
Archive for the News Category

Met Facial Recognition Comes in for More Criticism


The Metropolitan Police force has been ‘trialing’ its controversial facial recognition cameras again and the latest deployment resulted in just one individual being charged.

The capital’s police have been using these cameras for several years but FOI responses from several forces sent to rights group Big Brother Watch last year revealed the technology is 98-100% inaccurate.

The latest two-day deployment in the Essex town of Romford last week resulted in the arrest of a 35-year-old on suspicion of breach of a molestation order, for which he subsequently received 11 weeks behind bars.

The press release issued by the Met notes a handful of other arrests during the operation, although none of the individuals were charged and these arrests were not due to individuals being detected by the facial recognition software against a pre-defined list of suspects.

In fact, the deployment caused controversy when one man tried to cover his face whilst passing a camera.

According to Big Brother Watch, whose representatives were on-site: “He protested that there was no reason to be stopped as he was surrounded by police, and when he got annoyed he was fined £90 for a supposed public order offence.”

Green Party member of the House of Lords, Jenny Jones, tweeted that she is writing to the Met police commissioner to raise her concerns about the operation.

Big Brother Watch and Jones have mounted a legal challenge to the use of the technology, which is being used in the absence of any formal legal framework to protect innocent citizens’ privacy.

The Met was criticized in December for running a similar operation in central London, claiming that anyone who declined to be scanned wouldn’t be viewed as suspicious — which seems to contradict the approach taken in Romford.

Although it claimed the operation was well publicized, reports suggested the opposite was true, right down to the use of cameras attached to unmarked vans.

Source: Information Security Magazine

Phishers Use Google Translate to Boost Success


Researchers have warned users of a new phishing technique which uses Google Translate to add authenticity to scams.

Akamai security researcher Larry Cashdollar explained in a blog post that he was targeted by this tactic early in the new year, receiving an email telling him his Google account had been accessed from a new Windows device.

Clicking through on the attached link would bring victims to a fake Google log-in page, with the malicious domain loaded through Google Translate.

“Using Google Translate does a number of things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses,” Cashdollar warned.

“However, while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google's older login portal), it fails completely when viewed from a computer.”

This is because on a full computer screen, users can see the true malicious domain more clearly.

However, if a user falls for the scam, they will not only have their Google log-ins harvested but then be taken to a spoofed Facebook mobile log-in page.

“It isn't every day that you see a phishing attack leverage Google Translate as a means of adding legitimacy and obfuscation on a mobile device, but it's highly uncommon to see such an attack target two brands in the same session,” said Cashdollar.

“One interesting side note relates to the person driving these attacks, or at the least the author of the Facebook landing page — they linked it to their actual Facebook account, which is where the victim will land should they fall for the scam.”

He urged users to be more suspicious of unsolicited messages, especially if viewing them on their mobile device, and consider whether the author is trying to create a sense of urgency, fear, or authority to persuade the recipient to click.

Source: Information Security Magazine

Android Users Exposed to Remote Hack via PNG File


Android users could be remotely hacked simply by viewing a legitimate-looking PNG image, Google has warned in its latest security update.

The Android Security Bulletin for February lists 42 vulnerabilities in the Google mobile operating system, 11 of which are critical.

“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” it warned.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

Although there are no reports of users being actively targeted in the wild via this vulnerability, this could change as the window for individual ecosystem vendors to issue patches can run into several weeks or even months.

“Vulnerabilities like these bring to light the disparate update strategies across Android phones,” explained Tripwire VP, Tim Erlin. “While those on Google devices will receive timely security fixes, other manufacturers may wait months to protect users from attackers. Of course, users have to actually apply updates to protect themselves.”

Simon Wiseman, CTO at Deep Secure, explained the criticality of the flaw.

“It means your web browser can fetch a crafted image from a website and the attacker now is in control of your browser and its environment. That means it has access to your stored passwords and you’ve given away access to all the secure sites you visit,” he said.

“The same goes for your email client — the attacker has control of your mailbox so can intercept your mail, perfect for harvesting password resets, and generate mail on your behalf, ideal for propagating the attack within your organization.”

He recommended users search for updates daily and erase all passwords from their mobile browsers as an extra precaution.

Source: Information Security Magazine

Ransomware Sees Further Decline, Banking Trojan Use Steps Up


Ransomware accounted for one tenth of 1% of all malicious email content in Q4, according to a new threat report from Proofpoint.

Its Q4 threat report found that banking trojans accounted for 56% of all malicious payloads in email in Q4, while remote access trojans (RATs) accounted for 8.4%. Proofpoint claimed that this marked a “significant change” for RATs, as in previous years they were rarely used by attackers.

The report stated that email remains the top vector for malware distribution and phishing, while email fraud, also known as business email compromise (BEC), continues to grow rapidly. 

Ransomware message volumes dropped significantly from Q2 to Q4 “suggesting that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale.”

Speaking to the Risky Business podcast in November, Sherrod DeGrippo, Proofpoint’s director of threat research and detection, said that ransomware “has basically evaporated” after it was in the headlines for many months.

“I probably attribute that to the fact that cryptocurrency is so difficult for the average consumer to use, and what we’ve seen instead is, back to cryptocurrency, they are bolting on crypto-miners to just about everything: commodity banking trojans, commodity RATs and keyloggers and pretty basic crimeware stuff,” she said.

“We’re starting to see banking trojans have crypto-miners bolted on to them so they steal the money from the traditional bank account and then leave the crypto-miner behind.”

In an email to Infosecurity, Ed Tucker, CISO and co-founder of Email Auth, Byte and Human Firewall, said that this research highlights that ransomware is actually less of a prevalent threat both to the individual and business, and criminals know that trojans work.

“They have been thoroughly road tested with a widespread user base to great reward,” he explained. “Ransomware still has an issue in terms of the duped user needing a certain amount of literacy in payment terms in order to make this as financially successful as its trojan cousin.”

During Q4 of 2018, Proofpoint observed over twice as many URL messages as attachment messages. “For the entire year, malicious URLs appeared over three-times as often as messages with malicious attachments, suggesting that the pendulum may be swinging back toward attachments as it tends to do periodically,” the report claimed.

It also claimed that banking trojans, stealers and downloaders together accounted for over 90% of all initial payloads in Q4. In particular, the Emotet banking trojan, which was described by US-CERT as “among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors” was named as the main threat.

Emotet uses PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC as a disguise, and initial infection occurs when a user opens or clicks the malicious download link, PDF or macro-enabled Microsoft Word document included in the email.

Proofpoint said: “Taken together, Emotet, Panda Banker, and Ursnif comprised almost 97% of observed banking trojans in Q4.”

Tucker added: “Research such as this, more than ever, emphasizes that businesses should use evidence-based risk approaches from which to make informed decisions. This naturally incorporates a clear view of an actual threat, albeit in most cases that threat will be widespread and sporadic.

“Ransomware has been, and remains, just another factor within the overall risk management framework regardless of the hysteria that has surrounded it.”

Infosecurity’s Online Summit will take place on March 26-27, with live sessions including “The Death of Ransomware: Long Live Other Malware” and “How To: Phish Your Employees.” Registration is now open, and CPE credits are offered for the 14 sessions across the two days.

Source: Information Security Magazine

Algeria Ranked ‘Least Cyber-Secure’ Country in the World, Japan ‘Most Cyber-Secure’


A new study from Comparitech has named Algeria the ‘least cyber-secure’ nation in the world, whilst Japan has been ranked the ‘most cyber-secure.’

The information, tools and comparisons provider studied 60 countries to gauge their ability to meet seven key criteria:

  • The percentage of mobiles infected with malware
  • The percentage of computers infected with malware
  • The number of financial malware attacks
  • The percentage of telnet attacks (by originating country)
  • The percentage of attacks by crypto-miners
  • The best-prepared countries for cyber-attacks
  • The countries with the most up-to-date legislation

In a blog post on its website, Comparitech explained that, for each criterion, countries were given a point based on where they ranked between the highest-ranking and lowest-ranking countries. Countries with the least cyber-secure scores were given 100 points, while countries with the most cyber-secure scores were allocated zero points. All of the countries in between these two scores received a score on a percentile basis, depending on where they ranked.

Comparitech was quick to point out that it found huge variances in a number of the categories and that there was no country that came ‘top of the class’ across the board. However, “there were some countries that lacked significantly in a variety of areas and others who outperformed the majority of countries,” the company said.

“So with that in mind, we’ve created rankings for these 60 countries, from the least cyber-safe to the most cyber-safe,” Comparitech added.

Algeria was deemed the least overall cyber-secure country, being the highest-ranking nation for lack of legislation and computer malware rates, and also receiving a high score in the categories for mobile malware and preparation for cyber-attacks.

Algeria was followed by Indonesia and Vietnam as the second and third least cyber-secure nations, with Tanzania and Uzbekistan ranked fourth and fifth least cyber-secure, respectively.

Conversely, countries that performed well overall in Comparitech’s research were Japan (which was ranked the most cyber-secure country in the world, scoring “incredibly low” across the majority of categories), France, Canada, Denmark and the United States. The United Kingdom was ranked the eighth most cyber-secure nation.

Speaking to Infosecurity, Paul Bischoff, privacy advocate at Comparitech, said the report findings are evidence that, generally, developed countries have better cybersecurity than developing ones.

“The reason might be because people in developing countries are less experienced with the internet and the devices they use to access it. They have less awareness of cybersecurity threats, while ISPs and online companies are not as well prepared for cyber-attacks as their counterparts in developed nations. As internet adoption ramps up, security lags behind. A New York Times report states that hackers use developing countries as test beds for new malware.”

However, there were a few surprising results to come out of the research, he added. “I was surprised to see that Germany suffered the highest number of financial malware attacks, which bucks the trend of developed nations being more cyber-secure than undeveloped ones – 3% of users in Germany were targeted by financial malware.”

Source: Information Security Magazine

Scammers Use Gmail ‘Dot Account’ Feature to Scale Fraud


Cyber-criminals are taking advantage of a little-known feature in Gmail to escalate their scam operations more efficiently, according to new research from Agari.

The email security vendor claimed in a blog post that the problem stems from what it describes as “dot accounts.”

This relates to a decision by Google to allow Gmail users to own “all dotted versions” of their address.

In the example given by Agari senior threat researcher, Ronnie Tokazowski, if a user registers an address as ‘badguy007[at]’ they could then use multiple versions of that same address, placing the dot in different places before the @, such as ‘b.a.d.g.u.y.007[at]’ and ‘bad.guy.007[at]’ and ‘[at]’.

“While all dot variants of a Gmail account direct all email to the same inbox, a vast majority of the rest of the internet treats each variant as a distinctly separate email address, associated with a unique separate account and identity,” he continued.  

“For example, if I sign up for a Netflix account using the email address badguy007[at] and then again with b.adg.uy007[at], Netflix — like most other online services — would think that these are two different accounts linked to two different people. This is where, and how, cyber-criminals are able to take advantage.”

Fraudsters are therefore able to create multiple accounts with a single provider that all direct back to one email inbox, making their scams quicker and easier to scale and manage.

Agari said it recently spotted email scammers using Gmail ‘dot accounts’ to carry out widespread fraud.

They submitted 48 credit card applications at four US financial institutions, with at least $65,000 in fraudulent credit approved.

They also: filed 13 fraudulent tax returns, submitted 12 change of address requests with the US Postal Service, submitted 11 fraudulent Social Security benefit applications, applied for unemployment benefits under nine identities in a single US state and submitted applications for FEMA disaster assistance under three identities.

“In total, the group used 56 different dot variants of a single Gmail email address to register accounts on websites used for fraudulent purposes,” said Tokazowski.

He warned that scammers could also make use of the fact that @gmail and @googlemail addresses are routed to the same inbox, potentially doubling the permutations they have on offer.

Organizations were urged to check for excessive use of dots in newly created accounts to help mitigate this risk.
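One way to act on that advice at signup time, as an added example that is not from Agari or the original article: instead of only counting dots, it collapses Gmail and Googlemail dot variants to one comparison key and reports accounts that share an inbox. The function names, account IDs and sample addresses are constructed for illustration.

```python
from collections import defaultdict

# Domains the article says are routed to the same inbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address: str) -> str:
    """Return a comparison key for an email address.

    For Gmail/Googlemail, dots in the local part are dropped and both
    domains collapse to gmail.com. For other providers the address is only
    lower-cased (an assumption of this example), because dots matter there.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        return local.replace(".", "") + "@gmail.com"
    return f"{local}@{domain}"


def local_part_dots(address: str) -> int:
    """Count dots before the @, the 'excessive dots' signal from the article."""
    return address.rpartition("@")[0].count(".")


def find_dot_variant_clusters(signups, threshold=2):
    """Group (account_id, email) pairs by canonical address and return the
    groups in which at least `threshold` distinct accounts share one inbox."""
    clusters = defaultdict(list)
    for account_id, email in signups:
        try:
            key = canonical_address(email)
        except ValueError:
            continue  # malformed input is left to normal signup validation
        clusters[key].append((account_id, email))
    return {
        key: members
        for key, members in clusters.items()
        if len({account for account, _ in members}) >= threshold
    }


# Constructed sample signups (hypothetical account IDs and addresses).
SAMPLE_SIGNUPS = [
    ("acct-1001", "exampleuser01@gmail.com"),
    ("acct-1002", "e.x.a.m.p.l.e.user01@gmail.com"),
    ("acct-1003", "Example.User.01@googlemail.com"),
    ("acct-1004", "jane.doe@example.com"),   # non-Gmail: dots are significant
    ("acct-1005", "janedoe@example.com"),
    ("acct-1006", "not-an-address"),
]

if __name__ == "__main__":
    for key, members in find_dot_variant_clusters(SAMPLE_SIGNUPS).items():
        print(f"{key}: {len(members)} accounts share this inbox")
        for account_id, email in members:
            print(f"  {account_id}  {email}  dots={local_part_dots(email)}")
```

Storing the canonical key alongside the address the user typed lets a uniqueness or velocity check run on the key while mail is still sent to the original form.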

Source: Information Security Magazine

China’s MSS Targeted Major European MSP: Report


Security researchers have discovered another Chinese state-sponsored APT campaign, this time targeting a major European MSP with the likely intent of stealing IP from its customers.

Recorded Future and Rapid7 claimed in a new co-authored report that the notorious APT10 group, linked to China’s fearsome Ministry of State Security (MSS), was responsible for the campaign, running between November 2017 and September 2018.

It is said to have targeted Norwegian provider Visma, which has 850,000 customers around the globe, as well as a multi-national clothing giant and a US law firm with strong experience in IP law and clients in pharma, tech, automotive and other sectors.

The initial entry point in all three cases was stolen Citrix/LogMeIn credentials, enabling remote network access.

“The attackers then enumerated access and conducted privilege escalation on the victim networks, utilizing DLL sideloading techniques documented in a US-CERT alert on APT10 to deliver malware,” the report continued.

“During the Visma intrusion, APT10 deployed their Trochilus malware with command and control (C2) communications encrypted using both RC4 and Salsa20 streaming ciphers rather than the typically observed RC4 variant. On the two other victim networks, the attackers deployed a unique version of the UPPERCUT (ANEL) backdoor, known to have only been used by APT10.”

Visma data was compressed using WinRAR and exfiltrated to a Dropbox account using the cURL for Windows command-line tool. The same account was used to store data from the other breaches.

The MSS has been previously blamed for Operation Cloud Hopper, a major multi-year campaign targeting MSPs around the world which resulted in the indictment of two suspected state hackers late last year.

“Unfortunately, this is the type of nefarious behavior we witness regularly, but there are steps organizations can take to combat these issues. For example, we recommend implementing two-factor authentication for everything,” advised Rapid7 principal MDR analyst, Eoin Miller.

“Additionally, strengthening the reviews of authentication attempts against low cost VPN providers or 'out of the norm' networks or countries for an individual user is equally important. Organizations should also consider implementing extremely strict application white-listing on sensitive systems.”

Source: Information Security Magazine

South African Utility Suffers Double Security Blow


South Africa’s largest electricity supplier has come under fire for apparently ignoring a serious leak of customer data.

Eskom, which claims to transmit and distribute 95% of the electricity used in the country, was called out earlier this week on Twitter by a frustrated security researcher.

“You don't respond to several disclosure emails, email from journalistic entities, or twitter DMs, but how about a public tweet?” said Devin Stokes. “This is going on for weeks here. You need to remove this data from the public view!”

The leaked data appears to include customer details including account IDs, meter information and payment details.

Only the last four digits of card numbers are visible, as are CVV numbers: certainly enough to launch convincing phishing attacks and follow-on fraud.

Unfortunately for the energy giant, which also claims to provide 45% of the electricity used in Africa, it also appears to have been hit with a seemingly unrelated malware infection.

Twitter user @sS55752750 claimed that one of the company’s users’ machines was infected with a trojan, adding that “all her credentials were stolen.”

Although the utility firm initially claimed that the email address provided was “not a valid Eskom email address,” it subsequently changed its position.

“This has been investigated and the necessary actions have been taken. Thank you for bringing it to our attention,” the firm tweeted on Wednesday.

It remains to be seen what action is being taken to address the exposed database.

Paul Edon, senior director at Tripwire, argued that a company the size of Eskom should have better visibility into its systems and take a more proactive approach to security.

“There is a tendency for boardroom executives to operate with a reactive mindset, and although understandable, since attacks are difficult to visualize until they happen, it is still unacceptable,” he added. “With cybersecurity, it is critical that organizations get the basics right. Continuously monitoring the security of their infrastructure can go a long way towards preventing a successful attack or reducing the impact.”

Source: Information Security Magazine

Disconnect Between Consumers & Businesses as Companies Capitalize on Customer Data


There is a growing disconnect between how companies capitalize on customer data and how consumers expect their data to be used, a new report from RSA Security has discovered.

The firm polled more than 6000 individuals across France, Germany, the United Kingdom and United States to explore the nuances of ethical data use and consumer perceptions of data privacy, compiling its findings into The RSA Data Privacy & Security Survey 2019.

Fewer than half (48%) of respondents believed there are ethical ways that companies can use their data, whilst 57% said they blame companies above anyone else, even a hacker, in the event of a data incident.

What’s more, whilst a focus on personalized consumer experiences is often considered a means to increase user activity and purchasing, the majority of those polled were against companies using their data to create a personalized experience if it compromised their privacy. As few as 17% of respondents felt tailored ads were ethical and just 24% thought personalization to create tailored newsfeeds was ethical.

“With a growing number of high-profile data breaches, questions around the ethical use of data and privacy missteps, consumers increasingly want to know how their data is being collected, managed and shared,” said Nigel Ng, vice-president of international, RSA. “Now is the time for organizations to evaluate their growing digital risks, doubling down on customer privacy and security. Today’s leaders must be vigilant about transforming their cybersecurity postures to manage today’s digital risks in a way that ensures consumer trust and confidence in their business.”

Source: Information Security Magazine

Bank IT Manager Gets 10 Years for ATM Exploit


An IT developer at a Chinese bank has been jailed for over a decade after exploiting a vulnerability in its systems to withdraw more than $1m from ATMs.

Qin Qisheng, 43, was a manager in Huaxia Bank’s technology development center in Beijing who spotted that a glitch in the lender’s core OS meant cash withdrawals around midnight weren’t recorded.

He subsequently tested his theory, deliberately hiding his activity as he did so, making withdrawals of 5,000-20,000 yuan ($740-3000) from a test bank account.

After doing so for over a year without telling his superiors, he had built a small fortune of over seven million yuan ($1m) in his own bank account, investing some funds in the stock market.

However, his luck ran out after the unusual activity in the test account was spotted at a branch in Hebei.

Amazingly, however, the bank wanted police to drop the case, believing Qin’s excuse that he was merely pen-testing.

“Qin Qisheng said that the matter was complicated and involved lots of work … he believed the bank would not pay attention even if he reported it,” a representative said in court, according to the South China Morning Post.

“We think this reason for not reporting is legitimate.”

Although Qin returned all the money he stole from the bank, it wasn’t enough to save him from a 10-and-a-half year jail sentence. This is the final appeal ruling of the Beijing Intermediate People's Court, upholding a December conviction.

“On the one hand, [the bank] said that the accused’s behavior was in violation of the rules. On the other hand he said that he could conduct relevant tests. This is self-contradictory,” the judge is reported to have said.

Source: Information Security Magazine