now browsing by tag
The COVID-19 pandemic has become a sobering experience in many ways. We are witnessing firsthand the negative impact that a fragmented national public health system has on our safety, health and economy.
Social isolation has become a stark reality and necessity for people around the globe, including here in the United States. While social distancing has become the operational approach to slow down the spread of the COVID-19 virus (or at least flatten the infection curve), this isolation has ripple effects across other components of our lives. A vast number of people will telecommute and work from home. Schools at the K-12 and university levels are instructing students to stay away from campus and suspending face-to-face teaching. Faculty are moving all classes online. The entertainment and sports industries are canceling events and premiers, and restaurants and bars are closing. Major studios are rushing to push content to streaming services; the list will continue.
While these responses are prudent, the result is that more of our daily routines are dependent on the internet, internet technologies and telecommunications. This strategy to move to the online cyber and virtual realm, at least in the interim, is happening with no real thought about the cybersecurity implications.
Historically, cybercriminals have used crises to increase criminal activity and scams related to stealing personally identifiable information, as well as financial and personal health Information to defraud victims. Foreign actors have spread disinformation and attempted to disrupt recovery operations as a means of causing more chaos. The same thing is happening and will continue to happen with the COVID-19 crisis.
We already see cyberattacks against the U.S. Health and Human Services Department, and similar attacks in Europe. Scammers are sending fake emails and setting up fake COVID-19 health information websites, trying to phish user IDs and passwords. Other scammers are pretending to raise money to assist with replacement lunch programs for students or the isolated elderly. No one should be surprised to see a jump in cyber-criminal activity, as these people are opportunistic. We find ourselves in the perfect storm for cyberattacks.
Increased cyberattacks are not the only ripple effect we could see. The telecommunications and mobile network operators’ critical infrastructure must absorb an exponential increase in demand, with little or no ramp-up time. Similar to the public health system, these industries are fragmented and equally unprepared or capable across companies and regions. Internet and mobile network operators will find their resources pushed to the maximum.
We need only to look at recent natural disasters such as floods and tornadoes to see how fragile this infrastructure is. The ability to communicate either via email or mobile phone with emergency services, loved ones or the media to get information disseminated is essential during a crisis and the ensuing recovery period.
Social isolation will put a significant burden on the telecommunications and mobile network infrastructure. We will now have millions of people working from home using local or regional providers to connect to company networks. K-12 and university students are trying to resume their studies online using e-learning, placing more burden on networks and the infrastructure. People will increase their use of streaming media for news and entertainment purposes, including on their mobile devices.
This increased demand will also not follow the regular demand cycles, at least in the foreseeable future — school time, the typical workday and leisure activities no longer have rigid schedules; they will be somewhat blended together. This lack of regular routines could potentially magnify the demand and further negatively impact bandwidth and availability.
We must understand that with our increased dependence on technology and cyber, there are increased risks that we need to be aware of and plan for. Governments, businesses and schools need to provide some direction and advice to the general public on how to follow not only appropriate “anti-COVID-19 hygiene” but also “cybersecurity hygiene.”
Since networks will now be extended to homes during this time, similar cybersecurity policies, practices and standards that someone would adhere to if they were physically sitting at work or school need to apply.
We may also need to consider metering our online behavior to essential activities such as those related to our work, education or critical communications, or at the very least following the more regular rhythm of the day — routine work or school hours.
We will learn many lessons from the COVID-19 pandemic, and the cost will be high in terms of lives and the economy. Hopefully, when we come out on the other side of this crisis, we will also have a better understanding of how to protect our critical infrastructures and the real risks of living even deeper in cyberspace.
Dr. Marcus Rogers is a professor and executive director of cybersecurity programs at Purdue University; he has over 25 years of experience in public- and private-sector consulting in the area of information technology security, and has consulted for the military, law enforcement and for some of the largest financial and health care providers in the world.
The post #cyberfraud | #cybercriminals | Could fighting coronavirus compromise cybersecurity? appeared first on National Cyber Security.
View full post on National Cyber Security
Super Tuesday goes off (mostly) without a hitch.
Super Tuesday in the US proceeded without any evidence of hacking or significant disinformation, according to the Washington Post. A senior official at the Cybersecurity and Infrastructure Security Agency (CISA) told the press that US law enforcement and intelligence agencies didn’t see any noteworthy malicious activity, ABC News reports. There was a spate of robocalls in Texas that instructed Democrats to vote on Wednesday, but the CISA official noted that these types of calls are common on election days.
Some states did encounter technical glitches with voting machines and election websites. State-run polling location websites for Texas and Minnesota temporarily went down due to heavy traffic, Nextgov says. Los Angeles County in California experienced voting machine shutdowns that resulted in very long wait times, the Los Angeles Times reports. CISA said none of these issues were attributed to malicious activity.
General Paul Nakasone, director of US Cyber Command and NSA, told Congress on Wednesday that his “top priority is a safe and secure election that is free from foreign influence,” according to The Hill. General Nakasone said the government coordination during the 2018 midterms looked “like a pickup game” compared to what he saw this past Super Tuesday. He added that adversaries are still using social media platforms to conduct influence operations, but said “we are ready for them.”
Prior to Super Tuesday, the heads of eight US government agencies (DOS, DOJ, DOD, DHS, ODNI, FBI, NSA, and CISA) released a joint statement warning foreign adversaries not to interfere with US elections, saying “We continue to make it clear to foreign actors that any effort to undermine our democratic processes will be met with sharp consequences.”
Chinese security company calls out CIA for cyberespionage.
Chinese security firm Qihoo 360 published a report asserting that the US Central Intelligence Agency conducted an eleven-year espionage campaign against organizations in China and around the world. The content of the report isn’t new or surprising. For the most part, it lays out information that was already known from the Vault 7 files, although ZDNet points out that the targets of the alleged operation weren’t previously known.
Most observers believe the timing of the report is more significant than its contents. Qihoo 360 generally publishes useful and detailed reports on malware campaigns and APT activity, but Forbes and others see this particular report as the Chinese government’s response to the US Justice Department’s recent indictment of Chinese military hackers.
TA505 targets South Korea.
CyberScoop reports that the financially motivated threat group TA505 largely concentrated its efforts against South Korean organizations in 2019. According to researchers at South Korea’s Financial Security Institute, the group has been distributing the FlawedAmmyy Trojan via spearphishing emails tailored to South Korean recipients. The researchers say the threat actor has also been deploying the Clop and Locky ransomware strains. In one case, the group appeared to use the Rapid ransomware, which TA505 hasn’t been known to use in the past, although the researchers suspect the Rapid incident was “a one-time attack because it did not use valid digital signatures and custom packers commonly found in malwares distributed by the TA505 Threat Group.”
DoppelPaymer begins publishing stolen data.
Colorado-based manufacturing company Visser Precision disclosed to TechCrunch that it had sustained a cyberattack, which Brett Callow at Emsisoft concluded was a DoppelPaymer ransomware infection that was preceded by data theft. Visser’s customers include SpaceX, Tesla, Boeing, and Lockheed Martin, and the ransomware operators have apparently stolen files related to contracts with these companies. Some of the stolen files have been publicly posted to a website set up by DoppelPaymer’s operators. Callow told Forbes and other outlets that DoppelPaymer’s proprietors have been exfiltrating and selling data from their victims for some time now, but they’ve only just begun publishing those data as an extortionary tactic.
DoppelPaymer’s operators gave BleepingComputer the rundown on their preferred method for exfiltrating their victims’ data. As the crooks move laterally within a compromised network, they seek out cloud backup credentials. They then download these backups to their own servers, explaining that there’s “No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to ‘data breach detection software.’” After this, they delete the backups from the victim’s cloud service and begin encrypting the data on the victim’s servers.
Coronavirus phishbait and disinformation.
COVID-19 continues to be widely used as phishbait, the Wall Street Journal reports. Proofpoint and other security companies have observed a significant spike in coronavirus-themed phishing emails and scams since the end of January. Proofpoint’s senior director of threat research Sherrod DeGrippo told the Journal that the global nature of the subject lends itself well to widespread phishing campaigns, describing it as “social engineering at scale, based on a fear.”
Disinformation and misinformation are also coming into play. Lea Gabrielle, the coordinator of the US State Department’s Global Engagement Center, told Congress on Thursday that Russia had used “swarms of online, false personas” to spread disinformation about the coronavirus, the Washington Post reports. The Post also obtained a report from the Global Engagement Center that said the Center had identified around two million tweets pushing hoaxes and conspiracies about the virus between January 20th and February 10th, some of which displayed “evidence of inauthentic and coordinated activity.” Gabrielle didn’t mention this report in her testimony, and the report didn’t mention Russia, so it’s not clear if the activities are related.
Russian President Putin said on Wednesday that Russia itself was being targeted by a wave of fake news seeking to spread fear about the coronavirus, according to Reuters. Group-IB said on Monday that it had identified a voice message concerning a coronavirus outbreak in Moscow being widely shared by bots on the Russian social media service VK. The Russian cybersecurity firm states, “We strongly urge the general public to stay vigilant about unverified sources distributing such fake claims and follow the recommendations of the World Health Organization to prevent coronavirus infection.”
Let’s Encrypt revokes three million certificates.
Let’s Encrypt on Wednesday revoked three million certificates after it identified a bug in the way its code checked Certificate Authority Authorization (CAA) records, the Register reports. Naked Security explains that certificate-issuing organizations are required to check a domain’s CAA record every time they issue a new certificate for that domain, in order to prevent fraud. Some organizations have a different Let’s Encrypt certificate for each of their domains, and the company conveniently allows them to renew all of these domains at once. When this happened, however, instead of iterating through the list of domains and checking the CAA record of each one, Let’s Encrypt’s Go code would repeatedly check the record of just one of the domains in the list (Jacob Hoffman-Andrews from the EFF noted that this is a common mistake in Go programming). As a result, Let’s Encrypt had to revoke the certificates of every domain whose CAA record hadn’t been properly checked.
Let’s Encrypt has advice for affected customers here.
Cisco is developing patches to address the Kr00k vulnerability in Broadcom and Cypress chips, which can allow an unauthenticated attacker to intercept and decrypt certain Wi-Fi data frames, ZDNet reports. Multiple Cisco products use Broadcom chips, and Cisco notes that “There are no workarounds that address this vulnerability.”
Crime and punishment.
The US Department of Justice has indicted Charles K. Edwards, former Acting Inspector General for the US Department of Homeland Security, for allegedly “stealing confidential and proprietary software from DHS Office of Inspector General (OIG), along with sensitive government databases containing personal identifying information (PII) of DHS and USPS employees, so that Edwards’s company, Delta Business Solutions, could later sell an enhanced version of DHS-OIG’s software to the Office of Inspector General for the U.S. Department of Agriculture at a profit.” The Justice Department maintains that Edwards continued this scheme even after resigning from the DHS-OIG, with the help of a former subordinate, Murali Yamazula Venkata, who was also charged in the indictment. Edwards allegedly hired “software developers in India for the purpose of developing his commercial alternative of DHS-OIG’s software.”
Reuters reports that the Swiss government has filed a criminal complaint “against persons unknown” over reports that the Switzerland-headquartered encryption company Crypto AG was secretly owned by the US CIA and Germany’s BND. The Swiss attorney general’s office on Sunday said it “has received a criminal complaint by the State Secretariat for Economic Affairs (SECO) dated Feb. 2, 2020 regarding possible violations of export control law.”
Computing reports that London’s Metropolitan Police stopped and questioned five people after they were incorrectly identified by the police force’s facial recognition technology. The Register notes that according to a small sample of the Met’s own data, the force’s facial recognition software has an inaccuracy rate of 87.5%.
Huawei has pleaded not guilty to US charges of racketeering and fraud, according to Reuters.
Courts and torts.
Axios notes that the US Federal Communications Commission has disclosed the proposed size of the fines it plans to impose on the four major US wireless carriers over their sale of customer location data to third parties. T-Mobile faces a $91.6 million fine, AT&T is looking at $57.2 million, Verizon, $48.3 million, and Sprint, $12.2 million. The FCC stated that “The size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.” The Wall Street Journal says T-Mobile plans to challenge the FCC’s proposed fine.
Brussels Airlines is suing a Flemish man who fraudulently used an app designed for airline employees to obtain three tickets to New York, the Brussels Times reports. The man bought the tickets through the app, then cancelled the purchase and received a refund. He then manipulated the URLs of the tickets so that they were still valid. The airline is seeking the price of the tickets plus an extra €1,000 for the cost of securing their system. The man’s lawyer contests this extra charge, according to HLN, arguing that “my client told Brussels Airlines exactly where their weaknesses were, so they should be grateful for that.”
Policies, procurements, and agency equities.
US Senators Lindsey Graham (Republican of South Carolina), Richard Blumenthal (Democrat of Connecticut), Josh Hawley (Republican of Missouri), and Dianne Feinstein (Democrat of California) introduced the EARN IT Act on Thursday. The bill would set up a government commission that would define best practices for tech companies to fight child sex abuse material online. If companies refuse to comply with these best practices, they could lose immunity provided by Section 230 of the Communications Decency Act, which holds that, for the most part, tech companies can’t be held liable for content hosted on their platforms as long as the companies take appropriate action when they come across illegal content. According to Politico, the bill currently has the support of four Republicans and six Democrats in the Senate.
Most observers, including WIRED, see the EARN IT Act as the US Justice Department’s long-anticipated attempt to compel companies to build ways for law enforcement to gain access to encrypted communications. Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, told the CyberWire that the Act is a “way of coming up with best practices that would tell providers, you would be risking your immunity under Section 230 if you did not adopt best practices that basically require walking away from privacy and security protective measures that those platforms have implemented, such as end-to-end encryption.” Pfefferkorn summarizes the ways in which the proposal that was introduced Thursday differs from an earlier draft of the bill, concluding that “It’s still a sprawling mess that would take a roomful of lawyers and policy wonks, with many different kinds of expertise, to issue-spot everything that’s weird or problematic with it.”
Members of the Cyberspace Solarium Commission (CSC) on Tuesday previewed some recommendations in their report due to be released next week. First, the CSC strongly advocates for the use of paper ballots due to the importance of trust in the voting process. Second, the CSC will recommend that a fifth member be added to the US Election Assistance Commission (EAC), who will focus solely on issues of election security. The EAC is currently made up of two Republicans and two Democrats, which often leads to gridlock. The CSC believes adding another member to address the non-partisan issue of election security can help get the wheels moving, at least in this area. A third recommendation is civic education, particularly around disinformation.
Germany’s BSI has instructed local government institutions not to pay the ransom if they suffer a ransomware attack, BleepingComputer reports.
Fortunes of commerce.
Maersk is laying off 150 employees from its command-and-control center in the UK, the Register reports. These employees were largely responsible for Maersk’s recovery from the NotPetya attack in 2017.
The Cyber Security Agency of Singapore (CSA) will oversee a Cyber Talent initiative that will contact more than 20,000 people for potential talent-spotting for cybersecurity jobs, the Straits Times reports.
Mergers and acquisitions.
Xerox is moving forward with its attempted takeover of HP, the Wall Street Journal reports. The company is offering HP’s shareholders $24.00 per share. HP maintains that it’s open to a potential combination, but argues that Xerox’s offer is too low.
Professional services firm Accenture has purchased UK-based cyber defense consultancy Context Information Security from Babcock International Group for an undisclosed amount.
UK-based semiconductor maker Arm has sold its cybersecurity unit Trustonic to London-based private equity firm EMK Capital for an undisclosed amount, the Telegraph reports.
Northern Ireland-based network intelligence and security company Titan IC has been acquired by Sunnyvale, California-based Mellanox Technologies, a company that provides interconnect products for servers and storage. The Irish News notes that Mellanox itself is being acquired by Santa Clara, California-based Nvidia for $6.8 billion.
Thoma Bravo has completed its acquisition of British cybersecurity firm Sophos for $3.9 billion. The deal took Sophos private, and the company’s stock is no longer being traded on the London Stock Exchange.
Investments and exits.
Santa Clara, California-based network-level security company Ordr has received additional Series B funding from Mayo Clinic and Kaiser Permanente. The company didn’t disclose the exact amount of the new funding, but said it has “now raised approximately $50 million.”
Virginia-based software security company RunSafe Security has secured $3.5 million in a Series A funding round led by Lockheed Martin Ventures and NextGen Venture Partners.
Pleasanton, California-based smart security camera company Deep Sentinel has received investments from Nationwide and other undisclosed investors that have brought its Series A round up to $24 million, though the exact amount invested by Nationwide wasn’t disclosed, VentureBeat reports.
The post #cyberfraud | #cybercriminals | The Week that Was, 3.7.20 appeared first on National Cyber Security.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | How Veterans Affairs CISO Approaches Risk, Recruiting Talent and Proving Cyber’s Business Value
Paul Cunningham sees some similarities between his first stint in government service—flying helicopters as a lieutenant commander for the U.S. Navy—and his current role as chief information security officer at the Veterans Affairs Department.
“Risk management—from the aviation and cybersecurity perspectives—are pretty important,” Cunningham told Nextgov, speaking from his office at VA’s headquarters in Washington, D.C. “You want to drive down risk to as close to zero as you can.”
At an enterprise as large as VA, eliminating risk entirely is impossible because it’s simply too big. VA currently employs some 404,000 people across 170 hospitals, 1,200 clinics and 130 cemeteries across more than 25,000 acres of property. VA manages the largest medical network in the country—providing care to approximately 10 million veterans annually—and each year processes about $120 billion in financial transactions. VA’s Office of Information Technology alone is comprised of several thousand federal IT professionals, managing programs and overseeing networks across the country.
“If we were a private-sector company, we’d be in the Fortune 10 or Fortune 5, on par with companies like that,” Cunningham said. “We’ve got to start thinking like a business in those kinds of numbers alone. We want to show cyber has a business value.”
That’s where risk management comes into play. In government, you want to spend the money you’re budgeted, and a common sense approach to risk management helps a CISO determine where best to obligate funding.
“If we have one more dollar to spend, do we spend it on training employees on phishing scams or invest it in our firewall?” Cunningham said. In IT security decision-making, Cunningham said you first acknowledge risk and either accept it at face value, attempt to mitigate that risk or add value to the accepted risk. Decisions on whether to implement new technologies like artificial intelligence or internet-of-things medical devices, are weighed against other factors, such as total cost of ownership, security risks and potential returns on investment.
Cunningham became VA’s CISO in January 2019, having served in the same capacity at the Energy Department for 7 years and more than a year as a branch director for the U.S. Immigrations and Customs Enforcement. The stakes at VA are high, he said, because millions of veterans depend on the agency for health care, support, small business loans, education services, disability benefits and other services. Cunningham, a veteran himself—along with approximately 60% of VA OIT’s staff—said veterans sacrificed a lot to earth those rights and services, and their experience receiving those services should be as seamless as possible.
Yet delivering quality, timely services to veterans requires a bit of a balancing act. VA, like all agencies, has to comply with numerous federal laws, regulations—and as of late—an increasing number of binding operational directives from the Homeland Security Department. Cunningham called DHS “first among many” in terms of cybersecurity partner agencies across civilian government. It’s at this three-way intersection of compliance, cybersecurity and customer experience where Cunningham really earns his paychecks.
“When I look at it, it’s the balance of how quick we can serve veterans and reduce their burden, but what are the things we have to do to meet our federal requirements and what makes sound sense,” Cunningham said. “We still do compliance chasing, but we’re putting measures and metrics on priorities. Our job is to service the veterans. If we’re not looking at that first, then we’re probably missing the mark.”
For all the talk of silos in government, VA’s executives work closely with each other and meet often. In matters of IT and cybersecurity, the CIO and deputy CIO steer the rudders, while C-suite executives meet at least weekly to address governance matters on issues like architecture, finance, requirements and acquisition. The governance board meetings also serve as a time to get buy-in on potential solutions, and for executives to address big-mission items.
The biggest right now is VA’s transition to a new electronic health records system designed to be interoperable with the Pentagon’s electronic health records system. The multibillion-dollar Cerner Millennium platform, originally scheduled for a March launch, was delayed last month to July after clinicians asked to be trained on a full version of the system.
Cunningham said VA wants to learn from the challenges the Defense Department experienced rolling out their health records system “to help us slingshot” to their own successful rollout. While executives from both agencies are partnering together to ensure interoperability between both systems, Cunningham said the partnership will extend into the digital realm, sharing threat indicators and having the “full force of DOD protecting our network as well.”
On the horizon, Cunningham foresees the government’s tech workforce challenge as a major obstacle. Technology, he said, “is moving faster than the budget cycle can support,” and it is becoming increasingly difficult to recruit tech talent to the government ranks. Data from the Office of Personnel Management suggests VA is among the most challenged agencies when it comes to recruiting young tech talent. There may be no singular solution to this challenge, but Cunningham said increased partnership with the private sector—creating a sort of revolving door where techies move in and out of government with relative ease—may improve the government’s outlook.
“We’ve got to look at where we can partner with the private sector, for them to train people who can feed our machine and our people can feed back out in a more porous manner, so people don’t feel like they’re taking a big hit,” Cunningham said, noting the salary discrepancy between private and public sectors. “If you’re young and want hands-on experience, getting in the federal space is one way to do it.”
Cunningham also stressed the importance of role-based cyber training. Every employee, Cunningham said, has to be trained to be cyber and privacy warriors, but a standard one-size-fits-all cyber training isn’t enough. Employees require training relevant to their specific duties, and VA organizes a variety of summits and campaigns to “keep it at the forefront.”
“We’re trying to teach them habits that empower them without distracting from their jobs,” Cunningham said.
For aspiring CISOs, Cunningham recommends rounding out those resumes. A variety of career experiences is typically better suited for a CISO role than someone who has been in a singular role, Cunningham said. Further, while technical chops are great, they are not necessarily required for a policy-heavy role.
“For someone who wants to be a CISO, go read a job description and see what you can’t answer well, and then move your career to fill in those voids,” Cunningham said.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | Department of Parliamentary Services gives itself cyber tick of approval
The Australian Department of Parliamentary Services (DPS) has self-assessed that everything is mostly fine with its infrastructure, following a leaked report that everything was not.
Last month, the ABC reported that an internal audit written by KPMG had given many elements of DPS the lowest cyber maturity rating possible.
At Senate Estimates on Monday morning, DPS secretary Rob Stefanik said the leaked report was a draft prepared after the advisory giant had completed its “preliminary field work”.
“It wasn’t until a process of validation and verification that a lot of the information presented in that draft was simply found to be incorrect and the final report that they had produced, which had an implementation plan in it, in July 2019, did not have the statements in it that the original draft did.”
Stefanik said that instead of receiving the “ad hoc” rating — the lowest possible rating on a scale that ranges from ad hoc to developing, to managing, to embedded as the highest rating — the department bagged a “managing” rating in 85 of 88 criteria, with the remaining three being scored as “developing”.
Labor Senator Kimberley Kitching asked to what extent the department was able to self-assess its cyber maturity.
“It’s entirely self-assessment,” Stefanik replied.
Senate President Scott Ryan said the final report would not be released, and senators could take their concerns to the private Senate Standing Committee on Appropriations, Staffing, and Security.
“It is not appropriate to release that report because it contains information that could be used to weaken our cybersecurity,” he said.
“We have more lengthy discussions on these matters in a non-public forum to which all senators are entitled to attend and, having consulted officials, both in the Department of the Senate and in DPS, it is the view that that committee, which has a specific mandate regarding information technology in its terms of reference, is the appropriate place to discuss matters that should not be drawn to public attention or exposed to public.”
In earlier remarks, Ryan said public sector networks were targeted across a four-day period in October.
“During this period, the investment that DPS made in cybersecurity has paid dividends,” Ryan said.
“Our cybersecurity operation centre was able to leverage information from partners to be well prepared in advance of the campaign, and protective controls in place, blocked many attempts to inject malware into the environment.”
The attackers also went after parliamentary staff on their personal email addresses in an attempt to gain access to the parliamentary network.
“I’m pleased to report that there was a high degree of co-operation by users during this period, combined with the maturing cybersecurity defences that have been put in place. They both ensured that the parliamentary environment was protected from this attack,” the Senate President said.
“This is one example of many cases on a daily basis where parliament is targeted by malicious actors.”
The parliamentary network and Australia’s political parties were not successfully defended during an attack in February 2019.
For eight days, the attacker described as a state actor was able to remain on the network.
“While I do not propose to discuss operational security matters in detail, I can state that a small number of users visited a legitimate external website that had been compromised,” Ryan said at the time.
“This caused malware to be injected into the Parliamentary Computing Network.”
The incident highlighted the awful password practices present with Australia’s parliament.
Parliament House hack report reveals poor password practices
It took eight days to flush February’s cyber attackers from Australia’s parliamentary network. A procedure to authenticate staff asking to reset their boss’ passwords only came another week later.
Ransomware infection takes some police car laptops offline in Georgia
Ransomware infection impacted police car laptops for the Georgia State Patrol, Georgia Capitol Police, and the Georgia Motor Carrier Compliance Division.
Department of Parliamentary Services says February attack was ‘detected early’
The department admitted it has work to do on fighting external threats.
Australian government computing network reset following security ‘incident’
Department of Parliamentary Services says there is no evidence to suggest data has been taken or accessed, or that the incident is part of a plan to influence electoral processes.
Cybercriminals flooding the web with coronavirus-themed spam and malware (TechRepublic)
Hackers have expanded their exploitation of the outbreak fears with hundreds of scams and operations.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | Beware! Fraudsters can empty your PF account; know how to save from scam
Online scams have been increased these days. Many complaints have been filed about the illegal money transactions and several bank accounts have been hacked by hackers. It’s an alert for employees who have Employees’ Provident Fund (EPF) saving account as fraudsters can target your account too.
A recent case has come to light where a 68-year-old, retired man named Rajendra Khanna just saved himself from paying Rs 20,000 to a fraudster.
Know how scammer can empty your account:
According to the reports in Moneycontrol, the old man received a call from an unknown number who claimed himself an employee of the Employees’ Provident Fund Organisation (EPFO). He asked Khanna about his personal details like mobile number, Aadhaar number, Permanent account number (PAN), email id, last employment details and universal account number (UAN), etc. Khanna thought the man is the staff of EPFO and hence, he gave all details he asked on a phone call.
Report also said that the fraudster told Khanna that since he had worked between 1990 and 2019, therefore, he is eligible to get a benefit of Rs 80,000 from the EPFO. The scammer continued saying that EPFO has decided to give some benefits to the unclaimed corpus with randomly selected EPFO subscribers. He also trapped Khanna by making false promises that to claim this amount he need to transfer Rs 20,000 as a commission to a particular bank account and get Rs 80,000 credited to his bank account later without hassles.
All efforts of the scammer go in waste when Khanna decided to cross-check him by visiting the official website of the EPFO after putting his call on hold. After visiting the official website, Khanna found a pop-up message with an alert that said, “EPFO never asks you to share your personal details such as Aadhaar / PAN / UAN over the phone. Also, EPFO never calls any member/subscriber to deposit any amount in any bank account for processing an unclaimed amount. Please do not respond to such fake calls.”
After reading the notice, Khanna immediately disconnected the call. Later, the fraudster was unreachable when Khanna tried to contact him again for the fraud explanation.
These days scammers are targeting EPFO subscribers by making false promises so as to transfer one balance in the PF account to a fraud bank account.
In case, you get any such call then immediately rushed to the cyber-police department in your area and lodge a first information report (FIR) report. Also, notify EPFO about the same to keep their eyes on the account if unauthorized activity happening in your PF account.
Due to the increasing use of digital payment and social media, online scams have been increased. What one can do to save himself/herself from such traps, just beware of such fake calls and never give any personal details to an anonymous person.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | WhatsApp is under attack and you should be aware of this growing risk
Along with WhatsApp, other firms being targeted in these scams include PayPal, Facebook, Microsoft and Netflix.
If you are concerned about these types of online attacks then the UK’s National Cyber Security Center has some good advice for consumers.
Here’s their top tips for avoiding phishing scams online.
• Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try and create official-looking emails by including logos and graphics. Is the design (and quality) what would you’d expect from a large organisation?
• Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | These Are The Most Rampant Windows And Mac Malware Threats For 2020: Here’s What That Means
Seven weeks into 2020, and we are deep into the season for cybersecurity reporting. You can expect a wide range of summaries of the threat landscape from 2019 and forecasts as to what to expect this year. As threat actors from China, Russia, Iran and North Korea continue to probe network and system security around the world, we also have the rising threat of ever more sophisticated malware hitting individuals and the companies they work for, all fuelled by the scourge of social engineering to make every malicious campaign more dangerous and more likely to hit its mark.
BlackBerry Cylance has published its “2020 Threat Report” today, February 19, and its theme is the blurring lines between state actors and the criminal networks that develop their own exploits or lease “malware as a service,” pushing threats out via email and messaging campaigns, targeting industries or territories. This year, 2020, will be seminal in the world of threat reporting and defense—IoT’s acceleration is a game changer in cyber, with the emergence of a vast array of endpoints and the adoption of faster networking and pervasive “always connected” services.
The challenge with IoT is the limited control of the security layers within those endpoints—it’s all very well having smart lightbulbs, smart toys and smart fridges. But if every connected technology you allow into your home is given your WiFi code and a connection to the internet, then it is near impossible to assure yourself of the security of those devices. Current best practice—however impractical that sounds—is to air-gap the networks in your home: trusted devices—your phones, computers and tablets, and then everything else. If one family of devices can’t see the other, then you are much better protected from malicious actors exploiting casual vulnerabilities.
I have warned on this before, and the market now needs the makers of networking equipment to develop simple one-click multiple networking options, so we can introduce the concept of a separated IoT network and core network into all our homes—something akin to the guest networks we now have but never use on our routers, but simpler, more of a default, and therefore better used.
According to Cylance’s Eric Milam, the geopolitical climate will also “influence attacks” this year. There are two points behind this. First, mass market campaigns from state-sponsored threat actors in Iran and North Korea, from organized groups in Russia and China, and from criminal networks leveraging the same techniques, targeting individuals at “targeted scale.” And, second, as nation-states find ever more devious ways to exploit network defenses, those same tools and techniques ultimately find their way into the wider threat market.
The real threats haven’t changed much: Phishing attacks, ranging from the most basic spoofs to more sophisticated and socially engineered targeting; headline-grabbing ransomware and virus epidemics; the blurring between nation-state and criminal lines, accompanied by various flavors of government warnings. And then, of course, we have the online execution of crimes that would otherwise take place in the physical world—non-payment and non-delivery, romance scams, harassment, extortion, identity theft, all manner of financial and investment fraud.
But, we do also have a rising tide of malware. Some of that rising tide is prevalence, and some is sophistication. We also have criminal business models where malware is bought and sold or even rented on the web’s darker markets.
In the Cylance report, there is a useful summary of the “top malware threats” for Windows and Mac users. Cylance says that it complied its most dangerous list by using an “in-house tooling framework to monitor the threat landscape for attacks across different operating systems.” Essentially that means detecting malware in the wild across the endpoints monitored by its software and systems. It’s a volume list.
For cyber-guru Ian Thornton-Trump, the real concerns for individuals and companies around the world remain Business Email Compromise, “the fastest growing and most lucrative cyber-criminal enterprise.” He also points out that doing the basics better goes a long way—“there is little if any mention of account compromises due to poor password hygiene or password reuse and the lack of identifying poorly or misconfigured cloud hosting platforms leading to some of the largest data breaches” in many of the reports now coming out.
So here are Cylance’s fifteen most rampant threats. This is their own volume-based list compiled from what their own endpoints detected. There are missing names—Trickbot, Sodinokibi/REvil, Ryuk, but they’re implied. Trickbot as a secondary Emotet payload, for example, or Cylance’s observation that “the threat actors behind Ryuk are teaming with Emotet and Trickbot groups to exfiltrate sensitive data prior to encryption and blackmail victims, with the threat of proprietary data leakage should they fail to pay the ransom in a timely manner.”
There are a lot of legacy malware variants listed—hardly a surprise, these have evolved and now act as droppers for more recent threats. We also now see multiple malware variants combine, each with a specific purpose. Ten of the malware variants target Windows and five target Macs—the day-to-day risks to Windows users remain more prevalent given the scale and variety of the user base, especially within industry.
- Emotet: This is the big one—a banking trojan hat has been plaguing users in various guises since 2014. The malware has morphed from credential theft to acting as a “delivery mechanism” for other malware. The malware is viral—once it gets hold of your system, it will set about infecting your contact with equally compelling, socially engineered subterfuges.
- Kovter: This fileless malware targets the computer’s registry, as such it makes it more difficult to detect. The malware began life hiding behind spoofed warnings over illegal downloads or file sharing. Now it has joined the mass ad-fraud market, generating fraudulent clicks which quickly turn to revenue for the malware’s operators.
- Poison Ivy: A malicious “build you own” remote access trojan toolkit, providing a client-server setup that can be tailed to enable different threat actors to compile various campaigns. the malware infects target machines with various types of espionage, data exfiltration and credential theft. Again the malware is usually spread by emailed Microsoft Office attachments.
- Qakbot: Another legacy malware, dating back a decade, bit which has evolved with time into something more dangerous that its origins. The more recent variants are better adapted to avoiding detection and to spreading across networks from infected machines. The malware can lock user and administrator accounts, making remove more difficult.
- Ramnit: A “parasitic virus” with “worming capabilities,” designed to infect removable storage media, aiding replication and the persistence of an attack. The malware can also infect HTML files, infecting machines where those files are opened. The malware will steal credentials and can also enable a remote system takeover.
- Sakurel (aka. Sakula and VIPER): Another remote access trojan, “typically used in targeted attacks.” The delivery mechanism is through malicious URLs, dropping code on the machine when the URL is accessed. The malware can also act as a monitor on user browsing behavior, with other targeted attacks as more malware is pulled onto the machine.
- Upatre: A more niche, albeit still viable threat, according to Cylance. Infection usually results from emails which attach spoof voicemails or invoices, but Cylance warns that users can also be infected by visiting malicious websites. As is becoming much more prevalent now, this established legacy malware acts as a dropper for other threats.
- Ursnif: This is another evolved banking trojan, which infects machines that visit malicious websites, planting code in the process. The malware can adapt web content to increase the chances of infection. The malware remains a baking trojan in the main, but also acts as a dropper and can pull screenshots and crypto wallets from infected machines.
- Vercuse: This malware can be delivered by casual online downloads, but also through infected removable storage drives. The malware has adapted various methods of detection avoidance, including terminating processes if tools are detected. The primary threat from this malware now is as a dropper for other threats.
- Zegost: This malware is designed to identify useful information on infected machines and exfiltrate this back to its operators. That data can include activity logging, which includes credential theft. The malware can also be used for an offensive denial of service attack, essentially harnessing infected machines at scale to hit targets.
- CallMe: This is a legacy malware for the Mac world, opening a backdoor onto infected systems that can be exploited by its command and control server. Dropped through malicious Microsoft Office attachments, usually Word, the vulnerability has been patched for contemporary versions of MacOS and Office software. Users on those setups are protected.
- KeRanger: One of the first ransomware within the Mac world, the malware started life with a valid Mac Developer ID, since revoked. The malware will encrypt multiple file types and includes a process for pushing the ransom README file to the targeted user. Mitigation includes updates systems, but also offline backups as per all ransomware defenses.
- LaoShu: A remote access trojan that uses infected PDF files too spread its payload. The malware will look for specific file types, compressing those into an exfiltration zip file that can be pulled from the machine. While keeping systems updated, this malware also calls for good user training and email bevavior, including avoidance of unknown attachments.
- NetWiredRC: A favourite of the Iranian state-sponsored APT33, this malware is a remote access trojan that will operate across both Windows and Mac platforms. The malware focuses on exfiltrating “sensitive information” and credentials—the latter providing routes in for state attackers. Cylances advises administrators to block 212[.]7[.]208[.]65 in firewalls and monitor for “%home%/WIFIADAPT.app” on systems.
- XcodeGhost: Targeting both Mac and iOS, this compiler malware is considered “the first large-scale attack on Apple’s App Store.” Again with espionage and wider attacks in minds, the malware targets, captures and pulls strategic information from an infected machine. its infection of “secure apps” servers as a wider warning as to taking care when pulling apps from relatively unknown sources.
In reality, the list itself is largely informational as mitigation is much the same: Some combination of AV tools, user training, email filtering, attachment/macro controls, perhaps some network monitoring—especially for known IP addresses. The use of accredited VPNs, avoiding public WiFi, backups. Cylance also advises Windows administrators to watch for unusual registry mods and system boot executions.
Thornton-Trump warns that we need constant reminding that cyber security is about “people, process and technology.” Looking just at the technology side inevitably gives a skewed view. For him, any vendor reports inevitably “overstate the case for anti-malware defences in contrast to upgrade and improvement of other defensive mechanisms, including awareness training and vulnerability management.”
And so, ultimately, user training and keeping everything updated resolves a material proportion of these threats. Along with some basic precautions around backups and use of cloud or detached storage which provides some redundancy. Common sense, inevitably, also features highly—whatever platform you may be using.
View full post on National Cyber Security
#cyberfraud | #cybercriminals | FBI Publishes 2019 Internet Crimes Report Causing 3.5 Billion Dollars Loss
As the internet has become an indispensable part of our lives, crimes committed on the internet have started to increase significantly. In the 2019 report of the FBI, it was emphasized that cybercrime cost $ 3.5 billion.
The Federal Bureau of Investigation (FBI) published the ‘2019 Internet Crimes Report’. According to the published report, the number of crimes complained during the year reached 467 thousand 361. The cost of the crimes complaining exceeds $ 3.5 billion.
Cybercrime increased in 2019
The Internet Crime Complaints Center (IC3), an FBI source that reports suspected cybercrime activities, was established in May 2020 and reached a total number of 4,883,231 complaints with 2019 reports.
While the number of complaints received in the last five years has reached 1.7 million, the total annual loss has increased from $ 1.1 billion (2015) to $ 3.5 billion (2019). The damage of cybercrime to individuals and businesses in the US has exceeded $ 10 billion in the past five years. 2019 was the worst year in this respect. During the year, the highest cyber crime complaints ever made, while the victims of cyber crime have also suffered their greatest losses. In the fight against cybercrime, an amount of $ 300 million was saved.
In the fraudulent activities carried out via company e-mails, more than $ 1.7 billion was lost. A total of 23,775 complaints were made in this area in 2019. Business email scams have become the most dangerous group in cybercrime.
“Many organizations have been vulnerable to email attacks because criminals are developing their methods to compromise traditional email,” said Cencornet CEO Ed Macnair. The attackers targeted the most CEOs and staff working in the financial department in these areas.
Macnair said that cybercriminals trick employees and steal valuable information by using e-mail addresses similar to trusted companies’ e-mails. Macnair said this method is very difficult to catch by traditional defense systems and companies need to improve their security techniques.
The FBI warned about the magnitude of the ransomware’s impact on businesses and organizations. In the ransomware attack against the city of New Orleans in December 2019, it was revealed that the FBI’s warnings were not taken seriously.
In 2018, there were some reductions in complaints about ransomware attacks, but this number increased again in 2019 and reached the highest number of complaints after 2016. Ransomware attacks caused $ 2.4 million of damage in 2016, up from $ 8.9 million in 2019.
View full post on National Cyber Security