Archive for the News Category

One in Four Security Pros Would Steal Company Info to Bag Better Job

A workplace behavior survey by Gurucul has found that a quarter of IT security professionals would steal information from their company if doing so might help further their career.

The survey was conducted at the Black Hat USA 2019 conference in the form of a questionnaire. When asked "Would you take company information to help you apply for a more senior role at a competitor?", 24% of the 476 respondents answered yes.

Interestingly, the respondents who admitted that they would steal company information were happy to do so on the mere promise that it might help their career progression. Perhaps a higher number of respondents would have said yes if the proposed theft was guaranteed to give them a leg up on the career ladder. 

Despite one in four respondents apparently being one step away from making off with company data, the department those surveyed considered most at risk from fraud was the finance department.

The survey also asked respondents about their internet use and found that 44% of respondents spend at least an hour a day at work surfing the web for non-work-related activities. More than a quarter (28%) spend at least two hours a day visiting sites that aren’t related to their jobs.

Which sites are IT security professionals visiting on the sly while at work? Social media tops the list at 32%. More than 10% of respondents admitted to looking for a new job while at work, and 19% said they explored possible vacations.

Asked to consider external threats, 76% of respondents said they had tightened up third-party access to their systems in light of recent third-party breaches. The third-party vendors that respondents most expected to find in the library with the lead pipe along with a blushing Miss Scarlet were managed service providers (MSPs). 

The survey found 34% of respondents were most concerned about third-party access by MSPs, while 30% had a similarly bad feeling about developers. 

Commenting on how close an eye companies should keep on their employees, Saryu Nayyar, CEO of Gurucul, said: “Companies should draw the line at monitoring activity and access logs, not people. Identify threats with behavior-based security analytics. Don’t try to watch what every person is doing at all times to root out the malicious insiders. True threats will surface with the right technology, and users won’t feel like it’s 'Big Brother' if it’s analytics – just a bunch of numbers!”

Source: Information Security Magazine

UK Gov Launches £30m 5G Competition

The UK government has launched a nation-wide funding competition for projects designed to bring 5G to the British countryside. 

The Rural Connected Communities competition will fund up to 10 different 5G research and development projects to run over the course of two years as part of the 5G Testbeds and Trials Programme. The competition is open to applications from groups from across the UK and is expected to attract consortia built from a mixture of academia and organizations in the public, private and third sectors. 

Judges are looking for projects that will trial innovative use cases and technical solutions to build the business case for investment in rural connectivity. Projects are expected to explore the capabilities of 5G to benefit rural communities and to help demonstrate demand for 5G technologies from a variety of economic sectors and rural communities.

Winning projects will be brought to life using £30m of funding supplied by the Department for Culture, Media and Sport (DCMS). This hefty chunk of change will come from the £200m of investment allocated to the 5G Testbeds and Trials Programme from the National Productivity Investment Fund (NPIF).

Digital secretary Nicky Morgan said: “In modern Britain people expect to be connected wherever they are. And so, we’re committed to securing widespread mobile coverage and must make sure we have the right planning laws to give the UK the best infrastructure to stay ahead.”

Entrants have until midday on October 25, 2019, to submit their applications. Shortlisted applicants will be notified by November 14 and invited for an interview. Applicants whose projects are given the green light will hear the good news by the end of December 2019. As Christmas presents go, that certainly beats the vest your gran gave you last year. 

A free-to-attend competition briefing event is being held at The Carriageworks in Leeds on September 12, 2019. 

5G offers mobile speeds 10 to 20 times faster than previous generations, so its potential impact on rural areas, where signal has historically been poor, is significant. It remains to be seen whether rural communities will welcome the installation of the taller mobile phone masts needed to support the new technology.

Source: Information Security Magazine

#OSSummit: Linux Continues to Pay the Price for CPU Hardware Vulnerabilities

More than a year and a half ago, the world first learned of the Spectre and Meltdown attacks impacting Intel and other CPU vendors. The flood of somewhat related CPU hardware issues has continued since then as operating system developers, including Linux kernel developers, have raced to keep pace with patching.

In a keynote at the Open Source Summit in San Diego, California on August 22, Greg Kroah-Hartman, who maintains the stable Linux kernel, outlined the many new CPU hardware security challenges that Linux developers have faced in the past year, which extend far beyond the original Spectre and Meltdown issues.

Back in May 2019, researchers disclosed the MDS set of vulnerabilities impacting Intel and other CPU vendors. The MDS vulnerabilities include multiple specific issues carrying names such as RIDL, Fallout and Zombieload. Kroah-Hartman explained that the MDS issues are yet another class of Spectre and Meltdown related vulnerability found in CPUs.

“All these issues exploit how processors see in the future, so in order to go faster, you have to guess what’s going to happen next,” he explained.

With the MDS vulnerabilities, Kroah-Hartman said that an attacker could potentially read what someone else already did with a CPU and also cross virtual machine boundaries.

“With cloud computing, you’re running untrusted things on different virtual machines and you don’t know who else is running on your machine,” he warned. “This can be a real issue. I can read data from somebody else and somebody else can read your data, and that’s not a good thing.”

More recently, on August 7, researchers disclosed the SWAPGS flaw impacting Intel CPUs. Kroah-Hartman explained that Intel has documented in its patents how speculative execution works. Researchers and academics reading the patents have been going through the specification and have been able to find flaws, which is how SWAPGS was discovered.

“So now you have all these professors out there reading patents, there’s going to be more,” Kroah-Hartman said about CPU vulnerabilities.

From a Linux perspective, Kroah-Hartman said that in order to mitigate the various CPU vulnerabilities, the Linux kernel has had to do more work, flushing CPU buffers to reduce risk among other activities. The additional controls put in place to mitigate the issues have also had a performance impact on Linux, which varies based on workload. Kroah-Hartman noted that the mitigations have led to a 15% performance impact for his workloads, which include reading email and building new Linux kernels.

With the MDS and SWAPGS issues, he commented that Intel has generally been pretty good about alerting Linux distributions, in stark contrast to the original Spectre and Meltdown issues, where communication was less than ideal. With proper communication, Linux kernel developers are now able to get fixes into the kernel for Intel CPU security issues quickly, but it also means that users need to stay on top of patching.
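Staying on top of patching is easier when you can ask the kernel what it thinks of the CPU it is running on. The kernel exposes one file per known hardware issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, mds and so on), each holding a line such as "Not affected", "Mitigation: PTI" or "Vulnerable". The following Python script is an added example, not code from the article or from the kernel project: it buckets those lines so a fleet inventory or patch-management job can flag hosts the kernel itself reports as still exposed. The sample statuses embedded in it are constructed, in the shapes the kernel really emits, so the script also runs on a host without the sysfs interface.

```python
"""Summarize the Linux kernel's own report of CPU vulnerability mitigations.

Added example, not code from the article or from the kernel project. The kernel
exposes one file per known hardware issue under
/sys/devices/system/cpu/vulnerabilities/; each holds a single status line. This
script buckets those lines so a patch-management job can flag exposed hosts.
"""
from pathlib import Path

SYSFS_VULNS = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample statuses (shapes the kernel really emits), used when the
# sysfs directory is not available, e.g. on a non-Linux host.
CONSTRUCTED_SAMPLE = {
    "meltdown": "Mitigation: PTI",
    # Kernels carrying the SWAPGS fix report it under spectre_v1.
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "l1tf": "Not affected",
    "spec_store_bypass": "Vulnerable",
}


def classify(status):
    """Map the kernel's free-text status line to one of four buckets."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(statuses):
    """{issue: raw_line} -> {issue: (bucket, raw_line)}; pure, no I/O."""
    return {name: (classify(raw), raw.strip()) for name, raw in statuses.items()}


def read_sysfs(vuln_dir=SYSFS_VULNS):
    """Read every per-issue file; {} when the interface is absent."""
    vuln_dir = Path(vuln_dir)
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text(errors="replace")
            for p in sorted(vuln_dir.iterdir()) if p.is_file()}


def report_mitigations(vuln_dir=SYSFS_VULNS):
    """Read the live kernel report and bucket it."""
    return summarize(read_sysfs(vuln_dir))


def needs_attention(report):
    """Issues the kernel reports as still exposed, plus lines it could not parse."""
    return sorted(n for n, (bucket, _) in report.items()
                  if bucket in ("vulnerable", "unknown"))


def smt_warnings(report):
    """Mitigations whose status notes that SMT (hyper-threading) still leaks."""
    return sorted(n for n, (_, raw) in report.items() if "SMT vulnerable" in raw)


if __name__ == "__main__":
    rep = report_mitigations()
    if not rep:
        print(f"{SYSFS_VULNS} not present; using constructed sample data")
        rep = summarize(CONSTRUCTED_SAMPLE)
    for name, (bucket, raw) in rep.items():
        print(f"{name:20} {bucket:13} {raw}")
    if needs_attention(rep):
        print("ATTENTION:", ", ".join(needs_attention(rep)))
    if smt_warnings(rep):
        print("SMT still exposed for:", ", ".join(smt_warnings(rep)))
```

A "Mitigation:" line that ends in "SMT vulnerable" is the case worth a second look: the kernel has done what it can in software, but, as the MDS status above illustrates, the hardware thread sharing the core still leaks unless SMT is disabled or microcode is updated.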

Kroah-Hartman said that, on average, there are 22 patches per day made to the stable Linux kernel branch, with all the patches being known bug fixes.

“The kernel community’s mantra is: a bug is a bug, is a bug,” he said. “We fix it, we push it out and we go.”

It's not always immediately clear whether a given bug fix is a security issue or not. He noted that there have been circumstances where it wasn’t known until months after a patch was integrated into Linux that it was in fact a security issue. Going a step further, Kroah-Hartman said that users should not rely on whether an issue has a Common Vulnerabilities and Exposures (CVE) identifier or not. A CVE is commonly associated with known vulnerabilities, but that’s not always a good indicator, according to Kroah-Hartman. He noted that only a small fraction of kernel vulnerabilities in fact get unique CVE identifiers.

“The goal of the kernel is to paper over the bugs in hardware and make it look like a unified system to users,” he said. “The problem is when the hardware has bugs that breaks the model of how we thought things worked and you can’t really fix it, and we have to do things to work around this problem.”

Source: Information Security Magazine

Apple Fixes Jailbreak Bug For the Second Time

Apple has released a new iOS security update designed to fix a jailbreak bug which it previously addressed and then accidentally rolled back.

The flaw itself, CVE-2019-8605, is a use-after-free vulnerability credited to Ned Williamson working on the Google Project Zero team.

The flaw, which could allow an attacker to execute arbitrary code with system privileges, was first reported to Apple by Williamson back in March. Some Apple users were apparently exploiting it to jailbreak their devices in order to run unsanctioned software on their kit.

Apple subsequently patched the bug with its 12.3 iOS version in May. However, earlier this month it unwittingly reintroduced the issue with version 12.4.

Security researcher Pwn20wnd released a free public jailbreak tool exploiting the issue.

Now the problem has been fixed for the second time thanks to the 12.4.1 update released by Apple on Monday. The Cupertino giant even thanked Pwn20wnd “for their assistance” in its update.

The patch doesn’t just mitigate the risk of users jailbreaking their iPhones and iPads. The vulnerability could also theoretically have been exploited by hackers to steal data from victims’ devices.   

Public jailbreaks are pretty rare, given that the community usually tries to keep any details secret so Apple doesn’t catch wind.

However, a Chinese security researcher in January released details of a remote jailbreak for iOS 12 on the iPhone X.

Alongside iOS 12.4.1, Apple released tvOS 12.4.1, watchOS 5.3.1 and macOS Mojave 10.14.6.

Source: Information Security Magazine

Hostinger Breach Prompts Reset of All User Passwords

A data breach at web hosting company Hostinger has prompted the company to reset the passwords of all its customers. 

Hostinger, which operates from Kaunas, Lithuania, reset the passwords of 29 million customers in 178 countries as a precautionary security measure after the breach was detected on August 22, 2019. 

An intruder gained access to the company's internal system API, triggering an alert to be sent to Hostinger. The server broken into contained an authorization token, which was used to obtain further access and escalate privileges to Hostinger's RESTful API server, which was used to query information relating to clients and their accounts.

No financial information was accessed during the attack, but a database that contained hashed passwords, email addresses and client usernames was compromised. Up to 14 million accounts may have been affected.   

Hostinger protects client passwords with a one-way mathematical function (a hash) that turns whatever password a client has picked into a fixed-length sequence of characters from which the original cannot be directly recovered.

Customers of the web hosting company have been advised to pick strong passwords that are not in use anywhere else and to be wary of any unsolicited communications asking for personal information. 

To increase the security of client data, Hostinger has ditched the hashing algorithm SHA-1 in favor of using SHA-2, which is tougher for hackers to crack.  
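What a hash migration like this looks like in practice, as an added illustration that is not Hostinger's code: existing records hashed under the old scheme cannot be converted, because the plaintext is unknown, so the upgrade happens at the user's next successful login. The example verifies a legacy record, and on success re-hashes the password under a salted, deliberately slow SHA-2 based scheme (PBKDF2-HMAC-SHA256 here; the article does not say which SHA-2 construction or work factor Hostinger adopted, so that choice is an assumption). The salt and iteration count are what make a SHA-2 based hash "tougher to crack" against a dumped database; a bare, unsalted SHA-256 would be only marginally better than SHA-1.

```python
"""Verify-and-upgrade for stored password hashes.

Added example, not Hostinger's code. Legacy records are bare, unsalted SHA-1
hex digests (as the article describes the old scheme); on the next successful
login they are replaced by PBKDF2-HMAC-SHA256 records (an assumption about the
SHA-2 construction) whose parameters are stored alongside the hash.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def legacy_sha1(password):
    """The weak legacy scheme: one fast, unsalted hash. Present only so the
    migration code has something realistic to verify against."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow SHA-256 based hash. The record is self-describing so the
    iteration count can be raised later without breaking existing rows."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Constant-time check of a candidate password against either record format."""
    scheme, _, rest = stored.partition("$")
    try:
        if scheme == "sha1":
            expected = hashlib.sha1(password.encode()).hexdigest()
            return hmac.compare_digest(expected, rest)
        if scheme == "pbkdf2_sha256":
            iters, salt_hex, dk_hex = rest.split("$")
            dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
            return hmac.compare_digest(dk.hex(), dk_hex)
    except ValueError:
        pass  # malformed record: treat as non-matching, never as a match
    return False


def login(password, stored):
    """Return (ok, stored_after). A successful login against a legacy record
    re-hashes the password under the current scheme, so weak hashes drain out
    of the database as users log in."""
    if not verify(password, stored):
        return False, stored
    if not stored.startswith("pbkdf2_sha256$"):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed sample record, as the old database might have stored it.
    record = legacy_sha1("correct horse battery staple")
    ok, record = login("correct horse battery staple", record)
    print("login ok:", ok)
    print("record now:", record[:40] + "...")
```

Accounts whose owners never log in again keep their legacy hash, which is why a forced reset of every password, as Hostinger did, is the complementary step: it invalidates the old hashes outright rather than waiting for them to drain out.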

The incident has been reported under Europe's General Data Protection Regulation. 

In a statement released on its blog, Hostinger said: "Following the incident, we have identified the origin of unauthorized access and have taken necessary measures to protect data about our Clients, including mandatory password reset for our Clients and systems within all of our infrastructure.

"Furthermore, we have assembled a team of internal and external forensics experts and data scientists to investigate the origin of the incident and increase security measures of all Hostinger operations. As required by law, we are already in contact with the authorities."

Hostinger assured clients that their financial data was safe. Since payments for Hostinger services are made through authorized and certified third-party payment providers, the company does not store card details or any other sensitive financial information on its servers.

Source: Information Security Magazine

Astronaut Accused of Committing Cybercrime in Space

NASA is reportedly investigating claims that one of its astronauts has become the first person to commit a crime while in space. 

U.S. Army Astronaut Lt. Col. Anne McClain allegedly accessed a bank account belonging to her estranged wife, Summer Worden, while on active duty at the International Space Station. 

A complaint was filed by Worden with the Federal Trade Commission (FTC) in relation to the alleged case of identity theft. A second complaint was then filed by Worden's parents with NASA's Office of Inspector General. 

No allegations have been made against McClain regarding the movement or removal of any funds from Worden's account. 

McClain and Worden, who filed for divorce in 2018 after four years of marriage, are currently in dispute over the custody of their 6-year-old son. It is alleged that McClain told NASA investigators that she logged into her estranged wife's bank account to check that it contained enough money to ensure the former couple's son was being adequately provided for. 

NASA has yet to respond to the allegations against McClain, stating only that "NASA does not comment on personal or personnel matters." 

In a statement, NASA described McClain as "one of NASA's top astronauts," who "did a great job on her most recent NASA mission aboard the International Space Station."

Rusty Hardin, McClain's lawyer, told The New York Times that McClain is cooperating fully with the investigation and “strenuously denies that she did anything improper.”

Addressing the allegations on Twitter, McClain posted the following message: "There’s unequivocally no truth to these claims. We’ve been going through a painful, personal separation that’s now unfortunately in the media. I appreciate the outpouring of support and will reserve comment until after the investigation. I have total confidence in the IG process."

McClain boarded the International Space Station in December 2018 and spent six months there in preparation for NASA's first women-only spacewalk. The spacewalk, which McClain was due to perform with fellow astronaut Christina H. Koch, was cancelled in March 2019 after NASA couldn’t provide both women with spacesuits that fit. 

Before joining NASA's astronaut corps in 2013, McClain was a helicopter pilot in the army and flew 216 combat missions in Iraq. McClain later served as battalion operations manager and Kiowa helicopter instructor pilot at Fort Rucker, Alabama. 

Source: Information Security Magazine

Over Half of Social Media Logins Are Fraudulent

Social media sites like Facebook and Instagram have long been repositories for fake posts skillfully manipulated to present a rose-tinted version of users' lives to the digital world. 

A report released today by fraud remediators Arkose Labs revealed that it isn't just the content on social media that's giving off the foul reek of fakery. The Fraud & Abuse Report found that 53% of all logins on social media sites are fraudulent. 

The report, which analyzed more than 1.2 billion transactions made between April 1, 2019, and June 30, 2019, found that 11% of all online transactions, including account registrations, logins and payments, were actually cyber-attacks. 

Attacks were found to originate globally, in both wealthy countries and developing economies. The majority of fraud attacks came from the US, Russia, the Philippines, the UK and Indonesia. 

Interestingly, the attack mix varied across industries, with some spheres more likely to suffer human-driven cyber-attacks, while others were chiefly targeted by bots. 

The technology industry stood out as heavily targeted by human click-farms and sweatshops, with almost 43% of attacks driven by humans. However, it was the retail industry that saw the highest proportion of human culprits, with a 50/50 split between attacks driven by humans and bot-led assaults.

Cyber-criminals were found to use a two-pronged approach, sending humans to work on a target after large-scale automated attacks by bots proved unsuccessful.

Commenting on the report's findings, the VP of strategy at Arkose Labs, Vanita Pandey, said: "The sophistication of the bot attacks is increasing, and the merchant is getting bombarded with attacks from bots and humans at the same time.

"These criminals have unlimited technology and identities are widely available; the only limited resource is humans to hire to do the attacks."

Shockingly, 46% of all payment transactions for travel were found to be fraudulent, as were almost 10% of all login attempts on travel sites. 

Seasonality played a role in the results for the financial services industry, with a peak in the volume of attacks observed during high-traffic periods, like the US tax season. 

Indicating that peaks in the volume of attacks may be useful in helping to identify future breaches, Pandey stated: "We saw an increase in the number of attacks in what we later realized was the lead up to a big breach announcement."

Source: Information Security Magazine

Malicious Android App Makes Double Debut On Google Play

Open-source Android spyware has appeared twice on Google Play.

Research conducted by ESET discovered the first known instance of spyware based on the open-source espionage tool AhMyth lurking within a radio app available on Google Play. The app in question is Radio Balouch, detected as Android/Spy.Agent.AOX.

On the surface Radio Balouch functions as an internet radio app dedicated to playing the music of the Baloch people, who inhabit Iran, Afghanistan and Pakistan. However, an investigation led by ESET researcher Lukas Stefanko found that the app had been created as a way to spy on people who downloaded it. 

While listeners were enthralled by the sounds of the suroz and the benju, the spyware hidden in the app went to work stealing contact information and harvesting files stored on the devices affected.  

ESET sent a report to Google detailing its discovery. Google's security team removed the malicious Radio Balouch app within 24 hours, but 10 days later it had been re-posted on Google Play by the original developer.

Stefanko said: “We also detected and reported the second instance of this malware, which was then swiftly removed. However, the fact that Google let the same developer post this evident malware to the store repeatedly is disturbing." 

The Radio Balouch app first appeared on Google Play on July 2. It returned on July 13 and was again swiftly removed. The app was installed by over 100 people each time it was posted on Google Play. 

Radio Balouch may be the first app containing open-source Android spyware to make it onto Google Play, but it's unlikely to be the last. Judging from how easily the app returned to Google Play after being removed, Google may wish to put in place some more stringent security measures. 

“Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may soon appear on Google Play,” said Stefanko. 

Radio Balouch may have ended its brief fling with Google Play, but it is still available on alternative app stores. 

ESET stated: "It has been promoted on a dedicated website, via Instagram, and YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response.” 

Source: Information Security Magazine

US Makes 80 Arrests Over $46 Million Online Fraud

US authorities have charged 80 members of a Nigerian-based crime ring in connection with online scams designed to swindle victims around the world out of $46 million.

A 145-page indictment lists 252 charges against the 80 suspects, who are mostly Nigerian nationals. Charges of aggravated identity theft, conspiracy to launder money and conspiracy to commit fraud have been brought against all of the accused.

Speaking at a press conference held earlier today, US attorney Nick Hanna described the fraud as "one of the largest cases of its kind in US history."

Nigerian-born Valentine Iro and Chukwudi Christogunus Igbokwe were named as co-conspirators who allegedly worked alongside people in Nigeria and in the US to dupe victims into transferring money overseas. 

Iro and Igbokwe, who were arrested in the US, are accused of fraudulently getting their mitts on $6 million as part of a larger conspiracy intended to bag a cool $46 million.  
 
The internet scams at the center of this case promised victims romance or riches in return for financial assistance. 

The case began when a single bank account aroused the suspicions of the FBI back in 2016. The investigation expanded to include numerous victims around the world.

One woman in Japan fell victim to the scammers after becoming a digital pen pal on an international social network. The woman, who is referred to in court papers as F.K., was fooled into thinking she had found love with a US Army captain stationed in Syria. 

Over the course of a fictitious 10-month online romance, F.K. sent daily messages to Cpt. Terry Garcia and $200,000 to help him smuggle diamonds out of the country. Neither Garcia nor the stash of diamonds turned out to be real.

F.K. was left heartbroken and virtually bankrupt after borrowing money from her friends, her sister and even her ex-husband.

F.K. and other victims in this case were tricked by sophisticated versions of the Nigerian prince scam, also known as the 419 scam after the section of the Nigerian criminal code that covers fraud.

Despite being almost as old as email, 419 scams are effective because they exploit vulnerabilities in humans. And they are likely to remain so unless technology can find a bug fix for greed or love.

Source: Information Security Magazine

#OSSUMMIT: Confidential Computing Consortium Takes Shape to Enable Secure Collaboration

At the Open Source Summit in San Diego, California on August 21, the Linux Foundation announced the formation of the Confidential Computing Consortium. Confidential computing is an approach that keeps data protected while it is being processed, enabling organizations to share data and collaborate while still maintaining privacy. Among the initial backers of the effort are Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom and Tencent.

“The context of confidential computing is that we can actually use the data encrypted while programs are working on it,” John Gossman, distinguished engineer at Microsoft, said during a keynote presentation announcing the new effort.

Initially there are three projects that are part of the Confidential Computing Consortium, with an expectation that more will be added over time. Microsoft has contributed its Open Enclave SDK, Red Hat is contributing the Enarx project for Trusted Execution Environments and Intel is contributing its Software Guard Extensions (SGX) software development kit.

Lorie Wigle, general manager, platform security product management at Intel, explained that Intel has a capability built into some of its processors, Software Guard Extensions (SGX), which essentially provides a hardware-based means of protecting an area of memory.

“You can think of it as a trusted execution environment,” she said. “In that trusted execution environment, the hardware protection is there for both the data as well as the code.”

Wigle noted that as there is a move toward increasing use of artificial intelligence, people care about the privacy of data, but are also interested in protecting their own proprietary algorithms as well, since a lot of the time, that’s where the intellectual property resides.

While Intel’s SGX is a hardware-level capability, Microsoft’s Open Enclave SDK is designed to make it easier for users to get up and running with confidential computing. Gossman emphasized that the Open Enclave effort is all about making confidential computing accessible.

“This is middleware; it provides application portability and makes it easier to write applications that run across different devices and even into the cloud,” Gossman said.

The promise of confidential computing is already finding multiple use cases, according to Wigle. She said that, for example, collaboration is already happening with healthcare data, where sensitive data can be shared safely in a way that is helping to potentially unlock new innovations.

“We live in a world where a lot of times convenience and privacy are at tension with each other and this is a capability that has a promise of letting us have it all,” Wigle said. “However, we do need to cooperate with others to make that happen.”

Gossman explained that fundamentally what confidential computing can enable is transactions and collaboration between multiple parties that don’t necessarily entirely trust each other, yet still want to work with each other.

The overall promise of confidential computing could potentially be transformational in ways that aren’t yet known, which is one of the reasons why the Linux Foundation has helped to facilitate the creation of the new consortium.

“We're really excited about this effort,” said Jim Zemlin, executive director of the Linux Foundation. “We do think this is something that can improve security and privacy for all of us.”

Source: Information Security Magazine