
Archive for the News Category

New ISF Paper Attempts to Demystify AI in Information Security

In a paper released today, the Information Security Forum is urging organizations to capitalize on the opportunities offered by artificial intelligence while taking sensible steps to reduce the risks posed by this still immature technology.  

Demystifying Artificial Intelligence in Information Security defines exactly what AI is, then lays out a realistic analysis of what it can do, and will be able to do soon, for both legitimate organizations and criminals.

While detailing AI's potential to significantly improve cyber-defenses, especially around early threat detection, ISF's research recognizes that the technology carries with it the disease as well as the cure. 

Researchers wrote: "No matter the function for which an organization uses AI, such systems and the information that supports them have inherent vulnerabilities and are at risk from both accidental and adversarial threats. Compromised AI systems make poor decisions and produce unexpected outcomes.

"Simultaneously, organizations are beginning to face sophisticated AI-enabled attacks—which have the potential to compromise information and cause severe business impact at a greater speed and scale than ever before."

According to researchers, companies that have already adopted AI while it's still in its baby feathers have enjoyed benefits that include being able to counter existing threats more easily. But, as threat actors nurture their own twisted versions of the new technology to maturity, this early advantage will shrink into nothingness. 

"An arms race is developing," said ISF's managing director, Steve Durbin. "AI tools and techniques that can be used in defense are also available to malicious actors including criminals, hacktivists, and state-sponsored groups. 

"Sooner rather than later these adversaries will find ways to use AI to create completely new threats such as intelligent malware—and at that point, defensive AI will not just be a 'nice to have.' It will be a necessity."

Asked how far away the world is from intelligent malware, ISF senior research analyst Richard Absalom told Infosecurity Magazine: "Back in January 2018, in our publication Threat Horizon 2020, we predicted that intelligent malware would emerge by 2020. I don’t think that prediction is far off but can’t be sure—I wouldn’t bet my house on it! 

"What we do know is that attackers can already use AI tools to identify vulnerabilities—although human hackers are still better at exploiting them. As soon as that intelligent malware emerges, AI tools will be required to spot anomalous activity on the network and identify well-hidden malware. 

"For example, social engineering attacks that use deepfake videos and automated vishing are likely to make it impossible for human eyes and ears to identify what is real and what is fake—it may be that intelligent systems will be required to analyze all types of digital communications to establish source and authenticity."

Asked if the benefits of AI will always outweigh the risks, Absalom said: "Yes—if (big IF) the risks are managed properly. AI promises some really exciting developments for information security. The risks are not insurmountable but do require serious thought and investment to manage."

Source: Information Security Magazine

Data of 250K Users of Sex Industry Website on Sale for $300

A hacker has exploited a vulnerability on Dutch website Hookers.nl to appropriate the account details of all 250,000 users, which he is now offering for sale on the dark web.

The exposed data includes the email addresses, usernames, IP addresses, and passwords of sex workers and their clients. In a sample of the data viewed by Dutch news broadcaster NOS, the passwords were encrypted, but the email addresses—many of which included the actual names of the users—were fully legible.    

The hacker, an unknown man, expressed no guilt or regret over his actions, telling NOS: "Tens of thousands of websites are hacked every day. I'm not the devil. It's not a question of whether your website is hacked, but when."

According to NOS, while the hacker hasn't completed any sales of the data yet, it is available for purchase by any interested parties for a mere $300.

A moderator for Hookers.nl wrote: "Offering this information for sale is punishable by law, and if possible, we will take legal action. In addition, a report has been made to the Dutch data protection authority."

Hookers.nl is a popular website among sex workers and their clients, who use it to write reviews, exchange tips, and share their experiences of the sex industry. The website confirmed to NOS this morning that the breach had occurred and issued the assurance that all users would be notified.

The breach occurred as a result of a technical weakness in the vBulletin forum software, which was revealed a few weeks ago. The opportunistic hacker told NOS that he exploited the hole before the company behind the website, Midhold, plugged it with a patch on September 25. 

"It is of course not an account of your internet provider that leaked; maybe you don't want people to know that you have an account here. We are not happy with this," said Tom Lobermann, spokesperson for Midhold, which also operates Kinky.nl, Erotracks.nl, and Webcambordeel.nl.

A breach of this kind carries with it the threat of blackmail. Arda Gerkens of the Help Wanted foundation, who assists victims of sex-related abuse, said: "Membership in such a forum is certainly something someone can be extorted with. Some people are not secretive about their prostitution visit, but it is certain that when people use a nickname, they want to remain anonymous."

Hookers.nl has set up a forum page for users who want their accounts to be removed.

Source: Information Security Magazine

Verified Mark Certificate Issued to CNN

CNN has been issued a new digital certificate that uses logo verification to prove emails sent from a particular domain are genuine.

The certification of the American news channel with a Verified Mark Certificate by DigiCert, Inc. marks the first time a VMC has been issued for a domain that sends emails at scale. 

The news follows the announcement on September 4, 2019, that Entrust Datacard had become the first certification authority (CA) to issue a VMC. 

VMCs work by verifying the existence of a secure connection between a company domain and a particular sender-designated brand logo included within an email. 

The certificates are signed cryptographically with a trusted root, allowing mail applications to rely on the information the certificate contains. The organization is issued a VMC by a CA once the signature process has been completed.

Receiving their certificate has readied CNN for participation in upcoming pilots of the BIMI (Brand Indicators for Message Identification) standard, which is being developed by AuthIndicators Working Group. BIMI will allow domain owners to specify a logo that will appear in the inbox, alongside authenticated email messages sent from their domains. 

To work, BIMI requires both the email and the logo to be properly validated. The email must be authenticated through the Domain-based Message Authentication, Receiving & Conformance (DMARC) standard, with a policy of quarantine or reject; the logo itself will be validated by the VMC.
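The two prerequisites just described, modelled from a receiving mail system's side, as an added example that is not part of the article or of DigiCert's or the AuthIndicators Working Group's code. The DMARC record location and tags follow RFC 7489; the BIMI assertion record at default._bimi.<domain> with its v=, l= and a= tags is assumed from the BIMI draft, and every DNS answer below is constructed:

```python
"""Evaluate the BIMI prerequisites for a sending domain.

Added example (not DigiCert or AuthIndicators code). It parses the two DNS TXT
records involved: DMARC at _dmarc.<domain> (RFC 7489) and the BIMI assertion
record at default._bimi.<domain>, whose v=BIMI1 / l= (logo URL) / a= (authority
evidence, i.e. the VMC) tags are assumed from the BIMI draft. The DNS answers
below are constructed placeholders; a real receiver would query DNS.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed TXT records keyed by DNS name (placeholder .test domains).
DNS: Dict[str, str] = {
    "_dmarc.enforcing.test": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.test",
    "default._bimi.enforcing.test": "v=BIMI1; l=https://enforcing.test/logo.svg; "
                                    "a=https://enforcing.test/vmc.pem",
    "_dmarc.nomark.test": "v=DMARC1; p=quarantine",
    "default._bimi.nomark.test": "v=BIMI1; l=https://nomark.test/logo.svg",
    "_dmarc.monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.test",
    "default._bimi.monitor.test": "v=BIMI1; l=https://monitor.test/logo.svg",
    "_dmarc.sampled.test": "v=DMARC1; p=reject; pct=50",
    "default._bimi.sampled.test": "v=BIMI1; l=https://sampled.test/logo.svg",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class BimiDecision:
    display_logo: bool
    reason: str


def evaluate_bimi(domain: str, dns: Dict[str, str], require_vmc: bool) -> BimiDecision:
    """Return whether a BIMI-aware receiver should show the logo for `domain`.

    require_vmc models the expected future rule that the logo must be backed
    by a VMC (the a= tag); the pilots described in the article did not yet
    demand it.
    """
    dmarc_txt = dns.get(f"_dmarc.{domain}")
    if dmarc_txt is None:
        return BimiDecision(False, "no DMARC record published")
    dmarc = parse_tags(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        return BimiDecision(False, "DMARC record lacks v=DMARC1")
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        # p=none only monitors: spoofed mail is still delivered, so a logo
        # would lend false credibility to a forged message.
        return BimiDecision(False, f"DMARC policy p={policy or 'missing'} is not enforcing")
    if int(dmarc.get("pct", "100")) < 100:
        # Stricter than the article states: pct<100 applies the policy to only
        # a sample of failing mail, so this example treats it as not enforcing.
        return BimiDecision(False, f"DMARC pct={dmarc['pct']} is partial enforcement")

    bimi_txt = dns.get(f"default._bimi.{domain}")
    if bimi_txt is None:
        return BimiDecision(False, "no BIMI assertion record")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        return BimiDecision(False, "BIMI record lacks v=BIMI1")
    logo = bimi.get("l", "")
    if not logo.startswith("https://"):
        return BimiDecision(False, "BIMI l= tag must be an https URL")
    if require_vmc and not bimi.get("a"):
        return BimiDecision(False, "no VMC (a= tag) backing the logo")
    return BimiDecision(True, f"display {logo}")


if __name__ == "__main__":
    for name in ("enforcing", "nomark", "monitor", "sampled"):
        print(f"{name}.test:", evaluate_bimi(f"{name}.test", DNS, require_vmc=True))
```

Run as a script it prints one decision per constructed domain; only enforcing.test passes with the VMC requirement switched on.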

While Yahoo Mail is currently running a pilot of BIMI, Google is planning a BIMI pilot of its own in 2020.

VMCs are not currently in use in BIMI pilots, but they are expected to become a requirement because they are a scalable way to ensure that corporate logos are not used fraudulently. 

With widespread use of VMC, BIMI, and DMARC, companies will be able to amplify and protect their online presence through authenticated messages to consumers that are instantly recognizable by their known, protected brand marks.

"DigiCert is excited to work with CNN and members of the AuthIndicators Working Group to take this first step in demonstrating the feasibility and benefit of VMCs for global brands under the BIMI pilot program," said DigiCert chief of product Jeremy Rowley.

Source: Information Security Magazine

Coleen Rooney and Rebekah Vardy in Public Spat Over ‘Leaked Stories’

Reports emerged yesterday that Coleen Rooney, wife of professional footballer Wayne Rooney, publicly accused Rebekah Vardy, wife of footballer Jamie Vardy, of leaking personal information about her to tabloid newspaper The Sun. Vardy was quick to refute the claims.

In a lengthy social media post on October 9, Rooney wrote: “For a few years now someone I trusted to follow me on my personal Instagram account has been consistently informing THE SUN newspaper of my private posts and stories.”

She went on to claim that “there has been so much information given to them about me, my friends and my family – all without my permission or knowledge.”

In an attempt to find out who was responsible, Rooney explained how she blocked all users from viewing her Instagram stories, except for one person, and spent five months posting a series of false stories to see if they ended up being leaked to The Sun, which they eventually did.

“Now I know for certain which account/individual it’s come from,” Rooney continued. “I have saved and screenshotted all the original stories which clearly show just one person has viewed them. It’s………Rebekah Vardy’s account.”

In response, Vardy tweeted to deny any knowing involvement, suggesting that unaccounted-for activity on her Instagram account may have led to the leaks: “I never speak to anyone about this [personal stories and information], as various journalists who have asked me to over the years can vouch for.

“Over the years various people have had access to my insta & just this week I found I was following people I didn’t know and have never followed myself.

“If you thought this was happening you could have told me & I could have changed my passwords to see if it stopped.”

Javvad Malik, security awareness advocate at KnowBe4, said: “The incident between Rooney and Vardy is a reminder that no matter what is put on the internet, even if one believes they have applied privacy and security controls, there is a chance it will be leaked either intentionally or unintentionally. This could be through a technological issue, or through someone acting maliciously. People, and especially celebrities, should be careful of what they post online.”

Vardy, in her defense, stated that multiple people had access to her accounts, Malik added. “While this may be true, the fact is that when someone has an account, they assume responsibility for it and actions taken by it. In particular for celebrities or people associated with celebrities, such as friends, agents or PR agencies, sharing credentials can be a bad idea, and could lead to long term consequences.”

Source: Information Security Magazine

Researchers Discover Spy Platform with GSM Fingerprinting

Researchers at ESET have discovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe.

According to the analysis, the attacks were conducted using a previously unreported cyber-espionage platform, which is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Given these features, ESET researchers have named the platform Attor.

“The attackers who use Attor are focusing on diplomatic missions and governmental institutions,” said Zuzana Hromcová, ESET malware researcher. “These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy.”

ESET explained that Attor consists of a dispatcher and loadable plugins that rely on the dispatcher for implementing basic functionalities. The plugins are delivered to the compromised computer as encrypted DLLs and are only fully recovered in memory. “As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” added Hromcová.

The platform targets specific processes, including processes associated with Russian social networks and some encryption/digital signature utilities.

Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices.

Attor’s infrastructure for C&C communications spans four components – the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” explained Hromcová.

“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able – using AT commands – to steal data from that device and make changes in it, including changing the device’s firmware,” concluded Hromcová.

Source: Information Security Magazine

Survey Reveals Widespread Ignorance Over Attack That Affects Most Companies

According to a new research survey, 68% of IT security stakeholders aren't sure whether they've experienced a Pass the Hash attack, and 4% don't even know what this globally prevalent form of attack is. 

These almost fantastical findings, released today by One Identity, came from a survey of more than a thousand IT professionals conducted by Dimensional Research.

One Identity field strategist Dan Conrad told Infosecurity Magazine: "While 4% seems like a small percentage, that means nearly one in every 20 IT security professionals does not even know about a significant cyber-attack method. 

"As attacks that have such a large impact on organizations, it’s imperative that the security industry continues to emphasize the importance of understanding PtH attacks and the proper methods to combat them." 

In a PtH attack, a threat actor obtains privileged credentials by compromising an end user’s machine. The attacker then simulates an IT problem, which prompts a privileged account holder to log into an administrative system. When they do, the attacker captures their login credentials in hashed form; that hash can be extracted and replayed to access additional IT resources across the organization.
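Detection logic for the technique just described, as an added example that is not part of the article or of One Identity's research. It runs two widely published heuristics over constructed Windows Security event 4624 records; the field names are from the 4624 schema, while the account names, host names and the admin-host list are assumptions:

```python
"""Flag Pass-the-Hash indicators in Windows Security events (ID 4624).

Added example, not One Identity or Microsoft tooling. Two widely published
heuristics run over constructed event records (field names from the 4624
schema; account and host names are made up):
  * LogonType 9 (NewCredentials) through the "seclogo" logon process with
    the Negotiate package: the trace left on the compromised host when a
    stolen hash is injected into a fresh logon session.
  * LogonType 3 (Network) with the NTLM package and KeyLength 0 for a
    privileged account arriving from a host outside the admin tier, i.e.
    the tiering rule behind ESAE/Red Forest (admins sign in only from
    dedicated admin hosts) has been broken.
Both have benign matches (runas /netonly, legacy NTLM applications), so
the alerts are triage input rather than proof.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed 4624 events reduced to the fields the heuristics need.
EVENTS: List[Dict[str, str]] = [
    # Interactive console logon by a helpdesk user: expected.
    {"EventID": "4624", "TargetUserName": "hd.user", "LogonType": "2",
     "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate",
     "KeyLength": "0", "WorkstationName": "WS-101", "IpAddress": "-"},
    # Tier-0 admin using Kerberos from an admin workstation: expected.
    {"EventID": "4624", "TargetUserName": "da.smith", "LogonType": "3",
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "KeyLength": "0", "WorkstationName": "PAW-01", "IpAddress": "10.0.9.5"},
    # Hash injected into a new logon session on the helpdesk workstation.
    {"EventID": "4624", "TargetUserName": "hd.user", "LogonType": "9",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "KeyLength": "0", "WorkstationName": "WS-101", "IpAddress": "::1"},
    # Admin credential used over NTLM from the helpdesk workstation.
    {"EventID": "4624", "TargetUserName": "da.smith", "LogonType": "3",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": "0", "WorkstationName": "WS-101", "IpAddress": "10.0.1.23"},
    # Ordinary NTLM file-share access by a standard user: noisy but benign.
    {"EventID": "4624", "TargetUserName": "j.doe", "LogonType": "3",
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "KeyLength": "128", "WorkstationName": "WS-202", "IpAddress": "10.0.1.40"},
]

PRIVILEGED: Set[str] = {"da.smith"}           # assumed Tier-0 accounts
ADMIN_HOSTS: Set[str] = {"PAW-01", "PAW-02"}  # assumed dedicated admin hosts


@dataclass
class Alert:
    rule: str
    account: str
    host: str
    detail: str


def detect_pth(events: Iterable[Dict[str, str]],
               privileged: Set[str], admin_hosts: Set[str]) -> List[Alert]:
    """Return one Alert per event matching either PtH heuristic."""
    alerts: List[Alert] = []
    for e in events:
        if e.get("EventID") != "4624":
            continue
        user, host = e["TargetUserName"], e["WorkstationName"]
        if (e["LogonType"] == "9" and e["LogonProcessName"].lower() == "seclogo"
                and e["AuthenticationPackageName"] == "Negotiate"):
            alerts.append(Alert("pth-new-credentials", user, host,
                                "LogonType 9 via seclogo: alternate credentials injected"))
        if (e["LogonType"] == "3" and e["AuthenticationPackageName"] == "NTLM"
                and e["KeyLength"] == "0" and user.upper() != "ANONYMOUS LOGON"
                and user in privileged and host not in admin_hosts):
            alerts.append(Alert("pth-privileged-ntlm", user, host,
                                f"NTLM network logon from non-admin host {e['IpAddress']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_pth(EVENTS, PRIVILEGED, ADMIN_HOSTS):
        print(alert)
```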

This attack technique has been doing the rounds since the 1990s and was first reported by Paul Ashton on Bugtraq in 1997. Back then it consisted of a modified Samba SMB client that accepted user password hashes instead of cleartext passwords.

Among the survey’s most noteworthy findings is that 95% of respondents say that PtH attacks have a direct business impact on their organizations, with 70% reporting a direct impact on operational costs.

A large majority (87%) of survey respondents say they are already taking steps to prevent PtH attacks, but only 55% have implemented privileged password management. 

Microsoft issued guidance back in 2017 for companies to implement Active Directory Red Forest Design, aka Enhanced Security Administrative Environment (ESAE), to help prevent PtH attacks. The survey found that just a paltry 16% of small organizations and 31% of larger companies have followed this advice. 

Perhaps most shockingly, among the respondents that have not taken any steps at all to prevent a PtH attack, 85% have no plans to do so. 

Dan Conrad told Infosecurity Magazine: "As attacks that typically begin with a phishing email and could lead to a ransomware attack or sensitive data being accessed and stolen, the impact of a PtH attack can be widespread and severe. 

"With data breaches creating a significant time and financial burden on any organization, it’s imperative that businesses take these attacks seriously and put privileged access management strategies and protocols in place to defend themselves."

Source: Information Security Magazine

US University Offers First Ever Healthcare-Specific Cybersecurity Certification

The McCombs School of Business at the University of Texas at Austin has launched America's first professional cybersecurity certificate program specifically geared toward protecting healthcare providers from cyber-attacks. 

The Leadership in Healthcare Privacy and Security Risk Management program has been launched by the school in a bid to help close the 1.8-million-person shortfall that the 2017 Global Information Security Workforce Study predicted the global cybersecurity workforce will face in 2022.

This unique certification course sprang forth from a collaboration between the school and the cybersecurity industry, healthcare organizations, and governmental agencies. It is endorsed by the Texas Hospital Association, cyber risk management and compliance solution provider Clearwater, and CynergisTek, Inc., a cybersecurity consulting firm dedicated to serving the information assurance needs of the healthcare industry.

"This unique leadership program will rapidly equip individuals with the knowledge, leadership skills, and problem-solving competencies needed to manage risk in healthcare environments," said a statement from the McCombs School of Business. 

Cross-sector experts in healthcare privacy and security and experienced healthcare technology educators are being brought in to teach the course, which will run for eight weeks starting in July 2020. Students will learn via practical, case-based simulations and hands-on exposure to current and future healthcare cybersecurity technologies.

The course, which has been developed to meet the needs of healthcare organizations, vendors, and governmental agencies, will be built around multiple thematic modules. Modules confirmed so far include "Processes to Ensure Organizational Safety and Security" and "Policies and Governance in Healthcare Entities."

To ensure that the curriculum keeps up with the ever-evolving cybersecurity threat landscape, the program will be shaped by ongoing feedback from members of the privacy and cybersecurity industries, and in the future by program graduates as well. 

With nearly 500 US healthcare organizations having been targeted by ransomware attacks since the start of the year, the need for a training program geared toward their protection is unequivocal.

Founder and executive chairman of Clearwater, Bob Chaput, who described the new certification as a "much-needed program," said: "While there’s a massive shortage of traditional technical cybersecurity talent in all industries, healthcare has been specifically challenged as one of our nation’s last industries to undergo significant digital transformation."

Source: Information Security Magazine

Number of Girls Applying for British Cybersecurity Courses Surges

Britain's National Cyber Security Centre has reported a significant increase in the number of young women applying for cybersecurity courses.

According to new figures released yesterday, applications from girls for the NCSC's 2019 CyberFirst summer courses were up 47% compared to last year.  

Rather appropriately, the surge in female applicants for the free cybersecurity courses was announced on Ada Lovelace Day, an international celebration of women in science, technology, engineering, and math (STEM) held every year on the second Tuesday of October.

According to the figures, nearly 12,000 girls took part in the prestigious CyberFirst Girls Competition 2019. Also, the CyberFirst Defenders course, which introduces teenagers to how to build and protect small networks and personal devices, had 705 female participants. 

NCSC's cybersecurity courses, which are held at venues across the UK, have proved to be popular beyond just girls, with the center reporting a 29% rise in overall applications in 2019 compared to the year before. 

Working with training experts QA and education charity The Smallpeice Trust, the NCSC delivers a range of one-day and five-day courses for 11- to 17-year-olds each year. 

Participants are given the opportunity to encounter and explore everyday technology so they can build an understanding of how it works. They also attend lectures, learn through hands-on practical projects, and have the chance to hear presentations by guest speakers.  

Saskia, who attended the CyberFirst Futures course that took place in Cardiff, said: "I haven't had the opportunity to study computer science at school, but CyberFirst has encouraged me to consider the subject at University—I just wish the course was longer!"

As part of the NCSC's CyberFirst initiative, young people interested in studying cybersecurity at university can apply for an annual bursary of £4,000. They can also put themselves forward for three-year apprenticeships in the cybersecurity industry, which allow them to earn while they complete a recognized degree course. 

Chris Ensor, NCSC deputy director for growth, said: "We're delighted to see so many young people interested in finding out more about cybersecurity. The significant rise in female applications is especially pleasing, and something we want to see continue into the future.

"It's never been more important to increase and diversify the cybersecurity workforce and we're committed to nurturing the next generation of skilled experts and addressing the gender imbalance."

Source: Information Security Magazine

#DTXEurope: Hacking Not Always Malicious, Says ‘Samy’ MySpace Worm Creator

At Digital Transformation EXPO Europe, Samy Kamkar, the independent security researcher infamous for creating the ‘Samy’ Myspace computer worm that gained notoriety when it propagated across the social networking site in 2005, said that hacking exploits are not always malicious in nature, and are often rooted instead in inquisitiveness and a determination to push boundaries.

“There is something super-intoxicating about being able to use some sort of tool and manipulate a system across the internet without knowing anything else about it,” he explained.

It is that capability that often inspires hackers and researchers to continually evolve and develop different attack methods, and explains why threats are not only constantly changing, but are also constantly harder to defend against, Kamkar argued. “Once there is no challenge, the fun is gone [for hackers].”

Kamkar likened hacking to “solving a puzzle” and “it’s always really fun to solve a puzzle – it feels good to get to the other side.”

He said: “It’s as if somebody designed a maze; in a typical maze you can escape if you find the right path out. With computer hacking, it’s as if somebody designed a maze and then they blocked off all of the exits, but when you’re hacking, you’re still able to get to the other side.”

Source: Information Security Magazine

Twitter Admits Personal Contact Details Used by Advertising Systems

Twitter has admitted that personal contact information of users may have “inadvertently been used for advertising purposes.”

According to a statement published earlier, Twitter discovered that when users provided an email address or phone number for safety or security purposes (for example, two-factor authentication), this data may have been fed into its Tailored Audiences and Partner Audiences advertising systems.

“Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled),” it explained, while Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

The statement read: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”

It could not say “with certainty” how many people were impacted by this, but it clarified that no personal data was ever shared externally with partners, or any other third parties.

“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”

In an email to Infosecurity, Javvad Malik, security awareness advocate for KnowBe4, said that many companies have implemented two-step authentication for services via an SMS message to the user's phone, as this protects accounts against attacks such as credential stuffing, in which attackers who already hold a valid password would otherwise be able to access the account.

“However, with email address and phone numbers, advertisers are able to profile people more accurately across multiple services and target them with more accuracy,” he said. “It is unfortunate that Twitter allowed this to happen, as these details were only provided for security purposes.

“In light of this, and other similar revelations in the past, as well as the growing number of attacks such as SIM swap, which hijack users' phone numbers, companies should make the strategic decision to move away from using a phone number as a primary means of authentication, and adopt more secure alternatives for multi-factor authentication.”

Stuart Sharp, VP of solution engineering at OneLogin, said that it would be up to the lawyers to decide whether or not Twitter's misuse of personal contact details broke the letter of the law, but “it certainly broke the spirit of GDPR.”

He said: “This type of activity will likely result in users removing their phone numbers from the site, which will ultimately affect the number of people using additional factors for authentication such as text verification, which is a massive step backwards for all those working hard to push MFA as a method of increasing security online. Ultimately, everyone will lose as Twitter accounts will be more vulnerable to malicious take-over.”

Source: Information Security Magazine