#cyberfraud | #cybercriminals | WhatsApp is under attack and you should be aware of this growing risk
Along with WhatsApp, other firms being targeted in these scams include PayPal, Facebook, Microsoft and Netflix.
If you are concerned about these types of online attacks then the UK’s National Cyber Security Center has some good advice for consumers.
Here’s their top tips for avoiding phishing scams online.
• Many phishing scams originate overseas and often the spelling, grammar and punctuation are poor. Others will try to create official-looking emails by including logos and graphics. Is the design (and quality) what you’d expect from a large organisation?
• Is it addressed to you by name, or does it refer to ‘valued customer’, or ‘friend’, or ‘colleague’? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam.
View full post on National Cyber Security
Hackers have finally done what bond issuers may have feared most from cyber criminals.
A ransomware attack on Pleasant Valley Hospital in West Virginia was partly responsible for the hospital’s breach of its covenant agreement, according to a notice to the hospital’s bondholders from the trustee, WesBanco Bank. It appears to be the first time a cyber attack triggered a formal covenant violation, according to research firm Municipal Market Analytics.
The virus entered the hospital’s system via emails sent 10 months before the cyber criminals asked the hospital for money, said Craig Gilliland, the hospital’s chief financial officer. The information the criminals held for ransom did not contain patient data or confidential data, so it was “more of an annoyance,” he added.
Because of the attack, the hospital was forced to spend about $1 million on new computer equipment and infrastructure improvements, Gilliland said. That cost, along with declining patient volume, caused the hospital’s debt service coverage for the fiscal year that ended on Sept. 30 to fall to 78%, below the 120% the loan agreement requires, according to the material notice to bondholders.
“When we had the cyber attack, we didn’t have the sophisticated anti-virus software that we needed,” he said. “Cyber attacks are effective on smaller hospitals and smaller government agencies who do not have the resources and do not spend the money to proactively get ahead of the curve.”
The hospital did not miss any payments to bond investors. Gilliland said he does not know whether a payment was made to the perpetrators, because the response was handled by the hospital’s cyber liability insurance carrier, Beazley Group. Mairi MacDonald, who manages media relations for Beazley Group, said via email that the company does not comment on specific client matters.
“The resolution of the situation will likely cost the hospital via monetary settlements and security hardening, making a financial rebound a bit more difficult than otherwise,” MMA said in its report. “Pleasant Valley highlights cyber risks as, at least so far, primarily a worsener for most municipal credits.”
Cyber risk is a growing concern for the municipal market. There were 133 publicly reported attacks against health-care providers since 2016, 47 of which occurred in 2019, according to data collected by threat intelligence company Recorded Future, Inc. Health-care providers are at particular risk for cyber attacks because patient care is disrupted, so there is an expectation the hospital will pay to remedy that quickly, said Allan Liska, an intelligence analyst at the company. Health-care providers also use unique software that is often managed by vendors, leaving updates to the software out of their hands.
“You have hospitals and doctors offices that are often forced to run outdated and old software that makes them at risk for these ransomware attacks,” Liska said.
And it’s not just health-care providers that are at risk. In 2019, state and local governments reported 106 ransomware attacks, nearly double what was reported a year before, according to data collected by Recorded Future. Among them were the Syracuse School District, which said it experienced a cyber attack that could “impact its financial position” according to a July 31 regulatory filing, and the city of Baltimore, which disclosed a cyber attack to investors in its bond offering documents when it borrowed last year.
For Pleasant Valley Hospital, the insurance company Beazley Group “connected the Hospital with other vendors to settle and remediate the issue,” according to the statement to bondholders. To address the decreasing patient volume, the hospital has lowered its labor costs and plans to convert doctor offices into two rural health clinics and to offer a new medical withdrawal inpatient service.
The threat to credit will get worse in the public finance realm before it can be alleviated, said Geoffrey Buswick, an analyst for S&P Global Ratings. Issuers can do all the right things, like protect their network and have proper insurance in place, and still find it difficult to fully offset cyber risks, he added.
“The various actors out there, be it a nation-state or criminal organization or just a rogue hacker, seem to have advanced technologies that are changing quickly,” Buswick said.
–With assistance from Amanda Albright and Danielle Moran.
The post #school | #ransomware | Ransomware Attack on Hospital Shows New Risk for Muni-Bond Issuers appeared first on National Cyber Security.
Source: National Cyber Security – Produced By Gregory Evans
debug_backtrace reloaded
A PHP bug initially dismissed as posing no security threat could potentially enable code execution outside the sandbox in shared-server environments, a new exploit has revealed. Discovered in the popular website language nearly two years ago, the vulnerability can allow attackers to execute arbitrary […]
View full post on AmIHackerProof.com
In January the Information Commissioner’s Office (ICO) fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
An ICO investigation found that an attacker installed malware on 5,390 tills at DSG’s Currys PC World and Dixons Travel stores between July 2017 and April 2018, collecting personal data during the nine-month period before the attack was detected.
The company’s failure to secure the system allowed unauthorised access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers.
Because the data breach occurred before the General Data Protection Regulation (GDPR) came into effect, DSG were found to have breached the earlier Data Protection Act 1998.
The ICO cited poor security arrangements and a failure to take adequate steps to protect personal data. This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing.
The ICO said that the contraventions in this case were so serious that they imposed the maximum penalty under the previous law, but the fine would inevitably have been much higher under the GDPR.
The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving affected customers vulnerable to financial theft and identity fraud. The ICO received 158 complaints between June 2018 and November 2018 from DSG’s customers. As of March 2019, the company reported that nearly 3,300 customers had contacted them directly in relation to this data breach.
The ICO stressed that while cyber-attacks are becoming more frequent, organisations still have responsibilities under the law to take serious security steps to protect systems, and most importantly, people’s personal data.
This incident will have cost DSG a great deal, both in direct costs to deal with the breach, and also in terms of its reputation. DSG may also face claims from its customers – especially given the ICO’s findings of poor security.
Given such incidents it’s unsurprising that the threat of cyber attacks is keeping many business leaders up at night and sadly, if business leaders aren’t worried, then they aren’t paying attention. In fact, the latest Allianz Risk Barometer 2020 from insurers Allianz – which identifies the top corporate risks for 2020 – highlights cyber risk as the number one business risk for 2020. Seven years ago cyber risk was ranked just 15th.
A top priority for all businesses in 2020 must be to take all reasonable and practicable steps to make their businesses as resilient to cyber risk as possible. There’s plenty of guidance and support available – the National Cyber Security Centre (NCSC) promotes Cyber Essentials, which should be a first port of call for any SME (https://www.cyberessentials.ncsc.gov.uk/about).
Businesses should also consider whether they should take out cyber insurance. It should not be assumed cyber risks are covered in your existing insurance policies.
A number of cyber policies are now available and a specialist insurance broker should be able to assist you and help explain what’s available and what is and what is not covered. Such policies can help protect against financial losses (including for business interruption, privacy breach costs, cyber extortion, hacker damage, and media liability) but many also offer assistance at the time of an incident e.g. by providing cyber forensic support.
Such policies do pay out – last year the Association of British Insurers revealed that 99% of claims made (207) on ABI-member cyber insurance policies in 2018 were paid – this is one of the highest claims acceptance rates across all insurance products.
As the NCSC advise:
“Organisations that are considering cyber insurance should understand that it will not protect you from an attack, but it may provide you with additional resources during and after an incident. So cyber insurance can be considered as an additional risk management tool, but do take time to:
- understand the scope and scale of the cover provided
- ensure that you are able to meet any operational requirements placed on you by the insurer”
As always when buying insurance you need to read the fine print of the cover. Crucially you must also ensure you meet any security or other IT requirements placed on you by the insurer. If you have pre-existing IT issues you knew or ought to have known about and these lead to a breach of security you are unlikely to be covered.
Insurance is not a panacea, of course. You need to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks your organisation faces. This is required by the General Data Protection Regulation (GDPR) in any event where you process personal data.
Ensuring your business is protected against cyber security risks should be a recurring New Year’s resolution, no matter what type of business you run.
The post #nationalcybersecuritymonth | Why Cyber risk is the number one business risk in 2020 appeared first on National Cyber Security.
As 2019 came to an end, Imperva CTO Kunal Anand began working with our global research team, Imperva Labs, to put together a list of the most important cybersecurity issues security leaders should be prepared for in 2020. He published his list in the blog, “Top 5 Cybersecurity Trends to Prepare for in 2020.” Since then, we’ve been digging deeper into each of his five trends in blogs that examine risk and security strategies that can keep your business safe. Today, we’ve arrived at the fifth and final trend to prepare for in 2020: defense-in-depth.
Digital Transformation is a Driver
We know that digital transformation is definitely having an impact on every aspect of our business life. Increased efficiencies, higher revenue and improved communication are just a few of the benefits we are starting to see. But the urge to be online all the time via smartphones, laptops, tablets, smart speaker systems and even IoT devices, is putting a strain on the enterprise. The lines between corporate and personal become blurred as employees use personal devices to access corporate apps in the cloud, check email one last time before going to bed, or log onto the business intranet. And everyone – customers and employees alike – wants consistent, high-speed access to all the websites and applications they need, always and everywhere.
Digital transformation has an unexpected side as well, with serious implications for security and performance.
There is a new weakest link to be aware of: the point at which the enterprise-owned network connects to a third-party network – typically at major Internet hubs. Connections to potentially vulnerable API backends, weak security or older, vulnerable versions of operating systems on personal devices, password re-use, and increasingly sophisticated cyberattacks can spell danger for even the most security-savvy organization.
DDoS attacks remain attractive to hackers: In 2019 our team saw the largest-ever attacks, five times bigger than any previously seen. At the same time, spear phishing attacks are increasingly successful. They impersonate executives through business email compromise (BEC) to execute unauthorized wire transfers and use publicly available information to trick employees into giving up their credentials. It’s easier than ever to attack mobile devices that connect to corporate assets, converting them into vectors to attack resources, steal data, and slow down access to websites and apps.
In Search of Comprehensive Security and Efficiency
Traditional defense mechanisms are not able to keep up with the increasing power and agility of cyberattacks. That’s why it’s important to keep attacks as far away as possible from the corporate network and data center. In practice, that means mitigating them close to the point of attack – at the edge. Not only is this more efficient, it can have a positive impact on the user experience as well. This approach requires us to push strong security all the way to the edge, encompassing all devices – especially mobile devices, which are often the target of attacks.
Still, edge security is not enough. We need to take a much more efficient and comprehensive risk-reduction approach than we have in the past. Traditional approaches involved separate edge security solutions to combat DDoS attacks, provide protection for web applications, detect and deter malicious account takeover attempts, etc. Even worse, there were separate providers and solutions for protecting against external threats, bad bots, hackers, and insiders who have become internal threats. And separate solutions for protecting assets that live on-premises, in the cloud, and in mixed cloud environments – at a time when many organizations are in the process of migrating from one environment to the other. Different platforms, user interfaces, and management consoles lead to inefficient operations, bombarding security analysts with massive amounts of uncoordinated alerts and increasing the management burden.
A Better Way
Businesses need security solutions that protect applications regardless of where they live, that are integrated to share important data, that can analyze complex attacks and find patterns, and that make life easier for scarce talent like security analysts. Solutions that reconcile the often-conflicting requirements for speed, performance, scalability, and protection.
The best way to accomplish this is through security that provides true defense-in-depth from the edge to inside the application itself. The ideal scenario is a “layered” security model where malicious actors must pass through multiple gates in order to execute an attack, without introducing latency or jeopardizing essential business processes.
Imperva Application Security
At Imperva, we take a security-first approach that ensures an optimal user experience while managing risk. Our global network of full-stack PoPs ensures protection at the edge while guaranteeing optimal performance and speed.
The Imperva WAF inspects all traffic destined for customer websites and mitigates malicious traffic at the nearest PoP, allowing legitimate traffic to continue on its way. Our powerful DDoS protection stops attacks of any size in three seconds or less – an industry first (and best) SLA. Our content delivery network optimizes website delivery, improving performance while reducing bandwidth costs. Our bot management provides protection against all OWASP automated threats. Our Runtime Application Self-Protection (RASP) offers security by default against known and zero-day vulnerabilities. And Attack Analytics gives analysts a prioritized set of actionable security insights to improve productivity.
The Imperva Application Security suite delivers all this in a simple, flexible, and predictable licensing approach that lets you deploy regardless of whether your devices are in the cloud, on-premises or in a hybrid model.
The post Businesses Will Buy Down Risk With Defense-in-Depth – 2020 Trend #5 appeared first on Blog.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Kim Lambert. Read the original post at: https://www.imperva.com/blog/buy-down-risk-2020-trend-5/
Cyber risks were cited as the top concern among businesses of all sizes in 2019, according to a Travelers report released in October. Of the 1,200 business leaders who participated in an insurer-sponsored survey, 55% said they worry some or a great deal about cyber risks, […]
End-of-life devices not properly sanitized of data can cause compliance issues and make corporate data vulnerable
GDPR, CCPA and the rest of the alphabet soup of privacy laws should have organizations looking more deeply at how and where they store and use data. While most companies […]
Phishing is still a vector to attack presidential campaigns. Many 2020 candidate organizations still aren’t using best practice by implementing a proper DMARC policy.
It seems they’ve not learned from the hack on Hillary’s campaign. In 2016, John Podesta got tricked by a crude phish—and it easily could happen again.
Things are better now, but there’s still acres of room for improvement. In today’s SB Blogwatch, we dig their DNS records.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: a decade in three minutes.
Can You Spell DMARC?
What’s the craic, Zack? Mister Whittaker reports—“Only a few 2020 US presidential candidates are using a basic email security feature”:
DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects spoofed emails … could prevent a similar attack that hobbled the Democrats during the 2016 election. … Only Elizabeth Warren … Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker, Tulsi Gabbard and Steve Bullock have … improved their email security.
The remaining candidates, including … Donald Trump, are not rejecting spoofed emails. … That, experts say, puts their campaigns at risk from foreign influence campaigns and cyberattacks.
In the run-up to the 2016 presidential election, Russian hackers sent an email to Hillary Clinton campaign manager John Podesta, posing as a Google security warning. [It] tricked Podesta into … allowing hackers to steal tens of thousands of private emails.
Or perhaps you prefer a different topical angle? G’day, David Braue—“You may be targeting Black Friday bargains, but cybercriminals are targeting you”:
Security firms are warning shoppers to be careful online as cybercriminals increase their activity in the runup to [the] retail season. … Shoppers need to be particularly wary of online scams and malware propagated through emails spoofing legitimate retailers.
Despite efforts by the Australian Signals Directorate to promote the use of next-generation DMARC email anti-fraud tools … research suggests that just 45 percent of Australia’s biggest online retailers have actually begun implementing DMARC – and just 10 percent have adopted the strictest level of security.
Returning to this hemisphere, Agari’s Armen Najarian claims, “2020 Presidential Candidates Remain Vulnerable”:
The kinds of email attacks that helped derail Hillary Clinton’s candidacy in 2016 are only getting more sophisticated. [But some] campaigns are not taking the threat as seriously as they should.
Meanwhile, we’re seeing new trends in how cybercriminals execute … advanced threats, which are liable to throw an entire candidacy off-course. After all, it only requires one campaign employee or volunteer to click on one link in a malicious email.
It’s likely only a matter of time before the unthinkable happens once again. … The Mueller Report … squarely pointed to spear phishing as the primary attack vector for Russian hackers seeking to gain access.
Unfortunately, candidates must not only be concerned about email directed to them and their campaign staff. … Imagine the damage that can be done by emails that appear to come from the legitimate domain of the candidate, but actually come from a malicious criminal who uses that domain to spread false information to potential … donors, voters, and the media.
This is entirely possible, and likely even probable, unless candidates take the steps they need to protect against it by implementing DMARC with a p=reject policy.
DMARC: HOWTO? Chad Calease obliges—“A Definitive Guide”:
This is the time of year we’re all too aware how much phishing really sucks. … While technology isn’t able to catch all of it 100% of the time, DMARC is one of these important layers of defense that helps to dramatically minimize the amount of phishing emails that get through to our inboxes.
DMARC stands for Domain-based Message Authentication, Reporting & Conformance. [It] is a set of 3 DNS records that work together to ensure email is sent only from authorized … mail servers, thereby helping block fraudulent messages.
DMARC sets a clear policy for what to do if a message hasn’t been sent from an authorized source. … DMARC helps prevent criminals from spoofing the “header from” or “reply-to” address: … First it checks that the DKIM … digital signature is a match. Then it checks the SPF record to ensure the message came from an authorized server. If both DKIM and SPF pass these checks, DMARC delivers the message.
But if one or more of these tests fails, DMARC behaves according to a policy we set:
‘none’ [which] doesn’t impose any actions …
‘quarantine’ [which] Flags messages … to be directed to the recipients’ spam or junk folders …
‘reject’ [which] outright refuses messages that fail … (this is the end goal of a good DMARC configuration).
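To make the checks above concrete, here is an added example (written for this page, not code from the original post or from Chad Calease) that parses a `_dmarc` TXT record, derives the organizational domain, applies relaxed or strict SPF/DKIM alignment, and returns the disposition a receiver would apply. DNS is replaced by a constructed in-memory table, the public-suffix list is a constructed handful of entries, and every domain name is hypothetical (the lookalike `whthouse.org.co.uk.acva.example` mirrors the commenter’s example later in the thread, using a reserved TLD). It also shows the caveat that a message from the attacker’s own properly configured domain passes DMARC.

```python
"""Added example: DMARC record parsing, alignment and disposition (RFC 7489-style).

Assumptions (not from the original post): DNS TXT lookups are replaced by the
CONSTRUCTED_DNS table, the public-suffix list by CONSTRUCTED_PUBLIC_SUFFIXES,
and all domain names are hypothetical.
"""
from dataclasses import dataclass

# Constructed stand-in for TXT lookups of _dmarc.<domain>.
CONSTRUCTED_DNS = {
    "_dmarc.example-campaign.org": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-campaign.org",
    "_dmarc.example-lax.org": "v=DMARC1; p=none; rua=mailto:reports@example-lax.org",
    "_dmarc.acva.example": "v=DMARC1; p=reject",   # the attacker's own, correctly configured domain
}

# Constructed, deliberately tiny public-suffix table.
CONSTRUCTED_PUBLIC_SUFFIXES = {"com", "org", "example", "co.uk"}


def organizational_domain(domain):
    """Return the registrable domain: one label above the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in CONSTRUCTED_PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc_record(txt):
    """Parse 'tag=value; ...' into a dict; None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")            # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])         # subdomain policy defaults to p
    return tags


def lookup_policy(from_domain):
    """Exact record for the From domain first, then the organizational domain's record (using sp)."""
    from_domain = from_domain.lower()
    rec = parse_dmarc_record(CONSTRUCTED_DNS.get(f"_dmarc.{from_domain}", ""))
    if rec is not None:
        return rec
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None
    rec = parse_dmarc_record(CONSTRUCTED_DNS.get(f"_dmarc.{org}", ""))
    return None if rec is None else dict(rec, p=rec["sp"])


def aligned(auth_domain, from_domain, mode):
    """Strict: identical domains. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    header_from: str      # domain of the RFC5322.From header
    spf_result: str       # "pass" / "fail" / "none"
    spf_domain: str       # MAIL FROM domain SPF was evaluated against
    dkim_result: str      # "pass" / "fail" / "none"
    dkim_domain: str      # d= tag of the verified DKIM signature


def evaluate_dmarc(res):
    """Return (dmarc_result, disposition): disposition is none/quarantine/reject or 'no-policy'."""
    policy = lookup_policy(res.header_from)
    if policy is None:
        return ("none", "no-policy")         # unprotected domain: nothing stops a spoof
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.header_from, policy["aspf"])
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, res.header_from, policy["adkim"])
    if spf_ok or dkim_ok:                    # either aligned pass is enough
        return ("pass", "none")
    return ("fail", policy["p"])


if __name__ == "__main__":
    spoof = AuthResults("example-campaign.org", "pass", "attacker-mail.example", "none", "")
    print("spoof vs p=reject:", evaluate_dmarc(spoof))
    print("spoof vs p=none:", evaluate_dmarc(AuthResults("example-lax.org", "pass", "attacker-mail.example", "none", "")))
    lookalike = AuthResults("whthouse.org.co.uk.acva.example", "none", "", "pass", "acva.example")
    print("lookalike domain:", evaluate_dmarc(lookalike))
```

The first call fails with disposition `reject`, because SPF passed only for the attacker’s envelope domain, which does not align with the From header; the same message against the `p=none` domain still fails DMARC but is delivered, which is the gap the campaigns in the article leave open. The lookalike case passes cleanly: DMARC authenticates that the mail really came from `acva.example`, and nothing about that tells the reader the domain is not the one they meant.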
OK, so why aren’t all the candidates on board? Here’s lostphilosopher:
I see this as a reflection of the candidates ability to find and listen to experts. I don’t expect a candidate to understand how to do tech “right” – I’m in the industry and still get half of it wrong! However, when you’re running a multi million dollar campaign you can afford to bring in experts to set this stuff up and audit your practices.
I assume these candidates are already doing this and that if they are still not following some basic best practices it’s because they are actively ignoring the experts. … That’s what worries me: If they can’t find or listen to these people now, what makes me think they’ll be able to in office?
And this Anonymous commentator agrees:
Think about this for a second! If the … candidates don’t care enough about their own email traffic, why would anyone vote for them to secure this nation? If your own private info is easily up for grabs, what do you honestly think national security would be like under any of them?
But gl4ss spots an oint in the flyment:
If you rely on DMARC … and just trust it blindly then you know what? You’re gonna get ****ed by someone on whthouse.org.co.uk.acva.com.
Sure the email is sent from that domain, but so what? The domain isn’t right.
It was ever thus. Ryan Dunbar—@ryandunbar2—looks back:
In 1980 we knew internet email was not secure.
2003 get email SPF
2007 get email DKIM
2012 get DMARC
2019 get ARC, BIMI
2025 get QUIC, yet email will still not be secure.
2050 get internet3
Why does it look like the ones running the internet don’t want a secure internet?
Meanwhile, El Duderino knows who to blame:
This is Al Gore’s fault because he invented the internet.
10 Years; 100 songs; 3 minutes
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Tia Dufour (public domain)
Understanding the Security Gap
According to a recent report by the Advanced Cyber Security Center, 91% of organizations…
The post These 4 Tips Will Make You Fluent in Cyber Risk appeared first on ZeroNorth.
*** This is a Security Bloggers Network syndicated blog from Blog | ZeroNorth authored by ZeroNorth. Read the original post at: https://www.zeronorth.io/blog/these-4-tips-will-make-you-fluent-in-cyber-risk/
The post #cybersecurity | #hackerspace | These 4 Tips Will Make You Fluent in Cyber Risk appeared first on National Cyber Security.
American consumers love loyalty programs. It’s estimated that the 3.3 billion loyalty program members in the U.S. currently store about $48 billion worth of points and miles in their accounts, according to Chargebacks911. These programs have grown so large in recent years that they’ve become an inviting target for hackers.
“It’s a huge problem and getting bigger,” said Brett Johnson, a former cyber-thief who turned his life around and became a digital security consultant after spending six years in prison. “Rewards points are a goldmine for crooks. They’re easy to access, very easy to use or transfer, and victims rarely check their accounts, so criminals flock to this type of crime without fear of consequences.”
While we call them miles or points, loyalty rewards are really a form of digital currency that can be used just like cash. Because they’re so liquid, the hackers don’t have to book flights or hotel stays with them. They can buy gift cards or merchandise to resell online, or they can simply sell the stolen rewards to other criminals.
Electronic gift cards are the favorite way to turn loyalty rewards into cash, said Peter R. Maeder, secretary and cofounder of the Loyalty Security Association.
“The opportunities for criminals in the loyalty area are tremendous,” Maeder told NBC News BETTER from his home-base of Switzerland. “Crooks talk to one another and the word is out that they can make easy money very quickly this way, and there’s not a lot of danger of being caught.”
Scammers always look for soft targets, and loyalty accounts are relatively easy to attack.
“They are incredibly insecure,” said John Breyault at Fraud.org (a public service of the National Consumers League). “Typically, they usually don’t have two-factor authentication; they’re only protected by an e-mail address and password. That’s just like leaving your front door unlocked to cyberthieves, who can get in easily and make money off of your miles or points.”
While travel rewards are a prime target for hackers, any loyalty program where the rewards are accessed digitally is at risk. Loyalty programs at McDonald’s, Domino’s and Buffalo Wild Wings have all been hacked, the New York Times reported.
How much are stolen rewards worth?
There’s a vibrant market for stolen miles and points and loyalty reward program login credentials on the ‘dark web’, the online black market where criminals shop.
“They can just go shopping for what they want,” said Kevin Lee, digital trust and safety architect at Sift, a digital security company. The dark web, Lee says, is “essentially like an Amazon marketplace where you can find rewards for hotel chains and airlines.”
NBC News BETTER asked Lee to check the dark web so he could give us an idea of what these rewards are selling for right now. Turns out, they’re a steal (pun intended). He found:
- 900,000 Marriott points (value $1,125) selling for only $270.
- 44,000 Hilton points (worth $450) selling for just $20.
- 2,000 Jet Blue miles ($75 to buy from the airline) selling for $2.50.
“They’re cheap and you aggregate lots of these different accounts together and then funnel them into one account and buy a plane ticket or redeem them for other rewards,” Lee said.