Archive for the News Category

VFEmail Suffers Catastrophic Attack, All Data Lost

A major cyber-attack has hit email provider VFEmail in what the company is calling a "catastrophic attack," which has destroyed all data in the US, including backups.

The company issued an alert via its website and social media accounts on February 11, 2019, warning, “At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost.”

In an update, VFEmail owner Rick Romero wrote that new email was being delivered and that efforts were being made to recover what user data could be salvaged. Romero also noted that the attacker was last seen as aktv@94.155.49.9.

In one tweet, VFEmail said, “Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”

These types of attacks are rare and highly destructive. “The devastating attack on VFEmail is a strong reminder to enterprises that a single keystroke or attack can destroy thousands of workloads and take down a business," said Balaji Parimi, CEO, CloudKnox Security.

“Attacks of this magnitude – where the goal is simply to attack and destroy – are well within the power of attackers who gain access to infrastructure. Enterprises need to do a better job of mitigating the threat of over-privileged identities, and that begins with gaining an understanding of which identities have access to the types of privileges that can destroy their business and limiting those privileges to properly trained, security-conscious personnel.”

That an attacker was able to pull off this attack also raises questions about the company’s disaster recovery plans, as this attack left VFEmail and some of its customers without access to their information.

“What disaster recovery strategy was in place and why wasn't data backed up into cold storage, thus making it unavailable to attackers?” asked Fausto Oliveira, principal security architect at Acceptto. “If they had a strategy in place, they should be able to recover at least a substantial part of their customers data.”

Source: Information Security Magazine

SMBs Believe Attack Will Kill Their Company

Just under half of a surveyed set of British small to medium-sized businesses (SMBs) believe that a cyber-attack would put them out of business.

The Webroot survey of 501 IT decision makers found that 48% have suffered a cyber-attack or data breach, with more than one in seven saying it has happened more than once. The same proportion believed the incidents damaged relationships with partners, and almost a quarter (22%) admitted they are no longer a supplier as a result.

One example of a company going out of business is Code Spaces, which shut down in 2014 after an attacker who had gained access to its Amazon Web Services control panel during a DDoS extortion attempt deleted its data and most of its backups. At the time, Code Spaces said it “will not be able to operate beyond this point, the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."

In an email to Infosecurity, Ed Tucker, CISO and co-founder of Email Auth, Byte and Human Firewall, said that companies of all sizes suffer from attacks, some of which are successful, but rarely have we seen anyone actually go under from such.

“It smarts of hyperbolic fear mongering,” he said. “When assessing risk, you must consider impact and thus consequence to the business. Is there any evidence to back this claim where cyber-attacks have actually resulted in the closure of a business to the extent that this is a tangible consequence? The simple answer is no. Most businesses have it in them to recover. A clear ability to plan; to respond and recover is a must for any organization.

“Closure is a possibility, but using current evidence of successful cyber-attacks then it would be a remote, rather than likely consequence.”

Nearly two-thirds of respondents (64%) said that being smaller enables their business to react more quickly to industry or political change than larger enterprises.

Paul Barnes, senior director of product strategy at Webroot, said: “SMBs can no longer consider themselves too small to be targets. They need to use their nimble size to their advantage by quickly identifying risks and educating everyone in the business of how to mitigate those risks, because people will always be the first line of defense.

“Working with the right cybersecurity partner or managed service provider (MSP) to develop the right strategy for their size will allow smaller businesses to prioritize the activities that matter most and help them grow.”

Source: Information Security Magazine

#TEISS19: Brute Force Won’t Change People's Behaviors, You Must ‘Modify’ Their Beliefs

Speaking at The European Information Security Summit 2019 in London, Adam Anderson, CSO and founder, Hook Security, explored behavioral psychology and how IT security leaders can effect changes in behaviors to improve security buy-in from the C-suite.

Anderson said that you “can’t change [people’s] behaviors with just brute force efforts, you have to modify their beliefs to get to behavioral change.”

When it comes to beliefs about security that C-level execs typically hold, he pointed to the following:

  • “Security slows down my project”
  • “Security is going to kill my budget”
  • “Security doesn’t understand what I’m trying to do so it can’t advise me effectively, I most likely don’t need as much as they think I do”

Anderson argued that these beliefs are damaging to a company’s security efforts and the challenge for security leaders is to change them. However, he argued that the number one cybersecurity risk facing the world is the “nerd’s inability to write a business case that the CFO will fund.

“Technology is not a problem,” he added. “All of us [IT security leaders] are very, very smart and have a very solid idea of what kind of technology we need to lay down on top of various security controls or risks. What we fail at is communicating that to anyone that has the power to do something about it.”

So, to rise to that challenge, Anderson said that IT security leaders must stop overusing compliance and fear-mongering language and change their own approach to communicating to C-level execs to ultimately gain the buy-in they need.

Firstly, security leaders must understand their target by finding out who the CIO reports to.

They must also remember that they are not the “hero” or the star of the story: the business is the star and “your job is to advise it, and you do that by changing your words.” IT leaders do not “own” risk, they advise on it; they do not “enforce” compliance, they align it; and they do not “inflict” business, they enable it.

Anderson concluded by saying that by changing the damaging security beliefs of the C-suite, you will “help them avoid the horrible consequences of their decisions.”

Source: Information Security Magazine

#TEISS19: Quantifying Security Posture is Key to Mitigating Risk

“The security discussion starts with risk, but what has become very apparent at the board level is that most don’t really understand what’s in front of them.”

These were the words of Ali Neil, director international security, Verizon, speaking at The European Information Security Summit 2019 in London. Neil said that quantifying security posture is key to mitigating risk, and “we need a means of measurement” for proving that value to business leaders.

Neil presented a ‘360º Risk Visibility’ assessment of the security industry that highlighted the following:

  1. In 70% of attacks where we know the motive for the attack there is a secondary victim
  2. Traditional risk evaluation is often done through point in time engagements
  3. Supply chain audit is increasingly burdensome, diverse in method and costly
  4. Security programs must be programs of continuous improvement and their budgets and efficacy validated
  5. Risk evaluation in M&A activity is an increasing factor and workload
  6. Strategic, operational and tactical intelligence needs to be decoupled and provided to the right business user
  7. Organizations and service providers need a dynamic tool to measure the efficacy of their security strategy

He therefore suggested a framework of what is needed in order to do an effective risk measurement of where an organization sits in the market.

The first step of that framework is rating: using data from public sources on the internet, where external risk vectors are identified and evaluated to provide a risk rating.

The second is an external risk view, contextualized: the external risk vector data is augmented with incident-pattern data from Verizon's Data Breach Investigations Report (DBIR) and with dark web analytics for an enhanced external rating.

Third is an internal view from endpoint and infrastructure: a refined security posture rating based on an internal scan for malware, unwanted programs and dual-use tools across your endpoints and infrastructure.

The fourth step is a culture and process view: an in-depth, onsite assessment of the security culture, processes, policies and governance within an organization.

Lastly is a security posture rating: an aggregated rating across all levels providing a 360º view of a company’s cyber-risk posture.

Source: Information Security Magazine

AWS Issues Alert for Multiple Container Systems

AWS has disclosed a security issue in runc, the low-level container runtime used by Docker and several other open source container systems, which affects a number of AWS services including Amazon Linux and Amazon Elastic Container Service (ECS).

The vulnerability (CVE-2019-5736) was discovered by security researchers Adam Iwaniuk and Borys Poplawski and handled by runc maintainer Aleksa Sarai. It allows a malicious container, with minimal user interaction, to “overwrite the host runc binary and thus gain root-level code execution on the host.”

Also affected are Amazon EKS, Fargate, IoT Greengrass, Batch, Elastic Beanstalk, Cloud9, SageMaker, RoboMaker and the Deep Learning AMI. In its security bulletin published 11 February, AWS said that no customer action is required for services not on the list.

The vulnerability is blocked by correct use of user namespaces, where the host’s root user is not mapped into the container’s user namespace, but it is not blocked by the default AppArmor policy or by Fedora’s default SELinux policy, according to Sarai.

The vulnerability is a container breakout, a well-known class of container exploit in which code running inside a container escapes to the host, according to Praveen Jain, chief technology officer at Cavirin. “That these still occur, and will continue to occur, is all the more reason to ensure you have the people, processes and technical controls in place to identify and immediately remediate these types of vulnerabilities with a goal of securing their cyber posture.”

To exploit the flaw, Sarai said, an attacker would need the victim to start a new container from an attacker-controlled image, or to attach (for example with docker exec) to an existing container to which the attacker already had write access.

“This is the first major container vulnerability we have seen in a while and it further enforces the need for visibility of your hosts and containers both in the cloud and traditional data centers using docker and other containers,” said Dan Hubbard, chief product officer at Lacework.

“Security here starts with deep visibility into who is installing containers and what are their behaviors and, of course, timely patching.”

Source: Information Security Magazine

Data Privacy Top of Mind for 2020 Candidates

More candidates announced that they are throwing their hats into the 2020 presidential race, with one of the latest declarations coming from Sen. Amy Klobuchar, who promises to focus on data privacy regulations.

After posing the rhetorical question of what she would do as President, Klobuchar said she would protect consumer privacy.

“We need to put some digital rules of the road into law when it comes to privacy,” Klobuchar said in her announcement on 10 February, according to TwinCities.com.

“For too long the big tech companies have been telling you: ‘Don’t worry! We’ve got your back!’ while your identities in fact are being stolen and your data is mined. Our laws need to be as sophisticated as the people who are breaking them. We must revamp our nation’s cybersecurity and guarantee net neutrality.”

In addition to her promise to put forth legislation to protect consumer data from being misused by tech giants, Klobuchar also spoke of her support for net neutrality as an imperative to ensure that every household is able to be connected to the internet by 2020.

As the campaign trail gets underway, candidates can expect to be the target of malicious online activity from trolls to bots that spread misinformation, another reason why Klobuchar is driven to move data privacy regulations forward in the US.

In an interview with NPR today, Kelly Jones, news intelligence journalist at Storyful, said, “I think that the idea of automation or suspicious accounts is going to be an ongoing theme through the election. Obviously, the idea of memeing is going to be a theme because these people who are posting this content are creating these images to cause political discourse. And, in fact, one poster we saw on a fringe network claimed that they memed Trump into presidency.”

Source: Information Security Magazine

OkCupid Users Victims of Credential Stuffing

Love is in the air this week, but cyber-criminals are reportedly targeting user accounts on dating sites like OkCupid ahead of Valentine’s Day. Multiple news outlets have reported that OkCupid users say their accounts have been hacked, which the company says is likely the result of credential stuffing.

“There has been no security breach at OkCupid. All websites constantly experience account takeover attempts and there haven't been any increases in account takeovers on OkCupid. There's no story here,” a spokesperson shared in a statement.

According to the website's Help page, “Account takeovers…happen because people have accessed your login information. That can happen in a few ways. The simplest, of course, is using a password that's easy to guess. Another option is because of a breach on another site. If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach.”

Given that 2018 was a record-breaking year for the number of compromised records exposed in data breaches, it’s likely that hackers are able to purchase user credentials on the dark web; however, if a malicious actor attempts an account takeover by using stolen credentials, two-factor authentication (2FA) can stop them from gaining access. OkCupid does not use 2FA.
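The pattern the article describes, leaked username/password pairs replayed against a site, looks different in authentication logs from a brute-force attack on a single account: one source tries many distinct usernames, usually once each, and most attempts fail because the leaked password has since changed. The detector below is an added example, not OkCupid's code or anything from the original article. The log line format, the sample log and the thresholds are all constructed for the demo; it also lists the accounts that did log in successfully from a stuffing source, since those are the ones a forced reset (or 2FA) would have protected.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (one authentication attempt per line):
#   <ISO-8601 UTC timestamp> ip=<source address> user=<account> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Thresholds are assumptions for the demo, not values from any real deployment.
WINDOW = timedelta(minutes=10)  # attempts must cluster within this span
MIN_ATTEMPTS = 8                # ignore sources with fewer attempts
MIN_DISTINCT_USERS = 8          # stuffing sprays many accounts...
MAX_SUCCESS_RATE = 0.2          # ...and most leaked pairs no longer work

# Constructed sample log (not real data).
SAMPLE_LOG = (
    ["2019-02-12T09:00:00Z ip=192.0.2.10 user=alice result=ok"]
    # 203.0.113.5 replays 11 leaked pairs, one attempt per account, in ~15 s...
    + [f"2019-02-12T09:00:{5 + i:02d}Z ip=203.0.113.5 user=user{i:03d} result=fail" for i in range(11)]
    # ...and one pair still works: carol reused her breached password.
    + ["2019-02-12T09:00:20Z ip=203.0.113.5 user=carol result=ok"]
    # 198.51.100.7 hammers one account: brute force, not stuffing.
    + [f"2019-02-12T09:01:{i:02d}Z ip=198.51.100.7 user=bob result=fail" for i in range(10)]
    # 192.0.2.10 is alice herself, with one typo.
    + ["2019-02-12T09:05:00Z ip=192.0.2.10 user=alice result=fail",
       "2019-02-12T09:05:10Z ip=192.0.2.10 user=alice result=ok"]
)


def parse_line(line: str):
    """Return (timestamp, ip, user, success) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "ok"


def max_distinct_users_in_window(events, window: timedelta) -> int:
    """Largest number of distinct accounts one source tried within any `window`.

    `events` is a list of (timestamp, user) sorted by timestamp; a two-pointer
    sweep keeps the pass linear in the number of attempts.
    """
    counts = Counter()
    best = left = 0
    for ts, user in events:
        counts[user] += 1
        while ts - events[left][0] > window:
            old_user = events[left][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            left += 1
        best = max(best, len(counts))
    return best


def analyze(lines) -> dict:
    """Classify each source IP as credential_stuffing, brute_force or benign."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            per_ip[ip].append((ts, user, ok))

    report = {}
    for ip, attempts in per_ip.items():
        attempts.sort()
        users = {u for _t, u, _ok in attempts}
        successes = [u for _t, u, ok in attempts if ok]
        success_rate = len(successes) / len(attempts)
        spray = max_distinct_users_in_window([(t, u) for t, u, _ok in attempts], WINDOW)

        if len(attempts) >= MIN_ATTEMPTS and spray >= MIN_DISTINCT_USERS and success_rate <= MAX_SUCCESS_RATE:
            verdict = "credential_stuffing"
        elif len(attempts) >= MIN_ATTEMPTS and len(users) == 1:
            verdict = "brute_force"
        else:
            verdict = "benign"

        report[ip] = {
            "verdict": verdict,
            "attempts": len(attempts),
            "distinct_users": len(users),
            "successes": len(successes),
            # Accounts that logged in from a stuffing source: force a reset.
            "compromised": sorted(set(successes)) if verdict == "credential_stuffing" else [],
        }
    return report


if __name__ == "__main__":
    for ip, row in analyze(SAMPLE_LOG).items():
        print(ip, row)
```

The distinct-user count is the signal that separates stuffing from a password-guessing attack on one account, which per-account lockout already handles; a low success rate alone would also flag a user who mistypes a few times, so the two conditions are combined.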

“With so many consumer apps available, it is more important than ever for people to be extra diligent about how they manage their personal access to data since consumer-facing breaches can potentially expose the enterprise as well,” said Juliette Rizkallah, chief marketing officer at SailPoint. “More hackers are using credential stuffing techniques in which they take advantage of users who are not following password best practices so that they can breach multiple accounts, including business applications, by the same user.”

“While people can’t go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being targeted by a credential stuffing hack. Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex – the longer and more complex the password, the safer it will be. After all, protecting identity is key to the safety of your own personal data but also to the security of sensitive company data and files, too.”

Consumers are often the weakest link, which is true even when it comes to protecting their own privacy. “Passwords are frequently reused across sites and legacy endpoint protection often doesn’t pick up certain malicious tools such as keyloggers,” said Terence Jackson, chief information security officer at Thycotic.

“This highlights the need for consumers to practice better cyber hygiene, for example using a password manager, avoiding risky sites and applications and maybe even avoiding services that don’t offer MFA. It’s also likely that some of the OkCupid users were phished and willingly handed over access to their accounts as phishing attacks have gotten more sophisticated and prevalent.”

Source: Information Security Magazine

Senators Urge Security Audit of Foreign VPNs

Two US senators have called for an urgent investigation into whether foreign-owned Virtual Private Networks (VPNs) represent a risk to national security.

Ron Wyden and Marco Rubio signed a joint letter to the director of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs.

It points to the popularity of mobile data-saving and VPN apps, many of which have been downloaded millions of times by Americans despite being made by companies “in countries that do not share American interests or values.”

“Because these foreign apps transmit users’ web browsing data to servers located in or controlled by countries that have an interest in targeting US government employees, their use raises the risk that user data will be surveilled by those foreign governments,” the letter continued.

In fact, they claimed, the US has already recognized these risks, by banning federal use of Kaspersky Lab products for fear of the influence of the Kremlin, and urging that Chinese telecommunications companies be locked out of competing for major infrastructure projects in the US.

“In light of these concerns we urge you to conduct a threat assessment on the national security risks associated with the continued use by US government employees of VPNs, mobile data proxies and other similar apps that are vulnerable to foreign government surveillance,” the letter concluded.

“If you determine that these services pose a threat to US national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers.”

A study of the 30 most downloaded apps in the UK and US last year by Top10VPN found over half (59%) had links to mainland China.

“We found a few apps that explicitly stated that users’ internet activity was logged, which we have never seen anywhere else with VPNs. VPN policies usually state that they never ever log data,” explained head of research, Simon Migliano, at the time.

“We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy.”

Source: Information Security Magazine

China Gives Police New Powers to Snoop on Foreign Firms

Security experts have warned foreign firms operating in China that new laws may give the authorities more power to spy on and censor them.

The updates, issued in November last year, extend the country’s infamous 2017 Cybersecurity Law and are titled Regulations on Internet Security Supervision and Inspection by Public Security Organs.

They give the Ministry of Public Security (MPS) sweeping new powers to conduct remote penetration testing and on-site inspections of any company with five or more internet-connected computers, which covers virtually every foreign firm operating in the country today, according to Recorded Future.

The MPS is allowed to copy user information and check for vulnerabilities, if necessary using third-party “cybersecurity service agencies” to help them — which will increase the risk of vulnerability discovery and data leaks, the vendor argued.

The law also gives the MPS the authority to audit firms for prohibited content, effectively enabling it to act as censor under the auspices of cybersecurity.

“Since the scope of inspections is not limited in these new regulations, Article 16 may also empower MPS officers to access parts of the company’s enterprise not even related to or within territorial China,” the report warned. “The implications for unlimited remote inspections on the networks of international corporations could be far-reaching and create significant risk for customers and international operations.”

The MPS is also under no obligation to notify an organization when it is under inspection or of the results of that inspection.

The updates to the law come on top of wide-reaching powers granted to the Ministry of State Security (MSS) under the original Cybersecurity Law to conduct ‘national security reviews’ of various firms — the results of which it could use to conduct espionage operations.

Recorded Future urged foreign firms in China to prioritize vulnerability scanning and patch management to prevent state inspectors from “easily gaining unwanted access or escalating privileges.”

“Recorded Future recommends that all international corporations operating in China take measures to evaluate their technology footprint within the country, their evacuation and government relations policies, and their system architecture to minimize the impact of the law and effectively address the worst-case scenario if subjected to an MPS inspection,” it added.

“Altering company system architecture to keep connections between Chinese and international operations as segmented as possible is important to prevent inspections from spilling into corporate networks or databases with no connection to territorial China. Further, keeping one’s employees safe and informed of the inspections should remain a top priority for companies operating within the country.”

Source: Information Security Magazine

Australian Parliament Suffers Cyber-Hack Attempt

News has surfaced of an attempted cyber-attack on the Australian government.

As reported by the BBC, authorities in Australia are said to be investigating an effort that was made to hack into its parliament computer network.

It is believed that information was not accessed and that the passwords of politicians were reset as a precaution.

Australian Prime Minister Scott Morrison has thus far declined to comment on the incident in detail and further information on the supposed attack remains scarce, although it has been suggested by local cybersecurity experts that a foreign state was likely behind it.

Senator for Western Australia Jordon Steele-John took to Twitter to state: “Parliament House had a cybersecurity data breach last night. ALL passwords were reset.”

He added: “We’re supposed to have faith that unprecedented, internet-breaking powers will be safe from cyber-threats.”

Alvin Rodrigues, security strategist, APAC and Sam Ghebranious, senior regional director, ANZ, Forcepoint, said: “Reports emerging today that the Australian Parliament’s computer network has been hacked are deeply concerning – and yet not surprising. The government should be lauded for their efforts to quickly identify the breach and take precautionary steps to avert any leakage of data. While investigations into the attack are still underway, the precaution taken – resetting passwords – suggests that nefarious actors may be looking to steal the digital identities/credentials of approved users, so as to operate within the parliamentary computer network without being identified.”

Source: Information Security Magazine