72 per cent of the UK fear theft of their personal data from company hacks

Almost three quarters of the nation fear their personal details will be stolen EVERY TIME they hand over bank details and email addresses to companies, it has emerged. Two thirds are concerned that their data may have been stolen without their knowledge.

The general distrust of organisations and web-based stores emerged in a study of 2,000 adults, which also revealed around one in five have already had their personal data stolen. Almost a third of these victims had been left out of pocket as a result. It also emerged 65 per cent of those who had their data stolen as a result of a company hack worry that their data could still be used maliciously.

Commissioned by cybersecurity company, BullGuard, the research found the typical adult believes their personal details are held by 40 businesses on average.

Paul Lipman, CEO at BullGuard said: “As the results show, the way companies use data really is a huge concern for customers.

“This has particular relevance in the wake of the Dixons Carphone hack in which millions of customer records have been compromised.

“And clearly these worries are justified because the number of people who are victims of identity fraud is worryingly high.

“While the emphasis should be on companies preventing fraud, realistically we as customers have to be vigilant and careful about who we give out our data to.”

Among those polled, the most concerning repercussions of a company being hacked are identity fraud (71 per cent), theft of their credit card details (69 per cent) and stolen bank details (64 per cent).

The research also found just under half of respondents have even stopped or avoided using a particular site or service because they don’t trust that company to protect their personal data.

One of the reasons for this could be that 48 per cent don’t believe businesses do enough to protect their customers’ personal data.

A further 45 per cent think companies do not consider security to be a priority in the slightest.

In fact, most of those polled by BullGuard – an incredible 85 per cent – believe companies put profits before the security of customers.

Amid this, almost one fifth do not believe potentially huge fines of up to £20 million imposed by the Information Commissioners Office are significant enough.

Of those who have had their personal data compromised, one in five said they had to contact the company to inform them – rather than being informed of the breach.

Astonishingly, firms that did make contact after their customers’ data was compromised took 11 days on average to finally get in touch.

A third didn’t feel the company involved was helpful in dealing with the problem when they made contact. And, forty per cent of those said the communication was ‘unsympathetic’ or ‘blunt’.

Shockingly around 80 per cent believe companies have been hacked – but have covered it up.

The BullGuard research also found five per cent have even had their kids accounts hacked. And a quarter know someone who has had their details stolen or misused.

Paul Lipman, CEO at BullGuard added: “The response from companies to data breaches simply is not good enough as far as customers are concerned.

“They want to be reassured and want to see quick and decisive action – but this is not the experience of many of those polled. It’s really important companies accept their responsibilities in protecting customer data.

“Despite the recent introduction of GDPR in which customer data is supposed to be securely locked down by law, people are still clearly concerned about their personal data being stolen and compromised.”



Cofense finds sustained increase in phishing lures targeting UK users imitating HMRC, Lloyds Bank and HSBC

Since this April, Cofense Intelligence™ has observed a sustained increase in the financially motivated targeting of UK-based users with phishing lures imitating HMRC, Lloyds Bank, and HSBC. The most common final payloads delivered by these campaigns are designed to compromise victims’ financial accounts and provide illicit access to financial information. This surge in targeting almost certainly represents a stage in the “whack-a-mole” strategy long employed by threat actors: expand campaigns against a segment of the vast vulnerable attack surface until those users catch on to the threat, then move to the next target.

Trickbot, Pony, and Loki Bot comprised the majority of final payloads delivered in the distinct campaigns analysed. While the appearance of authenticity of the phishing emails differs among the campaigns, indicating that different groups of threat actor, these types of malware are almost certainly leveraged for similar objectives — to provide threat actors with financial information and access to accounts to facilitate theft.

Aaron Higbee, CTO and cofounder at Cofense comments:

“Financially themed phishing scams give threat actors a number advantages when it comes to compromising security. Internet users pay attention because banks and tax authorities play an official role in our day-to-day lives and their services often incur costs.  What’s more, the type of information these institutions need can be sensitive, from username and passwords to information regarding an account, it feels much more acceptable for a financial institution to be requesting such information than another type of company.  By adding additional, local relevance – for example the UK tax authority and two of the most prominent banks in the country – malicious emails can easily be mistaken for legitimate correspondence. In these cases, threat actors are using social engineering within phishing attacks to still target a very large number of potential victims.

“With many of the phishing campaigns targeting corporate accounts, businesses need to equip their employees to be as resilient as possible to this type of attack.  Encouraging employees to report suspicious emails, to think twice about if an email is unsolicited and be extra cautious where financial details are concerned, is the first step to reducing susceptibility and building resiliency. What’s more, by reporting emails, the IT team is also quickly able to gather threat intelligence and begin the response process. As multiple threat actors continue to use similar techniques to deliver a multitude of malware variations, no technology can guarantee prevention. However, by making employees as security savvy as possible, companies have a constantly improving threat detector within their cybersecurity infrastructure.”



Millions at risk from Dixons Carphone data breach – Cofense comments

Dixons Carphone has announced the unauthorised access to 5.9 million cards in one of its processing systems. An additional 1.2 million non-financial personal records were also compromised.

Aaron Higbee, CTO and cofounder at Cofense (previously PhishMe) comments:

“The breach suffered by Dixons Carphone is no doubt a concern for all those whose data is held within the company and particularly for those with non-EU issued cards that were not protected by chip and pin. What will be especially interesting in this investigation, however, is what security really looked like for a company that had already been fined for its inadequate security and had recently undergone a merger.’

“The IT infrastructure within any company can be complex and with the rise in cloud services, shadow IT is undoubtedly on the increase, but this is often worsened when a merger has taken place.  In terms of security, a lack of visibility and control over IT is a huge problem; you can’t secure what you don’t know exists, particularly if you rely on plug-in security solutions.

“Consequently, security defence needs to evolve and improve as the business grows and as threats change. The only way to do this effectively is to deploy a business’s most adaptable and intelligent resource – its employees.  With a human defence shield identifying suspicious activity, reporting it in a way that is simple and yet gives the security team all it needs to triage against other incidents, cyber intelligence can be generated to be then fed back into the business to make those first line responders even more effective.  Only time will tell if Dixons Carphone had this sort of security infrastructure in place.”



An Up to Date Cyber Security ‘Super Guide’ to Help Businesses

This is a repost. You can find the original source of this article at: https://www.fidusinfosec.com/ultimate-cyber-security-guide-for-businesses/ 


For today’s executives, senior managers, and entrepreneurs, the online world offers amazing opportunities to connect with new customers, open up in brand new markets, and empower their employees to innovate and to reach their full potential. A lot of what happens in business today is, quite frankly, unimaginable to the generations of executives, senior managers, and entrepreneurs that came before us.

Equally unimaginable to them would be the threat posed by cybercriminals to their businesses and their customers’ personal information.

This is a typical example. Carole Gratzmuller, CEO of medium-sized French company Etna Industrie, came back from a trip to discover that, under her instruction, her accountant had transferred £100,000s out of the company business account. The problem was – she gave no such instruction.

Speaking to the BBC, Ms Gratzmuller stated that “My accountant was called on Friday morning…Someone said: ‘You’re going to get an email from the president, and she’s going to give you instructions to conduct a very confidential transaction and you’re going to have to respond to whatever instructions she gives you’.”

Her accountant then received an email, apparently from Ms Gratzmuller’s account, telling her that Etna Industrie was buying a company in Cyprus.

The fraudsters put the accountant under an enormous amount of pressure in a very short space of time. She was first contacted at 9am which was followed in quick succession by ten emails and four more phone calls. In under three hours, the accountant tried to wire £372,000 to the cybercriminals’ bank accounts. The bank stopped three of the four transactions but £74,400 was still lost.

Credit: BBC

What happened to Ms Gratzmuller and her accountant is known as CEO fraud. £32m has been reported lost by British companies to similar operations, according to the City of London Police’s National Fraud Intelligence Bureau.

Glaswegian Feezan Hameed was sent to prison for 11 years for his part in a similar scam which cost businesses and consumers £113m, according to the Guardian. Pitman Blackstock Solicitors were taken for £2,260,625.89 after one of Hameed’s accomplices phoned up pretending to be Peter from Lloyds Bank. Another firm lost £750,000 the same way.

But CEO is only one threat of many you need to be concerned about…


The nature of the threat changes all the time however there are a few types of cybercrime scams that you should always be on the lookout for.


Email is 60 years old and it’s never been a secure technology since it was first launched to the public and to businesses. You can forge all sorts with email – including the manipulation of the “from email” and “from line” to make it look like a message was sent by someone else. Email spoofing was one of the techniques used when Ms Gratzmuller’s accountant was fooled by the cybercriminals.

Credit: Krebs on Security

Email spoofing, or phishing, is very successful. There has been a 65% growth in phishing over the last twelve months, according to PhishMe with 76% of all businesses stating that they had been targeted, reports Wombat.

The Webroot Threat Report stated that over 1.5m new phishing sites are created each month. What is a phishing scam? Let’s say that your company has an Amazon account. A phishing email purporting to be from Amazon is sent to you or one of your staff. It points to a fake Amazon site which has been put up with the sole purpose of discovering your corporate username and password.

Phishing attacks mainly occur by email but fraudsters also often use the telephone to perpetuate their scam.


Cybercriminals will often try to change the information held by government-related bodies, suppliers, and financial institutions about companies. The main reason for this is that they want to be able to set up new credit accounts for your business. They use these new credit accounts to purchase products which are then delivered to their address and not to yours. They get the goods, you get the bill. Others will take out loans or credit cards in your company name after successfully stealing your corporate identity.


A denial of service attack (sometimes called a DDOS) describes a situation where cybercriminals have control over a very large number of internet-connected devices which try to log onto your website at the same time. The sheer volume of requests will “crash” your website meaning that normal customers are unable to log on.

Towergate Insurance reports that 16% of UK firms have been the target of a DDOS attack. It’s big business – Forbes ran a story in April 2018 stating that the world largest “DDOS-For-Hire” business had been taken down after it had launched 6 million separate attacks on companies.


Threats from software come in three different forms – piracy, inherent vulnerabilities, and deprecation.

Deprecation is when a manufacturer stops providing updates for their software or for their software plug-ins. Microsoft stopped updating a plug-in called Silverlight back in 2014 – Silverlight was a streaming media plug-in which allowed you to listen to music or watch videos.CVE Details have listed 18 different security vulnerabilities in this plug-in which could leave your business at risk if not immediately addressed.

Sometimes, software you download to your IT system may have built-in vulnerabilities – Adobe Flash Player being perhaps the most famous example. CVE Details have listed over 1,000 problems with Adobe Flash Player – this is the main reason Apple don’t allow Flash Player to work on their platforms.

Buying pirated software is still surprisingly commonplace and the decision to do so is motivated by price. Pirated software works by disabling many of the security features inherent in a program – such as reporting back to the software vendor to check that this is a legitimate copy. Disabling the in-built security of a program is risky anyway but this risk is doubly compounded by the fact that many pirates choose to hide malware in their version of the software. And on the subject of malware…

Malware and viruses

Malware causes chaos with business computer systems. Malware is software that has been written with the specific purpose of damaging in some way a computer, a server, or a computer network.

Malware may:

  • slow down or crash your computer,
  • change your computer settings,
  • perform surveillance on your users (even sending back keystrokes and screenshots)
  • turn your computer into a spam-sending “dumb” terminal
  • threaten to destroy the data on your computer if you don’t pay a ransom
  • install a backdoor onto your computer allowing unauthorised users to install programs on your machines and network without your knowledge
  • interrupt your network’s connection to the internet
  • modify or delete your files

According to GData Software, a new malware program is created every 4.2 seconds.


Emerging threats that businesses are facing include:

  • data diddling (altering data on a computer system without authorisation)
  • password attacks (systematic remote attempts to hack into your system by high-speed automated password guessing)
  • man-in-the-middle attack (pretending to be someone else during an online exchange by intercepting an ongoing communication)
  • salami-slicing (small individual financial frauds repeated again and again)
  • internet-of-things hacking (breaking into a system through a weak point like a web cam or an onboard car computer)
  • cyber extortion (theft of sensitive or commercial valuable data which is then used to extort a ransom under threat of sale of the information to a competitor)


Cybercriminals are after your company data. But what can they do with it? They can:

  • manipulate your sales database to determine who your most affluent customers are to then sell that information on in the black market. The value of your data is at its highest in the first few days after it is stolen
  • steal any unencrypted debit or credit card information
  • use any details they find on an individual or a company which could then be used to change the information held by government or other authorities to take out loans or open credit card accounts
  • copy the usernames and passwords used on the websites of companies from which you buy online
  • steal commercially sensitive and valuable data (for example, that research and development project you might be working on)
  • discover the names of employees, managers, and board members in order to spoof their email details with the intention of committing fraud (for example, the CEO fraud mentioned earlier in this article or conveyancing fraud where a scammer will pose as a solicitor and then instruct you to transfer your house deposit money into their bank account)

Fidus Information security works with clients in the finance, B2B, technology, insurance, industrial, Government, education, online, public services, legal, and accounting sectors. Each one of these organisations stores valuable personal data on their IT systems that someone else wants.

Data, in the hands of a person who knows what they’re doing with it, has a tremendous market value. It doesn’t matter what line of business you’re in – the data that you have on the companies and people who buy goods and services from you will be worth a great deal to someone with dishonest intentions. And those people are as likely to be your employees as they are a hacker from the other side of the world.


Cybersecurity within a company or organisation are the steps that it takes to minimise the risk of becoming a victim of cybercrime. For the most effective protection, you need your cybersecurity plan to include and involve both your systems and your people.


There are three main risks to your business if you are cybersecure – reputational, financial, and legal.

The reputational damage you could suffer as the result of a data breach caused by a lack of a coherent cybersecurity policy could be catastrophic. 46% of UK businessessuffered a serious data loss or breach in 2016. 60% of SMEs close permanently following a data breach or an incidence of data theft within 6 months.

Would your customers ever be able to trust you again? Would you trust a company whose lack of cybersecurity compromised your financial situation or put you at risk of identity theft? The chances are that most people would want to put their business with someone else.

There is also a significant legal threat to your business. The number of claims for data privacy breaches has been rising in recent years as has the level of compensation awarded, according to Brabners Solicitors. Claimants now can successfully sue if there was no financial loss but that the breach caused personal distress.

William Egglestone of Brabners Solicitors believes that “there is speculation surrounding the potential for large-scale ‘class action’ style claims where data security breaches affect a large number of individuals…A collective action regime may be rolled out or extended to cover data protection, whereby all affected individuals are automatically part of the ‘class’ of people bringing the action unless they choose to opt out.”


On May 25th 2018, the General Data Protection Regulations (GDPR) came into force. The GDPR replace the Data Protection Act (1998) in the UK and they will have force of law in all 28 EU countries. When Britain leaves the EU, the GDPR will be enshrined into English and Scottish law.

If your business is attacked and it suffers a data loss, the GDPR will require that you not only inform the Information Commissioner’s Office (ICO) but also every single individual whose “rights and freedoms”  may have been affected by the breach. Once you become aware of the breach, you must do all this within 72 hours (if feasible). If you fail to notify either the ICO or the individuals affected, this can “result in a significant fine up to 10 million euros or 2 percent of your global turnover. This fine can be combined with the ICO’s other corrective powers under Article 58.”

So, what we know is that one big data breach could result in a loss of customer confidence and trust, a class action law suit bought by those people who were affected by the breach (even if there was no monetary loss on their part), an ICO inspection of your IT system and your overall cybersecurity system, and a crippling fine if you do not report the breach to the ICO and the users in good time.

As William Egglestone of Brabners Solicitors put it, “(t)he GDPR represents a tipping of the balance of data protection law, favouring the protection of the individual over the commercial needs of businesses”.

So how do you get ready for it?


As a business owner, a board level member, or a senior manager, becoming cybersecure as a organisation requires a proactive and positive decision from the very top, followed by a plan for everyone involved to follow, and a determination to see it through.

You can be cybersecure within weeks. First, understand what it is that you need to do to become cybersecure and GDPR-compliant.

Make sure that there is someone who is leading the discussion at the highest level in your business and that that person has a decent base level of knowledge in computer security and database management. If there is no such person within your company, please appoint an outside specialist without delay to sit in on the meetings.

Once a plan is in place, agree a timescale over which the work is done, setting out certain benchmarks that need to be achieved within a certain time. Hold additional board meetings to make sure that targets are being met and the required outcomes are being achieved.

At the same time, start preparing training materials for staff so that they will be aware of what they need to look out for. After all, a serious threat to the viability of the business caused by a catastrophic data breach is as much of a threat to their livelihood as it is yours.


Your internal computer network may have developed into what it is today over tens or hundreds of small incremental steps over a long time. Everything that is installed on it and everything it connects to presents a potential vulnerability.

Plan to make your IT network as simple as possible. Only have on it or connected to it what it needs to function. Make an inventory of every piece of software and every software plug-in that is on the network or on individual terminals. Get rid of the programs you don’t need. If there are programs you are still using that the software provider has deprecated, look for a replacement program where updates are still offered by the vendor.

If you do not have one installed already, consider a firewall – this protects your network constantly detecting attempts to get into your system from outside.

Use the cloud to back-up your data frequently. Remember the NHS Wannacry attack which threatened to wipe computers and networks if a ransom was not paid? That attack affected hundreds of thousands of businesses, organisations, and individuals around the world. If you use a cloud back-up, everything your business needs to function is safely stored and retrievable from your cloud provider.


The GDPR requires that you collect and hold all personal data for “legitimate, explicit and specified” reasons. You must process personal data “fairly, lawfully, and transparently” and you must only keep data with is “relevant” and “adequate” for that processing.

Decide on the data you absolutely need for each customer on a departmental level. Only give operatives access to the information they need to assist a customer, not information they don’t. In 2014, a Ponemon Institute survey of 2,300 US and European employees discovered that 71% of respondents believed that they were “granted excessive access to company data they should not be able to see”. The GDPR has been designed to stop this from happening and allowing employees to see more information on a person than they need to do their job will be an offence under the regulations.


Encryption programs scramble your data so that it’s unreadable and unusable to anyone who doesn’t have the “key” to decrypt it.

If members of staff communicate by email internally or with the outside, it’s easy to secure the contents of your email using encryption programs which mean that, even if your staff member’s email was intercepted, the hacker could not read it.

When your network is backing up company data to the cloud, please make it part of your plan that encryption is used on these uploads.


Many companies deploy an Intrusion Detection System (IDS) as part of the cybersecurity policy. What this does is to examine your WiFi, your host-based systems, and your IT network as a whole for unusual behaviour and for signs of a known attack.

An IDS alerts you when there are large and unexpected outbound transfers of large amounts of data – a strong sign of a security breach or a theft in progress. The system will inform you of which user’s terminal the transfer originated from.

Many IDS systems are now run with machine learning and artificial intelligence approaches built in. It will start to learn how your network and all the terminals attached to it use data. In the early days of the deployment of your IDS system, you will receive some false positives indicating that an attack or breach is underway when it is not. However, as the systems continue to monitor data usage, it will report far fewer incidents as time goes on particularly with the additional information inputted by your users telling the system that an incident was not an attack when it indicated it wasn’t you.

You will also need to make your WiFi connections as secure as possible. This is particularly so in the light that Belgian researchers “broker” the WPA2 protocol used by the vast majority of WiFi connections (according to the Guardian). The author of the report, Mathy Vanhoef, told the paper that “Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted…This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.

The use of secure passwords to access your computer network or your cloud back-up will stop many attacks. For those that it does not stop, the method of encryption you use will prevent a cybercriminal from accessing the contents of sensitive files.

Despite the fact that the encryption will prevent any real damage being caused in the case of an individual file interception, the real value of strong passwords is in preventing a dishonest and unauthorised user from using the techniques he or she uses to hack into your system to grant themselves administrator rights. If a cybercriminal managers to authorise themselves as an administrator, your entire system, encryption of not, is in danger of being controlled completely by someone who has malicious intent.


The way that your staff use the internet and their email will need to be controlled and monitored as part of your approach to corporate cybersecurity. You should make clear to your employees what the company policy is for the types of website that are acceptable and unacceptable to visit (you may want to have a separate list for staff on breaks).

Your staff may be asked to download attachments from an email they receive or from a website. Put together a list of authorised programs, apps, or functions that can be installed on a user’s terminal. Make sure that you have an anti-virus and anti-malware service running on each terminal and on the network which informs users of a potentially dangerous download – if such a message pops up, train your staff about the person they need to report this to before deciding on a course of action.

Users may also upload files via email and to internet sites. Let your staff know what they can upload and what’s forbidden (product schematics and diagrams, customer databases, sales payment details, and so on).

Make clear beyond doubt what you consider sensitive company intellectual and database property to be and insist that, prior to uploading or transferring to someone else (even within your company), your employee gets the necessary authorisation to do so.


Be certain to make your mobile devices (including smartphones and tablets) as secure as possible by using strong passwords for access to the use of encryption when a device which is outside the office wants to access or manipulate data on your internal network or your cloud services. For laptop computers, it is easy to find and install downloads that will encrypt a hard drive in case the laptop is lost or stolen.

There has been a growing trend towards a “Bring Your Own Device” (BYOD) culture in many companies and organisations. There is inherent risk to storing company data on property which is not owned by your company and many cybersecurity experts would strongly caution you about the wisdom of a BYOD policy. If you already have a BYOD policy and you want to keep it, or you’re thinking about introducing it into your company, make sure that the data on an employee’s device is encrypted and that, when connecting to your network or cloud, all communications are encrypted too.


Do you allow staff to download sensitive company data onto a CD-ROM or a memory stick? Many cybersecurity experts do not think that allowing removable media on your system will assist you in protecting your data and the distribution of your data. This is because one of the most vulnerable areas of cybersecurity policy comes from…


Sometimes the biggest threats come from rogue employees. Data theft is occurring more and more from British companies. The number of cases which reached the High Court in the UK increased by 25% in one year. In the Telegraph, Felix Dodd, senior solicitor at commercial law firm EMW stated that “the figure is rising rapidly as data theft becomes easier to carry out.”

“Businesses most at risk are those in the technology or financial services sectors, where staff members can steal proprietary algorithms, as well as those that are heavily reliant on client relationships such as recruitment or estate agents.”

Mr Dodd also stated that many companies now ban their staff from sending work emails to their personal accounts and some disable functionality on their employees’ smartphones to prevent unauthorised data transfer.

Malicious insider attacks, whether stealing trade secrets or company data, are on average far more costly than outside attacks. Internal threats can often be severely overlooked especially in rapidly growing organizations with no systems in place to prevent them.


Once you have reached the end of your company plan to make your systems cybersecure, now it’s the time to make your people cybersecure.

Take care to communicate with staff on an ongoing basis things they should look out for. Reward and incentivise staff who are proactive in helping the company.

It may be worth doing regular testing to look for gaps in knowledge in individual employees. Where those gaps exist, you should introduce top-up training for those staff members.



Drone Forensics Gets a Boost With New Data on NIST Website

How do you extract forensic data from an aerial drone? Very carefully.

Aerial drones might someday deliver online purchases to your home. But in some prisons, drone delivery is already a thing. Drones have been spotted flying drugs cell phones and other contraband over prison walls, and in several cases, drug traffickers have used drones to ferry narcotics across the border.

If those drones are captured, investigators will try to extract data from them that might point to a suspect. But there are many types of drones, each with its own quirks, and that can make data extraction tricky. It would help if investigators could instantly conjure another drone of the same type to practice on first, and while that may not be possible, they can now do the next best thing: download a “forensic image” of that type of drone.

A forensic image is a complete data extraction from a digital device, and NIST maintains a repository of images made from personal computers, mobile phones, tablets, hard drives and other storage media. The images in NIST’s Computer Forensic Reference Datasets, or CFReDS, contain simulated digital evidence and are available to download for free. Recently, NIST opened a new section of CFReDS dedicated to drones, where forensic experts can find images of 14 popular makes and models, a number that is expected to grow to 30 by December 2018.

“The drone images will allow investigators to do a dry run before working on high-profile cases,” said Barbara Guttman, manager of digital forensic research at NIST. “You don’t want to practice on evidence.”

The drone images were created by VTO Labs, a Colorado-based digital forensics and cybersecurity firm. NIST added the images to CFReDS because that website is well-known within the digital forensics community. “Listing the drone images there is the fastest way to get them out to experts in the field,” Guttman said.

Work on the drone images began in May of last year, when VTO Labs received a contract from the Department of Homeland Security’s (DHS) Science and Technology Directorate.

“When we proposed this project, there was little existing research in this space,” said Steve Watson, chief technology officer at VTO. The drone research was needed not only to combat drug smuggling, but also to allow officials to respond more quickly should a drone ever be used as a weapon inside the United States.

For each make and model of drone he studied for this DHS-funded project, Watson purchased three and flew them until they accumulated a baseline of data. He then extracted data from one while leaving it intact. He disassembled a second and extracted data from its circuit board and onboard cameras. With the third, he removed all the chips and extracted data from them directly. He also disassembled and extracted data from the pilot controls and other remotely connected devices.

“The forensic images contain all the 1s and 0s we recovered from each model,” Watson said. The images were created using industry standard data formats so that investigators can connect to them using forensic software tools and inspect their contents. The images for each model also come with step-by-step, photo-illustrated teardown instructions.

Watson was able to retrieve serial numbers, flight paths, launch and landing locations, photos and videos. On one model, he found a database that stores a user’s credit card information.

Investigators can use the images to practice recovering data, including deleted files. Universities and forensic labs can use them for training, proficiency testing and research. And application developers can use the images to test their software. “If you’re writing tools for drone forensics, you need a lot of drones to test them on,” Guttman said.

A description of the drone images and instructions for accessing them are available on the new drones section of the CFReDS website.



Cofense launches new cloud security service, CloudSeeker, to address security risks around shadow IT

Cofensehas announced its new free cloud discovery utility –  CloudSeeker. The tool helps organisations understand what SaaS applications are in use by an organisation – sanctioned or not – and allows them to identify configured cloud services. CloudSeeker can shine a light on which cloud properties an attacker may impersonate to increase authenticity of phishing attacks.

CloudSeeker is a tool that a network defender can use to determine if their corporate domain has been used to configure SaaS applications. The corporate domain is entered into CloudSeeker and that domain is tested across a catalogue of common SaaS applications. The results of that query delivers the visibility into the cloud services configured for a corporate domain, highlighting applications that are in use but may not have been provisioned with IT’s knowledge. Output is placed into a file that can be compared against future scans to identify changes.

“With Gartner observing shadow IT amounts to between 30 and 40 percent of total IT spend, it highlights just how in the dark enterprises can be to the types of business emails their staff will be receiving and a large portion of this will be dominated by SaaS providers,” said Aaron Higbee, co-founder and CTO of Cofense. “CEO fraud or Business Email Compromise (BEC) is a very real threat that typically targets members in finance.  But attackers can easily repurpose the technique creating realistic phishing sites targeting HR, IT, Engineering, Support, etc… masquerading as cloud tools the organisation actually uses.”

It only takes a few guesses as to what shadow IT may be in use and a fraudulent login page on what appears to be a SaaS website for a cybercriminal to convince an employee to hand over their log in details or click a compromised link that grants the hacker access to the corporate network.

“CloudSeeker shines a light on shadow IT and counters the security risk it presents by seamlessly fitting into an organisation’s broader security ecosystem. By offering this free solution to businesses, we are levelling up the playing field between attackers and would-be victims. After all, putting up a good defence requires a strong offense, critical to this is knowing where the threats are in the first place,” concludes Higbee.

Cofense CloudSeeker is the first free cloud security tool of its kind that performs this service without collecting any personally identifiable information, requires no credentials to operate and complements Cofense’s Human Phishing Defence Solution. As part of this, Cofense PhishMe and Cofense Reporter turn all employees into a human phishing defence, and Cofense Triage and Cofense Intelligence strengthen the organisation’s ability to quickly identify and respond to phishing attacks in progress.



DHS Releases Its Cybersecurity Strategy

The U.S. Department of Homeland Security (DHS or Department) has released its Cybersecurity Strategy and an associated Fact Sheet. According to DHS, “the strategy outlines a guiding framework for the Department and the homeland security enterprise to manage growing national cybersecurity risks.” The DHS Cyber Strategy document was mandated by the 2017 National Defense Authorization Act (NDAA). In April, the White House submitted a classified cyber policy report to select congressional committees, outlining aspects of a broader U.S. government approach to cyber. This broader document has yet to be released.

DHS Secretary Nielsen stated that “DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy. In an age of brand-name breaches, we must think beyond the defense of specific assets—and confront systemic risks that affect everyone from tech giants to homeowners.” To address these risks, “a core guiding principle underlying the DHS strategy approach is collaboration across the cybersecurity community, including with our partners in the federal government, state and local governments, industry, and the international community.”

DHS’s role in national cybersecurity policy is becoming increasingly important. Likewise, the Department is increasing its engagement with and expectations for the private sector. At a Department level, DHS interfaces with most (and regulates some) U.S.-based “Critical Infrastructure” owners and operators, facilitates information sharing programs, publishes vulnerability alerts, and assists with incident response. Various DHS divisions and agencies are closely involved in digital forensics, domestic and international law enforcement investigations, and cybersecurity policy more broadly.

DHS Cybersecurity Strategy

The DHS Strategy sets out five foundational “pillars” and seven cybersecurity “goals.” These are:

  • Pillar I – Risk Identification
    • Goal 1: Assess Evolving Cybersecurity Risks. We will understand the evolving national cybersecurity risk posture to inform and prioritize risk management activities.
  • Pillar II – Vulnerability Reduction
    • Goal 2: Protect Federal Government Information Systems. We will reduce vulnerabilities of federal agencies to ensure they achieve an adequate level of cybersecurity.
    • Goal 3: Protect Critical Infrastructure. We will partner with key stakeholders to ensure that national cybersecurity risks are adequately managed.
  • Pillar III – Threat Reduction
    • Goal 4: Prevent and Disrupt Criminal Use of Cyberspace. We will reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals.
  • Pillar IV – Consequence Mitigation
    • Goal 5: Respond Effectively to Cyber Incidents. We will minimize consequences from potentially significant cyber incidents through coordinated community-wide response efforts.
  • Pillar V – Enable Cybersecurity Outcomes
    • Goal 6: Strengthen the Security and Reliability of the Cyber Ecosystem. We will support policies and activities that enable improved global cybersecurity risk management.
    • Goal 7: Improve Management of DHS Cybersecurity Activities. We will execute our departmental cybersecurity efforts in an integrated and prioritized way.

Key Takeaways for the Private Sector

Increased Private Sector Engagement and Expectations. In its vision statement, the Strategy outlines broader engagement with the private sector. By 2023, DHS will “foster a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.” One of the Department’s core “guiding principles” is collaboration with key stakeholders. “The growth and development of the Internet has been primarily driven by the private sector and the security of cyberspace is an inherently cross-cutting challenge. To accomplish our cybersecurity goals, we must work in a collaborative manner across our Components and with other federal and nonfederal partners.”

Under Pillar II Goal 3, the Department cites its authority to “engage broadly with federal and nonfederal entities to collaboratively address cybersecurity risks.” “DHS must partner with key stakeholders, including … the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts.” And DHS “must deepen technical collaboration across all the sectors and with other key nonfederal entities on risk mitigation efforts.”

DHS may also rely on its regulatory authorities in some sectors. In order to prevent the disruption of essential services from cyber incidents, “DHS must … smartly leverage its regulatory authorities in tailored ways, and engage with other agencies to ensure that their policies and efforts are informed by cybersecurity risks and aligned to national objectives to address critical cybersecurity gaps.” The Department also aims to improve its “outreach to critical infrastructure owners and operators, service providers, and other key enablers of risk management activity.”

Connected Devices and IoT. The document outlines the cyber threat environment underscoring that technological advances have increased the risk surface, specifically addressing Internet-connected devices and the Internet of Things (IoT). “Substantial growth in Internet access, use of Internet-enabled devices, and the availability of high speed information technology systems and large datasets have facilitated productivity, efficiencies, and capabilities across all major industries. The proliferation of technology also presents new cybersecurity challenges and leads to significant national risks. More than 20 billion devices are expected to be connected to the Internet by 2020. The risks introduced by the growing number and variety of such devices are substantial.” DHS emphasizes the need to mitigate potential risks of connected devices’ software and hardware components and seeks to expand its work mitigating supply chain risks, as discussed in more detail below.

Enhanced Information Sharing. A primary objective of the Strategy is for DHS to “build on and expand automated mechanisms to receive, analyze, and share cyber threat indicators, defensive measures, and other cybersecurity information with critical infrastructure and other key stakeholders.” The Department recognizes the need to improve its analytic capabilities and enhance the quantity and quality of information shared to increase the value of information sharing programs. “We must identify and address barriers to sharing information with the U.S. Government.”DHS also acknowledges the need “to rapidly declassify cyber threat[s] and associated contextual information” to enhance its information sharing efforts.

A More Global Approach. DHS recognizes that no one entity or nation can address cybersecurity on its own, noting that, “[r]obust international engagement and collaboration is required to accomplish our national cybersecurity goals. DHS must engage internationally to manage global cyber risks, respond to worldwide incidents, and disrupt growing transnational cyber threats as well as encourage other nations and foreign entities to adopt the policies necessary to create an open, interoperable, secure, and reliable Internet.”

Closer Sector Relationships and Heightened Incident Reporting. DHS states that it “plays a unique role” in responding to “significant cyber incidents in close coordination with the Department of Justice and other federal agencies. In our role as asset responder, DHS must enhance capabilities to protect entities from additional harm following an incident, reduce the risk to others, safeguard sensitive personal and business information, and coordinate responses to significant incidents. As part of the law enforcement community, DHS must investigate incidents and be prepared to identify and counteract immediate cyber threats.”

With this role in mind, the Department seeks to increase voluntary incident reporting and victim notification by building trusted relationships. “DHS must encourage the reporting of incidents, and work with other incident responders to develop consistent processes for notifying potential victims of cyber incidents.” According to DHS, “[e]ncouraging a culture of reporting, notification, and information sharing will increase the security and resilience of critical infrastructure, help prevent, counter, and disrupt illicit cyber actors, and enable the government to assess and potentially manage responses to incidents of unknown severity.”

Fostering More Resilient Networks and Securing the Supply Chain. DHS seeks to shift the “status quo” to improve security and resiliency. Noting that nearly all cyber incidents “involve exploitation of vulnerabilities or misconfigurations in software or hardware,” DHS notes that “network operators are also increasingly dependent on vendors of commercial off-the-shelf products or integrators of commercially available products, and lack the capability to effectively manage supply chain risks.” DHS states that “continued globalization of the information technology supply chain and shifting of information and services to cloud or other shared infrastructure introduces additional risks. As Internet-connected and other new technologies rapidly proliferate, the number of attack vectors also increases. Developers and manufacturers of many internet-of-things and other consumer devices are frequently motivated by speed to market rather than strong security. Even specialized technologies, like medical devices and industrial control systems, remain susceptible to compromise.”

To foster greater security, “DHS must partner with information technology, communications, cybersecurity services, and other communities to incentivize security and enable cybersecurity outcomes such as minimizing vulnerabilities and addressing supply chain risks … and encourage improved security for cloud infrastructure and throughout the life-cycle of internet-of-things devices and emerging technologies.” To do this, DHS plans to leverage its security expertise and support relevant standards-setting efforts.


The DHS Cybersecurity Strategy presents a vision for an expanding role of the Department in cyberspace. Core objectives include increased engagement and collaboration with and from critical infrastructure operators. There is a particular emphasis on partnering with network operators and connected-device manufacturers and developers to minimize vulnerabilities and address risk.



BT Joins Forces with EUROPOL to Build a Safer Cyber Space

BT has signed a Memorandum of Understanding (MoU) with Europol to share knowledge about major cyber threats and attacks, as the two organisations reinforce their efforts to create a safer cyber space for citizens, businesses and governments.

The agreement, which was signed at Europol’s Headquarters in The Hague in the Netherlands, provides a framework for BT and Europol to exchange threat intelligence data as well as information relating to cyber security trends, technical expertise and industry best practice.

Steven Wilson, Head of Business, European Cybercrime Centre (EC3), said: “The signing of this Memorandum of Understanding between Europol and BT will improve our capabilities and increase our effectiveness in preventing, prosecuting and disrupting cybercrime. Working co-operation of this type between Europol and industry is the most effective way in which we can hope to secure cyberspace for European citizens and businesses. I am confident that the high level of expertise that BT bring will result in a significant benefit to our Europe wide investigations.”

Kevin Brown, VP, BT Security Threat Intelligence, said: “As one of the world’s largest cyber security businesses, we at BT have long held the view that co-ordinated, cross border collaboration is key to stemming the global cyber-crime epidemic. “We’re working with other law enforcement agencies in a similar vein to better share cyber security intelligence, expertise and best practice to help them expose and take action against the organised gangs of cyber criminals lurking in the dark corners of the web. The signing of today’s accord with Europol sees BT take another significant step forward in making the internet a safer place for consumers, businesses and public sector bodies in the UK, Europe and beyond.”

BT is committed to sharing its threat intelligence data with industry partners and law enforcement agencies such as Europol in a secure and trusted way, as a means of better protecting UK and global customers from the rapidly expanding cyber-crime industry. Earlier this year, it became the first telecommunications provider in the world to start sharing information about malicious software and websites on a large scale with other ISPs via a free online portal – the Malware Information Sharing Platform (MISP). Since the platform was launched, BT’s worldwide team of more than 2,500 cyber security experts have so far helped to identify and shared the details of more than 200,000 malicious domains. The recipients of BT’s threat intelligence data have then able to take the appropriate course of action to protect their customers and stakeholders against the specific threats identified.

Europol created the European Cybercrime Centre (EC3) in 2013 to strengthen the law enforcement response to cybercrime in the EU in a bid to better protect EU citizens, businesses and governments from online crime. It also operates the Joint Cybercrime Action Taskforce (J-CAT), which aims to drive intelligence led, co-ordinated action against key cybercrime threats and targets by facilitating the joint identification, prioritisation, preparation and initiation of cross-border investigations and operations by its partners.



EU budget: €181 million to strengthen the fight against fraud affecting the EU budget

For the next long-term EU budget 2021-2027, the Commission proposes to make €181
million available to support Member States’ efforts to fight fraud, corruption and other
irregularities affecting the EU budget.

The new EU Anti-Fraud Programme will finance targeted training and the exchange of
information and best practice between anti-fraud enforcers across Europe. It will also
provide support for investigative activities through the purchase of technical equipment
used in detecting and investigating fraud, as well as facilitate access to secure information

“The new EU Anti-Fraud Programme will make a tangible contribution to boosting the fight against
fraud and corruption to the detriment of the EU budget. Reinforcing cooperation between Member
States enforcers and providing them with state of the art investigative tools can make all the difference
in identifying fraudsters, stopping smugglers, or preventing corruption in procurement procedures” said
GüntherH. Oettinger, European Commissioner for Budget and Human Resources.

The new Programme will replace the Hercule III Programme which has already had a positive impact
on the fight against fraud affecting the EU budget at national and local level in recent years. Examples
of successful projects include the funding of digital forensic equipment that has proven essential in
allowing French customs stay ahead of the game in customs operations targeting smuggling and the
evasion of VAT duties in 2016.

The funds to be made available under the new EU Anti-Fraud Programme will finance similar projects,
as well as training and expert conferences that will foster information exchange and transnational
cooperation. The Programme will also support the joint investigative efforts of Member States’ customs
authorities, since such joint operations are key in dismantling criminal networks operating across
borders. The Programme is expected to bring significant added-value by complementing and
supporting national efforts to counter fraud and corruption.

In addition to activities previously funded under the Hercule III Programme, the new EU Anti-Fraud
Programme will provide support for operational and investigative activities, including through the
provision of secure IT systems, and facilitate irregularity reporting by Member States and risk
management at national level. The Programme will be managed and implemented by the European
Anti-Fraud Office, OLAF.

This proposal related to the new EU Anti-Fraud Programme is part of the Commission’s proposal for
the next long-term EU budget adopted by the Commission on 2 May 2018.

The action to safeguard the Union’s financial interests through the new reinforced and streamlined
funding programme, forms part of a wider approach pursuing the same objective. The next long-term
EU budget will be implemented against the background of significant changes in the legislative and
institutional framework for the protection of the Union’s financial interests.

Next steps

A swift agreement on the overall long-term EU budget and its sectoral proposals is essential to ensure
that EU funds start delivering results on the ground as soon as possible.
Delays similar to the ones experienced at the beginning of the current 2014-2020 budgetary period
would mean that important investigative and forensic equipment could not be bought and less support
would be available for Member States enforcers. This would have a negative impact on the fight
against fraud, at the expense of EU taxpayers.

An agreement on the next long-term budget in 2019 would provide for a seamless transition between
the current long-term budget (2014-2020) and the new one and would ensure predictability and
continuity of funding to the benefit of all.




Atlantic Council’s Digital Forensic Research Lab Partners with Facebook to Combat Disinformation in Democratic Elections

The Atlantic Council’s Digital Forensic Research Lab (@DFRLab) announced a partnership with Facebook to independently monitor disinformation and other vulnerabilities in elections around the world. The effort is part of an initiative to help provide credible research about the role of social media in elections, as well as democracy more generally.

The Digital Forensic Research Lab is launching a partnership with Facebook to support the world’s largest community in its efforts to strengthen democracy – aiming to ensure that tools designed to bring us closer together aren’t used to instead drive us further apart,” said Atlantic Council President and CEO Fred Kempe. “Through the innovative work of the Digital Forensic Research Lab, we are building a digital solidarity movement, a community driven by a shared commitment to protect democracy and advance truth across the globe. This partnership is a crucial step towards forging digital resilience.

As the dangers that disinformation in the social media landscape poses to democracy have become increasingly apparent, Facebook is taking measures to remove fake accounts, increase transparency in advertising, reduce the spread of false news and disinformation, and combat foreign interference in elections on its platform. Another important step is Facebook’s efforts to facilitate independent and objective research on social media’s impact on elections, more generally.

Facebook is investing heavily to prevent our service from being abused during elections. That includes more actively working with outside experts, governments and other companies because we know that we can’t solve these challenges on our own,” said Katie Harbath, Facebook’s Global Politics and Government Director. “This partnership will help our security, policy and product teams get real-time insights and updates on emerging threats and disinformation campaigns from around the world. It will also increase the number of ‘eyes and ears’ we have working to spot potential abuse on our service – enabling us to more effectively identify gaps in our systems, preempt obstacles, and ensure that Facebook plays a positive role during elections all around the world.

The Atlantic Council and Facebook’s partnership will promote and supplement @DFRLab’s existing #ElectionWatch efforts and allow for greater capacity building with journalists and civil society to incorporate similar methods into their own work.

The @DFRLab is at the forefront of open source research with a focus on governance, technology, security, and where each intersect. By publishing what it can prove, or disprove, in real-time, the @DFRLab is creating a new model of research and education adapted for impact, as well as building a global network of #DigitalSherlocks. The @DFRLab remains committed to identifying, exposing, and explaining disinformation where and when it exists.

More details about the partnership are available from @DFRLab and Facebook.