
Archive for the News Category

Microsoft: 44 Million User Passwords Have Been Breached

Tens of millions of Microsoft customers are using log-ins that have previously been breached, putting themselves and their organization at risk of account takeover, the computing giant has revealed.

In a study running from January to March 2019, Microsoft’s threat research team checked over three billion credentials known to have been stolen by hackers, using third-party sources such as law enforcement and public databases.

It found a match for over 44 million accounts, spanning Microsoft Services Accounts, used primarily by consumers, and Azure AD accounts, which is the more worrying finding for businesses.

“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” it explained.
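The screening the article describes (compare each credential against a corpus of known-stolen ones, then force a reset on a match) can be shown in working code. The following is an added example, not Microsoft's pipeline: the leaked-password corpus is constructed, and the lookup models the k-anonymity range query used by the Pwned Passwords service (the client sends the first five hex characters of a SHA-1 hash and receives every matching suffix), so the full password never leaves the checking client.

```python
"""Screening a submitted password against a leaked-credential corpus.

Added example, not Microsoft's code. The corpus below is constructed and the
lookup models a k-anonymity "range" query (hash prefix in, suffixes out).
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed corpus of passwords "known" to be leaked, with occurrence counts.
LEAKED_PASSWORDS = {"password": 3_000_000, "123456": 5_000_000, "letmein": 200_000, "qwerty": 900_000}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form breach corpora such as Pwned Passwords use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the corpus by 5-hex-char hash prefix -> [(35-char suffix, count), ...]."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Stand-in for the remote range endpoint: the caller reveals only 5 hex characters."""
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str,
                 lookup: Callable[[str], List[Tuple[str, int]]] = range_lookup) -> int:
    """How many times the password appears in the corpus; 0 means no match."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for candidate_suffix, count in lookup(prefix):
        if candidate_suffix == suffix:       # compare the full hash, never just the prefix
            return count
    return 0


def screen_credential(username: str, password: str, enterprise: bool) -> dict:
    """Map a match to the two outcomes the article describes: a forced reset for a
    consumer account, a raised user-risk level plus admin alert for an enterprise one."""
    seen = breach_count(password)
    if seen == 0:
        return {"user": username, "breached": False, "action": "allow"}
    action = "elevate_risk_and_alert_admin" if enterprise else "force_password_reset"
    return {"user": username, "breached": True, "seen": seen, "action": action}
```

Two details matter in practice: the match is decided on the full hash suffix on the client side, so a prefix collision with an unrelated leaked password does not produce a false positive, and the password itself is hashed before anything is looked up, so the corpus (or a remote service) only ever sees a hash fragment.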

“Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture.”

Microsoft claimed that 99.9% of identity attacks can be mitigated by turning on MFA.

The advice is especially important in the context of ongoing credential stuffing attacks. A report from Akamai earlier this year claimed that such attacks cost the average EMEA firm $4 million annually in app downtime, lost customers and extra IT support.

Credential stuffing attacks have already struck far and wide this year, affecting organizations such as TfL, OkCupid, TurboTax and many more.

A 2018 study of around 30 million users found that password reuse was common among over half (52%), while nearly a third (30%) of modified passwords were easy to crack within just 10 guesses.

A Google poll of 3000 computer users released earlier this year found that just a third (35%) use a different password for all accounts, and only a quarter (24%) use a password manager.

Source: Information Security Magazine

US Family Loses Life Savings in Money Mule Email Scam

The Federal Bureau of Investigation has issued a warning after a family from Oregon lost their life savings in a business email compromise scam involving money mules.

Aaron Cole and his wife decided to move into a bigger house after welcoming two children into their family. The couple sold their existing home, and the title company told them they would be in touch soon with instructions for making the down payment on their new house. 

Aaron's wife received an email on December 4, 2018, from what appeared to be the title company and sent $122,850 to the account number provided in the message. A few days later, Aaron received a phone call from the title company to inform him it was time to wire the down payment.

An FBI spokesperson said: "The Coles had been the victims of a business email compromise scam and had wired their money to a criminal who had spoofed the title company’s email address and sent them fake wire instructions. Their down payment had been funneled into one account and then broken up and sent to four other banks."

After falling victim to the scam, the Cole family was left in a situation where they couldn't make the down payment on their new house and had fewer than three weeks to vacate their current home. 

"When this happened, I couldn’t come up with the words to tell my wife," said Aaron Cole.

"The equity in the house was our way to move forward. I put myself back 15 years."

Generously, the title company stepped in and offered to cover their down payment in exchange for the Cole family's help in highlighting the problem of business email compromise. 

Last year, the FBI’s Internet Crime Complaint Center (IC3) received more than 20,000 complaints from victims of business email compromise alone. These victims reported losses of more than $1.2bn. 

The cyber-criminals who stole from the Coles were assisted by the actions of money mules—people who knowingly or unwittingly transfer funds on behalf of, or at the direction of, someone else. 

Yesterday the FBI issued an advisory to the general public to be wary of any unsolicited emails or other communications containing a job offer promising easy money or a request to open a bank account in another person’s name or in the name of a business created by someone else. 

Extreme caution was also advised to anyone who receives an electronic request for money from a loved one.

Source: Information Security Magazine

Data Breach at Nebraska Medicine an Inside Job

Nebraska Medicine has suffered a data breach after an employee accessed patients' medical records for almost three months without authorization or any legitimate clinical reason. 

A routine audit of the medical record system conducted in October of this year revealed the privacy violation, which occurred over the summer of 2019. 

The employee first accessed patients' records without authorization on July 11. The access continued until October 1, when the audit was carried out. 

After discovering what was going on, Nebraska Medicine took steps to prevent any further unauthorized access, including terminating the employee in question the day after the violation was detected. 

Patients whose data had been compromised were notified by letter. Information accessed by the now former Nebraska Medicine employee included names, birth dates, addresses, medical record numbers, Social Security numbers, driver’s license numbers, clinical information, lab imagery, and notes from physicians.

In a statement released on Tuesday, Nebraska Medicine said: "Once Nebraska Medicine became aware of the incident, our staff took action to investigate, prevent further improper access, and to notify affected patients. We have no reason to believe the information accessed has been or will be misused.

"In cases where the Social Security number or driver’s license was accessible, we are offering credit monitoring for a full year, at no cost to the affected patients."

In a letter sent to patients affected by the breach, privacy officer Debra Bishop apologized for the breach and offered assurance that steps had been taken to prevent a similar incident from happening.

Bishop wrote: "This individual no longer works for Nebraska Medicine and no longer has access to Nebraska Medicine systems. To help prevent something like this from happening again, we are continuing to regularly audit our electronic medical record system for potential unauthorized activity, and are retraining staff about appropriate access of patient information."
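The "regular audit" Bishop describes is, in practice, a query over the EHR's access log for chart reads that have no matching treatment relationship. The following is an added example, not Nebraska Medicine's tooling; the log lines, care-team table, exempt roles and user names are all constructed.

```python
"""Flagging EHR chart accesses with no documented treatment relationship.

Added example, not Nebraska Medicine's audit tooling. The access log and the
care-team table are constructed; real systems derive the treatment relationship
from scheduling, admission and order data rather than a hand-written dict.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed audit-trail lines: timestamp, user, patient record number, action.
ACCESS_LOG = [
    "2019-07-11T09:14:02 jdoe P1001 view_chart",
    "2019-07-11T09:20:45 jdoe P1002 view_chart",
    "2019-07-11T10:02:11 asmith P1001 view_chart",
    "2019-07-12T14:33:09 jdoe P1003 view_labs",
    "2019-08-03T08:05:57 jdoe P1004 view_chart",
    "2019-09-30T17:45:30 jdoe P1005 view_notes",
    "2019-10-01T07:12:40 asmith P1002 view_chart",
]

# Constructed care teams: which staff have a treatment relationship with each patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"jdoe", "asmith"},
    "P1002": {"asmith"},
    "P1003": {"asmith"},
    "P1004": {"asmith"},
    "P1005": {"asmith"},
}

# Constructed list of accounts allowed to open any chart (e.g. coding/HIM staff).
EXEMPT_USERS = {"him_coder"}


def parse_line(line: str):
    ts, user, patient, action = line.split()
    return datetime.fromisoformat(ts), user, patient, action


def find_unauthorized(log_lines: List[str], care_team: Dict[str, Set[str]]) -> List[dict]:
    """Each access where the user is neither on the patient's care team nor exempt."""
    findings = []
    for line in log_lines:
        ts, user, patient, action = parse_line(line)
        if user in EXEMPT_USERS or user in care_team.get(patient, set()):
            continue
        findings.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return findings


def summarize(findings: List[dict]) -> Dict[str, dict]:
    """Per-user count, distinct patients and date span: what a privacy officer triages."""
    by_user = defaultdict(list)
    for f in findings:
        by_user[f["user"]].append(f["ts"])
    return {
        user: {
            "count": len(stamps),
            "patients": len({f["patient"] for f in findings if f["user"] == user}),
            "first": min(stamps).date().isoformat(),
            "last": max(stamps).date().isoformat(),
        }
        for user, stamps in by_user.items()
    }
```

The check is only as good as its cadence: run quarterly, it yields the eleven-week exposure window described above; run nightly with an alert on the first hit, the same logic would have surfaced the activity the morning after July 11. Emergency ("break the glass") access and float staff will show up as false positives unless those events are recorded and joined in, which is why real audits pull the treatment relationship from the scheduling and admission systems rather than a static table.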

Nebraska Medicine operates two major hospitals and 40 outpatient clinics in the Omaha area and has an international reputation for providing bone marrow and stem cell transplantation services. In 2006, Nebraska Medicine performed the first "frozen elephant trunk" heart procedure, otherwise known as open stent grafting, in the United States.

Source: Information Security Magazine

Vulnerabilities Discovered in VPN Used by NASA

A virtual private network (VPN) used by NASA, Shell, and BT has been found to have multiple vulnerabilities. 

Weaknesses in the Aviatrix VPN were detected by Immersive Labs researcher and content engineer Alex Seymour on October 7, 2019. 

The multiple local privilege escalation vulnerabilities Seymour discovered would have allowed an attacker who already had access to a machine to escalate their privileges to those of the VPN client's privileged back-end service. With that level of access, the attacker could reach files, folders and network services that the original user account could not.

The discovery comes just two months after the US National Security Agency (NSA) and the UK's National Cyber Security Centre (NCSC) both issued warnings about state-sponsored attacks exploiting vulnerabilities in enterprise VPN products.

Alex Seymour said: "Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it. 

"People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry."

Aviatrix took swift action to address the issue, releasing a patch, v2.4.10 on November 4.

"Users should install the new patch as soon as possible to ensure there is no exploitation in the wild," said Seymour.

A spokesperson for Immersive Labs said that Aviatrix has been responsive and open to discussion after the vulnerabilities were disclosed and had taken on board advice on how to resolve the issue.

"The changes made to resolve the issue were timely and well implemented. They have kept communication open throughout the disclosure process, remaining positive and showing that they take the security of their customers and product seriously," said the Immersive Labs spokesperson. 

Seymour's suspicions were aroused when he noticed verbose console output after starting the Aviatrix VPN client on a Linux machine. The last two lines of that output indicated that two local web servers were started when the VPN was launched.

Weak file permissions on the installation directory on Linux and FreeBSD made it possible for any local user to modify the shell scripts the client runs when a VPN connection is established or terminated. Because the back-end service invokes the "OpenVPN" command with elevated privileges, those scripts ran with the same elevated privileges, so a local user who edited one could have their own commands executed at that level the next time a connection came up or went down.
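The weakness is a standard one: a file that a privileged process executes, sitting in a location that unprivileged users can write. The following added example, not Aviatrix's or Immersive Labs' code, builds a constructed stand-in for such an install tree, finds the exposed hook script the way a preflight check would, and clears the offending write bits. The directory layout, script names and modes are assumptions for the demonstration.

```python
"""Auditing an install directory for scripts that unprivileged users can edit.

Added example, not Aviatrix's or Immersive Labs' code. The directory it scans is
constructed on the fly as a stand-in for a VPN client install tree: hook scripts
that a privileged service runs when a tunnel comes up or goes down.
"""
import os
import stat
import tempfile
from typing import List

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_non_owner(path: str) -> bool:
    """True if the group or world write bit is set on the file or directory."""
    return bool(os.lstat(path).st_mode & OTHERS_WRITE)


def audit_privileged_tree(install_dir: str) -> List[str]:
    """Every path under install_dir that a non-owner could modify.

    A writable directory is reported too: even with a read-only script inside,
    anyone who can write the directory can rename the script and drop in a new one.
    """
    findings: List[str] = []
    for root, dirs, files in os.walk(install_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            if writable_by_non_owner(path):
                findings.append(path)
    return sorted(findings)


def harden(install_dir: str) -> List[str]:
    """Clear group/world write bits on everything the audit flagged; return what changed."""
    fixed = []
    for path in audit_privileged_tree(install_dir):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~OTHERS_WRITE)
        fixed.append(path)
    return fixed


def build_demo_install() -> str:
    """Constructed install tree: one correctly protected hook script, one exposed."""
    base = tempfile.mkdtemp(prefix="vpn-demo-")
    hooks = os.path.join(base, "hooks")
    os.mkdir(hooks)
    os.chmod(hooks, 0o755)
    for name, mode in (("up.sh", 0o755), ("down.sh", 0o777)):   # 0o777 is the defect
        path = os.path.join(hooks, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho 'tunnel hook'\n")
        os.chmod(path, mode)
    return base
```

On a real system the audit should additionally require root ownership of every file the service executes, since a file owned by an ordinary user is writable by that user regardless of the mode bits; that check is left out here only because the demonstration tree is created by whoever runs it. Run against the actual install path (as the package's post-install step, or from configuration management), the same walk is the check that would have caught the defect before a release shipped.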

Source: Information Security Magazine

Lib Dems, Labour and SNP 'Ahead' on Election Security

Security researchers are warning UK voters to be on their guard after revealing that most of the country’s political parties still don’t have best practice email security measures in place to mitigate fraud risks.

RedSift analyzed the UK's 13 main political parties ahead of a tense General Election on December 12, in which the direction of the country could finally be decided after three years of Brexit-related uncertainty.

It found that just three, the Liberal Democrats, Labour and the Scottish National Party (SNP), had a valid DMARC policy. Domain-based Message Authentication, Reporting and Conformance (DMARC) is recommended by security experts as a key control against phishing and other attempts to spoof a domain's email.

While it's best used in combination with other layered security measures, DMARC lets receiving mail servers check that a message claiming to come from a domain passes SPF or DKIM for that same domain, and tells them what to do with mail that fails, which is why the UK government mandated its use for departments back in 2016, with the US following two years later.

According to RedSift’s research, the Conservative Party, the Brexit Party and many others are exposing voters to potentially fraudulent email communications.

“This insight into political party cybersecurity is particularly concerning given that the National Cyber Security Centre, an organization that’s part of the UK government, mandated back in 2016 that all government bodies should implement DMARC so all email traffic can be monitored for malicious activity,” argued RedSift co-founder, Randal Pinto. “It’s a sorry state of affairs that three years on, voters still can’t be sure whether political pledges and requests for support are originating from credible candidates.”

Even the three parties that currently have valid DMARC policies in place can do more. They need to move to a p=reject policy: with p=none the domain owner only receives reports about spoofed mail, and with p=quarantine failing messages are typically delivered to spam folders, whereas p=reject tells receivers to refuse them outright so they never reach prospective voters.
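Both the money-mule story above (a title company's address spoofed in a wire-instruction email) and RedSift's findings come down to whether a domain publishes a DMARC record and what policy it carries. The following added example, not RedSift's tooling, parses DMARC TXT records and grades them the way an outside assessment would. The domains and records are constructed for the demonstration and are not any party's real records.

```python
"""Parsing and assessing DMARC records.

Added example, not RedSift's tooling. The records below are constructed for
hypothetical domains; none is a real party's record.
"""
from typing import Dict, List

SAMPLE_RECORDS: Dict[str, List[str]] = {
    "party-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@party-a.example; pct=100"],
    "party-b.example": ["v=DMARC1; p=none; rua=mailto:reports@party-b.example"],
    "party-c.example": [],                                                   # no _dmarc TXT record at all
    "party-d.example": ["v=DMARC1; sp=reject; rua=mailto:x@party-d.example"],  # required p= tag missing
    "party-e.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=reject"],       # two records: receivers use neither
    "party-f.example": ["v=spf1 include:_spf.example -all"],                   # an SPF record, not DMARC
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into an insertion-ordered dict (the first tag must be 'v')."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records: List[str]) -> dict:
    """Decide whether a domain has a usable DMARC policy and how strong it is."""
    if not records:
        return {"valid": False, "policy": None, "reason": "no DMARC record published"}
    if len(records) > 1:
        return {"valid": False, "policy": None, "reason": "multiple DMARC records (receivers discard all)"}
    tags = parse_dmarc(records[0])
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return {"valid": False, "policy": None, "reason": "record does not start with v=DMARC1"}
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "policy": None, "reason": "missing or unknown p= tag"}
    return {
        "valid": True,
        "policy": policy,
        "enforcing": policy != "none",          # only quarantine/reject affect delivery
        "pct": int(tags.get("pct", "100")),     # share of failing mail the policy applies to
        "reporting": "rua" in tags,             # aggregate reports show the owner who is spoofing them
        "reason": None,
    }


def survey(records_by_domain: Dict[str, List[str]]) -> dict:
    """Aggregate the per-domain results into a 'how many have valid DMARC' headline."""
    results = {d: assess(r) for d, r in records_by_domain.items()}
    return {
        "results": results,
        "valid": sum(r["valid"] for r in results.values()),
        "enforcing": sum(1 for r in results.values() if r["valid"] and r["enforcing"]),
    }
```

To run this against live domains, fetch the TXT records at `_dmarc.<domain>` (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`, joining each record's character strings) and pass the list to `assess`. The caveat a practitioner would add: a domain that jumps to p=reject before every legitimate sender (mailing-list providers, CRM, newsletter tools) signs with aligned DKIM or is in SPF will have its own mail refused, which is why the usual path is p=none with reporting first, then quarantine, then reject.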

The Conservative Party has already caused widespread anger for doctoring footage of opposition candidates on Brexit and changing its official Twitter feed during a televised debate to pose as an official fact-checking source.

“Confidence in politics has taken a dive recently,” argued Pinto. “The Conservative’s ‘factcheckUK’ Twitter scandal hurt the party’s credibility, damaging public trust — akin to the method scammers deploy each time they impersonate emails to elicit action.”

Source: Information Security Magazine

China’s Great Cannon Fires on Hong Kong Protesters

A Chinese government-backed DDoS operation has been resurrected to disrupt pro-democracy supporters in Hong Kong, according to AT&T Cybersecurity.

The firm revealed in a new blog post yesterday that it spotted activity from the so-called “Great Cannon” starting on August 31, with the most recent DDoS attempts coming on November 25.

Specifically, it was observed trying to take offline the LIHKG website, which is used by Hong Kongers to share info and plan protests across the Special Administrative Region (SAR) of China wracked by unrest over the past few months.

The Great Cannon works by intercepting traffic from websites hosted in China and inserting malicious JavaScript in legitimate analytics scripts, thereby forcing users’ machines to covertly make requests against targeted sites.

The code not only requests the LIHKG home page repeatedly but also fetches multiple other pages and images (memes) hosted on the forum, so as to blend in with normal traffic, according to Chris Doman of AT&T Cybersecurity's AlienVault business.
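One page-level control against a script modified between the server and the browser is Subresource Integrity (SRI): the page states the expected hash of the script it embeds, and the browser refuses to run anything that does not match. The following added example, not part of AT&T Cybersecurity's analysis, computes and checks SRI hashes for a constructed analytics snippet and for a copy with an injected request loop of the kind described above; the script contents and URLs are invented for the demonstration.

```python
"""Subresource Integrity (SRI) as a check against scripts modified in transit.

Added example, not AT&T Cybersecurity's analysis code. The two scripts are
constructed stand-ins: a site's legitimate analytics snippet and the same
snippet with an injected request loop.
"""
import base64
import hashlib

ORIGINAL_SCRIPT = b"(function(){ track('pageview'); })();\n"
INJECTED_SCRIPT = ORIGINAL_SCRIPT + (
    b"setInterval(function(){ fetch('https://forum.example/', {mode:'no-cors'}); }, 200);\n"
)

# Ordered weakest to strongest; browsers only honour these three.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the value of a <script integrity=...> attribute for the given bytes."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not allow {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser's check: use the strongest listed algorithm, require a match.

    Tokens with unrecognised algorithms are ignored; if nothing usable is left the
    browser loads the script unchecked, so an attribute like "md5-..." protects nothing.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGORITHMS]
    if not tokens:
        return True
    strongest_algo = max(t.partition("-")[0] for t in tokens)  # lexical order matches strength here
    strongest_algo = max((t.partition("-")[0] for t in tokens), key=SRI_ALGORITHMS.index)
    expected = sri_hash(content, strongest_algo)
    return any(t == expected for t in tokens if t.partition("-")[0] == strongest_algo)


def script_tag(src: str, content: bytes) -> str:
    """The tag a site owner would publish for a static script whose content is known."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'
```

Two caveats limit how far this helps against the attack described here. SRI only protects a script whose embedding page arrives intact, so the page itself must be served over HTTPS or the same injector can rewrite the `integrity` attribute along with the script; and the hash pins a specific version of the file, which suits a static library but not an analytics snippet that the provider updates without notice. TLS on both the page and the script remains the primary defence; SRI closes the residual case of a compromised or substituted static resource.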

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here,” he explained.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

The tool itself first came to prominence around four years ago when it was used to target anti-censorship organization Greatfire.org. The researchers that revealed the cannon for the first time claimed it was co-located with China’s notorious Great Firewall censorship infrastructure.

Global anger spread after the Great Cannon was then turned on developer site GitHub, which at the time hosted anti-censorship tools.

Researchers warned that the same tool could very easily be repurposed to deliver malware rather than DDoS attacks.

Source: Information Security Magazine

Festive Virtual Hacker Conference Returns

A free holiday-themed cybersecurity conference set in a virtual North Pole is scheduled to take place for the second year running. 

KringleCon 2019 invites hackers and cybersecurity professionals from across the globe to hear expert speakers, watch educational demos, share tips, and test their skills in a cyber-battle. 

The conference, which will begin next week, was created by global cybersecurity training and certification provider SANS Institute.

An extensive line-up of speakers includes IBM Security’s Stephanie Carruthers, Black Hills Information Security’s John Strand, Ian Coldwater from Heroku/Salesforce, Dave Kennedy from TrustedSec, and Lesley Carhart from Dragos.

Immediately following the conference, SANS will host its annual Holiday Hack Challenge. This year’s capture-the-flag (CTF) event will include new offensive and defensive challenges featuring machine learning and a variety of other cutting-edge technologies.

The Holiday Hack Challenge offers a series of awards and valuable educational prizes, ranging from SANS OnDemand courses to NetWars Continuous subscriptions. Challenges begin at a fun level, then progressively become more difficult until they reach a level that will really test the mettle of those who participate.

“There are many unique elements to this conference, and it starts with an overarching storyline,” explains Ed Skoudis, director of SANS Cyber Ranges and Team-Based Training and creator of KringleCon.

“A nefarious villain tries to hack the conference to cause it to be cancelled. Last year, the evil hacker locked up Santa’s castle and held conference attendees inside the castle. This year’s theme will be equally thrilling. The addition of offensive and defensive machine learning challenges is especially exciting, as we believe this to be the first time that machine learning is used in a CTF event.”

Last year's KringleCon included 51 different presentations that were given on YouTube. 

Previous holiday hacking challenges laid on by SANS include the 2015 event Gnome in Your Home, which was based around the children's book Elf on the Shelf. The book tells the story of how Santa is fed information on which children are naughty and nice via a spy network of elves who watch children in their own homes. 

The challenge took the form of a quest-style video game, complete with 8-bit Christmas music, in which participants had to work out what the internet-connected gnomes were really up to. 

Source: Information Security Magazine

Jamaica to Create a National Cybersecurity Policy in 2020

Jamaica has announced plans to develop a national cybersecurity policy in 2020.

According to the Jamaica Observer, the plan to create a strategy to protect the island country's citizens from cybercrime was announced by Jamaica's minister of national security, Dr. Horace Chang, yesterday. 

Speaking at a Cybersecurity and Cybercrime Workshop for Latin America and the Caribbean at the Hilton Resort and Spa in St. James, Chang said that the government will "be seeking to ensure that the entire government service has a reliable and robust cyber-platform on which to operate and deliver quality and safe online service."

Chang added that the creation of the cyber-safe platform will be achieved through the work of agencies such as e-Gov Jamaica. 

The minister went on to describe how the National Identification System (NIDS) Bill, passed into law in November of 2017, will act to further strengthen the country's cybersecurity framework. 

Under the new law, each citizen of Jamaica will be provided with a randomized nine-digit National Identification Number (NIN), which they will have for life, and a multipurpose National Identification Card (NIC). Rollout of the system began in January 2019. 

Chang said that the National Identification System will support "the modernization of our information and communications technology (ICT) infrastructure" and pave the way for the introduction of a multilayered technology security system that will offer protection against cyber-threats.

The Jamaican government is currently in the process of finalizing a Data Protection Bill, which Chang said will play a critical role in defending the country's cybersecurity. 

"This bill will provide a much-needed framework and guidelines for securing and protecting our people's data," said Chang. "It will also strengthen, even further, Jamaica's overall cybersecurity infrastructure."

The bill requires that data collected must be accurate and should only be obtained for specific lawful purposes, with the consent of the individual. It stipulates that data gathered may not be further used or processed in any way incompatible with the original purpose and must not be held for longer than is necessary to fulfill that original purpose.

Chang also emphasized the importance of partnerships, such as the collaboration between the Jamaica Cyber-Incident Response Team (CIRT) and the Organization of American States (OAS) Inter-American Committee against Terrorism (CICTE), in protecting Jamaica's citizens.

Source: Information Security Magazine

Artificial Fingerprint Ring Could Combat Biometric Data Theft

A cybersecurity company has teamed up with a 3D accessory designer to produce a ring that could tackle the issue of what to do if your biometric data is stolen. 

The attractive and wearable piece of jewelry features a synthetic fingerprint that can be used to unlock phones, make payments, or even access a home or office. 

Unlike the actual fingerprint of a living human, which can never be replaced if lost, the artificial biometric identifier can be erased and substituted with a new version in the event of an identity theft. 

The ring represents the collaborative efforts of cybersecurity firm Kaspersky, Swedish designer Benjamin Waye, and creative agency Archetype.

“By combining the elements of art and technology, the ring makes the person wearing it stand out from the crowd as a visionary,” said the ring's designer, Waye.

“It is a different approach to how we wear jewelry. Usually, it is much more practical. Not only is it considered beautiful, but it has been designed with the aim of helping to solve a quite serious problem in today’s modern life. It helps preserve our uniqueness in a world where everything could otherwise be copied.”

In 2015, the Office of Personnel Management (OPM) hack in the United States caused 5.6 million fingerprints to be leaked. More recently, the fingerprints of over 1 million people were discovered on a publicly accessible database used by the UK Metropolitan police, defense contractors, and banks. That is in addition to multiple examples where researchers have demonstrated proof-of-concept schemes that allow human fingerprints to be stolen with the help of digital cameras and other widely available tools.

“While the ring is just one of the possible ways to tackle the current cybersecurity problems related to biometrics, this is certainly not a silver bullet,” said Marco Preuss, director of the global research and analysis team at Kaspersky, Europe. 

“A real solution will involve creating measures and technologies that would guarantee the protection of people’s unique identities. Such a solution is yet to be developed, and the current situation surrounding the safety of biometrics is not where it needs to be."

Although the ring is a proof-of-concept piece, it paves the way for further discussion on securing biometric data.

Source: Information Security Magazine

#BHEU: Consider Adversarial Thinking, Ask If the Tool Works

Delivering the opening keynote at Black Hat Europe, offensive security engineer Amanda Rousseau talked about the move from a defensive to offensive role, and how narrow that has made our thinking.

In the first part of her talk, she said that we have become too immersed in using tools, and do not look underneath them to understand how they work.

She said that security is “filled with tools” and we are told that it is best practice to use them, but we rarely understand how they work and why they work in a certain way, so we don’t trust them.

“Why are we not pushing ourselves to look beyond the surface?” she asked, saying in one instance a tool she “was forced to use was not able to perform, so I wrote my own script and my co-workers thought I was crazy.”

Rousseau said that she was tired of the “color spectrum” of cybersecurity, as we have covered black and white hats, and red and blue teams, when in reality, everyone is on the same side, and recommended using adversarial thinking for defense and everything in between. “Fundamental skills are applicable to both sides: if you can pivot, you have adversarial foundations.”

Looking at blue teaming, she said that there is an assumption that tools and functions work in the way that they are intended, but “how many things work within bounds?” On the red team side, the problem is leaving blind spots and too many people not having experience of writing detections to communicate the changes that need to be made.

She went on to call this a “lack of follow through” and there is too much of an attitude of “not my problem” and “the blue team can figure it out,” when better collaboration and follow through for remediation can help on both sides.

Asking how improvements can be made, Rousseau said that we have “dived so deep it is hard to pivot to something else” and too many people have tunnel vision on one area of focus.

“Never mind the color spectrum, we’re all in this to make everyone’s lives better,” she said.

Source: Information Security Magazine