
Archive for the News Category

Privacy a Top Concern in 'Biometric Exit'

Despite bipartisan concerns over privacy, most airlines reportedly support the use of facial recognition, and the US Customs and Border Patrol (CBP) has implemented facial recognition at 17 international airports, including Atlanta, New York City, Boston, San Jose, Chicago and two airports in Houston, according to American Military News.

Largely controversial because of privacy concerns, the facial recognition program will reportedly be in place across the country's top 20 airports by 2020, according to documents obtained earlier this month by BuzzFeedNews.

Intended to supplant the long-standing, time-consuming process of manual paper checks, the cloud-based facial biometric matching service is touted as more secure and efficient. “CBP is solving a security challenge by adding a convenience for travelers. By partnering with airports and airlines to provide a secure stand-alone system that works quickly and reliably, which they will integrate into their boarding process, CBP does not have to rebuild everything from the ground up as we drive innovation across the travel experience,” a CBP spokesperson told American Military News.

At the forefront of the opposition is the Electronic Privacy Information Center (EPIC), which said that under the Biometric Exit program "CBP would create exit records for passengers and retain them in CBP's Advance Passenger Information System ("APIS"). CBP officers would take a photo of the passenger and match it to a photo in the flight-specific galleries in the Automated Targeting System ("ATS") consisting of compilations of photos from the Automated Biometric Identification System ("IDENT"), the Department of State's Consolidated Consular Database, and U.S. Citizen and Immigration Service's Computer Linked Adjudication Information Management System ("CLAIM 3").

"Photos of U.S. citizens could be retained until their identities were confirmed, and the photos of non-U.S. citizens could be retained for up to fifteen years in the DVS system in ATS."

While supporters point to enhanced passenger convenience through the use of biometrics, it is not only EPIC that has raised some privacy concerns. "Convenience versus privacy will be one of the biggest issues that the US will grapple with over the next few years," said Ryan Wilk, VP of customer success for NuData Security, a Mastercard company.

"For airports, sporting events and brick-and-mortar stores, facial recognition would be convenient and easy to move people through at a faster pace. Facial recognition combined with passive biometrics can provide a quick and easy way of identifying people. However, transparency of the process, how data is stored and removed and what it is being used for are all procedures that will have to be hammered out to protect people’s privacy.”

Source: Information Security Magazine

Orgs Grapple with Pros and Cons of Remote Workers

Despite the growing number of employees that work remotely, security professionals fear that remote workers pose risks to the enterprise, according to a new study published by OpenVPN.

An overwhelming majority (90%) of survey respondents said that remote workers are a security risk to the organization, according to the report Remote Work Is the Future – But Is Your Organization Ready for It? The report’s findings are based on a survey of 250 IT leaders, from the manager level through the C-suite.

Still, 92% of respondents agreed that the benefits of remote work outweigh the security risks. “For employees, it provides greater efficiency and lower stress levels: 82% of telecommuters reported less stress and 30% said it allowed them to accomplish more work in less time,” the report said. In addition, companies reportedly save an average of $11,000 per year per remote employee.

Although 93% of organizations have a remote work security policy in place and 90% offer security training for remote workers, more than a third (36%) have experienced a security incident due to a remote worker. That more than one in three organizations has suffered such an incident is somewhat alarming given that nearly 70% of employees globally now work remotely at least once a week, the report said.

Of those who have suffered a security incident, 68% experienced it within the last year, yet the survey shows that nearly a quarter of organizations (24%) haven’t updated their remote work security policy in the same time frame.

Fewer than half (49%) of IT leaders said they only somewhat agreed that remote employees adhere to the organization’s remote work policies, and the results vary with the respondent’s role. “Executives are particularly concerned about the risk remote workers pose, as nearly three-quarters (73 percent) of VP and C-suite IT leaders believe remote workers pose a greater risk than onsite employees, compared to 48 percent of IT managers and 45 percent of IT directors,” the study found.

Source: Information Security Magazine

Medtronic Flaws Could Let Hackers Control Devices

Life-saving medical devices such as pacemakers are vulnerable to attacks that could leave them under the control of a hacker, according to security alerts from both the Department of Homeland Security (DHS) and the US Food & Drug Administration (FDA).

The FDA’s March 21 security alert warned patients and caregivers who use Medtronic cardiac implantable cardioverter defibrillators (ICDs) or cardiac resynchronization therapy defibrillators (CRT-Ds), devices implanted to treat heart failure or rhythm problems, that the devices carry a critical security vulnerability because they do not use encryption, authentication or authorization.

“The FDA has confirmed that these vulnerabilities, if exploited, could allow an unauthorized individual (for example, someone other than the patient’s physician) to access and potentially manipulate an implantable device, home monitor, or clinic programmer.”

If the vulnerabilities were exploited, criminals could use radio communications to take control of the devices while they are implanted in a patient. According to Medical Advisory ICSMA-19-080-01, an attacker would need an RF device, such as a monitor, programmer or software-defined radio, that is “capable of transmitting or receiving Conexus telemetry communication…[and in] adjacent short-range access to the affected products.” The device’s RF functionality would also need to be active.

“Medical device manufacturers who aren’t engaging in real security or, in this case, even basic security practices, should probably have their FDA approvals revoked,” said HackerOne's head of IT Aaron Zander.

“Unlike a kids' toy or a car where a recall is as simple as sending something back in the mail or driving it back to the dealership, an embedded device, one literally embedded in you, isn’t meant to come out and be replaced regularly. The surgery to replace this with a ‘better’ or ‘safer’ version in itself is dangerous and comes with life-threatening repercussions. On top of that, not everyone had a choice on which type of device they would receive. People didn’t spend months hunting for the ‘perfect pacemaker with all the features,’” Zander said.

“It’s what the hospital and their doctors thought was right at the moment the patient needed it. Not every piece of hardware can be upgraded to have its software handle more secure communications, and we’re seeing the side effects. The fact that there are more stringent controls on the software that doctors use to send each other instant messages than there are on the software that goes into a pacemaker shows that the medical device field needs to advance in terms of both regulation and security. The repercussions of not acting now are deadly.”

Source: Information Security Magazine

US Government Leaks PII of 2m+ Disaster Survivors

A US government agency responsible for disaster relief has accidentally exposed the personal data of millions of disaster survivors to a third-party contractor, it has revealed.

The Federal Emergency Management Agency (FEMA) sits within the Department of Homeland Security to help US citizens before, during and after disasters.

It announced on Friday that the privacy leak affected the personally identifiable information (PII) of disaster survivors using the Transitional Sheltering Assistance program.

The agency admitted that it “provided more information than was necessary” to the contractor, potentially exposing those details to loss or theft by malicious third parties and insiders.

It claimed not to have found any evidence so far of this data being compromised.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” the statement continued.

“FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”

According to reports, 2.3 million disaster survivors were affected, including victims of hurricanes Harvey, Irma and Maria and the 2017 California wildfires.

Personal details shared with the contractor apparently included home addresses and bank account information.

The news is particularly embarrassing for the DHS, given its lead role in coordinating cybersecurity efforts across federal government departments.

The department was slammed by government inspectors back in May 2018, after they found it did not practice what it preached in terms of risk management.

Specifically, 64 systems “lacked valid authority to operate, and components did not remediate security weaknesses” in a timely manner, according to the DHS Office of Inspector General (OIG).

Source: Information Security Magazine

Most UK Retailers See Increase in Cyber-Attacks

The majority of UK retailers are seeing an increase in cyber-attacks, prompting them to spend more on security, according to the latest survey from the British Retail Consortium (BRC).

The industry body’s 2019 Retail Crime Survey covers the period from April 2017 to March 2018 and includes responses from retailers that generate a third of the market’s total revenue.

It found that almost 80% of respondents had seen an increase in cyber-attacks, with spending on cybersecurity rising by 17% since the previous annual report to reach around £162m for the industry last year.

Phishing was viewed as a high-risk cybercrime by the largest share of respondents (80%), followed by data theft (50%). Denial of service, whaling and web-based attacks were each cited by 40% to 50% of respondents.

Clare Gardiner, director of engagement at the National Cyber Security Centre (NCSC), lauded the GCHQ body’s outreach efforts, which have resulted in a jointly produced BRC Cyber Security Toolkit.

“Cyber-attacks can have a huge impact, but to help potential victims pro-actively defend themselves we have published a range of easy-to-implement guidance on our website,” she added.

“Organizations can also share threat intelligence in a confidential way through the NCSC’s online Cyber Information Sharing Partnership (CiSP), which increases awareness to dangers and reduces the impact on UK businesses.”

Retailers are a major target for cyber-criminals as they often store large volumes of customer PII and financial data, and customers can also be a lucrative target for follow-on fraud.

Some 60% of European retailers claimed to have seen an increase in fraud from 2017 to 2018, according to a report from Adyen last November.

Most recently, retailers have been forced to combat another menace: digital skimming code planted on their payment pages, designed to covertly lift card details as customers enter them.

Groups using this Magecart code have compromised hundreds of e-commerce sites, possibly more.

In the US, point-of-sale (PoS) malware is still the biggest cyber-threat for retailers as EMV migration continues to lag, according to a Trustwave 2018 report.

Source: Information Security Magazine

Virtualized Calls a Top Threat for ATO Attacks

According to the 2019 State of the Call Center Authentication report from TRUSTID, a Neustar company, one of the most exploited areas in a company’s security chain is the call center.

Companies may be investing more in their cybersecurity defenses, but fraudsters are evolving their tactics. They have discovered that by targeting call centers they can easily obtain personally identifiable information (PII), which is likely one reason the report found that call center professionals are increasingly targeted by fraudsters using social engineering in attempts to take over (ATO) customer accounts.

In fact, 51% of respondents working in the financial services industry identified the phone channel as the top threat for ATOs. Spoofed calls, cited by 32%, lagged behind virtualized calls, which 40% of respondents said they had seen more of this year.

“Virtualization (e.g., web-based calling services (Skype), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX) is the biggest threat vector to call centers today. The calls are authentic, unique and legitimate. Their signaling data and call certificates are correct and will pass by technology designed to detect spoofing attempts,” the report said.

“Virtualization frees criminals from the need to imitate specific callers’ numbers. They just have to reach an agent from a number that is legitimate but unrelated to a customer’s record.”

An overwhelming majority (72%) of call center representatives believe that if calls were authenticated before being answered, the number of ATO attacks could be reduced without impacting the customer’s experience.

“Our data also suggest that they are eager for change. 46% of call center leaders were ‘very’ or ‘somewhat’ dissatisfied with their current caller authentication method(s), a 50% increase since 2018.”

When comparing survey results year-over-year, the number of companies planning to implement multifactor authentication has doubled. “As more breached personal information enables more account takeover through the phone channel in the year ahead, we expect more call center leaders to advocate for a completely new multi-factor authentication strategy.”

Source: Information Security Magazine

New Variant of AZORult Trojan Written in C++

After analyzing several previously unknown malicious files that were detected earlier this month, Kaspersky Lab determined the files were a new version of a data stealer known as the AZORult Trojan. Because the files are written in C++, and not Delphi, researchers have dubbed the variant AZORult++.

According to researchers, this latest version is potentially more dangerous than earlier variants. In addition to amassing data – including credentials, browser history and cookies – and distributing it to command-and-control (C&C) servers, AZORult++ can also establish a remote desktop connection by creating a new user account and discreetly adding it to the administrators’ group.

According to the analysis, the data stealer is most often used against victims in Russia and India. “AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing,” wrote Alexander Eremin.

AZORult++ does not have loader functionality or support for stealing saved passwords. Though the C++ version has been deemed deficient when compared to its predecessors, it does have some of the same signatures recognized in the Delphi-based version.

“Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3,” Eremin wrote.

“Despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop,” Eremin said.

Because the variant has undergone several changes to functionality, researchers believe that this data stealer is still in development, and that we can expect to see an expansion of its functionality and attempts to widen its distribution.
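The report above notes that AZORult++ protects its C&C traffic only with a repeating 3-byte XOR key, and that the same key turns up across samples. The following is an added example, not code from Kaspersky Lab or from the malware, showing why such a scheme gives an analyst so little trouble: a repeating key reduces to three independent single-byte XORs, and each byte can be recovered by picking the value that makes its slice of the capture look most like text. The "captured" report and the key below are constructed placeholders (the article does not disclose the real key), and the scoring heuristic is a simple one of my own.

```python
# Added example, not code from Kaspersky Lab or from AZORult itself.
# Recovers a short repeating XOR key (3 bytes, as the report describes for
# AZORult++ C&C traffic) from a captured blob without knowing the key.
# The key and the "captured" report below are constructed placeholders.


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of `data` with the key byte at the same position mod len(key).
    The operation is its own inverse, so one call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plaintext_score(buf: bytes) -> int:
    """Crude 'looks like text' score: spaces and lowercase letters score high,
    other printable ASCII scores low, control and high bytes are penalised."""
    score = 0
    for b in buf:
        if b == 0x20:
            score += 4
        elif 0x61 <= b <= 0x7A:
            score += 3
        elif 0x41 <= b <= 0x5A or 0x30 <= b <= 0x39 or b in b"\n\r\t.,:;/@=-_":
            score += 1
        elif not (0x21 <= b <= 0x7E):
            score -= 10
    return score


def recover_key(ciphertext: bytes, key_len: int = 3) -> bytes:
    """For each key position, take every key_len-th byte of the ciphertext and
    choose the single-byte XOR that makes that slice look most like text."""
    key = bytearray()
    for pos in range(key_len):
        stride = ciphertext[pos::key_len]
        best_byte, best_score = 0, None
        for candidate in range(256):
            s = plaintext_score(bytes(b ^ candidate for b in stride))
            if best_score is None or s > best_score:
                best_byte, best_score = candidate, s
        key.append(best_byte)
    return bytes(key)


# Constructed sample: a fake stealer report and a placeholder key (NOT the real
# AZORult key, which the article does not disclose).
SAMPLE_REPORT = (
    b"host: lab-vm-01 user: alice browser: chromium 72 history: intranet portal, "
    b"mail, wiki, calendar cookies: three sites saved forms: two entries "
    b"clipboard: empty screenshot: taken at 12:05 notes: sample data for training"
)
PLACEHOLDER_KEY = bytes([0x4A, 0x1F, 0x9C])
CAPTURED_BLOB = xor_repeating(SAMPLE_REPORT, PLACEHOLDER_KEY)  # what a network sensor would see


def analyse_capture(blob: bytes) -> tuple:
    """Return (recovered_key, decoded_bytes) for a captured C&C payload."""
    key = recover_key(blob)
    return key, xor_repeating(blob, key)


if __name__ == "__main__":
    key, decoded = analyse_capture(CAPTURED_BLOB)
    print("recovered key:", key.hex())
    print("decoded:", decoded.decode())
```

The same routine serves as a detection aid once the key is known from one sample: because the report says the key is reused across versions, `xor_repeating` with the recovered key can be applied to other captured payloads to confirm they belong to the same family.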

Source: Information Security Magazine

Zero-Day WordPress Plugin Exploited in the Wild

A WordPress zero-day in the Easy WP SMTP plugin is actively being exploited in the wild, according to NinTechNet.

The plugin allows WordPress site owners to configure and send outgoing email through an SMTP server, which helps keep messages out of the recipient’s junk folder. By exploiting what is categorized as a critical vulnerability, attackers reportedly gained administrative access and were able to alter content on WordPress websites.

In the proof-of-concept (PoC), NinTechNet researcher Jerome Bruandet said he used “swpsmtp_import_settings to upload a file that will contain a malicious serialized payload that will enable users registration (users_can_register) and set the user default role (default_role) to 'administrator' in the database.”

With the largest market share among all content management systems (CMSs), WordPress is used by one-third of all websites, according to Web Technology Surveys (w3techs).

“Because of its sheer dominance in the CMS space along with the presence of many WordPress plugins, WordPress sites are a ripe target for cyber-criminals. In this case, the Easy WP SMTP plugin has over 300,000 active installations and despite the availability of a patch for it, there are reports that attackers continue to target sites running the vulnerable plugin,” said Satnam Narang, senior research engineer at Tenable.

“The vulnerability exists in version 1.3.9 of the plugin, so users running older versions of the plugin are not vulnerable. However, all users, especially those using 1.3.9, should update to the latest version of the plugin, 1.3.9.1, as soon as possible.”

This latest exploit also evidences the importance of vetting plugins to ensure they are up to date and executing only authorized tasks, according to Brandon Chen, digital security and operations manager of The Media Trust.

“Removing them when they’re no longer needed [is] part of protecting users from identity and financial theft. Each plugin represents at least a few attack surfaces, because the code that enables the plugin to function is coming from at least one vendor, who is likely bringing in outsourced code. Every plugin you introduce into your digital environment introduces third parties you may or may not know – and chances are, you don’t know most of them.”
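The PoC described above relied on a settings import that unserialized attacker-supplied data and, through it, flipped two WordPress options: `users_can_register` switched on and `default_role` set to `administrator`. As an added example, not code from the Easy WP SMTP plugin, NinTechNet or WordPress, here is the shape of a defensive check that a site operator or plugin reviewer could run over an import blob: a minimal parser for PHP `serialize()` output that refuses object tokens outright (so no class is ever instantiated from untrusted input), followed by an audit that flags the two option changes named in the article. The `EXPECTED_KEYS` allowlist and the three sample blobs are constructed placeholders; the option names come from the article.

```python
# Added example, not code from the Easy WP SMTP plugin, NinTechNet or WordPress.
# A defensive audit of a plugin settings import: it parses PHP-serialised data
# without ever instantiating objects, and flags the two option changes the PoC
# description names (users_can_register switched on, default_role=administrator).
# EXPECTED_KEYS and the sample blobs are hypothetical placeholders.


class UnsafeSerializedData(ValueError):
    """Raised for PHP serialisation tokens that would create objects (O:/C:)."""


def php_unserialize(data: bytes):
    """Minimal parser for PHP serialize() output: N, b, i, d, s and a (arrays).
    Object tokens are refused rather than parsed, the safe default for anything
    that arrived over the network."""
    pos = 0

    def parse():
        nonlocal pos
        tag = chr(data[pos])
        if tag == "N":                        # N;
            pos += 2
            return None
        if tag in "bid":                      # b:1;  i:42;  d:1.5;
            end = data.index(b";", pos)
            raw = data[pos + 2:end].decode()
            pos = end + 1
            return {"b": lambda r: r == "1", "i": int, "d": float}[tag](raw)
        if tag == "s":                        # s:<len>:"<bytes>";
            colon = data.index(b":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                 # skip :"
            value = data[start:start + length]
            pos = start + length + 2          # skip ";
            return value.decode("utf-8", "replace")
        if tag == "a":                        # a:<count>:{key value ...}
            colon = data.index(b":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                   # skip :{
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                          # skip }
            return result
        if tag in "OC":
            raise UnsafeSerializedData(f"refusing object token {tag!r} at offset {pos}")
        raise ValueError(f"unknown serialisation tag {tag!r} at offset {pos}")

    return parse()


# Hypothetical allowlist: the keys a mail plugin's settings export is expected to carry.
EXPECTED_KEYS = {"smtp_settings"}


def audit_settings_import(blob: bytes) -> list:
    """Return a list of findings; an empty list means the import looks benign."""
    try:
        settings = php_unserialize(blob)
    except UnsafeSerializedData as exc:
        return [str(exc)]
    if not isinstance(settings, dict):
        return ["import is not a settings array"]
    findings = []
    for key, value in settings.items():
        if key == "users_can_register" and str(value) in ("1", "True"):
            findings.append("users_can_register enabled: opens self-registration")
        elif key == "default_role" and value == "administrator":
            findings.append("default_role=administrator: new sign-ups become admins")
        elif key not in EXPECTED_KEYS:
            findings.append(f"unexpected option key {key!r}")
    return findings


# Constructed samples (not real captures): a benign export, a tampered one, and
# an object payload that the parser refuses before looking at any keys.
BENIGN_IMPORT = b'a:1:{s:13:"smtp_settings";a:1:{s:4:"host";s:16:"smtp.example.com";}}'
TAMPERED_IMPORT = (
    b'a:3:{s:13:"smtp_settings";a:1:{s:4:"host";s:16:"smtp.example.com";}'
    b's:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}'
)
OBJECT_IMPORT = b'O:8:"stdClass":0:{}'

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_IMPORT), ("tampered", TAMPERED_IMPORT), ("object", OBJECT_IMPORT)]:
        print(name, audit_settings_import(blob) or ["ok"])
```

The two design choices worth copying into a real plugin are the refusal of `O:`/`C:` tokens (PHP's own `unserialize()` can be told to do the same with its `allowed_classes` option) and the allowlist of keys an import is permitted to touch; an SMTP plugin has no business writing core options such as `default_role` at all.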

Source: Information Security Magazine

UK E-commerce Fraud Soars 27% in 2018

UK e-commerce fraud hit nearly £400m in 2018, accounting for the vast majority (78%) of all card not present (CNP) fraud and fueled by an ongoing epidemic in data breaches and social engineering, according to UK Finance.

The banking industry group’s annual roundup, Fraud the Facts 2019, claimed that £393 million of e-commerce fraud amounted to 59% of total card fraud and represented a 27% increase on 2017 figures.

“Data compromise, including through data hacks at third parties such as retailers, is a major driver of these fraud losses, with criminals using the stolen card details to make purchases online,” the report noted.

“There were several high-profile data breaches occurring in 2018, with significant brands affected, alongside a number of lower-level incidents. The data stolen from a breach can be used for months or even years after the incident. Criminals also use the publicity around data breaches as an opportunity to trick people into revealing financial information.”

UK Finance also claimed the increase came as a result of phishing emails and scam text messages as well as social media scams advertising the sale of discounted ‘goods.’

“When a customer goes to buy the product, the criminal uses their card details to purchase the item from a legitimate source and then keeps the payment from the customer,” it claimed.

CNP fraud — which includes phone and mail order as well as internet-based scams — accounted for 76% of total losses last year, versus 61% in 2009. It rose 24% from 2017 to 2018 to top £506m, with over two million cases recorded — a 47% increase on 2017.

Authorized push payment (APP) scams are also growing fast. They soared 90% in volume and 50% in value to reach £354m in losses last year, although this could be down in part to more UK Finance members reporting APP fraud.

“Criminals’ use of social engineering tactics through deception and impersonation scams is a key driver of authorized push payment scams,” the report claimed.

“Typically, this involves the criminal posing as a genuine individual or organization and contacting the victim using a range of methods including via the telephone, email and text message. Criminals also use social media to approach victims, using adverts for goods and investments which never materialize once the payment has been made.”

APP fraud also hit businesses, which accounted for nearly 36% of total losses.

Source: Information Security Magazine

Researchers Raise Privacy Alarm Over Medicine Apps

Researchers have raised serious privacy concerns over the use of medical apps in the Google Play store after noting that the majority share user data with third parties.

Published in The BMJ this week, the study led by University of Toronto researchers identified 24 top-rated “medicines related” apps on the Android marketplace in the UK, US, Canada and Australia.

They simulated real-world use of the apps in the lab via four dummy scripts.

“To identify privacy leaks, one source of user data was modified and deviations in the resulting traffic observed,” the research explained.

The paper found that 79% of the apps studied shared user data with 55 unique entities. Nearly two-thirds of these (67%) “related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.”

A further third (33%) of these unique entities provided cloud and other related IT infrastructure services.

The paper warned that the functionality these apps provide may not be enough to compensate for the privacy users lose.

“Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” it concluded.

“Privacy regulation should emphasize the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.”

Tripwire director of security research and development, Lamar Bailey, argued that data collected by health apps could also be at risk of theft by cyber-criminals.

“Although it is well known and documented that apps use customers’ data as a currency, it is particularly troubling when that data includes sensitive information such as medical records and health metrics,” he added.

“It is paramount that these apps clearly state in their registration process if they plan to divulge their customers’ information to third parties, so that subscribers are able to opt out. All too often these terms on usage are buried in the user agreement and the only way to opt out is to not use the app.”

Source: Information Security Magazine