Three United Nations offices hacked

As reported by Computing, according to a confidential internal report leaked to The New Humanitarian, the United Nations was hacked last year via a Microsoft SharePoint vulnerability, with 20 administrative accounts compromised and malware implanted on 40 servers. Furthermore, the UN chose to cover up the attack, which has been described as “sophisticated”, rather than disclose it publicly.

Jake Moore, Cybersecurity Expert at ESET:

“I believe no one should be covering up attacks in any way, shape or form. We have learnt that being open and honest about cyberattacks can in fact help the brands and organisations in the wake of these hacks and help build stronger defences going forward.
Owning up to a data breach or vulnerability usually brings the cyber security industry together, and can provide help and support. It also helps other organisations who may be at risk with similar vulnerabilities. Although it is yet to be seen how this attack was carried out, there is a lot to be learnt within the industry about reporting breaches, and hopefully over the next few years we will start to see a more honest approach.”


Zoom vulnerability would have allowed hackers to eavesdrop on calls- Comment

It has been reported that security flaws have been found in videoconferencing platform Zoom that would have allowed a potential hacker to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. While Zoom has addressed the issue, the report raises deeper concerns about the safety of videoconferencing apps that require access to microphones and cameras.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: “When running an online meeting, make sure you can identify all users who have joined. If you expect that any part of the meeting is information you want to keep confidential, use the password feature to protect the meeting from casual intruders. Meeting recordings should be protected with similar vigilance. For example, recording files should not be placed on unauthenticated servers, and any links to streaming recordings should be protected by some form of authentication.”


Thousands of Instagram passwords exposed by social media boosting service- Comment

It has been reported that Social Captain, an Instagram-boosting service, has exposed thousands of Instagram passwords. A website bug allowed anyone to access any Social Captain user’s profile without logging in: simply plugging a user’s unique account ID into the company’s web address would grant access to their Social Captain account, and with it their Instagram login credentials. In other words, the server used the ID in the URL to select the record but never checked who was asking for it, a classic missing authorisation check on a direct object reference.

Commenting on this, Stuart Sharp, VP of solution engineering at OneLogin:

“It is disappointing that in 2020 we are still seeing service providers failing to follow even the most basic steps to secure their customers’ data. The vast majority of websites should never need to store a user’s password (instead they are stored as a one-way, non-reversible hash). The Social Captain use case is special — they need the user’s clear-text password to log into their customer’s account. Given the sensitive nature of this architecture, it is all the more surprising that they failed to encrypt users’ passwords by default — and it appears that they continue to store these passwords in the clear. Service providers have a duty of care to their users to follow security best practices — discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and radically rethink their approach to security.”
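The two failures described in this item, an account endpoint that trusts the ID in the URL, and a service password kept in a recoverable form when only a hash is needed, are small enough to show side by side. The following is an added example, not Social Captain's code: an in-memory model of the profile endpoint as reported (any caller, no login) next to a hardened version that authenticates, checks ownership, and never echoes stored credentials back to the browser. The user table, session object, sample accounts and (status, body) return values are all constructed for illustration in place of a real web framework.

```python
"""Added example: insecure direct object reference beside the hardened handler,
plus one-way hashing for the service's own login password. All names and data
here are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted one-way hash for a password the service only ever needs to verify."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


@dataclass
class User:
    account_id: int
    email: str
    password_hash: str        # service login: only the hash is stored
    instagram_password: str   # third-party credential the service must replay (see note below)


# Constructed sample data: two customers of the service.
USERS = {
    1001: User(1001, "alice@example.com", hash_password("alice-pw"), "alice-ig-secret"),
    1002: User(1002, "bob@example.com", hash_password("bob-pw"), "bob-ig-secret"),
}


@dataclass
class Session:
    user_id: int


def login(email: str, password: str) -> Optional[Session]:
    """Issues a session only after the one-way hash verifies."""
    for user in USERS.values():
        if user.email == email and verify_password(password, user.password_hash):
            return Session(user_id=user.account_id)
    return None


def profile_vulnerable(account_id: int, session: Optional[Session]):
    """Mirrors the reported bug: the path parameter alone selects the record;
    nothing checks that the caller is logged in, let alone owns the account."""
    user = USERS.get(account_id)
    if user is None:
        return 404, None
    return 200, {"email": user.email, "instagram_password": user.instagram_password}


def profile_hardened(account_id: int, session: Optional[Session]):
    """Authenticate, then authorise against the requested object, then return a
    view that never includes stored credentials."""
    if session is None:
        return 401, None                       # not logged in
    user = USERS.get(account_id)
    if user is None or user.account_id != session.user_id:
        return 403, None                       # same answer for 'not yours' and 'not found'
    return 200, {"email": user.email, "instagram_linked": bool(user.instagram_password)}
```

The hardened handler returns 403 for both a foreign account and a nonexistent one so that an attacker iterating IDs cannot even enumerate which accounts exist. The Instagram credential is kept as a plain field only to show that it must never leave the server; a service that genuinely has to replay a third-party password should store it encrypted at rest under a key held outside the database, which is the "encrypt by default" step the comment above says was missing.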


Government plans new laws for smart gadgets

According to BBC News, the UK government is developing laws that would require manufacturers to ensure their smart gadgets cannot be hacked and exploited via the internet. This comes amid concerns that many internet-enabled devices lack basic security features. Under the proposed laws, manufacturers would have to:

  • ensure every internet-enabled device has a unique password
  • provide a public point of contact so anyone can report a vulnerability
  • state the minimum length of time a device will receive security updates

Jake Moore, Cybersecurity Expert at ESET:

“Confidence in the security of smart devices should come as standard so this new proposal can’t come soon enough. Long has there been a standoff between security professionals and manufacturers battling it out over the protection of customers and their gadgets, so if the government muscle in on the action it could just be the answer we have been fighting for.

Unique passwords are more important than most people tend to realise, so this simple yet effective ‘security by design’ move will add an instant layer of protection without the user having to think. Security doesn’t have to be difficult, but it is far more successful when the user is obliged to protect themselves by design. However, this is no doubt the end of the matter as cyber security is a never-ending battle against persistent threat actors. If this new law is constantly monitored and updated, this could be an extremely positive movement in the right direction.”


Severe Vulnerabilities Discovered in GE Medical Devices- Comment

It has been reported that the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for six high-severity security vulnerabilities in GE patient monitoring devices. These flaws could allow an attacker to make changes at the software level of a device and, in doing so, interfere with its functionality, render it unusable, change alarm settings, or expose personal health information.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: “Software is the critical infrastructure that is the foundation for nearly everything else in the modern world. In healthcare, vulnerabilities in software can expose devices and systems to attack or misuse, which ultimately could have adverse effects on patient health. Reducing risk is a matter of finding and fixing vulnerabilities. The way this happened with MDhex was that security researchers located vulnerabilities in existing products. The researchers did the right thing by discreetly notifying the manufacturer, allowing time for a coordinated disclosure to the public.

While security research is an important component of improving the overall state of the industry, it is not the most efficient way to keep risk low while building products. The best way to stamp out vulnerabilities is to find them as soon as possible by using a secure development life cycle (SDLC). At every stage of product development, vulnerabilities are identified and eradicated. 

In the design phase, this takes the form of using threat modelling and other techniques to identify design vulnerabilities and the security controls that are necessary to reduce the risk of the system. During implementation, developers can use source code analysis tools to identify vulnerabilities as they are writing source code. Likewise, a software composition analysis tool can be used to manage the security and license compliance risks of the supply chain of open source components used in assembling the system. Traditional functional software testing must be augmented with fuzz testing and interactive application testing. Manual testing, such as that performed by security researchers, can be useful as another way to search for vulnerabilities, but automated tools should be used as much as possible first. 

Security is a part of every phase of the SDLC. The resulting software products are safer, more secure, and more robust, which means they present lower risk for the builder and its customers. A proactive approach to software security results in lower risk and lower costs in the long run.”


Failure is Not an Option: Realize the Potential of Data Science From Swiss Re, AmFam, and Blue Cross and Blue Shield

With 90% of carriers actively investing in new data projects, project failure is not an option.

Artificial intelligence (AI) and machine learning (ML) have become mainstays in the insurance industry, equipping insurance companies with tools that can help them to become more efficient and profitable than ever before. But with the stakes so high, carrier executives are immobilized – the volume of cutting-edge data sources has exploded and the vast majority won’t implement a project if they’re not sure of its success.

On (date), Insurance Nexus will host a webinar with Vineet Bansal, SVP, Chief Technology Officer, Swiss Re; Mingju Sun, Director of Data Science Engineering, AmFam; and Michael Y. Xiao, Divisional VP Enterprise Data Science, Blue Cross and Blue Shield. This webinar will highlight the relationship between data science and successful project management, helping insurance companies to identify areas for growth and enhanced efficiency.

Sign up for this webinar to get actionable insight to develop strategy for your organization. You’ll learn how to:

  • Unlock the power of data science to ensure long-term project success: Learn how to identify the key steps to success for data science projects in a world of regular failure. Build the right strategy and ensure data science projects result in successful production and implementation.
  • Embed AI across the enterprise and beyond models to impact: Discover how to build an effective and agile data ecosystem to support AI and advanced analytics application across business objectives. Foster coalitions across the enterprise to ensure the success of AI.
  • Deploy predictive analytics to gain a strategic advantage: Go beyond predictive analytics. Use more accurate models to optimize pricing in real-time, at the point of sale and achieve a competitive advantage.
  • Apply emerging technology to the insurance industry: Identify current and future technological trends. See how new technology can help you achieve ROI and improve existing processes.

Don’t miss out on the ultimate opportunity to incorporate data science, artificial intelligence and machine learning into your everyday business capabilities — sign up for the webinar today. You’ll receive a free recording of the webinar, even if you can’t attend.

This webinar is being run in association with the upcoming Insurance AI and Innovative Tech USA Summit 2020, an event by Insurance Nexus, a Reuters Events Company. Expecting more than 500 attendees from across the North American insurance ecosystem, the Insurance AI and Innovative Tech USA Summit brings senior innovation and business unit executives to uncover the rewards of embedding technologies such as AI, IoT, blockchain and automation to create valuable, relevant insurance products and services and seamless experiences through the power of tech-enhanced operations. For more information, please visit the website or get in touch with a member of the Insurance Nexus team.

Contact:

Ira Sopic

Project Director

Insurance Nexus

T: + 44 (0) 207 422 4363

T: +1 800 814 3459 ext 4363

E: ira.sopic@insurancenexus.com


Twitter and Facebook accounts for 15 NFL teams hacked

As reported by BBC News, more than a dozen teams in the US National Football League have had their social media accounts hacked. The teams included the San Francisco 49ers and Kansas City Chiefs, who will compete in the Super Bowl on 2 February. The hacking group OurMine took responsibility for the attack, saying it was intended to show that internet security was “still low” and had to be improved.
Jake Moore, Cybersecurity Specialist at ESET:
“Yet again, we are seeing that social media accounts owned by famous people are still highly targeted and users need to be aware of the simple procedures to help better protect their accounts. Criminal hackers use extremely clever methods to gain entry to online accounts, but this risk can be mitigated if the right actions are taken.
If there is one app everyone should download (particularly celebrities and other highly targeted people), it would be an authenticator app. This is one of the best ways to quickly increase security to online accounts and you don’t have to be a cyber security professional to set it up either. Once connected to the account, only that device will be allowed access to it, meaning that even if one’s password is compromised, the account still shouldn’t be able to be hacked. Then, it is worth revoking access to your account from other third-party platforms which do not offer this form of two factor authentication.”


Avast antivirus subsidiary sells highly sensitive web browsing data to many world leading companies- Comment

It has been reported that an antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies, a joint investigation by Motherboard and PCMag has found. The Avast division charged with selling the data is Jumpshot, a company subsidiary that’s been offering access to user traffic from 100 million devices, including PCs and phones. In return, clients—from big brands to e-commerce providers—can learn what consumers are buying and where, whether it be from a Google or Amazon search, an ad from a news article, or a post on Instagram.

The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.

Commenting on this, Sam Curry, chief security officer at Cybereason, said “Antivirus companies who get into the practice of data brokering cease to be security companies, in my opinion, and should defend themselves with clear, transparent language and should remove conflicts of interest or they are spyware luring in customers with benefits that are misleading and frankly disgusting. I hope that Avast is proved innocent for the industry’s sake, but if it’s not, I reject them as a security company until they resolve this and make amends, transparently.

Avast is in a position of trust and is supposed to be protecting from not just the black and white world of malware, but also from the shades of grey of adware and spyware. The term PUP or “potentially unwanted program” is a bit of a cop-out: there’s nothing potentially unwanted about these programs, as the vast majority of them are collecting data and putting it to use in ways that we as online citizens wouldn’t want.

The reason for the PUP euphemism is that the manufacturers of many spyware programs have legal departments that frighten antivirus makers and threaten to embroil them in expensive court cases and legal battles in civil court. The cry from the manufacturers of this nasty shady-ware is that the EULA (End User License Agreement) discloses that data might be re-used or re-sold. That isn’t good enough, though, and it’s especially not good enough from a company that is supposed to help us sort the black from the white and to parse the grey in between. By analogy, the police protect us from harm. You can hire a bodyguard to also protect you from harm in a private contract, but how do you feel when the police ask you for some direct funding for the same? How do you feel when the police perhaps also tell criminals about your whereabouts?

So now we come to the antivirus industry. From the big names to the small, we are uniformly supposed to be above this. We are the watchers who are supposed to spot the spyware and the PUPs and make the calls, and to never, ever fall into that grey zone. It’s corrupt, and hiding behind a EULA won’t do it. What’s required is informed, strong consent: any company providing any security benefit and in a position of trust that is selling information had better have used less than 10 words to alert the user clearly, gotten consent and be open to their users being directly asked if they knew this was a contractual agreement. It’s not OK to bury permission in a 200-page EULA, written in passive-voice run-on sentences in all caps. No one reads that.

It’s also not OK to go against a company’s explicit, public privacy statements. Time will tell and the truth will come out when companies cross this line. I will leave it to the lawyers to decide what subsidiaries of Avast said or did, what the EULAs disclosed or not and whether they are within the bounds of their agreements with their customers.”


UK cyber security legislation ‘crying out for reform’, new report finds

A new report released by the Criminal Law Reform Now Network (CLRNN) – a collaboration between academics, practitioners and other legal experts – finds the Computer Misuse Act 1990 (CMA) is “crying out for reform”.

The CMA criminalises individuals who attempt to access or modify data on a computer without authorisation. This often involves cyber-attacks like malware or ransomware attacks which seek to disrupt services, obtain information illegally or extort individuals or businesses.

But the CLRNN report, ‘Reforming the Computer Misuse Act’, details how the CMA is in fact compromising the UK’s cyber resilience by preventing cyber security professionals from carrying out threat intelligence research against cyber criminals and geo-political threat actors, leaving the UK’s critical national infrastructure at increased risk.

It also restricts journalists and academics from researching cyber threats in the public interest.

Barrister Simon McKay, a civil liberties and human rights law practitioner, member of CLRNN and project lead for the report, commented: “The Computer Misuse Act is crying out for reform. It needs to be future- and technology-proofed to ensure it can meet the challenges of protecting the embedded internet-based culture we all live in and depend on. This report delivers a blueprint for the government to use and develop to make the law more effective in policing and prosecuting cybercrime.”

The report’s recommendations include:

  • A range of measures to better tailor existing offences in line with the UK’s international obligations and other modern legal systems, including new corporate offences.
  • New public interest defences to untie the hands of cyber threat intelligence professionals, academics and journalists to provide better protections against cyber-attacks and misuse, while ensuring consistency with overlapping offences within the Data Protection Act 2018.
  • A set of new targeted guidance for prosecutors, including the prosecution of young defendants, and calls for greater transparency regarding the use of PREVENT programmes by police.
  • The creation of new sentencing guidelines, with detail on their formation and function.

Dr John Child, Senior Lecturer in Criminal Law at the Birmingham Law School and co-director of CLRNN, says: “The legal case for reform of the Computer Misuse Act 1990 is overwhelming. Experts from academia, legal practice and industry have collaborated to identify the best route to ensure proper penalties are enforced to enable prosecution of hackers and companies who benefit from their activities, whilst permitting responsible cyber security experts to do their job without fear of prosecution.”

Ollie Whitehouse, Global CTO at NCC Group and spokesperson for the CyberUp campaign, commented on the release of the report: “This report shines a welcome light on the UK’s outdated cyber security crime laws, which leave the cyber industry tackling one of the biggest threats facing our national security within a regime drawn up 30 years ago – when less than 0.5% of the world’s population had access to the internet.

“The government needs to take urgent action by updating and upgrading the Computer Misuse Act so our nation’s cyber defenders no longer have to act with one hand tied behind their backs, paralysed by the fear of being prosecuted for doing their jobs.

“In today’s uncertain international climate, the ability of cyber criminals and geo-political threat actors to disrupt our technology systems will only continue to grow. We must seize the opportunity to develop 21st century to allow the industry to flourish and make the country safer and more secure.”

The report, Reforming the Computer Misuse Act 1990, is also available online.


Hackers Acting in Turkey’s Interests Believed to Be Behind Recent Cyber Attacks- Comment

It has been reported that sweeping cyberattacks targeting governments and other organisations in Europe and the Middle East are believed to be the work of hackers acting in the interests of the Turkish government, three senior Western security officials said. The hackers have attacked at least 30 organisations, including government ministries, embassies and security services as well as companies and other groups. Victims have included Cypriot and Greek government email services and the Iraqi government’s national security advisor, the records show. The attacks involve intercepting internet traffic to victim websites, potentially enabling the hackers to obtain illicit access to the networks of government bodies and other organisations. According to two British officials and one U.S. official, the activity bears the hallmarks of a state-backed cyber espionage operation conducted to advance Turkish interests.

Commenting on this, Sam Curry, chief security officer at Cybereason, said: “It should come as no surprise that Turkey and other countries are carrying out targeted attacks against foreign powers for political and economic reasons. The Turkish government didn’t recently wake up and decide to carry out a sophisticated number of attacks against other nations.

It’s important not to play the speculation game, but believe it or not Turkey is a major player in the cyber arena and has been for years. What this newest discovery does is reinforce how complex the world of espionage, cyber crime and nation-state hacking is. Turkey has offensive and defensive cyber capabilities and, while not a superpower, it is a player in the geopolitical landscape and, by extension, of the cyber landscape.

Hacking between Turkey, the US and other nations is just an extension of politics by other means, to paraphrase Clausewitz. Turkey’s offensive campaigns are likely yielding significant results and we can expect more of the same in the months ahead. What we might not know in the short or long term is what responses are being carried out by governments that have been victimised.”
