
Archive for the News Category

Group FaceTime Disabled While Apple Works on Fix

A flaw in Apple’s FaceTime app allows users to spy on each other, prompting a flurry of tweets encouraging iPhone users to disable FaceTime while Apple works on a fix.

Infosecurity contacted Apple, but the company has not responded with comment. According to Apple’s system status page, FaceTime is experiencing an ongoing issue, which one Twitter user demonstrated in a live video. The vulnerability reportedly affects devices running iOS 12.1 or later; Apple’s status page lists the issue as having begun on January 28, 2019, at 10:16 pm. As a result, the Group FaceTime feature is temporarily unavailable.

Additionally, given the widespread popularity of Apple’s iPhone, New York’s governor, Andrew Cuomo, has issued a consumer alert warning the public that the vulnerability allows other users to receive audio from the device being called, even before the call is answered.

"The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk," Governor Cuomo said in the alert. "In New York, we take consumer rights very seriously and I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes. In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release the fix without delay."

To disable FaceTime, open Settings and scroll down to FaceTime. Tap the toggle to switch the app off (the toggle will no longer be green).

“This bug illustrates the privacy issues caused by surrounding ourselves with devices containing cameras and microphones. Phones, tablets, laptops, smart TVs, and smart speakers contain microphones that can be listening to you at any point,” said Amit Sethi, senior principal consultant at Synopsys.

“If the software on the devices is not malicious and doesn’t contain bugs like this, the microphones should only be on at times you expect. While security controls like permissions and app store reviews are in place, these are not perfect. The problem is that users don’t know when these devices are listening, as most modern devices don’t have an indicator like an LED that turns on whenever the camera and/or microphone is on.

“This is simply the price we pay for the convenience and features that these Internet-connected devices provide. If you need to be 100% certain that you aren’t being recorded, don’t have any Internet-connected devices with microphones or cameras around.”

Source: Information Security Magazine

UK Government Pledges Security Skills and R&D Funding

The UK government has pledged more money to address the IT security skills crisis and improve hardware and IoT security, although details on the latter are vague.

An announcement made on Data Protection Day yesterday claimed the UK plans to be a world leader in “designing out” cyber-threats by funding R&D into more secure-by-design hardware and chips.

The £70m investment will be made through the Industrial Strategy Challenge Fund and backed by further investment from industry, although there were no further details.

An additional £30m will be made available for the Ensuring the Security of Digital Technology at the Periphery program, to improve IoT security.

“We want the UK to be a safer place to live and work online. We’re moving the burden away from consumers to manufacturers, so strong cybersecurity is built into the design of products,” said digital minister, Margot James.

“This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks.”

The announcement was greeted with skepticism in some quarters.

“The announcement that the UK will become a leader in cybersecurity resulting from a small investment in research is highly unlikely, as hardware and research alone are not going to solve cybersecurity threats,” argued Joseph Carson, chief security scientist at Thycotic.

“The solution to reducing cybersecurity threats is a balance between both technology and people. If we are really going to reduce the threats then it needs to start with an investment in education along with a strong investment in technology that is simple, easy to use and does not require a highly skilled workforce to use it.”

The government also pledged £500,000 as part of the next round of the Cyber Skills Immediate Impact Fund.

The money is designed to help improve diversity and reduce skills shortfalls in the information security sector.

Projects set to receive the funding include Crucial Academy, which aims to retrain veterans, focusing on women, neurodiverse and BAME individuals. Also on the list are the QA: Cyber Software Academy for Women and BluescreenIT’s HACKED program, which helps to train candidates with special needs, from disadvantaged backgrounds, and those classed as neurodiverse.

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK, welcomed the pledge for more funding.

“With cyber-criminals becoming more creative and savvy in their approach to cyber-attacks, a cybersecurity team which lacks diversity is more likely to leave a company vulnerable to attacks,” she argued.

“Different groups of people bring a variety of ideas and ways of thinking, which means that a more diverse and inclusive cybersecurity team will be key in facilitating a broader range of ideas and perspectives about how to prevent an attack from taking place.”

Source: Information Security Magazine

US Turns Up Heat on Huawei with 23-Count Indictments

The US Department of Justice has unsealed charges against Huawei and its CFO covering separate alleged conspiracies to break sanctions on Iran and to steal trade secrets from T-Mobile USA.

The charges were widely expected, but will do nothing to warm relations between the world’s superpowers at a time of growing tension over trade and cyber-espionage.

The first, 13-count indictment charges Huawei, affiliates Huawei Device USA and Skycom, and CFO Meng Wanzhou, who is also the daughter of founder Ren Zhengfei.

She is charged with bank fraud, wire fraud, and conspiracies to commit bank and wire fraud, while Huawei and Skycom are charged with: bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud, violations of the International Emergency Economic Powers Act (IEEPA) and conspiracy to violate IEEPA, and conspiracy to commit money laundering.

Prosecutors allege that the company had been lying about its relationship with a company in Iran (Skycom) since 2007, claiming that it was not a Huawei affiliate. It’s also alleged that as part of this deception, Meng made a presentation to an executive of one of Huawei’s major banking partners repeatedly making the false claims.

It’s alleged that one bank cleared over $100m worth of Skycom-related transactions through the US between 2010 and 2014.

The lies are said to have extended to Huawei providing false information to Congress on its activities in Iran and obstructing justice last year by moving witnesses with knowledge of the affair back to China, as well as “concealing and destroying” evidence.

The second, 10-count indictment charges Huawei with a conspiracy to steal trade secrets, attempted theft of trade secrets, seven counts of wire fraud, and one count of obstruction of justice.

It relates to an attempt to steal IP from then-partner T-Mobile related to its phone-testing robot “Tappy.” Engineers are said to have violated non-disclosure agreements by taking photos of the equipment and in one case stealing a piece of the device during a tour of the T-Mobile lab.

When T-Mobile threatened to sue, Huawei is said to have produced a report falsely claiming the theft was the work of “rogue actors” inside the company.

However, the indictment alleges that this was actually a long-running, company-wide effort that began in 2012. Prosecutors claim to have an internal company announcement in which the firm offered bonuses to employees able to steal information from other companies, to be submitted via an encrypted email address.

A federal jury has already sided with T-Mobile in a 2017 civil case.

The rhetoric in the statements provided by the US side reflects the geopolitical nature of the cases.

“These charges lay bare Huawei’s alleged blatant disregard for the laws of our country and standard global business practices,” said FBI director Christopher Wray. “Companies like Huawei pose a dual threat to both our economic and national security, and the magnitude of these charges make clear just how seriously the FBI takes this threat.”

Huawei has denied the allegations.

Source: Information Security Magazine

Fileless Infection Steals Creds with Bank Trojan

A new variant of the password-stealing Ursnif bank Trojan has been found in the wild delivering fileless infections while remaining undetected, according to Cisco Talos Intelligence.

In a blog post, researchers wrote that the banking Trojan employs “fileless persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop.”

Researchers received an alert containing a malicious VBA macro in a Microsoft Word document that asked users to enable macros. Once macros are enabled, the macro executes PowerShell, and a second PowerShell command downloads the Ursnif malware.

Registry data is then created for the next stage of execution in which the command executes PowerShell using Windows Management Instrumentation Command-line (WMIC). Among the APIs imported from kernel32 were GetCurrentProcess, VirtualAllocEx, GetCurrentThreadID, QueueUserAPC, OpenThread and SleepEx, according to the blog.

Though researchers identified a list of files dropped, they also noted, “Filenames are hardcoded in the first PowerShell command executed, and vary by sample. This means that these indicators aren't necessarily malicious on their own as filenames might collide with benign ones. If found with other indicators, it's likely an Ursnif infection.”

An extensive list of malicious documents and C2 server domains was also included among the indicators of compromise.
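As an added example that is not from the Talos post or from Infosecurity, the following Python triages constructed process and registry telemetry against the behaviour chain described above (Word spawning PowerShell, a registry value holding the next PowerShell stage, WMIC launching PowerShell) rather than against per-sample filenames, which the researchers note collide with benign names. The event records and their field names are assumptions loosely modelled on Sysmon process-creation and registry-value-set events, not any vendor's schema.

```python
"""Behaviour-chain triage for the Ursnif-style infection described above:
Word spawns PowerShell, a registry value holds the next PowerShell stage, WMIC
launches PowerShell. Scoring is on co-occurring behaviours rather than on
per-sample filenames, which the researchers note collide with benign names.
Event records and field names are constructed for this example (not a vendor schema)."""

OFFICE_HOSTS = ("winword.exe", "excel.exe", "powerpnt.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry, not indicators from the Talos report; payload
# bodies are replaced by <constructed> placeholders.
EVENTS = [
    {"type": "process", "pid": 1201, "ppid": 1100,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS, "command_line": "powershell.exe -w hidden -enc <constructed>"},
    {"type": "registry", "pid": 1201,
     "target_object": r"HKCU\Software\<constructed>\Stage2",
     "details": "powershell -nop -w hidden -c <constructed>"},
    {"type": "process", "pid": 1340, "ppid": 1201, "parent_image": PS,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic process call create "powershell -w hidden <constructed>"'},
    {"type": "process", "pid": 1355, "ppid": 1340,
     "parent_image": r"C:\Windows\System32\wbem\WMIC.exe",
     "image": PS, "command_line": "powershell -w hidden <constructed>"},
    # Benign noise: an administrator opening PowerShell from Explorer.
    {"type": "process", "pid": 2001, "ppid": 1900,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_powershell(ev):
    return (ev["type"] == "process"
            and basename(ev["parent_image"]) in OFFICE_HOSTS
            and basename(ev["image"]) == "powershell.exe")


def wmic_spawns_powershell(ev):
    return (ev["type"] == "process"
            and basename(ev["parent_image"]) == "wmic.exe"
            and basename(ev["image"]) == "powershell.exe")


def registry_holds_powershell_stage(ev):
    return ev["type"] == "registry" and "powershell" in ev["details"].lower()


RULES = {
    "office_spawns_powershell": office_spawns_powershell,
    "registry_holds_powershell_stage": registry_holds_powershell_stage,
    "wmic_spawns_powershell": wmic_spawns_powershell,
}


def lineage_root(pid, parents):
    """Walk pid -> ppid to the top of the recorded tree (guarding against loops)."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def triage(events, min_rules=2):
    """Group rule hits by process-tree root. A root is flagged only when several
    distinct behaviours of the chain co-occur; a lone hit is weak evidence."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    hits = {}
    for ev in events:
        root = lineage_root(ev["pid"], parents)
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(root, set()).add(name)
    return {root: {"rules": sorted(names), "likely_chain": len(names) >= min_rules}
            for root, names in hits.items()}
```

Calling `triage(EVENTS)` flags the tree rooted at the Word process (pid 1100) with all three behaviours, while the lone Explorer-to-PowerShell launch matches no rule and is not reported.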

“This is just the latest example of how antivirus and signature-based security tools are easily bypassed by creative hackers. There are hundreds of sophisticated hacker tools readily available that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized,” said Ray DeMeo, co-founder and COO, Virsec.

“We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure."

Source: Information Security Magazine

Illinois Supreme Court Upholds Consumer Privacy Rights

In a landmark ruling in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held on January 25, 2019, that consumers can sue for violations of their privacy under the state’s biometric privacy law, a decision that will likely have broad impact and open the door for consumers to file more lawsuits, according to Justin Kay, a partner at Drinker Biddle & Reath.

The case concerned a 14-year-old boy who visited a Six Flags park on a school field trip. Before receiving his season pass and gaining access to the park, the boy was asked to scan his thumb into a biometric data capture system. In her complaint, the mother of the boy said neither she nor her son was informed of the purpose and length of term for which his fingerprint had been collected. Because neither of them had signed a release for the taking of the biometric information, the suit claimed that Six Flags was in violation of the state of Illinois’ Biometric Information Privacy Act.

“The issue for the court to decide in Rosenbach was whether the Illinois Biometric Information Privacy Act would be a 'gotcha' statute, based on the failure of businesses to use magic words when using technology that incorporates biometrics,” said Kay. “With their ruling today, it is.”

The court concluded, “We hold that the questions of law certified by the circuit court must be answered in the affirmative. Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. The judgment of the appellate court is therefore reversed, and the cause is remanded to the circuit court for further proceedings.”

As a result of the ruling, Kay predicts there will be a push for an amendment to the statute. “Efforts were made several years ago to amend the statute after the first spate of lawsuits against tech companies like Facebook related to facial recognition software, but those efforts failed. Last February, bills were again introduced in both the Illinois House and Senate to rein in the scope of the Illinois law, but they did not advance.

“Just as the Illinois statute served as a model for many of those proposals and was cited by legislators, the Supreme Court’s interpretation here is likely to have an impact on how those laws are drafted.”

Source: Information Security Magazine

Password Reuse Likely Cause of Dailymotion Attack

Complying with the General Data Protection Regulation (GDPR), video-sharing platform Dailymotion disclosed to France's Commission Nationale de l'Informatique et des Libertés (CNIL) on Friday that it suffered a credential-stuffing attack.

“The attack consists of 'guessing' the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion,” the disclosure said.

According to the disclosure, the attack was detected by the company's technical team and as of the January 25 announcement was still ongoing. Infosecurity contacted Dailymotion, and a company spokesperson said, “We consider that the attack has now stopped. We are not making further comment or discussing specific details, for obvious reasons.”

Given the rise of information-stealing malware, passwords and personally identifiable information are almost guaranteed to be exposed in increasingly sophisticated and frequent data breaches, according to Scott Clements, CEO, OneSpan.

“It’s more important than ever to secure and protect the entire digital customer journey, and the data captured within, by taking a layered approach to security. This helps capture and analyze multiple complementary authentication factors and correlational data to establish trusted identities, devices and transactions. This is how we help our global banking customers – by making it harder for cyber-criminals to capture data and commit fraud.”

Still, many consumers have yet to start using multi-factor authentication (MFA) to log into websites. Instead, they are more often than not reusing a few static passwords across multiple websites, said Michael Magrath, director, global regulations and standards, OneSpan.

“Given the vast number of password-related breaches over the past few years, the convenient yet insecure reuse of static passwords exposes individuals to the credential-stuffing attack used in this case. Consumers should always use MFA, where available, to add an additional layer of security to protect their privacy.”

Source: Information Security Magazine

Most IT Pros Share and Reuse Passwords: Report

Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according to a new study published on the EU’s Data Protection Day.

Also known as Data Privacy Day in North America, the awareness-raising event was first held 13 years ago on January 28, the date on which the Council of Europe’s data protection convention (Convention 108) was opened to signature.

However, while most of the respondents to Yubico’s study — who were IT and information security pros in the US, UK, Germany and France — said they were increasingly concerned about privacy, bad habits persist.

Some 69% admitted they had shared passwords with colleagues, and over half (51%) reuse an average of five passwords across business and personal accounts. Over half (55%) don’t use two-factor authentication at work and 67% do not use it for personal accounts.

These findings are especially concerning given that IT professionals should theoretically be leading by example in organizations and society at large by following best practices in security and privacy. They also hold the keys to privileged corporate accounts and so represent a major target for hackers.

Even more concerning is the fact that 51% of those polled said they’d suffered a phishing attack at home and 44% at work, but over half (57%) of these claimed it didn’t affect their password behavior.

Thanks to the GDPR, consumers and organizations around the world are becoming more privacy-aware. Google was recently fined €50m in France in the first major investigation by regulators, with experts predicting many more will follow for both privacy and security infractions.

Aside from the 'stick' of regulatory fines, the likes of the ICO are hoping that the 'carrot' of improved transparency, operational efficiency, competitive differentiation and security, will encourage organizations to get compliant.

A Cisco study of over 3000 global security and privacy professionals released last week claimed that only 37% of GDPR-ready companies experienced a data breach costing more than $500,000, versus 64% of the least GDPR-ready firms.

In addition, those investing in GDPR compliance experienced shorter delays due to privacy concerns in selling to existing customers: 3.4 weeks as opposed to 5.4 weeks for the least GDPR-ready organizations.

UK firms were among the leaders globally, with 69% claiming to be GDPR-ready, compared to just 42% in China and 45% in Japan.

Source: Information Security Magazine

ICO Warns UK to Prepare for Brexit "No Deal" Data Flows

The UK’s privacy regulator has warned businesses to prepare now for a potential Brexit 'no deal,' claiming they may have to put in place standard contractual clauses to ensure unhindered data flows.

With Theresa May’s government still refusing to rule out the prospect of allowing the country to exit the EU without a deal, businesses should get to planning their response, argued information commissioner, Elizabeth Denham.

Although the UK government will allow personal data to flow unhindered from the UK to European Economic Area (EEA) countries, the same will not be true of data coming into the UK, so businesses should start by mapping their data flows.

“You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’,” said Denham.

“It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists.”

Even companies transferring data to and from parent organizations in Europe will need to put in place additional measures, with standard contractual clauses mentioned several times in the blog post.

“There are many mechanisms companies can use to legitimize the transfer of personal data with the EEA and standard contractual clauses is one of those. We have produced an online tool to help organisations put contract terms in place providing the lawful basis for the data transfers. Companies that need to act would also benefit from our ‘Leaving the EU – six steps to take’ guidance for more information,” said Denham.

“You know your organization best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.”

Companies expecting an “adequacy” decision to be made on exit day to ensure unhindered data flows will also be disappointed, said Denham.

Negotiations to secure this will take “many months” and can only begin once the UK has left the EU, so alternative arrangements like standard contractual clauses will need to be put in place in the meantime.

The complexity, extra cost and effort required for firms to replace existing rules and frameworks is a microcosm of the Brexit process in general, which one former WTO boss described as being “as difficult as removing an egg from an omelette.”

Source: Information Security Magazine

Consumers Terrified After Hackers Worm into Nests

Multiple consumers have reported being terrified after hackers infiltrated the Nest cameras in their homes, with one malicious actor making claims of a North Korean missile threat, according to CBS News.

California resident Laura Lyons reported that malicious actors gained control of her Nest security camera, which belted out a terrifying emergency alert warning the family to find shelter because three missiles from North Korea were headed to the US.

Another family in South King County, Washington, reported a hacker gained access to their Nest security camera and verbally assaulted the mother and children, according to K5 News.

What consumers might not understand, though, is that it’s not vulnerabilities that are causing this. “It is the reuse of existing passwords that have already been exposed in previous attacks,” said Laurence Pitt, security strategy director, Juniper Networks.

“If people want to keep these important devices safe, they need to use strong and unique passwords at a minimum, and make the investment in a password management tool (1Password, my favorite, or LastPass, for example). This can help to create strong passwords and then stores them in a safe place so that there’s no need to try and remember them all,” Pitt said.

In a prepared statement shared with Infosecurity, Nest confirmed that there was indeed no vulnerability or breach: “These recent reports are based on customers using compromised passwords [exposed through breaches on other websites]. In nearly all cases, two-factor verification eliminates this type of security risk.

“We take security in the home extremely seriously, and we’re actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”

News of the hacks has raised questions about who is responsible for the security of in-home connected devices. “Consumers will need to rethink how much of a security risk they’re willing to take in exchange for the convenience of a connected device, appliance, or car,” said Pat Ciavolella, digital security and operations director for The Media Trust.

“The problem with consumers, as I see it, is understanding the security vs. convenience trade-off. It's a tough choice for companies to make: potentially frustrate a customer by forcing them to do a password reset or allowing the customer to have convenience at the expense of their privacy and/or security,” said Lisa Plaggemier, chief evangelist, InfoSec Institute.

“Consumers are very quick, it seems, to choose convenience. Even when consumers exhibit bad security habits that make them vulnerable (in this case, using the same password on multiple accounts), when something goes wrong, the consumer blames the device provider.

“Bottom line: If more companies would adopt the measures Google is putting in place (forcing password resets, and preventing breached credentials from being reused), I think consumers would start to accept it as 'normal' instead of an inconvenience.”
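The Dailymotion disclosure above describes credential stuffing with passwords stolen from unrelated sites, and Nest and Google are described here as rejecting compromised passwords in response. As an added example that is not Nest's, Google's or Dailymotion's code, the Python below implements such a check in the k-anonymity range-lookup style used by public breach-corpus services: the client sends only the first five hex characters of the candidate's SHA-1 and matches the returned suffixes locally. The breach corpus, its exposure counts and the function names are all constructed for this example.

```python
"""Compromised-password check of the kind the article says Nest and Google are
rolling out. Added example, not Nest's or Google's code. The client sends only
a 5-hex-character SHA-1 prefix and compares suffixes locally, so the full hash
never leaves the client. The corpus below is a constructed stand-in dataset."""
import hashlib

# Constructed leaked-password corpus with made-up exposure counts.
LEAKED = {"password": 5000, "123456": 9000, "qwerty": 3000, "letmein": 120}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-char prefix -> {35-char suffix: exposure count}.
RANGE_INDEX = {}
for _pw, _count in LEAKED.items():
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_query(prefix):
    """Server side: every 'SUFFIX:COUNT' line whose hash starts with prefix.
    The server learns only the prefix, which many unrelated passwords share."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be 5 hex characters")
    bucket = RANGE_INDEX.get(prefix.upper(), {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def breach_count(password):
    """Client side: query by prefix, then compare the remaining suffix locally."""
    digest = sha1_hex(password)
    for line in range_query(digest[:5]):
        suffix, count = line.split(":")
        if suffix == digest[5:]:
            return int(count)
    return 0


def check_new_password(password, min_length=8):
    """Policy hook for signup or reset: returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password)
    if seen:
        return False, f"rejected: appears in {seen} breach records"
    return True, "ok"
```
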

Source: Information Security Magazine

More Money, More Worries About Cyber Risk

Executives at financial services companies are increasingly concerned about risk, and as technology becomes more integral to managing finances, more of them say that cybersecurity is becoming the most important type of risk, according to a new Deloitte survey, Global Risk Management Survey, 11th Edition.

When asked which risk types would grow in importance over the next two years, 67% of financial services executives named cybersecurity, according to the report, up from 41% in 2016.

Despite identifying the increased risk from cyber, approximately half of the respondents said their companies are extremely effective or very effective at managing this risk. Broken down by category, 58% of respondents rated their organizations as effective at managing disruptive attacks, 57% for financial losses or fraud, 54% for cybersecurity risks from customers and loss of sensitive data, and 53% for destructive attacks.

When asked about managing risks from nation-state attacks, though, only 37% of financial services executives felt their institutions were effective.

Still, the study reflected a continued growth in cybersecurity risk awareness, with only 31% of respondents saying it is a challenge to "get the businesses to understand their role in cybersecurity risk," down from 47%.

The concerns are not unwarranted, particularly given the news that more than 24 million banking and financial records were left exposed. Protecting the financial services sector from increasing cybersecurity risks is one reason banks, fintech companies, data aggregators and others have joined a nonprofit established by FS-ISAC with the goal of creating and supporting a unified API standard that allows consumers and businesses to share data with greater confidence and control.

“Balancing financial innovation with the critical need for data security is one of the main reasons we created the Financial Data Exchange (FDX),” said Don Cardinal, managing director of FDX. “This is the first time the industry has come together to fund a single standard that secures financial data sharing.”

Source: Information Security Magazine