
Equifax breach the latest in troubling hacking trend

Written on Wednesday, 20 September 2017 08:55

Large digital security breaches are a common occurrence in the corporate world today. The latest breach, experienced by consumer credit reporting agency Equifax, follows a trend of troubling hacks that have played out across the globe this year. It seems adversaries will stop at nothing to evolve their threats, move with even more speed, and find new ways to widen their operational space.

Equifax chief executive Richard Smith said in an opinion piece in USA Today on September 12 that his company “will make changes” after a massive security breach in July that may have exposed the data of up to 143 million people. Smith said the company first learned of the breach on July 29, but didn’t go public with the information for six weeks because “we thought the intrusion was limited.”

Smith described the hack as the “most humbling moment” in the company’s 118-year history. Founded in 1899 and based in Atlanta, Georgia, it is the oldest of the three largest American credit agencies along with Experian and TransUnion. “We are devoting extraordinary resources to make sure this kind of incident doesn’t happen again,” Smith wrote, promising to “make changes and continue to strengthen our defenses against cyber crimes.”

The company has been highly scrutinized for its handling of the data breach, which compromised the personal information of as many as 143 million Americans. Residents in the United Kingdom and Canada were also impacted. After detecting the breach, Equifax waited six weeks before it notified the public in early September. Rather than informing people whose data had been compromised, the company set up a website that wasn’t ready for days.

Yahoo experienced similar scrutiny when it dealt with massive data breaches. The company announced in September 2016 that hackers in 2014 had stolen data from more than 500 million of its users’ accounts. Yahoo then announced in December 2016 another breach dating back to 2013 in which over a billion users had their data stolen. The US Securities and Exchange Commission opened an investigation into whether Yahoo should have informed investors sooner about the breaches.

To make up for its failure to protect users’ data, Equifax, which rakes in around US$ 3.1 billion in annual revenue, offered free credit monitoring services to its customers. But the company was criticized for requiring those who enrolled for the offer to waive their right to sue the company. Soon enough, Equifax backtracked on the requirement, allowing customers to sue the company if they notified it in writing within 30 days.

Nevertheless, Equifax has been forthcoming about the wider issue of cybersecurity and the need for change. Smith acknowledged some of the company’s problems in his article, admitting that consumers and media have raised “legitimate concerns” about the services Equifax offered and the operations of its call center and website. “We accept the criticism and we are working to address a range of issues,” he said.

Smith said the company is now committed to doing everything it can to support those affected by the breach. “Our team is focused on this effort and we are engaged around the clock in responding to millions of inquiries from consumers,” he said. Equifax has warned, however, that credit card numbers of around 209,000 people have been exposed, in addition to “personal identifying information” on roughly 182,000 customers involved in credit report disputes.  

Prior to Equifax’s data breach, Time Warner-owned US TV network HBO was the latest major corporation to fall victim to hackers. HBO confirmed on July 31 that a whopping 1.5 terabytes of material had been stolen – a significantly larger amount than the 200 gigabytes stolen from Sony Pictures in 2014. Similar to Equifax’s breach, HBO’s hackers obtained potentially sensitive information, including employee data and even access to internal corporate emails.

The string of corporate hacks this year, including the global “WannaCry” ransomware attack in May and the subsequent “Petya” attack in late June, represents a chilling trend taking place all over the globe, in which hackers are finding more avenues to infiltrate even the most seemingly protected organizations and new ways to widen their operational space.

An ever-evolving threat

Hackers today have more tools at their disposal than ever before. They also have a keen sense of when to use each one for maximum effect. Cisco’s Annual Cybersecurity Report 2017 explains how the explosive growth of mobile endpoints and online traffic works in favor of hackers. Adversaries have more space in which to operate, the report claims, and more choices of targets and approaches.

It may not be possible to stop all attacks, the report says, but you can minimize both the risk and the impact of threats by “constraining your adversaries’ operational space and, thus, their ability to compromise assets.” Cisco suggests that companies should simplify their collection of security tools by integrating them into an automated architecture to streamline the process of detecting and mitigating threats. That leaves companies with more time to address more complex and persistent ones.  

According to Cisco’s 2017 Security Capabilities Benchmark Study, organizations that have not yet suffered a security breach may believe their networks are safe. This confidence is probably misplaced, the report says, considering that 49 percent of the security professionals surveyed said their organizations have had to manage public scrutiny following a security breach.

Take Yahoo for instance: Following the shocking revelation that 1.5 billion of its users’ accounts were hacked on two separate occasions, the company was forced to slash the price of its core internet business in the sale to US telecom giant Verizon by $350 million. Yahoo is also in the midst of lawsuits related to the way the hacks were handled. In an effort to defuse the situation and make up for damage to its reputation, Yahoo announced that it would not award CEO Marissa Mayer a cash bonus for 2016.

The Cisco study found that nearly a quarter of the organizations that have suffered an attack lost business opportunities, and four in ten said those losses were substantial. One in five organizations lost customers due to an attack, and nearly 30 percent lost revenue. When breaches occurred, operations and finance were the functions most likely to be affected (36 percent and 30 percent, respectively), followed by brand reputation and customer retention (both at 26 percent).

The report once again emphasizes the importance of companies focusing their resources on reducing their adversaries’ operational space if they want to avoid the aforementioned consequences. As a result, attackers will find it difficult to gain access to valuable enterprise resources and to conduct their activities without being detected. Automation, the report says, is essential to achieving this goal.

Automation helps companies to understand what normal activity is in the network environment, so they can focus their resources on more significant threats. Simplifying security operations, the report says, is the most effective way of eliminating adversaries’ unconstrained operational space. Unfortunately, most organizations are using more than five solutions from more than five vendors, according to the study, creating a complex web of technology, which can be a recipe for less, not more, protection.
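What “understanding what normal activity is” looks like in code, as an added example that is not from the Cisco report or this article: a per-host baseline of daily outbound volume is built from a week of log lines, and the latest day is scored against it so that only large deviations (and hosts with no history at all) reach an analyst. The log format, addresses and volumes are constructed for illustration.

```python
"""Added example (not from the Cisco report or this article): baseline each
host's normal daily outbound volume, then surface only the hosts whose latest
day departs from it. The log lines and addresses below are constructed."""
import re
import statistics
from collections import defaultdict

# Constructed sample log: one line per host per day. 10.0.0.5 is steady for a
# week and then moves 5,000,000 bytes; 10.0.0.9 stays flat; 10.0.0.77 appears
# only on the last day, so it has no history to compare against.
SAMPLE_LOG = """\
2017-09-01 10.0.0.5 outbound_bytes=100000
2017-09-01 10.0.0.9 outbound_bytes=50000
2017-09-02 10.0.0.5 outbound_bytes=110000
2017-09-02 10.0.0.9 outbound_bytes=52000
2017-09-03 10.0.0.5 outbound_bytes=120000
2017-09-03 10.0.0.9 outbound_bytes=48000
2017-09-04 10.0.0.5 outbound_bytes=130000
2017-09-04 10.0.0.9 outbound_bytes=51000
2017-09-05 10.0.0.5 outbound_bytes=120000
2017-09-05 10.0.0.9 outbound_bytes=49000
2017-09-06 10.0.0.5 outbound_bytes=110000
2017-09-06 10.0.0.9 outbound_bytes=50000
2017-09-07 10.0.0.5 outbound_bytes=100000
2017-09-07 10.0.0.9 outbound_bytes=51000
2017-09-08 10.0.0.5 outbound_bytes=5000000
2017-09-08 10.0.0.9 outbound_bytes=52000
2017-09-08 10.0.0.77 outbound_bytes=40000
this line is malformed and must be skipped, not crash the job
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) outbound_bytes=(\d+)$")


def parse_log(text):
    """Map date -> {host: bytes}; lines that don't match the format are skipped."""
    daily = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, host, nbytes = m.groups()
            daily[date][host] = daily[date].get(host, 0) + int(nbytes)
    return daily


def find_anomalies(text, z_threshold=3.0, min_history=3):
    """Score the latest day against each host's earlier days.
    Returns [(host, reason)] for the hosts worth an analyst's time."""
    daily = parse_log(text)
    dates = sorted(daily)
    latest, history = dates[-1], dates[:-1]
    per_host = defaultdict(list)
    for d in history:
        for host, n in daily[d].items():
            per_host[host].append(n)

    findings = []
    for host, n in sorted(daily[latest].items()):
        hist = per_host.get(host, [])
        if len(hist) < min_history:
            findings.append((host, f"no baseline ({len(hist)} prior days)"))
            continue
        mean = statistics.mean(hist)
        # Floor the spread at 5% of the mean: a perfectly flat history would
        # otherwise give a zero stdev and an infinite z-score.
        sd = max(statistics.pstdev(hist), 0.05 * mean)
        z = (n - mean) / sd
        if z > z_threshold:
            findings.append((host, f"z={z:.1f}: {n} bytes vs baseline mean {mean:.0f}"))
    return findings


if __name__ == "__main__":
    for host, reason in find_anomalies(SAMPLE_LOG):
        print(host, reason)
```

Running the script lists only 10.0.0.5 (far above its own baseline) and 10.0.0.77 (no history), while the flat host 10.0.0.9 never reaches the analyst; the threshold and minimum-history parameters are the knobs a team tunes against its own telemetry.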

Published in Featured

Kaspersky Lab researchers have detected new malware designed to steal the credentials of online banking customers. Earlier versions of the new malware, called NukeBot, were known to the security industry as TinyNuke, but lacked the features necessary to launch attacks. The latest versions, however, are fully operational and contain code to target the users of specific banks.

Although the appearance of a malware family in the wild is not unusual, the fact that criminals have a ready-to-attack version of the Trojan means that they may soon initiate a wide-scale malicious campaign to infect multiple users, Kaspersky claims. As an early warning to its customers and other users, Kaspersky Lab has published a brief analysis of the malware.

NukeBot is a “banking Trojan”. Upon infection it “injects” malicious code into the webpage of an online banking service displayed in a victim’s browser and then steals user data, spoofs their credentials, and more. According to Kaspersky Lab researchers, there are already a number of compiled samples of this Trojan in the wild – shared on underground hacking forums. Most of these are rough, barely operational malware drafts; however, the company’s experts have managed to identify some that pose a real threat.

Around 5% of all samples found by Kaspersky Lab were NukeBot’s new ‘combat versions’, which have improved source code and attack capabilities. Among other things, these versions contain injections – specific pieces of code that mimic parts of the user interface of real online banking services. Based on the analysis of the injections, Kaspersky Lab experts believe the main targets of the new version of NukeBot are users of several French and US banks.

In addition, Kaspersky Lab researchers managed to detect several NukeBot modifications that didn’t have web injection functionality, and were designed to steal mail client and browser passwords. This means that developers of new versions may aim to widen the functionality of this malware family.

“While criminals behind recent versions of this malware currently are not actively distributing NukeBot, this may, and likely will, change very soon. We’ve already seen this before with some other malware families: after a short testing period of a ready-to-attack malware, criminals start distributing it widely through infected websites, spam and phishing,” said Sergey Yunakovsky, security expert at Kaspersky Lab.

“So far we have seen NukeBot versions which are ready to attack the customers of at least six banks located in France and the US, however this list of targets looks like only the beginning,” Sergey added. “The goal of our brief research is to warn the banking community and online banking customers about a potentially emerging threat. We urge interested parties to use the results of our research in order to protect themselves from this threat in advance.”

Published in Finance

Each year, Verizon issues its Data Breach Investigations Report (DBIR), providing a view into the current world of cybercrime. The report discusses what you need to know about the latest threats and tips for how to help protect yourself from becoming a victim of cybercrime.

As cybercriminals continue to change their approaches, cyber-espionage and ransomware attacks continue to rise. The report outlines how cyber-espionage cases originate from phishing emails, while ransomware involves a type of malware and aims to extort money from its victims.

The report highlights how people are still falling for phishing, the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and indirectly money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

This year’s DBIR found that around 1 in 14 users were tricked into following a link or opening an attachment—and a quarter of those went on to be duped more than once. In addition, 80 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.

The report adds that pretexting is on the rise, and is predominantly targeted at financial department employees – the ones who hold the keys to money transfers. Email was the top communication vector, accounting for 88 percent of financial pretexting incidents, with phone communications in second place with just under 10 percent. Furthermore, smaller organizations are also a target: 61 percent of victims analyzed were businesses with fewer than 1,000 employees.

How can you avoid becoming a victim? The report advises people to stay vigilant; keep data access on a “need to know” basis; protect sensitive data by encrypting it (translating it into a private code that can only be unlocked with a secret password); and add an extra layer of security by using two steps to verify your identity – such as a password and a text message.
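The report’s advice on need-to-know access and two-step verification, together with the finding above that most hacking-related breaches leveraged stolen, weak or guessable passwords, as an added Python example that is not from the DBIR or this article. The role table, the short common-password list and the user secrets are constructed for illustration; the second step uses an HOTP one-time code (RFC 4226), the counter-based standard behind authenticator codes, in place of an SMS gateway.

```python
"""Added example (not from the DBIR or this article): need-to-know access,
non-guessable passwords stored as salted PBKDF2 hashes, and a second
verification step using an HOTP one-time code (RFC 4226). All users, roles
and the common-password list below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000

# Constructed short list; a real check compares against a breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}


def is_guessable(password: str) -> bool:
    """Reject short passwords and anything on the common list."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a mismatch leaks nothing through timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def two_step_login(password, salt, digest, otp_secret, counter, presented_code):
    """Both steps must pass; returns (ok, next_counter). The counter advances
    only on success, so a code that was already accepted is not accepted again."""
    if not verify_password(password, salt, digest):
        return False, counter
    if not hmac.compare_digest(hotp(otp_secret, counter), presented_code):
        return False, counter
    return True, counter + 1


# Constructed need-to-know policy: the data classifications each role may read.
NEED_TO_KNOW = {
    "claims_agent": {"public", "internal"},
    "fraud_analyst": {"public", "internal", "pii"},
}


def can_read(role: str, classification: str) -> bool:
    """Default deny: unknown roles and unlisted classifications get nothing."""
    return classification in NEED_TO_KNOW.get(role, set())


if __name__ == "__main__":
    salt, digest = hash_password("correct-horse-battery-staple")
    secret = b"12345678901234567890"  # constructed shared secret for the second step
    ok, counter = two_step_login("correct-horse-battery-staple", salt, digest,
                                 secret, 0, hotp(secret, 0))
    print("login:", ok, "next counter:", counter)
    print("claims agent may read pii:", can_read("claims_agent", "pii"))
```

The password step and the one-time-code step are deliberately separate functions so that a failure in either leaves the counter untouched; encrypting stored data, the report’s remaining recommendation, needs an authenticated cipher from a library such as `cryptography` and is not covered by the standard-library code here.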

In its 10th year, the DBIR compiles data from 65 organizations across the world and continues to be one of the industry’s most respected sources of information. The report includes analysis of 42,068 incidents and 1,935 breaches from 84 countries.

Cisco and IBM join forces to tackle cybercrime

Written on Monday, 05 June 2017 10:37

Cisco and IBM Security have announced they are working together to address the growing global threat of cybercrime. In a new collaboration, Cisco and IBM Security will work closely together across products, services and threat intelligence for the benefit of customers.

Cisco security solutions will integrate with IBM’s QRadar to protect organizations across networks, endpoints and cloud. Customers will also benefit from the scale of IBM Global Services support of Cisco products in their Managed Security Service Provider (MSSP) offerings.

The collaboration also establishes a new relationship between the IBM X-Force and Cisco Talos security research teams, who will begin collaborating on threat intelligence research and coordinating on major cybersecurity incidents.

One of the core issues impacting security teams is the proliferation of security tools that do not communicate or integrate. A recent Cisco survey of 3,000 chief security officers found that 65 percent of their organizations use between six and 50 different security products. Managing such complexity is challenging over-stretched security teams and can lead to potential gaps in security.

The Cisco and IBM Security relationship is focused on helping organizations reduce the time required to detect and mitigate threats, offering organizations integrated tools to help them automate a threat response with greater speed and accuracy.

“In cybersecurity, taking a data-driven approach is the only way to stay ahead of the threats impacting your business,” said Bill Heinrich, Chief Information Security Director, BNSF Railway. “Cisco and IBM working together greatly increases our team’s ability to focus on stopping threats versus making disconnected systems work with each other. This more open and collaborative approach is an important step for the industry and our ability to defend ourselves against cybercrime.”

Integrating threat defenses across networks and cloud

The cost of data breaches to enterprises continues to rise. In 2016, the Ponemon Institute found that, for the companies surveyed, the cost was at its highest ever at $4 million, up 29 percent over the past three years.

A slow response can also impact the cost of a breach – incidents that took longer than 30 days to contain cost $1 million more than those contained within 30 days. These rising costs make visibility into threats, and blocking them quickly, central to an integrated threat defense approach.

The combination of Cisco’s best-of-breed security offerings and its architectural approach, integrated with IBM’s Cognitive Security Operations Platform, will help customers secure their organizations more effectively from the network to the endpoint to the cloud.

As part of the collaboration, Cisco will build new applications for IBM’s QRadar security analytics platform. The first two new applications will be designed to help security teams understand and respond to advanced threats and will be available on the IBM Security App Exchange.

These will enhance the user experience and help clients identify and remediate incidents more effectively when working with Cisco’s Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Advanced Malware Protection (AMP) and Threat Grid.

In addition, IBM’s Resilient Incident Response Platform (IRP) will integrate with Cisco’s Threat Grid to provide security teams with insights needed to respond to incidents faster. For example, analysts in the IRP can look up indicators of compromise with Cisco Threat Grid's threat intelligence, or detonate suspected malware with its sandbox technology. This enables security teams to gain valuable incident data in the moment of response.

“Cisco’s architectural approach to security allows organizations to see a threat once, and stop it everywhere. By combining Cisco’s comprehensive security portfolio with IBM Security’s operations and response platform, Cisco and IBM bring best-of-breed products and solutions across the network, endpoint and cloud, paired with advanced analytics and orchestration capabilities,” said David Ulevitch, SVP and general manager, Cisco Security.  

Threat intelligence and managed services

IBM X-Force and Cisco Talos research teams will collaborate on security research aimed at addressing the most challenging cybersecurity problems facing mutual customers by connecting their leading experts. For joint customers, IBM will deliver an integration between X-Force Exchange and Cisco’s Threat Grid. This integration greatly expands the historical and real-time threat intelligence that security analysts can correlate for deeper insights. 

For example, Cisco and IBM recently shared threat intelligence as part of the recent WannaCry ransomware attacks. The teams coordinated their response and researchers exchanged insights into how the malware was spreading. They continue to collaborate on the investigation to ensure joint customers, and the industry have the most relevant information.

Through this expanded collaboration, IBM’s Managed Security Services team, which manages security for over 3,700 customers globally, will work with Cisco to deliver new services aimed at further reducing complexity. One of the first offerings is designed for the growing hybrid cloud market. As enterprise customers migrate security infrastructure to public and private cloud providers, IBM Security will provide Managed Security Services in support of Cisco security platforms in leading public cloud services.

On March 7 2017, WikiLeaks began its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency. The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia.

The technology industry has been scrambling to understand the implications of the alleged CIA hacking arsenal described in the WikiLeaks documents, which is said to be capable of spying on phones and other connected devices – even end-to-end encrypted applications like WhatsApp.

Major technology firms, such as Apple and Samsung, have responded to the revelations saying they are looking closely at the released documents. Apple said in a release, "While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue to work rapidly to address any identified vulnerabilities."

Samsung responded publicly to the revelations, saying: "We are aware of the report in question and are urgently looking into the matter." Meanwhile, Microsoft said it is "aware of the report" and is "looking into it".

Some analysts, however, doubt the severity of the leaked documents, especially because they have not been confirmed as authentic yet. The 2013 revelations from former US national security contractor Edward Snowden, who revealed mass surveillance tools used by the National Security Agency, are seen by some as more controversial.

Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force — its own substantial fleet of hackers, says a WikiLeaks release.

The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.

By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware.

Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.

In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons, says the WikiLeaks release.

"These are targeted mechanisms; they can't be used for bulk intelligence," said Joseph Hall, a technologist with the Center for Democracy and Technology, a digital rights organization. "It means they can't attack things in the middle and the core of the network, they have to go to the endpoints, and that's actually a nice thing. You have to be more precise about who you are targeting."

But the report raises serious concerns about the US government's promise to disclose security flaws to technology firms under a so-called "vulnerabilities equities process." The pledge suggests that "security flaws should get back to the companies so they can get fixed, and not languish for years," said Hall.

The documents leaked by WikiLeaks indicate that the CIA has tools that could turn smart TVs into listening devices, bypass popular encryption apps such as WhatsApp, and potentially control connected automobiles. The documents suggest CIA tools have targeted iPhones, Android systems (which US President Donald Trump's personal phone uses), and also popular Microsoft software.

Open Whisper Systems, the company that developed the technology for the communications tool Signal, said the CIA documents showed its encryption works. The WikiLeaks report "is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption," the group said in a tweet. Other encryption experts agreed.

In a blog post, Steve Bellovin, a Columbia University computer science researcher, said the existence of these hacking tools is "a testimonial to the strength of the encryption." He said it's "hard or impossible to break, so the CIA is resorting to expensive, targeted attacks."

Other experts suggest that the hacks are simply a method the CIA uses to trick people into installing its software. "Snowden revealed how the NSA was surveilling all Americans," said Robert Graham, a researcher with Errata Security.

"Nothing like that appears in the CIA dump. It's all legitimate spy stuff (assuming you think spying on foreign adversaries is legitimate)."

Bruce Schneier, chief technology officer at IBM Resilient and a frequent critic of government surveillance, said on his blog: "There is absolutely nothing illegal in the contents of any of this stuff. It's exactly what you'd expect the CIA to be doing in cyberspace."

Published in Government

Russia’s interior ministry recently said nine individuals have been detained who are alleged to be part of a cybercrime organization accused of stealing some $17 million from bank accounts.

A nationwide search was launched to find the 50-strong hacker group in Russia. The FSB security agency started an operation last year to track down the hackers, who had pilfered more than one billion rubles ($16.8 million) since 2013, according to a statement.

“Nine individuals suspected of participating in hacking attacks were detained on January 25,” said ministry spokesperson Irina Volk. One of the individuals was reportedly placed under arrest. In total, 27 members and organizers are being investigated, with 19 of them now under arrest, said the ministry.

According to reports, the latest arrests are connected to a case against legendary hacking collective ‘Lurk’ that was targeted by law enforcement agencies last year. Russian cybersecurity firm Kaspersky said the group was reportedly suspected of stealing some three billion rubles from commercial organizations including banks.

Russian hacking is in the global spotlight following the country’s alleged involvement in cyber-attacks targeting the US presidential election campaign. However, experts say the vast majority of cybercrime is not politically motivated but financial.

What’s more, the FSB itself is currently involved in a scandal that has seen at least two of its cybersecurity experts arrested for treason linked to the United States, according to a lawyer involved in the case. The treason case saw the arrest of Ruslan Stoyanov – the head of Kaspersky’s cybersecurity unit that probed ‘Lurk’.

Published in Government

A panel of experts assembled by the George Washington University Center for Cyber and Homeland Security said on October 31 that the U.S. government and private sector should have stronger measures in place to strike back against hackers and to counter cyber-attacks, aimed at stealing sensitive information and disrupting computer networks.

The experts said policies should be put in place that allow “active defense” measures that deter hackers, rather than “hacking back” to disable systems used by hackers and more or less stooping to their level. Some of the measures raised by the experts included taking down “botnets” that disrupt cyberspace, freeing data from “ransomware” hackers and “rescue missions” to recover stolen data, AFP reported.

The report reads, "The time for action on the issue of active defense is long overdue, and the private sector will continue to be exposed to theft, exfiltration of data, and other attacks in the absence of a robust deterrent. When private sector companies have a capability to engage in active defense measures, they are building such a deterrent, which will reduce risks to these companies, protect the privacy and integrity of their data, and decrease the risks of economic and societal harm from large-scale cyber-attacks."

On October 7, the U.S. government formally accused Russia of trying to “interfere” with the American presidential election, and promised to respond at an undisclosed time and place. Adding to the already tense relations between the two nations, a joint statement from the Department of Homeland Security and Office of the Director of National Intelligence was the first formal statement made by Washington, accusing Moscow of cyber attacks to gain political advantage. It represents a tense time for the U.S. and its battle against cybercrime.

Many believe that U.S. policymakers are moving too slowly against a “dynamic” threat from cyberspace, according to former national intelligence director and task force co-chair Dennis Blair. "We are shooting so far behind the rabbit that we will only hit it if the rabbit makes another lap and comes back to where it was," he told a conference presenting the report.

However, the panel did not recommend hacking back "because we don't want the cure to be worse than the disease," project co-director, Frank Cilluffo said. But "there are certain steps companies can take" to repel and deter cyber-attacks, he added, advocating the establishment of a legal framework for them.

The threat facing the U.S. regarding cybercrime is well understood, but some of the solutions to counter it have been controversial. Task force co-chair Nuala O’Connor, president of the Center for Democracy & Technology, said many of the recommendations go too far, such as inviting companies to gain unauthorized access to outside computer networks.

"I believe these types of measures should remain unlawful," she wrote, adding that it remains difficult to be sure of cyberattacks' sources. "The risks of collateral damage to innocent internet users, to data security, and to national security that can result from overly aggressive defensive efforts needs to be better accounted for."

Published in Government

Four new vulnerabilities affecting over 900 million Android smartphones were discovered recently, with Qualcomm chipsets found to be the root cause of the issue, according to research by security firm Check Point. Qualcomm was notified by the researchers about the issue earlier this year, and responded by making patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.

Researchers from Check Point detected the vulnerabilities affecting all Android devices running a specific Qualcomm chipset. Since the vulnerabilities are found in the software drivers Qualcomm ships with its chipsets, and since said drivers are pre-installed on devices straight out of the factory, they can only be fixed by installing a patch from the distributor or operator.

According to Check Point, the vulnerabilities, known as QuadRooter, can give attackers complete control of devices and unrestricted access to sensitive, personal and enterprise data which may be stored on the device. Check Point presented the results of its research at hacking and information security conference Defcon.

"Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape," said Adam Donenfeld, Senior Security Researcher, Check Point. "However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80 percent of the chipsets in the Android ecosystem, has almost as much effect on Android's security as Google. With this in mind, we decided to examine Qualcomm's code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices.”

Qualcomm responded to the issues discovered by Check Point by releasing patches on Code Aurora for users to protect their devices from the vulnerabilities. The website highlights security vulnerabilities in the QuIC-authored KGSL Linux Graphics Module and in the IPC router kernel module. The vulnerabilities were detected on all Android releases from CAF using the Linux kernel, commonly used worldwide in devices.

Qualcomm Innovation Center (QuIC) openly acknowledges Check Point on the Code Aurora patch pages, giving thanks to Adam Donenfeld from Check Point Software Technologies “for reporting the related issues and working with QuIC to help improve device security.”

“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI),” said Qualcomm in a press statement. “We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on Code Aurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities.”

It’s not the first time Qualcomm has faced controversy surrounding its products. In October last year, rumors surfaced that Qualcomm was experiencing overheating issues with its Snapdragon 820 processor. The company also faced criticism over the overheating issues plaguing the previous Snapdragon 810. Several companies that had made plans to use the 810 processor in premium smartphones had to seek ways of getting around the heating issue themselves, or opt for other processors altogether. Qualcomm denied accusations surrounding the 820.

"The rumors circulating in the media regarding Snapdragon 820 performance are false,” said the company at the time. “The Snapdragon 820 improves on all IP blocks and is fabricated in the second generation of the 14nm process technology. It is meeting all of our specifications, but more importantly it is satisfying the thermal and performance specifications from our OEMs.”

Published in Telecom Vendors