Intelligent Connections. Recruiting Integrity.
Call Us: 415-510-2973

Archive for the News Category

US Girl Scouts Launch First National Cybersecurity Challenge

US Girl Scouts Launch First National Cybersecurity Challenge

Girls across the United States of America will take part in the country's first ever National Girl Scouts Cyber Challenge tomorrow. 

Over 3,000 girls have signed up to practice their cybersecurity skills by solving a hypothetical ransomware attack on a moon base. Participants will form an incident response team that must find out who hacked the system and how they did it.

The adrenaline-filled simulation will incorporate both “plugged” stations that will require the girls to utilize traditional coding and hacking skills on laptops and tablets, as well as “unplugged” stations where they must solve written codes. 

The exciting event will allow girls to gain first-hand experience of how coding and cybersecurity are applied in the real world. No prior cybersecurity experience is necessary to take part, as organizers hope to inspire girls who haven't ever tried their hand at cybersecurity to give it a go and see if they like it. 

The challenge is being piloted at participating councils in Georgia, Colorado, Maryland, Texas, California, Arizona, Alabama, Ohio, Massachusetts, and Florida. If it proves successful, Girl Scouts of the USA (GSUSA) plans to roll the event out to all 111 of their councils.  

Presenting the challenge is US defense contractor Raytheon, which in November 2018 committed to a multi-year partnership with GSUSA to encourage girls to pursue computer science careers. Last year, with Raytheon's support, GSUSA launched its first ever national computer science program for middle and high school girls.

A spokesperson for Raytheon said: "Our future needs innovators, engineers and cybersecurity experts and we're finding them right here in today's Girl Scouts. They are cracking cyber challenges while fulfilling their potential. 

"Thanks to events like the Girl Scouts Cyber Challenge brought to you by Raytheon, more girls are seeing themselves as tomorrow’s innovators, engineers, cybersecurity experts and tech leaders."

A spokesperson for GSUSA said: "Raytheon is collaborating with Girl Scouts to help close the gender gap in STEM fields by helping prepare girls to pursue careers in fields like cybersecurity, computer science, artificial intelligence, and robotics. 

"Together, Raytheon and Girl Scouts are reaching girls during formative school years, where research shows peer pressure can sometimes deter girls from pursing their interest in STEM." 

Source: Information Security Magazine

Italians Rocked by Ransomware

Italians Rocked by Ransomware

Italy is experiencing a rash of ransomware attacks that play dark German rock music while encrypting victims' files. 

The musical ransomware, called FTCode, was detected by security analysts at AppRiver in malicious email campaigns directed at Italian Office 365 customers. 

Targeted inboxes have received emails with malicious content posing as resumes, invoices, or documents scans. The emails include a Visual Basic script (.vbs) file that downloads and blasts out Rammstein hits while encrypting files on the victim's computer. 

"The .vbs file initially launches PowerShell to download and play an mp3 file from archive.org. At first glance, we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix," wrote AppRiver researchers.

As victims are treated to rousing renditions of "Du Hast" and "Engel," the script reaches out to a different domain to pull down a Jasper malware loader. This .vbs file enables threat actors to load additional malware of their choosing.

Once the files on the user's computer have been encrypted, a note is left on the victim's desktop, directing the user to download, install, and visit an onion site for further instructions. 

In an attempt to establish trust with the user and show that decryption is actually possible, the onion site offers the visitor a chance to test file decryption with one file before they pay the full ransom. 

The cost of the ransom is set at $500 if paid within the first three days, after which it rapidly increases to $25,000. 

David Pickett, security analyst at AppRiver, warned users not to take risks on links sent by strangers and to be particularly wary of any content that asks to be enabled. 

He said: "Users should be vigilant to never click on or open unsolicited links or documents, especially with file types they aren’t familiar with, such as script files (.vbs, .js, .ps1, .bat, etc.).  

"Any Office file that, once opened, urges the user to Enable Content or Enable Editing should be treated with the utmost caution and verified from the sender out of band before doing so. If the file is malicious, enabling content or editing disables Microsoft’s protected view and can allow a malicious payload contained within to execute."  

Source: Information Security Magazine

Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack

Baltimore Doubles Up on Cyber-Insurance Following Ransomware Attack

Five months on from a ransomware attack that brought the city to its knees, Baltimore has purchased cyber-insurance for the first time.

On May 7, Baltimore became the second US city to fall victim to a new strain of ransomware called RobbinHood. The attack took all the city's servers offline with the exception of essential services. As a result, real estate transactions were suspended, water billing was disrupted, and city employees were unable to access key documents and email. 

While Baltimore's mayor, Bernard C. "Jack" Young, won praise for not paying hackers the $76,000 ransom they demanded to decrypt the files affected by the attack, the city now faces a massive recovery bill. So far, the attack is estimated to have cost the city $18m in direct costs and lost or delayed revenue, and the figure is expected to rise. 

In a bid to protect itself from future threats, on Wednesday Baltimore approved not one but two cyber-insurance policies, each of which offers $10m in liability coverage and has a $1m deductible. 

After a competitive bidding process involving 17 different carriers, Baltimore opted to purchase a plan from Chubb Insurance costing $500,103 in premiums and a second plan from AXA XL Insurance for $335,000. Each policy will provide the city with coverage against cyber-attacks for a period of one year. 

Lester Davis, a spokesman for Mayor Young, said: "The city is going to reassess every year. They will have to go through this process again when the terms are nearing maturity."

Mayor Young said that having cyber-insurance did not dictate how Baltimore would respond to future cyber-attacks. 

Asked whether the city was more likely to pay hackers now that it had coverage, Young said: "I would talk to my team and decide that way."

Frank Johnson, who was Baltimore's chief information officer at the time of the attack, stepped down permanently from the role earlier this month after being placed on unpaid leave in September. Todd Carter, who was acting as interim CIO for the city, has now taken on the CIO position full time. 

Source: Information Security Magazine

UK Government Announces Major New Cybersecurity Partnerships

UK Government Announces Major New Cybersecurity Partnerships

The UK government has revealed it is working with chip-maker Arm on a £36m initiative to make more secure processors.

Although details are few and far between at this stage, the government claimed that the project could help to protect more UK businesses from remote cyber-attacks and breaches, while boosting new business opportunities and productivity.

According to the government’s own data, around 60% of mid-sized and 61% of large businesses in the UK have suffered a cyber-attack or breach over the past year.

The Arm tie-up is part of the government’s Digital Security by Design initiative, also backed by Microsoft and Google.

"Achieving truly robust security for a world of a trillion connected devices requires a radical shift in how technology companies approach cyber-threats. Research into new ways of building inherently more cyber-resilient chip platforms is critical,” explained Arm chief architect, Richard Grisenthwaite.

“Our first step is to create prototype hardware, the Morello Board, as a real-world test platform for prototype architecture developed by Arm that uses the University of Cambridge’s CHERI protection model. It will enable industry and academic partners to assess the security benefits of foundational new technologies we’re making significant investments in.”

Alongside this push, the government announced a further £18m through its Strategic Priorities Fund, designed to help tackle online fraud, privacy abuses and misinformation online.

The government also announced six new “prosperity partnerships” — a £40m project designed to bring public and private sector bodies together with academia to develop emerging technologies. On board so far are Jaguar Land Rover, Eli Lilly and Company, Toshiba Research Europe, Microsoft, M Squared Lasers, Siemens and Nikon.

The first partnership, announced today, is between Toshiba Research Europe, University of Bristol, GCHQ and Roke Manor Research and will aim to develop more resilient wireless networks to tackle financial extortion, terrorism and destructive attacks.

“Secure Wireless Agile Networks (SWAN) and the wider Prosperity Partnership initiatives bring together a cadre of engineers from industry, government and academia with invaluable commercial insights and in-depth technical skills capable of delivering holistic solutions for a productive, healthy, resilient and connected nation,” said professor Mark Beach of the University of Bristol.

"This UKRI scheme uniquely brings together partnerships who are ideally positioned to deliver technology for the wider benefits of society."

Source: Information Security Magazine

New US Privacy Bill Would Intro Jail Time for CEOs

New US Privacy Bill Would Intro Jail Time for CEOs

A US senator has introduced a new privacy bill which he claims goes further than the EU’s GDPR, introducing prison sentences for culpable CEOs.

Introduced by Ron Wyden, the Mind Your Own Business Act would create a national “Do Not Track” system enabling consumers to stop companies from tracking them online, selling or sharing their data, or targeting ads based on personal information.

Like the GDPR, it would issue maximum fines of up to 4% of annual revenue to non-compliant firms, but unlike the EU law, could also levy 10-20 year criminal sentences for executives who knowingly lie to the FTC.

“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” Wyden said.

“I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.”

Other provisions in the bill include: the levying of new tax penalties on CEOs who lie about privacy protections; a requirement for firms to conduct privacy assessments on the algorithms that process consumer data; and the establishing of new privacy and cybersecurity standards.

However, it’s unlikely the legislation will become law. In the meantime, states are enacting their pwn privacy laws, with California leading the way.

Source: Information Security Magazine

A New Strain of Malware Is Terrorizing Docker Hosts

A New Strain of Malware Is Terrorizing Docker Hosts

For the first time in history, researchers have discovered a crypto-jacking worm that spreads via unsecured Docker hosts. 

Researchers at Unit 42 said that the new strain of malware has spread to more than 2,000 Docker hosts by using containers in the Docker Engine (Community Edition).

The new worm has been named Graboid after the fictional subterranean sandworms that made a fairly poor show of hunting humans in nineties flick Tremors. Just like its onscreen predecessors, the Graboid is quick but relatively incompetent. 

Graboid is designed to work in a randomized way that researchers said holds no obvious benefits. The malware carries out both worm-spreading and crypto-jacking inside containers, picking three targets at each iteration.

Researchers wrote: "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior. 

"If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts." 

Graboid doesn't hang around for long, mining cryptocurrency Monero for an average of just over four minutes before picking new vulnerable hosts to target. The worm works by gaining an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host. 

Researchers warned that Graboid's nip could potentially turn into a powerful bite and advised organizations to safeguard their Docker hosts. 

Researchers wrote: "While this crypto-jacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored." 

Tim Erlin, VP, product management and strategy at Tripwire, advised developers to tackle security sooner rather than later. 

He said: "DevOps tends to favor velocity over security, but when you have to stop what you’re doing to address an incident like this, you’re losing the velocity gains you might have experienced by leaving security out of the DevOps lifecycle. Addressing security through incident response is the most expensive method to employ."

Source: Information Security Magazine

Imposter Emails Plague Healthcare Industry

Imposter Emails Plague Healthcare Industry

A study looking at cyber-attacks on the healthcare industry has found that 95% of targeted companies encounter emails spoofing their own trusted domain. 

To create the Protecting Patients, Providers, and Payers 2019 Healthcare Threat Report, cybersecurity company Proofpoint analyzed nearly a year’s worth of cyber-attacks against care providers, pharmaceutical/life sciences organizations, and health insurers.

Hundreds of millions of malicious emails later, it was clear to researchers that cyber-criminals were not just attacking infrastructure, but were also using email to directly target people.

Analyzing data spanning the second quarter of 2018 to the first quarter of 2019, researchers found that at each healthcare organization attacked, an average of 65 staff members were targeted. 

Researchers observed a preference for certain keywords in the spoof emails attackers sent when attempting to con money or information out of the patients and business partners of healthcare organizations. When sending emails designed to look like they came from a healthcare provider, criminals commonly used the words "payment," "request," and "urgent" in the subject line.

Healthcare organizations targeted by impostor emails received 43 messages of this type in Q1 2019—a 300% jump from a year ago and more than five times the volume in Q1 2017. Not a single organization analyzed in the study saw a decrease in impostor attacks over that period, and more than half were attacked more often in Q1 2019 than they were in Q1 2017. 

The average impostor attack spoofed 15 healthcare staff members on average across multiple messages. 

According to researchers, threat actors were adept at knowing just what to put in an email to spur healthcare staff into transferring money or sharing sensitive information.

Researchers wrote: "Attackers have grown skilled at researching their targets and using social engineering to exploit human nature. Some lures are just too well researched, expertly crafted, and psychologically potent to resist every time.

"Social engineering works because it taps into the way the human brain works. It uses deep-rooted impulses—such as fear, desire, obedience, and empathy—and turns them against you. And it hijacks your normal thought process to spur you to act on attackers’ behalf."

Morning was the attackers' favorite time to strike, with the largest volume of imposter email sent between 7 a.m. and 1 p.m. in the time zone of the targeted organization. 

Source: Information Security Magazine

Recruitment Sites Expose Personal Data of 250k Jobseekers

Recruitment Sites Expose Personal Data of 250k Jobseekers

The personal details of 250,000 American and British jobs seekers have been exposed after two online recruitment companies failed to set their cloud storage folders as private. 

Names, addresses, contact information, and career histories were compromised as a result of the oversight by US jobs board Authentic Jobs and UK retail and restaurant jobs app Sonic Jobs.

Each company stored the resumes of hopeful job applicants in cloud storage folders known as buckets. The buckets were provided by the world's biggest cloud service, Amazon Web Services (AWS), which stores data in servers connected to the internet.

Applicants' data was exposed when both companies set the privacy settings on their buckets to public instead of private. This error meant that the resume of someone who applied for a job could be viewed and also downloaded by anyone who knew the location of the buckets.

Authentic Jobs, whose client list includes accounting firm EY and newspaper the New York Times, made at least 221,130 resumes publicly accessible. A further 29,202 resumes were exposed by app Sonic Jobs, which international hotel chains Marriott and InterContinental often use to recruit new staff. 

According to Sky News, which revealed the bucket-related breaches yesterday, the total number of resumes exposed may be higher. 

After being warned of the exposure by Sky News, both companies changed their bucket settings to private. 

"We take security and privacy very seriously and are looking into how this happened," Authentic Jobs said in an email.

Security researcher Gareth Llwellyn, who discovered the bucket breaches, said: "By finding and closing these buckets we can protect people who placed their trust in these businesses and—hopefully—start drawing attention to the dangers of storing personal data in a woefully insecure manner."

Authentic and Sonic will now join Verizon, Dow Jones, GoDaddy, and WWE on a growing list of organizations that have exposed data via publicly configured AWS buckets. 

Llewellyn said that the onus is on companies to ensure the data that they store in the cloud is being stored safely.  

"Just because they leveraged a service like AWS, or even outsourced to a third party entirely, doesn't preclude them from ensuring the data entrusted to them is safe," he said.

Source: Information Security Magazine

Rogue Mobile App Fraud Soars 191% in 2019

Rogue Mobile App Fraud Soars 191% in 2019

Global fraud attacks soared by 63% from the second half of 2018 to the first six months of this year, with fake mobile applications a growing source of malicious activity, according to RSA Security.

The firm’s Quarterly Fraud Report for Q2 2019 is a useful snapshot of current trends based on detections by the vendor.

Phishing, including vishing and smishing, continues to be the biggest source of fraud — representing over a third (37%) of attacks in Q2, with attacks climbing 6% from 2H 2018 to 1H 2019.

Canada, Spain and India were the top three countries targeted by phishing, accounting for 61% of total attack volume.

However, it is attacks via rogue mobile applications that present the fastest-growing threat, soaring 191% over the same period. These attacks, which involve the spoofing of brands to trick users, now account for 29% of the total.

Elsewhere, there were also significant increases in detections of financial malware (up 80%) and social media attacks (37%).

In the e-commerce space, RSA noted that 57% of fraud transaction value in Q2 2019 came from a new device but trusted account. In online banking 88% of payment fraud attempts originated from the same combination: trusted account and new device. That is a significant increase from Q1 figures of just 20%.

This highlights the continuing popularity of account takeovers as a highly successful threat vector, RSA said.

Daniel Cohen, director of the Fraud and Risk Intelligence Unit at RSA Security, argued that digital transformation is introducing new risks that organizations must manage.

“From one-click payment buttons to mobile apps from our favorite retailers, spending our money has never been easier. However, while the growth of digital might be good for our busy schedules, it has also opened up numerous new avenues for fraudsters,” he added.

“The fact that fraud via fake mobile applications tripled in the first half of 2019 is testament to how perpetrators will constantly seek out weak points by exploiting consumers’ growing trust in mobile apps.”

Banks need to layer up protection, while consumers must play their part by understanding the tell-tale signs of phishing and taking time out to verify application publishers before downloading, Cohen advised.

Source: Information Security Magazine

World’s Largest Child Exploitation Site Shut After Bitcoin Analysis

World’s Largest Child Exploitation Site Shut After Bitcoin Analysis

Global investigators have traced Bitcoin payments to locate and shutdown the dark web’s largest child exploitation website, arrest hundreds of users and rescue dozens of abused children, according to unsealed court documents.

On March 5 2018, agents from Homeland Security Investigations (HIS), Internal Revenue Service, Criminal Investigation (IRS-CI), the UK’s National Crime Agency (NCA) and Korean National Police arrested Jong Woo Son, 23, for operating the Welcome to Video site, according to the indictment.

The raid led to the seizure of round 8TB of child exploitation videos, and the arrest of over 300 alleged users of the site, believed to be the largest of its kind in terms of material stored. They hailed from the US, UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia, and have all been charged.

Some 23 children were also rescued from abuse by users of the site in the US, UK and Spain.

The vital intelligence behind the successful operation was generated by technology which enabled investigators to trace Bitcoin payments made by users of the site — each of whom had a unique cryptocurrency address assigned on registering an account, in order to buy videos.

The site is said to have had capacity for at least one million such addresses.

Investigators used a product known as Chainalysis Reactor to analyze the flow of digital funds to and from the site, via Bitcoin exchanges.

“Because exchanges typically perform Know Your Customer (KYC) processes, many were able to provide copies of identification, addresses, and other relevant transactions associated with those accounts,” explained Chainalysis.

“While in many cases the information supplied by the exchanges was enough to identify WTV users, in other cases IRS-CI was able to combine the account information with open source intelligence and standard investigative techniques to identify users.”

The firm was also able to break down regionally-specific information for investigators to enable global arrests, it said.

Son is already serving time in South Korea where he was convicted of charges relating to the dark web site.

Source: Information Security Magazine