
Sharp Spike in Attacks Targeting Company Email Accounts

A new report by email and data security company Mimecast has revealed a staggering increase in the number of Business Email Compromise (BEC) cyber-attacks.

The quarterly Email Security Risk Assessment (ESRA) report, released today, found a 269% increase in the number of BEC attacks in quarter two of 2019, compared to the first quarter of the year. 

BEC attacks are sophisticated scams that typically target businesses working with foreign suppliers and businesses that regularly perform wire-transfer payments. Formerly known as Man-in-the-Email scams, these schemes compromise official business email accounts to conduct unauthorized funds transfers.

According to the FBI, there are five main types of BEC scams, all of which allow threat actors to commit email-based impersonation fraud using methods that evade many traditional email security systems.

The Bogus Invoice Scheme involves an attacker impersonating a company's supplier and requesting funds transfers to the attacker's bank account in payment of services rendered. An attacker committing CEO Fraud will pose as one of the company's most senior executives and send an email to the finance department requesting that money be transferred to an account they control.  

If the attack is an Account Compromise, an executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

A Data Theft BEC attack targets employees in the HR and finance departments to fraudulently obtain personally identifiable information (PII) or tax statements of employees and executives, which can be sold on the dark web or used for future attacks.

Finally, threat actors can launch an Attorney Impersonation BEC attack, in which they pretend to be a lawyer or someone from a law firm in order to access confidential information.

A further finding of the ESRA report is that 28,783,892 spam emails, 28,808 malware attachments, and 28,726 dangerous file types were all missed by incumbent providers and delivered to users’ inboxes.

The sharp rise in BEC attacks identified by the report echoes the findings of the State of Email Security 2019 report, which revealed that 85% of the 1,025 global respondents experienced an impersonation attack in 2018, with 73% of those victims having experienced a direct business impact, like financial, data, or customer loss.

Source: Information Security Magazine

Industry Leaders Throw Weight Behind Interoperability Alliance

An industry initiative to allow data sharing and interoperability in the cybersecurity sector has won the support of 18 vendors.

The Open Cybersecurity Alliance (OCA), created by international consortium OASIS, will unite end users and organizations in an open cybersecurity ecosystem where products can share information, insights, orchestrated responses, and analytics. 

The OCA will strive to increase the cybersecurity value of existing products and discover new security insights by supporting commonly developed code and tooling and encouraging practices for interoperability and sharing data among cybersecurity tools.  

A key aim of the OCA will be to make it easier for different cybersecurity technologies to work together across the entire lifecycle of a threat. 

In a statement issued earlier today, the OCA wrote: "According to industry analyst firm, Enterprise Strategy Group, organizations use 25 to 49 different security tools from up to 10 vendors on average, each of which generates siloed data. 

"Connecting these tools and data requires complex integrations, taking away from time that could be spent hunting and responding to threats. To accelerate and optimize security for enterprise users, the OCA will develop protocols and standards which enable tools to work together and share information across vendors."

The alliance was spearheaded by IBM Security and McAfee and quickly attracted the support of Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.

At OCA's heart will be two technologies developed by its founding members. The first is McAfee's cybersecurity messaging format OpenDXL Standard Ontology. The second is STIX-Shifter, a search capability for all types of security products based on an IBM open source library. This useful tool can identify information in data repositories that relates to potential threats, pop it into a usable format, and share it with any enabled security tool. 

"Attackers maximize damage by sharing data with one another. Our best defense strategy is to share data too," said D.J. Long, vice president of business development at McAfee.

"Organizations will be able to seamlessly exchange data between products and tools from any provider that adopts the OCA project deliverables. We’re looking at the potential for unprecedented real-time security intelligence."

Source: Information Security Magazine

University to Create New Cybersecurity Approach Inspired by the Human Body

Researchers at the University of Arizona are developing a fresh approach to cybersecurity modeled on the human central nervous system. 

The new method, which is being created as part of the Partnership for Proactive Cybersecurity Training project, will aim to detect and neutralize cyber-threats in their earliest stages before they have a chance to do any serious damage. 

Inspiration for the project came from human biological responses; for example, how the body's immune system fights a virus and how a person will instinctively pull their fingers away from a burning hot surface before their brain has even received the message that the body is at risk of harm.

"I felt we could learn about how the body protects us by reacting to threats and maybe apply it to cyber by building a 'cyber immune system,'" said Salim Hariri, UA electrical and computer engineering professor and the project's principal investigator. 

"We're trying to build these abilities where, when somebody attacks your computer, these measures can detect the attack and act on it before you're even aware something is compromised."

In contrast with security methods that deal with cyber-threats in a reactive way, the new system being constructed is being designed to function proactively. The plan is to use artificial intelligence and machine learning to train machines to recognize cyber-threats on their own, as a doctor might recognize diseases from their symptoms. 

To stop the threats before they infect a network or device, researchers will also teach the machines how to recognize threats as they evolve and how to execute a wide range of cures. With an encyclopedia of remedies at their disposal, the machines will be able to search for the one that is most appropriate and automatically apply it to the threat. 

"An attacker can reach hundreds of thousands of devices in a fraction of a second, so we need our ability to detect threats and protect a system to work just as quickly," said Hariri. 

The National Nuclear Security Administration's Minority Serving Institution Partnership Program has awarded the project a $3 million grant to be paid over a three-year period. Under the terms of the grant, researchers will train students, especially underrepresented minorities, from the University of Arizona, Howard University, and Navajo Technical University as they work to develop new cybersecurity techniques.

Source: Information Security Magazine

#ACS19: Make Cyber a Business Risk for Management Adoption

Don’t treat cyber-risk any differently to any other risk to your business, as engagement with senior management continues to be a challenge.

Speaking at the ATM & Cybersecurity 2019 conference in London, Nina Paine, global head of cyber partnerships and government strategy, Standard Chartered, discussed the need to keep senior management engaged when creating and maintaining a cybersecurity culture internally.

Paine said that with growing teams there is a “race to keep pace against cyber-criminals and cyber-threat actors” and this means that security teams “cannot do it alone and it is incredibly important that we share knowledge and insights and key learnings with partners across the world.”

Paine said that people ask if a cybersecurity culture can be driven from the “top down or bottom up” and she said that it is probably both as “the tone from the top and senior executive engagement is the key differentiator.” She also said that cyber-leaders are clear on the strategic implications that cyber-risks represent, and this may be about metrics that the business has put in place.

One tone to adopt for senior executives is to stress that “cybersecurity is tremendously important to our customers.” Therefore, cybersecurity has to be treated as a business risk, “as we know the consequences of not doing so are stark.”

Paine also said that cyber-risk should be “normalized as part of enterprise risk management as a whole.”

So how can cybersecurity be part of the wider business discussion? This needs to be done with a trickle down through the business, and not just by having a technical team in a separate room, Paine advised. She said that at Standard Chartered, cybersecurity is treated as a principal risk type, and this means it is subjected to enterprise-wide risk management rules.

She added: “Whether you have got that or not, you have got some principles to think about within each function around challenges and assurance that are absolutely vital to all firms.”

Paine recommended setting up a layered effort to enable better adoption of culture, and one thing firms have done is to set up a senior executives’ safe space “where there are not stupid questions and everybody is a human.” She said that this forum can allow increased understanding of risks, as we “cannot simply rely on small groups of technical experts to keep our organization safe.”

She acknowledged that employee awareness can “sound pink and fluffy,” but you can make it a hard skill set and discipline through automated platforms. She said that as Standard Chartered was automating its awareness, this will enable training and results and learning to be better collected, adding an element of gamification.

To conclude, she pointed out that “what gets measured gets done” and recommended introducing security measurement tools, as well as publishing test scores to divisional heads, as that can drive cultural change in a business.

“I’d like to reiterate that cybersecurity risk and its management is very much a shared responsibility, and everyone from the board to the front line has a critical role to play,” she said. “Whilst an organization’s risk culture does have formal risk policies in it, there is also a really important people side.”

Source: Information Security Magazine

#ACS19: Police Chief’s Council Highlights Major Attacks and Threats to UK

Speaking at the ATM & Cybersecurity 2019 conference in London, detective superintendent Andrew Gould, National Cybercrime Programme Lead, National Police Chief’s Council, detailed common attackers, attack tactics and the most common ways to prevent them from happening.

Saying that the main attack groups were “no great surprise,” he highlighted the hostile states as having different motives but having “really invested in their capabilities” which he said was the main challenge, as “if a hostile state comes after you as an organization they are probably going to get you” unless you have significantly invested in your protection. “For most people though, that is probably not going to be a significant concern.”

However, a rising threat is from organized crime, which he said has involved a blurring between a hostile state and organized crime, whether it is being franchised or “tasked out,” while there are organized crime groups who do this as a way to make money.

What has also been a major concern over the last couple of years is “more and more high-level sovereign state tools leaked out.” He explained that these may have been the preserve of American intelligence agencies, but are now in the wild and “available for anyone to download and use as part of criminal enterprise.”

As well as attacks such as DDoS and Business Email Compromise, Gould also said that “the most common type of cyber-dependent crime, where computers are attacking computers” and affecting organizations, is ransomware. While he admitted that detections and infections are down, the trend is towards more targeted ransomware, and he recommended that businesses protect and test backups.

In terms of sophistication, Gould said that attackers are getting better in how they are targeting organizations, as one in five “are successful with spray and pay” techniques. “Actually a lot of criminals are investing time and effort in their targets, and we make it easy for them by putting our personal information online,” he added.

Moving on to the role of the police, he acknowledged that the attitude of the police toward cybercrime has changed over time; “we know there are millions of offences committed in the country each year, but only 25-26,000 of those get reported to Action Fraud.”

However, that has improved, Gould said, “and now we've got teams dealing with cyber-dependent crime like ransomware in every force in England and Wales, when 18 months ago nothing existed.” He continued that every incident is investigated and every victim is advised “to stop them being a victim again.”

He concluded by highlighting the most common mistakes that businesses make in dealing with cyber-incidents, which were:

  • No plan, nothing exercised
  • Unmapped and poorly understood networks and endpoints
  • Business negotiates with blackmailers
  • Slow to ask for police help (if at all)
  • Only communicate with police through lawyers
  • Media messaging does not consider secondary fraud
  • Ineffective backups

Source: Information Security Magazine

New Zealand Health Organization Discovers Multiple Hacks Dating Back Three Years

A health organization in New Zealand that was targeted in a global cyber-incident in August has uncovered evidence of earlier attacks dating back three years.

Tū Ora Compass Health took its server offline and strengthened its IT security following a cyber-attack on its website in August. On Saturday, the primary health organization (PHO) announced that an investigation by authorities, including the police, Ministry of Health, and the National Cyber Security Centre, has found evidence of multiple earlier attacks dating from 2016 to early 2019.

Martin Hefford, chief executive officer of Tū Ora Compass Health, said: "As stewards of people’s information, data security is of utmost importance to Tū Ora Compass Health. We are devastated that we weren’t able to keep people’s information safe. 

"While this was illegal and the work of cybercriminals, it was our responsibility to keep people’s data safe, and we’ve failed to do that."

Tū Ora holds information dating back to 2002 on approximately 1 million individuals from the greater Wellington, Wairarapa, and Manawatu regions. Tū Ora does not hold GP notes, which are held by individual medical centers.

The organization is one of 30 PHOs that collect data from medical centers, then analyze it to ensure patients are screened for diseases like cancer and receive treatment for chronic conditions, including diabetes.

"We don’t know the motive behind the attacks, and we cannot say for certain whether or not these have resulted in any patient information being accessed, but we have laid a formal complaint with police," said Hefford. "Experts say it is likely we will never know. However, we have to assume the worst, and that is why we are informing people."

New Zealand's director-general of health, Dr. Ashley Bloomfield, said: "We have been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.

"This work is ongoing, and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."

Elad Shapira, head of research at Panorays, commented that the best way for hackers to reach sensitive and confidential information is often through third parties, who can access data but lack the adequate security to guard it. 

He said: "For this reason, assessing and continuously monitoring healthcare organizations' third-party security is critical."

Source: Information Security Magazine

Data of 92 Million Brazilians for Sale on Underground Auction Site

The personal information of 92 million Brazilian citizens has been discovered for sale to the highest bidder on an underground forum auction. 

According to BleepingComputer, the auction is present on multiple dark web marketplaces that can only be accessed by paying a fee or via an invitation from someone who is already on the inside. 

The information is being sold as a 16GB database in SQL format and has a starting price of $15,000 and a step-up bid of $1,000. According to its seller, X4Crow, the records include names, dates of birth, taxpayer IDs, and some address details. 

A sample of the database, which was seen and verified as genuine by BleepingComputer, also contained information relating to gender and the names of individuals' mothers. 

The origin of the database is unclear, though the inclusion of the taxpayer IDs and the seller's claims that it contains the unique information of 92 million Brazilian citizens could indicate that it's a government database of the approximately 93 million Brazilians who are currently employed. 

In addition to offering the data for sale, X4Crow claims that they can retrieve data available in national identification documents, such as ID cards and driving licenses, together with phone numbers, email addresses, previous addresses, professions, education levels, and vehicles. And all they need to do it is the individual's full name, taxpayer ID, or phone number.  

Under Article 18 of the Brazilian General Data Protection Law ("Lei Geral de Proteção de Dados" or "LGPD"), consumers have rights relating to their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated. Unfortunately, the law does not go into effect until August 15, 2020, a six-month extension from the previous February 2020 date.

Jonathan Deveaux, head of enterprise data protection with comforte AG, believes that in the future, companies may rely more on methods like tokenization to protect valuable consumer data. 

He said: "An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization.

"Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multi-cloud computing, which has been scrutinized as having major data security gaps."
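As an added illustration of the tokenization Deveaux describes (this is example code written for this page, not comforte's product or anything from the article), the Python below keeps real values in a separate vault and hands application systems only random tokens. The record fields (name, taxpayer ID, date of birth, mother's name) and their values are constructed placeholders, and the vault is an in-memory dictionary standing in for the hardened, access-controlled store a real deployment would use.

```python
import secrets
from typing import Dict, Iterable


class TokenVault:
    """In-memory stand-in for a tokenization vault (illustration only).

    Real values live only here; everything outside the vault sees opaque
    random tokens that carry no information about the value they replace.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so tokenized datasets can still be joined
        # and deduplicated without exposing the underlying value.
        existing = self._value_to_token.get(value)
        if existing is not None:
            return existing
        token = "tok_" + secrets.token_hex(12)  # 96 random bits, not derived from the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # The only path back to the real value; in production this is the
        # access-controlled, audited operation.
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]

    def __len__(self) -> int:
        return len(self._token_to_value)


def tokenize_record(vault: TokenVault, record: Dict[str, str],
                    sensitive_fields: Iterable[str]) -> Dict[str, str]:
    """Return a copy of the record with each sensitive field replaced by a token."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(vault: TokenVault, record: Dict[str, str],
                      sensitive_fields: Iterable[str]) -> Dict[str, str]:
    """Reverse tokenize_record for an authorized consumer of the real values."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def contains_sensitive_values(tokenized: Dict[str, str], original: Dict[str, str],
                              sensitive_fields: Iterable[str]) -> bool:
    """True if any original sensitive value survives verbatim in the tokenized record."""
    leaked = {original[f] for f in sensitive_fields if f in original}
    return any(v in leaked for v in tokenized.values())


# Constructed sample record: fictitious person, placeholder identifiers.
SENSITIVE_FIELDS = ("name", "taxpayer_id", "date_of_birth", "mother_name")
SAMPLE_RECORD = {
    "name": "Fulana de Tal",
    "taxpayer_id": "000.000.000-00",  # placeholder in CPF layout, not a real number
    "date_of_birth": "1985-03-14",
    "mother_name": "Sicrana de Tal",
    "city": "Sao Paulo",              # non-sensitive, stored as-is
}

if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(vault, SAMPLE_RECORD, SENSITIVE_FIELDS)
    print("what the application database holds:", stored)
    print("leaks original values?", contains_sensitive_values(stored, SAMPLE_RECORD, SENSITIVE_FIELDS))
    print("authorized round trip intact:",
          detokenize_record(vault, stored, SENSITIVE_FIELDS) == SAMPLE_RECORD)
```

The point of the design is that a copy of the application database, taken on its own, contains nothing but tokens for the protected fields; only the vault can map them back, so the vault is the one component that needs the strongest access control and audit logging.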

Source: Information Security Magazine

Class-Action Lawsuit Filed Against CafePress Following Data Breach

Leading online gift shop CafePress is the target of a proposed national class-action lawsuit in the United States after allegedly failing to update its security software and taking months to inform customers of a data breach. 

The retailer was heavily criticized earlier this year for its poor cybersecurity and incident response after it emerged that 23 million customers had their personal data stolen in a breach that is thought to have occurred in February 2019.

Third-party consumer sites, including weleakinfo.com and haveibeenpwnd.com, were independently warning consumers of the breach as early as July 13, 2019, but the incident was not officially reported by CafePress to their customers until last week.

Data exposed by the breach included email addresses, names, physical addresses, phone numbers, and passwords stored as SHA-1 hashes. 

The suit has been filed by consumer-rights law firm FeganScott, which alleges that CafePress failed to employ best practices when alerting customers of the data breach. According to the complaint, CafePress’ first notifications appeared on its website on September 5, but the company did not directly notify its customers until October 2, 2019. 

"As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew—or should have known—about the breach and failed to warn their customers that their credit card information and Social Security numbers could be for sale to the highest bidder on the dark web," said Beth Fegan, a founder of FeganScott.

It is further alleged that CafePress failed to offer adequate protection to its customers by neglecting to update security software that was widely known to be flawed. 

"CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security," said Fegan. "Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep."
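To make concrete what "passwords stored as SHA-1 hashes" means for the people in a leaked table, and what a corrected scheme looks like, here is an added Python example; it is not CafePress's code, and the three accounts and passwords are constructed for illustration. It compares an unsalted SHA-1 store with a per-user-salted scrypt store: under the weak scheme every account sharing a password shares a stored value, and a candidate password can be checked at the speed of a plain hash; under the salted, memory-hard scheme each stored value is unique and deliberately expensive to derive.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (illustration only, not data from any breach).
SAMPLE_ACCOUNTS = {
    "alice@example.com": "Summer2019!",
    "bob@example.com": "Summer2019!",  # same password as alice
    "carol@example.com": "correct horse battery staple",
}


def sha1_store(password: str) -> str:
    """Weak scheme: a single unsalted SHA-1 over the password.

    The digest is deterministic and fast, so identical passwords produce
    identical records and each candidate password costs one hash to test.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def scrypt_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: random 16-byte per-user salt plus the memory-hard scrypt KDF.

    n=2**14, r=8, p=1 needs roughly 16 MiB per derivation, which is what makes
    bulk guessing expensive. Returns (salt, digest); both are stored.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def scrypt_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = scrypt_store(password, salt)
    return hmac.compare_digest(candidate, digest)


def shared_value_groups(stored: Dict[str, str]) -> List[List[str]]:
    """Group account names whose stored credential value is identical.

    With unsalted SHA-1 this reveals which users share a password; with
    salted scrypt no two records ever match, so the result is empty.
    """
    by_value: Dict[str, List[str]] = {}
    for account, value in stored.items():
        by_value.setdefault(value, []).append(account)
    return sorted(group for group in by_value.values() if len(group) > 1)


def compare_schemes(accounts: Dict[str, str] = SAMPLE_ACCOUNTS) -> Dict[str, List[List[str]]]:
    """Build both credential tables from the same accounts and report shared values."""
    sha1_table = {acct: sha1_store(pw) for acct, pw in accounts.items()}
    scrypt_table = {acct: scrypt_store(pw)[1].hex() for acct, pw in accounts.items()}
    return {
        "sha1_shared": shared_value_groups(sha1_table),
        "scrypt_shared": shared_value_groups(scrypt_table),
    }


if __name__ == "__main__":
    report = compare_schemes()
    print("accounts with identical unsalted SHA-1 records:", report["sha1_shared"])
    print("accounts with identical salted scrypt records:", report["scrypt_shared"])
    salt, digest = scrypt_store("Summer2019!")
    print("scrypt verify, correct password:", scrypt_verify("Summer2019!", salt, digest))
    print("scrypt verify, wrong password:  ", scrypt_verify("summer2019!", salt, digest))
```

The salt is not a secret; it only has to be unique per record, so it is stored next to the digest. What protects the table is the cost of each derivation and the fact that precomputed results for one salt are useless for any other.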

The suit, filed today in US District Court in Illinois, seeks to represent all US consumers who were impacted by the breach. Consumers who are interested in learning more about this class-action suit can contact cafepress@feganscott.com.

Source: Information Security Magazine

US and UK Sign Crime Data Sharing Agreement

UK Home Secretary Priti Patel and US Attorney General William Barr have signed a bilateral agreement paving the way for UK and US law enforcement agencies to obtain data more quickly from electronic service providers operating in each jurisdiction.

According to Julian Hayes and Michael Drury at BCL Solicitors, this “will inevitably be one way traffic, expediting the UK’s acquisition of evidence from US tech giants such as Facebook, Google and Twitter in the fight against serious crime, including terrorism and child abuse.”

According to the FT, the deal will compel US technology companies including Facebook, Google and Twitter to hand over the content of emails, texts and direct messages to British law enforcement bodies, and require the same of UK companies holding information sought by US investigators.

It currently takes police and security services anything from six months to two years to request and access electronic data, under the “mutual legal assistance” treaty between the US and UK governments. “Under the new arrangements, a UK Judge can issue the police, SFO and other specified with an Overseas Production Order, bypassing cumbersome mutual legal assistance procedures and, in principle, obtaining electronically stored data from the US within just seven days,” Drury and Hayes said.

The treaty is based on the US CLOUD Act 2018 and the UK’s Crime (Overseas Production Orders) Act 2019. The agreement still requires ratification by the US Congress and is to be presented to Parliament.

While this has been welcomed by some organizations, including the NSPCC, which described the new arrangements as “a hugely important step forward,” the bilateral agreement has been criticized on the basis that it potentially erodes key rights. “The risk is that, in the rush to comply within tight time frames, tech companies might be required to hand over data to which law enforcement authorities have no right,” Drury and Hayes said. 

They also questioned whether service providers will be expected to scrutinize the order to ensure that legal and procedural requirements have been adhered to, and asked how the requirements of the new arrangements can be reconciled with the service providers’ desire to provide encrypted services.

Source: Information Security Magazine

‘The Cyberthreat Handbook’ Released, Documents ‘Who’s Who’ of Attackers

Thales and Verint have announced the release of The Cyberthreat Handbook, a report designed to provide insights into the most significant groups of global cyber-attackers through detailed rating cards.

The two companies combined to carry out a year-long investigation into the current cyber-threat landscape, observing attack techniques, targeted sectors and attack motives.

The research details the activities of approximately 60 major groups of cyber-attackers throughout the world, discovering that almost half of the groups analyzed were state-sponsored, often aiming to steal sensitive data from targets of geopolitical interest.

Just over a quarter were named as ideologically-motivated hacktivists, followed by financially-driven cyber-criminals (20%) and cyber-terrorists (5%).

The Cyberthreat Handbook warned that all the world’s major economic, political and military powers are priority targets of cyber-attackers, and that the sectors most targeted are States and their defense capabilities, followed by the financial sector, energy and transportation.

It was also noted that a growing number of groups of attackers are now focusing on vulnerabilities in the supply chain, and in particular on smaller partners, suppliers and service providers that are used as Trojans to access major targets.

Marc Darmon, executive vice-president, secure communications and information systems, Thales, said: “The Thales and Verint teams are immensely proud to release this report today as part of its technology and domain expertise cooperation. Unique in its breadth and depth, it is the culmination of many months of research, investigation and painstaking analysis and correlation of relevant data. As cyber-threats proliferate and evolve, cybersecurity clearly has a major role to play, particularly for critical infrastructure providers.”

Elad Sharon, president, Verint Cyber Intelligence Solutions, added: “This report generates unique insights and knowledge to cyber and security experts to mitigate and foresee cyber-attacks.”

Source: Information Security Magazine