
Archive for the News Category

Atlanta Judge Pleads Not Guilty to Improper Access of County Network

Superior Court judge Kathryn Schrader has pleaded not guilty to improperly accessing, altering, and removing data from the computer network of Gwinnett County, Georgia, located just northeast of Atlanta.  

The judge was indicted on September 18, along with convicted child molester and co-founder of Atlanta sci-fi convention DragonCon, Ed Kramer; private investigator T.J. Ward; and Frank Karic. 

The defendants are each charged with three counts of felony computer trespass, to which they all pleaded not guilty at their arraignment last Thursday. If convicted of all the charges against them, the defendants could each face a maximum of 45 years behind bars.

According to the Gwinnett Daily Post, Schrader hired private detective Ward to monitor her work computer when she became suspicious that it had been hacked by district attorney Danny Porter. 

It is alleged that Schrader gave Ward improper access to the network. Ward then brought in Karic, who was given improper access so he could install a Wireshark monitoring device on Schrader's computer to discover if it had indeed been tampered with. 

Ward then hired former computer forensic analyst Kramer, who was also given improper access so that he could keep tabs on Schrader's computer once the installation was complete. 

According to newspaper the Atlanta Journal-Constitution, Danny Porter has vehemently denied the allegation that he hacked Schrader's computer. 

The details of the alleged offence came to light during a search of Kramer's home computer by police in relation to allegations that he had photographed a young child at a Lawrenceville, Georgia, doctor's office. Police reportedly found a folder labeled with Schrader's name on Kramer's computer. 

Since searching Kramer's computer, police have charged him with possession of child pornography. 

The indictment states that between February 7 and 26, all four defendants "did knowingly use a computer network without authority and with the intent to remove network traffic, data from the computer network of Gwinnett County, contrary to the laws of said state, the good order, peace and dignity thereof." 

Schrader has been a judge on Gwinnett's highest court since 2012, but since April, while the investigation into her alleged criminal activities has been ongoing, Porter has sidelined Schrader from hearing any criminal cases prosecuted by his office. 

The Georgia Bureau of Investigation launched the investigation into Schrader and the three men accused along with her; however, the case has now been handed over to the Prosecuting Attorney's Council of Georgia, which is prosecuting the case.

The next hearing in the case is scheduled for November 7.

Source: Information Security Magazine

Thoma Bravo Buys Sophos Group for $3.8bn

A British manufacturer of cybersecurity products has been bought by American private equity firm Thoma Bravo for $3.8bn.

Thoma Bravo, which raised billions for its latest private equity fund this year, bought Imperva and another cybersecurity firm, Veracode, in late 2018. In a buyout deal announced earlier today, Thoma Bravo said that it will be adding Sophos Group to its fast-growing cybersecurity portfolio. 

Sophos manufactures antivirus and encryption products for an impressive list of customers that includes Under Armour Inc., Ford Motor Co., and Toshiba Corp.

Thoma Bravo already owns Sophos' close competitor Barracuda Networks, which made a name for itself managing data security over the cloud. 

Shares in Sophos were listed at 225 pence per share in 2015, but since then they have more than doubled to the 583 pence per share closing price recorded on Friday, October 11. 

In a statement released today, Sophos CEO Kris Hagerman said: "Sophos is actively driving the transition in next-generation cybersecurity solutions, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more. We continue to execute a highly effective and differentiated strategy, and we see this offer as a compelling validation of Sophos, its position in the industry and its progress."

Hagerman told news organization Reuters that his company was first approached by Thoma Bravo in June of this year.

"The (Sophos) board ultimately concluded that this offer and the acquisition can accelerate Sophos' progress in next-generation cybersecurity," Hagerman said.

Thoma Bravo is a leading private equity firm focused on the software- and technology-enabled services sector with more than $35bn in investor commitments. With a 40-year history, Thoma Bravo has acquired more than 200 software and technology companies representing more than $50bn of value.

In a statement released on Monday, Seth Boro, managing partner at Thoma Bravo, said: "The Acquisition fits with our strategy of investing in and growing software and technology businesses globally. 

"The global cybersecurity market is evolving rapidly, driven by significant technological innovation, as cyber threats to business increase in scope and complexity. Sophos has a market-leading product portfolio and we believe that, by applying Thoma Bravo's expertise, operational framework and experience, we can support the business and accelerate its evolution and growth."

Source: Information Security Magazine

Tactics of Supply-Chain Attack Group Exposed

Researchers have exposed the underhanded methods of a threat group responsible for unleashing a string of supply-chain attacks.

Winnti Group has been targeting the gaming industry for nearly a decade. Their preferred mode of attack is to compromise game developers, insert backdoors into a game’s build environment, and then have their malware distributed as legitimate software.

In April 2013, Kaspersky Lab reported that in 2011 Winnti had altered a video game to include a backdoor. Then, in March 2019, ESET published research proving that the threat group was responsible for compromising and adding a backdoor to two other games and a gaming platform. 

Gamers in Asia were the target in the most recent supply-chain attack, which researchers estimate affected "tens or hundreds of thousands" of people. Over half of the victims—55%—were located in Thailand. 

Following this publication, ESET continued its investigation to discover how organizations’ digital supply chains had been compromised to deliver malware in their applications. 

"Searching for a small piece of well-hidden code added to a sometimes huge, existing code base is like finding a needle in a haystack. However, we relied on behaviors and code similarity to help us spot the needle," says ESET researcher Marc-Étienne Léveillé.

The Winnti Group uses a packer in a backdoor dubbed PortReuse. In collaboration with Censys, ESET performed an internet-wide scan to try to identify one variant of the backdoor, as well as potential victims. 

Léveillé said: "Since we were intrigued by the unique packer used in the recent supply-chain attacks against the gaming industry in Asia, we went on the hunt to find out if it was used elsewhere. And it was." 

With their new research, ESET was able to warn one major mobile software and hardware manufacturer in Asia that they had been compromised with PortReuse. ESET also analyzed new variants of Shadowpad, another backdoor used by the Winnti Group, still being maintained and actively used by its operators.

Although Winnti is known principally for espionage, researchers discovered that the group was also using a botnet to mine cryptocurrencies.

Léveillé said: "Perhaps they use the virtual money they mine to finance their other operations. Maybe they use it for renting servers and registering domain names. But at this point, we cannot exclude that they, or one of their subgroups, could be motivated by financial gain."

Source: Information Security Magazine

Stolen Cloud API Key to Blame for Imperva Breach

A security breach which led to the compromise of customer data at Imperva was caused by a stolen API key for one of its Amazon Web Services (AWS) accounts, the firm has revealed.

The firm was notified of the incident, which affected a subset of its Cloud WAF customers, by a third party at the end of August.

Chief technology officer, Kunal Anand, explained in a blog post that the firm decided back in 2017 to migrate to the AWS Relational Database Service (RDS) in order to provide greater scale for its user database.

As part of this process the firm created a database snapshot for testing on September 15, 2017.

Separately, Imperva’s IT team created an internal compute instance containing an AWS administrative API key. Unfortunately, this server was left exposed and subsequently found by a hacker, who stole the all-important key and used it to access the database snapshot, exfiltrating the information in October 2018.

The stolen data included email addresses, hashed and salted passwords, API keys, and TLS keys — although Anand claimed to have found no evidence so far that it is being abused for malicious ends.

Imperva has since tightened its internal security, by ensuring new instances are created behind a VPN, unused and non-critical instances are decommissioned, and by putting monitoring and patching programs in place.

Other corrective actions taken include an increase in the frequency of infrastructure scanning, tighter access controls, and an increase in auditing of snapshot access.
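The "auditing of snapshot access" mentioned above is the control that would have surfaced the stolen key in use. The script below is an added illustration of what such an audit looks like in practice; it is not Imperva's code and is not taken from the article. It walks CloudTrail-style records for RDS snapshot API calls and flags calls made with an access key outside an approved set, calls from a source address outside a trusted network, and calls that share a snapshot with another account or make it public. The access-key allowlist, trusted address range, account ID and the sample records are all constructed assumptions for this example; the event names and the `ModifyDBSnapshotAttribute`/`restore`/`all` sharing semantics are those of the RDS API as logged by CloudTrail.

```python
"""Audit RDS snapshot access in CloudTrail-style records (added example).

The records below are constructed for this example so it runs offline; in
practice they would come from a CloudTrail log file or an Athena query.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# RDS API calls that read, copy, share, restore or delete snapshots.
# Assumption: illustrative subset, not an exhaustive list of RDS actions.
SNAPSHOT_EVENTS = {
    "DescribeDBSnapshots",
    "CopyDBSnapshot",
    "ModifyDBSnapshotAttribute",  # sharing a snapshot with another account
    "RestoreDBInstanceFromDBSnapshot",
    "DeleteDBSnapshot",
}

# Hypothetical policy: only these keys may touch snapshots, and only from the
# VPN egress range. Both values are placeholders for this example.
ALLOWED_ACCESS_KEYS = {"AKIAEXAMPLEDBAADMIN"}
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
OWN_ACCOUNT = "111122223333"  # placeholder account ID

# Constructed sample records in CloudTrail's field layout.
SAMPLE_RECORDS = [
    {"eventTime": "2018-10-02T09:14:03Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBSnapshots", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEDBAADMIN"}},
    {"eventTime": "2018-10-02T23:41:55Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CopyDBSnapshot", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLESTOLENKEY"},
     "requestParameters": {"sourceDBSnapshotIdentifier": "userdb-test-2017-09-15"}},
    {"eventTime": "2018-10-03T08:02:11Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBSnapshotAttribute", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEDBAADMIN"},
     "requestParameters": {"dBSnapshotIdentifier": "userdb-test-2017-09-15",
                           "attributeName": "restore", "valuesToAdd": ["all"]}},
    {"eventTime": "2018-10-03T23:50:40Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBSnapshots", "sourceIPAddress": "198.51.100.22",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLESTOLENKEY"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2018-10-04T10:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBInstance", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEDBAADMIN"}},
]


def _source_is_trusted(source_ip: str) -> bool:
    """True if the caller's address is inside a trusted range. Calls made by
    AWS services carry a DNS name instead of an IP; treat those as trusted."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def _shared_outside_account(record: dict, own_account: str) -> bool:
    """ModifyDBSnapshotAttribute with attribute 'restore' grants restore rights
    to the listed account IDs; the value 'all' makes the snapshot public."""
    if record.get("eventName") != "ModifyDBSnapshotAttribute":
        return False
    params = record.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return False
    return any(v != own_account for v in params.get("valuesToAdd") or [])


def audit_snapshot_access(records, own_account=OWN_ACCOUNT):
    """Return one finding per snapshot-related call that violates the policy."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "rds.amazonaws.com":
            continue
        if rec.get("eventName") not in SNAPSHOT_EVENTS:
            continue
        reasons = []
        key = (rec.get("userIdentity") or {}).get("accessKeyId", "")
        if key not in ALLOWED_ACCESS_KEYS:
            reasons.append("unapproved access key")
        if not _source_is_trusted(rec.get("sourceIPAddress", "")):
            reasons.append("source outside trusted network")
        if _shared_outside_account(rec, own_account):
            reasons.append("snapshot shared outside account")
        if reasons:
            findings.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec.get("eventName"),
                "accessKeyId": key,
                "sourceIPAddress": rec.get("sourceIPAddress"),
                "errorCode": rec.get("errorCode"),  # denied calls still matter
                "reasons": reasons,
            })
    return findings


def summarize(findings) -> Counter:
    """Count how often each policy violation occurred."""
    return Counter(r for f in findings for r in f["reasons"])


if __name__ == "__main__":
    results = audit_snapshot_access(SAMPLE_RECORDS)
    print(json.dumps(results, indent=2))
    print(dict(summarize(results)))
```

Denied calls are reported alongside successful ones on purpose: an `AccessDenied` on `DescribeDBSnapshots` from an unapproved key is the earliest sign that a key has left the environment it belongs to, which is exactly the moment a key rotation is cheapest.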

At Imperva’s request, more than 13,000 customer passwords were changed and over 13,500 SSL certificates rotated following the breach, highlighting the scale of the incident. In addition, over 1400 API keys were regenerated, according to Anand.

Source: Information Security Magazine

Scottish Teens Charged With Met Police Hack

Two Scottish teenagers have been arrested on suspicion of hacking and defacing a news platform used by London’s Metropolitan Police earlier this year.

An 18-year-old from Lossiemouth near Inverness and a 19-year-old from Glasgow were charged by Scottish police, according to the BBC.

The July attack compromised the Met’s Mynewsdesk platform and allowed the hackers to post a string of offensive and often bizarre messages to the police force’s Twitter feed, as well as emails sent to subscribers and a micro-site.

The Twitter account, which has over one million subscribers, was hijacked to post messages including: “F*** THE POLICE FREE DA GANG!!,” “what you gonna do phone the police?,” and “XEON IS THE BEST FIGHTER IN SCOTLAND.”

At the time, right-wing commentator Katie Hopkins jumped on the news to claim the police force had not only “lost control of London streets” but also "lost control of their Twitter account too.”

Shortly after, Donald Trump retweeted her comments to continue his spat with London mayor Sadiq Khan, claiming: “With the incompetent Mayor of London, you will never have safe streets.”

“Two men, aged 18 and 19, from the Lossiemouth and Glasgow areas respectively, have been arrested and charged in connection with unauthorized access and publication of content on the Metropolitan Police Service's news platform on Friday 19 July 2019,” a Police Scotland spokesperson told the British broadcaster.

“A report will be submitted to the Crown Office and Procurator Fiscal Service.”

It’s unclear how the account was remotely compromised, although the obvious culprit would be easy-to-guess or crack passwords.

At the time of the initial incident, security experts urged organizations to improve login security and for IT to communicate the implications of neglecting such processes to regular users who may be in charge of public-facing accounts.

Source: Information Security Magazine

Mississippi Shows Flagrant Disregard for Cybersecurity

An audit of Mississippi government institutions has revealed an alarming lack of compliance with standard cybersecurity practices and with the state's own enterprise security program.

A survey of 125 state agencies, boards, commissions, and universities conducted by the Office of the State Auditor (OSA) revealed that only 53 had a cybersecurity policy in place. Eleven reported having no security policy or disaster recovery plan whatsoever. 

The true number of completely unprepared government entities may well be higher, however, since 54 of the institutions surveyed didn't even bother to respond to the 59-question survey, despite the OSA being authorized to verify compliance. 

"Many state agencies are operating as if they are not required to comply with cybersecurity law, and many refused to respond to auditors' questions about their compliance," wrote state auditor Shad White in a data services division brief dated October 1, in which the research findings were revealed.

In Mississippi it's a legal requirement for state institutions to have a third party perform a security risk assessment at least once every three years. Despite this law, 22 of the government entities admitted that they hadn't conducted a security risk assessment in the last three years. 

Asked about how they stored and sent sensitive information, 38% of respondents said that they do not protect sensitive data with encryption. 

The OSA also found that just over half of the government agencies that responded to the survey were less than 75% compliant with the Mississippi Enterprise Security Program. 

White said: "State government cybersecurity is a serious issue for Mississippi taxpayers and citizens. Mississippians deserve to know their tax, income, health, or student information that resides on state government servers will not be hacked."

White called for leaders of agencies to question their IT professionals to make sure that their agency is compliant, and to "consider ways to go above and beyond to prevent cyber breaches." 

Leading by example, the Office of the State Auditor requires all its employees to go through training to spot phishing attempts and learn best practices for preventing security incidents. 

The OSA also partnered with the federal Department of Homeland Security and arranged for the DHS to perform a penetration test of the OSA's computer system to identify any vulnerabilities.

"I personally have seen screenshots of other states’ private data on the dark web, and we do not need Mississippians’ personal information leaking out in the same way. The time to act to prevent hacking is now," said White.

Source: Information Security Magazine

Most Americans Are Clueless About Private Browsing

New research has found that only a quarter of Americans know that surfing the internet in private browsing mode only prevents other users of the same computer from seeing what you've been up to online.

A survey conducted in June by the Pew Research Center asked 4,272 adults living in the United States ten digital knowledge questions. When asked to identify the correct definition of private browsing, 24% of respondents got it wrong, and 49% admitted to being unsure. 

The overall findings of the research reveal that Americans’ understanding of technology-related issues varies greatly depending on the topic, term, or concept. While 67% knew that phishing scams can occur on social media, websites, email, or text messages, only 29% were in the know about WhatsApp and Instagram being owned by social media titan Facebook. 

Researchers wrote: "Just 28% of adults can identify an example of two-factor authentication—one of the most important ways experts say people can protect their personal information on sensitive accounts."

On average, survey respondents were able to correctly answer only four out of the ten questions they were asked. What caused the most confusion was when participants were asked to identify Twitter's co-founder and CEO, Jack Dorsey, from a picture.  

Interestingly, respondents were pretty savvy when it came to the commercial side of social media, with 59% recognizing that advertising is the largest source of revenue for most social media platforms. 

Most respondents were aware of what the kind of cookie that can't be dipped in milk is all about. While 27% said they were unsure what a cookie is for, 63% knew that they allow websites to track user visits and site activity.  

How much education an individual had obtained had an impact on the results. Adults with a bachelor’s or advanced degree answered a median of six questions correctly, compared with three answered by those who had, at most, a high school diploma.

Age, too, had an effect, with 18- to 29-year-olds correctly answering five out of 10 questions on average, while those aged 65 or older typically gave just three right answers.

Source: Information Security Magazine

US Homeland Security Wants to Subpoena ISPs to Hand Over Data

The cybersecurity branch of the Department of Homeland Security has requested legal permission from Congress to demand data from internet service providers in a bid to prevent cyber-attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) has chosen National Cybersecurity Awareness Month to seek administrative subpoena authority, which will give it the power to compel ISPs to hand over information. 

Currently, when the DHS identifies cybersecurity weaknesses in the private sector, it can obtain only the IP addresses of vulnerable systems. If granted administrative subpoena authority, the DHS will have the power to require ISPs to turn over the contact details of the owners of the vulnerable systems.

The department's plan is to use this information to directly contact the owners and warn them about the vulnerabilities in their cybersecurity. 

CISA assistant director for cybersecurity and communications Jeanette Manfra said: "We can see a lot of industrial control systems or potential industrial control systems, in particular, that have potential vulnerable systems that are accessible from the public internet.

"Over many years, we have tried many methods to be able to contact these entities. The challenge is that the law actually prohibits an internet service provider from telling us who that customer might actually be."

Manfra said that while the DHS can often locate the vulnerable entity on its own with a spot of detective work, this process can take hours or even weeks, leaving the entity exposed to threat actors.

The logic of the request is easy to follow; however, it does raise some serious privacy concerns.  

"We're very aware of the concerns about overreach," said Manfra. "We have a long history of collecting similar types of data through voluntary programs and demonstrated ways of protecting that, as well to ensure that the information is used only for the purposes for which it was collected."

The proposal is currently being scrutinized by the House of Representatives and Senate Homeland Security panels. 

CISA was created in November last year with the mission to partner with both industry and government to understand and manage risks to America's critical infrastructure.

Source: Information Security Magazine

#SecTorCa: Finding a New Route to Solve Tomorrow’s Cyber-Attacks

For modern security systems to succeed, it’s important for organizations to expect that security systems will fail. By expecting failure and planning for it, it’s possible to be more resilient and deliver better security outcomes, according to Solomon Sonya, assistant professor of computer science at the United States Air Force Academy.

Sonya delivered his message during a keynote at the SecTor security conference in Toronto, Canada on October 10, where he emphasized the need for employing what is known as a Byzantine Failure approach, rather than relying on a detection-only approach for IT security attacks. The Byzantine Failure approach in computer science is all about understanding that failure is something that will happen and as such, a strategy needs to be put in place for the eventuality.

“Tomorrow’s attacks will be worse than today’s,” Sonya said. “Malware continues to increase in sophistication, prevalence and proliferation across the enterprise.”

Malware has changed over the past two decades, but the basic approach employed by many organizations has not, in Sonya’s opinion. He noted that a key challenge is the fact that many of today’s security paradigms are predicated on a false belief that detection is key to success. Sonya detailed how malware has changed from the early days of SQL Slammer in 2003 to the modern threats of ransomware and fileless attacks. A key part of malware’s evolution is how it has become increasingly sophisticated and difficult to always detect or immediately block.

“Some people will argue that attacks won’t happen tomorrow because AI will better protect us,” Sonya said. “AI is good, but it’s not sufficient.”

Rather, Sonya emphasized that what is needed is for organizations to identify the weakness in systems and networks. With the weak links identified, Sonya said it’s important to understand what should be done to actually secure the assets and data that are critical to the organization.

“So if you look at the attack surface from a Byzantine perspective, you start by taking the system that you want to protect, you draw a circle around it and you say which failures can lead to compromise,” Sonya explained.

What ‘Right’ Looks Like

Rather than relying on existing approaches and expecting to be able to detect incursions, Sonya suggested that organizations should “take the road less travelled” and instead of just buying a product, invest the time to understand and discover what can fail and lead to exploitation.

For Sonya, the ‘right’ approach also involves making use of Software Defined Network (SDN) technology, to segment networks and reduce the potential impact of a failure. While detecting threats alone isn’t a winning strategy, he emphasized that having actionable threat intelligence is a valuable component.

“Many vendors will say they have threat intelligence, but what they actually provide is just data,” he argued. “Intelligence is useful only in order to help us get some kind of action and actually make a decision based on the intelligence.”

Looking beyond just basic passwords, Sonya suggested that organizations consider new forms of secure access protection systems that can validate users based on activity as well as other attributes. Additionally, there is a need for organizations to rethink how Digital Loss Prevention (DLP) technologies are used and deployed. In his view, DLP needs to be deployed in a stack for data at rest and in motion, such that if data is lost or stolen, it can’t be used by an attacker.

To conclude, Sonya noted that security professionals need to constantly question the security paradigm, be curious and explore the possibilities that an unconventional attack might introduce into an organization.

“In our scheme of protecting machines, our initial response should not rely on detection, because if we wait until we detect, it could be too late,” Sonya said.

Source: Information Security Magazine

BAE Systems Pilots Tech to Support Child Protection Agencies

BAE Systems has announced details of a technology pilot aimed at supporting child protection agencies. The initial project, run in partnership with Gloucestershire Constabulary Police Force, seeks to improve speed and accuracy for identifying potentially vulnerable children.

BAE Systems has adapted technology normally used to protect and safeguard businesses against fraudulent activity, to quickly and accurately bring together data relating to an individual and reveal the full picture of a vulnerable child’s reported issues.

As well as creating a faster, more efficient process for identifying and sharing key indicators of potentially harmful situations, it also allowed child protection practitioners to delve into more incidents, in more detail, and implement urgent care plans where needed. The successful pilot achieved results 10 times faster than under existing processes, solving the challenge of sharing data, linking it together, analysing it and identifying what further investigation is required.

Ravi Gogna, principal consultant at BAE Systems Applied Intelligence, said: “After the tragic case of Baby P, we identified the need to overcome the data problem and adapted our existing technology and data science techniques, which helps banks and insurers tackle fraud, to amalgamate key historic pieces of data across agencies. This provided child protection officers with access to a more in-depth and comprehensive data profile of each child in the quickest possible time.”

“The challenge is that we are looking for red flag events – such as a child self-harming or coming into A&E with multiple broken bones,” she added. “We have an opportunity to help improve the way the child protection system identifies risk, by bringing together all the information about a child and quickly giving a holistic view of what is happening.”

The UK’s current system makes use of Multi-Agency Safeguarding Hubs (MASHs), which aim to provide a single point of contact for all safeguarding concerns regarding children and young people. 

However, the NSPCC currently estimates that one in 10 children in the UK has suffered some form of abuse or neglect, and the figure continues to grow. With resources continually stretched due to the ever-rising number of cases of neglect in Britain, the current manual processes are becoming strained, with the potential to miss vulnerable children.

“The pilot proves that, with increased information, we have a greater chance of intervening early and preventing catastrophic events from happening down the line,” said Kath Davis, head of the Child Protection Unit, Gloucestershire Constabulary. “To work with people from a completely different sector sheds a whole new light on things. Things that we thought were impossible, became possible.” 

Source: Information Security Magazine