Archive for the News Category

Australian PM Blames “Sophisticated State Actor” for Parliament Hack

Australian Prime Minister Scott Morrison has blamed a “sophisticated state actor” for the recent attempt to hack the parliament’s computer network.

On February 8 news broke of the malicious activity which resulted in password resets for government workers.

Speaking today, PM Morrison said that there was “no evidence of electoral interference” and that steps were being taken to “ensure the integrity of our electoral system” – however he did not comment on which country was behind the attack.

“I have instructed the Australian Cyber Security Center to be ready to provide any political party or electoral body in Australia with immediate support, including making their technical experts available,” he added.

David Emm, principal security researcher, Kaspersky Lab, said: “Cyber-attacks on political parties are almost becoming commonplace – especially in the run up to elections. In an atmosphere of increased suspicion of the cyber-capabilities of different nations, the focus very often becomes intent on identifying the attacker.

“The news that all the main political parties in Australia were breached has shown that attackers will try to achieve their aims by compromising multiple routes – proving more than ever the importance of working together to ensure maximum protection from malicious actors, across geographical and political boundaries.”

High-Tech Bridge’s CEO Ilia Kolochenko added: “Powerful nation states have the requisite technology and other resources to cover up their attacks and operate in stealth mode. In light of incomplete or blurred visibility across many governmental IT systems, networks where virtually no single machine is up-to-date, alongside shadow and legacy applications, and a global cybersecurity skills shortage – it is unfortunately not that complicated for cyber-criminals to remain unnoticed.”

Source: Information Security Magazine

Chinese Surveillance Database Exposes Millions of IDs

Security researchers have spotted a mass data leak from an unsecured database which exposed the personal details of over 2.5 million surveilled Chinese residents.

SenseNets Technology uses AI-powered technology in facial recognition cameras to record the movements of millions of minority Uighurs in the western province of Xinjiang, according to reports.

China has come under increasing international criticism for its treatment of the Muslim minority group, sending hundreds of thousands to ‘re-education camps’ in the desert.

Dutch researcher, Victor Gevers, made the revelations in a series of tweets late last week. The database in question exposed names, ID card numbers, birth dates, location data, employer and more on the tracked individuals.

“There is this company in China named SenseNets. They make artificial intelligence-based security software systems for face recognition, crowd analysis, and personal verification. And their business IP and millions of records of people tracking data is fully accessible to anyone,” he explained.

“This database contains over 2,565,724 records of people with personal information like ID card number (issue & expire date, sex, nation, address, birthday, passphoto, employer and which locations with trackers they have passed in the last 24 hours which is about 6,680,348 records.”

The latter are said to have tracked individuals to specific locations such as mosques, hotels and internet cafes.

The original database was left exposed without any authentication needed. So far, the firm’s attempts to mitigate the privacy leak have faltered.

“Dear operators of SenseNets. It's a good thing you started updating that crappy Windows Server 2012 (which is pirated btw). But you switched off the firewall exposing your MongoDB and MySQL server AGAIN,” tweeted Gevers over the weekend.

He also cautioned that while such “advanced traffic monitoring” systems were by and large blocked to users outside of China, the same is not true of those inside the Great Firewall.

“With a Chinese proxy, they are accessible and open,” said Gevers, who works for non-profit the GDI Foundation. “In the last 17 days, over 86 million 'objects' were tracked. In January 386 million.”

The privacy snafu has shone a light on the scale of China’s authoritarian surveillance apparatus. Already a world leader in online censorship, under Xi Jinping the state is now extending its power to snoop into the lives of those deemed a security risk.

Felix Rosbach, product manager at comforte AG, described the incident as like 1984 “but with an even worse twist.”

“Sometimes personally identifiable information sits in silos and hackers only get access to a small amount of data which hold not that much of a value. But with the use of unique identifiers, like national identity card numbers, it is possible to combine datasets of multiple breaches. This enables hackers to use complex identity profiles of customers,” he warned.

“The most important thing organizations can do to protect identity information is to pseudonymize it. This ensures that personal data is protected whenever a breach happens and is even more important for IDs like PANs, social security numbers or national identity cards numbers."
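The pseudonymization Rosbach recommends is only protective if it uses a secret key: a plain hash of a national ID is not a pseudonym, because the ID space is small and structured enough to enumerate. The following Python example is added here to illustrate that point; it is not code from comforte AG or from the article. The toy 4-digit ID space, the dataset names and the sample identifiers are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from typing import Iterable, Optional

# Keyed pseudonymisation: the pseudonym is stable for one (key, context) pair,
# so records can still be joined inside the organisation that holds the key,
# but without the key it cannot be mapped back to the national ID or joined
# to another organisation's leak of the same person.


def normalise_id(identifier: str) -> str:
    """Strip whitespace and upper-case so '1234 5678' and '12345678' match."""
    return "".join(identifier.split()).upper()


def pseudonymize(identifier: str, key: bytes, context: str) -> str:
    """HMAC-SHA256 over (context, normalised id).

    The context string (for example a dataset name) domain-separates the
    pseudonyms so one key can serve several datasets without making the
    datasets linkable to each other.
    """
    if len(key) < 32:
        raise ValueError("use a key of at least 32 random bytes")
    msg = context.encode() + b"\x00" + normalise_id(identifier).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256: often called 'anonymised', but it is neither."""
    return hashlib.sha256(normalise_id(identifier).encode()).hexdigest()


def recover_from_unkeyed(digest: str, id_space: Iterable[str]) -> Optional[str]:
    """Why a keyed function is required: a structured ID space is small enough
    that a plain hash is inverted simply by hashing every candidate."""
    for candidate in id_space:
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


def linkable_rows(dataset_a: Iterable[str], dataset_b: Iterable[str]) -> int:
    """Count rows two datasets can be joined on via their pseudonym column."""
    return len(set(dataset_a) & set(dataset_b))


if __name__ == "__main__":
    # Constructed sample: a toy 4-digit ID space and two organisations that
    # each hold the same three people under their own key.
    id_space = [f"{n:04d}" for n in range(10000)]
    ids = ["0042", "1234", "9876"]
    key_org_a = secrets.token_bytes(32)
    key_org_b = secrets.token_bytes(32)
    org_a = [pseudonymize(i, key_org_a, "customers") for i in ids]
    org_b = [pseudonymize(i, key_org_b, "customers") for i in ids]
    plain = [unkeyed_hash(i) for i in ids]
    print("joinable across orgs with keyed pseudonyms:", linkable_rows(org_a, org_b))
    print("joinable across orgs with plain hashes:", linkable_rows(plain, plain))
    print("plain hash of 1234 inverted to:", recover_from_unkeyed(unkeyed_hash("1234"), id_space))
```

The key must be stored separately from the pseudonymized data (an HSM or secrets manager), since whoever holds both can re-identify every row; rotating the key produces a new, unlinkable set of pseudonyms, which is the property you want between breaches but not between your own tables.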

Source: Information Security Magazine

UK Spooks Give Green Light to Huawei

There was finally a bit of good news for Huawei today after UK spies effectively gave the green light for the beleaguered Chinese firm to supply the nation’s 5G infrastructure.

GCHQ’s National Cyber Security Centre (NCSC) has reportedly decided that any risks posed by the Shenzhen giant can be managed, putting it at odds with its Five Eyes counterparts.

Australia, the US and New Zealand have all effectively banned the firm from supplying key infrastructure to build their national 5G networks while Canada is currently assessing the situation.

The fear is that the firm could be instructed by Beijing under local laws to assist in any possible intelligence operation in the future. It has also come under fire for alleged IP theft and breaking US sanctions on Iran — with Washington firing out a series of indictments last month.

However, the UK has always had a more nuanced approach to Huawei, having allowed the firm to compete for contracts as long as its kit can be assessed by GCHQ operatives in the Huawei Cyber Security Evaluation Centre (HCSEC).

This is despite that same centre highlighting significant shortcomings in the firm’s processes last year that “exposed new risks in UK telecoms networks,” meaning it has “only limited assurance” that Huawei equipment poses no threat to national security.

These issues will cost Huawei an estimated $2bn to mitigate over the coming years.

There’s also a chance that, even after the NCSC’s recommendation, the government could decide to align with its Western intelligence allies and order network operators to use equipment from other providers.

A DCMS review into the industry is set to report back in a month or two.

Huawei has consistently argued that it is not a security risk, and that it has instead merely been the victim of an escalating geopolitical dispute between the US and China.

Source: Information Security Magazine

MPs Repeat Calls for Russian Brexit Meddling Probe

MPs have repeated their calls for tech companies to be more heavily regulated to combat disinformation online, and for the government to investigate Russian meddling in the EU referendum.

The long-awaited final report into ‘fake news’ from the Digital, Culture, Media and Sport Committee was released yesterday, with some harsh words for Facebook and plenty of recommendations for the government.

Among other things, it recommended that a previously announced 2% tax on social media companies operating in the UK be used to fund regulator the Information Commissioner’s Office (ICO).

It also called for a compulsory Code of Ethics for social platforms overseen by an independent regulator, and legal liability for tech firms to take down any harmful or illegal content on their sites.

There were also wider calls for electoral law in the UK to be reformed to help improve transparency and regulation of online political advertising.

"We are open to meaningful regulation and support the committee's recommendation for electoral law reform,” Facebook said in response. “But we're not waiting. We have already made substantial changes so that every political ad on Facebook has to be authorized, state who is paying for it and then is stored in a searchable archive for seven years. No other channel for political advertising is as transparent and offers the tools that we do."

Another major part of the committee report was devoted to foreign influence in the UK political process. It’s something being investigated by special counsel Robert Mueller in the US, but so far campaigners have been frustrated by Theresa May’s reticence in launching any kind of formal investigation.

“We repeat our call to the government to make a statement about how many investigations are currently being carried out into Russian interference in UK politics,” the report concluded.

“We further recommend that the government launches an independent investigation into past elections — including the UK election of 2017, the UK referendum of 2016, and the Scottish referendum of 2014 — to explore what actually happened with regard to foreign influence, disinformation, funding, voter manipulation, and the sharing of data, so that appropriate changes to the law can be made and lessons can be learnt for future elections and referenda.”

The report also called for a total ban on foreign donations in UK elections.

Leave.EU is currently the subject of a criminal investigation by the National Crime Agency (NCA), referred by the Electoral Commission, after suspicions that Brexit backer Arron Banks was not the source of a multi-million pound donation as he has claimed.

His firm Eldon Insurance, and Leave.EU, were fined £120,000 earlier this month by the ICO for serious data protection failings related to their use of voter data.

Source: Information Security Magazine

Dating App Says Stolen Data Was Sold on Dark Web

In the aftermath of multiple reports that millions of stolen records were dumped on the dark web, the dating app Coffee Meets Bagel (CMB) confirmed through a spokesperson that the accounts of approximately six million users were compromised in a breach.

The company also said that the stolen data was indeed part of the trove of records that were sold by a malicious actor on the dark web marketplace Dream Market.

In an email sent to Infosecurity, the spokesperson wrote, “With online dating, people need to feel safe. If they don't feel safe, they won't share themselves authentically or make meaningful connections. We take that responsibility seriously, so we informed our community as soon as possible – regardless of what calendar date it fell on – about what happened and what we are doing about it.

“We can confirm that approximately six million users were impacted. Beyond emails and names, no other CMB user information was compromised. This was part of a larger breach affecting 620 million accounts that got leaked across 16 companies.”

The dark web vendor later removed the first round of listings that were up for sale, noting: “All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don’t worry, next round of breaches coming soon.”

Dream Market vendor profile

Infosecurity also received confirmation from Dubsmash that the company learned of a data security incident that involved the sale of stolen user information on February 8, 2019.

“Dubsmash also launched an investigation and engaged independent, third-party cybersecurity experts to provide assistance. The investigation is ongoing. Dubsmash responded by notifying the potentially affected users and providing information to assist them.

“Dubsmash takes the security of all user information very seriously and is taking steps to prevent similar events from occurring in the future. We are continuing to strengthen security measures to ensure our networks and systems are secure,” says Dubsmash’s president, Suchit Dash. “We deeply regret any issues or concerns this incident may have caused our users.”

Password reuse is one issue that has led to numerous data breaches, according to Aaron Zander, head of IT at HackerOne. “That password we used hundreds of times in the early 2000s has come back to haunt us. Users can protect themselves with password managers, but it’s up to the operators of websites and apps to prevent themselves from becoming test-beds for valid credentials,” Zander said.
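Zander’s point that site operators must stop being “test-beds for valid credentials” is, in practice, a detection problem: credential stuffing looks like one source trying many different accounts once each, whereas a forgetful user retries one account. The Python below is an added example of that distinction run over constructed authentication log lines; it is not code from HackerOne or from the article, and the log format, the IP addresses and the thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO timestamp> ip=<source> user=<account> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source trying twelve different accounts in twelve
# seconds (one of them succeeds), and one user fumbling their own password.
SAMPLE_LOG = """\
2019-02-14T10:00:01 ip=203.0.113.5 user=u01 result=fail
2019-02-14T10:00:02 ip=203.0.113.5 user=u02 result=fail
2019-02-14T10:00:03 ip=203.0.113.5 user=u03 result=fail
2019-02-14T10:00:04 ip=203.0.113.5 user=u04 result=fail
2019-02-14T10:00:05 ip=203.0.113.5 user=u05 result=fail
2019-02-14T10:00:06 ip=203.0.113.5 user=u06 result=ok
2019-02-14T10:00:07 ip=203.0.113.5 user=u07 result=fail
2019-02-14T10:00:08 ip=203.0.113.5 user=u08 result=fail
2019-02-14T10:00:09 ip=203.0.113.5 user=u09 result=fail
2019-02-14T10:00:10 ip=203.0.113.5 user=u10 result=fail
2019-02-14T10:00:11 ip=203.0.113.5 user=u11 result=fail
2019-02-14T10:00:12 ip=203.0.113.5 user=u12 result=fail
2019-02-14T10:01:00 ip=198.51.100.7 user=bob result=fail
2019-02-14T10:01:10 ip=198.51.100.7 user=bob result=fail
2019-02-14T10:01:20 ip=198.51.100.7 user=bob result=fail
2019-02-14T10:01:30 ip=198.51.100.7 user=bob result=fail
2019-02-14T10:01:40 ip=198.51.100.7 user=bob result=fail
2019-02-14T10:01:50 ip=198.51.100.7 user=bob result=ok
"""


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def credential_stuffing_sources(lines, window=timedelta(minutes=5),
                                min_failures=10, min_distinct_users=8):
    """Flag source IPs whose failures within a sliding window are spread
    over many distinct accounts. A single user retrying one account never
    reaches min_distinct_users, so it is not flagged."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            fails = sum(1 for e in win if e["result"] == "fail")
            users = {e["user"] for e in win}
            if fails >= min_failures and len(users) >= min_distinct_users:
                # Keep the most recent qualifying window; the successful
                # logins inside it are the accounts to notify or reset.
                flagged[ip] = {
                    "failures": fails,
                    "distinct_users": len(users),
                    "successful_logins": sorted(
                        {e["user"] for e in win if e["result"] == "ok"}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in credential_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The successful logins inside a flagged window are the actionable output: those sessions should be invalidated and the account owners prompted to change a password that is evidently in circulation, which is the operator-side counterpart to the password managers Zander recommends for users.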

Source: Information Security Magazine

Two WordPress Plugin Authors Issue Bug Fixes

Two different WordPress plugins have caused a few headaches this week. Hackers reportedly exploited an old vulnerability found in the WordPress plugin WP Cost Estimation & Payment Forms Builder, according to Wordfence. A second and critical vulnerability was also found in the Simple Social Buttons plugin, according to WebARX.

The flaw in the WP Cost Estimation plugin, which is present in all versions prior to 9.660, has been fixed. Wordfence wrote in a February 13 blog post that any sites using the plugin are encouraged to update to the latest version.

“Developers of plugins and themes are incentivized to develop a product that sells. Few such developers are incentivized to build security and privacy into the development cycle, especially when product lifecycles are brief,” said Mike Bittner, digital security and operations manager at The Media Trust.

“Companies that hire them too often think of security and privacy testing as an expense rather than an investment in the business's long-term success; it's also possible these businesses are more interested in making a quick buck than longevity.”

The Simple Social Buttons plugin is reportedly prone to privilege escalation, according to Vulners.com. If exploited, an attacker could take complete control of administrator accounts or whole websites.

According to WPBrigade, the plugin has been downloaded more than 500,000 times. “WordPress’s latest vulnerability once again emphasizes the challenges and risks of using a large body of third-party–maintained code,” said Bryan Becker, application security researcher, WhiteHat Security.  

"Because the vulnerability in Simple Social Buttons requires that the attacker have access to a registered user, there isn't going to be much in the way of widespread attacks against the flaw. However, if a site allows open user registration, an attacker could take advantage of the flaw and gain unauthorized access to the affected site," Mikey Veenstra, GWAP, threat analyst, Wordfence wrote in an email.

"We have deployed a firewall rule that prevents this vulnerability from being exploited, though our primary recommendation is that any site using the plugin updates it as soon as possible. At this point, we have yet to see any known threat actors making use of this vulnerability, but it's likely due to how circumstantial an exploitable case would be." 

Source: Information Security Magazine

J.P. Morgan Launches First US Bank-Backed Crypto-Coin

As the value of Bitcoin and other cryptocurrencies continues to fluctuate while governments consider marketplace regulations, J.P. Morgan announced that it is launching the first US bank-backed cryptocurrency, JPM Coin.

“The JPM Coin is based on blockchain-based technology enabling the instantaneous transfer of payments between institutional accounts,” the press release stated. “Exchanging value, such as money, between different parties over a blockchain requires a digital currency, so we created the JPM Coin.”

According to J.P. Morgan, the coin differs from other cryptocurrencies, such as Bitcoin and Ethereum, because they are not collateralized, making their value specific to the coin. The coin is also distinguishable from fiat-backed stablecoins, which are reserves held at banks that claim to have 1:1 fiat collateral.

The JPM Coin, though, is “1:1 redeemable in fiat currency held by J.P. Morgan.” The underlying blockchain is permissioned, which J.P. Morgan says makes it enterprise-grade secure; it was built by J.P. Morgan in collaboration with its partners. Use of the JPM Coin is restricted to institutional customers.

“JPM Coin is currently a prototype that will be tested with a small number of J.P. Morgan’s institutional clients, with plans to expand the pilot program later this year. JPM Coin is currently designed for business-to-business money movement flows, and because we are still in a testing phase, we don’t have plans to make this available to individuals at this stage. That said, the cost-savings and efficiency benefits would extend to the end customers of our institutional clients.”

J.P. Morgan said it has long supported the potentials of blockchain technology and the advancement of properly controlled and regulated cryptocurrencies. As it moves toward production of the JPM Coin, J.P. Morgan will continue to seek feedback and approval from its regulators.

“As a globally regulated bank, we believe we have a unique opportunity to develop the capability in a responsible way with the oversight of our regulators. Ultimately, we believe that JPM Coin can yield significant benefits for blockchain applications by reducing clients’ counter-party and settlement risk, decreasing capital requirements and enabling instant value transfer.”

Source: Information Security Magazine

CISOs Hit the Bottle as Workplace Pressures Build

UK and US CISOs are facing burnout as they struggle to cope with escalating cyber-threats, insufficient budgets and a lack of engagement from the board, according to Nominet.

The DNS security provider commissioned Osterman Research to poll over 400 security bosses on both sides of the Atlantic for its report, Life Inside the Perimeter: Understanding the Modern CISO.

It found that the stresses of the modern role are increasingly taking their toll on CISOs’ personal and professional lives.

Almost all (91%) respondents said they suffer moderate or high stress, with 60% saying that they rarely disconnect from their job — that’s despite most (88%) already working over 40 hours per week.

Part of this stress is caused by the pressure of keeping threats at bay: 60% of respondents admitted to finding malware which had been there for an unknown period of time. Nearly a third (32%) said that they’d lose their job or receive an official warning in the event of a breach.

However, a large part of the stress CISOs feel they’re under appears to stem from the attitudes of the board.

Only half (52%) said executive teams value the security team from a revenue and brand protection standpoint and nearly a fifth (18%) claimed board members are indifferent to, or see them as an inconvenience.

These findings chime somewhat with a Trend Micro study from 2018 which found that 43% of global organizations view security as an afterthought in IoT projects and only 38% even consult the CISO at all when deploying solutions.

Nearly two-thirds (65%) of the CISOs Nominet polled claimed this lack of engagement with the board was a major challenge. It may also explain why just 43% claimed they have sufficient budget to tackle current threats.

As a result of these factors, the pressure is reaching boiling point for many.

Over a quarter (27%) of CISOs polled said stress is impacting their mental or physical health, while 23% said the role is damaging their personal relationships. Even worse, 17% admitted they had turned to medication or alcohol to deal with workplace stress.

“CISOs around the world are facing mounting pressures amid a rapidly shifting cyber landscape. Criminals are forever finding ways to exploit vulnerabilities, and do not discriminate against the businesses they attack. Everyone is a target,” argued Nominet CEO, Russell Haworth.

“It’s no surprise that CISOs are facing burnout. Many lack support from within their organizations, and senior business leaders need to face the facts: the threats are real, and CISOs need to be given the resources and support to tackle them. If not, the board must face the consequences.”

Just last month, the newly appointed first CISO of NHS Digital resigned only three months into the job, citing personal reasons.

Source: Information Security Magazine

GandCrab Ransomware Slingers Target MSPs

A software company has been forced to remind customers to patch a two-year-old flaw in a third-party plug-in, after reports it is being exploited to infect scores of companies with GandCrab ransomware via their managed security provider (MSP).

The issue relates to CVE-2017-18362, a flaw which affects the ConnectWise Manage plug-in for the Kaseya VSA remote-monitoring tool. ConnectWise Manage is a professional services automation (PSA) product popular among IT support staff in MSPs.

“This vulnerability allows a remote attacker to execute arbitrary SQL commands against the Kaseya VSA database, which means they can create administrative users, change user passwords, or even create tasks to deploy software to all endpoints under management,” explained Chris Bisnett, co-founder of Huntress Labs.

“This week an unknown attacker leveraged the vulnerable integration to attack MSPs and their customers by tasking all managed endpoints to download and execute a ransomware variant known as GandCrab. This type of attack is particularly devastating because the Kaseya RMM tool has remote administrative (SYSTEM) access to all managed endpoints leading to a quick and complete compromise of all customer assets.”

The incident was first revealed in a Reddit post a few days ago, with the user claiming it affected a “local mid-sized MSP with about 80 clients” — all of which were apparently infected.

Kaseya was forced to issue an update on the ConnectWise plugin bug.

“Kaseya takes security very seriously and recommends that all customers using the Connectwise Plugin for VSA upgrade to the newly released version of the Plugin immediately or alternatively remove all versions of this Plugin,” it stated.

The news is yet another example of the lengths ransomware authors are now going to in order to get their wares on as many victim machines as possible.

Other threat vectors include email spam, RIG and GrandSoft exploit kits, and compromised websites offering cracked apps for download.

As of last March, GandCrab had infected over 50,000 victims and extorted an estimated $300,000-600,000 from its victims, more than 70% of which are based in the US and UK, according to Check Point.

Source: Information Security Magazine

Love Bug Found in OkCupid Android App

Only days after Infosecurity reported that OkCupid users said their accounts had been hacked, Checkmarx disclosed that the OkCupid Android App actually posed risks because of security failures in MagicLinks.

It’s well known that malicious actors love to exploit a good holiday, which puts users at risk on Valentine’s Day. To identify any potential vulnerabilities, researchers dove into the popular Android dating app only to discover that attackers could easily gain access to user information, including personal contact information such as email aliases, names, genders, dates of birth and locations.

In addition, researchers found that they could gain access to a user’s dating preferences, such as whether they’re looking to hook up, find new friends, and date short or long term and whether they’re open to non-monogamy.

According to researchers, most of the URLs that pass through the app are not vulnerable because OkCupid uses WebView, yet some URLs are designated as MagicLinks, which Checkmarx describes as opening “inside the main OkCupid WebView, which means that the user has no way of knowing whether its content is legitimate or not. For every MagicLink, what is shown on the screen is just part of the OkCupid application as far as the user knows.”

However, in the words of Pedro Umbelino, the researcher who carried out the work, “A MagicLink can be, among others, simply a URL that contains the string /l/. It’s that magic. Essentially, any link that contains /l/ will pass as a MagicLink. It’s hardly a problem for even the most inexperienced hacker to create a URL containing /l/.”

Using that string, an attacker could then create a malicious phishing page and share it with unsuspecting users in hopes that they enter their login credentials. Because users generally wouldn't be concerned by a page that opens inside the app, the average user would not suspect the link is actually malicious.

“By sending a crafted link to a malicious page, we managed to change the app’s interaction URL base from https://api.okcupid.com to our own controlled HTTP page. By changing the API endpoint to an attacker-controlled address, the attacker now permanently controls the flow of information between the victim and the API server,” researchers wrote.
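The root defect described above is that trust in a link was decided by a substring anywhere in the URL rather than by its origin. To make that concrete, here is an added Python illustration (not Checkmarx’s or OkCupid’s code) of the substring test beside a hardened check that only treats a link as in-app when its scheme, host and path all match; the trusted host list and the sample URLs are assumptions for the demo, and the same logic applies in the Android app’s own language.

```python
from urllib.parse import urlsplit

# Assumed allowlist of exact hosts the app may render inside its own WebView.
TRUSTED_HOSTS = {"okcupid.com", "www.okcupid.com", "api.okcupid.com"}


def is_magic_link_vulnerable(url: str) -> bool:
    """The substring test the article describes: any URL containing '/l/'
    is treated as an in-app link, whatever host it points at."""
    return "/l/" in url


def is_magic_link_hardened(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Origin-based check: https only, exact host match, no userinfo tricks,
    and '/l/' must be the start of the path, not buried in a query string."""
    try:
        parts = urlsplit(url)
        host = parts.hostname   # lower-cased, userinfo and port stripped
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    if port not in (None, 443):
        return False
    if host not in trusted_hosts:
        return False
    return parts.path.startswith("/l/")


def route(url: str, check) -> str:
    """Where a link should open: the app's WebView or the system browser,
    where the address bar lets the user see the real origin."""
    return "in-app" if check(url) else "external-browser"


def audit(urls):
    """Compare both checks over a list of URLs; returns (url, old, new)."""
    return [(u, route(u, is_magic_link_vulnerable), route(u, is_magic_link_hardened))
            for u in urls]


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, the rest shaped to pass the
    # substring test while pointing somewhere else.
    samples = [
        "https://www.okcupid.com/l/abc",
        "https://evil.example/l/phish",
        "https://okcupid.com.evil.example/l/x",
        "https://www.okcupid.com@evil.example/l/x",
        "http://www.okcupid.com/l/x",
        "https://www.okcupid.com/?next=/l/x",
    ]
    for url, old, new in audit(samples):
        print(f"{url:45} substring-check={old:17} hardened={new}")
```

The hardened check also closes the second half of the finding: a page that the app does not recognise as its own origin never gets the chance to redefine the API base URL, because it is not rendered with the app’s privileges in the first place.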

In a statement shared with Infosecurity, an OkCupid spokesperson wrote, “A few months ago, Checkmarx alerted us to a potential security vulnerability in the Android app. We quickly resolved the issue and have no reason to believe this impacted any users, on any operating system. Happy Valentine's Day.”

Source: Information Security Magazine