The battle against breaches continues. This week Google might aid the fight by adding a new feature to the latest iteration of its Chrome browser, Chrome 79.

Google’s password checking service

Google’s “Password Checkup” began as an extension for desktop versions of Chrome. It audits passwords when they are entered, comparing them against a 4 billion record public list of compromised usernames and passwords. The list has been compiled from all the breaches that have occurred in recent years. The new feature has already been integrated into Google accounts as an on-demand task that can be performed on all saved passwords. Now Password Checkup has been integrated into the standard desktop versions of Chrome 79.
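A minimal sketch of this kind of audit, added here as an illustration and not Google's implementation or protocol: saved logins are hashed and compared against a breach list bucketed by hash prefix, so a lookup reveals only a short prefix of the digest. The function names, the prefix length, and the sample credentials are assumptions constructed for the example.

```python
import hashlib
import unicodedata
from collections import defaultdict

# Assumption: number of leading hex characters of the digest sent to the lookup.
PREFIX_HEX = 4


def canonical_username(username: str) -> str:
    """Normalise case, whitespace and Unicode form so equivalent logins match."""
    return unicodedata.normalize("NFKC", username).strip().lower()


def credential_digest(username: str, password: str) -> str:
    """SHA-256 over the canonical username and the exact password bytes."""
    user = canonical_username(username).encode("utf-8")
    # Length-prefix the username so ("ab", "c") and ("a", "bc") hash differently.
    material = len(user).to_bytes(4, "big") + user + password.encode("utf-8")
    # Simplification: a production service would use a slow or blinded hash here.
    return hashlib.sha256(material).hexdigest()


class BreachIndex:
    """Hypothetical stand-in for the breach-list service, bucketed by prefix."""

    def __init__(self, leaked_pairs):
        self._buckets = defaultdict(set)
        for username, password in leaked_pairs:
            digest = credential_digest(username, password)
            self._buckets[digest[:PREFIX_HEX]].add(digest[PREFIX_HEX:])

    def suffixes_for(self, prefix: str) -> frozenset:
        """Return every stored digest suffix sharing this prefix."""
        return frozenset(self._buckets.get(prefix, ()))


def audit_saved_logins(saved_logins, index: BreachIndex):
    """Return (site, username) for each saved login whose pair is in the list."""
    exposed = []
    for site, username, password in saved_logins:
        digest = credential_digest(username, password)
        # Only the prefix is "sent"; the suffix comparison happens locally.
        if digest[PREFIX_HEX:] in index.suffixes_for(digest[:PREFIX_HEX]):
            exposed.append((site, canonical_username(username)))
    return exposed


# Constructed sample data, not taken from any real breach.
LEAKED_PAIRS = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.org", "hunter2"),
]
SAVED_LOGINS = [
    # Same pair as a leaked one, differing only in case and whitespace.
    ("shop.example", "Alice@Example.com ", "Summer2019!"),
    # Leaked username, but a different password: the pair is not exposed.
    ("mail.example", "bob@example.org", "correct horse battery staple"),
    # Leaked password under a different username: the pair is not exposed.
    ("forum.example", "carol@example.net", "hunter2"),
]

if __name__ == "__main__":
    index = BreachIndex(LEAKED_PAIRS)
    for site, user in audit_saved_logins(SAVED_LOGINS, index):
        print(f"change password for {user} on {site}")
```

Only the first saved login is reported, because the check is on the username and password together rather than on either value alone.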

Let’s look at some of the many more breached records that might be added to that already 4 billion strong record of exposed data…

– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series

Conor, South Africa, 1 million web browsing records

Breaking this week, a major South African IT company, Conor, is reportedly behind a breach that’s led to the exposure of “highly sensitive and private information and activity, including porn browsing history,” as per ZDNet.

A database containing “detailed, daily logs” of user behaviour by customers of ISPs which use web filtering software created by Conor was discovered by vpnMentor’s research team. It contains all the internet browsing activity of the users as well as personally identifying information.

The research team discovered the unsecured, unencrypted database on November 12. It’s 890GB in size and contains over a million records. They were able to view the activity of ISP users on porn websites and, as usernames were also exposed, to then identify these individuals on social media platforms. VpnMentor says:

“We viewed constantly updating user activity logs for the last two months from customers of numerous ISPs based in African and South American countries.”

LightInTheBox, China, 1.3TB of data

Noam Rotem and Ran Locar, of vpnMentor, also discovered a breach in late November. This time it was an unsecured and unencrypted database, accessible from a normal browser, belonging to Chinese e-commerce website LightInTheBox.com. The database was 1.3 terabytes in size and contained around 1.5 billion entries. As per The Register:

“The database [we found] was a web server log – a history of page requests and user activity on the site dating from 9th of August 2019 to 11th of October.”

The server logs included user email addresses, IP addresses, countries of residence, and pages viewed on the website. The breached database also contained information from subsidiary sites including MiniInTheBox.com. LightInTheBox reportedly has 12 million monthly visitors.

Cheshire West and Chester Council Website

The names of 50 foster carers, amounts paid for accommodation, mileage, and other expenses, were inadvertently published online by Cheshire West and Chester Council Website.

A member of the public contacted website CheshireLive and a data analyst after spotting the breach. The data analyst informed the council, which removed the sensitive information.

The information was contained in the “Open Data” section of the site, which allows the public to check local government spending records but where personal information should be redacted. The council’s director of governance, Vanessa Whiting, has responded:

“We take our responsibility for personal information very seriously. It appears that, due to a processing error, surnames and initials of some individuals have been included in data published on our website. This has now been removed. Our data protection officer is investigating this incident and the council has reported it to the Information Commissioner.”

It is, as per CheshireLive, not the first breach for the Open Data section of the council’s website.

750,000 applications for US birth certificate copies exposed online

As per TechCrunch, an online company that allows individuals to obtain copy birth and death certificates from US state governments has exposed the application forms of 752,000 site users.

The applications were discovered online in an Amazon Web Services (AWS) storage bucket that wasn’t protected by a password and could be accessed via an “easy-to-guess” web address.

The data checked by TechCrunch reportedly revealed names, dates of birth, addresses, email addresses, phone numbers, previous addresses, the names of family members, and the reason for the application. The records date back to late in 2017.

Fidus Information, a UK penetration testing company, found the exposed data.

As we missed last week’s data breach roundup, let’s also take some statistics from one by Dark Reading published on December 10. It says 2.7 billion email addresses and 1 billion email account passwords have also been breached via unsecured “cloud buckets.” Dark Reading says:

“An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches.”

It adds that organisations aren’t securing their cloud servers properly.

Researcher Bob Diachenko discovered that the breached ElasticSearch database of 2.7 billion email addresses included 1 billion plain text passwords. The email domains were mainly from internet providers in China and were discovered at a US-based colocation service. The database had reportedly been open and searchable with no password protection for a week. It may have contained records previously exposed in 2017, and Diachenko says users are probably not aware of the breach. The database may have been uploaded by either cybercriminals or even security researchers.

Our last data breach round-up was December 3, and detailed breaches affecting millions of users of Mixcloud, Adobe Magento Marketplace, and TrueDialog.

Want to help secure your organisation? Sign up for a free demo and find out how we’re already helping organisations just like yours.


In our now constantly digitally transforming business landscape every year will bring new and evolving cybersecurity threats and challenges. Trend Micro has recently published its key cybersecurity expectations for 2020.

Cybersecurity for next year and beyond, says Trend Micro, needs to be viewed “through many lenses,” and it adds:

“The old paradigm, where networks are isolated behind a company firewall, is behind us. Gone are the days of using a limited stack of enterprise applications. The current paradigm demands a wide variety of apps, services, and platforms that will all require protection. Layered security that is applied to various implementation efforts and keeps up with ecosystem shifts will be crucial in tackling the broad range of threats.”

It’s an important introduction, and one that for us here at The Defence Works points to a need for awareness of the changing digital landscape. For small businesses it may be time to break away from the daily demands of revenue generation and consider the threat of cybercrime and data breaches more attentively.

It’s estimated that 60% of small businesses close within six months of a cyber-attack. Many never recover financially or from the loss of reputation a cyber or data breach can create.

Trend Micro’s report is comprehensive, and it is available to read in full, so let’s take a look at just a few key points:

Attackers move faster than system and software vulnerabilities are patched

Trend Micro says:

“System administrators will need to be vigilant when it comes to not only the timeliness of patch deployments but also the quality of the patches they deploy.”

Many breaches and successful cyber attacks occur via outdated software and unaddressed system vulnerabilities. Malware is often also hiding in outdated websites. It’s not just giant enterprises who need the latest software; every application, website, and digital asset needs to be regularly assessed.

Artificial intelligence creates new threats

We’ve seen this in recent cyberattacks such as with the energy company CEO. “Deepfakes” are attacks that see social engineering and imitation taken to the next level. Trend Micro says:

“AI technology is being used to create highly believable counterfeits (in image, video, or audio format) that depict individuals saying or doing things that did not occur.”

Deepfakes are being used to target executives and manipulate employees; they can be hard to spot and they can cost millions.


Supply chain attacks may pick up pace

A growth in outsourcing means that attackers can bypass a business’s cybersecurity measures and attack through a potentially less defended third-party supplier. Trend Micro recommends:

“Enterprises should perform regular vulnerability and risk assessments and implement preventive measures, including thorough checks on providers and employees who have system access.”

Remote or home workers also add new risks to corporate networks, and the move to the cloud means that even more employees and contractors are accessing systems away from a business’s core operation. Yet this remote activity needs to be protected as much as, if not more than, any other. Trend Micro says:

“More compromises in cloud platforms will happen in 2020 by way of code injection attacks, either directly to the code or through a third-party library. Malware injection can be done in an attempt to eavesdrop or take control of a user’s files and information on the cloud.”

IoT devices could be used for “espionage and extortion.”

As scary as it sounds it is true. Cybercriminals are taking more time to create targeted individual attacks just as with deepfakes. Trend Micro expects these illicit actors to use “machine learning and AI to listen in on connected devices in enterprise settings, such as smart TVs and speakers.” It adds:

“They can use language recognition and object identification to snoop on personal and business conversations. From there, they can identify a set of targets for extortion or gain a foothold for corporate espionage.”

Attack surfaces are widening and it’s vital to ensure every “smart” device and phone, and every IoT enabled item of equipment is included in security protection, processes, monitoring, and constant re-evaluation.

Trend Micro concludes that collaboration with security experts needs to happen to mitigate risks and allow “defenders” to have visibility and control, adding:

“Real-time and zero-hour detection will also be crucial in proactively identifying known and unknown threats.”

Security experts can be internal to an organization or external. The key takeaway here is the need for “collaboration.” This collaboration to fight cyber threats needs to take place between every element of any business.

A breach of any kind can destroy a business. Employees are encouraged to do their best to ensure revenue generation and company reputation. In the same way, every person within a business should understand the damage an attack or breach can cause and how they can help to fight this risk.


Cybercriminals have a new way of making money, and it’s at your expense. Actually, “cryptojacking,” the unauthorized use of a machine or system to mine cryptocurrency, has been around for some years due to cryptocurrency’s unprecedented rise to fame. However, it’s on the increase: IBM’s X-Force Threat Intelligence Index for 2019 puts cryptojacking occurrences as growing 450% during 2018.

And, in recent days, Microsoft has warned that new “Dexphot” mining malware has infected more than 80,000 machines between its first discovery in October 2018 and its peak in June 2019. The good news is the number of daily Dexphot infections has been reducing since June. Microsoft, as per ZDNet, says it has employed countermeasures to improve detection and prevent successful attacks.

What is cryptocurrency mining and cryptojacking?

Cryptocurrencies are digital currencies or assets stored and recorded using blockchain technology. This technology is, in essence, a type of software that for the first time gives forms of money, and other assets, a digital and tradeable identity.

A blockchain is a type of distributed ledger where the data is stored across multiple machines instead of in single centralized data silos. To manage this ledger and produce new crypto coins, for some cryptocurrencies, a process of “mining” takes place. Without going into too much detail, this process involves a mathematical algorithm run by software that helps to validate new blockchain transactions. Miners are rewarded with new coins, but the process takes a good deal of computer resources, like RAM, as well as electricity.

Cybercriminals are able to infect websites and systems with cryptomining malware just as easily as any other type of malware. They either hide it in phishing and other spam emails or on websites where it is downloaded by unwitting visitors.

Once in a computer system, cryptomining malware can secretly use the device’s resources to mine cryptocurrency, sending the reward back to the cybercriminals. It can quickly wear down a machine, cause slowdowns, and cost electricity.

Dexphot is advanced, but the cryptomining malware threat often takes second place to that of data breaches

Microsoft says that Dexphot is notably advanced considering that the rewards for cybercriminals are perhaps much less, over a longer period, when compared to something like a ransomware attack or a data breach.

Hazel Kim, a malware analyst for the Microsoft Defender ATP Research Team, says “Dexphot is not the type of attack that generates mainstream media attention,” adding:

“It’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles – to install a coin miner that silently steals computer resources and generates revenue for the attackers.”

But Kim says:

“Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.”

These advanced techniques include “fileless execution, polymorphic techniques, and smart and redundant boot persistence mechanisms.”

Microsoft says Dexphot is a “second-stage payload,” which means it is a type of malware that infects systems already hosting other malware, in this case a malware strain called ICLoader. ICLoader often infects systems alongside software installs.

Microsoft also explains that because of “fileless execution” only Dexphot’s installer is written to a computer’s drive and only for a short time which makes the malware hard to detect by less advanced signature-based antivirus solutions.

Dexphot also hijacks and hides in normal Windows processes, and its creators and executors employ “polymorphism,” a process of changing Dexphot’s file names and the URLs used in the mining process every 20-30 minutes. Again, this makes Dexphot hard to identify.

Dexphot has other complexities, detailed by ZDNet and Microsoft, so advanced that they are usually found in malware that targets governments or is even operated by government-sponsored hackers. ZDNet writes:

“In the last two years, these techniques have been slowly trickling down to cyber-criminal gangs, and are now pretty much a common occurrence in something as mundane as a crypto-currency mining operation like Dexphot, infostealers like Astaroth, or click-fraud operations like Nodersok.”

So how to protect against or detect cryptomining malware?

CSOonline, after recently detailing the threat of cryptojacking and many of the types of cryptomining malware prevalent today, says that to minimize the risk of cryptojacking:

“Incorporate the cryptojacking threat into your security awareness training, focusing on phishing-type attempts to load scripts onto users’ computers.”

Marc Laliberte, threat analyst at WatchGuard Technologies adds:

“Training will help protect you when technical solutions might fail.”

Awareness of phishing emails, their features and their risks helps employees to identify them and deal with them appropriately. As does knowing to avoid less credible or out of date websites which may be less protected and contain malware that can sneak onto corporate systems.


There are also ad-blocking and anti-cryptomining extensions for web browsers, and endpoint and antivirus protection that is capable of detecting cryptocurrency mining software should be deployed. Web filtering tools and browser extensions also need to be kept up to date. Known infected websites should be blocked, and extensions should be monitored, as even legitimate ones can contain hidden malware.


Another week, another few million items of personal information exposed. It’s not getting better yet: cybercriminals are hard at work attacking company systems, and companies still appear to be making errors that expose the data of their customers.

There is light at the end of the cybersecurity tunnel

Cybersecurity experts are working just as hard to improve defences and protect systems. There is a growing appreciation for the need for every individual and employee to have security awareness in order to join the fight against cybercrime and data breaches. A culture of cybersecurity is a recognised strategy, combined with technology and stringent processes, to identify, deflect, and deal with cyber threats and protect data.

Let’s look at this past week’s data breaches and what we can learn from them.

Mixcloud, UK, 20 million records affected

UK-based audio streaming service Mixcloud has seen the data from 20 million, and potentially up to 22 million, user accounts put up for sale on the dark web, as per reports by TechCrunch.

On November 30, Mixcloud published a statement and “security notice,” saying:

“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems.”

The streaming company adds that “the incident” involves email addresses, IP addresses, and “securely encrypted passwords.” And, that “the majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.” The company also declares that it does not store full credit card numbers or mailing addresses. Mixcloud adds:

“The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble. This means that they are unlikely to be decrypted by hackers.”

TechCrunch reported the breach on November 29, saying it was alerted by a dark web data seller and writing that:

“The data breach happened earlier in November, according to a dark web seller who supplied a portion of the data to TechCrunch, allowing us to examine and verify the authenticity of the data.”

TechCrunch says the breached data from Mixcloud was available on the dark web for around $4,000, or 0.5 Bitcoin. The publication checked the data for authenticity and adds:

“The data contained usernames, email addresses, and passwords that appear to be scrambled with the SHA-2 algorithm, making the passwords near impossible to unscramble. The data also contained account sign-up dates and the last-login date. It also included the country from which the user signed up, their internet (IP) address, and links to profile photos.”

Mixcloud, in its statement, says users may want to change their passwords, especially if they use the same one across different services but adds, “we have no reason to believe that any passwords have been compromised.” The company signs off the statement with the first names of the co-founders, “Nico, Mat, Nikhil,” saying:

“We are actively investigating the incident. We apologize to those affected and are sorry that this has happened. We understand this is frustrating and upsetting to hear, and we take the trust you put in us very seriously.”


Church’s Chicken Restaurants, US

As per Techgenix, fast-food chain Church’s Chicken has notified its customers of a data breach in October localized to customers of restaurants in 11 US states. In a statement Church’s says:

“Our company immediately retained a leading cybersecurity forensics firm, to help us contain and remediate the activity, and launch an investigation to determine the extent to which information in Church’s systems may have been impacted. In addition, we are continuing to cooperate with federal law enforcement and have notified payment card networks and credit monitoring agencies.”

The breach appears to have occurred via “payment processing systems,” and the company has not confirmed exactly how many restaurants have been affected. It has said that customers are safe to use credit cards as steps have been taken to remediate the incident and “any previous unauthorized third-party access is not ongoing.” Church’s believes that customer data has not been accessed but warns customers that bank statements should be monitored.

Another US food chain, On the Border, has also notified customers of a data breach in a payment processing system in restaurants in 28 US states and says that some customer credit card information may have been compromised between April and August 2019.

Adobe Magento Marketplace

Customers of the Magento e-commerce Content Management System, who number around 250,000, use the Magento Marketplace for software add-ons.

Reports last week indicate that the security team discovered a vulnerability on November 21 that allowed an “unauthorised third party,” to access account information.

The breached data includes names, email addresses, billing and shipping addresses, and phone numbers, as well as some information on developer use.

Adobe has said it “immediately launched an investigation, shut down the service and addressed the issue.”

Records of 7.5 million Adobe Creative Cloud customers were discovered online in an exposed database just weeks ago.

TrueDialog, millions of text messages exposed

News is also just breaking that a database containing “tens of millions” of SMS text messages run by business SMS service TrueDialog has been found exposed online. The messages, reports TechCrunch, are mostly those sent by businesses to potential customers and date back years.

The database appears to have been stored on the internet without password protection or encryption and was discovered by security researchers Noam Rotem and Ran Locar.

The data contained information about university finance applications, job alerts, and marketing messages, but also some sensitive text messages containing two-factor security authorisation codes. This latter data may allow those with access to the information to gain access to online accounts, and includes codes to access online medical services and Facebook and Google accounts, as well as password reset and login codes.

TrueDialog has removed the database from the internet, as per reports, but does not appear to have commented or made a statement yet on the matter.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.


Emerging technologies create new cyber threats and are beginning to be used in attacks by cybercriminals. However, technologies like AI and machine learning (ML) are also critical new tools in the global fight against cybercrime.

There is evidence that AI is being used in cyberattacks. Take the recent incident of an energy company CEO swindled out of hundreds of thousands because cyberattackers used AI to impersonate the man’s boss on the telephone.

AI powered attacks can be automated and more frequent

Right now, there is the potential for AI powered software to be used in telephone attacks, with AI mimicking natural voices. These attacks could be very targeted like the CEO example, or AI voice attacks could be automated by one computer conducting many scam, social engineering and phishing call or email attacks.

Cybercriminals could develop AI and ML technologies to quickly use the masses of information from data breaches available on the dark web to create and target social engineering attacks, prepare the phishing emails, and even analyse the data and vulnerabilities of potential victims and enterprise systems in order to pick out the weakest targets.

AI can provide a competitive edge in information security and data safety

Nathan McKinley of AI and ML mobile application development company Cerdonis Technologies LLC, writing for CPO Magazine, says AI and ML can give businesses a competitive edge in “information security and data safety.” McKinley says, “cybersecurity remains to be one of the most important beneficiaries of these new technologies.”

Though AI cannot yet completely replace human intelligence McKinley says:

“When it is about reducing errors and faults in the operational tasks and when it is about finding anomalies and irregularities, AI is way ahead of the human efficiency and capability. Apart from adding a robust security layer AI is super efficient in evaluating the mistakes and all the errors that human intelligence is prone to commit.”


Making predictions and identifying anomalies

AI and ML can be used to analyse past data to make future predictions and identify anomalies. AI and ML powered cybersecurity software can constantly learn the normal behaviour of a company’s systems, accounts, customer accounts, and even email traffic. It can then constantly monitor these areas of cyber vulnerability, quickly identifying an anomaly that could mean an attack.
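The learn-then-monitor loop described above, reduced to its simplest statistical form as an added example (not code from any product or vendor mentioned here): each account’s baseline is the median of its past hourly outbound email counts, and a new count is flagged when it sits too many robust deviations away. The class name, thresholds, and sample counts are assumptions constructed for the illustration.

```python
import statistics


class BaselineMonitor:
    """Per-key baseline using the median and median absolute deviation (MAD)."""

    def __init__(self, min_history=8, threshold=3.5, scale_floor=1.0):
        self.min_history = min_history  # observations needed before scoring
        self.threshold = threshold      # robust z-score that counts as anomalous
        self.scale_floor = scale_floor  # stops a flat baseline flagging tiny changes
        self._history = {}

    def score(self, key, value):
        """Return the robust z-score, or None while still learning the baseline."""
        history = self._history.get(key, [])
        if len(history) < self.min_history:
            return None
        median = statistics.median(history)
        mad = statistics.median(abs(v - median) for v in history)
        # 1.4826 * MAD estimates the standard deviation for normal data.
        scale = max(1.4826 * mad, self.scale_floor)
        return (value - median) / scale

    def observe(self, key, value):
        """Score a new observation; learn from it only if it looks normal."""
        z = self.score(key, value)
        anomalous = z is not None and abs(z) > self.threshold
        if not anomalous:
            # Keeping anomalies out of the history stops an ongoing attack
            # from becoming the new "normal".
            self._history.setdefault(key, []).append(value)
        return anomalous


def find_anomalies(series_by_account, monitor=None):
    """Replay hourly counts per account; return (account, hour, count) flags."""
    monitor = monitor or BaselineMonitor()
    flagged = []
    for account, counts in series_by_account.items():
        for hour, count in enumerate(counts):
            if monitor.observe(account, count):
                flagged.append((account, hour, count))
    return flagged


# Constructed sample: outbound emails per hour for two hypothetical accounts.
SAMPLE_COUNTS = {
    "j.smith": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 240, 14],
    "svc-backup": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2],
}

if __name__ == "__main__":
    for account, hour, count in find_anomalies(SAMPLE_COUNTS):
        print(f"hour {hour}: {account} sent {count} emails, far above baseline")
```

The burst of 240 messages is flagged, while the service account going from 0 to 2 is not, because the scale floor keeps a perfectly flat baseline from treating small changes as attacks.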

Such cybersecurity systems may be able to respond themselves or notify of a potential attack or breach. A constant automation of vulnerability monitoring is far faster and more effective than even a whole team of humans. Suddenly companies and such cybersecurity systems may be able to keep up with what is in some industries a constant stream of attacks by cybercriminals. McKinley writes:

“Timely detection of the security threat or dangerous malware is the key to gain a competitive and proactive lead in providing security safeguards.”

Newly developed cybersecurity tools which use AI and ML could provide this timely detection and competitive edge.

There are some limitations to the development and effectiveness of such tools. One is the availability of sufficient data sets to model expected behaviour in order to identify unexpected behaviour. There is also a lack of collaboration between cybersecurity companies in order to share knowledge as well as, says McKinley:

“A sheer lack of global cybersecurity experts who have the necessary knowledge and skills to work with AI and machine learning based security algorithms.”

But, he says:

“We should be hopeful about the future of intelligent cybersecurity mechanisms simply because of the over-abundant data we already have that can be put under sophisticated analytics tools for garnering important data-driven insights.”

As well as enterprise cybersecurity applications, AI and ML can also be used in home and individual security systems. They can be used in home security systems and remote monitoring systems that use facial recognition to identify intruders.

McKinley concludes:

“To deal with the cybersecurity threats of the future, businesses need to embrace AI and ML-based tools and security mechanisms. They also need to have a solid understanding of how machine learning based algorithms work, and how they can enhance security, how to train ML algorithms, and the most suitable ML algorithm training methods.”

To deal with the threat of emerging technology use in cyberattacks as well as being able to identify the potential for AI and ML powered tools to help fight cybercrime, awareness as always is key.

Here at The Defence Works our focus is on helping you stay “in the know,” with everything you need to know about cybersecurity.


New research reveals 87% of UK CIOs and high-level IT professionals are struggling to find the right cybersecurity experts to fill internal vacancies for their companies in order to combat growing cyber risk.

The study by digital resilience company RedSeal, and as reported by Netimperative, reveals that the UK may have a major weak point when it comes to fighting cybercrime and protecting against cyber-attacks. Netimperative cites another study which estimates that cybercrime cost UK businesses alone £2.3 million per minute in 2018.

Made worse by Brexit uncertainty

The skills gap is exacerbated by Brexit uncertainty as 73% of participants in the study state that Brexit is a major concern when they are considering hiring cybersecurity professionals from outside of the UK. 95% expect that Brexit will widen the skills gap further as there are many IT security professionals already working in the UK, from other countries. This could be due to the lack of advanced cybersecurity education available in the UK.

More action is needed

Netimperative writes that little has been done since Parliament’s Joint Committee on the National Security Strategy published its “Cyber Security Skills and the UK’s Critical National Infrastructure” report in July 2018. The report said that:

“Although the UK has one of the most vibrant digital economies in the world, there is not currently the cyber security skills base to match, with both the Government and private sector affected by the shortage in skills.”

The report’s authors raised concerns over the UK government’s lack of urgency in addressing the cybersecurity skills gap in relation to Critical National Infrastructure. And this is without attention to the effect of the skills gap in wider industry.

The UK’s cybersecurity sector is potentially the largest in Europe with a value of over $5 billion but the shortage of cybersecurity talent is without question.

As per James Lyne writing for TechRadar, the UK government has launched an Initial Cyber Security Skills strategy with £2.5 million in funding for a UK Cyber Security Council which will have the role of developing a skilled workforce for the future.

This August, the government appointed the Institute of Engineering and Technology (IET) to lead the council. And, three years ago, a government-backed Cyber Discovery Programme was launched for 13- to 18-year-olds to encourage more young people to enter careers in cybersecurity; 50,000 students have taken part.

But, by 2021, as per Lyne and Cybersecurity Ventures, there will be 3.5 million unfilled cybersecurity vacancies globally. Help Net Security and (ISC)² put the global cybersecurity skills gap higher, at over 4 million vacancies now. It says that in the UK the shortage of cybersecurity professionals is nearly 300,000.

City A.M and Cisco UK’s chief technologist, Chintan Patel, notes that it has recently been reported that there has actually been a drop of 40,000 in the number of pupils sitting GCSEs in computing or ICT.

There is an immediate and outstanding cybersecurity skills gap. There is also a lack of comprehensive cybersecurity, and even ICT and programming, education in schools and further education to nurture the cybersecurity workforce of the next decade.

The government announced in September it would conduct an assessment of the UK’s cybersecurity workforce. Ipsos MORI will survey private and public sector organisations as well as charities and focus on issues of both employment and training of cybersecurity professionals.

Ipsos MORI published the results of last year’s survey in April this year as per the release of findings from the National Cyber Security Centre (NCSC) and the Department for Digital, Culture, Media and Sport. This previous survey focused on individual awareness of, and attitudes towards, cybersecurity.

There are other government led initiatives to meet the cybersecurity skills gap too, like the Cyber Skills Immediate Impact Fund. And, cybersecurity has, and rightly so, appeared on recent General Election 2019 party manifestos.

It is clear there is much to be done to halt a growing shortage of cybersecurity professionals both in industry and by governments.

Every business of every size, however, can take action today to prevent a cybersecurity skills shortage from enabling cyber-attacks, cybercrime, and data breaches. Cybersecurity and security awareness training can and should happen in the workplace and it is not just applicable to IT departments.

A cyberattack and subsequent system breach can occur anywhere within an operation. Fostering a corporate wide culture and awareness of cybersecurity with every employee in every department is crucial in the fight against cybercrime. It will also help to mitigate the risks posed by a global cybersecurity skill shortage and raise awareness of the sector to perhaps inspire future career paths.

Want to help secure your organisation? Sign up for a free demo and find out how we’re already helping organisations just like yours.


Despite growing cyber security awareness and cyber security’s escalation to a board level agenda item, this past week’s data breaches are proof that no company is impervious and there is still much work to be done to prevent both breaches and cyberattacks.

T-Mobile pre-paid customers – 1 million+ affected

Telecoms giant T-Mobile has confirmed a malicious actor was able to obtain names, addresses, phone numbers, and account information including rate plans and features purchased, of over a million of its users.

As per TechRadar and a T-Mobile announcement:

“Our Cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities. None of your financial data (including credit card information) or social security numbers was involved, and no passwords were compromised.”

The breach has reportedly affected “less than 1.5 percent” of T-Mobile customers and did not expose passwords. Pymnts.com says few further details were revealed as to the length of the breach or how it was fixed. T-Mobile was also the victim of an attack and breach that exposed around 3% of its 75 million customers’ records in August 2018.

OnePlus website breached

Staying in the telecommunications industry, smartphone maker OnePlus has revealed an attacker has accessed some customer data via a vulnerability in its website.

As per ZDNet and a OnePlus FAQ page the breach happened last week and was discovered quickly. Cyber attackers were, however, able to gain access to past customer orders, customer names, telephone numbers, emails, and addresses. OnePlus has said passwords and financial details were not exposed and adds:

“We’ve inspected our website thoroughly to ensure that there are no similar security flaws.”

The exact vulnerability does not appear to have been disclosed. OnePlus says:

“Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident.”

The company has also committed to using a new security platform as of next month and plans to launch an official bug bounty program by the end of the year. In January 2018 attackers managed to breach the data of around 40,000 OnePlus customers in a similar incident.


Centers for Medicare and Medicaid (CMS), US, affecting 220,000

In the US, and in yet another healthcare breach, CMS says around 220,000 Medicare beneficiaries’ card numbers were compromised by an unknown actor. It remains unclear how the breach occurred, but CMS is checking affected Medicare accounts for fraudulent use.

Macy’s, US

Iconic US retailer Macy’s has informed online customers they may have been affected by a breach, after performing an investigation commencing in October. It has sent a letter to customers, as per Business Insider, and believes an attacker attached “malicious computer code” to Macys.com “Checkout” and “MyWallet” webpages. Macy’s wrote:

“On behalf of Macy’s, we are writing to inform you about a recent incident involving unauthorized access to personal information about you on macys.com. We regret that this incident occurred and appreciate your time to read this letter.”

Reports indicate Macy’s was made aware of the breach on October 15 and removed the code the same day. Macy’s also believes the website was breached a week previously. The company told Business Insider:

“We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution.”

It also says it has offered affected customers free consumer protection.

As per Bleeping Computer the malicious code used may have been a Magecart attack, malware that attempts to steal payment information as a customer completes a shopping cart checkout and payment.

PayMyTab

Cybersecurity researchers have exposed a data breach that made personal and financial information of PayMyTab mobile and card terminal users available online.

The breach is reportedly due to an “unsecured Amazon Web Services (AWS) S3 bucket” and PayMyTab not following Amazon’s security protocols.

vpnMentor, as per ZDNet, says the leak may have left “10,000s of people vulnerable to online fraud and attacks.” It adds:

“As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. This is especially true when the companies data breach contains such private information. However, these ethics also mean we carry a responsibility to the public. PayMyTab users must be aware of a data breach that impacts them also.”

The exposed records included customer names, addresses and telephone numbers, as well as the last four digits of customer payment card numbers.

Catch Restaurants, New York

In another point-of-sale (POS) system breach, as per ThreatPost, three New York restaurants have discovered malware on their POS systems.

Customers of Catch NYC, Catch Roof and Catch Steak, owned by Catch Hospitality Group, may have had their credit-card information breached. The restaurant group issued a notice explaining:

“The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date and internal verification code) read from a payment card as it was being routed through these PoS devices. There is no indication that other customer information was accessed.”

It also says it has implemented “enhanced” security measures and is working with cybersecurity experts to “evaluate additional ways to enhance the security of payment-card data.”

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.


As we approach the UK General Election on December 12, party manifestos are beginning to emerge. The Labour Party has just released its precursory list of promises. If elected to power, the Labour Party has big plans for cybersecurity.

As per New Statesman Tech and the Labour Party’s “It’s time for real change,” 2019 manifesto, the party plans to give additional powers to security officials to ensure cybersecurity is maximised. If elected, it plans to review the powers of the National Cyber Security Centre (NCSC). From the party manifesto:

“Cybercrime and cyberwarfare are growing, all around the world. Every aspect of our lives, from the NHS to our nuclear facilities, from transport systems to communications networks is vulnerable.”

The NCSC is part of the Government Communications Headquarters (GCHQ), the UK’s intelligence and security organization. The role of the NCSC is to secure the UK’s communications infrastructure and it has a more consumer-facing role. It’s in place to help both the public and private sector avoid cybersecurity threats and it was formed in 2016.

The Labour Party plans to allow NCSC officials to audit the cybersecurity of both public and private sector organisations. The NCSC would have the power to “issue warnings,” to organisations. The party also plans to create a ministerial role with sole responsibility for cybersecurity.

“A Labour government, ever more dependent on digital technology, will overhaul our cybersecurity by creating a co-ordinating minister and regular reviews of cyber-readiness.”

And, Labour wants to improve the National Crime Agency to make it more able to deal with cybercrime:

“We will also review the structures and roles of the National Crime Agency, to strengthen the response to all types of economic crime, including cybercrime and fraud, and ensure a modern, technologically advanced police service that has the capacity and skills to combat online crime, supported by a new national strategy on cybercrime and fraud.”

In the manifesto, there is also a promise to add more funds to the NHS’s cyber defences. A potentially sensible move considering the ever-increasing cybercriminal targeting of healthcare providers and organisations around the globe.

Matt Lock, technical director at data security company Varonis, says:

“All political parties should have a cybersecurity platform – it’s a matter of national defence in our connected age. Just as political parties present their plans for jobs, education, and healthcare, they would be smart to add cybersecurity to that list.”

Malcolm Taylor, a former GCHQ British intelligence officer and now director of cyber security at ITC Secure told the Verdict:

“It is impossible to argue that a greater focus on cyber security is a bad thing; quite simply the issue is not going away and standing still is tantamount to going backwards.”

Taylor adds that “cabinet scrutiny of cybersecurity” is a good idea and that it needs to come from a ministerial position. He adds:

“I espouse – maybe even proselytise – to my senior clients that security is not a technical issue but a strategic issue, and so must the response be. This is a good idea, in principle, though of course the details will matter a lot.”

Labour has also said it will take steps to better protect patient records adding:

“We will ensure data protection for NHS and patient information, a highly valuable publicly funded resource that can be used for better diagnosis of conditions and for ground-breaking research.”

And, it says, it’s not going to let NHS patient data be “exploited” by international technology and pharmaceutical corporations.


The Labour Party has been the target of cyber-attacks in recent weeks

On November 12, the Labour Party says it was subject to a second cyberattack on its website after successfully repelling one days earlier. Distributed Denial of Service (DDoS) attacks, where many compromised systems are used to drive traffic, were focused on the Labour Party website.

Both attacks were reportedly successfully deflected, and no data was stolen. A Labour Party spokesperson said after the second attack:

“We have ongoing security processes in place to protect our platforms, so users may be experiencing some differences. We are dealing with this quickly and efficiently.”

Niall Sookoo, the party’s executive director of elections and campaigns said:

“Every single one of these attempts failed due to our robust security systems and the integrity of all our platforms and data was maintained.”

The attacks were reported to the NCSC and a spokesperson from the organisation said, as per the BBC:

“The attack was not successful and the incident is now closed.”

Labour leader Jeremy Corbyn also responded:

“If this is a sign of things to come, I feel very nervous about it.”

Emily Orton, of cybersecurity company Darktrace, told BBC Radio 4:

“Really this is the tip of the iceberg in terms of the types of threats that, not just the Labour Party, but all political parties are going to be without a doubt experiencing on a daily basis.”

She believes anyone “involved in politics and in government” should be preparing themselves for the prospect of much more serious attacks.

In fact, anyone in business, politics, and in government, should be preparing for more sophisticated and serious cyberattacks. The latest incident of “CEO fraud” confirms this too. Cybercrime is a threat that’s not going to go away.  Want to help secure your organisation, no matter who wins the election? Sign up for a free demo and find out how we’re already helping organisations just like yours.


The so far unidentified CEO of an unnamed company appears to have been conned out of almost $1 million whilst buying a property in Belize, as per Quartz reporting and according to a criminal complaint filed in a US federal court.

Social engineering and a spoof email address to blame

The CEO, referred to as S.K., had reportedly communicated with the seller’s genuine attorney and paid part of the property’s purchase price as a deposit. The buyer then received a new email he thought was from the lawyer, with instructions for sending the remaining $918,000 for the property. He sent the transfer believing it to be headed to a bank account in Belize when it actually went to a Citizens Bank in Boston, US, now appearing to be under the control of the cybercriminals. As per Quartz and the complaint:

“The lengthy email which S.K. received included lawyerly verbiage that gave it the appearance it was from the attorney in Belize. The author included information about Belize-specific regulations on the purchase of property by a foreign company. The email included the standard confidentiality notice and legal disclaimers that are commonly part of emails from attorneys. Lastly, it included a professional signature block with the attorney’s name and contact information.”

The genuine lawyer then revealed the money had never arrived and the victim CEO realized he had been swindled out of nearly $1 million. The last email with the payment instructions was from a spoofed email address which an FBI affidavit says was “deliberately created to deceive the recipient into believing he was communicating with the seller’s attorney.”

It all came down to an extra “s”

What the CEO didn’t realise was that the spoof email address had an extra “s”, which on close inspection may have revealed that it wasn’t from the attorney he was dealing with for the property sale. Quartz writes:

“That one easily overlooked detail wound up setting S.K. back six-figures.”

The reporting indicates that half of the near one million dollars was transferred out of the Citizens Bank in Boston to other accounts including with JP Morgan Chase and then onto bank accounts in China and Nigeria. Quartz writes:

“Simultaneously, a man began visiting JPMorgan Chase branches throughout the area, withdrawing thousands of dollars in cash at a time.”


CEO fraud is on the increase

Business email compromise, says Quartz, known as “CEO fraud,” reached a value of $26 billion between June 2016 and July 2019 across 177 countries as per the FBI’s Internet Crime Complaint Center.

Email address spoofing is a common attack vector with cybercriminals compromising genuine email accounts and using social engineering tactics and known information to glean further data or money. Quartz says:

“The fraudsters then attempt to convince their unwitting victims to wire money to bank accounts that they actually control.”

In other recent incidents of CEO fraud:

  • Mattel CEO Christopher Sinclair authorized a transfer of $3 million to what he thought was a new supplier in China. It wasn’t but Mattel eventually recovered the money.
  • Ubiquiti revealed in a quarterly earnings report that it had transferred $46.7 million to what it believed to be a company subsidiary. It was a cybercriminal.
  • An unidentified US defense contractor sent sensitive military equipment valued at $3.2 million to international cybercriminals.
  • A UK energy company CEO transferred €220,000 to attackers after an artificial intelligence (AI) powered fake call from his boss.
  • A Texas manufacturing company was scammed out of $480,000 by a cybercriminal impersonating the company’s CEO.

CSO at Cybereason, Sam Curry, told Quartz:

“If an attacker can insinuate themselves between two trusted parties, they benefit from that default to trust by both parties. And that’s the real danger.”

And, Curry says, business email compromise is “effectively the next generation of cons.”

Quartz adds:

“The FBI recommends all companies have strong verification protocols in place for large transactions—a phone call to confirm the payment request is legitimate, would be a good start—and use two-factor authentication to verify requests for any changes to account information. Be alert for slightly misspelled names and hyperlinks that redirect to misspelled URLs.”
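The “extra s” trick and the FBI’s advice to watch for slightly misspelled names can be turned into an automated mail check. The following is an added example, not code from the article, Quartz or the FBI: it compares a sender’s domain with the domains an organisation already corresponds with and flags near misses. The domain names are constructed, and the distance threshold of 2 is an assumption.

```python
from email.utils import parseaddr


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: counts insertions, deletions,
    substitutions and swaps of two adjacent characters."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header value.
    The display name is ignored because the sender controls it completely."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def check_sender(from_header, known_domains, max_distance=2):
    """Classify a sender as 'known', 'lookalike', 'unknown' or 'unparseable'.

    Returns (verdict, nearest_known_domain, distance). A 'lookalike' is a
    domain that is not on the known list but is within max_distance edits
    of one that is, which is the case that deserves a phone call to a
    number already on file before any payment is made.
    """
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None, None)
    known = sorted({k.lower() for k in known_domains})
    if domain in known:
        return ("known", domain, 0)
    if not known:
        return ("unknown", None, None)
    nearest = min(known, key=lambda k: edit_distance(domain, k))
    distance = edit_distance(domain, nearest)
    if distance <= max_distance:
        return ("lookalike", nearest, distance)
    return ("unknown", nearest, distance)


# Constructed sample data: the domain of a law firm the buyer already
# exchanged mail with, and three incoming From: header values.
KNOWN_DOMAINS = ["smithlegal.example"]
SAMPLE_HEADERS = [
    "Jane Doe <jane@smithlegal.example>",    # genuine correspondent
    "Jane Doe <jane@smithslegal.example>",   # extra "s" inserted
    "Jane Doe <jane@smtihlegal.example>",    # two letters swapped
    "Newsletter <news@unrelated.example>",   # simply a new sender
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header, KNOWN_DOMAINS))
```

Short domains sit within two edits of many unrelated names, so a check like this is best used to prompt out-of-band verification of payment instructions rather than to block mail outright.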

Security awareness training and simulated phishing attacks can help

One of the greatest cyber-defences against business email compromise and other email attacks like phishing and those that use social engineering tactics is security awareness training. Simulated phishing attacks can form part of this and both these educational elements of a cybersecurity strategy can be conducted at every level of a business, from CEO down. Sign up for a free demo and find out how we’re already helping organisations just like yours.


The Defence Works is recognised as the provider of the world’s most interactive online security awareness training and this week our MD, Edward Whittingham, was asked to comment upon the latest emerging fake “Windows update” scam.

SC Media UK sought comment on the new threat identified by Trustwave, a spam email which tells users:

“PLease install the latest critical update from Microsoft attached to this email”

It directs the recipient’s attention to the attachment as the “latest critical update”.

In the attack, the attachment has a .jpg extension, but in reality it is an executable file. The filename is randomised, and its file size is around 28KB. This executable file is a malicious .NET downloader that will deliver another malware to the infected system.

This second file, named bitcoingenerator.exe, is downloaded from misterbtc2020, a GitHub account that was active for a few days during an investigation by the company. The file is in fact .NET compiled malware, the Cyborg ransomware.

This then encrypts files on the target system and appends its own file extension to their filenames, in this case 777. Then, a ransom note “Cyborg_DECRYPT.txt” will be left on the compromised machine’s Desktop. The information provided in this txt file can be found on the overlay of the ransomware bitcoingenerator.exe.

The malware also leaves a copy of itself as “bot.exe” hidden at the root of the infected drive.
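A mail gateway or triage script can catch the disguise described above by comparing what an attachment’s name claims with what its first bytes say. The following is an added example, not code from Trustwave or SC Media UK: the file names and byte strings are constructed samples, and the verdict labels are this example’s own.

```python
import os
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def sniff_type(data: bytes) -> str:
    """Identify a file from its leading bytes, ignoring its name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == PNG_MAGIC:
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"MZ":
        # A Windows executable starts with a DOS header; the 32-bit
        # little-endian value at offset 0x3C points to the "PE\0\0" signature.
        if len(data) >= 0x40:
            (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # DOS header without a readable PE signature
    return "unknown"


def audit_attachment(filename: str, data: bytes) -> str:
    """Compare the type claimed by the file extension with the content.

    Returns one of:
      'executable-disguised'  executable content under a non-executable name
      'type-mismatch'         image extension, but content is something else
      'consistent'            nothing contradicts the extension
    """
    extension = os.path.splitext(filename)[1].lower()
    actual = sniff_type(data)
    if actual in ("pe", "mz") and extension not in EXECUTABLE_EXTENSIONS:
        return "executable-disguised"
    claimed = IMAGE_EXTENSIONS.get(extension)
    if claimed is not None and actual != claimed:
        return "type-mismatch"
    return "consistent"


def build_constructed_pe_stub() -> bytes:
    """Constructed sample: only the header fields the check reads, no code."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


# Constructed samples, labelled as such: none of these are real files.
CONSTRUCTED_PE = build_constructed_pe_stub()
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
CONSTRUCTED_PNG = PNG_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    samples = [
        ("kq3x9f.jpg", CONSTRUCTED_PE),     # randomised name, executable inside
        ("holiday.jpg", CONSTRUCTED_JPEG),  # genuine JPEG header
        ("logo.jpg", CONSTRUCTED_PNG),      # wrong image type, not executable
    ]
    for name, content in samples:
        print(name, sniff_type(content), audit_attachment(name, content))
```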

Kelvin Murray, senior threat researcher at Webroot, explained to SC Media UK:

“As well as causing damage in the short term, fake updates undermine the general confidence people have updating, and this leads to weaker security as a whole. The sheer amount of updates that we all see on a day-to-day basis means that users are unlikely to spend much time investigating any notifications”

Edward Whittingham, MD of The Defence Works, ultimately raised that the go-to user behaviour must be to avoid clicking on links but that a large onus must be placed on organisations to provide effective security awareness that truly engages the workforce.

“More and more frequently, organisations are adopting security awareness training, but it so often falls flat because the content is dull, too technical or simply doesn’t capture their attention. It’s very important to start to engage with users in a way they’ll find compelling and to make this a topic they’ll actively want to learn more about. That means ditching cliché images such as hoodies, Matrix code and so on – and instead, trying to provide the lessons through a medium they’ll understand and relate to”

These types of attacks reinforce why organisations should work with companies like The Defence Works, to deliver security awareness training to help educate employees and equip them with the knowledge they need to defend themselves.

You can read the full article over at SC Magazine: https://www.scmagazineuk.com/users-warned-fake-windows-update-spam/article/1666372


No one will be shocked if we tell you that cyber-attacks on banking and investment institutions are on the rise.

Finance is the cyber rogue’s favourite. It’s where the money is. Simple as that.

What’s less obvious is how rapidly the range of threats is evolving, even while the number of attacks spikes upward.

Despite some sharply negative market reaction to high-profile hacks, and big investments in the latest cyber kit, the financial services industry still accounts for 35% of all data breaches.

That earns it the dubious honour of ‘most-breached sector’.

You can be sure that the negative publicity around data theft and the dodgy IT systems big banks are saddled with have kept minds focused, but the sector’s security problems are getting worse.

Banking breaches are a growth industry

According to UK law firm RPC, the number of successful attacks on UK financial services firms rose by 480 per cent last year, up to 145 from just 25 in 2017.

Retail banking saw the biggest increase, rising to 25 last year from only one in 2017.

Cyber criminals have clearly seen an opportunity and they’re targeting bank accounts in ever greater numbers. With a growing number of alternative challenger banks like Monzo and Starling nipping at their heels, breaches could cost high street banking institutions lost customers.

Consumers already rate banks and others on how well or poorly they protect personal data. They will quickly abandon a brand following a major security incident.

Seven UK banks were forced to shut down their systems last year after attacks that cost hundreds of thousands of pounds to fix. Some of the biggest names were affected including RBS, Santander and Barclays.


For a highly regulated industry like financial services, the penalties can be immediate. Tesco Bank, for example, was fined £16.4m last year by the FCA after a cyber attack led to £2.26m being taken from personal current accounts.

The risks however go beyond hacked current accounts. RPC’s research also shows that cybercriminals are targeting investment firms, believing their cybersecurity readiness is even weaker than retail banks.

The financial stakes are potentially much higher. The data they hold on M&A deals for example could be used for insider trading. The US Securities and Exchange Commission is already investigating insider dealing cases that relate to cyber breaches.

A changing threat landscape

Cybercrime groups are perfecting new infiltration techniques to get at the customer and proprietary data held by financial institutions. The arsenal of tools is expanding, and they’re looking for new targets.

According to Kaspersky, cybercriminals are still very focused on banks, but are also identifying vulnerabilities in the systems of fintech companies, cryptocurrency exchanges, point-of-sale terminals, and ATMs.

Fintechs and crypto exchanges are thought to be vulnerable because their systems are new and ‘immature’ in cybersecurity terms. For everyone else, some familiar attack vectors continue to be effective:

Identity theft

Whenever there’s a large-scale data breach, much of the hijacked personal information finds its way onto the dark web. It’s then traded and appended to other data acquired from other breaches. Once all the dots have been connected, cybercriminals can clone the identity of individuals and take over their financial accounts. It’s now a reality that whenever a customer creates a new bank account online, banks need to question whether they are who they claim to be. A report by Javelin Research found that social media users had a 30 percent higher risk of fraud because of data exposure.

Synthetic Fraud

Synthetic identity theft occurs when criminals create a fictitious identity using various pieces of real and fabricated information — such as a National Insurance Number, date of birth, address, phone number and email. The immediate victim is the bank or lender, but the person whose credentials have been misused will have to deal with the impact of the fraud. According to reports in The Wall Street Journal, a record $355 million in outstanding credit card debt is now owed by people who don’t actually exist.

Authorised Push Payment Scams (APP)

An APP scam is where a customer is tricked into making a financial transaction with a fraudster posing as someone else. The attack uses social engineering tactics as well as email. The victim will typically receive an invoice for a service they use, which they unwittingly pay; the money, however, ends up in the criminal’s account. UK banks’ ‘Faster Payments’ system has actually facilitated this kind of scam – as the fraudster receives the cash quickly, then moves it and disappears.

Phishing

Kaspersky says more than a third of phishing campaigns target the financial sector. Banks and other financial institutions hold our money and provide us with credit. This trusted relationship is used by cybercriminals to trick customers into revealing login credentials, payment card details, and other personal data.


How the industry should fight back

Human error – like clicking the link in a well-crafted phishing email – enables more breaches than it should. But even the best scams have telltale signs that are detectable when people have been taught to spot them.

As the financial world continues to get to grips with cyber risk, firms can build more resilience into their defence posture with effective security training, and creating a culture of security awareness.

Banks and cyber-thieves are locked in a long-term struggle where the weapons and tactics change monthly. Unless someone invents a box that finally makes devices and networks impenetrable, treating cyber risk as a daily management challenge – and enlisting your own people to help – is the safest route to secure systems.

Want to learn more about empowering employees with security awareness training?  Sign up for a free demo and find out how we’re already helping organisations just like yours.


Growing pressure for comprehensive data privacy protection, and of course GDPR, are spurring global discussions and more new regulations.

Last week Columbia University in the US held a conference for CISOs, lawmakers, academics, and businesses to discuss data privacy. GDPR was on the agenda, but so too was the California Consumer Privacy Act (CCPA), and the prospect of data privacy regulation for the state of New York.

Elsewhere China’s national internet finance association has asked internet businesses to improve data privacy in response to consumer concerns.

And, Microsoft is updating its commercial cloud contracts after it has been found it may be in breach of GDPR.

Data Protection World Forum’s PrivSec Conference

The PrivSec Conference was held for the first time in the US last week. The first such conference was in response to reactions to the proposed introduction of GDPR. CEO of the Data Protection World Forum, Nick James, says:

“As a result of GDPR, so many other countries have bolstered their own data protection and privacy regulations. But the GDPR made it so that people understood that privacy and security are two sides of the same coin.”

The latest conference allowed attendees to cover questions and concerns relating to CCPA which will be implemented in the US in January.

New York State Senator Kevin Thomas, as per TechRepublic, says his team are trying to get a data privacy bill passed for New York and that:

“Whatever is on the books now federally is outdated and not suitable for the current tech landscape that we live in. The EU passed the GDPR and California has their own, so New Yorkers deserve better.”

A law for New York, he says, would provide:

“Transparency about how your data is used and sold; Control to let you determine whether your personal data is sold; and the creation of data fiduciaries to force companies to be accountable for the sensitive data they control.”

The conference also covered the differences between US data privacy law and GDPR as well as laws in other countries, like Brazil, and the implications. Anju Khurana, BNY Mellon’s head of data privacy and protection for the Americas says:

“Currently, there are over 100 countries privacy laws so we are dealing with a very fast changing regulatory environment. The laws are coming at us faster and more furious, so you have to take a look at your regulatory environment and see what’s the risk associated there.”

James adds that businesses need not only to understand their own applicable data privacy laws but also how different laws relate to others.

The PrivSec Conference was held at Columbia University as it’s one of only a handful globally creating data privacy and security courses.

Here at The Defence Works we offer comprehensive and cost-effective security awareness and GDPR training online.


China’s internet companies need to improve data privacy

There are concerns within China that some internet businesses are “violating consumer privacy,” as per SCMP. This may include stealing, trading, or revealing personal information disguised as “big data research.”

China’s national internet finance association has responded saying that without consent its members should not collect, use, or provide personal consumer information to third parties. It has asked that member institutions “take personal responsibility” for protecting personal information as well as strengthening consumer risk warnings and correcting and informing of any problems.

The China Consumers Association (CCA) also asked for better data privacy earlier this year saying smartphone applications in China were collecting too much personal data.

Microsoft may be in breach of GDPR for Office 365 data collection

The European Data Protection Supervisor (EDPS) has, as per Forbes reporting, expressed “serious concerns” as to whether Microsoft’s commercial cloud contracts are in breach of GDPR. And, it has questioned Microsoft’s role as “data processor” or “data controller” for EU customers.

Issues have been raised as to whether Office 365’s collection of “functional and diagnostics data” breaches GDPR. Some data is collected from email subject lines and text that has been spell checked.  Microsoft’s chief privacy officer, Julie Brill, explained Microsoft will be updating its terms and has responded as follows:

“In the [Online Services Terms] OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune.”

The new terms for Microsoft’s commercial customers will be put into place at the start of 2020. Brill has reportedly said Microsoft is the only major cloud provider to offer such terms in Europe.

Where Data Protection World Forum CEO Nick James has said data privacy and data security are “two sides of the same coin,” recently Vigilant Software looked at the differences between the two and how combined they can help with GDPR compliance.

Need to get your hands on security awareness training your employees will love? Sign up for a free demo of the world’s most interactive security awareness training.
