Labour Cyber Attack - Comment

Jake Moore, Cybersecurity Specialist at ESET:

“In the run up to a general election, political parties become an even bigger target than usual. Attacks may not necessarily come from within the opposition, but more likely from someone trying to either raise awareness, or simply make noise. If this attack had been more successful, it could have had some rather embarrassing results, but it still stands as a warning to all political parties to raise their awareness and add even more robust multi-layered protection.

It is likely that all of the political parties will continue to be targeted during the campaign period, but members of these organisations must remember to stay vigilant, and not be so quick to click. Staff should receive regular cybersecurity training at a time like this, as if an attack was to get through and start exposing or encrypting data, it could have serious consequences beyond just network damage.”




Home Office app for EU citizens easy to hack - Comment

Reports have surfaced that a smartphone app developed by the Home Office to help EU citizens apply to live and work in the UK after Brexit has serious vulnerabilities which, according to the researchers who examined it, could allow attackers to steal phone numbers, addresses and passport details. So far more than 1m of the estimated 3.5m EU citizens living in the UK have downloaded the EU Exit: ID Document Check app for Android smartphones.

Jonathan Knudsen, senior security strategist at Synopsys, commented: “Anyone can stack one rock on top of another, which is fine if you want to make a pile of rocks. If you want to build a bridge, or a cathedral, you need more skills, better planning, and knowledge of physics, trigonometry, and materials. Similarly, anyone can write software. Making software that is secure and resilient (as all software should be) requires more skills, better planning, and more knowledge than just writing code in a text editor.

The cornerstone of real software engineering is a Secure Development Life Cycle, in which security is a primary consideration at every phase of design and implementation. Coupled with more testing and better testing, the SDLC is a process that helps organizations produce software that is safer, more secure, and more robust.


The Home Office’s intention to replace a cumbersome paper application with a smartphone app is laudable, but the implementation has fallen short. Perhaps a top-to-bottom security-forward reworking of this app would produce both the desired functionality as well as the necessary safety and security for such a sensitive app.”




Five emails you don’t want in your inbox

Phishing attacks are the most common form of cyber attack. Why? The simplicity of email gives cyber criminals an easy route in: a message lands in front of the user directly, with few barriers between the attacker and the person reading it, which makes it an effective way to mislead, harvest credentials and deliver malicious content.

All organisations think it won’t happen to them, but phishing isn’t a trap that only ensnares the gullible or those unacquainted with technology. Far from it. Gone are the days of poorly-worded, patently obvious attempts at scamming users out of their hard-earned cash. Some of today’s most sophisticated phishing attacks are almost indistinguishable from legitimate business communications – they’re well-written, thoroughly researched and establish a thread of communication with the victim before attempting to steal their credentials or bank balance.

Email is the single biggest attack vector used by adversaries who employ a plethora of advanced social engineering techniques to achieve their goal. Andy Pearch, Head of IA Services at CORVID, describes five common types of social engineering attack that no employee – from CISO to HR assistant – wants to see in their inbox.

1. Payment diversion fraud

Cyber criminals often masquerade as a supplier, requesting invoices are paid to alternative bank details. They can also pretend to be an employee, asking the HR department to pay their salary into a different account. Payment diversion fraud targets both businesses and individuals and the results can understandably be devastating.

There is little point asking someone to make a bank transfer or change payment details if they aren’t authorised to do so. Threat actors therefore target finance and HR teams, who expect to process payments and handle changes to personal account details and so are more likely to comply with the fraudulent request.

2. CEO fraud

Impersonating a VIP – often the CEO – is big business for adversaries, because the recipient will often action the request straight away. Threat actors research their executive target thoroughly to make sure their spoofed email is as convincing as possible, so it stands more chance of succeeding. They prey on users’ implicit trust of their seniors to coerce them into providing commercially sensitive information, personal information, or bank account details.

These deceitful requests often convey a sense of urgency, and imply the interaction can only be carried out via email – the victim therefore has no time to question the validity of the request, and is unable to call the CEO to confirm if it’s genuine.

3. Whaling

The opposite of CEO fraud, whaling targets senior executives rather than impersonating them. These targets are often the decision-makers in a business who have the authority to give the go-ahead on financial transactions and business decisions, without further levels of approval. These phishing attacks are thoroughly researched, containing personalised information about the company or individual, and are written in the company’s tone, adopting fluent business terminology that’s well-known to the VIP target.

4. Spear phishing

Perhaps the most widespread form of email-based cyber attack, spear phishing targets individuals and specific companies with links to credential harvesting sites or requests for confidential information, such as bank details and personal data. Attackers study their victim’s online presence to include specific information which adds credibility to their request, such as purporting to be from a streaming service the victim is subscribed to, or a supplier that is known to the target company.
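The tells described under payment diversion fraud, CEO fraud and spear phishing (an executive’s name on an outside address, a sender domain one keystroke away from a trusted one, a Reply-To that quietly reroutes the conversation, and language about moving money) are all visible in the message itself. The following Python sketch is an added example, not the article’s or CORVID’s code, of how a gateway filter can score those signals. The corporate domain, the supplier domain, the executive’s display name and the three sample messages are constructed for the demonstration, and the rules are illustrative heuristics rather than a complete classifier.

```python
"""Header and content heuristics for payment diversion, CEO fraud and
spear phishing.  Added example; domains, names and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"                     # assumed corporate domain
KNOWN_DOMAINS = {INTERNAL_DOMAIN, "acme-supplies.com"}  # assumed trusted supplier
VIP_NAMES = {"jane doe"}                                 # assumed CEO display name
PAYMENT_WORDS = ("bank details", "wire transfer", "payment", "urgent")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (one edit away), or None."""
    for known in KNOWN_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 1:
            return known
    return None


def analyse(raw: str) -> list:
    """Return the fraud indicators found in a single-part text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # CEO fraud: an executive's display name on an address we do not control.
    if name.lower() in VIP_NAMES and domain != INTERNAL_DOMAIN:
        findings.append("vip-external")

    # Payment diversion: sender domain one keystroke away from one we trust.
    if lookalike_of(domain):
        findings.append(f"lookalike:{domain}")

    # Replies silently rerouted to a mailbox the attacker controls.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-mismatch")

    # Language asking finance to move money or change account details.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in PAYMENT_WORDS):
        findings.append("payment-language")
    return findings


# Constructed samples, not real mail.
CEO_FRAUD = "\n".join([
    'From: "Jane Doe" <jane.doe@freemail.example>',
    "Reply-To: <ceo.office@freemail.example>",
    "To: finance@example-corp.com",
    "Subject: Quick favour",
    "",
    "Are you at your desk? I need an urgent wire transfer done before noon.",
    "I'm in meetings all day, so email only please.",
])

PAYMENT_DIVERSION = "\n".join([
    'From: "Acme Supplies Accounts" <accounts@acme-supp1ies.com>',
    "To: ap@example-corp.com",
    "Subject: Updated bank details",
    "",
    "Our bank details have changed. Please pay outstanding invoices",
    "to the new account below.",
])

LEGITIMATE = "\n".join([
    'From: "Jane Doe" <jane.doe@example-corp.com>',
    "To: finance@example-corp.com",
    "Subject: Monday agenda",
    "",
    "Agenda for Monday attached.",
])

if __name__ == "__main__":
    for label, raw in [("ceo fraud", CEO_FRAUD),
                       ("payment diversion", PAYMENT_DIVERSION),
                       ("legitimate", LEGITIMATE)]:
        print(f"{label:18} {analyse(raw)}")
```

Each indicator on its own is weak (executives do email from personal accounts, suppliers do change bank details), which is why the function returns the full list rather than a verdict: the combination of an outside address, a rerouted Reply-To and payment language is what should route the message to a human check before anything is paid.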

5. Sextortion

Not all phishing attacks are subtle. A form of cyber blackmail, sextortion is when cyber criminals email their target claiming to have evidence of them committing X-rated acts or offences, and demanding payment to stop the criminals from sharing the evidence with their victim’s family or employer.

Attackers count on their victim being too embarrassed to tell anyone about the email (even though they haven’t done anything wrong), because it’s a taboo subject most wouldn’t feel comfortable discussing with others. They often make the email sound like they’re doing their victim a favour by keeping the details to themselves. The victim may decide to pay up to stop embarrassing details about their private life being made public, regardless of whether they’re true or not. Payments are usually demanded in Bitcoin because a wallet address is not tied to a verified identity: the transaction itself is public on the blockchain, but linking it to a person is difficult, so the adversary is hard to identify.

But if the victim knows they’re innocent, why do these attacks still work? It’s all about credibility – attackers harvest email addresses and passwords from previous cyber attacks, which are available on the internet, and include them in their email to add credibility. If an attacker emails you claiming to know one of your passwords and includes it for proof, you’re more likely to believe the rest of the email is genuine.


These common types of social engineering attack cannot be ignored by any organisation – these threats are very real and won’t disappear anytime soon. Email security and threat protection can be transformed by the use of multiple sophisticated detection engines and threat intelligence sources; employees shouldn’t have to carry the weight of identifying these threats, essentially plugging the gaps in flawed cyber security strategies. Organisations need to treat email as the serious security risk that it is and begin to put appropriate measures in place.

Fraud detection and content checking in real time automatically highlight phishing and social engineering techniques, which removes the burden from users and instead leaves technology to do its job. Furthermore, technology enables potentially concerning emails – such as those attempting to harvest credentials, mislead users or spread malicious elements – to be automatically flagged, meaning employees can make quick, informed and confident decisions as to whether the email should be trusted.

With such sophisticated technology available and a growing threat landscape that shows no sign of slowing, it’s time for organisations to make a change and adequately protect themselves from incoming attacks.



Media giant Nikkei hit by BEC scam, losing $29 million - Comment

It has been reported that Japanese media company Nikkei Inc. is the latest organization to be hit by BEC scammers, costing the enterprise $29 million. The company confirmed last week that, in late September, an employee of its US subsidiary “had transferred approximately 29 million United States dollars (approximately 3.2 billion Japanese Yen) of Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei.”


Commenting on the news are the following cybersecurity professionals:

Martin Jartelius, CSO at Outpost24:

“To mitigate such a threat occurring, an excellent set of security processes need to be instilled:

  • Do not process financial transactions solely based on email.
  • Do not authorize transactions over certain amounts without verification from the one instructing on the transaction.
  • Do not authorize new recipients of any transactions without an approval process within the finance team.

The last step is one of the easiest to implement, and it is one of the most efficient.

Adding a header “This email originates from outside the organization” to all emails not sent by an authenticated user from the internal email server further gives a degree of resilience, but the problem is soft – staff related – and the solution hence is also soft – implementation of soft controls. Human error is not a technical error; we can by technology empower employees to make more educated guesses, but the best control is one that catches when the human fails, which is the reason for the above recommendations.”
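A worked version of the external-origin tagging mentioned above, added here as an example (it is not Outpost24’s code or part of the original article). The point it demonstrates is that the From: domain alone cannot decide what is internal, because it is trivially forged; the gateway has to check its own authentication verdict as well. The internal domain, the gateway’s authserv-id, the banner text and the four sample messages are constructed for the demonstration.

```python
"""External-sender banner driven by the gateway's own authentication verdict.
Added example; domain, authserv-id and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"      # assumed corporate domain
OUR_AUTHSERV_ID = "mx.example-corp.com"   # assumed id our gateway stamps
BANNER = "[EXTERNAL] "


def authenticated_internal(msg) -> bool:
    """True only if the From domain is ours AND our own gateway verified it.

    The Authentication-Results header must carry our gateway's authserv-id
    (the token before the first ';') and record a DKIM pass for our domain.
    A header stamped by any other authserv-id is ignored, because a sender
    can add one of those themselves.
    """
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN:
        return False
    results = msg.get("Authentication-Results", "").lower()
    authserv_id, _, verdicts = results.partition(";")
    if authserv_id.strip() != OUR_AUTHSERV_ID:
        return False
    return f"dkim=pass header.d={INTERNAL_DOMAIN}" in verdicts


def classify(raw: str):
    """Return (is_external, subject), with the banner applied to external mail."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if authenticated_internal(msg):
        return False, subject
    # Avoid stacking banners if the subject already carries one.
    if subject.startswith(BANNER):
        subject = subject[len(BANNER):]
    return True, BANNER + subject


# Constructed samples, not real mail.
INTERNAL_OK = "\n".join([
    "Authentication-Results: mx.example-corp.com; dkim=pass header.d=example-corp.com; spf=pass smtp.mailfrom=example-corp.com",
    'From: "Jane Doe" <jane.doe@example-corp.com>',
    "Subject: Q3 planning",
    "",
    "Slides attached.",
])

SUPPLIER = "\n".join([
    "Authentication-Results: mx.example-corp.com; dkim=pass header.d=acme-supplies.com",
    "From: accounts@acme-supplies.com",
    "Subject: Invoice 4471",
    "",
    "Please find the invoice attached.",
])

# From: claims our domain, but our gateway saw no DKIM signature and an SPF fail.
SPOOFED_INTERNAL = "\n".join([
    "Authentication-Results: mx.example-corp.com; dkim=none; spf=fail smtp.mailfrom=example-corp.com",
    'From: "Jane Doe" <jane.doe@example-corp.com>',
    "Subject: Quick favour",
    "",
    "Can you process a transfer for me today?",
])

# A pass verdict stamped by someone other than our gateway carries no weight.
FORGED_RESULTS = "\n".join([
    "Authentication-Results: attacker.example; dkim=pass header.d=example-corp.com",
    'From: "Jane Doe" <jane.doe@example-corp.com>',
    "Subject: Quick favour",
    "",
    "Can you process a transfer for me today?",
])

if __name__ == "__main__":
    for label, raw in [("internal", INTERNAL_OK), ("supplier", SUPPLIER),
                       ("spoofed", SPOOFED_INTERNAL), ("forged AR", FORGED_RESULTS)]:
        print(f"{label:10} {classify(raw)}")
```

For this check to mean anything, the inbound gateway must strip any pre-existing Authentication-Results header that claims its own authserv-id before adding its verdict, as RFC 8601 directs; otherwise an attacker simply sends the “mx.example-corp.com; dkim=pass …” line along with the spoofed From: and the banner never appears.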

Felix Rosbach, product manager at comforte AG:

“Here we have yet another example of how easy it is to steal someone’s identity – given there are no countermeasures in place. The reason for this is simple: most hackers aren’t geniuses, but neither is the average employee. We’re only human after all. Sometimes we make mistakes. Sometimes we get complacent or distracted and, unfortunately, our tendency to slip up every once in a while leaves us open to exploitation. That’s why you always have to have the human element in mind when thinking about security. So the question is: how do we protect our organization from the phishing scheme du jour? With an increasing attack surface and an endless number of ways to get access to a company, the name of the game is sophisticated identity access management coupled with verification from an actual human. And last but not least, having solid data protection will act as a fail-safe to minimize the damage in the event of a breach.”



New cyber deception lab helps MOD take the fight to network attackers

Cranfield University and the Defence Cyber School at the Defence Academy, Shrivenham, are working together to develop a national focal point for cyber deception and help the UK Ministry of Defence (MOD) better defend their networks in cyberspace.

The National Cyber Deception Laboratory (NCDL) aims to bring together practitioners and researchers across Government, academia and industry to facilitate research and provide guidance in the context of national security.

Cyber deception is likely to be one of the most significant growth areas in cybersecurity over the coming years. The evolution of the field within the UK military will allow network defenders to take a proactive approach by using military deception tradecraft to effectively defend against and manipulate the activities of attackers operating within their networks. This may involve confusing the enemy into taking steps that might expose their identity or sabotaging their attacks.

Darren Lawrence, Director of the NCDL, Senior Lecturer in Behavioural Science and Head of the Information Operations Group at Cranfield University said: “Military networks need a full spectrum military defence – existing civilian security approaches are simply not up to this task. Deception is all about creating errors in how our adversaries make sense of their world. It is about getting them to act in ways that suit our purposes, not theirs.

“We are delighted to be working with the Defence Cyber School on this initiative. Researching ways to shape attacker behaviour and deny them the freedom to operate within our networks will enable military cyber defence to move on to a more aggressive footing and deter future attacks.”

The NCDL will seek to deliver innovative and novel approaches to the development of cyber deception capabilities by connecting individuals and organisations across multiple sectors.

Air Commodore Tim Neal Hopes OBE, Head of MoD C4ISR and Cyber Jt User, said: “We live in a period of constant contest. A period where the UK is attacked through cyberspace on a daily basis. Defence, if it is to maintain operational effectiveness, must therefore defend its information, networks and cyber-dependent capabilities, against these perpetual attacks.

“Cyber Deception is a crucial element of cyber defence and I am therefore delighted to champion the creation of the National Cyber Deception Laboratory (NCDL) as part of that collective effort, and look forward to bringing the full force of the NCDL to help the UK MOD, and her allies, operate securely in the information age.”

The NCDL was launched at the first National Cyber Deception Symposium on 6 November. For more information about participating in or supporting NCDL activities, please contact



Cyber-attack hits Utah wind and solar energy provider - Comment

It has been reported that sPower, a Utah-based renewable energy provider, finds itself holding two unwanted titles. It is the first US provider of solar and wind renewable energy known to have been the victim of a cyber-attack, and the first US power grid operator known to have lost connection with its power generation installations as a result of one.

Commenting on this, Sam Curry, chief security officer at Cybereason, said: “With attackers breaching and disrupting left and right, to say that another “wake up call” has come is stating the obvious. Let’s get specific. The cyber-attack on sPower, the Utah-based solar and wind power utility, is specifically a lesson in anti-fragility and resilience. There’s very little public information here, so attribution isn’t really possible and the motivation of the attacker is unclear. However, it’s clear that a single piece of equipment was the single point of failure between the command center and the power generation machinery and mechanisms. If this had been step one in a more serious attack: followed up with sabotage, coordinated with other organisations being attacked or a number of other activities, the damage and impact could have been much worse. This isn’t a message for just sPower: everyone in the massively interconnected SmartGrid has to pursue being healthy in three key places:

1. Prevent “left of boom” and hunt opponents long before the “boom” of a breach.
2. Ensure that single points of failure are reduced and removed; redundancy is a virtue in business continuity and disaster recovery.
3. Work “right of boom” since with an active human opponent someone will always get through at some point to maintain availability and command and control. If you can weather the storm and preserve ownership of an environment, the public will be much, much safer. This is as true in SmartGrid as in any other part of critical infrastructure.”