Archive for the News Category

House Releases Cybersecurity Strategy Report

The House Energy and Commerce Committee released the comprehensive Cybersecurity Strategy Report, in which it identified procedures to both address and prevent cybersecurity incidents.

In the report, the committee identified six key concepts and priorities, noting, “The identification of these principles shaped the subcommittee’s approach to cybersecurity and guided subsequent work. As each of these concepts emerged, the subcommittee began exploring and analyzing possible strategies for addressing them.”

In addition to recognizing that there will always be unknowns and that it’s impossible to protect what you don’t know you have, the committee also realized that software is no longer written but assembled. As a result, there must be a common cybersecurity language, which was the fourth concept. The remaining two concepts stated, “Digital assets age faster and less predictably than physical ones. Cybersecurity takes a 'whole-of-society' approach.”

In attempting to answer the question, "If traditional IT strategies have proven ineffective, what can organizations do to better strengthen their cybersecurity capabilities?", the committee built on these six concepts to outline six priorities:

  • Priority 1: The widespread adoption of coordinated disclosure programs.

  • Priority 2: The implementation of software bills of materials across connected technologies.

  • Priority 3: The support and stability of the open-source software ecosystem.

  • Priority 4: The health of the Common Vulnerabilities and Exposures (CVE) program.

  • Priority 5: The implementation of supported lifetimes strategies for technologies.

  • Priority 6: The strengthening of the public–private partnership model.

“Cybersecurity has become a priority for all Americans – from government and military leaders and corporate executives to small-business owners and everyday families,” said Rep. Greg Walden of Oregon, according to KTVZ.com. “That’s why we must take steps to strengthen our ability to confront the threats facing the internet and connected technologies that we are increasingly dependent on.

"This latest report outlines a strategy that, based on the significant body of work the Energy and Commerce Committee has already completed, would elevate cybersecurity capabilities across all sectors. We’ve had real bipartisan success in pursuing several of these policies at the committee, and I look forward to working across the aisle in the upcoming session of Congress to continue this vital work.”

Source: Information Security Magazine

Privacy a Key Concern for Telecoms and Consumers

Two recently published surveys about the telecom industry revealed that privacy as it relates to security and the internet of things (IoT) has become a top concern for both businesses and consumers.

Allot Telco's security trends report for the third quarter of 2018 found that 50% of consumers polled were concerned about loss of privacy or a cyber-attack. Additionally, 72% of the consumers surveyed said they were willing to pay a monthly fee, averaging $5.26, for an IoT security service, and 16% of those who would buy security services would buy them from their internet service providers (ISPs).

More than 1,200 consumers across 10 different countries participated in the survey, which found that "to improve the security posture of homes and connected devices, the following must occur: Security at the device level must improve and security must be delivered at the network level."

Similar sentiments appeared in the recent 2018 Annual Industry Survey, published by Telecoms.com, in which 75% of the 1,500 global telecom executives who participated said that privacy was the key concern of consumers living in a highly connected smart home, followed by identity theft, fraud and vandalism through hacking into connected devices.

Further, 90% of all respondents thought consumers would be willing to pay for smart-home cybersecurity service. Nearly three-quarters (74%) thought consumers would be happy to pay up to $10 a month.

“Over half of the respondents identified four different types of security solutions – DNS blacklisting/firewalls, IP/domain blacklisting, antivirus solutions, and deep packet inspection. Service providers need security capabilities that are high performance and multilayered. They should adopt targeted measures to secure every potential vulnerability, including the data center, control plane, and applications,” the report said.

According to the report, in view of these concerns industry professionals are planning to actively deliver IoT security services. To that end, 56% of respondents saw IoT as an important driver for expanding their service portfolio and 46% saw it as a significant channel for delivering new revenues.

Source: Information Security Magazine

DanaBot Trojan Expands Beyond Banking

Banking Trojan DanaBot has reportedly resurfaced with some new tricks. According to malware analysts at ESET, the Trojan has evolved beyond banking and is now being used to send spam directly to a victim’s inbox.

Researchers found that by injecting JavaScript code into specific pages of web-based email services, the malware sends malicious email responses to actual messages in the victim’s inbox. Additionally, the decoy PDF attached to these emails contains a malicious VBS file.

“Its operators have recently been experimenting with cunning email-address-harvesting and spam-sending features, capable of misusing webmail accounts of existing victims for further malware distribution,” ESET wrote.

In large part, the attacks have been targeting victims whose emails contain the substring “pec,” found in Italy-specific “certified electronic mail” addresses, according to ESET. Roundcube, Horde and Open-Xchange, as well as mail.yahoo.com, mail.google.com, mail.one.com and outlook.live.com, are included among the list of targeted email servers.

“Previously, DanaBot focused mainly on harvesting banking credentials by a similar means to the new threat, essentially by compromising the bank’s web portal,” said Will LaSala, director, security solutions and security evangelist at OneSpan. “It would steal usernames and passwords. The new functionality seems as if they are focusing on just harvesting email addresses, from all sorts of different companies. The change in direction of DanaBot shows that what started in banking is moving beyond banking.”

Other high-profile attacks have been efforts to steal private information that can then be sold on the black market. "This private information is valuable," said LaSala, "because it helps criminals open new accounts and appear legitimate. The more private information that is stolen, the more difficult it will be for organizations to protect themselves from fraudulent accounts. Changes like those to well-known malware showcase the fact that all forms of internet communication need to be protected and companies should be vigilant in patching security holes as soon as they can."

Source: Information Security Magazine

Nearly 70% of UK Firms Hit by a Cyber-Attack in 2018

Over two-thirds of UK firms have fallen victim to a cyber-attack over the past year, with many claiming they don’t get enough guidance from the government on how to combat threats, according to RedSeal.

The security vendor polled over 500 UK IT professionals from mainly SMBs to better understand their cyber-resilience levels.

Some 68% claimed to have suffered at least one attack over the past 12 months, with 67% of these saying it had resulted in financial loss, over a third (37%) in customer attrition, and over two-fifths (43%) in damage to their corporate reputation.

Nearly a third (31%) said the government doesn’t provide enough support on cybersecurity, despite the best efforts of the National Cyber Security Centre, which was set up two years ago with that mission in mind.

It has provided detailed advice for organizations in specific critical infrastructure sectors on how to comply with the new NIS Directive, for example, as well as guidance on implementing two-factor authentication and other crucial best practices, Cyber Aware advice for small businesses, and Cyber Essentials resources to encourage firms to get accredited against the baseline security standard.

Still, the RedSeal findings seem to show security shortcomings among many organizations. A significant minority (19%) said they had no incident response plan in place while nearly two-thirds (65%) of IT pros polled said they thought senior managers should pay more attention to cybersecurity in 2019.

The former is a serious issue given that both the GDPR and NIS Directive demand organizations have an effective plan in place should they suffer a successful attack.

Part of the challenge here is corporate culture and organization: just 30% of UK firms have a board member responsible for security, according to government figures.

Security bosses could help to break down the silos between their function and the boardroom by talking not in terms of cyber risk but business risk.

The RedSeal report’s findings are somewhat at odds with the government’s own report into cyber threat levels facing firms. Released earlier this year, it revealed that just 43% of companies had suffered a breach or attack over the previous 12 months.

Source: Information Security Magazine

Europol Touts Dark Web Win After Counterfeit Crackdown

Europol is celebrating after a major crackdown on suspected online buyers of counterfeit money, which has seen hundreds detained.

The police group claimed its latest operation stemmed from an arrest of a print shop owner in Austria in June this year.

The man was found to have been making counterfeit 10, 20, and 50 euro banknotes and selling them via several dark web marketplaces.

However, he’d failed to keep key information hidden from the investigating officers, meaning they were able to identify the email addresses of the alleged buyers, who had purchased an estimated 10,000 banknotes.

A subsequent operation took place beginning November 19, with the majority of arrests made between December 3-6, according to Europol.

Nearly 300 houses were searched in 13 countries, with 235 suspects detained.

Police are also said to have seized 1,500 counterfeit notes, drugs, weapons (including guns, nunchaku, knives and blades), computers, mobile phones, Bitcoin and hardware for mining digital currency. In Germany, police even found two marijuana-growing facilities, while in France law enforcers discovered another counterfeiting print facility and a third marijuana farm.

“This joint effort highlights that complete anonymity on the internet and the darknet doesn’t exist,” said Europol deputy director of operations, Wil van Gemert.

“When you engage in illegal activity online, be prepared to have police knocking on your door sooner or later. Europol will continue to assist member states in their efforts of protecting the euro against counterfeiting, both in the real world and in the virtual one.”

The news follows an announcement last month that Europol had managed to shut down more than 33,000 websites selling counterfeit and stolen products, including pharmaceuticals, TV shows and electronics.

Police were also able to arrest 12 suspects and freeze over €1m in several bank accounts.

Despite van Gemert’s assertion, however, it is usually traditional offline police work that enables them to disrupt dark web traders. The vast majority remain at large, and the marketplaces themselves remain up and running.

Source: Information Security Magazine

DarkVishnya Attacks Target Eastern European Banks

A series of cyber-robbery attacks has been targeting financial organizations in Eastern Europe, according to new research from Kaspersky Lab.

Researchers found that the series of attacks, dubbed DarkVishnya, has affected at least eight banks in the region, with estimated losses running into the tens of millions of dollars.

Based on data collected through Kaspersky Lab’s incident response observations in 2017 and 2018, researchers noted that in each attack, bad actors managed to smuggle an unknown and attacker-controlled device into a company building and directly connect it to the company’s local network.

The attackers were reportedly using one of three types of device: a laptop, a Raspberry Pi (a credit-card-sized single-board computer) or a Bash Bunny (a tool purpose-built for automating USB attacks). According to a press release, some of these devices were equipped with a GPRS, 3G or LTE modem, which the attackers used to remotely access the financial organization’s corporate network.
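Because the devices in these attacks were physically plugged into the LAN and could phone home over their own cellular modem, the practical detection question on the defender's side is whether a newly connected device is one the organization actually knows about. The following is an added example, not code from Kaspersky Lab or from the article: it compares DHCP lease records against an asset inventory and flags anything unknown, adding a note when the MAC prefix belongs to a single-board-computer vendor. The lease-line layout (dnsmasq-style: expiry, MAC, IP, hostname, client id), the inventory and the lease data are all constructed for this example; the Raspberry Pi Foundation OUI b8:27:eb is a real registered prefix.

```python
"""Flag LAN devices that are not in the asset inventory.

Added example, not from Kaspersky Lab or the article. The inventory and the
lease file below are constructed sample data; the lease-line layout follows a
dnsmasq-style lease file (expiry, MAC, IP, hostname, client-id) and is an
assumption about the DHCP server in use.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory: MAC address -> asset description. A real deployment
# would pull this from a CMDB or NAC system instead of a literal.
KNOWN_ASSETS: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "WS-FIN-014 (finance workstation)",
    "00:1a:2b:3c:4d:5f": "PRN-FLOOR2 (printer)",
    "00:50:56:aa:bb:cc": "SRV-WEB-01 (web server)",
}

# MAC prefixes (OUIs) worth calling out on a corporate LAN. b8:27:eb is the
# registered Raspberry Pi Foundation prefix; extend per local policy.
NOTABLE_OUIS: Dict[str, str] = {
    "b8:27:eb": "Raspberry Pi Foundation",
}


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq-style lease lines; blank or malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        # MACs are normalised to lower case so inventory lookups are case-safe.
        leases.append(Lease(mac=parts[1].lower(), ip=parts[2], hostname=parts[3]))
    return leases


def classify(lease: Lease) -> Optional[str]:
    """Return a finding for a lease not covered by the inventory, else None."""
    if lease.mac in KNOWN_ASSETS:
        return None
    finding = f"{lease.ip} {lease.mac} ({lease.hostname}): not in inventory"
    vendor = NOTABLE_OUIS.get(lease.mac[:8])
    if vendor:
        finding += f"; OUI registered to {vendor}"
    return finding


def find_unknown_devices(lease_text: str) -> List[str]:
    """Run the inventory check over a lease file and return all findings."""
    return [f for f in (classify(lease) for lease in parse_leases(lease_text)) if f]


# Constructed lease file: three inventoried hosts and one unexpected device.
SAMPLE_LEASES = """\
1544120000 00:1a:2b:3c:4d:5e 10.20.1.14 ws-fin-014 01:00:1a:2b:3c:4d:5e
1544120010 00:1A:2B:3C:4D:5F 10.20.1.40 prn-floor2 *
1544120020 b8:27:eb:11:22:33 10.20.1.77 raspberrypi 01:b8:27:eb:11:22:33
1544120030 00:50:56:aa:bb:cc 10.20.1.5 srv-web-01 *
"""

if __name__ == "__main__":
    for finding in find_unknown_devices(SAMPLE_LEASES):
        print("ALERT", finding)
```

The inventory match is the primary signal; the OUI note is only a hint, since MAC addresses are trivially changed. Run against the constructed leases, the check reports the single device at 10.20.1.77. Because a device with its own cellular uplink never crosses the corporate egress, this LAN-side check (or 802.1X port authentication, which prevents the connection in the first place) is where such a device becomes visible.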

After establishing a connection, the threat actors try to gain access to the web servers so that they can steal the data they need to run remote desktop protocol (RDP) on a selected computer. If successful, they can then seize funds or data.

The attack was fileless and also leveraged remote execution toolkits such as Impacket, winexesvc.exe or psexec.exe. During the final stage of the attack, the criminals used remote control software to maintain control over the infected computer.
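The tools named above leave a recognizable trace on the target host even when no malware file is dropped: PsExec installs a Windows service named PSEXESVC and winexe one named winexesvc, and scripted remote-execution tools commonly register a short-lived service whose image path is a command interpreter running a single one-off command. The following added example (not code from Kaspersky Lab or the article) scans service-installation events (Windows System log Event ID 7045) for those patterns. The key="value" export layout, the field names and the log lines are constructed for the example; the command-shell heuristic is a defender's rule of thumb, not a signature taken from the report.

```python
"""Flag service installations that look like remote-execution toolkits.

Added example, not from Kaspersky Lab or the article. Log lines are
constructed; the key="value" export layout and the field names (EventID,
Host, ServiceName, ImagePath) are assumptions about the collector in use.
"""
import re
from typing import Dict, List, Optional

# Service names installed by well-known remote execution tools.
KNOWN_TOOL_SERVICES: Dict[str, str] = {
    "psexesvc": "Sysinternals PsExec",
    "winexesvc": "winexe",
}

# Heuristic: a service whose binary is a command interpreter running a single
# quiet command is typical of scripted remote execution (Impacket-style tools)
# and rare for legitimately installed services.
SHELL_LAUNCH = re.compile(r"(%COMSPEC%|cmd\.exe)\s+/Q\s+/c", re.IGNORECASE)

SERVICE_INSTALLED = "7045"  # Windows System log: "A service was installed"


def parse_event(line: str) -> Dict[str, str]:
    """Parse a Key="value" Key2="value" line into a dict (values hold no quotes)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect(line: str) -> Optional[str]:
    """Return an alert string for a suspicious service install, else None."""
    ev = parse_event(line)
    if ev.get("EventID") != SERVICE_INSTALLED:
        return None
    host = ev.get("Host", "?")
    name = ev.get("ServiceName", "")
    path = ev.get("ImagePath", "")
    tool = KNOWN_TOOL_SERVICES.get(name.lower())
    if tool:
        return f"{host}: service '{name}' matches {tool}"
    if SHELL_LAUNCH.search(path):
        return f"{host}: service '{name}' runs a one-off shell command: {path}"
    return None


def scan(log: str) -> List[str]:
    """Scan a multi-line log export and return all alerts in order."""
    return [alert for alert in map(detect, log.splitlines()) if alert]


# Constructed log export: two known tools, one shell-launching service, one
# legitimate install and one unrelated event (a service state change).
SAMPLE_LOG = """\
EventID="7045" Host="WS-FIN-014" ServiceName="PSEXESVC" ImagePath="%SystemRoot%\\PSEXESVC.exe"
EventID="7045" Host="WS-FIN-014" ServiceName="winexesvc" ImagePath="winexesvc.exe"
EventID="7045" Host="SRV-WEB-01" ServiceName="kZqX" ImagePath="%COMSPEC% /Q /c whoami > C:\\Windows\\Temp\\out.txt"
EventID="7045" Host="SRV-WEB-01" ServiceName="Backup Agent" ImagePath="C:\\Program Files\\Backup\\agent.exe"
EventID="7036" Host="SRV-WEB-01" ServiceName="Backup Agent" ImagePath=""
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT", alert)
```

On the constructed export the scan raises three alerts and stays quiet on the legitimate backup agent and on the unrelated 7036 event. Because these utilities are legitimate administration tools, the alert should be correlated with who is expected to run them and from where; on a bank workstation that never sees administrative remoting, a single hit is worth an immediate look.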

“Over the past year and a half, we’ve been observing a completely new type of attacks on banks, quite sophisticated and complex in terms of detection,” said Sergey Golovanov, security expert at Kaspersky Lab, in the press release.

“The entry point to the corporate network remained unknown for a long time, since it could be located in any office in any region. These unknown devices, smuggled in and hidden by intruders, could not be found remotely. Additionally, the threat actor used legitimate utilities, which complicated the incident response even more.”

Source: Information Security Magazine

GDPR Implementation Slow but Improving

According to the EU GDPR (General Data Protection Regulation) Implementation Review Survey conducted by IT Governance, six months after the GDPR went into effect, the majority of organizations are failing to implement the mandatory regulations.

The study included 210 responses from participating organizations ranging in size from fewer than 10 to more than 1,001 employees from across industries. Participants were asked how far along they were in achieving GDPR compliance, and only 29% said they had implemented all of the necessary changes.

Despite 59% of respondents stating that they are aware of the changes to data subject access requests (DSAR), only 29% actually have an adoption plan in place to address these changes, even though data subjects are able to file complaints that could result in fines if their DSAR is incorrectly managed.

Although respondents said they understood the ways in which the GDPR applies to their organizations, many expressed a lack of confidence in fully understanding how to implement changes. When asked whether they had completed implementation of the changes, 46.9% said yes, while 45% had only partially implemented them and 5% responded no.

One area in which organizations have focused attention is data flow audits, with 75% of respondents reporting that they have conducted these audits in some capacity. As part of a GDPR compliance project, organizations need to map their data and information flows in order to assess their privacy risks, according to an IT Governance press release.

“It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply. May 25 should have been the wakeup call, but it’s not too late to begin your compliance journey. The time is now,” commented Alan Calder, founder and executive chairman of IT Governance.

The GDPR has been in effect since May 25, 2018, and the regulations apply to all organizations that monitor the behavior of or offer goods and services to EU residents, regardless of the organization’s geographical location or where it processes data.

While there is room for improvement when it comes to implementing changes, research published by BitSight found that, despite “a steady decrease in security performance across all regions of the globe,” organizations within continental Europe “actually improved their security performance over the last year.

“Some of the areas that organizations have improved on include the implementation of stronger controls to reduce Internet exposed services (open ports). These improvements align well with the lead-up to the implementation of GDPR, and continue after the effective date.”

Source: Information Security Magazine

Researchers Take an AI Approach to Text CAPTCHAs

Researchers at Lancaster University in the UK and Northwest University and Peking University in China have found a way to get around CAPTCHA security with new artificial intelligence, according to research published in a paper titled Yet Another Text Captcha Solver: A Generative Adversarial Network Based Approach.

The research findings were presented at the ACM Conference on Computer and Communications Security (CCS) 2018 in Toronto.

“Text-based captchas are extensively used to distinguish humans from automated computer programs,” researchers wrote. “While numerous alternatives to text-based captchas have been proposed, many websites and applications still use text-based captchas as a security and authentication mechanism. These include the majority of the top-50 popular websites ranked by alexa.com as of April 2018, including Google, Microsoft, Baidu, and many others.”

Researchers asserted that their approach to an effective text CAPTCHA solver requires far fewer real CAPTCHAs but results in better performance. “We evaluate our approach by applying it to 33 captcha schemes, including 11 schemes that are currently being used by 32 of the top-50 popular websites including Microsoft, Wikipedia, eBay and Google. Our approach is the most capable attack on text captchas seen to date.”

Their approach consists of four steps, beginning with CAPTCHA synthesis, followed by preprocessing, training the base solver and fine-tuning the base solver.

“What makes some CAPTCHAs rise above these sophisticated attacks are not the CAPTCHAs or challenges themselves, but the risk assessment behind the challenge,” said Shane Martin, software consultant of customer success at NuData Security, a Mastercard company.

“If an attacker used this method to solve CAPTCHA challenges that are built on top of enhanced security solutions such as behavioral biometrics technology, the risk assessment would recognize that an automated system was completing the challenge and would then increase the challenge complexity until the challenge could not be solved. This is why it’s important to avoid CAPTCHAs as standalone products and have them as an interdiction that appears after an accurate risk assessment.”

Source: Information Security Magazine

Two-Fifths of Firms Have Suffered "BPC" Attacks

Over two-fifths of organizations have fallen victim to a so-called Business Process Compromise (BPC) attack, despite widespread ignorance from senior execs about the threat, according to Trend Micro.

The security giant polled over 1,100 IT decision makers responsible for security across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium and the Czech Republic.

It found that 43% had been impacted by a BPC: a type of highly targeted attack in which hackers look to manipulate an organization’s unique business processes to their own ends.

They typically involve an initial compromise followed by plenty of lateral movement inside the victim organization to conduct reconnaissance on security gaps and internal processes.

Perhaps the most famous case of a BPC to date was the attack on Bangladesh Bank where hackers installed multiple layers of malware into the bank’s IT systems to exploit the communications process between the bank and SWIFT. A total of $81m was lost, although the figure could have been much higher if an eagle-eyed employee had not spotted a spelling error on a transfer.

Vice president of security research, Rik Ferguson, claimed cyber-criminals are increasingly playing the long game for greater reward.

“In a BPC attack, they could be lurking in a company’s infrastructure for months or years, monitoring processes and building up a detailed picture of how it operates. From there they can insert themselves into critical processes, undetected and without human interaction,” he explained.

“For example, they might re-route valuable goods to a new address, or change printer settings to steal confidential information — as was the case in the well-known Bangladeshi Bank heist.”

The good news is that security teams are aware of the threat, with 72% claiming that BPC is a priority for their cyber strategy. However, half (50%) of management teams don’t know what a BPC attack is or how it could impact the organization, Trend Micro warned.

Source: Information Security Magazine

Aussie Surveillance Law Imperils Secure Comms

Australia has followed the UK in passing its own draconian surveillance laws which could force technology providers to engineer de facto backdoors into their end-to-end encryption products.

The opposition Labor Party stood aside at the eleventh hour to let the bill pass, on the understanding that its amendments would be passed in the new year, something the government now says it will only “consider.”

As is the norm, the government had argued that law enforcers and security services needed to be able to access specific communications to fight serious crime and protect national security.

“This ensures that our national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access the encrypted conversations of those who seek to do us harm,” attorney-general Christian Porter is reported to have said.

On the other side, experts warn that any attempt to introduce vulnerabilities into such systems would ultimately undermine security for the majority of law-abiding citizens, especially as it’s likely to be done in secret.

“This could have a devastating knock-on effect around the world. Creating a backdoor for law enforcement will never assure that no-one else will be able to access the database or files, and criminals will learn to exploit these vulnerabilities,” said ESET security expert, Jake Moore.

“If you break the fundamental way that encryption works, you risk breaking the internet and eradicating any trust and security."

According to the Electronic Frontier Foundation (EFF), the Australian Assistance and Access Act can be seen as an attempt to mimic the controversial UK Investigatory Powers Act (IPA).

“Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers, to re-engineer software and hardware under their control, so that it can be used to spy on their users,” explained EFF international director, Danny O’Brien.

“Engineers can be penalized for refusing to comply with fines and face prison; in Australia, even counseling a technologist to oppose these orders is a crime.”

The UK’s GCHQ is already looking to wield its powers to demand that messaging providers allow government snoopers to be secretly added to conversations so they can eavesdrop. The plan is described not as an encryption backdoor but as a “virtual crocodile clip”, although Edward Snowden called it "absolute madness" that would destroy trust in the privacy of online services.

Already, the UK government has warned parliament that GCHQ is evolving the way it snoops on targets under the IPA. Bulk “equipment interference” (EI) — also known as bulk hacking of devices — was originally intended to be limited to overseas “discovery” operations only: the exception rather than the rule.

However, in a letter this week, security minister, Ben Wallace, admitted that GCHQ will need to “conduct a higher proportion of ongoing overseas focused operational activity using the bulk EI regime than was originally envisaged.”

The reason, it appears, is the growing use of end-to-end encrypted communications.

“The communications environment has continued to evolve, particularly in terms of the range of hardware devices and software applications which need to be targeted,” the letter noted.

“In addition, the deployment of less traditional devices, and usage of these technologies by individuals of interest has advanced significantly.”

Source: Information Security Magazine