
Archive for the News Category

FBI: BEC Losses Surged to $1.3bn in 2018

The FBI dealt with cyber-attacks causing losses of over $2.7bn in 2018, nearly half of which were linked to Business Email Compromise (BEC) scams.

In total, there were over 20,000 victims of BEC/Email Account Compromise (EAC) last year, leading to losses of just under $1.3bn, the largest of any cybercrime type. The next largest categories were confidence fraud/romance scams ($362m) and investment fraud ($253m), according to the 2018 Internet Crime Report.

The FBI noted an increase in the number of gift card BEC scams, of the sort spotted by Agari recently. The security vendor claimed fraudsters are increasingly transferring their victims from email to mobile communications early on in the scam.

The age group losing the most money to cyber-criminals was the over-60s ($649m), followed by 50- to 59-year-olds ($495m). This could be partly explained by the continued prevalence of tech support scams, which predominantly target the elderly. There were over 14,000 reported victims last year, with losses reaching almost $39m, a 161% increase from 2017.

Elsewhere, the number of reported ransomware victims dropped from 1,783 to 1,493 cases. However, the losses incurred by these victims rose from $2.3m to $3.6m, and these estimates do not include lost business, wages, files, equipment, productivity or third-party remediation costs.

“In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents,” the report claimed.

Finally, the FBI also noted a strong surge in extortion-related attacks in 2018. The 51,000+ complaints it received accounted for losses of over $83m, a 242% increase on 2017 figures. These included DoS attacks, “hitman schemes,” sextortion, government impersonation schemes, loan schemes, and high-profile data breaches.

Source: Information Security Magazine

Online Thief Cracks Private Keys to Steal $54m in ETH

An individual or group of hackers has amassed over $54m in stolen cryptocurrency by raiding Ethereum wallets whose private keys were weak enough to guess, according to a new report.

Consultancy Independent Security Evaluators (ISE) said the attacker it has dubbed the “Blockchainbandit” took advantage of poorly generated private keys to transfer nearly 38,000 ETH out of the affected wallets into one under its control.

That was the figure as of January 13, 2018, and it may be many times greater today, the firm warned. In a test, ISE placed a dollar’s worth of ETH in a wallet derived from a weak private key and watched it transferred to the attacker within seconds.

In total, ISE said it was able to guess or reproduce 732 weak private keys in use on the Ethereum blockchain, pointing to a problem with how some wallet software generates keys.

The firm suggested that programming errors in the software generating these keys have made them easy to brute force.

It hypothesized that 256-bit private keys may have been truncated by coding mistakes, leaving far fewer bits for an attacker to search. Other possible errors suggested by the researchers included “error codes used as keys, memory reference issues, object confusion, stack corruption, heap corruption, or unchecked pre-compiled coding errors.”

It is even possible that some users were allowed to choose their own keys, the firm said.

“The bottom line is that a private key needs to be random, unique, and practically impossible to guess in a brute force attack,” argued ISE executive partner Ted Harrington.

ISE urged developers to use well-known libraries or platform-specific modules for random number generation; to use a cryptographically secure pseudo-random number generator (CSPRNG); to audit code for truncated keys; and to draw on multiple sources of entropy. It also said developers should review NIST guidance on cryptographic random number generation.
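The two recommendations above that can be turned into code, drawing keys from a CSPRNG and auditing for truncated keys, as an added example that is not code from ISE's report or from any wallet project. The secp256k1 group order is the real constant Ethereum uses; truncated_key_bug() is a hypothetical simulation of the kind of bug the article describes, and the thresholds in audit_private_key() are this example's own assumptions, not a published standard.

```python
import secrets

# Order of the secp256k1 group used by Ethereum. A valid private key is an
# integer k with 1 <= k < SECP256K1_N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def generate_private_key() -> int:
    """Draw 256 bits from the OS CSPRNG and reject values outside [1, N-1].

    Rejection sampling keeps the key uniform; reducing a value mod N instead
    would introduce a small bias towards low keys.
    """
    while True:
        k = int.from_bytes(secrets.token_bytes(32), "big")
        if 1 <= k < SECP256K1_N:
            return k


def truncated_key_bug(k: int) -> int:
    """Hypothetical bug of the kind the article describes: a 256-bit key is
    squeezed through a 32-bit integer, so only 2**32 candidates remain.
    Here only to give the audit below something to catch."""
    return k & 0xFFFFFFFF


def audit_private_key(k: int, min_bits: int = 128) -> list:
    """Heuristic checks a key-generation test suite can run on every key it mints.

    Returns a list of finding codes; an empty list means nothing obvious is wrong.
    The 128-bit threshold and the byte-pattern rule are this example's assumptions.
    """
    findings = []
    if not (1 <= k < SECP256K1_N):
        return ["out_of_range"]
    # A genuine 256-bit random value has 128 or more leading zero bits with
    # probability 2**-128, so a short bit length almost always means truncation.
    if k.bit_length() < min_bits:
        findings.append("truncated")
    # Keys built from one or two distinct byte values (0x00..01, 0xFF..FF, ...)
    # are the first thing a brute-forcer tries.
    if len(set(k.to_bytes(32, "big"))) <= 2:
        findings.append("low_entropy")
    return findings


def audit_batch(keys) -> dict:
    """Summarise findings over a batch, e.g. every key a wallet generator
    produced during a test run."""
    report = {"checked": 0, "weak": 0}
    for k in keys:
        report["checked"] += 1
        if audit_private_key(k):
            report["weak"] += 1
    return report


if __name__ == "__main__":
    good = [generate_private_key() for _ in range(1000)]
    bad = [truncated_key_bug(k) for k in good]
    print("CSPRNG keys:", audit_batch(good))       # expect weak == 0
    print("truncated keys:", audit_batch(bad))     # expect weak == 1000
    print("key 1:", audit_private_key(1))
```

The audit is a regression check for the generator, not a replacement for using a vetted library: it will catch a 32-bit truncation or a hard-coded constant, but not a subtle bias in a home-grown PRNG.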

Source: Information Security Magazine

European Parliament Approves Mass ID Database Plans

The European Parliament has approved plans for a mass identity database intended to strengthen border and internal security, although privacy concerns persist.

The Common Identity Repository (CIR) will centralize the personal information of nearly all non-EU citizens in the EU’s visa-free Schengen region, which covers most EU member states but excludes Ireland, the UK, Bulgaria, Croatia, Cyprus and Romania.

The data — which will include fingerprints, names, addresses, photos and other info — will be consolidated from five separate systems, including databases of asylum seekers, short-stay visa applicants, and those with previous criminal convictions in the EU.

The idea is that it will enhance security in the region by minimizing information gaps and silos, helping law enforcers track terrorists and serious criminals who may otherwise be able to slip across borders undetected. Data on an estimated 300 million non-EU and some EU citizens will be stored in the CIR, according to reports.

“Global law enforcement agencies and border control personnel have been sharing information about people for decades, if not centuries,” argued John Gunn, CMO at OneSpan.

“CIR is a very positive move that will simply make the methods more timely, efficient, and effective resulting in speedier cross-border travels with less hassle and in greater safety for all as those with evil intent are more easily identified and stopped.”

However, others have voiced concerns that there are not enough safeguards to protect individual freedoms, and that the database could be a major target for hackers. EU privacy advisory body the Article 29 Working Party (WP29) set these out at length in a document last year.

“Regarding the Common Identity Repository (CIR), the WP29 is of the view that the cross-matching of various sources for identification and consolidating them in a new common database for the purpose of overall identification poses an additional interference with the rights to privacy and data protection,” it said.

“The WP29 is not convinced of the necessity and proportionality to establish such a mixed-purpose identification database including biometric data. Whether identity fraud is in practice such an essential threat to the internal security of the Union as to justify the central registering of biometric identifiers of all bona fide [third country nationals] TCN travellers, migrants and asylum seekers is not yet sufficiently established in terms of proportionality and therefore remains an issue of major concern.”

Source: Information Security Magazine

Addiction Center Patients Exposed in Privacy Snafu

A large trove of personally identifiable information (PII) has been leaked by an addiction treatment center after researchers found another unsecured Elasticsearch database online.

Justin Paine, director of trust and safety at Cloudflare, blogged about his findings late last week, saying he found the database via a simple Shodan search.

As the database required no authentication, he was able to browse the 1.45GB of data. Although it contained nearly five million documents, these ultimately related to around 146,000 unique patients.

Paine traced them back to Pennsylvania-based addiction treatment center Steps to Recovery.

“A leak of PII related to 146,316 unique patients would be bad on any day. It's particularly bad when it is something as sensitive as an addiction rehab center. Given the stigma that surrounds addiction this is almost certainly not information the patients want easily accessible,” he argued.

“What could a malicious user do with this data? Based on the patient name it was simple to locate all medical procedures a specific person received, when they received those procedures, how much they were billed, and at which specific facility they received treatment.”

After a few cursory Google searches, he was also able to determine with “high confidence” a patient’s age, birthdate, address, previous addresses, family members’ names, their political affiliation, phone numbers and email addresses.

Paine contacted the firm about the exposure at the end of March but had received no response as of April 15, and there are concerns that it has still not notified patients about the risk of identity theft. A message he sent to the hosting provider was acted on, however, and access to the database was subsequently restricted.

It is just the latest in a long line of incidents involving misconfigured Elasticsearch instances; one revealed in November last year exposed the PII of nearly 82 million Americans.
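A way to check whether one of your own Elasticsearch nodes answers anonymous requests, as an added example that is not Paine's tooling or anything from the article. classify() inspects the response to an unauthenticated GET of /_cat/indices?format=json, which is a real Elasticsearch endpoint; the three sample responses are constructed to match its shape, not captured from the incident. check_exposure() is the live probe, for hosts you are authorised to test.

```python
import json
import socket
import urllib.error
import urllib.request

# Constructed sample responses shaped like Elasticsearch output (not captured
# from any real host): an open node, a node with security enabled, and
# something else listening on the port.
SAMPLE_OPEN = (200, json.dumps([
    {"index": "patients", "docs.count": "4998000", "store.size": "1.4gb"},
    {"index": "billing", "docs.count": "12000", "store.size": "9mb"},
]))
SAMPLE_AUTH = (401, '{"error":{"type":"security_exception",'
                    '"reason":"missing authentication credentials"}}')
SAMPLE_OTHER = (200, "<html>not elasticsearch</html>")


def classify(status: int, body: str) -> dict:
    """Decide what an anonymous GET /_cat/indices?format=json tells us.

    exposed - indices listed with no credentials: anyone who can reach the
              port can read (and usually write) every document
    auth    - the node demands credentials (X-Pack security or a proxy)
    unknown - reachable but not answering like Elasticsearch
    """
    if status == 401:
        return {"state": "auth", "indices": [], "docs": 0}
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return {"state": "unknown", "indices": [], "docs": 0}
        if isinstance(data, list) and all(isinstance(d, dict) and "index" in d
                                          for d in data):
            names = [d["index"] for d in data]
            docs = sum(int(d.get("docs.count", 0) or 0) for d in data)
            return {"state": "exposed", "indices": names, "docs": docs}
    return {"state": "unknown", "indices": [], "docs": 0}


def check_exposure(host: str, port: int = 9200, timeout: float = 3.0) -> dict:
    """Live probe of one host from outside its network. Returns classify()'s
    dict, or state 'closed' if nothing answers (the result you want)."""
    url = f"http://{host}:{port}/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.getcode(), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return {"state": "closed", "indices": [], "docs": 0}


if __name__ == "__main__":
    import sys
    for label, sample in [("open", SAMPLE_OPEN), ("auth", SAMPLE_AUTH),
                          ("other", SAMPLE_OTHER)]:
        print(label, "->", classify(*sample))
    if len(sys.argv) > 1:                      # python es_check.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 9200
        print(sys.argv[1], "->", check_exposure(sys.argv[1], port))
```

Anything other than "closed" or "auth" from an internet-facing address is the misconfiguration in the article. The fix on the node side is to bind network.host to a private interface and enable authentication, rather than relying on nobody finding the port; Shodan indexes it within hours.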

Source: Information Security Magazine

Cyber Readiness Worsens as Attacks Soar

The number of organizations in Europe and the US that have been hit by a cyber-attack over the past year has soared to over three-fifths (61%), according to a new report from Hiscox.

The global insurer today released the results of its Hiscox Cyber Readiness Report 2019, which is compiled from interviews with over 5,300 cybersecurity professionals in the US, UK, Belgium, France, Germany, Spain and the Netherlands.

It revealed a sharp increase in the number of firms suffering an attack, up from 45% in the 2018 report. In the UK, the figure rose from 40% to 55%.

There was also a rise in the number of small (from 33% to 47%) and medium-sized businesses (36% to 63%) reporting an attack, across the US and Europe.

Two-thirds of firms (65%) on average claimed to have been hit by supply chain cyber incidents.

Average losses were also up by 61%, from $229,000 last year to $369,000 this year; for large firms the figure exceeded $700,000, versus $162,000 in 2018.

Although cybersecurity spending went up by 24% over the past year to reach $1.45m, only 10% of responding organizations were classed as “experts” in terms of their cyber-readiness, with nearly three-quarters (74%) described as unprepared “novices.” Disappointingly, there was a sizeable drop in the number of large US and German firms achieving “expert” scores.

Hiscox cyber CEO, Gareth Wharton, argued that cyber-attacks have become “the unavoidable cost of doing business today.”

“This is the third Hiscox Cyber Readiness Report and, for the first time, a significant majority of firms report one or more cyber-attacks in the past 12 months. Where hackers formerly focused on larger companies, small and medium-sized firms now look equally vulnerable,” he explained.

“The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber-insurance policy.”

Source: Information Security Magazine

Singapore Responds to Recent Cybersecurity Attacks

During a visit to San Francisco, Singapore foreign affairs minister Vivian Balakrishnan commented that the country cannot "go back to pen and paper. … If people lose confidence in the integrity and security of the system, then all these aspirations cannot be fulfilled."

The comments follow information coming into the open regarding data breaches, one of which affected 14,200 individuals diagnosed with HIV up to January 2013. In a statement by the police, it was confirmed that the information was "in the possession of an unauthorized person" and had been illegally disclosed online.

The statement went on to say that the information was in the possession of Mikhy K. Farrera Brochez, a male US citizen residing in Singapore between January 2008 and June 2016. He was convicted of fraud and drug-related offences in March 2017, sentenced to 28 months in prison and deported from Singapore. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower in order to obtain and maintain his employment pass.

According to Bloomberg, Balakrishnan said the government’s response to recent cybersecurity attacks and human leaks has to be one where "it’s completely open." It follows the first meeting of the Public Sector Data Security Review Committee, which was held on April 18, 2019, according to a government statement. 

Bloomberg reported that attendees of the meeting "reviewed past data incidents" and broad approaches to raise the bar of security. The committee will submit its final report to the prime minister by the end of November 2019. 

Singapore has been trying to position itself as a "Smart Nation," with initiatives focusing on digital identity, smart urban mobility and e-payments. However, the data breaches have made many people nervous, especially given the country's stated ambitions for artificial intelligence (AI).

“The ability to deploy AI in our respective fields should be commoditized,” Balakrishnan said. “We will be one of the earliest adopters of these new technologies.”

Source: Information Security Magazine

WannaCry "Hero" Pleads Guilty to Writing Malware in US Court

Marcus Hutchins, also known as MalwareTech, has pleaded guilty in a US court to two counts of creating and spreading malware. The reverse-engineer is well known for his contribution to ending the WannaCry ransomware attacks in May 2017. 

According to Wisconsin court documents, Hutchins was charged in "10 counts of a superseding indictment." He pleaded guilty to counts one and two, saying that the US government would be able to prove that "between July 2012 and September 2016, [he] helped create and, in partnership with another, sell malicious computer code, aka malware, known as UPAS-Kit and Kronos."

Arrested in August 2017 at Las Vegas airport by the FBI, Hutchins was accused of creating and spreading the banking Trojan Kronos, followed by additional charges in June 2018 relating to developing and distributing UPAS Kit, a "modular HTTP bot" designed to install on victims’ machines without alerting AV tools. He pleaded not guilty in 2017, so the guilty plea is a complete reversal of his earlier position.

Kronos targeted banking credentials and was valued at $7,000 on the dark web.

Hutchins made a public statement in response to reports of his plea: "As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

The WannaCry attacks took place in May 2017, with Telefonica among the first victims reported. The attacks hit organizations worldwide, including the UK's National Health Service (NHS), across more than 150 countries. Hutchins registered a domain hard-coded into the malware, which acted as a kill switch and stopped the ransomware spreading further; he won an award for the discovery, with many saying the impact would have been far worse without it.

According to the Wisconsin court documents, Hutchins could face up to six years in prison and a $250,000 fine.

Source: Information Security Magazine

Password "123456" Used by 23.2 Million Users Worldwide

The National Cyber Security Centre (NCSC) has found that 42% of British internet users expect to lose money to online fraud in the next two years, according to its first UK Cyber Survey.

Released over the Easter weekend (April 21, 2019), the report also found that the most-used password from global cyber breaches was "123456," with "ashley" the most-used name as a password. The global password-risk list was published to disclose passwords already known to hackers.

Figure: survey findings from poll, NCSC

The polling was independently carried out on behalf of NCSC, a part of GCHQ and the Department for Digital, Culture, Media and Sport (DCMS). The findings, as well as 100,000 passwords already known to have been breached by hackers, were released ahead of NCSC's CYBERUK 2019 conference, which will be taking place in Glasgow this week.  These will inform government policy and guidance offered to the public.

Ian Levy, NCSC technical director, said: “We understand that cybersecurity can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.

“Password reuse is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band."

According to the NCSC's announcement, the list was compiled from breached usernames and passwords collected and published by web security expert Troy Hunt, whose Have I Been Pwned website allows people to check whether an account of theirs has been compromised in a data breach.
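How a registration or password-change form can act on the published list, as an added example that is not NCSC's or Troy Hunt's code. It combines a local blocklist check (NCSC_TOP_SAMPLE is a constructed handful of entries standing in for the 100,000-entry list) with a breach lookup using the k-anonymity scheme of Hunt's Pwned Passwords API: only the first five hex characters of the password's SHA-1 leave the client, and the match against the returned suffixes happens locally. The range response below is constructed in the service's format; the real response for that prefix has hundreds of lines.

```python
import hashlib

# Constructed slice of a k-anonymity range response for SHA-1 prefix 7C4A8,
# in the "<35-char suffix>:<count>" format the Pwned Passwords API returns.
# Counts are illustrative, not a capture of the live service.
SAMPLE_RANGE_7C4A8 = """\
D09CA3762AF61E59520943DC26494F8941B:23174662
D0A4B5E1C2F3A4B5C6D7E8F9A0B1C2D3E4F:3
DA1BC2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F:1
"""

# Constructed stand-in for the NCSC's list of 100,000 breached passwords;
# in production load the published file, lower-cased, into a set.
NCSC_TOP_SAMPLE = {"123456", "123456789", "qwerty", "password", "ashley"}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Parse a range response and return how many breaches contain the full
    hash (0 if the suffix is absent). Tolerates blank or malformed lines."""
    for line in range_body.splitlines():
        hash_suffix, sep, count = line.strip().partition(":")
        if sep and hash_suffix.upper() == suffix.upper() and count.isdigit():
            return int(count)
    return 0


def is_blocked(password: str, blocklist=NCSC_TOP_SAMPLE, range_lookup=None) -> bool:
    """True if the password is on the local blocklist or appears in breaches.

    range_lookup(prefix) must return a range response body; pass None to use
    the local list only (e.g. when the breach service is unreachable).
    """
    if password.lower() in blocklist:
        return True
    if range_lookup is not None:
        prefix, suffix = sha1_prefix_suffix(password)
        if breach_count_from_range(suffix, range_lookup(prefix)) > 0:
            return True
    return False


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range() that serves the constructed sample."""
    return SAMPLE_RANGE_7C4A8 if prefix == "7C4A8" else ""


def fetch_range(prefix: str) -> str:
    """Live lookup against the real k-anonymity API (network required)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return r.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["123456", "Ashley", "correct horse battery staple"]:
        print(repr(pw), "blocked:", is_blocked(pw, range_lookup=offline_lookup))
```

Two design points matter here: the check runs on the server at the moment the user chooses the password, not in a JavaScript validator that can be skipped, and a failure to reach the breach service should fall back to the local list rather than either rejecting everything or silently accepting anything.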

The report also found that the proportions of respondents who felt they would be a victim of cybercrime in the next two years range from 12% having information stolen and a ransom demanded to 42% who feel they will have money stolen that will later be reimbursed. Only 51% feel that apps being accessed without consent will have a big personal impact, while 91% feel having money stolen without reimbursement would have a big impact.

Other findings included: 

  • Only 15% know a great deal about how to protect themselves from harmful activity.
  • The most regular concern is money being stolen, with 42% feeling it will likely happen to them by 2021.
  • 89% use the internet to make online purchases, with 39% on a weekly basis.
  • One in three rely to some extent on friends and family for help on cybersecurity.
  • Young people are more likely to be privacy conscious and careful of what details they share online.
  • 70% always use PINs and passwords for smartphones and tablets.

Margot James, DCMS’ digital and creative industries minister, said, "Cybersecurity is a serious issue, but there are some simple actions everyone can take to better protect against hackers. We shouldn't make their lives easy, so choosing a strong and separate password for your email account is a great practical step.

“Cyber-breaches can cause huge financial and emotional heartache through theft or loss of data, which we should all endeavor to prevent."

The NCSC‘s two-day CYBERUK 2019 conference will see 2,500 delegates come to Glasgow’s Scottish Exhibition Centre on April 24 and 25 for a range of speeches, workshops and interactive displays.

Source: Information Security Magazine

Mueller Report: Individuals Deleted Data During Investigation

After two years of investigation, the report by Special Counsel Robert S. Mueller III, Report on the Investigation into Russian Interference in the 2016 Presidential Election, was released yesterday. The 448-page document examines Russian interference and whether any individuals in the US were involved.

Appointed in May 2017 as Special Counsel to the investigation, Mueller found that Russia's interference in the 2016 election included social media activity, which related back to the Cambridge Analytica exposé in March 2018, and "a Russian intelligence service conducted computer-intrusion operations against entities, employees, and volunteers working on the Clinton Campaign and then released stolen documents."

"The Internet Research Agency (IRA) carried out the earliest Russian interference operations identified by the investigation – a social media campaign designed to provoke and amplify political and social discord in the United States," says the report. "The IRA was based in St. Petersburg, Russia, and received funding from Russian oligarch Yevgeniy Prigozhin and companies he controlled.

"At the same time that the IRA operation began to focus on supporting candidate Trump in early 2016, the Russian government employed a second form of interference: cyber intrusions (hacking) and releases of hacked materials damaging to the Clinton Campaign. The Russian intelligence service known as the Main Intelligence Directorate of the General Staff of the Russian Army (GRU) carried out these operations."

Interestingly, data loss was discussed in the report as "the Office" had learned that some of the individuals they had interviewed – including some associated with the Trump Campaign – had deleted relevant communications or communicated during the relevant period using encrypted applications. In some instances this hindered the investigation, according to Mueller. 

However, the report concludes that there was not sufficient evidence to support criminal charges of conspiracy or coordination between the campaign and Russia.

"The Russian contacts consisted of business connections, offers of assistance to the campaign, invitations for candidate Trump and [Russian president Vladimir] Putin to meet in person, invitations for campaign officials and representatives of the Russian government to meet, and policy positions seeking improved US-Russian relations," says the report. "While the investigation identified numerous links between individuals with ties to the Russian government and individuals associated with the Trump campaign, the evidence was not sufficient to support criminal charges."

It is also unclear what will happen next. According to BBC News, Attorney General William Barr is facing "heavy criticism" of his handling of the report's release, with some accusing him of misleading them with an earlier summary on whether President Trump obstructed justice. 

According to USA Today, the Kremlin hit back at Mueller's investigation: The report "does not present any reasonable proof at all that Russia allegedly meddled in the electoral process in the US," said Dmitry Peskov, spokesman for Russian president Vladimir Putin.

Source: Information Security Magazine