% of logins involved breached passwords at financial sites, and only 0.2% at government sites, the company said in a blog post yesterday. This could be because those sites had stricter password requirements, said the report. You probably couldn't use your dog's name as a password on many government sites, unless your dog's name happened to be "hs#s8d77sD^a," it said.

The research found that users took steps to reset one in four (86%) of unsafe passwords flagged by the Password Checkup extension. Of the new passwords, 94% were as strong or stronger than the originals, and an encouraging 60% were strong enough to be secure against brute-force dictionary attacks, in which it would take an attacker over 100 million guesses to identify the new password.

Source: Information Security Magazine

Data Breach Numbers Skyrocket in 2019

The number of data breaches spiked dramatically in the first half of this year compared to previous years, according to a report from vulnerability intelligence company Risk Based Security. Its analysis found that breach numbers for the first six months of 2019 grew by 54% compared to the same period last year, while the number of exposed records grew 52%.

The growth in data breach volume bucks a trend that saw the number of breaches plateau in 2017 and 2018.

"The reason? Over 1,300 data leaks, mostly exposing email addresses and passwords, were documented in the first half of 2019," the report said. "Although these tend to be relatively small events, averaging fewer than 230 records exposed per incident, these leaks have contributed substantially to the number of access credentials freely available on the Internet."

The number of records exposed in 1H 2019 (4.19 billion) may be larger than in 2019 (2.74 billion), but historical record volumes are more erratic. The first half of 2017 saw six billion records exposed, the report said.

According to the report, eight breaches within the first half of this year accounted for 3.2 billion breached records, or 78.6% of the total. Three of the breaches were among the largest of all time.

Six of the top eight breaches stemmed from misconfigured databases or web applications: (982 million records), First American Financial (885 million), Cultura Colectiva (540 million), two unknown organizations in India and China (275 million and 202 million, respectively) and Justdial (100 million).

Web-based breaches like these are by far the most common in terms of exposed records, accounting for 79% of total breaches in the first half of the year.

Only two of the top eight – Dubsmash's 161 million-record breach and Canva's loss of 139 million records – were down to other hacking techniques.

The number of breaches doesn't tell the whole story, either. While the first half of this year yielded more breaches than ever before, the majority had a moderate to low severity score and exposed 10,000 records or fewer.

The type of data stolen also plays a part. Email addresses and passwords are still the primary records stolen, present in 70% and 65% of stolen data sets, respectively. These can be used for credential stuffing when shared across multiple sites, but they can also be changed, the report points out.

More critical data was less commonly stolen. Addresses, credit card and Social Security numbers were only stolen in 11% of attacks, with account numbers only showing up in 10%.

Source: Information Security Magazine

ECB Shuts Site After Subscriber Data Breach

The European Central Bank (ECB) has been forced to shut down one of its websites following a cyber-attack which may have compromised customer data.

The bank said in a brief statement that hackers had compromised its Banks’ Integrated Reporting Dictionary (BIRD) website, which is hosted by an external third party.

It claimed that malware had been injected onto the server “to aid phishing activities.”

“As a result, it was possible that the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured,” the statement continued.

“The affected information consists of the email addresses, names and position titles of the subscribers. The ECB is contacting people whose data may have been affected.”

The BIRD website is said to provide the banking industry with information designed to help produce statistical and supervisory reports.

The ECB said that because the BIRD site is physically separate from all other external and internal ECB systems, no market-sensitive data has been affected by the incident.

The BIRD website has been closed until further notice, and the European Data Protection Supervisor has been informed of the breach.

This isn’t the first time the ECB has been hit by hackers. In 2014, attackers managed to compromise a database containing website form data – stealing 20,000 email addresses which they then tried to hold to ransom.

The financial sector has always been a major target for hackers.

It has seen a 67% increase in security breaches over the past five years, with the average cost of cybercrime for financial institutions jumping $1.4m over the past year to reach $13m, according to an Accenture report from earlier this year.

Source: Information Security Magazine

Apache Struts Called Out For Incorrect Security Advisories

A leading open source project has come under fire for issuing misleading security advisories which may have put customers of its software at unnecessary risk.

Security vendor Synopsys analyzed 115 separate releases for popular web application framework Apache Struts and matched them up against the relevant advisories from the open source project.

In total, 24 of the 57 Apache Struts security advisories – nearly half – made mistakes when listing the versions of the framework that were impacted by vulnerabilities.

In fact, 61 additional versions of Apache Struts were impacted by at least one previously disclosed vulnerability, potentially exposing users to attack.

“While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment,” Synopsys argued.

“Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.”

On the plus side, the Apache Software Foundation and Apache Struts team were praised for their “diligence” in collaborating with Synopsys on fixing the mistakes. An updated Apache Struts Security Advisories page was published earlier this week.

Apache Struts will be known to many as the web app framework which Equifax failed to patch back in 2017, leading to a major breach of personal and financial information on more than half of all Americans and millions of UK consumers.

That incident has already cost the credit agency in excess of $1bn, as well as the jobs of the CEO and other senior executives.

Source: Information Security Magazine

Network Deception Techniques Cut Dwell Times, Says Report

Companies using decoy systems to lure hackers away from legitimate targets spot hackers in their networks much more quickly than those who don't, according to a survey released today. The study, conducted by analyst company Enterprise Management Associates (EMA) and commissioned by deception technology vendor Attivo Networks, found that companies using deception techniques detected hackers on the network almost two months sooner than those that didn't use the techniques.

Deception technology attempts to throw attackers off the trail by offering up decoy assets for them to attack. Modern solutions include things like fake credentials, browser histories and registry entries, which lure attackers to decoy systems. They are typically invisible to legitimate network users but accessible via dual-use tools like PowerShell, which attackers often use to traverse networks.

EMA surveyed 208 respondents, ranging from IT managers through to CISOs and line-of-business managers, across various sectors. Roughly half of the organizations (55%) used deception technology. Of those that did, around half used commercial solutions, while 18% relied on traditional honeypots or honey nets and 30% used homegrown or open source solutions.

One of the most significant differences in the effects of deception technology was on dwell time (the length of time that attackers lurk in the company network). On average, respondents who had discovered attackers in their infrastructure reported a 31.9-day dwell time. Users of deception technology who considered themselves highly familiar with it reported a dwell time of 5.5 days in their networks, compared with nonusers, who said that companies faced a 60.9-day dwell time.

Those that used deception technology most often created decoy IT infrastructure systems like LDAP servers and IT network devices like switches and routers. Almost one in five (19%) of respondents emulated these systems, with enterprise applications like CRM and ERP coming a close second at 15%. They most often deployed decoy technology in cloud-hosted systems and applications, followed by their own applications and servers.

The use of deception technology also played a part in how companies discovered breaches. On average, 26% of respondents learned of breaches from outsiders. Fewer than one in five (18%) companies using deception technology found out about breaches this way, compared to 36% of the companies that didn't use it.

Source: Information Security Magazine

Clickjacking Still Popular Among Online Scammers

Clickjacking is alive and well, hijacking browsers that visit hundreds of popular websites, according to research released this week. A paper published by researchers at the Chinese University of Hong Kong, Microsoft Research, Seoul National University, Purdue University, and Pennsylvania State University, found that many of the world's most popular sites are still fooling visitors into following deceptive links to unexpected destinations.

Clickjacking is a well-established technique in which third-party scripts or browser extensions hijack users' clicks, redirecting them to alternate locations. Online crooks can use hijacked clicks to download malware to a victim's computer or to commit advertising fraud, redirecting clicks to online ads and earning commission.

Advertising click fraudsters once relied on bots to click online ads automatically at scale, but ad networks got wise to this practice. Instead, attackers have recently begun redirecting legitimate page clicks from real users, the paper says.

The researchers developed their own browser analysis system, called Observer, and used it to monitor JavaScript-based URL access. They used Observer to analyze the top 250,000 websites on traffic-analysis site Alexa.

Observer found 613 websites using 437 third-party scripts that intercepted user clicks. That may not sound like many, but the websites collectively received 43 million daily visits, according to the paper.

These scripts tricked users into following links by disguising them as legitimate site content. Observer spotted 3,251 clickjacking destination URLs, with 36% related to online advertising.

Attackers used three devious techniques to intercept user clicks. One involved intercepting hyperlinks by tampering with tags or embedding hyperlinks in huge page elements that covered at least 75% of the browser window. The second used event handlers such as navigation event listeners, which would open the malicious URL when the user clicked anything on a page.

The final technique was visual deception, which either mimicked legitimate page content such as Facebook Like buttons or put a transparent overlay element over legitimate content. Attackers could use either approach to hijack a user's click on a button or other page element.
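The three interception patterns described above can be checked for from the defender's side with simple layout heuristics. The following is an added example, not the researchers' Observer system; it audits constructed element descriptors (in a browser they would come from getBoundingClientRect() and getComputedStyle()), and the selectors, URLs and the clickNavigatesTo field are assumptions for illustration.

```javascript
// Added example: a DOM-free audit for the three click-interception patterns
// the paper describes (oversized link elements, page-wide navigation
// handlers, transparent overlays). Element descriptors are constructed here;
// this is illustrative detection logic, not the researchers' Observer tool.

const COVERAGE_THRESHOLD = 0.75; // the paper's "at least 75% of the window"

// Fraction of the viewport area covered by an element's rectangle,
// clipped to the visible region.
function viewportCoverage(rect, viewport) {
  const left = Math.max(rect.x, 0);
  const top = Math.max(rect.y, 0);
  const right = Math.min(rect.x + rect.w, viewport.w);
  const bottom = Math.min(rect.y + rect.h, viewport.h);
  if (right <= left || bottom <= top) return 0;
  return ((right - left) * (bottom - top)) / (viewport.w * viewport.h);
}

function isTransparent(el) {
  return el.opacity !== undefined && el.opacity <= 0.05;
}

// Element navigates on click either via a hyperlink or a click handler
// (clickNavigatesTo is an assumed field standing in for an observed handler).
function navigates(el) {
  return Boolean(el.href) || Boolean(el.clickNavigatesTo);
}

// Returns one finding per suspicious element: { selector, kind, detail }.
function auditElements(elements, viewport) {
  const findings = [];
  for (const el of elements) {
    const coverage = viewportCoverage(el.rect, viewport);
    // 1. Hyperlink embedded in an element covering most of the window
    if (el.href && coverage >= COVERAGE_THRESHOLD) {
      findings.push({ selector: el.selector, kind: "oversized-link",
        detail: `covers ${(coverage * 100).toFixed(0)}% of viewport` });
    }
    // 2. Transparent element that still receives clicks above other content
    if (isTransparent(el) && el.pointerEvents !== "none" && navigates(el) && coverage > 0) {
      findings.push({ selector: el.selector, kind: "transparent-overlay",
        detail: `opacity ${el.opacity}, z-index ${el.zIndex === undefined ? "auto" : el.zIndex}` });
    }
    // 3. Navigation listener bound at page level: any click opens a URL
    if ((el.tag === "body" || el.tag === "html") && el.clickNavigatesTo) {
      findings.push({ selector: el.selector, kind: "page-wide-navigation",
        detail: `click anywhere opens ${el.clickNavigatesTo}` });
    }
  }
  return findings;
}

// Constructed sample page: a legitimate button, an oversized link wrapper,
// an invisible clickable overlay and a body-level navigation handler.
const SAMPLE_VIEWPORT = { w: 1280, h: 800 };
const SAMPLE_ELEMENTS = [
  { selector: "button#like", tag: "button", rect: { x: 100, y: 100, w: 120, h: 40 },
    opacity: 1, pointerEvents: "auto" },
  { selector: "a.wrap", tag: "a", href: "https://ads.example/redirect",
    rect: { x: 0, y: 0, w: 1280, h: 700 }, opacity: 1, pointerEvents: "auto" },
  { selector: "div.overlay", tag: "div", href: "https://ads.example/click",
    rect: { x: 0, y: 0, w: 400, h: 300 }, opacity: 0, pointerEvents: "auto", zIndex: 9999 },
  { selector: "body", tag: "body", clickNavigatesTo: "https://ads.example/any",
    rect: { x: 0, y: 0, w: 1280, h: 800 } },
];
```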

Source: Information Security Magazine

Researchers Discover Stealthy Crypto-Miner “Norman”

Security researchers have found a stealthy new cryptocurrency mining malware variant which was used as part of an attack that infected almost an entire organization.

After being notified of unstable applications and network slowdowns in a client organization, security firm Varonis decided to investigate further.

“Almost every server and workstation was infected with malware. Most were generic variants of cryptominers. Some were password dumping tools, some were hidden PHP shells, and some had been present for several years,” it explained in a blog post.

“Out of all the cryptominer samples that we found, one stood out. We named it ‘Norman’.”

Norman is a high-performance miner of Monero currency that differed from many of the other samples discovered in its sophisticated attempts to stay hidden.

Unusually, it is compiled with Nullsoft Scriptable Install System (NSIS), an open source system usually employed to create Windows installers.

The injection payload is designed to execute a cryptocurrency miner and stay hidden, said Varonis.

It avoids detection by terminating the miner function when a curious user opens the Task Manager. Once the Task Manager is closed, it re-injects the miner and starts again.

The miner itself is XMRig, obfuscated in the malware by UPX and injected into either Notepad or Explorer depending on the execution path.

Varonis believes the cryptocurrency mining malware it discovered could be linked to a PHP shell it found in the victim organization continually connecting to a command-and-control (C2) server. Like Norman, the PHP shell used DuckDNS for C2 comms.

“None of the malware samples had any lateral movement capabilities, though they had spread across different devices and network segments,” the firm explained. “Though the threat actor could have infected each host individually (perhaps via the same vector used in the initial infection), it would have been more efficient to use the PHP-Shell to move laterally and infect other devices in the victim’s network.”

However, it also claimed there were no coding similarities between the two, or communications capabilities between the crypto-mining malware and PHP shell.

The malware authors could be French speaking, given the language was present in some of the code.

Varonis urged firms worried about crypto-jacking to: keep operating systems up-to-date; monitor network traffic and web proxies; maintain anti-virus on endpoints; keep an eye on DNS and CPU activity; and have an incident response plan ready and tested.

Source: Information Security Magazine

#Alevelresults: Cybersecurity Options Appear

While around a third of 18-year-olds have been accepted for a university place through UCAS, new opportunities have been opened for cybersecurity experience.

Although statistics from UCAS show that 28.5% of the 18-year-old population have been accepted through UCAS, with 33,630 international students from outside the EU and 26,440 students from within the EU accepted, there is an overall 1% decrease in the number of people placed on undergraduate courses in the UK so far.

However, options exist for those students looking for a career path into cybersecurity, which “are a really good alternative to the stress of Clearing” according to CREST president Ian Glover.

He told Infosecurity that cybersecurity higher apprenticeships are not only an alternative route for those who do not get their first or second choice of university course, but also provide an excellent way to get a degree, along with work experience, without having to take on large student loans.

“Programs like the government’s cyber apprenticeships that provide structured learning, with assessed work activities, result in qualifications and experience that allow young people to enter and progress in the cybersecurity profession,” he said. “It also opens up a career in cybersecurity to a far wider and more diverse group of young people.”

Also offering opportunities today is Immersive Labs, which is offering free access to its cyber-skills development platform. Backed by Goldman Sachs and developed by an ex-GCHQ trainer, the technology will give students access to a purpose-built set of ‘labs’ which drop the user into entry-level cybersecurity challenges.

Each lab runs in the browser and drops the student into a simulated incident, presented as it would appear to a security team in a company, and encourages them to teach themselves the skills to progress.

James Hadley, Immersive Labs founder and CEO, said: “The world is crying out for cybersecurity talent, yet the majority of ways we are trying to train these people are broken. While university can be a valuable path for some, its rigid conditions can also be exclusive.

“Not everyone wants to sit in a classroom learning passively. My experience at GCHQ taught me the best cyber-talent is creative and curious; they learn by breaking things and thinking on their feet. Unfortunately, this jars with traditional teaching methods, which I fear is leading to an unnecessary talent drain. We have opened up our platform to give these individuals an opportunity to learn.”

The offer is open today and for a week afterwards, via a sign-up form on the website, to those who can show they did not get into their first choice of university. The labs will stay available for six months and will be periodically updated with new content.

Source: Information Security Magazine

Choice Hotels Breach: Hackers Leave Ransom Note For 700K Records

Hackers claim to have stolen 700,000 customer records from Choice Hotels thanks to an exposed MongoDB instance, it has emerged.

The US-based chain, which runs franchised outlets in over 40 countries worldwide, is now being held to ransom after the hackers left a note demanding 0.4 Bitcoin (around $3800) in payment for the data, which they claimed to have copied.

Security researcher Bob Diachenko worked with security firm Comparitech to discover the database, which was left completely exposed online. However, hackers had already got there: the database had been online without password protection for only four days before attackers found it.

Although the database held 5.6 million records in total, Choice Hotels told Comparitech that most of these related to test data. Of the 700,000 genuine records stolen, names, email addresses and phone numbers of customers are among the details taken.

The server itself is said to have been owned and managed by a third party who was working with the hotel chain on a new “tool.”

“We have discussed this matter with the vendor and will not be working with them in the future,” Choice Hotels told Comparitech in an email.

“We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a Responsible Disclosure Program, and we welcome Mr Diachenko’s assistance in helping us identify any gaps.”

Diachenko believed the ransom note was left by an automated script set up specifically to target exposed MongoDB databases, although it didn’t succeed in wiping the data.

This is only the latest of many similar incidents involving unsecured MongoDB instances.

This year alone, hundreds of millions of individuals have had their personal data exposed, including 200 million Chinese CVs, 12.5 million Indian mothers, and 808 million records from an email validation firm.

Unsurprisingly, hackers are getting wise to these misconfigurations: earlier this month it was revealed that attackers stole 2.1 million records from a Mexican bookstore, demanding a ransom.

KnowBe4 security awareness advocate, Javvad Malik, argued that the Choice Hotels incident is yet another example of user error.

“While Choice Hotels may be correct in that the data was hosted by a third party and none of their servers were compromised, it does not change the fact that it was their customer data which was breached,” he added. “It has an obligation to ensure the security of its customer data whether it’s kept by themselves, or handed over to a third party.”

Source: Information Security Magazine