Entire US school district shutdown due to ransomware attack- Comment

It has been reported that a ransomware attack hitting Las Cruces Public Schools has forced the district to shut down the entire computer system to contain the infection. Exchanging information with schools is impaired as email and other forms of computer-based communication is no longer possible at this moment. The district activated the crisis response team and is working to restore critical services. It is unclear at this point how long the systems will be down.

Full story here: https://www.bleepingcomputer.com/news/security/ransomware-attack-causes-school-district-wide-shutdown/

Commenting on the story is Javvad Malik, security awareness advocate at KnowBe4:

In recent months, we’ve seen an increase in ransomware attacks which have been targeting specific sectors such as schools and government departments. This is a shrewd move by criminals who know that these are vital services that cannot afford prolonged outages, and can access funds to pay ransom if need be. 

It is vitally important for organisations to develop robust plans to prevent ransomware, and have effective recovery controls to bring systems back online in the event that ransomware does infect systems. In many cases, phishing remains one of the main root causes for ransomware, so it’s important that companies, in addition to technical controls, educate staff and all users on the dangers of phishing, and how to spot and report suspicious emails. 

 

Only through a coordinated and comprehensive strategy can companies expect to stem the ongoing tide of security threats.”

 

(59)

Share

2,000 Georgia websites hacked in cyber-attacks- Comment

It has been reported that some 2,000 websites in Georgia, including those of the president, courts, and media were hacked in a massive cyber-attack today. They displayed a photo of Georgia’s exiled former president Mikheil Saakashvili with an inscription “I’ll be back!”

Interpress said the website for Georgia’s general jurisdiction courts as well as websites of a number of government agencies, NGOs and media outlets were also hit by cyber-attacks. The attack also affected servers of Georgia’s two major broadcasters, Maestro and Imedi TV, temporarily sending the television stations off the air.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said The cyber-attacks in Georgia demonstrate once again the shaky infrastructure upon which so much of our world is built. We use software to do business, to run government, and to communicate. Software is critical infrastructure, but the functionality we’ve assembled has far outpaced our ability to make it secure and resilient. Such a coordinated, widespread attack almost certainly is the work of another nation state, and is likely intended to promote the attacker’s geopolitical agenda.

 

“While defence against a well-resourced tsunami of attacks is very challenging, the entire software ecosystem is evolving to a state where mounting such attacks will become increasingly difficult. Organisations worldwide are understanding that a security-first approach to software development, and a growing awareness of the complex supply chain of software is helping to make software that is safer, more secure, and more resilient.”

 

(40)

Share

American Cancer Society’s online store infected with credit card stealing malware- Comment

News broke yesterday evening that The American Cancer Society’s online store has become the latest victim of credit card stealing malware. A security researcher found the malware on the organisation’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page. The attackers, known as Magecart, use their stolen credit card numbers to sell on the dark web or use the numbers for committing fraud.

Commenting on this, Sam Curry, chief security officer at Cybereason, said The hackers have a machine that is ready to grind up identities, and they will point it at the industries, countries, and organisations that give them the fastest path to the most money with the least cost and risk. Not-for-profit organisations often have the least resources for support functions, like security, and in the old days of hacking were considered inappropriate targets. Once upon a time, hackers didn’t attack “muggles,” to borrow from JK Rowling’s Harry Potter lexicon. Not so anymore with the almighty dollar dominating the dark side. Everyone can have vulnerabilities and weaknesses, but the American Cancer Society breach should be a wake-up call to everyone: if you aren’t improving your security posture and hygiene constantly, it’s a question of when, not if, the great credit card fraud machinery of organised cybercrime comes for you.”

Jonathan Knudsen, senior security strategist at Synopsys, added “The sabotage of the American Cancer Society shows that no organisation is immune from challenges of cybersecurity. Every organisation has something of value. Cybersecurity is all about finding the balance between that value and the effort required to steal or attack it. The goal is to make the cost of an attack greater than the value that can be stolen. Cyber-attacks are particularly popular because the risks are low, the level of effort is often low, and rewards are high. The best thing defenders can do is ratchet up the level of effort for an attack to the point where potential attackers turn their attention elsewhere.”

(80)

Share

UniCredit unveils data breach involving 3 million Italian clients- Comment

According to reports, UniCredit has uncovered a data breach involving the personal records of 3 million domestic clients, it said on Monday, the third security incident at Italy’s top bank in recent years.

Commenting on this, Rosemary O’Neill, director – customer delivery at NuData Security, a Mastercard company, said “All customer information is valuable to fraudsters, even if it doesn’t include financial information such as bank account details or credit and debit card numbers. Personal information, combined with other user data from other breaches and social media, builds a complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Every hack has a snowball effect that far outlasts the initial breach.

The bank has been taking steps to improve its security since its previous breaches, but bad actors still found a gap they capitalised for this last attack. It is positive to know that the institution is working fast on a new business plan by early December that hopefully includes technologies that protect from a broader range of attacks. However, they should also work on improving their user verification framework to prevent this breach from affecting their existing customers through account takeover attacks.

 

“We must change the current equation of “breach = fraud” by changing how companies think about online user verification; the key is to make the stolen data valueless. Companies can use technologies that detect when a user account is taken over by an impostor with the stolen credentials. Most of the time, the data is used on automated attacks that good bot-detection can detect, but a portion of the attacks still happen manually, making it challenging for companies to discern who is behind the device. This is why technologies that look at inherent user patterns like passive biometrics are providing confidence after a breach happens. If a customer has the right information but is behaving unusually, passive biometrics and behavioural technologies can detect this, thwarting the fraud attempt. The balance of power will return to customer protection when more companies implement such technologies.”

 

Jelle Wieringa, technical evangelist at KnowBe4, added “The incident at UniCredit shows that spending money alone isn’t enough to safeguard an organization from data breaches. After the breach in 2016, the bank invested an additional Euro 2.4bn in its security. That is an awful lot of money to spend only to find out it wasn’t enough to stop the bad guys from getting in and stealing information. Now there  isn’t very much known about the way the breach took place, but there is still a lesson which can be learned from this. Even at this early stage.

“Spending money in itself isn’t enough. You need to spend it wisely. Especially in cybersecurity, where the amount of ways an attacker can get to you are huge and budgets for an average organization are finite. Spend it where it will matter most, where you get the best bang for your buck (or in this case Euro..). Around 91% of all successful data breach hes happen through the use of Social Engineering. They manipulate the human to gain entry to what they want. This is by far more than any other type of attack. This means that if you want to spend your money wisely, think about securing the human factor of your organization. You still need to spend money on a solid perimeter defense, and a up-to-date monitoring system such as a a SIEM. But forgetting about the human factor is like locking all the doors on your house, but leaving all the windows wide open.

“And the most efficient way to safeguard the human factor is by training them what is wrong and how they can make smarter security decisions. teach them, through proper security awareness training, to recognize when someone is trying to get confidential information from them. Also, teach users the value of information. In this instance, a file from 2015 was stolen. Under GDPR, itt still counts as a data breach, since probably most of the data in their is still valid. People tend to forget the value of data over time. especially if they are confronted with large amounts of it every day. information fatigue is a real thing. In this case, training the users the value of data wouldn’t have been enough. They would take it in, and forget it after a while. That is why User Awareness training should always be a continuous process. This way, we keep the things that matter top of mind.”

(66)

Share

Sixth June Fashion Site Hacked to Steal Credit Cards- Comment

It has been reported that French fashion online store Sixth June is offering shoppers more than the latest in apparel as the site was infected with code that steals payment card info at checkout. These types of scripts as MageCart because they initially targeted sites using the Magento e-commerce platform. They are also called e-skimmers because they collect data from a card when it is used for online purchases. Similar to the physical skimmers copying card data when used at an ATM to withdraw cash, an e-skimmer reads and stores the info from the checkout page and sends it to the attacker.

Commenting on this, Yossi Naar, Co-founder and Chief Visionary Officer at Cybereason, said “The Sixth June breach is a stark reminder that no matter how much money organisations throw at security awareness training, improving their overall hygiene and strengthening their IT systems, they will suffer data breaches. In an attempt to at least level the playing field, companies need to immediately pay more attention to post-breach detection and mitigation and assume they will be breached and start protecting their data accordingly. A few simple steps include encrypting all data that is deemed sensitive, limiting employee access to networks and reducing large collections of data in widely accessible systems.

“Often times, enterprises treat their networks like their homes, which naturally are a lot less secure than your average IT network. In my home, I wouldn’t worry about someone stealing my wallet or valuables and walking out the front door. But I wouldn’t leave the wallet or valuable on a chair at an airport. Overall, our actions change when our perception of our environment changes and our understanding of how much trust we put into it. The same applies to detection- I expect airports to have cameras watching everything and every movement- but not inside my home. So if we think of our network as our protected home, we ignore some basic security that should exist there – such as activity monitoring. The post-breach mindset means that we need to start thinking of enterprise networks less like our home and more like airports.”

 

(43)

Share

The Growing DDoS Landscape

By Anthony Webb, EMEA Vice President at A10 Networks

A new wave of DDoS attacks on South Africa’s internet service provider has highlighted that these attacks continue to grow in frequency, intensity and sophistication. A10 Networks’ recent report on the Q2 2019: The State of DDoS Weapons has shed more light on the loud, distributed nature of DDoS attacks and the key trends that enterprises can learn from in adopting a successful defence.

IoT: A Hotbed for DDoS Botnets

A10 Networks has previously written that IoT devices and DDoS attacks are a perfect match. With the explosion of the Internet of Things (growing at a rate of 127 connected devices per second and accelerating), attackers target vulnerable connected devices and have even begun to develop a new strain of malware named Silex- a strain just for IoT devices. Silex affected 1650 devices in over an hour and wiped the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017.

The report has highlighted the top-three IoT binary dropped by malware families – two of the three belonged to Mirai – with the Netherlands, UK, USA, Germany and Russia being the top five hosting malware droppers.

The New IoT Threat

A new threat has emerged due to industry-wide adoption of technology with weak security: the UDP implementation of the Constrained Application Protocol (CoAP). This new threat does not have anything to do with Mirai or malware, but its impact has enabled millions of IoT devices to become weaponised as reflected amplification cannons. CoAP is a machine-to-machine (M2M) management protocol, deployed on IoT devices supporting applications such as smart energy and building automation. CoAP is a protocol implemented for both TCP and UDP and does not require authentication to reply with a large response to a small request. A10 identified over 500,000 vulnerable IoT devices with an average response size of 749 bytes. The report also highlights that 98% of CoAP threats originate from China and Russia, with the capability to amplify by 35x.

On the Horizon: 5G

Ericsson recently predicted that the number of IoT devices with cellular connection will reach 4.1 billion by 2024. 5G, with its higher data speeds and lower latency, will be the primary driver behind this rapid expansion. Whilst this is great news in an open dynamic world, the downside is that we will also see an increase in the DDoS weaponry available to attackers.

We have seen mobile carriers hosting DDoS weapons skyrocket over the last six months. Companies such as T-Mobile, Guangdong Mobile and China Mobile have been guilty of amplifying attacks. With 5G, intelligent automation aided by machine learning and AI will become essential to detecting and mitigating threats. IoT devices by Linux are already the target of a new strain of malware which is predominantly dedicated to running DDoS attacks.

Amplified Attack

Amplified reflection attacks exploit the connectionless nature of the UDP protocol with spoofed requests to misconfigured open servers on the internet. Attackers send volumes of small requests with the spoofed victim’s IP address to exposed servers, which are targeted because they’re configured with services that can amplify the attack. These attacks have resulted in record-breaking volumetric attacks, such as the 1.3 Tbps Memcached-based GitHub attack in 2018, and account for many DDoS attacks.

Battling the landscape

Every quarter, the findings of our DDoS attack research point to one thing: the need for increased security. Sophisticated DDoS weapons intelligence, combined with real-time threat detection and automated signature extraction, will allow organisations to defend against even the most massive multi-vector DDoS attacks, no matter where they originate. Actionable DDoS weapons intelligence enables a proactive approach to DDoS defences by creating blacklists based on current and accurate feeds of IP addresses of DDoS botnets and available vulnerable servers commonly used for DDoS attacks. With DDoS attacks not going away, it’s time for organisations to match their attackers’ sophistication with a stronger defence, especially as new technology like IoT and 5G gains momentum.

(368)

Share

Committee orders complete redrafting of Biometric Bills as privacy safeguards are deemed inadequate- Comment

The Joint Committee on Intelligence and Security has declined to recommend the passage of Australia’s pair of Biometric Bills, with a bipartisan agreement being reached that the privacy safeguards are not sufficient in their current form.The committee has instead requested the Identity-matching Services Bill 2019 be completely redrafted, ZDNet reported.

Commenting on the news, Robert Meyers, Compliance and Privacy Professional at One Identity, stated:

Australia is in an interesting situation with wanting greater inter-agency data sharing and expanding their privacy foundations. Recently, the country has made a large push for additional privacy impact assessments (for both government and business) while working up their new regulations. Breach notification improvements were one of the noted areas where improvement was required by many privacy professionals. It caused them to step back and really review their privacy risk management and notification standards.

Pulling back and rewriting these new regulations to include greater privacy and breach notification controls is a great step for them to take on these new laws. This is especially important with regard to building a privacy foundation in Australia. Currently, they are falling behind on privacy, and the government knows it. This could be the first step towards moving from being a follower in the privacy world, forward towards becoming a privacy leader.

(41)

Share

VIPRE: Think before you click

Think before you click

From regulatory compliance to safeguarding Intellectual Property (IP), companies are increasingly concerned about the risk of inadvertent data loss as a result of employee mistakes. And for good reason: with so much communication reliant upon email, human error is now the primary cause of data breaches. Indeed, growing numbers of organisations have introduced a ‘one strike’ policy; accidentally sending an email to the wrong person, or adding an incorrect attachment, has become a sackable offence.

While understandable, to a degree, this is hardly a supportive strategy. Humans make mistakes – and stressed, tired employees will make even more mistakes. Adding the pressure of losing your job, is potentially counterproductive. Employees already spend almost two days of each working week reading, deleting, responding to and creating emails – what they need is a way to avoid mistakes, a chance to check before they send. Andrea Babbs, Head of Sales, VIPRE SafeSend, explains how a simple second check for users will help to keep personal and sensitive data more protected with a layered approach.

Employee Threat

Business reliance on email is creating a very significant cyber security risk – and not simply due to the increasing volume and sophistication of phishing attacks. Email is the number one threat vector in organisations and the cause of nearly all data breaches, as confirmed by the Identity Theft Resource Center. It will come as no surprise to those who have experienced the stress and fear of mistakenly sending an email to the wrong person, or adding the wrong attachment, that the Center’s March 2019 breach report cited employee error as the number one cause of data breach or leakage.

Given the sheer volume of email, mistakes are inevitable. According to McKinsey, the average worker today spends nearly a third of their working week on email. Employees are increasingly trusted with company-sensitive information, assets, and intellectual property. Many are permitted to make financial transactions – often without requiring any further approval. Given the data protection requirements now in place, not only GDPR but also industry specific regulation as well as internal compliance, organisations clearly require robust processes to mitigate the risk of inadvertent data loss.

But is a strategy that simply imposes stringent penalties – including dismissal – on employees for mis-sent emails without providing any form of support going to foster a positive culture? What employees require is a way to better manage email, with a chance for potential mistakes to be flagged before an individual hits send.

Imposing Control

While businesses now recognise that any employee, at any time, is a cyber security threat, few recognise that there is a solution that can add a layer of employee security awareness. Businesses can help employees avoid simple mistakes, such as misaddressed emails, by providing a simple safety check. Essentially, before any email in Microsoft Outlook is sent, the user gets a chance to confirm both the identity of the addressee(s) and, if relevant, any attachments. Certain domains – such as the company and/or parent company – can be added to an allow list, if the business is happy for users to email internally without checking. Or the solution can be deployed on a department by department, even user by user basis. A business may not want HR to be able to mistakenly send sensitive personal information to anyone internally and therefore require a confirmation for all emails. Similarly with financial data, even marketing data at certain times – such as in the run up to a highly sensitive new product launch.

In addition to confirming the validity of email addresses and attachment(s), the technology can also check for key words within the email. Each business will have its own requirements – in addition to common terms such as confidential or private, or regular expressions to cover broader terms such as credit card numbers or National Insurance numbers, a company may opt to set key product ingredient names as key words to prevent data loss. Any emails – including attachments – containing these key words will be flagged, requiring an additional confirmation before they are sent, and providing users a chance to double check whether the data should be shared with the recipient(s).

Reinforcing Good Practice

This simple chance to check before you send provides an essential opportunity to minimise accidental data loss, whilst reinforcing compliance credentials. Accidentally CCing a customer rather than the similarly named colleague will be avoided because the customer’s domain name will not be on the allow list and therefore automatically highlighted. Appending a confidential marketing document to an email, rather than a product list, will be flagged. And with a full audit trail, the IT security team has full visibility of the emailing decisions made by employees.

This is key: rather than an overtly punitive approach, companies can reinforce a security culture, building on education and training with a valuable tool that helps individuals avoid the common email mistakes that are inevitable when people are rushing, tired or stressed. It provides an essential ‘pause’ moment, enabling individuals to feel confident that emails have been sent to the right people and with the right attachments.

Indeed, in addition to providing a vital protection against email mistakes, this approach can also help users spot phishing attacks – such as the email that purports to come from inside the company, but actually has a cleverly disguised similar domain name. If an employee responds to an email from V1PRE, for example, as opposed to VIPRE, thinking it genuinely comes from inside the business, the technology will automatically flag that email when it identifies that it is not an allowed domain, enabling the user to cancel send and avoid falling for the phishing attack.

Conclusion

Accidental data leakage is a significant yet apparently inevitable risk when business communication is so reliant upon email – with serious implications of reputational damage, IP loss, compliance breach and the associated financial costs. When it comes to minimising such errors, user education is important. Email culture is essential. But there is only so much humans can do.

Providing a technology that alerts users when they are potentially about to make a mistake – either by sending an email to the wrong person or sharing potentially sensitive information about the organisation, its customers or employees – not only minimises errors, it helps to create a better email culture. The premise is not to add time or delay in the day to day management of email; it is about fostering an attitude of awareness and care in an area where a mistake is easily made.

By enabling users to make an informed decision about the nature and legitimacy of their email before acting on it, organisations can now mitigate against this high risk area, while reinforcing compliance credentials.

(85)

Share

Bedside Hotel Robot Hacked to Stream In-Room Video- Comment

It has been reported that a Japanese hotel called “Henn na” was recently hacked. What makes the situation so unique however is that the hotel chain uses robots in place of human staff. Researchers were able to hack these robots in order to spy on the hotel guests. Some experts are warning that this goes far beyond just exploiting the privacy of guests, suggesting that this data paired with emerging technology such as AI and ML can aid in the increase of deep fakes and identity theft.

Commenting on this, Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center), said Emerging technologies are often characterised by priority placed on time to market over security. In this case, threat models around the potential compromise of the electronic valets should include a review of both the privacy as well as the potential for the devices to perform unintended tasks. With limited human oversight, review of how accurately a device completed its assigned task needs to be prioritized where such review also includes an understanding of the potential for misuse of the device.”

(50)

Share

“BriansClub” Hack Rescues 26M Stolen Cards- Comment

Security researcher Brian Krebs posted  that “BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone. All of the card data stolen from BriansClub was shared with multiple sources who work closely with financial institutions to identify and monitor or reissue cards that show up for sale in the cybercrime underground.

Commenting on this, Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center), said “Whether you’re running a global enterprise, a startup, small business or a shop for stolen data there are several truths in cybersecurity. First, the attackers define the rules of the attack and the best you can do is defend against their actions. Second, the only data ever taken is data available for the taking. When designing your data collection and storage procedures, it’s critical to look at all data operations through the lens of what would happen if there was absolutely nothing preventing your biggest competitor or worst enemy from downloading that data. Is all the data appropriately encrypted? Are all access attempts audited? Is modification controlled? For these questions, and many more, the next question becomes one of “How” and it’s how you approach these questions and their answers which distinguishes a successful cybersecurity initiative from one likely to make the news for the wrong reasons.”

(84)

Share